[User management] Disabling user management in auth when user managem…

…ent feature is disabled [DPP-827] (#12503) CHANGELOG_BEGIN CHANGELOG_END
digital-asset · Jan 25, 2022 · 42d86ac · 42d86ac
1 parent 13153de
commit 42d86ac
Show file tree

Hide file tree

Showing 5 changed files with 69 additions and 33 deletions.
diff --git a/...a/bindings-rxjava/src/test/scala/com/daml/ledger/rxjava/grpc/helpers/LedgerServices.scala b/...a/bindings-rxjava/src/test/scala/com/daml/ledger/rxjava/grpc/helpers/LedgerServices.scala
@@ -94,7 +94,7 @@ final class LedgerServices(val ledgerId: String) {
   ): Server = {
     val authorizationInterceptor = AuthorizationInterceptor(
       authService,
-      new InMemoryUserManagementStore(),
+      Some(new InMemoryUserManagementStore()),
       executionContext,
       new ErrorCodesVersionSwitcher(enableSelfServiceErrorCodes = true),
     )

diff --git a/ledger/error/src/main/scala/com/daml/error/definitions/LedgerApiErrors.scala b/ledger/error/src/main/scala/com/daml/error/definitions/LedgerApiErrors.scala
@@ -304,6 +304,12 @@ object LedgerApiErrors extends LedgerApiErrorGroup {
       ) extends LoggingTransactionErrorImpl(
             cause = "The command is missing a (valid) JWT token"
           )
+
+      case class UserBasedAuthenticationIsDisabled()(implicit
+          loggingContext: ContextualizedErrorLogger
+      ) extends LoggingTransactionErrorImpl(
+            cause = "User based authentication is disabled."
+          )
     }
 
     @Explanation("An internal system authorization error occurred.")

diff --git a/...rc/main/scala/com/digitalasset/ledger/api/auth/interceptor/AuthorizationInterceptor.scala b/...rc/main/scala/com/digitalasset/ledger/api/auth/interceptor/AuthorizationInterceptor.scala
@@ -3,6 +3,7 @@
 
 package com.daml.ledger.api.auth.interceptor
 
+import com.daml.error.definitions.LedgerApiErrors
 import com.daml.error.{DamlContextualizedErrorLogger, ErrorCodesVersionSwitcher}
 import com.daml.ledger.api.auth._
 import com.daml.ledger.api.domain.UserRight
@@ -18,10 +19,12 @@ import scala.util.{Failure, Success, Try}
 
 /** This interceptor uses the given [[AuthService]] to get [[Claims]] for the current request,
   * and then stores them in the current [[Context]].
+  *
+  * @param userManagementStoreO - use None if user management is disabled
   */
 final class AuthorizationInterceptor(
     authService: AuthService,
-    userManagementStore: UserManagementStore,
+    userManagementStoreO: Option[UserManagementStore],
     implicit val ec: ExecutionContext,
     errorCodesVersionSwitcher: ErrorCodesVersionSwitcher,
 )(implicit loggingContext: LoggingContext)
@@ -77,37 +80,59 @@ final class AuthorizationInterceptor(
   private[this] def resolveAuthenticatedUserRights(claimSet: ClaimSet): Future[ClaimSet] =
     claimSet match {
       case ClaimSet.AuthenticatedUser(userIdStr, participantId, expiration) =>
-        Ref.UserId.fromString(userIdStr) match {
-          case Left(err) =>
-            Future.failed(
-              errorFactories.invalidArgument(None)(s"token $err")(errorLogger)
-            )
-          case Right(userId) =>
-            userManagementStore
-              .listUserRights(userId)
-              .flatMap {
-                case Left(msg) =>
-                  Future.failed(
-                    errorFactories.permissionDenied(
-                      s"Could not resolve rights for user '$userId' due to '$msg'"
-                    )(errorLogger)
-                  )
-                case Right(userClaims) =>
-                  Future.successful(
-                    ClaimSet.Claims(
-                      claims = userClaims.view.map(userRightToClaim).toList.prepended(ClaimPublic),
-                      ledgerId = None,
-                      participantId = participantId,
-                      applicationId = Some(userId),
-                      expiration = expiration,
-                      resolvedFromUser = true,
-                    )
-                  )
-              }
+        for {
+          userManagementStore <- getUserManagementStore(userManagementStoreO)
+          userId <- getUserId(userIdStr)
+          userRightsResult <- userManagementStore.listUserRights(userId)
+          claimsSet <- userRightsResult match {
+            case Left(msg) =>
+              Future.failed(
+                errorFactories.permissionDenied(
+                  s"Could not resolve rights for user '$userId' due to '$msg'"
+                )(errorLogger)
+              )
+            case Right(userClaims) =>
+              Future.successful(
+                ClaimSet.Claims(
+                  claims = userClaims.view.map(userRightToClaim).toList.prepended(ClaimPublic),
+                  ledgerId = None,
+                  participantId = participantId,
+                  applicationId = Some(userId),
+                  expiration = expiration,
+                  resolvedFromUser = true,
+                )
+              )
+          }
+        } yield {
+          claimsSet
         }
       case _ => Future.successful(claimSet)
     }
 
+  private[this] def getUserManagementStore(
+      userManagementStoreO: Option[UserManagementStore]
+  ): Future[UserManagementStore] =
+    userManagementStoreO match {
+      case None =>
+        Future.failed(
+          LedgerApiErrors.AuthorizationChecks.Unauthenticated
+            .UserBasedAuthenticationIsDisabled()(errorLogger)
+            .asGrpcError
+        )
+      case Some(userManagementStore) =>
+        Future.successful(userManagementStore)
+    }
+
+  private[this] def getUserId(userIdStr: String): Future[Ref.UserId] =
+    Ref.UserId.fromString(userIdStr) match {
+      case Left(err) =>
+        Future.failed(
+          errorFactories.invalidArgument(None)(s"token $err")(errorLogger)
+        )
+      case Right(userId) =>
+        Future.successful(userId)
+    }
+
   private[this] def userRightToClaim(r: UserRight): Claim = r match {
     case UserRight.CanActAs(p) => ClaimActAsParty(Ref.Party.assertFromString(p))
     case UserRight.CanReadAs(p) => ClaimReadAsParty(Ref.Party.assertFromString(p))
@@ -133,11 +158,11 @@ object AuthorizationInterceptor {
 
   def apply(
       authService: AuthService,
-      userManagementStore: UserManagementStore,
+      userManagementStoreO: Option[UserManagementStore],
       ec: ExecutionContext,
       errorCodesStatusSwitcher: ErrorCodesVersionSwitcher,
   ): AuthorizationInterceptor =
     LoggingContext.newLoggingContext { implicit loggingContext: LoggingContext =>
-      new AuthorizationInterceptor(authService, userManagementStore, ec, errorCodesStatusSwitcher)
+      new AuthorizationInterceptor(authService, userManagementStoreO, ec, errorCodesStatusSwitcher)
     }
 }
diff --git a/.../src/test/suite/scala/com/digitalasset/ledger/api/auth/AuthorizationInterceptorSpec.scala b/.../src/test/suite/scala/com/digitalasset/ledger/api/auth/AuthorizationInterceptorSpec.scala
@@ -66,7 +66,12 @@ class AuthorizationInterceptorSpec
 
     val errorCodesStatusSwitcher = new ErrorCodesVersionSwitcher(usesSelfServiceErrorCodes)
     val authorizationInterceptor =
-      AuthorizationInterceptor(authService, userManagementService, global, errorCodesStatusSwitcher)
+      AuthorizationInterceptor(
+        authService,
+        Some(userManagementService),
+        global,
+        errorCodesStatusSwitcher,
+      )
 
     val statusCaptor = ArgCaptor[Status]
     val metadataCaptor = ArgCaptor[Metadata]

diff --git a/...r/participant-integration-api/src/main/scala/platform/apiserver/StandaloneApiServer.scala b/...r/participant-integration-api/src/main/scala/platform/apiserver/StandaloneApiServer.scala
@@ -128,7 +128,7 @@ object StandaloneApiServer {
         config.tlsConfig,
         AuthorizationInterceptor(
           authService,
-          userManagementStore,
+          Option.when(config.enableUserManagement)(userManagementStore),
           servicesExecutionContext,
           errorCodesVersionSwitcher,
         ) :: otherInterceptors,