Authz hardening: secure registry load, tighter fallback policy, and policy change events (#30)

Changed: Fix auth registry being loaded in insecure mode
Changed: authPolicyRegistryFactory plugin
Changed: Emit PolicyChanged when policies update
Changed: Restrict fallback policy to stream access
Changed: Rename PolicyType to DefaultPolicyType
Changed: Explicitly deny stream operations in fallback policy, skip
PolicyRegistry setup when a custom authz plugin is configured
Changed: StreamBasedAuthPolicyRegistry tests
Changed: Use custom Publisher and longer timeouts

Signed-off-by: JOSE FUXA <[email protected]>

Author: j-fuxa

src/EventStore.ClusterNode/AuthorizationPolicyRegistryFactory.cs

@@ -0,0 +1,122 @@
+#nullable enable
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Threading.Tasks;
+using EventStore.Common.Exceptions;
+using EventStore.Core;
+using EventStore.Core.Authorization.AuthorizationPolicies;
+using EventStore.Core.Bus;
+using EventStore.PluginHosting;
+using EventStore.Plugins;
+using EventStore.Plugins.Subsystems;
+using Microsoft.AspNetCore.Builder;
+using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.DependencyInjection;
+using Serilog;
+
+namespace EventStore.ClusterNode;
+
+public class AuthorizationPolicyRegistryFactory : SubsystemsPlugin
+{
+	private readonly ILogger _logger = Log.ForContext<AuthorizationPolicyRegistryFactory>();
+	private readonly IPolicySelectorFactory[] _pluginSelectorFactories = [];
+	private readonly Func<IPublisher, IAuthorizationPolicyRegistry> _createRegistry;
+	private IAuthorizationPolicyRegistry? _authorizationPolicyRegistry;
+
+	public AuthorizationPolicyRegistryFactory(ClusterVNodeOptions options, IConfiguration configuration,
+		PluginLoader pluginLoader)
+	{
+		if (options.Application.Insecure)
+		{
+			_createRegistry = _ => new StaticAuthorizationPolicyRegistry([]);
+			return;
+		}
+
+		// Load up all policy selectors in the plugins directory
+		var factories = pluginLoader.Load<IPolicySelectorFactory>();
+		_pluginSelectorFactories = factories?
+			.Select(x =>
+			{
+				_logger.Information("Loaded Authorization Policy plugin: {plugin}.", x.CommandLineName);
+				return x;
+			}).ToArray() ?? [];
+
+		// Set up the legacy policy selector factory
+		var allowAnonymousEndpointAccess = options.Application.AllowAnonymousEndpointAccess;
+		var allowAnonymousStreamAccess = options.Application.AllowAnonymousStreamAccess;
+		var overrideAnonymousGossipEndpointAccess = options.Application.OverrideAnonymousEndpointAccessForGossip;
+		var legacyPolicyFactory = new LegacyPolicySelectorFactory(
+			allowAnonymousEndpointAccess,
+			allowAnonymousStreamAccess,
+			overrideAnonymousGossipEndpointAccess);
+
+		// Check if there is a default policy type. Use this if the settings stream is empty
+		var defaultPolicyType =
+			configuration.GetValue<string>("EventStore:Authorization:DefaultPolicyType") ?? string.Empty;
+		AuthorizationPolicySettings defaultSettings;
+		if (!string.IsNullOrEmpty(defaultPolicyType))
+		{
+			if (_pluginSelectorFactories.Any(x => x.CommandLineName == defaultPolicyType))
+			{
+				defaultSettings = new AuthorizationPolicySettings(defaultPolicyType);
+			}
+			else
+			{
+				throw new InvalidConfigurationException(
+					$"No authorization policy with the name '{defaultPolicyType}' has been registered. " +
+					$"Available authorization policies are: {string.Join(", ", _pluginSelectorFactories.Select(x => x.CommandLineName))}");
+			}
+		}
+		else
+		{
+			// No default policy type configured. Use ACLs.
+			defaultSettings = new AuthorizationPolicySettings(LegacyPolicySelectorFactory.LegacyPolicySelectorName);
+		}
+
+		// There are no plugins and a default policy type wasn't configured.
+		// Don't use the stream based registry
+		if (_pluginSelectorFactories.Length == 0)
+		{
+			_logger.Information("No authorization policy plugins found. Only ACLs will be used.");
+			_createRegistry = publisher =>
+				new StaticAuthorizationPolicyRegistry([legacyPolicyFactory.Create(publisher)]);
+			return;
+		}
+
+		_logger.Information("The default authorization policy settings are: {settings}", defaultSettings);
+		_createRegistry = publisher => new StreamBasedAuthorizationPolicyRegistry(publisher,
+			legacyPolicyFactory.Create(publisher), _pluginSelectorFactories, defaultSettings);
+	}
+
+	// Use a factory rather than ConfigureApplication because the authorization providers
+	// are built (and requires this registry) before ConfigureApplication is called
+	public IAuthorizationPolicyRegistry Create(IPublisher publisher)
+	{
+		if (_authorizationPolicyRegistry is not null)
+		{
+			return _authorizationPolicyRegistry;
+		}
+
+		_authorizationPolicyRegistry = _createRegistry(publisher);
+		return _authorizationPolicyRegistry;
+	}
+
+	public override IReadOnlyList<ISubsystem> GetSubsystems()
+	{
+		var subsystems = new List<ISubsystem> { this };
+		// ReSharper disable once SuspiciousTypeConversion.Global
+		subsystems.AddRange(_pluginSelectorFactories.OfType<ISubsystem>());
+		return subsystems.ToArray();
+	}
+
+	public override Task Start()
+	{
+		return _authorizationPolicyRegistry!.Start();
+	}
+
+	public override Task Stop()
+	{
+		return _authorizationPolicyRegistry!.Stop();
+	}
+}

src/EventStore.ClusterNode/ClusterVNodeHostedService.cs

@@ -15,7 +15,6 @@
 using EventStore.Core.Authentication.InternalAuthentication;
 using EventStore.Core.Authentication.PassthroughAuthentication;
 using EventStore.Core.Authorization;
-using EventStore.Core.Bus;
 using EventStore.Core.Certificates;
 using EventStore.Core.Hashing;
 using EventStore.Core.LogAbstraction;
@@ -110,20 +109,20 @@ public ClusterVNodeHostedService(
 			? _options.Application.Config
 			: _options.Auth.AuthenticationConfig;
 
-		(_options, var policySelectorsFactory) = ConfigurePolicySelectorsFactory();
+		(_options, var authProviderFactory) = GetAuthorizationProviderFactory();
 		if (_options.Database.DbLogFormat == DbLogFormat.V2)
 		{
 			var logFormatFactory = new LogV2FormatAbstractorFactory();
 			Node = ClusterVNode.Create(_options, logFormatFactory, GetAuthenticationProviderFactory(),
-				GetAuthorizationProviderFactory(policySelectorsFactory),
+				authProviderFactory,
 				GetPersistentSubscriptionConsumerStrategyFactories(), certificateProvider,
 				configuration);
 		}
 		else if (_options.Database.DbLogFormat == DbLogFormat.ExperimentalV3)
 		{
 			var logFormatFactory = new LogV3FormatAbstractorFactory();
 			Node = ClusterVNode.Create(_options, logFormatFactory, GetAuthenticationProviderFactory(),
-				GetAuthorizationProviderFactory(policySelectorsFactory),
+				authProviderFactory,
 				GetPersistentSubscriptionConsumerStrategyFactories(), certificateProvider,
 				configuration);
 		}
@@ -139,81 +138,26 @@ public ClusterVNodeHostedService(
 		RegisterWebControllers(enabledNodeSubsystems);
 		return;
 
-		(ClusterVNodeOptions, PolicySelectorsFactory) ConfigurePolicySelectorsFactory()
+		(ClusterVNodeOptions, AuthorizationProviderFactory) GetAuthorizationProviderFactory()
 		{
 			if (_options.Application.Insecure)
 			{
-				return (_options, new PolicySelectorsFactory());
+				return (_options, new AuthorizationProviderFactory(_ => new PassthroughAuthorizationProviderFactory()));
 			}
 
-			var defaultPolicySelector = new LegacyPolicySelectorFactory(
-				_options.Application.AllowAnonymousEndpointAccess,
-				_options.Application.AllowAnonymousStreamAccess,
-				_options.Application.OverrideAnonymousEndpointAccessForGossip);
-
-			// Temporary: get the policy plugin configuration
-			// TODO: Allow specifying multiple policy selectors
-			var policyPluginType =
-				_options.ConfigurationRoot!.GetValue<string>("EventStore:Plugins:Authorization:PolicyType") ??
-				string.Empty;
-
-			var policyPlugins = pluginLoader.Load<IPolicySelectorFactory>().ToArray();
-			var policySelectors = new Dictionary<string, IPolicySelectorFactory>();
-			foreach (var policyPlugin in policyPlugins)
-			{
-				try
-				{
-					var commandLine = policyPlugin.Name.Replace("Plugin", "").ToLowerInvariant();
-					Log.Information(
-						"Loaded authorization policy plugin: {plugin} version {version} (Command Line: {commandLine})",
-						policyPlugin.Name, policyPlugin.Version, commandLine);
-					policySelectors.Add(commandLine, policyPlugin);
-				}
-				catch (CompositionException ex)
-				{
-					Log.Error(ex, "Error loading authorization policy plugin.");
+			var modifiedOptions = _options;
+			if (_options.Auth.AuthorizationType.Equals("internal", StringComparison.InvariantCultureIgnoreCase)) {
+				var registryFactory = new AuthorizationPolicyRegistryFactory(_options, configuration, pluginLoader);
+				foreach (var authSubsystem in registryFactory.GetSubsystems()) {
+					modifiedOptions = modifiedOptions.WithPlugableComponent(authSubsystem);
 				}
-			}
 
-			if (policyPluginType == string.Empty)
-			{
-				Log.Information("Using default authorization policy");
-				return (_options, new PolicySelectorsFactory(defaultPolicySelector));
+				var internalFactory = new AuthorizationProviderFactory(components =>
+					new InternalAuthorizationProviderFactory(registryFactory.Create(components.MainQueue)));
+				return (modifiedOptions, internalFactory);
 			}
-			if (!policySelectors.TryGetValue(policyPluginType, out var selectedPolicy))
-			{
-				throw new ApplicationInitializationException(
-					$"The authorization policy plugin type {policyPluginType} is not recognised. If this is supposed " +
-					$"to be provided by an authorization policy plugin, confirm the plugin DLL is located in {Locations.PluginsDirectory}." +
-					Environment.NewLine +
-					$"Valid options for authorization policies are: {string.Join(", ", policySelectors.Keys)}.");
-			}
-
-			Log.Information("Using authorization policy plugin: {plugin} version {version}", selectedPolicy.Name,
-				selectedPolicy.Version);
-			// Policies will be applied in order, so the default should always be last
-			var factory = new PolicySelectorsFactory([selectedPolicy, defaultPolicySelector]);
 
-			if (selectedPolicy is IPlugableComponent plugablePolicy)
-			{
-				return (_options.WithPlugableComponent(plugablePolicy), factory);
-			}
-			return (_options, factory);
-		}
-
-		AuthorizationProviderFactory GetAuthorizationProviderFactory(PolicySelectorsFactory policySelectorsFactory)
-		{
-			if (_options.Application.Insecure)
-			{
-				return new AuthorizationProviderFactory(_ => new PassthroughAuthorizationProviderFactory());
-			}
-			var authorizationTypeToPlugin = new Dictionary<string, AuthorizationProviderFactory> {
-				{
-					"internal", new AuthorizationProviderFactory(components =>
-						new InternalAuthorizationProviderFactory(policySelectorsFactory.Create(components))
-					)
-				}
-			};
+			var authorizationTypeToPlugin = new Dictionary<string, AuthorizationProviderFactory> { };
 
 			foreach (var potentialPlugin in pluginLoader.Load<IAuthorizationPlugin>())
 			{
@@ -224,8 +168,9 @@ AuthorizationProviderFactory GetAuthorizationProviderFactory(PolicySelectorsFact
 						"Loaded authorization plugin: {plugin} version {version} (Command Line: {commandLine})",
 						potentialPlugin.Name, potentialPlugin.Version, commandLine);
 					authorizationTypeToPlugin.Add(commandLine,
-						new AuthorizationProviderFactory(_ =>
-							potentialPlugin.GetAuthorizationProviderFactory(authorizationConfig)));
+						new AuthorizationProviderFactory(
+							_ => potentialPlugin.GetAuthorizationProviderFactory(authorizationConfig)
+						));
 				}
 				catch (CompositionException ex)
 				{
@@ -243,7 +188,7 @@ AuthorizationProviderFactory GetAuthorizationProviderFactory(PolicySelectorsFact
 					$"Valid options for authorization are: {string.Join(", ", authorizationTypeToPlugin.Keys)}.");
 			}
 
-			return factory;
+			return (modifiedOptions, factory);
 		}
 
 		static CompositionContainer FindPlugins()

src/EventStore.Core.Tests/Authorization/LegacyPolicyVerification.cs

@@ -5,6 +5,7 @@
 using System.Threading;
 using System.Threading.Tasks;
 using EventStore.Core.Authorization;
+using EventStore.Core.Authorization.AuthorizationPolicies;
 using EventStore.Core.Bus;
 using EventStore.Core.Data;
 using EventStore.Core.Messages;
@@ -41,10 +42,11 @@ public LegacyPolicyVerification(bool allowAnonymousEndpointAccess, bool allowAno
 		_allowAnonymousEndpointAccess = allowAnonymousEndpointAccess;
 		_allowAnonymousStreamAccess = allowAnonymousStreamAccess;
 		_overrideAnonymousGossipEndpointAccess = overrideAnonymousGossipEndpointAccess;
-		_authorizationProvider = new InternalAuthorizationProviderFactory([new LegacyPolicySelectorFactory(
-			allowAnonymousEndpointAccess,
-			allowAnonymousStreamAccess,
-			overrideAnonymousGossipEndpointAccess).Create(_aclResponder, default)])
+		_authorizationProvider = new InternalAuthorizationProviderFactory(
+				new StaticAuthorizationPolicyRegistry([new LegacyPolicySelectorFactory(
+					allowAnonymousEndpointAccess,
+					allowAnonymousStreamAccess,
+					overrideAnonymousGossipEndpointAccess).Create(_aclResponder)]))
 			.Build();
 	}
 

src/EventStore.Core.Tests/ClientOperations/specification_with_bare_vnode.cs

@@ -5,6 +5,7 @@
 using EventStore.Core.Authentication;
 using EventStore.Core.Authentication.InternalAuthentication;
 using EventStore.Core.Authorization;
+using EventStore.Core.Authorization.AuthorizationPolicies;
 using EventStore.Core.Bus;
 using EventStore.Core.Certificates;
 using EventStore.Core.Messaging;
@@ -28,11 +29,11 @@ public void CreateTestNode()
 		_node = new ClusterVNode<TStreamId>(options, logFormatFactory,
 			new AuthenticationProviderFactory(
 				c => new InternalAuthenticationProviderFactory(c, options.DefaultUser)),
-			new AuthorizationProviderFactory(c => new InternalAuthorizationProviderFactory([
-			new LegacyPolicySelectorFactory(
-				options.Application.AllowAnonymousEndpointAccess,
-				options.Application.AllowAnonymousStreamAccess,
-				options.Application.OverrideAnonymousEndpointAccessForGossip).Create(c.MainQueue, default)])),
+			new AuthorizationProviderFactory(c => new InternalAuthorizationProviderFactory(
+				new StaticAuthorizationPolicyRegistry([new LegacyPolicySelectorFactory(
+					options.Application.AllowAnonymousEndpointAccess,
+					options.Application.AllowAnonymousStreamAccess,
+					options.Application.OverrideAnonymousEndpointAccessForGossip).Create(c.MainQueue)]))),
 			certificateProvider: new OptionsCertificateProvider());
 
 		var builder = WebApplication.CreateBuilder();

src/EventStore.Core.Tests/Helpers/MiniClusterNode.cs

@@ -11,6 +11,7 @@
 using EventStore.Core.Authentication;
 using EventStore.Core.Authentication.InternalAuthentication;
 using EventStore.Core.Authorization;
+using EventStore.Core.Authorization.AuthorizationPolicies;
 using EventStore.Core.Bus;
 using EventStore.Core.Certificates;
 using EventStore.Core.Data;
@@ -191,11 +192,12 @@ public MiniClusterNode(string pathname, int debugIndex, IPEndPoint internalTcp,
 				components =>
 					new InternalAuthenticationProviderFactory(components, options.DefaultUser)),
 			new AuthorizationProviderFactory(components =>
-				new InternalAuthorizationProviderFactory([new LegacyPolicySelectorFactory(
-					options.Application.AllowAnonymousEndpointAccess,
-					options.Application.AllowAnonymousStreamAccess,
-					options.Application.OverrideAnonymousEndpointAccessForGossip).Create(components.MainQueue, default)])),
-			Array.Empty<IPersistentSubscriptionConsumerStrategyFactory>(),
+				new InternalAuthorizationProviderFactory(
+					new StaticAuthorizationPolicyRegistry([new LegacyPolicySelectorFactory(
+						options.Application.AllowAnonymousEndpointAccess,
+						options.Application.AllowAnonymousStreamAccess,
+						options.Application.OverrideAnonymousEndpointAccessForGossip).Create(components.MainQueue)]))),
+			[],
 			new OptionsCertificateProvider(),
 			configuration: inMemConf,
 			expiryStrategy,

src/EventStore.Core.Tests/Helpers/MiniNode.cs

@@ -11,6 +11,7 @@
 using EventStore.Core.Authentication;
 using EventStore.Core.Authentication.InternalAuthentication;
 using EventStore.Core.Authorization;
+using EventStore.Core.Authorization.AuthorizationPolicies;
 using EventStore.Core.Bus;
 using EventStore.Core.Certificates;
 using EventStore.Core.Configuration.Sources;
@@ -215,11 +216,11 @@ public MiniNode(string pathname,
 					c,
 					options.DefaultUser)),
 			new AuthorizationProviderFactory(
-				c => authorizationProviderFactory ?? new InternalAuthorizationProviderFactory([
-				new LegacyPolicySelectorFactory(
-					options.Application.AllowAnonymousEndpointAccess,
-					options.Application.AllowAnonymousStreamAccess,
-					options.Application.OverrideAnonymousEndpointAccessForGossip).Create(c.MainQueue, default)])),
+				c => authorizationProviderFactory ?? new InternalAuthorizationProviderFactory(
+					new StaticAuthorizationPolicyRegistry([new LegacyPolicySelectorFactory(
+						options.Application.AllowAnonymousEndpointAccess,
+						options.Application.AllowAnonymousStreamAccess,
+						options.Application.OverrideAnonymousEndpointAccessForGossip).Create(c.MainQueue)]))),
 			expiryStrategy: expiryStrategy,
 			certificateProvider: new OptionsCertificateProvider(),
 			configuration: inMemConf,