Authentication and Authorization (#793)

* Auth * Authentication and Authorization Client sdk authentication, Server Authentication and authorization. * PR Feedback fixes * Updating docs * Pr comments and end to end test fixes * Adding get token check and minor refactoring * changing autovalue to lombok * removed lognet * Authentication and Authorization End to end test PR comments and end to end test with google auth. * list_features_by_ref to use updated core service method. * Fix for failing test after rebase. * Removed boolean conversion. * Added missing fixture dependency. * Corrected overriding yaml for auth, removed redundant echo. * Allow gcloud command to run without exiting tests * Lint error. * Set GOOGLE_APPLICATION_CREDENTIALS for auth testW * Add gcloud sdk installation to auth tests * Add transactions back to projects, revert to AccessManagementService, and make Auth Config generic * Fix typo in core configuration * Update documentation to remove Google terminology * Remove stream specific configuration in e2e tests * Fix linting Co-authored-by: Andres March (vistaprint) <amarch@vistaprint.com> Co-authored-by: Jayanth Kumar M J <treffen.jayanth@gmail.com> Co-authored-by: e10112844 <jayant.mj@vistaprint.com> Co-authored-by: Willem Pienaar <6728866+woop@users.noreply.github.com> Co-authored-by: Willem Pienaar <git@willem.co>
feast-dev · Jun 23, 2020 · 74bcd3f · 74bcd3f
1 parent 8c2201c
commit 74bcd3f
Show file tree

Hide file tree

Showing 36 changed files with 1,797 additions and 272 deletions.
diff --git a/.prow/config.yaml b/.prow/config.yaml
@@ -157,7 +157,7 @@ presubmits:
 
   - name: test-end-to-end-auth
     decorate: true
-    always_run: false
+    always_run: true
     spec:
       containers:
       - image: maven:3.6-jdk-11

diff --git a/core/pom.xml b/core/pom.xml
@@ -109,11 +109,56 @@
             <groupId>org.apache.logging.log4j</groupId>
             <artifactId>log4j-web</artifactId>
         </dependency>
-        <!--compile io.github.lognet:grpc-spring-boot-starter:3.0.2'-->
-        <dependency>
-            <groupId>io.github.lognet</groupId>
-            <artifactId>grpc-spring-boot-starter</artifactId>
-        </dependency>
+	    <dependency>
+			<groupId>org.springframework.security</groupId>
+			<artifactId>spring-security-core</artifactId>
+			<version>5.3.0.RELEASE</version>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework.security</groupId>
+			<artifactId>spring-security-config</artifactId>
+			<version>5.3.0.RELEASE</version>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework.security.oauth</groupId>
+			<artifactId>spring-security-oauth2</artifactId>
+			<version>2.4.0.RELEASE</version>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework.security</groupId>
+			<artifactId>spring-security-oauth2-client</artifactId>
+			<version>5.3.0.RELEASE</version>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework.security</groupId>
+			<artifactId>spring-security-web</artifactId>
+			<version>5.3.0.RELEASE</version>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework.security</groupId>
+			<artifactId>spring-security-oauth2-resource-server</artifactId>
+			<version>5.3.0.RELEASE</version>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework.security</groupId>
+			<artifactId>spring-security-oauth2-jose</artifactId>
+			<version>5.3.0.RELEASE</version>
+		</dependency>
+		<dependency>
+			<groupId>net.devh</groupId>
+			<artifactId>grpc-server-spring-boot-starter</artifactId>
+			<version>2.4.0.RELEASE</version>
+		</dependency>
+		<dependency>
+			<groupId>com.nimbusds</groupId>
+			<artifactId>nimbus-jose-jwt</artifactId>
+			<version>8.2.1</version>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework.security</groupId>
+			<artifactId>spring-security-oauth2-core</artifactId>
+			<version>5.3.0.RELEASE</version>
+		</dependency>
         <!--compile "org.springframework.boot:spring-boot-starter-data-jpa:${springBootVersion}"-->
         <dependency>
             <groupId>org.springframework.boot</groupId>
@@ -130,7 +175,6 @@
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-configuration-processor</artifactId>
         </dependency>
-
         <!--compile "io.grpc:grpc-services:${grpcVersion}"-->
         <dependency>
             <groupId>io.grpc</groupId>
@@ -146,7 +190,6 @@
             <groupId>com.google.protobuf</groupId>
             <artifactId>protobuf-java-util</artifactId>
         </dependency>
-
         <!--compile 'com.google.guava:guava:26.0-jre'-->
         <dependency>
             <groupId>com.google.guava</groupId>
@@ -168,7 +211,6 @@
             <artifactId>google-api-services-dataflow</artifactId>
             <version>v1b3-rev266-1.25.0</version>
         </dependency>
-
         <dependency>
             <groupId>org.hibernate</groupId>
             <artifactId>hibernate-core</artifactId>
@@ -207,19 +249,35 @@
             <groupId>io.prometheus</groupId>
             <artifactId>simpleclient_servlet</artifactId>
         </dependency>
+		<dependency>
+			<groupId>com.google.api.client</groupId>
+			<artifactId>google-api-client-googleapis-auth-oauth</artifactId>
+			<version>1.2.3-alpha</version>
+		</dependency>
+		<dependency>
+			<groupId>com.auth0</groupId>
+			<artifactId>jwks-rsa</artifactId>
+			<version>0.11.0</version>
+		</dependency>
 
+		<dependency>
+			<groupId>com.auth0</groupId>
+			<artifactId>java-jwt</artifactId>
+			<version>3.10.0</version>
+		</dependency>
+
+		<dependency>
+			<groupId>sh.ory.keto</groupId>
+			<artifactId>keto-client</artifactId>
+			<version>0.4.4-alpha.1</version>
+		</dependency>
         <!--testCompile 'com.jayway.jsonpath:json-path-assert:2.2.0'-->
         <dependency>
             <groupId>com.jayway.jsonpath</groupId>
             <artifactId>json-path-assert</artifactId>
             <version>2.2.0</version>
             <scope>test</scope>
         </dependency>
-        <dependency>
-            <groupId>org.mockito</groupId>
-            <artifactId>mockito-core</artifactId>
-            <scope>test</scope>
-        </dependency>
 
         <dependency>
             <groupId>org.springframework.boot</groupId>
@@ -231,32 +289,50 @@
             <artifactId>spring-boot-test-autoconfigure</artifactId>
             <scope>test</scope>
         </dependency>
-
         <dependency>
             <groupId>javax.xml.bind</groupId>
             <artifactId>jaxb-api</artifactId>
         </dependency>
 
-        <dependency>
-            <groupId>javax.validation</groupId>
-            <artifactId>validation-api</artifactId>
-            <version>2.0.0.Final</version>
-        </dependency>
-        <dependency>
-            <groupId>org.hibernate.validator</groupId>
-            <artifactId>hibernate-validator</artifactId>
-            <version>6.1.2.Final</version>
-        </dependency>
-        <dependency>
-            <groupId>org.hibernate.validator</groupId>
-            <artifactId>hibernate-validator-annotation-processor</artifactId>
-            <version>6.1.2.Final</version>
-        </dependency>
 
         <dependency>
             <groupId>org.flywaydb</groupId>
             <artifactId>flyway-core</artifactId>
             <version>${flyway.version}</version>
         </dependency>
-    </dependencies>
+		<dependency>
+			<groupId>javax.validation</groupId>
+			<artifactId>validation-api</artifactId>
+			<version>2.0.0.Final</version>
+		</dependency>
+		<dependency>
+			<groupId>org.hibernate.validator</groupId>
+			<artifactId>hibernate-validator</artifactId>
+			<version>6.1.2.Final</version>
+		</dependency>
+		<dependency>
+			<groupId>org.hibernate.validator</groupId>
+			<artifactId>hibernate-validator-annotation-processor</artifactId>
+			<version>6.1.2.Final</version>
+		</dependency>
+
+		<dependency>
+			<groupId>org.mockito</groupId>
+			<artifactId>mockito-core</artifactId>
+			<version>2.23.0</version>
+			<scope>test</scope>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework</groupId>
+			<artifactId>spring-test</artifactId>
+			<version>5.1.3.RELEASE</version>
+			<scope>test</scope>
+		</dependency>
+		<dependency>
+			<groupId>org.junit.jupiter</groupId>
+			<artifactId>junit-jupiter</artifactId>
+			<version>RELEASE</version>
+			<scope>test</scope>
+		</dependency>
+  </dependencies>
 </project>
diff --git a/core/src/main/java/feast/core/auth/authentication/DefaultJwtAuthenticationProvider.java b/core/src/main/java/feast/core/auth/authentication/DefaultJwtAuthenticationProvider.java
@@ -0,0 +1,61 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ * Copyright 2018-2020 The Feast Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package feast.core.auth.authentication;
+
+import java.util.Map;
+import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
+import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
+import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider;
+
+/** Json Web Token Authentication Provider used to validate incoming requests to Feast Core. */
+public class DefaultJwtAuthenticationProvider implements AuthenticationProvider {
+
+  private JwtAuthenticationProvider authProvider;
+
+  /**
+   * @param options String K/V pair of options to initialize the AuthenticationProvider with. Only
+   *     one option is currently configurable, the jwkEndpointURI.
+   */
+  public DefaultJwtAuthenticationProvider(Map<String, String> options) {
+    // Endpoint used to retrieve certificates to validate JWT token
+    String jwkEndpointURI = options.get("jwkEndpointURI");
+
+    // Provide a custom endpoint to retrieve certificates
+    authProvider =
+        new JwtAuthenticationProvider(NimbusJwtDecoder.withJwkSetUri(jwkEndpointURI).build());
+    authProvider.setJwtAuthenticationConverter(new JwtAuthenticationConverter());
+  }
+
+  /**
+   * Authenticate a request based on its Spring Security Authentication object
+   *
+   * @param authentication Authentication object which contains a JWT to validate
+   * @return Returns the same authentication object after authentication
+   */
+  @Override
+  public Authentication authenticate(Authentication authentication) throws AuthenticationException {
+    return authProvider.authenticate(authentication);
+  }
+
+  @Override
+  public boolean supports(Class<?> aClass) {
+    return authProvider.supports(aClass);
+  }
+}
diff --git a/core/src/main/java/feast/core/auth/authorization/AuthorizationProvider.java b/core/src/main/java/feast/core/auth/authorization/AuthorizationProvider.java
@@ -0,0 +1,35 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ * Copyright 2018-2020 The Feast Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package feast.core.auth.authorization;
+
+import org.springframework.security.core.Authentication;
+
+/**
+ * AuthorizationProvider is the base interface that each AuthorizationProvider needs to implement in
+ * order to authorize requests to Feast Core
+ */
+public interface AuthorizationProvider {
+
+  /**
+   * Validates whether a user is allowed access to the project
+   *
+   * @param project Name of the Feast project
+   * @param authentication Spring Security Authentication object
+   * @return AuthorizationResult result of authorization query
+   */
+  AuthorizationResult checkAccess(String project, Authentication authentication);
+}
diff --git a/core/src/main/java/feast/core/auth/authorization/AuthorizationResult.java b/core/src/main/java/feast/core/auth/authorization/AuthorizationResult.java
@@ -0,0 +1,66 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ * Copyright 2018-2020 The Feast Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package feast.core.auth.authorization;
+
+import java.util.Optional;
+import javax.annotation.Nullable;
+import lombok.AllArgsConstructor;
+import lombok.Getter;
+
+/**
+ * Implementation of AuthorizationProvider will return AuthorizationResult after validating incoming
+ * requests to Feast Core. AuthorizationResult provides methods to check if user is authorized to
+ * perform an action or not.
+ */
+@Getter
+@AllArgsConstructor
+public class AuthorizationResult {
+
+  /**
+   * Method to create AuthorizationResult Object.
+   *
+   * @param allowed True If user is authorized, False otherwise.
+   * @param failureReason Reason for authorization failure, if any
+   * @return AuthorizationResult Object.
+   */
+  public static AuthorizationResult create(
+      @Nullable boolean allowed, @Nullable String failureReason) {
+    return new AuthorizationResult(allowed, Optional.ofNullable(failureReason));
+  }
+
+  /**
+   * Method to create failed AuthorizationResult Object.
+   *
+   * @param failureReason Reason for authorization failure, if any or Null
+   * @return AuthorizationResult Object.
+   */
+  public static AuthorizationResult failed(@Nullable String failureReason) {
+    return new AuthorizationResult(false, Optional.ofNullable(failureReason));
+  }
+
+  /**
+   * Method to create Success AuthorizationResult Object.
+   *
+   * @return AuthorizationResult Object.
+   */
+  public static AuthorizationResult success() {
+    return new AuthorizationResult(true, Optional.empty());
+  }
+
+  private boolean allowed;
+  private Optional<String> failureReason;
+}