coursera · josh-newman · Jul 19, 2016 · Jul 19, 2016
diff --git a/naptime/src/main/scala/org/coursera/naptime/access/StructuredAccessControl.scala b/naptime/src/main/scala/org/coursera/naptime/access/StructuredAccessControl.scala
@@ -42,7 +42,7 @@ case class StructuredAccessControl[A](
     Authenticator.authenticateAndRecover(authenticator, requestHeader).map { decoratedOption =>
       decoratedOption.map { either =>
         either.right.flatMap { decorated =>
-          Authorizer.toResponse(authorizer.authorize(decorated), decorated)
+          Authorizer.toResponse(authorizer, decorated)
         }
       }.getOrElse {
         StructuredAccessControl.missingResponse
@@ -51,7 +51,7 @@ case class StructuredAccessControl[A](
   }
 
   override private[naptime] def check(authInfo: A): Either[NaptimeActionException, A] = {
-    Authorizer.toResponse(authorizer.authorize(authInfo), authInfo)
+    Authorizer.toResponse(authorizer, authInfo)
   }
 }
 
@@ -64,4 +64,52 @@ object StructuredAccessControl {
       Some("Missing authentication")))
   }
 
+  /**
+   * Implementation note: The [[Authenticator]] is supposed to generate the authentication data.
+   * In this case, the resulting authentication data depends on the _authorizers_ in the input
+   * access controls because it reflects which authorizers accepted. Thus we run the individual
+   * authorizers in the combined access control's authenticator and generate an aggregated result
+   * in the combined authorizer.
+   */
+  def anyOf[A, B](
+      controlA: StructuredAccessControl[A],
+      controlB: StructuredAccessControl[B]):
+    StructuredAccessControl[(Option[A], Option[B])] = {
+
+    type AA = (Option[A], Option[B])
+
+    val authenticator: Authenticator[AA] = new Authenticator[AA] {
+      def maybeAuthenticate(
+          requestHeader: RequestHeader)
+          (implicit ec: ExecutionContext): Future[Option[Either[NaptimeActionException, AA]]] = {
+        for {
+          maybeAuthenticationA <- Authenticator.authenticateAndRecover(
+            controlA.authenticator, requestHeader)
+          maybeAuthenticationB <- Authenticator.authenticateAndRecover(
+            controlB.authenticator, requestHeader)
+        } yield {
+          val resultA = maybeAuthenticationA
+            .map(_.right.flatMap(Authorizer.toResponse(controlA.authorizer, _)))
+          val resultB = maybeAuthenticationB
+            .map(_.right.flatMap(Authorizer.toResponse(controlB.authorizer, _)))
+
+          (resultA, resultB) match {
+            case (Some(Left(errorA)), Some(Left(_))) =>
+              // If all return errors, return one of them, just so error information is not lost.
+              Some(Left(errorA))
+            case _ =>
+              Some(Right((resultA.flatMap(_.right.toOption), resultB.flatMap(_.right.toOption))))
+          }
+        }
+      }
+    }
+
+    val authorizer: Authorizer[AA] = Authorizer {
+      case (None, None) => AuthorizeResult.Rejected("No successful checks")
+      case _ => AuthorizeResult.Authorized
+    }
+
+    StructuredAccessControl(authenticator, authorizer)
+  }
+
 }
diff --git a/naptime/src/main/scala/org/coursera/naptime/access/authorizer/Authorizer.scala b/naptime/src/main/scala/org/coursera/naptime/access/authorizer/Authorizer.scala
@@ -29,7 +29,7 @@ trait Authorizer[-A] {
   def authorize(authentication: A): AuthorizeResult
 
   def check(authentication: A): Unit = {
-    Authorizer.toResponse(authorize(authentication), ()).left.foreach(throw _)
+    Authorizer.toResponse(this, authentication).left.foreach(throw _)
   }
 
   /**
@@ -45,9 +45,10 @@ object Authorizer {
     override def authorize(authentication: A): AuthorizeResult = f(authentication)
   }
 
-  def toResponse[T](result: AuthorizeResult, rawResponse: T): Either[NaptimeActionException, T] = {
-    result match {
-      case AuthorizeResult.Authorized => Right(rawResponse)
+  private[access] def toResponse[A](authorizer: Authorizer[A], authentication: A):
+    Either[NaptimeActionException, A] = {
+    authorizer.authorize(authentication) match {
+      case AuthorizeResult.Authorized => Right(authentication)
       case AuthorizeResult.Rejected(message, details) =>
         Left(NaptimeActionException(FORBIDDEN, Some("auth.perms"), Some(message), details))
       case AuthorizeResult.Failed(message, details) =>