sajjad pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/pinot.git
The following commit(s) were added to refs/heads/master by this push:
new c675c2882f Fix authentication issue when auth annotation is not
required (#9110)
c675c2882f is described below
commit c675c2882f45b7d2bb02ddd38d3f9ee6ab19b411
Author: Sajjad Moradi <[email protected]>
AuthorDate: Wed Jul 27 13:05:11 2022 -0700
Fix authentication issue when auth annotation is not required (#9110)
---
.../api/access/AuthenticationFilter.java | 11 ++++--
.../api/access/AuthenticationFilterTest.java | 43 ++++++++++++++++++++++
2 files changed, 50 insertions(+), 4 deletions(-)
diff --git
a/pinot-controller/src/main/java/org/apache/pinot/controller/api/access/AuthenticationFilter.java
b/pinot-controller/src/main/java/org/apache/pinot/controller/api/access/AuthenticationFilter.java
index 35733dcf78..b25dbdcc9b 100644
---
a/pinot-controller/src/main/java/org/apache/pinot/controller/api/access/AuthenticationFilter.java
+++
b/pinot-controller/src/main/java/org/apache/pinot/controller/api/access/AuthenticationFilter.java
@@ -87,13 +87,17 @@ public class AuthenticationFilter implements
ContainerRequestFilter {
// - "schemaName"
// If table name is not available, it means the endpoint is not a
table-level endpoint.
Optional<String> tableName = extractTableName(uriInfo.getPathParameters(),
uriInfo.getQueryParameters());
+ AccessType accessType = extractAccessType(endpointMethod);
+ new AccessControlUtils().validatePermission(tableName, accessType,
_httpHeaders, endpointUrl, accessControl);
+ }
+ @VisibleForTesting
+ AccessType extractAccessType(Method endpointMethod) {
// default access type
AccessType accessType = AccessType.READ;
-
if (endpointMethod.isAnnotationPresent(Authenticate.class)) {
accessType = endpointMethod.getAnnotation(Authenticate.class).value();
- } else if (accessControl.protectAnnotatedOnly()) {
+ } else {
// heuristically infer access type via javax.ws.rs annotations
if (endpointMethod.getAnnotation(POST.class) != null) {
accessType = AccessType.CREATE;
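Review bot: `extractAccessType` still starts from `AccessType.READ`, so an endpoint method with no `@Authenticate` and none of the verb annotations checked in the `else` chain is authorized at the lowest access level. Only the POST branch is visible in this hunk; the tests suggest PUT and DELETE are also mapped, but the middle of the chain and the end of the method lie outside the hunk. A mutating endpoint exposed through any other verb annotation would therefore pass with READ permission only. The method also has no Javadoc stating the precedence, so I would add one saying that an explicit `@Authenticate` value wins, otherwise the type is inferred from the JAX-RS verb, and unmapped verbs fall through to READ. Next to the default I would add `// unmapped verbs fall through to READ; mutating endpoints must carry @Authenticate`.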
@@ -103,8 +107,7 @@ public class AuthenticationFilter implements
ContainerRequestFilter {
accessType = AccessType.DELETE;
}
}
-
- new AccessControlUtils().validatePermission(tableName, accessType,
_httpHeaders, endpointUrl, accessControl);
+ return accessType;
}
@VisibleForTesting
diff --git
a/pinot-controller/src/test/java/org/apache/pinot/controller/api/access/AuthenticationFilterTest.java
b/pinot-controller/src/test/java/org/apache/pinot/controller/api/access/AuthenticationFilterTest.java
index 3d108bfe6f..45c8f8daa2 100644
---
a/pinot-controller/src/test/java/org/apache/pinot/controller/api/access/AuthenticationFilterTest.java
+++
b/pinot-controller/src/test/java/org/apache/pinot/controller/api/access/AuthenticationFilterTest.java
@@ -19,7 +19,12 @@
package org.apache.pinot.controller.api.access;
+import java.lang.reflect.Method;
import java.util.Optional;
+import javax.ws.rs.DELETE;
+import javax.ws.rs.GET;
+import javax.ws.rs.POST;
+import javax.ws.rs.PUT;
import javax.ws.rs.core.MultivaluedHashMap;
import javax.ws.rs.core.MultivaluedMap;
import org.testng.annotations.Test;
@@ -106,4 +111,42 @@ public class AuthenticationFilterTest {
Optional<String> actual = _authFilter.extractTableName(pathParams,
queryParams);
assertEquals(actual, Optional.empty());
}
+
+ @Test
+ public void testExtractAccessTypeWithAuthAnnotation() throws Exception {
+ Method method =
AuthenticationFilterTest.class.getMethod("methodWithAuthAnnotation");
+ assertEquals(AccessType.UPDATE, _authFilter.extractAccessType(method));
+ }
+
+ @Test
+ public void testExtractAccessTypeWithMissingAuthAnnotation() throws
Exception {
+ Method method = AuthenticationFilterTest.class.getMethod("methodWithGet");
+ assertEquals(AccessType.READ, _authFilter.extractAccessType(method));
+ method = AuthenticationFilterTest.class.getMethod("methodWithPost");
+ assertEquals(AccessType.CREATE, _authFilter.extractAccessType(method));
+ method = AuthenticationFilterTest.class.getMethod("methodWithPut");
+ assertEquals(AccessType.UPDATE, _authFilter.extractAccessType(method));
+ method = AuthenticationFilterTest.class.getMethod("methodWithDelete");
+ assertEquals(AccessType.DELETE, _authFilter.extractAccessType(method));
+ }
+
+ @Authenticate(AccessType.UPDATE)
+ public void methodWithAuthAnnotation() {
+ }
+
+ @GET
+ public void methodWithGet() {
+ }
+
+ @PUT
+ public void methodWithPut() {
+ }
+
+ @POST
+ public void methodWithPost() {
+ }
+
+ @DELETE
+ public void methodWithDelete() {
+ }
}
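Review bot: The new tests do not pin the two security-relevant edges of `extractAccessType`: a method carrying both `@Authenticate` and a verb annotation (the explicit value must win over the heuristic), and a method with neither (the READ default). Both are cheap to cover with two more helper methods, as sketched below. Separately, the added assertions pass the expected value first, e.g. `assertEquals(AccessType.UPDATE, _authFilter.extractAccessType(method))`, while the existing test above uses `assertEquals(actual, Optional.empty())`. If this is TestNG's `assertEquals` (the import is outside the hunk), the order is actual-then-expected, so failure messages from the new tests would be reversed.

```java
  // … unchanged: testExtractAccessTypeWithAuthAnnotation, testExtractAccessTypeWithMissingAuthAnnotation …

  @Test
  public void testExtractAccessTypeAnnotationPrecedenceAndDefault() throws Exception {
    // An explicit @Authenticate value must win over the verb heuristic.
    Method method = AuthenticationFilterTest.class.getMethod("methodWithAuthAnnotationAndDelete");
    assertEquals(_authFilter.extractAccessType(method), AccessType.READ);
    // Neither @Authenticate nor a mapped verb annotation: pins the READ default.
    method = AuthenticationFilterTest.class.getMethod("methodWithNoAnnotation");
    assertEquals(_authFilter.extractAccessType(method), AccessType.READ);
  }

  @Authenticate(AccessType.READ)
  @DELETE
  public void methodWithAuthAnnotationAndDelete() {
  }

  public void methodWithNoAnnotation() {
  }
```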