Update auth layer so dryRun operations only require read-only privs (#4800)

Author: EricWittmann

app/src/main/java/io/apicurio/registry/auth/Authorized.java

@@ -1,14 +1,14 @@
 package io.apicurio.registry.auth;
 
+import jakarta.enterprise.util.Nonbinding;
+import jakarta.interceptor.InterceptorBinding;
+
 import java.lang.annotation.ElementType;
 import java.lang.annotation.Inherited;
 import java.lang.annotation.Retention;
 import java.lang.annotation.RetentionPolicy;
 import java.lang.annotation.Target;
 
-import jakarta.enterprise.util.Nonbinding;
-import jakarta.interceptor.InterceptorBinding;
-
 @InterceptorBinding
 @Inherited
 @Retention(RetentionPolicy.RUNTIME)
@@ -21,4 +21,7 @@
     @Nonbinding
     AuthorizedLevel level() default AuthorizedLevel.Read;
 
+    @Nonbinding
+    int dryRunParam() default -1;
+
 }

app/src/main/java/io/apicurio/registry/auth/AuthorizedInterceptor.java

@@ -71,27 +71,29 @@ public Object authorizeMethod(InvocationContext context) throws Exception {
         // If the securityIdentity is not set (or is anonymous)...
         try {
             if (securityIdentity == null || securityIdentity.isAnonymous()) {
-                System.out.println("=====> Identity was null or anon: " + securityIdentity);
-    
+                log.debug("Identity was null or anonymous: " + securityIdentity);
+
                 // Anonymous users are allowed to perform "None" operations.
                 if (annotation.level() == AuthorizedLevel.None) {
                     log.trace("Anonymous user is being granted access to unprotected operation.");
                     return context.proceed();
                 }
-    
+
                 // Anonymous users are allowed to perform read-only operations, but only if
                 // apicurio.auth.anonymous-read-access.enabled is set to 'true'
                 if (authConfig.anonymousReadAccessEnabled.get() && annotation.level() == AuthorizedLevel.Read) {
                     log.trace("Anonymous user is being granted access to read-only operation.");
                     return context.proceed();
                 }
-    
+
                 // Otherwise just fail - auth was enabled but no credentials provided.
                 log.warn("Authentication credentials missing and required for protected endpoint.");
                 throw new UnauthorizedException("User is not authenticated.");
             }
+        } catch (UnauthorizedException e) {
+            throw e;
         } catch (Throwable t) {
-            t.printStackTrace();
+            log.error("Error enforcing access.", t);
             throw t;
         }
 

app/src/main/java/io/apicurio/registry/auth/RoleBasedAccessController.java

@@ -24,6 +24,14 @@ public boolean isAuthorized(InvocationContext context) {
         Authorized annotation = context.getMethod().getAnnotation(Authorized.class);
         AuthorizedLevel level = annotation.level();
 
+        // If the method has a "dryRun" query param set to True then downgrade the required level from Write to Read
+        if (annotation.dryRunParam() != -1 && level == AuthorizedLevel.Write) {
+            Boolean dryRun = (Boolean) context.getParameters()[annotation.dryRunParam()];
+            if (dryRun != null && dryRun.equals(Boolean.TRUE)) {
+                level = AuthorizedLevel.Read;
+            }
+        }
+
         switch (level) {
             case Admin:
                 return isAdmin();

app/src/main/java/io/apicurio/registry/rest/v3/GroupsResourceImpl.java

@@ -600,7 +600,7 @@ public void deleteArtifactsInGroup(String groupId) {
 
     @Override
     @Audited(extractParameters = {"0", KEY_GROUP_ID, "1", KEY_IF_EXISTS, "2", KEY_CANONICAL, "3", "dryRun"})
-    @Authorized(style = AuthorizedStyle.GroupOnly, level = AuthorizedLevel.Write)
+    @Authorized(style = AuthorizedStyle.GroupOnly, level = AuthorizedLevel.Write, dryRunParam = 3)
     public CreateArtifactResponse createArtifact(String groupId, IfArtifactExists ifExists, Boolean canonical, Boolean dryRun, CreateArtifact data) {
         requireParameter("groupId", groupId);
         if (data.getFirstVersion() != null) {
@@ -763,7 +763,7 @@ public VersionSearchResults listArtifactVersions(String groupId, String artifact
 
     @Override
     @Audited(extractParameters = {"0", KEY_GROUP_ID, "1", KEY_ARTIFACT_ID, "2", "dryRun"})
-    @Authorized(style = AuthorizedStyle.GroupAndArtifact, level = AuthorizedLevel.Write)
+    @Authorized(style = AuthorizedStyle.GroupAndArtifact, level = AuthorizedLevel.Write, dryRunParam = 2)
     public VersionMetaData createArtifactVersion(String groupId, String artifactId, Boolean dryRun, CreateVersion data) {
         requireParameter("content", data.getContent());
         requireParameter("groupId", groupId);

app/src/test/java/io/apicurio/registry/auth/SimpleAuthTest.java

@@ -105,6 +105,10 @@ public void testReadOnly() throws Exception {
             client.groups().byGroupId("testReadOnly").artifacts().post(createArtifact);
         });
         assertForbidden(exception3);
+        // Try the create again but with dryRun set to true (should work)
+        client.groups().byGroupId("testReadOnly").artifacts().post(createArtifact, config -> {
+            config.queryParameters.dryRun = true;
+        });
 
         var devAdapter = new VertXRequestAdapter(buildOIDCWebClient(authServerUrlConfigured, JWKSMockServer.DEVELOPER_CLIENT_ID, "test1"));
         devAdapter.setBaseUrl(registryV3ApiUrl);