Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: implementation of basic access control for Files API #91

Merged
merged 6 commits into from
Dec 18, 2023
Merged

feat: implementation of basic access control for Files API #91

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
4fc41ad
support user buckets
Dec 15, 2023
be289d3
address review comments
Dec 17, 2023
ed853b5
fix controller selector
Dec 17, 2023
5cca412
address review comments
Dec 18, 2023
7674dfa
fix Files API patterns
Dec 18, 2023
287315e
Merge branch 'development' into issue-90
Dec 18, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -49,7 +49,8 @@ Static settings are used on startup and cannot be changed while application is r
| storage.credential | - |Blob storage secret key
| storage.bucket | - |Blob storage bucket
| storage.createBucket | false |Indicates whether bucket should be created on start-up

| encryption.password | - |Password used for AES encryption
| encryption.salt | - |Salt used for AES encryption
### Dynamic settings
Dynamic settings are stored in JSON files, specified via "config.files" static setting, and reloaded at interval, specified via "config.reload" static setting.
Dynamic settings include:
Expand Down
6 changes: 4 additions & 2 deletions src/main/java/com/epam/aidial/core/AiDial.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,13 +1,14 @@
package com.epam.aidial.core;

import com.auth0.jwk.UrlJwkProvider;
import com.epam.aidial.core.config.ConfigStore;
import com.epam.aidial.core.config.Encryption;
import com.epam.aidial.core.config.FileConfigStore;
import com.epam.aidial.core.config.Storage;
import com.epam.aidial.core.limiter.RateLimiter;
import com.epam.aidial.core.log.GfLogStore;
import com.epam.aidial.core.log.LogStore;
import com.epam.aidial.core.security.AccessTokenValidator;
import com.epam.aidial.core.security.EncryptionService;
import com.epam.aidial.core.storage.BlobStorage;
import com.epam.aidial.core.upstream.UpstreamBalancer;
import com.epam.deltix.gflog.core.LogConfigurator;
Expand Down Expand Up @@ -68,7 +69,8 @@ void start() throws Exception {
Storage storageConfig = Json.decodeValue(settings("storage").toBuffer(), Storage.class);
storage = new BlobStorage(storageConfig);
}
Proxy proxy = new Proxy(vertx, client, configStore, logStore, rateLimiter, upstreamBalancer, accessTokenValidator, storage);
EncryptionService encryptionService = new EncryptionService(Json.decodeValue(settings("encryption").toBuffer(), Encryption.class));
Proxy proxy = new Proxy(vertx, client, configStore, logStore, rateLimiter, upstreamBalancer, accessTokenValidator, storage, encryptionService);

server = vertx.createHttpServer(new HttpServerOptions(settings("server"))).requestHandler(proxy);
open(server, HttpServer::listen);
Expand Down
7 changes: 6 additions & 1 deletion src/main/java/com/epam/aidial/core/Proxy.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@
import com.epam.aidial.core.limiter.RateLimiter;
import com.epam.aidial.core.log.LogStore;
import com.epam.aidial.core.security.AccessTokenValidator;
import com.epam.aidial.core.security.EncryptionService;
import com.epam.aidial.core.security.ExtractedClaims;
import com.epam.aidial.core.storage.BlobStorage;
import com.epam.aidial.core.upstream.UpstreamBalancer;
Expand All @@ -27,6 +28,7 @@

import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Set;

@Slf4j
@Getter
Expand All @@ -46,6 +48,8 @@ public class Proxy implements Handler<HttpServerRequest> {
public static final int REQUEST_BODY_MAX_SIZE_BYTES = 16 * 1024 * 1024;
public static final int FILES_REQUEST_BODY_MAX_SIZE_BYTES = 512 * 1024 * 1024;

private static final Set<HttpMethod> ALLOWED_HTTP_METHODS = Set.of(HttpMethod.GET, HttpMethod.POST, HttpMethod.PUT, HttpMethod.DELETE);

private final Vertx vertx;
private final HttpClient client;
private final ConfigStore configStore;
Expand All @@ -54,6 +58,7 @@ public class Proxy implements Handler<HttpServerRequest> {
private final UpstreamBalancer upstreamBalancer;
private final AccessTokenValidator tokenValidator;
private final BlobStorage storage;
private final EncryptionService encryptionService;

@Override
public void handle(HttpServerRequest request) {
Expand All @@ -79,7 +84,7 @@ private void handleRequest(HttpServerRequest request) {
}

HttpMethod requestMethod = request.method();
if (requestMethod != HttpMethod.GET && requestMethod != HttpMethod.POST && requestMethod != HttpMethod.DELETE) {
if (!ALLOWED_HTTP_METHODS.contains(requestMethod)) {
respond(request, HttpStatus.METHOD_NOT_ALLOWED);
return;
}
Expand Down
9 changes: 9 additions & 0 deletions src/main/java/com/epam/aidial/core/config/Encryption.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
package com.epam.aidial.core.config;

import lombok.Data;

@Data
public class Encryption {
String password;
String salt;
}
35 changes: 35 additions & 0 deletions src/main/java/com/epam/aidial/core/controller/AccessControlBaseController.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,35 @@
package com.epam.aidial.core.controller;

import com.epam.aidial.core.Proxy;
import com.epam.aidial.core.ProxyContext;
import com.epam.aidial.core.storage.BlobStorageUtil;
import com.epam.aidial.core.util.HttpStatus;
import io.vertx.core.Future;
import lombok.AllArgsConstructor;

import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

@AllArgsConstructor
public abstract class AccessControlBaseController {

final Proxy proxy;
final ProxyContext context;


public Future<?> handle(String bucket, String filePath) {
String decodedBucket = URLDecoder.decode(bucket, StandardCharsets.UTF_8);
String decodedFilePath = URLDecoder.decode(filePath, StandardCharsets.UTF_8);
String expectedUserBucket = BlobStorageUtil.buildUserBucket(context);
String decryptedBucket = proxy.getEncryptionService().decrypt(decodedBucket);

if (!expectedUserBucket.equals(decryptedBucket)) {
return context.respond(HttpStatus.FORBIDDEN, "You don't have an access to the bucket " + decodedBucket);
}

return handle(decodedBucket, decryptedBucket, decodedFilePath);
}

protected abstract Future<?> handle(String bucketName, String bucketLocation, String filePath);

}
25 changes: 25 additions & 0 deletions src/main/java/com/epam/aidial/core/controller/BucketController.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
package com.epam.aidial.core.controller;

import com.epam.aidial.core.Proxy;
import com.epam.aidial.core.ProxyContext;
import com.epam.aidial.core.data.Bucket;
import com.epam.aidial.core.security.EncryptionService;
import com.epam.aidial.core.storage.BlobStorageUtil;
import com.epam.aidial.core.util.HttpStatus;
import io.vertx.core.Future;
import lombok.AllArgsConstructor;

@AllArgsConstructor
public class BucketController {

private final Proxy proxy;
private final ProxyContext context;

public Future<?> getBucket() {
EncryptionService encryptionService = proxy.getEncryptionService();
String bucketLocation = BlobStorageUtil.buildUserBucket(context);
String encryptedBucket = encryptionService.encrypt(bucketLocation);

return context.respond(HttpStatus.OK, new Bucket(encryptedBucket));
}
}
Loading