From 66edfd7a09d32351c50dd66a172b8bda40abcb65 Mon Sep 17 00:00:00 2001
From: Tyler Ouyang
Date: Tue, 28 May 2024 11:52:18 -0700
Subject: [PATCH] Use Pastis for all user authorizations. (#1629)

When CompositeAuthorizationFactory is used, only return Pastis authorizer for UserPrincipal. Only create 1 BasePastisAuthorizer instance. Change the order of authenticators to favor envoyAuthFilter.
---
 deploy-service/teletraanservice/pom.xml | 3 ++
 .../CompositeAuthenticationFactory.java | 8 +++-
 .../config/CompositeAuthorizationFactory.java | 18 ++++----
 .../CompositeAuthorizationFactoryTest.java | 43 +++++++++++++++++++
 4 files changed, 61 insertions(+), 11 deletions(-)
 create mode 100644 deploy-service/teletraanservice/src/test/java/com/pinterest/teletraan/config/CompositeAuthorizationFactoryTest.java
diff --git a/deploy-service/teletraanservice/pom.xml b/deploy-service/teletraanservice/pom.xml
index 38bb6e9cc7..3e722d9990 100644
--- a/deploy-service/teletraanservice/pom.xml
+++ b/deploy-service/teletraanservice/pom.xml
@@ -180,6 +180,9 @@ com/pinterest/teletraan/config/CompositeAuthorizationFactory.java + + **/CompositeAuthorizationFactoryTest.java +
diff --git a/deploy-service/teletraanservice/src/main/java/com/pinterest/teletraan/config/CompositeAuthenticationFactory.java b/deploy-service/teletraanservice/src/main/java/com/pinterest/teletraan/config/CompositeAuthenticationFactory.java
index 5b8e122af5..bbacc9e91f 100644
--- a/deploy-service/teletraanservice/src/main/java/com/pinterest/teletraan/config/CompositeAuthenticationFactory.java
+++ b/deploy-service/teletraanservice/src/main/java/com/pinterest/teletraan/config/CompositeAuthenticationFactory.java
@@ -52,7 +52,11 @@ public ContainerRequestFilter create(TeletraanServiceContext context) throws Exc
 .setAuthorizer(context.getAuthorizationFactory().create(context))
 .buildAuthFilter();
- return new ChainedAuthFilter(Arrays.asList(createScriptTokenAuthFilter(context),
- createOauthTokenAuthFilter(context), envoyAuthFilter, createJwtTokenAuthFilter(context)));
+ return new ChainedAuthFilter(
+ Arrays.asList(
+ createScriptTokenAuthFilter(context),
+ envoyAuthFilter,
+ createOauthTokenAuthFilter(context),
+ createJwtTokenAuthFilter(context)));
 }
 }
diff --git a/deploy-service/teletraanservice/src/main/java/com/pinterest/teletraan/config/CompositeAuthorizationFactory.java b/deploy-service/teletraanservice/src/main/java/com/pinterest/teletraan/config/CompositeAuthorizationFactory.java
index 2cdea12633..ed98aa8fa7 100644
--- a/deploy-service/teletraanservice/src/main/java/com/pinterest/teletraan/config/CompositeAuthorizationFactory.java
+++ b/deploy-service/teletraanservice/src/main/java/com/pinterest/teletraan/config/CompositeAuthorizationFactory.java
@@ -19,11 +19,9 @@
 import com.fasterxml.jackson.annotation.JsonTypeName;
 import com.pinterest.teletraan.TeletraanServiceContext;
 import com.pinterest.teletraan.security.ScriptTokenRoleAuthorizer;
-import com.pinterest.teletraan.security.UserRoleAuthorizer;
 import com.pinterest.teletraan.universal.security.BasePastisAuthorizer;
 import com.pinterest.teletraan.universal.security.bean.ServicePrincipal;
 import com.pinterest.teletraan.universal.security.bean.TeletraanPrincipal;
-import com.pinterest.teletraan.universal.security.bean.UserPrincipal;
 import io.dropwizard.auth.Authorizer;
 @JsonTypeName("composite")
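Review bot: The order of the list passed to `ChainedAuthFilter` in `CompositeAuthenticationFactory.create` decides which credential authenticates a request, and nothing in the code says so. With `envoyAuthFilter` now ahead of `createOauthTokenAuthFilter(context)`, a request carrying both kinds of credential will presumably be resolved by the Envoy filter, and so by the authorizer attached to it through `.setAuthorizer(...)` just above. A comment on the list would protect the ordering from an accidental reshuffle, e.g. `// Order matters: the first filter that authenticates wins; Envoy-provided identity is preferred over OAuth/JWT tokens.` Since the Envoy filter now takes precedence, it is worth confirming where that filter is built (outside this hunk) that the identity it reads can only be set by the trusted proxy and not by a direct caller. The method body starts before the hunk.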
@@ -31,6 +29,7 @@ public class CompositeAuthorizationFactory implements AuthorizationFactory { private static final String DEFAULT_PASTIS_SERVICE_NAME = "teletraan_dev"; @JsonProperty private String pastisServiceName = DEFAULT_PASTIS_SERVICE_NAME; + private Authorizer pastisAuthorizer; public void setPastisServiceName(String pastisServiceName) { this.pastisServiceName = pastisServiceName; @@ -43,11 +42,14 @@ public String getPastisServiceName() { @Override public

Authorizer

create(TeletraanServiceContext context) throws Exception { - return (Authorizer

) - BasePastisAuthorizer.builder() - .factory(context.getAuthZResourceExtractorFactory()) - .serviceName(pastisServiceName) - .build(); + if (pastisAuthorizer == null) { + pastisAuthorizer = + BasePastisAuthorizer.builder() + .factory(context.getAuthZResourceExtractorFactory()) + .serviceName(pastisServiceName) + .build(); + } + return (Authorizer

) pastisAuthorizer; } @Override @@ -55,8 +57,6 @@ public
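Review bot: The lazy initialisation added to `CompositeAuthorizationFactory.create(context)` keeps whatever was built on the first call, so a later `setPastisServiceName(...)` or a call with a different `context` silently returns an authorizer bound to the old service name and extractor factory. The `if (pastisAuthorizer == null)` check is also unsynchronised; if `create` can be reached from more than one thread (not visible here), two instances can be built and the single-instance goal is lost. Declaring the method `synchronized` and adding a Javadoc line such as `/** Returns one shared Pastis authorizer; pastisServiceName must be set before the first call. */` would make the contract explicit. The cached field itself is declared in the previous hunk (`private Authorizer pastisAuthorizer;`).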

Authorizer c TeletraanServiceContext context, Class

principalClass) throws Exception { if (ServicePrincipal.class.equals(principalClass)) { return new ScriptTokenRoleAuthorizer(context.getAuthZResourceExtractorFactory()); - } else if (UserPrincipal.class.equals(principalClass)) { - return new UserRoleAuthorizer(context, context.getAuthZResourceExtractorFactory()); } return create(context); } diff --git a/deploy-service/teletraanservice/src/test/java/com/pinterest/teletraan/config/CompositeAuthorizationFactoryTest.java b/deploy-service/teletraanservice/src/test/java/com/pinterest/teletraan/config/CompositeAuthorizationFactoryTest.java new file mode 100644 index 0000000000..92d21c94d5 --- /dev/null +++ b/deploy-service/teletraanservice/src/test/java/com/pinterest/teletraan/config/CompositeAuthorizationFactoryTest.java 
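Review bot: With the `UserPrincipal` branch removed, the trailing `return create(context);` in the two-argument `create` becomes the route for every principal class other than `ServicePrincipal`, including any type added later, and nothing states that this default is intended. A comment above that return would record the decision, e.g. `// All non-service principals (UserPrincipal and any future type) are authorized by Pastis.` If an unknown principal type should be rejected instead, an explicit `UserPrincipal.class.equals(principalClass)` check followed by a thrown exception would fail closed; that is a design choice for the author. The method signature begins before this hunk.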
@@ -0,0 +1,43 @@
+/**
+ * Copyright (c) 2024 Pinterest, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.pinterest.teletraan.config;
+
+import static org.junit.Assert.assertSame;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+import com.pinterest.teletraan.TeletraanServiceContext;
+import com.pinterest.teletraan.security.TeletraanAuthZResourceExtractorFactory;
+import com.pinterest.teletraan.universal.security.BasePastisAuthorizer;
+import io.dropwizard.auth.Authorizer;
+import org.junit.jupiter.api.Test;
+
+class CompositeAuthorizationFactoryTest {
+ @Test
+ void testCreate() throws Exception {
+ TeletraanServiceContext context = new TeletraanServiceContext();
+ context.setAuthZResourceExtractorFactory(
+ new TeletraanAuthZResourceExtractorFactory(context));
+ CompositeAuthorizationFactory factory = new CompositeAuthorizationFactory();
+
+ Authorizer authorizer = factory.create(context);
+ assertNotNull(authorizer);
+ assertTrue(authorizer instanceof BasePastisAuthorizer);
+
+ Authorizer authorizer2 = factory.create(context);
+ assertSame(authorizer, authorizer2);
+ }
+}
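Review bot: `testCreate` exercises only the one-argument `create(context)`, so the dispatch this commit actually changes has no test: which authorizer the two-argument `create(context, principalClass)` returns for `UserPrincipal` versus `ServicePrincipal`. A regression that routes a principal type to the wrong authorizer would pass the suite; a second test along the lines below would pin the mapping. Separately, `assertSame` is imported from JUnit 4 (`org.junit.Assert`) while the other assertions come from Jupiter; `import static org.junit.jupiter.api.Assertions.assertSame;` keeps the file on one API.

```java
// … unchanged: testCreate …

@Test
void testCreateForPrincipalClass() throws Exception {
    TeletraanServiceContext context = new TeletraanServiceContext();
    context.setAuthZResourceExtractorFactory(
            new TeletraanAuthZResourceExtractorFactory(context));
    CompositeAuthorizationFactory factory = new CompositeAuthorizationFactory();

    // Service principals keep the script-token role authorizer.
    assertTrue(
            factory.create(context, ServicePrincipal.class)
                    instanceof ScriptTokenRoleAuthorizer);
    // User principals share the single cached Pastis authorizer.
    assertSame(
            factory.create(context),
            factory.create(context, UserPrincipal.class));
}
```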