Skip to content

Commit

Permalink
Pass Identity to S3SecurityController
Browse files Browse the repository at this point in the history
  • Loading branch information
@pranavr12
pranavr12 committed Aug 13, 2024
1 parent 231b974 commit ff4f633
Show file tree
Hide file tree
Showing 12 changed files with 32 additions and 17 deletions.
5 changes: 5 additions & 0 deletions trino-aws-proxy-spi/src/main/java/io/trino/aws/proxy/spi/credentials/Credentials.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -53,4 +53,9 @@ public static Credentials build(Credential emulated, Credential remote, RemoteSe
{
return new Credentials(emulated, Optional.of(remote), Optional.of(remoteSessionRole), Optional.empty());
}

public static Credentials build(Credential emulated, Credential remote, Identity identity)
{
return new Credentials(emulated, Optional.of(remote), Optional.empty(), Optional.of(identity));
}
}
7 changes: 5 additions & 2 deletions ...aws-proxy-spi/src/main/java/io/trino/aws/proxy/spi/security/S3SecurityFacadeProvider.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -13,17 +13,20 @@
*/
package io.trino.aws.proxy.spi.security;

import io.trino.aws.proxy.spi.credentials.Identity;
import io.trino.aws.proxy.spi.rest.ParsedS3Request;
import jakarta.ws.rs.WebApplicationException;

import java.util.Optional;

public interface S3SecurityFacadeProvider
{
S3SecurityFacadeProvider NOOP = _ -> S3SecurityFacade.NOOP;
S3SecurityFacadeProvider NOOP = (_, _) -> S3SecurityFacade.NOOP;

/**
* Return a validated/authenticated facade for the given request or
* throw {@link jakarta.ws.rs.WebApplicationException}
*/
S3SecurityFacade securityFacadeForRequest(ParsedS3Request request)
S3SecurityFacade securityFacadeForRequest(ParsedS3Request request, Optional<Identity> identity)
throws WebApplicationException;
}
3 changes: 2 additions & 1 deletion ...-aws-proxy-spi/src/main/java/io/trino/aws/proxy/spi/security/opa/OpaS3SecurityMapper.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@
package io.trino.aws.proxy.spi.security.opa;

import com.google.common.collect.ImmutableMap;
import io.trino.aws.proxy.spi.credentials.Identity;
import io.trino.aws.proxy.spi.rest.ParsedS3Request;
import io.trino.aws.proxy.spi.security.SecurityResponse;

Expand Down Expand Up @@ -58,7 +59,7 @@ default SecurityResponse toSecurityResponse(Map<String, Object> responseDocument
.orElse(FAILURE);
}

OpaRequest toRequest(ParsedS3Request request, Optional<String> lowercaseAction, URI baseUri);
OpaRequest toRequest(ParsedS3Request request, Optional<String> lowercaseAction, URI baseUri, Optional<Identity> identity);

static Optional<Boolean> extractBoolean(Map<?, ?> map, String key)
{
Expand Down
2 changes: 1 addition & 1 deletion trino-aws-proxy/src/main/java/io/trino/aws/proxy/server/rest/S3PresignController.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -84,7 +84,7 @@ private Stream<Map.Entry<String, URI>> buildPresignedRemoteUrl(String httpMethod
request.rawQuery(),
request.requestContent());

return switch (s3SecurityController.apply(checkRequest)) {
return switch (s3SecurityController.apply(checkRequest, signingMetadata.credentials().identity())) {
case Success _ -> Stream.of(Map.entry(httpMethod, signingContext.signingUri()));
case Failure _ -> Stream.empty();
};
Expand Down
2 changes: 1 addition & 1 deletion trino-aws-proxy/src/main/java/io/trino/aws/proxy/server/rest/TrinoS3ProxyClient.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -105,7 +105,7 @@ public void proxyRequest(SigningMetadata signingMetadata, ParsedS3Request reques
{
URI remoteUri = remoteS3Facade.buildEndpoint(uriBuilder(request.queryParameters()), request.rawPath(), request.bucketName(), request.requestAuthorization().region());

SecurityResponse securityResponse = s3SecurityController.apply(request);
SecurityResponse securityResponse = s3SecurityController.apply(request, signingMetadata.credentials().identity());
if (securityResponse instanceof Failure(var error)) {
log.debug("SecurityController check failed. AccessKey: %s, Request: %s, SecurityResponse: %s", signingMetadata.credentials().emulated().accessKey(), request, securityResponse);
requestLoggingSession.logError("request.security.fail.credentials", signingMetadata.credentials().emulated());
Expand Down
7 changes: 4 additions & 3 deletions trino-aws-proxy/src/main/java/io/trino/aws/proxy/server/security/S3SecurityController.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,7 @@
import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Splitter;
import com.google.inject.Inject;
import io.trino.aws.proxy.spi.credentials.Identity;
import io.trino.aws.proxy.spi.rest.ParsedS3Request;
import io.trino.aws.proxy.spi.security.S3SecurityFacade;
import io.trino.aws.proxy.spi.security.S3SecurityFacadeProvider;
Expand All @@ -29,7 +30,7 @@

public class S3SecurityController
{
private static final S3SecurityFacadeProvider DEFAULT_SECURITY_FACADE_PROVIDER = _ -> _ -> SUCCESS;
private static final S3SecurityFacadeProvider DEFAULT_SECURITY_FACADE_PROVIDER = (_, _) -> _ -> SUCCESS;

private final S3SecurityFacadeProvider s3SecurityFacadeProvider;

Expand All @@ -39,9 +40,9 @@ public S3SecurityController(S3SecurityFacadeProvider s3SecurityFacadeProvider)
this.s3SecurityFacadeProvider = requireNonNull(s3SecurityFacadeProvider, "s3SecurityFacadeProvider is null");
}

public SecurityResponse apply(ParsedS3Request request)
public SecurityResponse apply(ParsedS3Request request, Optional<Identity> identity)
{
S3SecurityFacade s3SecurityFacade = currentProvider().securityFacadeForRequest(request);
S3SecurityFacade s3SecurityFacade = currentProvider().securityFacadeForRequest(request, identity);

Optional<String> lowercaseAction = request.rawQuery().flatMap(S3SecurityController::parseAction);

Expand Down
9 changes: 5 additions & 4 deletions ...oxy/src/main/java/io/trino/aws/proxy/server/security/opa/OpaS3SecurityFacadeProvider.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@
import io.airlift.http.client.HttpClient;
import io.airlift.http.client.Request;
import io.airlift.json.JsonCodec;
import io.trino.aws.proxy.spi.credentials.Identity;
import io.trino.aws.proxy.spi.rest.ParsedS3Request;
import io.trino.aws.proxy.spi.security.S3SecurityFacade;
import io.trino.aws.proxy.spi.security.S3SecurityFacadeProvider;
Expand Down Expand Up @@ -56,15 +57,15 @@ public OpaS3SecurityFacadeProvider(@ForOpa HttpClient httpClient, OpaS3SecurityM
}

@Override
public S3SecurityFacade securityFacadeForRequest(ParsedS3Request request)
public S3SecurityFacade securityFacadeForRequest(ParsedS3Request request, Optional<Identity> identity)
throws WebApplicationException
{
return lowercaseAction -> facade(request, lowercaseAction);
return lowercaseAction -> facade(request, lowercaseAction, identity);
}

private SecurityResponse facade(ParsedS3Request parsedS3Request, Optional<String> lowercaseAction)
private SecurityResponse facade(ParsedS3Request parsedS3Request, Optional<String> lowercaseAction, Optional<Identity> identity)
{
OpaRequest opaRequest = opaS3SecurityMapper.toRequest(parsedS3Request, lowercaseAction, opaServerUri);
OpaRequest opaRequest = opaS3SecurityMapper.toRequest(parsedS3Request, lowercaseAction, opaServerUri, identity);

Map<String, Object> inputDocument = opaS3SecurityMapper.toInputDocument(opaRequest.document());

Expand Down
3 changes: 2 additions & 1 deletion trino-aws-proxy/src/test/java/io/trino/aws/proxy/server/TestDatabaseSecurity.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@
import io.trino.aws.proxy.server.testing.containers.PySparkContainer;
import io.trino.aws.proxy.server.testing.harness.BuilderFilter;
import io.trino.aws.proxy.server.testing.harness.TrinoAwsProxyTest;
import io.trino.aws.proxy.spi.credentials.Identity;
import io.trino.aws.proxy.spi.rest.ParsedS3Request;
import io.trino.aws.proxy.spi.security.S3DatabaseSecurityDecorator;
import io.trino.aws.proxy.spi.security.S3SecurityFacade;
Expand Down Expand Up @@ -63,7 +64,7 @@ public static class FacadeProvider
final AtomicBoolean disallowGets = new AtomicBoolean();

@Override
public S3SecurityFacade securityFacadeForRequest(ParsedS3Request request)
public S3SecurityFacade securityFacadeForRequest(ParsedS3Request request, Optional<Identity> identity)
throws WebApplicationException
{
S3SecurityFacade s3SecurityFacade = lowercaseAction -> SUCCESS;
Expand Down
4 changes: 3 additions & 1 deletion trino-aws-proxy/src/test/java/io/trino/aws/proxy/server/TestOpaSecurity.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,7 @@
import io.trino.aws.proxy.server.testing.containers.OpaContainer;
import io.trino.aws.proxy.server.testing.harness.BuilderFilter;
import io.trino.aws.proxy.server.testing.harness.TrinoAwsProxyTest;
import io.trino.aws.proxy.spi.credentials.Identity;
import io.trino.aws.proxy.spi.rest.ParsedS3Request;
import io.trino.aws.proxy.spi.security.opa.OpaRequest;
import io.trino.aws.proxy.spi.security.opa.OpaS3SecurityMapper;
Expand Down Expand Up @@ -80,8 +81,9 @@ public OpaMapper(OpaContainer container)
}

@Override
public OpaRequest toRequest(ParsedS3Request request, Optional<String> lowercaseAction, URI baseUri)
public OpaRequest toRequest(ParsedS3Request request, Optional<String> lowercaseAction, URI baseUri, Optional<Identity> identity)
{
assertThat(identity).isPresent();
URI uri = UriBuilder.fromUri(baseUri).port(containerPort).path("test").path("allow").build();
return new OpaRequest(uri, ImmutableMap.of("table", request.keyInBucket()));
}
Expand Down
2 changes: 1 addition & 1 deletion trino-aws-proxy/src/test/java/io/trino/aws/proxy/server/TestS3SecurityController.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -63,7 +63,7 @@ public void testDisableListObjects()
assertThat(listObjectsResponse.contents()).isEmpty();

// set facade that disallows list objects on bucket "one"
securityController.setDelegate(request -> _ -> {
securityController.setDelegate((request, _) -> _ -> {
if ("one".equals(request.bucketName()) && request.httpVerb().equalsIgnoreCase("get")) {
return FAILURE;
}
Expand Down
2 changes: 1 addition & 1 deletion trino-aws-proxy/src/test/java/io/trino/aws/proxy/server/rest/TestPresigningHeaders.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -108,7 +108,7 @@ public void testPresignHeaderSecurity()
Presigned presigned = getPresigned("get", "one", "gettest");
assertThat(presigned.presignedHeaderMethods).containsExactlyInAnyOrder("GET", "PUT", "POST", "DELETE");

securityController.setDelegate(request -> lowercaseAction -> request.httpVerb().equalsIgnoreCase("DELETE") ? FAILURE : SUCCESS);
securityController.setDelegate((request, _) -> lowercaseAction -> request.httpVerb().equalsIgnoreCase("DELETE") ? FAILURE : SUCCESS);

presigned = getPresigned("get", "one", "gettest");
assertThat(presigned.presignedHeaderMethods).containsExactlyInAnyOrder("GET", "PUT", "POST");
Expand Down
3 changes: 2 additions & 1 deletion trino-aws-proxy/src/test/java/io/trino/aws/proxy/server/testing/TestingUtil.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -56,7 +56,8 @@ private TestingUtil() {}

public static final Credentials TESTING_CREDENTIALS = Credentials.build(
new Credential(UUID.randomUUID().toString(), UUID.randomUUID().toString()),
new Credential(UUID.randomUUID().toString(), UUID.randomUUID().toString()));
new Credential(UUID.randomUUID().toString(), UUID.randomUUID().toString()),
new TestingIdentity(UUID.randomUUID().toString(), List.of(), UUID.randomUUID().toString()));

// Domain name with a wildcard CNAME pointing to localhost - needed to test Virtual Host style addressing
public static final String LOCALHOST_DOMAIN = "local.gate0.net";
Expand Down

0 comments on commit ff4f633

Please sign in to comment.