Enforce system-app authorization on OAuth provider endpoints#16112
Open
TristanInSec wants to merge 1 commit into cdapio:develop from
The data pipeline StudioService's OAuthHandler exposes PUT/DELETE/GET endpoints for managing OAuth providers and stored credentials. These are cluster-wide resources, but the handler previously performed no authorization check beyond CDAP's baseline authentication, so any authenticated user of the instance could register, modify, delete, or fetch credentials for any OAuth provider. Wire the existing ContextAccessEnforcer from the SystemHttpServiceContext and gate every endpoint on enforceOnParent(SYSTEM_APP_ENTITY, SYSTEM) with the matching StandardPermission (GET for reads, UPDATE for PUT-based mutations, DELETE for the delete endpoint). Only users with system-app administration permissions in the system namespace can now use these endpoints. This mirrors the ContextAccessEnforcer usage already adopted by ConnectionHandler and DraftHandler in the same module.
Summary
The data pipeline StudioService's `OAuthHandler` exposes PUT/DELETE/GET endpoints for managing OAuth providers and stored credentials under `v1/oauth/provider/...`. OAuth providers are a cluster-wide resource — the stored `loginURL`, `tokenRefreshURL`, and client credentials are shared across the instance — but the handler previously performed no authorization check beyond the CDAP baseline, so any authenticated user of the instance could register, modify, delete or fetch OAuth providers and their credentials.

This PR wires the existing `ContextAccessEnforcer` from the `SystemHttpServiceContext` and gates every endpoint on `enforceOnParent(SYSTEM_APP_ENTITY, SYSTEM, permission)`:

- Reads (`getAuthURL`, `getOAuthCredential`, `getOAuthCredentialValidity`) enforce `StandardPermission.GET`.
- Mutations (`putOAuthProvider`, `putOAuthCredential`) enforce `StandardPermission.UPDATE`.
- `deleteOAuthProvider` enforces `StandardPermission.DELETE`.

After this change, only users with system-app administration permissions in the system namespace can call these endpoints.

This mirrors the `ContextAccessEnforcer` usage already adopted by `ConnectionHandler` and `DraftHandler` in the same module.

Test plan

`data-pipeline-base` tests still pass.
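The gate described in the summary, as an added example that is not part of this PR or of cdapio/cdap: it models the pattern in plain Python rather than with CDAP's own classes. `SYSTEM_APP_ENTITY`, `StandardPermission`, the `GET`/`UPDATE`/`DELETE` mapping and `enforce_on_parent` follow the names in the description; the `Principal`/grant model, the in-memory provider store, the handler method signatures, the `UnguardedOAuthHandler` "before" variant and the sample provider values are assumptions constructed for this example.

```python
"""Added illustration of per-endpoint system-app authorization (not CDAP code).

Names SYSTEM_APP_ENTITY, StandardPermission and enforce_on_parent follow the PR
description; the grant model, store, handler signatures and sample values are
assumptions made for this example.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, Tuple


class StandardPermission(Enum):
    GET = "GET"
    UPDATE = "UPDATE"
    DELETE = "DELETE"


class AccessException(Exception):
    """Raised when the caller lacks the required permission."""


SYSTEM_APP_ENTITY = "SYSTEM_APP_ENTITY"
SYSTEM = "system"  # the system namespace, parent of system-app entities

# A grant is (entity type, parent id, permission); this tuple shape is an assumption.
Grant = Tuple[str, str, StandardPermission]


@dataclass(frozen=True)
class Principal:
    name: str
    grants: FrozenSet[Grant]


class ContextAccessEnforcer:
    """Toy stand-in for the enforcer: deny unless the caller holds the exact grant."""

    def __init__(self, caller: Principal):
        self.caller = caller

    def enforce_on_parent(self, entity_type: str, parent: str,
                          permission: StandardPermission) -> None:
        if (entity_type, parent, permission) not in self.caller.grants:
            raise AccessException(
                f"{self.caller.name} lacks {permission.value} on {entity_type} in {parent}")


class OAuthHandler:
    """Provider endpoints gated on system-app permissions (the 'after' state)."""

    def __init__(self, enforcer: ContextAccessEnforcer, store: Dict[str, dict]):
        self.enforcer = enforcer
        # provider name -> {loginURL, tokenRefreshURL, clientId, clientSecret}
        self.store = store

    def _enforce(self, permission: StandardPermission) -> None:
        # Runs before the store is read or written, so a denied caller learns
        # nothing, not even whether the named provider exists.
        self.enforcer.enforce_on_parent(SYSTEM_APP_ENTITY, SYSTEM, permission)

    def put_oauth_provider(self, provider: str, spec: dict) -> None:
        self._enforce(StandardPermission.UPDATE)
        self.store[provider] = dict(spec)

    def get_oauth_credential(self, provider: str) -> dict:
        self._enforce(StandardPermission.GET)
        return dict(self.store[provider])

    def delete_oauth_provider(self, provider: str) -> None:
        self._enforce(StandardPermission.DELETE)
        del self.store[provider]


class UnguardedOAuthHandler(OAuthHandler):
    """The 'before' state: caller is authenticated, but no authorization check runs."""

    def _enforce(self, permission: StandardPermission) -> None:
        pass


def call(handler_method, *args) -> str:
    """Return 'ok' or 'denied' so each call's outcome is easy to compare."""
    try:
        handler_method(*args)
        return "ok"
    except AccessException:
        return "denied"


def run_scenario() -> Dict[str, object]:
    """Exercise both handlers with an admin and an ordinary authenticated user."""
    all_grants = frozenset((SYSTEM_APP_ENTITY, SYSTEM, p) for p in StandardPermission)
    admin = Principal("admin", all_grants)
    user = Principal("alice", frozenset())  # authenticated, no system-app grants

    # Constructed sample provider; not real endpoints or credentials.
    spec = {"loginURL": "https://idp.example/auth",
            "tokenRefreshURL": "https://idp.example/token",
            "clientId": "sample-client-id", "clientSecret": "sample-secret"}

    store: Dict[str, dict] = {}
    admin_handler = OAuthHandler(ContextAccessEnforcer(admin), store)
    user_handler = OAuthHandler(ContextAccessEnforcer(user), store)
    unguarded_user = UnguardedOAuthHandler(ContextAccessEnforcer(user), store)

    results: Dict[str, object] = {}
    results["admin_put"] = call(admin_handler.put_oauth_provider, "github", spec)
    results["user_get_guarded"] = call(user_handler.get_oauth_credential, "github")
    results["user_get_missing_guarded"] = call(user_handler.get_oauth_credential, "nope")
    results["user_put_guarded"] = call(user_handler.put_oauth_provider, "github", spec)
    results["user_delete_guarded"] = call(user_handler.delete_oauth_provider, "github")
    results["user_get_unguarded"] = call(unguarded_user.get_oauth_credential, "github")
    results["admin_delete"] = call(admin_handler.delete_oauth_provider, "github")
    results["providers_left"] = len(store)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```

The two details worth carrying over to the real handler are that the permission check is the first statement of every endpoint, ahead of any store lookup (so an unauthorized caller cannot probe which providers exist via a 404-versus-403 difference), and that each method asks for the permission matching its effect rather than a single blanket check, which is exactly the GET/UPDATE/DELETE split the PR describes.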