Implement authenticated read access (#2071)

* Implement authenticated read access

* Implement tests for authenticated read access

Author: carlesarnal

app/src/main/java/io/apicurio/registry/auth/AuthConfig.java

@@ -47,6 +47,9 @@ public class AuthConfig {
     @ConfigProperty(name = "registry.auth.anonymous-read-access.enabled", defaultValue = "false")
     boolean anonymousReadAccessEnabled;
 
+    @ConfigProperty(name = "registry.auth.authenticated-read-access.enabled", defaultValue = "false")
+    boolean authenticatedReadAccessEnabled;
+
     @ConfigProperty(name = "registry.auth.roles.readonly", defaultValue = "sr-readonly")
     String readOnlyRole;
 
@@ -85,6 +88,7 @@ void onConstruct() {
         log.debug("===============================");
         log.debug("Auth Enabled: " + authenticationEnabled);
         log.debug("Anonymous Read Access Enabled: " + anonymousReadAccessEnabled);
+        log.debug("Authenticated Read Access Enabled: " + authenticatedReadAccessEnabled);
         log.debug("RBAC Enabled: " + roleBasedAuthorizationEnabled);
         if (roleBasedAuthorizationEnabled) {
             log.debug("   RBAC Roles: " + readOnlyRole + ", " + developerRole + ", " + adminRole);

app/src/main/java/io/apicurio/registry/auth/AuthorizedInterceptor.java

@@ -88,10 +88,10 @@ public Object authorizeMethod(InvocationContext context) throws Exception {
 
         log.trace("Authentication enabled, protected resource: " + context.getMethod());
 
+        Authorized annotation = context.getMethod().getAnnotation(Authorized.class);
+
         // If the securityIdentity is not set (or is anonymous)...
         if (securityIdentity == null || securityIdentity.isAnonymous()) {
-            Authorized annotation = context.getMethod().getAnnotation(Authorized.class);
-
             // Anonymous users are allowed to perform "None" operations.
             if (annotation.level() == AuthorizedLevel.None) {
                 log.trace("Anonymous user is being granted access to unprotected operation.");
@@ -110,7 +110,7 @@ public Object authorizeMethod(InvocationContext context) throws Exception {
             throw new UnauthorizedException("User is not authenticated.");
         }
 
-        log.trace("                               principalId:" + securityIdentity.getPrincipal().getName());
+        log.trace("principalId:" + securityIdentity.getPrincipal().getName());
 
         // If the user is an admin (via the admin-override check) then there's no need to
         // check rbac or obac.
@@ -119,6 +119,11 @@ public Object authorizeMethod(InvocationContext context) throws Exception {
             return context.proceed();
         }
 
+        // If Authenticated read access is enabled, and the operation is read, allow it.
+        if (authConfig.authenticatedReadAccessEnabled && (annotation.level() == AuthorizedLevel.Read) || annotation.level() == AuthorizedLevel.None) {
+            return context.proceed();
+        }
+
         // If RBAC is enabled, apply role based rules
         if (authConfig.roleBasedAuthorizationEnabled && !rbac.isAuthorized(context)) {
             log.warn("RBAC enabled and required role missing.");

app/src/main/resources/application.properties

@@ -167,6 +167,7 @@ registry.auth.role-based-authorization=${REGISTRY_AUTH_RBAC_ENABLED:${registry-l
 registry.auth.owner-only-authorization=${REGISTRY_AUTH_OBAC_ENABLED:${registry-legacy.auth.owner-only-authorization}}
 registry.auth.owner-only-authorization.limit-group-access=${REGISTRY_AUTH_OBAC_LIMIT_GROUP_ACCESS:false}
 registry.auth.anonymous-read-access.enabled=${REGISTRY_AUTH_ANONYMOUS_READS_ENABLED:${registry-legacy.auth.anonymous-read-access.enabled}}
+registry.auth.authenticated-read-access.enabled=${REGISTRY_AUTH_AUTHENTICATED_READS_ENABLED:false}
 registry.auth.roles.readonly=${REGISTRY_AUTH_ROLES_READONLY:sr-readonly}
 registry.auth.roles.developer=${REGISTRY_AUTH_ROLES_DEVELOPER:sr-developer}
 registry.auth.roles.admin=${REGISTRY_AUTH_ROLES_ADMIN:sr-admin}

app/src/test/java/io/apicurio/registry/auth/AuthTestAuthenticatedReadAccess.java

@@ -0,0 +1,89 @@
+/*
+ * Copyright 2021 Red Hat
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.apicurio.registry.auth;
+
+/**
+ * @author carnalca@redhat.com
+ */
+
+import io.apicurio.registry.AbstractResourceTestBase;
+import io.apicurio.registry.rest.client.RegistryClient;
+import io.apicurio.registry.rest.client.RegistryClientFactory;
+import io.apicurio.registry.rest.v2.beans.ArtifactSearchResults;
+import io.apicurio.registry.types.ArtifactType;
+import io.apicurio.registry.utils.tests.ApicurioTestTags;
+import io.apicurio.registry.utils.tests.AuthTestProfileAuthenticatedReadAccess;
+import io.apicurio.rest.client.auth.Auth;
+import io.apicurio.rest.client.auth.OidcAuth;
+import io.apicurio.rest.client.auth.exception.ForbiddenException;
+import io.quarkus.test.junit.QuarkusTest;
+import io.quarkus.test.junit.TestProfile;
+import org.eclipse.microprofile.config.inject.ConfigProperty;
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.Tag;
+import org.junit.jupiter.api.Test;
+
+import java.io.ByteArrayInputStream;
+import java.io.InputStream;
+import java.nio.charset.StandardCharsets;
+import java.util.Collections;
+import java.util.Optional;
+
+@QuarkusTest
+@TestProfile(AuthTestProfileAuthenticatedReadAccess.class)
+@Tag(ApicurioTestTags.DOCKER)
+public class AuthTestAuthenticatedReadAccess extends AbstractResourceTestBase {
+
+    @ConfigProperty(name = "registry.auth.token.endpoint")
+    String authServerUrl;
+
+    String noRoleClientId = "registry-api-no-role";
+    String adminClientId = "registry-api";
+
+    final String groupId = getClass().getSimpleName() + "Group";
+
+    private RegistryClient createClient(Auth auth) {
+        return RegistryClientFactory.create(registryV2ApiUrl, Collections.emptyMap(), auth);
+    }
+
+    @Override
+    protected RegistryClient createRestClientV2() {
+        Auth auth = new OidcAuth(authServerUrl, adminClientId, "test1", Optional.empty());
+        return this.createClient(auth);
+    }
+
+    @Test
+    public void testReadOperationWithNoRole() throws Exception {
+        // Read-only operation should work with credentials but no role.
+
+        Auth auth = new OidcAuth(authServerUrl, noRoleClientId, "test1", Optional.empty());
+        RegistryClient client = this.createClient(auth);
+        ArtifactSearchResults results = client.searchArtifacts(groupId, null, null, null, null, null, null, null, null);
+        Assertions.assertTrue(results.getCount() >= 0);
+
+        // Write operation should fail with credentials but not role.
+        InputStream data = new ByteArrayInputStream(("{\r\n" +
+                "    \"type\" : \"record\",\r\n" +
+                "    \"name\" : \"userInfo\",\r\n" +
+                "    \"namespace\" : \"my.example\",\r\n" +
+                "    \"fields\" : [{\"name\" : \"age\", \"type\" : \"int\"}]\r\n" +
+                "}").getBytes(StandardCharsets.UTF_8));
+        Assertions.assertThrows(ForbiddenException.class, () -> {
+            client.createArtifact(groupId, "testReadOperationWithNoRole", ArtifactType.AVRO, data);
+        });
+    }
+}

distro/openshift-template/mt/apicurio-registry-mt-template.yaml

@@ -211,6 +211,8 @@ objects:
             value: ${REGISTRY_AUTH_OBAC_LIMIT_GROUP_ACCESS}
           - name: REGISTRY_AUTH_ANONYMOUS_READS_ENABLED
             value: ${REGISTRY_AUTH_ANONYMOUS_READS_ENABLED}
+          - name: REGISTRY_AUTH_AUTHENTICATED_READS_ENABLED
+            value: ${REGISTRY_AUTH_AUTHENTICATED_READS_ENABLED}
           - name: REGISTRY_AUTH_ROLES_READONLY
             value: ${REGISTRY_AUTH_ROLES_READONLY}
           - name: REGISTRY_AUTH_ROLES_DEVELOPER
@@ -552,6 +554,9 @@ parameters:
 - name: REGISTRY_AUTH_ANONYMOUS_READS_ENABLED
   description: flag to enable/disable anonymous read access
   value: "false"
+- name: REGISTRY_AUTH_AUTHENTICATED_READS_ENABLED
+  description: flag to enable/disable authenticated read access
+  value: "false"
 - name: REGISTRY_AUTH_ROLES_READONLY
   description: property to set the name of the role that enables ReadOnly access when using token based RBAC
   value: "sr-readonly"

utils/tests/src/main/java/io/apicurio/registry/utils/tests/AuthTestProfileAuthenticatedReadAccess.java

@@ -0,0 +1,40 @@
+/*
+ * Copyright 2021 Red Hat
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.apicurio.registry.utils.tests;
+
+import io.quarkus.test.junit.QuarkusTestProfile;
+
+import java.util.Collections;
+import java.util.List;
+import java.util.Map;
+
+/**
+ * @author carnalca@redhat.com
+ */
+public class AuthTestProfileAuthenticatedReadAccess implements QuarkusTestProfile {
+
+    @Override
+    public Map<String, String> getConfigOverrides() {
+        return Map.of("registry.auth.authenticated-read-access.enabled", "true");
+    }
+
+    @Override
+    public List<TestResourceEntry> testResources() {
+        return Collections.singletonList(
+                new TestResourceEntry(KeycloakTestResource.class));
+    }
+}