Annotate endpoints that are secured at the workspace level (#22168)

airbyte-commons/src/main/java/io/airbyte/commons/auth/SecuredWorkspace.java

@@ -0,0 +1,23 @@
+/*
+ * Copyright (c) 2022 Airbyte, Inc., all rights reserved.
+ */
+
+package io.airbyte.commons.auth;
+
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Inherited;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+/**
+ * Used to mark a controller route as requiring authorization at the workspace level. Works in
+ * conjunction with {@link io.micronaut.security.annotation.Secured}, which denotes the required
+ * roles that should be associated with the user and workspace.
+ */
+@Retention(RetentionPolicy.RUNTIME)
+@Target({ElementType.METHOD})
+@Inherited
+public @interface SecuredWorkspace {
+
+}

airbyte-server/src/main/java/io/airbyte/server/apis/ConnectionApiController.java

@@ -16,6 +16,7 @@
 import io.airbyte.api.model.generated.ConnectionUpdate;
 import io.airbyte.api.model.generated.JobInfoRead;
 import io.airbyte.api.model.generated.WorkspaceIdRequestBody;
+import io.airbyte.commons.auth.SecuredWorkspace;
 import io.airbyte.commons.server.handlers.ConnectionsHandler;
 import io.airbyte.commons.server.handlers.OperationsHandler;
 import io.airbyte.commons.server.handlers.SchedulerHandler;
@@ -51,27 +52,31 @@ public ConnectionApiController(final ConnectionsHandler connectionsHandler,
   @Override
   @Post(uri = "/create")
   @Secured({EDITOR})
+  @SecuredWorkspace
   public ConnectionRead createConnection(@Body final ConnectionCreate connectionCreate) {
     return ApiHelper.execute(() -> connectionsHandler.createConnection(connectionCreate));
   }
 
   @Override
   @Post(uri = "/update")
   @Secured({EDITOR})
+  @SecuredWorkspace
   public ConnectionRead updateConnection(@Body final ConnectionUpdate connectionUpdate) {
     return ApiHelper.execute(() -> connectionsHandler.updateConnection(connectionUpdate));
   }
 
   @Override
   @Post(uri = "/list")
   @Secured({READER})
+  @SecuredWorkspace
   public ConnectionReadList listConnectionsForWorkspace(@Body final WorkspaceIdRequestBody workspaceIdRequestBody) {
     return ApiHelper.execute(() -> connectionsHandler.listConnectionsForWorkspace(workspaceIdRequestBody));
   }
 
   @Override
   @Post(uri = "/list_all")
   @Secured({READER})
+  @SecuredWorkspace
   public ConnectionReadList listAllConnectionsForWorkspace(@Body final WorkspaceIdRequestBody workspaceIdRequestBody) {
     return ApiHelper.execute(() -> connectionsHandler.listAllConnectionsForWorkspace(workspaceIdRequestBody));
   }
@@ -85,6 +90,7 @@ public ConnectionReadList searchConnections(@Body final ConnectionSearch connect
   @Override
   @Post(uri = "/get")
   @Secured({READER})
+  @SecuredWorkspace
   public ConnectionRead getConnection(@Body final ConnectionIdRequestBody connectionIdRequestBody) {
     return ApiHelper.execute(() -> connectionsHandler.getConnection(connectionIdRequestBody.getConnectionId()));
   }
@@ -93,6 +99,7 @@ public ConnectionRead getConnection(@Body final ConnectionIdRequestBody connecti
   @Post(uri = "/delete")
   @Status(HttpStatus.NO_CONTENT)
   @Secured({EDITOR})
+  @SecuredWorkspace
   public void deleteConnection(@Body final ConnectionIdRequestBody connectionIdRequestBody) {
     ApiHelper.execute(() -> {
       operationsHandler.deleteOperationsForConnection(connectionIdRequestBody);
@@ -104,13 +111,15 @@ public void deleteConnection(@Body final ConnectionIdRequestBody connectionIdReq
   @Override
   @Post(uri = "/sync")
   @Secured({EDITOR})
+  @SecuredWorkspace
   public JobInfoRead syncConnection(@Body final ConnectionIdRequestBody connectionIdRequestBody) {
     return ApiHelper.execute(() -> schedulerHandler.syncConnection(connectionIdRequestBody));
   }
 
   @Override
   @Post(uri = "/reset")
   @Secured({EDITOR})
+  @SecuredWorkspace
   public JobInfoRead resetConnection(@Body final ConnectionIdRequestBody connectionIdRequestBody) {
     return ApiHelper.execute(() -> schedulerHandler.resetConnection(connectionIdRequestBody));
   }

airbyte-server/src/main/java/io/airbyte/server/apis/DestinationApiController.java

@@ -17,6 +17,7 @@
 import io.airbyte.api.model.generated.DestinationSearch;
 import io.airbyte.api.model.generated.DestinationUpdate;
 import io.airbyte.api.model.generated.WorkspaceIdRequestBody;
+import io.airbyte.commons.auth.SecuredWorkspace;
 import io.airbyte.commons.server.handlers.DestinationHandler;
 import io.airbyte.commons.server.handlers.SchedulerHandler;
 import io.micronaut.context.annotation.Requires;
@@ -44,13 +45,15 @@ public DestinationApiController(final DestinationHandler destinationHandler, fin
 
   @Post(uri = "/check_connection")
   @Secured({EDITOR})
+  @SecuredWorkspace
   @Override
   public CheckConnectionRead checkConnectionToDestination(@Body final DestinationIdRequestBody destinationIdRequestBody) {
     return ApiHelper.execute(() -> schedulerHandler.checkDestinationConnectionFromDestinationId(destinationIdRequestBody));
   }
 
   @Post(uri = "/check_connection_for_update")
   @Secured({EDITOR})
+  @SecuredWorkspace
   @Override
   public CheckConnectionRead checkConnectionToDestinationForUpdate(@Body final DestinationUpdate destinationUpdate) {
     return ApiHelper.execute(() -> schedulerHandler.checkDestinationConnectionFromDestinationIdForUpdate(destinationUpdate));
@@ -64,13 +67,15 @@ public DestinationRead cloneDestination(@Body final DestinationCloneRequestBody
 
   @Post(uri = "/create")
   @Secured({EDITOR})
+  @SecuredWorkspace
   @Override
   public DestinationRead createDestination(@Body final DestinationCreate destinationCreate) {
     return ApiHelper.execute(() -> destinationHandler.createDestination(destinationCreate));
   }
 
   @Post(uri = "/delete")
   @Secured({EDITOR})
+  @SecuredWorkspace
   @Override
   @Status(HttpStatus.NO_CONTENT)
   public void deleteDestination(@Body final DestinationIdRequestBody destinationIdRequestBody) {
@@ -82,13 +87,15 @@ public void deleteDestination(@Body final DestinationIdRequestBody destinationId
 
   @Post(uri = "/get")
   @Secured({READER})
+  @SecuredWorkspace
   @Override
   public DestinationRead getDestination(@Body final DestinationIdRequestBody destinationIdRequestBody) {
     return ApiHelper.execute(() -> destinationHandler.getDestination(destinationIdRequestBody));
   }
 
   @Post(uri = "/list")
   @Secured({READER})
+  @SecuredWorkspace
   @Override
   public DestinationReadList listDestinationsForWorkspace(@Body final WorkspaceIdRequestBody workspaceIdRequestBody) {
     return ApiHelper.execute(() -> destinationHandler.listDestinationsForWorkspace(workspaceIdRequestBody));
@@ -102,6 +109,7 @@ public DestinationReadList searchDestinations(@Body final DestinationSearch dest
 
   @Post(uri = "/update")
   @Secured({EDITOR})
+  @SecuredWorkspace
   @Override
   public DestinationRead updateDestination(@Body final DestinationUpdate destinationUpdate) {
     return ApiHelper.execute(() -> destinationHandler.updateDestination(destinationUpdate));

airbyte-server/src/main/java/io/airbyte/server/apis/DestinationDefinitionApiController.java

@@ -19,6 +19,7 @@
 import io.airbyte.api.model.generated.PrivateDestinationDefinitionRead;
 import io.airbyte.api.model.generated.PrivateDestinationDefinitionReadList;
 import io.airbyte.api.model.generated.WorkspaceIdRequestBody;
+import io.airbyte.commons.auth.SecuredWorkspace;
 import io.airbyte.commons.server.handlers.DestinationDefinitionsHandler;
 import io.micronaut.context.annotation.Context;
 import io.micronaut.context.annotation.Requires;
@@ -44,6 +45,7 @@ public DestinationDefinitionApiController(final DestinationDefinitionsHandler de
 
   @Post(uri = "/create_custom")
   @Secured({EDITOR})
+  @SecuredWorkspace
   @Override
   public DestinationDefinitionRead createCustomDestinationDefinition(final CustomDestinationDefinitionCreate customDestinationDefinitionCreate) {
     return ApiHelper.execute(() -> destinationDefinitionsHandler.createCustomDestinationDefinition(customDestinationDefinitionCreate));
@@ -69,6 +71,7 @@ public DestinationDefinitionRead getDestinationDefinition(final DestinationDefin
 
   @Post(uri = "/get_for_workspace")
   @Secured({READER})
+  @SecuredWorkspace
   @Override
   public DestinationDefinitionRead getDestinationDefinitionForWorkspace(final DestinationDefinitionIdWithWorkspaceId destinationDefinitionIdWithWorkspaceId) {
     return ApiHelper.execute(() -> destinationDefinitionsHandler.getDestinationDefinitionForWorkspace(destinationDefinitionIdWithWorkspaceId));
@@ -91,6 +94,7 @@ public DestinationDefinitionReadList listDestinationDefinitions() {
 
   @Post(uri = "/list_for_workspace")
   @Secured({READER})
+  @SecuredWorkspace
   @Override
   public DestinationDefinitionReadList listDestinationDefinitionsForWorkspace(final WorkspaceIdRequestBody workspaceIdRequestBody) {
     return ApiHelper.execute(() -> destinationDefinitionsHandler.listDestinationDefinitionsForWorkspace(workspaceIdRequestBody));

airbyte-server/src/main/java/io/airbyte/server/apis/DestinationOauthApiController.java

@@ -12,6 +12,7 @@
 import io.airbyte.api.model.generated.DestinationOauthConsentRequest;
 import io.airbyte.api.model.generated.OAuthConsentRead;
 import io.airbyte.api.model.generated.SetInstancewideDestinationOauthParamsRequestBody;
+import io.airbyte.commons.auth.SecuredWorkspace;
 import io.airbyte.commons.server.handlers.OAuthHandler;
 import io.micronaut.context.annotation.Context;
 import io.micronaut.context.annotation.Requires;
@@ -36,13 +37,15 @@ public DestinationOauthApiController(final OAuthHandler oAuthHandler) {
 
   @Post("/complete_oauth")
   @Secured({EDITOR})
+  @SecuredWorkspace
   @Override
   public Map<String, Object> completeDestinationOAuth(final CompleteDestinationOAuthRequest completeDestinationOAuthRequest) {
     return ApiHelper.execute(() -> oAuthHandler.completeDestinationOAuth(completeDestinationOAuthRequest));
   }
 
   @Post("/get_consent_url")
   @Secured({EDITOR})
+  @SecuredWorkspace
   @Override
   public OAuthConsentRead getDestinationOAuthConsent(final DestinationOauthConsentRequest destinationOauthConsentRequest) {
     return ApiHelper.execute(() -> oAuthHandler.getDestinationOAuthConsent(destinationOauthConsentRequest));

airbyte-server/src/main/java/io/airbyte/server/apis/JobsApiController.java

@@ -18,6 +18,7 @@
 import io.airbyte.api.model.generated.JobListRequestBody;
 import io.airbyte.api.model.generated.JobOptionalRead;
 import io.airbyte.api.model.generated.JobReadList;
+import io.airbyte.commons.auth.SecuredWorkspace;
 import io.airbyte.commons.server.handlers.JobHistoryHandler;
 import io.airbyte.commons.server.handlers.SchedulerHandler;
 import io.micronaut.context.annotation.Context;
@@ -44,6 +45,7 @@ public JobsApiController(final JobHistoryHandler jobHistoryHandler, final Schedu
 
   @Post("/cancel")
   @Secured({EDITOR})
+  @SecuredWorkspace
   @Override
   public JobInfoRead cancelJob(final JobIdRequestBody jobIdRequestBody) {
     return ApiHelper.execute(() -> schedulerHandler.cancelJob(jobIdRequestBody));
@@ -58,20 +60,23 @@ public AttemptNormalizationStatusReadList getAttemptNormalizationStatusesForJob(
 
   @Post("/get_debug_info")
   @Secured({READER})
+  @SecuredWorkspace
   @Override
   public JobDebugInfoRead getJobDebugInfo(final JobIdRequestBody jobIdRequestBody) {
     return ApiHelper.execute(() -> jobHistoryHandler.getJobDebugInfo(jobIdRequestBody));
   }
 
   @Post("/get")
   @Secured({READER})
+  @SecuredWorkspace
   @Override
   public JobInfoRead getJobInfo(final JobIdRequestBody jobIdRequestBody) {
     return ApiHelper.execute(() -> jobHistoryHandler.getJobInfo(jobIdRequestBody));
   }
 
   @Post("/get_light")
   @Secured({READER})
+  @SecuredWorkspace
   @Override
   public JobInfoLightRead getJobInfoLight(final JobIdRequestBody jobIdRequestBody) {
     return ApiHelper.execute(() -> jobHistoryHandler.getJobInfoLight(jobIdRequestBody));
@@ -86,6 +91,7 @@ public JobOptionalRead getLastReplicationJob(final ConnectionIdRequestBody conne
 
   @Post("/list")
   @Secured({READER})
+  @SecuredWorkspace
   @Override
   public JobReadList listJobsFor(final JobListRequestBody jobListRequestBody) {
     return ApiHelper.execute(() -> jobHistoryHandler.listJobsFor(jobListRequestBody));

airbyte-server/src/main/java/io/airbyte/server/apis/OperationApiController.java

@@ -17,6 +17,7 @@
 import io.airbyte.api.model.generated.OperationReadList;
 import io.airbyte.api.model.generated.OperationUpdate;
 import io.airbyte.api.model.generated.OperatorConfiguration;
+import io.airbyte.commons.auth.SecuredWorkspace;
 import io.airbyte.commons.server.handlers.OperationsHandler;
 import io.micronaut.context.annotation.Requires;
 import io.micronaut.http.HttpStatus;
@@ -49,12 +50,14 @@ public CheckOperationRead checkOperation(@Body final OperatorConfiguration opera
   @Post("/create")
   @Override
   @Secured({EDITOR})
+  @SecuredWorkspace
   public OperationRead createOperation(@Body final OperationCreate operationCreate) {
     return ApiHelper.execute(() -> operationsHandler.createOperation(operationCreate));
   }
 
   @Post("/delete")
   @Secured({EDITOR})
+  @SecuredWorkspace
   @Override
   @Status(HttpStatus.NO_CONTENT)
   public void deleteOperation(@Body final OperationIdRequestBody operationIdRequestBody) {
@@ -66,20 +69,23 @@ public void deleteOperation(@Body final OperationIdRequestBody operationIdReques
 
   @Post("/get")
   @Secured({READER})
+  @SecuredWorkspace
   @Override
   public OperationRead getOperation(@Body final OperationIdRequestBody operationIdRequestBody) {
     return ApiHelper.execute(() -> operationsHandler.getOperation(operationIdRequestBody));
   }
 
   @Post("/list")
   @Secured({READER})
+  @SecuredWorkspace
   @Override
   public OperationReadList listOperationsForConnection(@Body final ConnectionIdRequestBody connectionIdRequestBody) {
     return ApiHelper.execute(() -> operationsHandler.listOperationsForConnection(connectionIdRequestBody));
   }
 
   @Post("/update")
   @Secured({EDITOR})
+  @SecuredWorkspace
   @Override
   public OperationRead updateOperation(@Body final OperationUpdate operationUpdate) {
     return ApiHelper.execute(() -> operationsHandler.updateOperation(operationUpdate));

airbyte-server/src/main/java/io/airbyte/server/apis/SchedulerApiController.java

@@ -12,6 +12,7 @@
 import io.airbyte.api.model.generated.DestinationCoreConfig;
 import io.airbyte.api.model.generated.SourceCoreConfig;
 import io.airbyte.api.model.generated.SourceDiscoverSchemaRead;
+import io.airbyte.commons.auth.SecuredWorkspace;
 import io.airbyte.commons.server.handlers.SchedulerHandler;
 import io.micronaut.context.annotation.Requires;
 import io.micronaut.http.annotation.Controller;
@@ -47,6 +48,7 @@ public CheckConnectionRead executeSourceCheckConnection(final SourceCoreConfig s
 
   @Post("/sources/discover_schema")
   @Secured({EDITOR})
+  @SecuredWorkspace
   @Override
   public SourceDiscoverSchemaRead executeSourceDiscoverSchema(final SourceCoreConfig sourceCoreConfig) {
     return ApiHelper.execute(() -> schedulerHandler.discoverSchemaForSourceFromSourceCreate(sourceCoreConfig));