NIFI-15875 Standardize Authorization for Verify Configuration Methods (#11179)

* NIFI-15875 Standardized Authorization for Verify Configuration Methods

- Added AuthorizeConfigVerification class for shared component authorization handling

* NIFI-15875 Added Parameter Reference authorization

Author: exceptionfactory

nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/authorization/AuthorizeConfigVerification.java

@@ -0,0 +1,84 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.authorization;
+
+import org.apache.nifi.authorization.resource.Authorizable;
+import org.apache.nifi.authorization.user.NiFiUser;
+import org.apache.nifi.authorization.user.NiFiUserUtils;
+import org.apache.nifi.parameter.ParameterContext;
+
+import java.util.Map;
+
+/**
+ * Authorizes configuration-verification requests for any component type that supports verification.
+ * Requires WRITE on the target component, plus READ on any Controller Services referenced by
+ * the proposed properties.
+ */
+public final class AuthorizeConfigVerification {
+
+    private AuthorizeConfigVerification() {
+    }
+
+    /**
+     * Authorize a configuration-verification request against a single ComponentAuthorizable
+     *
+     * @param authorizer Authorizer used for determining results
+     * @param lookup Authorizable Lookup used to resolve referenced Controller Services
+     * @param component Component whose configuration is being verified
+     * @param proposedProperties Properties submitted for verification
+     */
+    public static void authorize(
+            final Authorizer authorizer,
+            final AuthorizableLookup lookup,
+            final ComponentAuthorizable component,
+            final Map<String, String> proposedProperties
+    ) {
+        authorize(authorizer, lookup, component, proposedProperties, null);
+    }
+
+    /**
+     * Authorize a configuration-verification request against a single ComponentAuthorizable with an optional ancestor
+     *
+     * @param authorizer Authorizer used for determining results
+     * @param lookup Authorizable Lookup used to resolve referenced Controller Services
+     * @param component Component whose configuration is being verified
+     * @param proposedProperties Properties submitted for verification
+     * @param ancestor optional parent Authorizable that must also be authorized
+     */
+    public static void authorize(
+            final Authorizer authorizer,
+            final AuthorizableLookup lookup,
+            final ComponentAuthorizable component,
+            final Map<String, String> proposedProperties,
+            final Authorizable ancestor
+    ) {
+        final NiFiUser user = NiFiUserUtils.getNiFiUser();
+
+        if (ancestor != null) {
+            ancestor.authorize(authorizer, RequestAction.WRITE, user);
+        }
+
+        component.getAuthorizable().authorize(authorizer, RequestAction.WRITE, user);
+
+        AuthorizeControllerServiceReference.authorizeControllerServiceReferences(proposedProperties, component, authorizer, lookup);
+
+        final ParameterContext parameterContext = component.getParameterContext();
+        if (parameterContext != null) {
+            AuthorizeParameterReference.authorizeParameterReferences(proposedProperties, authorizer, parameterContext, user);
+        }
+    }
+}

nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ControllerResource.java

@@ -41,6 +41,7 @@
 import jakarta.ws.rs.core.StreamingOutput;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.nifi.authorization.AuthorizeComponentReference;
+import org.apache.nifi.authorization.AuthorizeConfigVerification;
 import org.apache.nifi.authorization.AuthorizeControllerServiceReference;
 import org.apache.nifi.authorization.Authorizer;
 import org.apache.nifi.authorization.ComponentAuthorizable;
@@ -1252,7 +1253,9 @@ public Response analyzeFlowAnalysisRuleConfiguration(
                     "issuing a GET request to /flow-analysis-rules/{taskId}/verification-requests/{requestId}. Once the request is completed, the client is expected to issue a DELETE request to " +
                     "/flow-analysis-rules/{serviceId}/verification-requests/{requestId}.",
             security = {
-                    @SecurityRequirement(name = "Read - /flow-analysis-rules/{uuid}")
+                    @SecurityRequirement(name = "Write - /controller"),
+                    @SecurityRequirement(name = "Write - /flow-analysis-rules/{uuid}"),
+                    @SecurityRequirement(name = "Read - any referenced Controller Services - /controller-services/{uuid}")
             }
     )
     public Response submitFlowAnalysisRuleConfigVerificationRequest(
@@ -1286,7 +1289,7 @@ public Response submitFlowAnalysisRuleConfigVerificationRequest(
         return withWriteLock(
                 serviceFacade,
                 flowAnalysisRuleConfigRequest,
-                lookup -> authorizeController(RequestAction.READ),
+                lookup -> AuthorizeConfigVerification.authorize(authorizer, lookup, lookup.getFlowAnalysisRule(flowAnalysisRuleId), requestDto.getProperties(), lookup.getController()),
                 () -> serviceFacade.verifyCanVerifyFlowAnalysisRuleConfig(flowAnalysisRuleId),
                 entity -> performAsyncFlowAnalysisRuleConfigVerification(entity, user)
         );
@@ -1596,7 +1599,8 @@ public Response analyzeFlowRegistryClientConfiguration(
                     + "/controller/registry-clients/{clientId}/config/verification-requests/{requestId} for status and "
                     + "DELETE the request once verification completes.",
             security = {
-                    @SecurityRequirement(name = "Read - /controller")
+                    @SecurityRequirement(name = "Write - /controller/registry-clients/{uuid}"),
+                    @SecurityRequirement(name = "Read - any referenced Controller Services - /controller-services/{uuid}")
             }
     )
     public Response submitRegistryClientConfigVerificationRequest(
@@ -1630,10 +1634,7 @@ public Response submitRegistryClientConfigVerificationRequest(
         return withWriteLock(
                 serviceFacade,
                 registryClientConfigRequest,
-                lookup -> {
-                    final Authorizable authorizable = lookup.getFlowRegistryClient(registryClientId).getAuthorizable();
-                    authorizable.authorize(authorizer, RequestAction.READ, user);
-                },
+                lookup -> AuthorizeConfigVerification.authorize(authorizer, lookup, lookup.getFlowRegistryClient(registryClientId), requestDto.getProperties()),
                 () -> serviceFacade.verifyCanVerifyFlowRegistryClientConfig(registryClientId),
                 entity -> performAsyncRegistryClientConfigVerification(entity, user)
         );

nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ControllerServiceResource.java

@@ -40,6 +40,7 @@
 import jakarta.ws.rs.core.Response;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.nifi.authorization.AuthorizeComponentReference;
+import org.apache.nifi.authorization.AuthorizeConfigVerification;
 import org.apache.nifi.authorization.AuthorizeControllerServiceReference;
 import org.apache.nifi.authorization.Authorizer;
 import org.apache.nifi.authorization.ComponentAuthorizable;
@@ -993,7 +994,8 @@ public Response analyzeConfiguration(
                     "issuing a GET request to /controller-services/{serviceId}/verification-requests/{requestId}. Once the request is completed, the client is expected to issue a DELETE request to " +
                     "/controller-services/{serviceId}/verification-requests/{requestId}.",
             security = {
-                    @SecurityRequirement(name = "Read - /controller-services/{uuid}")
+                    @SecurityRequirement(name = "Write - /controller-services/{uuid}"),
+                    @SecurityRequirement(name = "Read - any referenced Controller Services - /controller-services/{uuid}")
             }
     )
     public Response submitConfigVerificationRequest(
@@ -1027,13 +1029,8 @@ public Response submitConfigVerificationRequest(
         return withWriteLock(
                 serviceFacade,
                 controllerServiceConfigRequest,
-                lookup -> {
-                    final ComponentAuthorizable controllerService = lookup.getControllerService(controllerServiceId);
-                    controllerService.getAuthorizable().authorize(authorizer, RequestAction.READ, NiFiUserUtils.getNiFiUser());
-                },
-                () -> {
-                    serviceFacade.verifyCanVerifyControllerServiceConfig(controllerServiceId);
-                },
+                lookup -> AuthorizeConfigVerification.authorize(authorizer, lookup, lookup.getControllerService(controllerServiceId), requestDto.getProperties()),
+                () -> serviceFacade.verifyCanVerifyControllerServiceConfig(controllerServiceId),
                 entity -> performAsyncConfigVerification(entity, user)
         );
     }

nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ParameterProviderResource.java

@@ -43,6 +43,7 @@
 import org.apache.commons.lang3.StringUtils;
 import org.apache.nifi.authorization.AuthorizableLookup;
 import org.apache.nifi.authorization.AuthorizeComponentReference;
+import org.apache.nifi.authorization.AuthorizeConfigVerification;
 import org.apache.nifi.authorization.AuthorizeControllerServiceReference;
 import org.apache.nifi.authorization.Authorizer;
 import org.apache.nifi.authorization.ComponentAuthorizable;
@@ -1227,7 +1228,8 @@ public Response analyzeConfiguration(
                     "issuing a GET request to /parameter-providers/{serviceId}/verification-requests/{requestId}. Once the request is completed, the client is expected to issue a DELETE request to " +
                     "/parameter-providers/{providerId}/verification-requests/{requestId}.",
             security = {
-                    @SecurityRequirement(name = "Read - /parameter-providers/{uuid}")
+                    @SecurityRequirement(name = "Write - /parameter-providers/{uuid}"),
+                    @SecurityRequirement(name = "Read - any referenced Controller Services - /controller-services/{uuid}")
             }
     )
     public Response submitConfigVerificationRequest(
@@ -1260,13 +1262,8 @@ public Response submitConfigVerificationRequest(
         return withWriteLock(
                 serviceFacade,
                 parameterProviderConfigRequest,
-                lookup -> {
-                    final ComponentAuthorizable parameterProvider = lookup.getParameterProvider(parameterProviderId);
-                    parameterProvider.getAuthorizable().authorize(authorizer, RequestAction.READ, NiFiUserUtils.getNiFiUser());
-                },
-                () -> {
-                    serviceFacade.verifyCanVerifyParameterProviderConfig(parameterProviderId);
-                },
+                lookup -> AuthorizeConfigVerification.authorize(authorizer, lookup, lookup.getParameterProvider(parameterProviderId), requestDto.getProperties()),
+                () -> serviceFacade.verifyCanVerifyParameterProviderConfig(parameterProviderId),
                 entity -> performAsyncConfigVerification(entity, user)
         );
     }

nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ProcessorResource.java

@@ -40,6 +40,7 @@
 import jakarta.ws.rs.core.Response;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.nifi.authorization.AuthorizeComponentReference;
+import org.apache.nifi.authorization.AuthorizeConfigVerification;
 import org.apache.nifi.authorization.AuthorizeControllerServiceReference;
 import org.apache.nifi.authorization.Authorizer;
 import org.apache.nifi.authorization.ComponentAuthorizable;
@@ -703,7 +704,8 @@ public Response analyzeConfiguration(
                     "issuing a GET request to /processors/{processorId}/verification-requests/{requestId}. Once the request is completed, the client is expected to issue a DELETE request to " +
                     "/processors/{processorId}/verification-requests/{requestId}.",
             security = {
-                    @SecurityRequirement(name = "Read - /processors/{uuid}")
+                    @SecurityRequirement(name = "Write - /processors/{uuid}"),
+                    @SecurityRequirement(name = "Read - any referenced Controller Services - /controller-services/{uuid}")
             }
     )
     public Response submitProcessorVerificationRequest(
@@ -736,13 +738,8 @@ public Response submitProcessorVerificationRequest(
         return withWriteLock(
                 serviceFacade,
                 processorConfigRequest,
-                lookup -> {
-                    final ComponentAuthorizable processor = lookup.getProcessor(processorId);
-                    processor.getAuthorizable().authorize(authorizer, RequestAction.READ, NiFiUserUtils.getNiFiUser());
-                },
-                () -> {
-                    serviceFacade.verifyCanVerifyProcessorConfig(processorId);
-                },
+                lookup -> AuthorizeConfigVerification.authorize(authorizer, lookup, lookup.getProcessor(processorId), requestDto.getProperties()),
+                () -> serviceFacade.verifyCanVerifyProcessorConfig(processorId),
                 entity -> performAsyncConfigVerification(entity, user)
         );
     }

nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ReportingTaskResource.java

@@ -40,6 +40,7 @@
 import jakarta.ws.rs.core.Response;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.nifi.authorization.AuthorizeComponentReference;
+import org.apache.nifi.authorization.AuthorizeConfigVerification;
 import org.apache.nifi.authorization.AuthorizeControllerServiceReference;
 import org.apache.nifi.authorization.Authorizer;
 import org.apache.nifi.authorization.ComponentAuthorizable;
@@ -795,7 +796,8 @@ public Response analyzeConfiguration(
                     "issuing a GET request to /reporting-tasks/{taskId}/verification-requests/{requestId}. Once the request is completed, the client is expected to issue a DELETE request to " +
                     "/reporting-tasks/{serviceId}/verification-requests/{requestId}.",
             security = {
-                    @SecurityRequirement(name = "Read - /reporting-tasks/{uuid}")
+                    @SecurityRequirement(name = "Write - /reporting-tasks/{uuid}"),
+                    @SecurityRequirement(name = "Read - any referenced Controller Services - /controller-services/{uuid}")
             }
     )
     public Response submitConfigVerificationRequest(
@@ -828,13 +830,8 @@ public Response submitConfigVerificationRequest(
         return withWriteLock(
                 serviceFacade,
                 reportingTaskConfigRequest,
-                lookup -> {
-                    final ComponentAuthorizable reportingTask = lookup.getReportingTask(reportingTaskId);
-                    reportingTask.getAuthorizable().authorize(authorizer, RequestAction.READ, NiFiUserUtils.getNiFiUser());
-                },
-                () -> {
-                    serviceFacade.verifyCanVerifyReportingTaskConfig(reportingTaskId);
-                },
+                lookup -> AuthorizeConfigVerification.authorize(authorizer, lookup, lookup.getReportingTask(reportingTaskId), requestDto.getProperties()),
+                () -> serviceFacade.verifyCanVerifyReportingTaskConfig(reportingTaskId),
                 entity -> performAsyncConfigVerification(entity, user)
         );
     }