Use Pastis for all user authorizations. (#1629)

When CompositeAuthorizationFactory is used, only return Pastis authorizer for UserPrincipal.
Only create 1 BasePastisAuthorizer instance.
Change the order of authenticators to favor envoyAuthFilter.

deploy-service/teletraanservice/pom.xml

@@ -180,6 +180,9 @@
                     <excludes>
                       <exclude>com/pinterest/teletraan/config/CompositeAuthorizationFactory.java</exclude>
                     </excludes>
+                    <testExcludes>
+                      <testExclude>**/CompositeAuthorizationFactoryTest.java</testExclude>
+                    </testExcludes>
                   </configuration>
                 </plugin>
               </plugins>

deploy-service/teletraanservice/src/main/java/com/pinterest/teletraan/config/CompositeAuthenticationFactory.java

@@ -52,7 +52,11 @@ public ContainerRequestFilter create(TeletraanServiceContext context) throws Exc
                         .setAuthorizer(context.getAuthorizationFactory().create(context))
                         .buildAuthFilter();
 
-        return new ChainedAuthFilter(Arrays.asList(createScriptTokenAuthFilter(context),
-                createOauthTokenAuthFilter(context), envoyAuthFilter, createJwtTokenAuthFilter(context)));
+        return new ChainedAuthFilter(
+                Arrays.asList(
+                        createScriptTokenAuthFilter(context),
+                        envoyAuthFilter,
+                        createOauthTokenAuthFilter(context),
+                        createJwtTokenAuthFilter(context)));
     }
 }

deploy-service/teletraanservice/src/main/java/com/pinterest/teletraan/config/CompositeAuthorizationFactory.java

@@ -19,18 +19,17 @@
 import com.fasterxml.jackson.annotation.JsonTypeName;
 import com.pinterest.teletraan.TeletraanServiceContext;
 import com.pinterest.teletraan.security.ScriptTokenRoleAuthorizer;
-import com.pinterest.teletraan.security.UserRoleAuthorizer;
 import com.pinterest.teletraan.universal.security.BasePastisAuthorizer;
 import com.pinterest.teletraan.universal.security.bean.ServicePrincipal;
 import com.pinterest.teletraan.universal.security.bean.TeletraanPrincipal;
-import com.pinterest.teletraan.universal.security.bean.UserPrincipal;
 import io.dropwizard.auth.Authorizer;
 
 @JsonTypeName("composite")
 public class CompositeAuthorizationFactory implements AuthorizationFactory {
     private static final String DEFAULT_PASTIS_SERVICE_NAME = "teletraan_dev";
 
     @JsonProperty private String pastisServiceName = DEFAULT_PASTIS_SERVICE_NAME;
+    private Authorizer<TeletraanPrincipal> pastisAuthorizer;
 
     public void setPastisServiceName(String pastisServiceName) {
         this.pastisServiceName = pastisServiceName;
@@ -43,20 +42,21 @@ public String getPastisServiceName() {
     @Override
     public <P extends TeletraanPrincipal> Authorizer<P> create(TeletraanServiceContext context)
             throws Exception {
-        return (Authorizer<P>)
-                BasePastisAuthorizer.builder()
-                        .factory(context.getAuthZResourceExtractorFactory())
-                        .serviceName(pastisServiceName)
-                        .build();
+        if (pastisAuthorizer == null) {
+            pastisAuthorizer =
+                    BasePastisAuthorizer.builder()
+                            .factory(context.getAuthZResourceExtractorFactory())
+                            .serviceName(pastisServiceName)
+                            .build();
+        }
+        return (Authorizer<P>) pastisAuthorizer;
     }
 
     @Override
     public <P extends TeletraanPrincipal> Authorizer<? extends TeletraanPrincipal> create(
             TeletraanServiceContext context, Class<P> principalClass) throws Exception {
         if (ServicePrincipal.class.equals(principalClass)) {
             return new ScriptTokenRoleAuthorizer(context.getAuthZResourceExtractorFactory());
-        } else if (UserPrincipal.class.equals(principalClass)) {
-            return new UserRoleAuthorizer(context, context.getAuthZResourceExtractorFactory());
         }
         return create(context);
     }

deploy-service/teletraanservice/src/test/java/com/pinterest/teletraan/config/CompositeAuthorizationFactoryTest.java

@@ -0,0 +1,43 @@
+/**
+ * Copyright (c) 2024 Pinterest, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.pinterest.teletraan.config;
+
+import static org.junit.Assert.assertSame;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+import com.pinterest.teletraan.TeletraanServiceContext;
+import com.pinterest.teletraan.security.TeletraanAuthZResourceExtractorFactory;
+import com.pinterest.teletraan.universal.security.BasePastisAuthorizer;
+import io.dropwizard.auth.Authorizer;
+import org.junit.jupiter.api.Test;
+
+class CompositeAuthorizationFactoryTest {
+    @Test
+    void testCreate() throws Exception {
+        TeletraanServiceContext context = new TeletraanServiceContext();
+        context.setAuthZResourceExtractorFactory(
+                new TeletraanAuthZResourceExtractorFactory(context));
+        CompositeAuthorizationFactory factory = new CompositeAuthorizationFactory();
+
+        Authorizer<?> authorizer = factory.create(context);
+        assertNotNull(authorizer);
+        assertTrue(authorizer instanceof BasePastisAuthorizer);
+
+        Authorizer<?> authorizer2 = factory.create(context);
+        assertSame(authorizer, authorizer2);
+    }
+}