Merge pull request cdapio#16036 from cdapio/CDAP-21203_dev

sahusanket · web-flow · commit 6eca5a0a0309 · 2025-08-11T15:11:31.000+05:30
CDAP-21203 : Handle unauthorized exception case for remote calls for Audit logs and proper error message
diff --git a/cdap-app-fabric/src/main/java/io/cdap/cdap/gateway/handlers/meta/RemotePrivilegesHandler.java b/cdap-app-fabric/src/main/java/io/cdap/cdap/gateway/handlers/meta/RemotePrivilegesHandler.java
@@ -34,6 +34,7 @@
 import io.cdap.cdap.security.spi.authorization.AuditLogContext;
 import io.cdap.cdap.security.spi.authorization.AuthorizationResponse;
 import io.cdap.cdap.security.spi.authorization.PermissionManager;
+import io.cdap.cdap.security.spi.authorization.UnauthorizedException;
 import io.cdap.http.HttpResponder;
 import io.netty.handler.codec.http.FullHttpRequest;
 import io.netty.handler.codec.http.HttpResponseStatus;
@@ -83,23 +84,30 @@ public void enforce(FullHttpRequest request, HttpResponder responder) throws Exc
         AuthorizationPrivilege.class);
     LOG.debug("Enforcing for {}", authorizationPrivilege);
     Set<Permission> permissions = authorizationPrivilege.getPermissions();
-    if (authorizationPrivilege.getChildEntityType() != null) {
-      //It's expected that we'll always have one, but let's handle generic case
-      for (Permission permission : permissions) {
-        accessEnforcer.enforceOnParent(authorizationPrivilege.getChildEntityType(),
-            authorizationPrivilege.getEntity(),
-            authorizationPrivilege.getPrincipal(), permission);
+    HttpResponseStatus responseStatus = HttpResponseStatus.OK;
+    try {
+      if (authorizationPrivilege.getChildEntityType() != null) {
+        //It's expected that we'll always have one, but let's handle generic case
+        for (Permission permission : permissions) {
+          accessEnforcer.enforceOnParent(authorizationPrivilege.getChildEntityType(),
+              authorizationPrivilege.getEntity(),
+              authorizationPrivilege.getPrincipal(), permission);
+        }
+      } else {
+        accessEnforcer.enforce(authorizationPrivilege.getEntity(),
+            authorizationPrivilege.getPrincipal(),
+            permissions);
       }
-    } else {
-      accessEnforcer.enforce(authorizationPrivilege.getEntity(),
-          authorizationPrivilege.getPrincipal(),
-          permissions);
+    } catch (UnauthorizedException e) {
+      // In case of UnauthorizedException, we have the audit logs. So, propagating them with proper response instead of
+      // throwing it here as we will loose the audit logs. The caller should handle the logs and throw as needed.
+      responseStatus = HttpResponseStatus.valueOf(e.getStatusCode());
     }
     Queue<AuditLogContext>  auditLogContextQueue = SecurityRequestContext.getAuditLogQueue();
     //Clearing this so it doesn't get double write to messaging queue
     //This should be written by the Client who is calling this service.
     SecurityRequestContext.clearAuditLogQueue();
-    responder.sendJson(HttpResponseStatus.OK, GSON.toJson(auditLogContextQueue));
+    responder.sendJson(responseStatus, GSON.toJson(auditLogContextQueue));
   }
 
   @POST
diff --git a/cdap-security-spi/src/main/java/io/cdap/cdap/security/spi/authorization/UnauthorizedException.java b/cdap-security-spi/src/main/java/io/cdap/cdap/security/spi/authorization/UnauthorizedException.java
@@ -77,11 +77,15 @@ public UnauthorizedException(Principal principal, EntityId entityId) {
   }
 
   public UnauthorizedException(Principal principal, Set<? extends ActionOrPermission> actions,
-      EntityId entityId,
-      boolean mustHaveAllPermissions) {
+      EntityId entityId, boolean mustHaveAllPermissions) {
+    this(principal, actions, entityId, mustHaveAllPermissions, true);
+  }
+
+  public UnauthorizedException(Principal principal, Set<? extends ActionOrPermission> actions,
+                               EntityId entityId, boolean mustHaveAllPermissions, boolean includePrincipal) {
     this(principal.toString(), actions.stream().map(action -> action.toString())
-            .collect(Collectors.toCollection(LinkedHashSet::new)), getEntityLabel(entityId),
-        null, mustHaveAllPermissions, true, null);
+           .collect(Collectors.toCollection(LinkedHashSet::new)), getEntityLabel(entityId),
+         null, mustHaveAllPermissions, includePrincipal, null);
   }
 
   public UnauthorizedException(@Nullable String principal, Set<String> missingPermissions,
diff --git a/cdap-security/src/main/java/io/cdap/cdap/security/authorization/RemoteAccessEnforcer.java b/cdap-security/src/main/java/io/cdap/cdap/security/authorization/RemoteAccessEnforcer.java
@@ -86,6 +86,8 @@ public class RemoteAccessEnforcer extends AbstractAccessEnforcer {
       .enableComplexMapKeySerialization()
       .create();
 
+  private static final Type AUDIT_LOG_QUEUE_TYPE = new TypeToken<LinkedBlockingDeque<AuditLogContext>>(){}.getType();
+
   private static final Type MAP_ENTITY_TYPE = new TypeToken<Map<EntityId, AuthorizationResponse>>() {
   }.getType();
 
@@ -305,19 +307,33 @@ private EnforcementResponse doEnforce(AuthorizationPrivilege authorizationPrivil
     LOG.trace("Remotely enforcing on authorization privilege {}", authorizationPrivilege);
     try {
       HttpResponse response = remoteClient.execute(request);
-
-      Type queueType = new TypeToken<LinkedBlockingDeque<AuditLogContext>>(){}.getType();
-      Queue<AuditLogContext> deserializedQueue = GSON.fromJson(response.getResponseBodyAsString(), queueType);
-
-      if (response.getResponseCode() == HttpURLConnection.HTTP_OK) {
-        return new EnforcementResponse(true, deserializedQueue, null);
+      Queue<AuditLogContext> deserializedQueue = GSON.fromJson(response.getResponseBodyAsString(),
+          AUDIT_LOG_QUEUE_TYPE);
+      switch (response.getResponseCode()) {
+        case HttpURLConnection.HTTP_OK:
+          return new EnforcementResponse(true, deserializedQueue, null);
+
+        default:
+          return new EnforcementResponse(false,
+              deserializedQueue,
+              new IOException(String.format("Failed to enforce with code %d: %s",
+                  response.getResponseCode(),
+                  response.getResponseBodyAsString())));
       }
-      return new EnforcementResponse(false,
-                                     deserializedQueue,
-                                     new IOException(String.format("Failed to enforce with code %d: %s",
-                                        response.getResponseCode(),
-                                        response.getResponseBodyAsString())));
     } catch (UnauthorizedException e) {
+      try {
+        Queue<AuditLogContext> deserializedQueue = GSON.fromJson(e.getMessage(), AUDIT_LOG_QUEUE_TYPE);
+        return new EnforcementResponse(false,
+            deserializedQueue,
+            new UnauthorizedException(
+                authorizationPrivilege.getPrincipal(),
+                authorizationPrivilege.getPermissions(),
+                authorizationPrivilege.getEntity(),
+                true, false));
+
+      } catch (Exception ex) {
+        // no-op
+      }
       return new EnforcementResponse(false, null, e);
     }
   }
