Yicong-Huang opened a new issue, #4904:
URL: https://github.com/apache/texera/issues/4904

   ### What happened?
   
   `@RolesAllowed` annotations on microservice resources are **not enforced** 
because none of the microservices register Jersey's 
`RolesAllowedDynamicFeature`. The annotations are decorative — anyone with a 
valid JWT can hit endpoints labeled `@RolesAllowed(Array("ADMIN"))`, regardless 
of the user's role.
   
   `workflow-compiling-service` is worse: it registers neither `JwtAuthFilter` 
nor `RolesAllowedDynamicFeature`, so its `@RolesAllowed` endpoint runs without 
any authentication or authorization at all.
   
   `amber` correctly registers `RolesAllowedDynamicFeature` 
(`amber/.../web/TexeraWebApplication.scala:142` and 
`amber/.../web/ComputingUnitMaster.scala:172`), so its annotations work as 
intended.
   
   | Service | `JwtAuthFilter` | `RolesAllowedDynamicFeature` | uses `@RolesAllowed`? |
   |---|---|---|---|
   | access-control-service | yes | **no** | no |
   | config-service | yes | **no** | yes (2 places) |
   | file-service | yes | **no** | no |
   | computing-unit-managing-service | yes | **no** | yes (10+ places) |
   | workflow-compiling-service | **no** | **no** | yes (1 place) |
   | amber (`TexeraWebApplication`, `ComputingUnitMaster`) | yes | yes | yes |
   
   Concrete decorative annotations:
   
   - `config-service/.../resource/ConfigResource.scala:32, 66` — `@RolesAllowed(Array("REGULAR", "ADMIN"))`
   - `computing-unit-managing-service/.../resource/ComputingUnitManagingResource.scala:252, 262, 276, 491, 594, 642, 682, 736, 751` — `@RolesAllowed(Array("REGULAR", "ADMIN"))`
   - `computing-unit-managing-service/.../resource/ComputingUnitAccessResource.scala:104` — same
   - `workflow-compiling-service/.../resource/WorkflowCompilationResource.scala:59` — same (and the request is unauthenticated to begin with)
   
   ### How to reproduce?
   
   1. Issue a JWT for a user whose role is below the one a `@RolesAllowed` 
annotation requires (e.g. role `INACTIVE` against 
`@RolesAllowed(Array("REGULAR", "ADMIN"))`).
   2. `curl -H "Authorization: Bearer <that-token>" 
http://localhost:<port>/api/<annotated-endpoint>` against `config-service` or 
`computing-unit-managing-service`.
   3. Observe: the request succeeds with `200`. The role check is silently 
skipped.
   4. For `workflow-compiling-service`, omit the token entirely: any request 
reaches the resource method. No `JwtAuthFilter` runs because the service never 
registers it.
   
   ### Branch
   
   main
   
   ### Commit Hash (Optional)
   
   786a920796
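The wiring that turns `@RolesAllowed` from decoration into enforcement, shown as an added example that is not Texera's code: a Dropwizard 2 / Jersey service that registers its JWT request filter and `RolesAllowedDynamicFeature` together, with the filter installing a `SecurityContext` whose `isUserInRole` answers from the token's role. That method is the only thing the feature's per-method filter consults, so registering the feature without a populated `SecurityContext` (or the reverse, as in the services listed above) leaves the annotation without effect. `ServiceConfig`, `ExampleJwtAuthFilter`, `TokenVerifier`, `AdminResource`, the `role` claim name, the `JWT_SECRET` variable and the use of the jjwt library are all assumptions made for this example.

```scala
import io.dropwizard.Application
import io.dropwizard.setup.Environment
import io.jsonwebtoken.{Claims, Jwts}
import io.jsonwebtoken.security.Keys
import org.glassfish.jersey.server.filter.RolesAllowedDynamicFeature

import java.security.Principal
import javax.annotation.Priority
import javax.annotation.security.RolesAllowed
import javax.ws.rs.{GET, Path, Priorities, Produces}
import javax.ws.rs.container.{ContainerRequestContext, ContainerRequestFilter}
import javax.ws.rs.core.{MediaType, Response, SecurityContext}
import javax.ws.rs.ext.Provider
import scala.util.Try

// Assumed configuration type (not Texera's). Reading the secret with apply()
// makes startup fail if JWT_SECRET is unset, rather than running unauthenticated.
class ServiceConfig extends io.dropwizard.Configuration {
  val jwtSecret: Array[Byte] = sys.env("JWT_SECRET").getBytes("UTF-8")
}

// Verifies the HMAC signature and extracts (subject, role) using jjwt (assumption).
// Keys.hmacShaKeyFor rejects secrets shorter than 256 bits at construction time.
class TokenVerifier(secret: Array[Byte]) {
  private val key = Keys.hmacShaKeyFor(secret)
  def verify(token: String): Option[(String, String)] = Try {
    val claims: Claims =
      Jwts.parserBuilder().setSigningKey(key).build().parseClaimsJws(token).getBody
    (claims.getSubject, claims.get("role", classOf[String])) // "role" claim name is assumed
  }.toOption.filter { case (sub, role) => sub != null && role != null }
}

// Runs at AUTHENTICATION priority, before the role filter that
// RolesAllowedDynamicFeature binds to each annotated method.
@Provider
@Priority(Priorities.AUTHENTICATION)
class ExampleJwtAuthFilter(verifier: TokenVerifier) extends ContainerRequestFilter {
  override def filter(ctx: ContainerRequestContext): Unit = {
    val header = Option(ctx.getHeaderString("Authorization")).getOrElse("")
    val token = if (header.startsWith("Bearer ")) header.drop("Bearer ".length) else ""
    verifier.verify(token) match {
      case None =>
        // Missing or invalid token: stop here with 401 before any resource method runs.
        ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED).build())
      case Some((subject, role)) =>
        val secure = ctx.getSecurityContext != null && ctx.getSecurityContext.isSecure
        ctx.setSecurityContext(new SecurityContext {
          override def getUserPrincipal: Principal =
            new Principal { override def getName: String = subject }
          // The single method @RolesAllowed enforcement depends on.
          override def isUserInRole(r: String): Boolean = r == role
          override def isSecure: Boolean = secure
          override def getAuthenticationScheme: String = "Bearer"
        })
    }
  }
}

@Path("/admin")
class AdminResource {
  @GET
  @Produces(Array(MediaType.TEXT_PLAIN))
  @RolesAllowed(Array("ADMIN")) // honoured only once RolesAllowedDynamicFeature is registered
  def stats(): String = "admin-only data"
}

class ExampleService extends Application[ServiceConfig] {
  override def run(config: ServiceConfig, env: Environment): Unit = {
    val jersey = env.jersey()
    jersey.register(new ExampleJwtAuthFilter(new TokenVerifier(config.jwtSecret)))
    // Without this registration every @RolesAllowed in this service is a no-op:
    // Jersey never attaches the role-checking filter to the annotated methods.
    // The feature is per application, so each microservice must register it itself.
    jersey.register(classOf[RolesAllowedDynamicFeature])
    jersey.register(new AdminResource)
  }
}

object ExampleService {
  def main(args: Array[String]): Unit = new ExampleService().run(args: _*)
}
```

With both registrations in place, a request carrying a valid token whose role is not in the annotation is rejected by Jersey's role filter with `403 Forbidden`, a request with no usable token is rejected by the authentication filter with `401`, and only a token with role `ADMIN` reaches `stats()`. A regression test for this class of bug is a per-service check that an authenticated request with a role below the annotation returns 403 rather than 200, so that a service which registers the filter but not the feature fails the build.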


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.