control-service: add OAuth authN & authZ for data jobs

add comments

Signed-off-by: Dako Dakov <[email protected]>

projects/control-service/projects/pipelines_control_service/src/main/java/com/vmware/taurus/authorization/AuthorizationInterceptor.java

@@ -62,15 +62,19 @@ public class AuthorizationInterceptor implements HandlerInterceptor {
     public boolean preHandle(
             final HttpServletRequest request, final HttpServletResponse response, final Object handler)
             throws IOException {
+        // Is security enabled at all?
         if (!featureFlags.isSecurityEnabled()) {
             return true;
         }
 
+        // Is authorization enabled? Did we get a token?
+        // This logic is somewhat scatchy, but I've kept the old behavior
         Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
-        if (authentication == null || !authentication.isAuthenticated() || !featureFlags.isAuthorizationEnabled()) {
+        if (!featureFlags.isAuthorizationEnabled() || authentication == null || !authentication.isAuthenticated()) {
             return true;
         }
 
+        // This logic is somewhat scatchy, but I've kept the old behavior
         if (!(authentication instanceof JwtAuthenticationToken jwtToken)) {
             return true;
         }
@@ -90,6 +94,22 @@ private boolean handleVmwCspToken(HttpServletRequest request, HttpServletRespons
         return isRequestAuthorized(request, response, body);
     }
 
+    private boolean isRequestAuthorized(
+            HttpServletRequest request, HttpServletResponse response, AuthorizationBody body)
+            throws IOException {
+        WebHookResult decision = this.webhookProvider.invokeWebHook(body).get();
+        response.setStatus(decision.getStatus().value());
+        if (!decision.getMessage().isBlank()) {
+            response.getWriter().write(decision.getMessage());
+        }
+        return decision.isSuccess();
+    }
+
+    private void updateOperationContext(AuthorizationBody body) {
+        opCtx.setUser(body.getRequesterUserId());
+        opCtx.setTeam(body.getRequestedResourceTeam());
+    }
+
     private boolean handleOAuthApplicationToken(HttpServletRequest request, JwtAuthenticationToken token) {
         Object tokenSubject = token.getTokenAttributes().get(OAuth2TokenIntrospectionClaimNames.SUB);
         if (!(tokenSubject instanceof String subject)) {
@@ -100,28 +120,12 @@ private boolean handleOAuthApplicationToken(HttpServletRequest request, JwtAuthe
         String teamName = authorizationProvider.getJobTeam(request);
         String newTeam = authorizationProvider.getJobNewTeam(request, teamName);
 
-        // The reqested operation is for a resource owned by another team
+        // The requested operation is for a resource owned by another team
         if (!teamName.equals(newTeam)) {
             return false;
         }
 
         VaultTeamCredentials teamCredentials = secretsService.readTeamOauthCredentials(teamName);
         return teamCredentials != null && teamClientId.equals(teamCredentials.getClientId());
     }
-
-    private boolean isRequestAuthorized(
-            HttpServletRequest request, HttpServletResponse response, AuthorizationBody body)
-            throws IOException {
-        WebHookResult decision = this.webhookProvider.invokeWebHook(body).get();
-        response.setStatus(decision.getStatus().value());
-        if (!decision.getMessage().isBlank()) {
-            response.getWriter().write(decision.getMessage());
-        }
-        return decision.isSuccess();
-    }
-
-    private void updateOperationContext(AuthorizationBody body) {
-        opCtx.setUser(body.getRequesterUserId());
-        opCtx.setTeam(body.getRequestedResourceTeam());
-    }
 }