Merge branch 'master' of https://github.com/linkedin/datahub

Author: Dexter Lee

datahub-frontend/app/auth/ConfigUtil.java

@@ -1,27 +1,32 @@
 package auth;
 
+import com.typesafe.config.Config;
+import java.util.Optional;
+
+
 public class ConfigUtil {
 
-  private ConfigUtil() { }
+  private ConfigUtil() {
+  }
 
-  public static String getRequired(
-      final com.typesafe.config.Config configs,
-      final String path) {
+  public static String getRequired(final Config configs, final String path) {
     if (!configs.hasPath(path)) {
-      throw new IllegalArgumentException(
-          String.format("Missing required config with path %s", path));
+      throw new IllegalArgumentException(String.format("Missing required config with path %s", path));
     }
     return configs.getString(path);
   }
 
-  public static String getOptional
-      (final com.typesafe.config.Config configs,
-      final String path,
-      final String defaultVal) {
+  public static String getOptional(final Config configs, final String path, final String defaultVal) {
     if (!configs.hasPath(path)) {
       return defaultVal;
     }
     return configs.getString(path);
   }
 
+  public static Optional<String> getOptional(final Config configs, final String path) {
+    if (!configs.hasPath(path)) {
+      return Optional.empty();
+    }
+    return Optional.of(configs.getString(path));
+  }
 }

datahub-frontend/app/auth/sso/oidc/OidcCallbackLogic.java

@@ -214,7 +214,7 @@ private List<CorpGroupSnapshot> extractGroups(CommonProfile profile) {
     final OidcConfigs configs = (OidcConfigs) _ssoManager.getSsoProvider().configs();
 
     // First, attempt to extract a list of groups from the profile, using the group name attribute config.
-    final String groupsClaimName = configs.groupsClaimName();
+    final String groupsClaimName = configs.getGroupsClaimName();
     if (profile.containsAttribute(groupsClaimName)) {
       try {
         final List<CorpGroupSnapshot> groupSnapshots = new ArrayList<>();

datahub-frontend/app/auth/sso/oidc/OidcConfigs.java

@@ -1,13 +1,16 @@
 package auth.sso.oidc;
 
 import auth.sso.SsoConfigs;
+import java.util.Optional;
+import lombok.Getter;
 
 import static auth.ConfigUtil.*;
 
 
 /**
  * Class responsible for extracting and validating OIDC related configurations.
  */
+@Getter
 public class OidcConfigs extends SsoConfigs {
 
     /**
@@ -29,6 +32,10 @@ public class OidcConfigs extends SsoConfigs {
     public static final String OIDC_PRE_PROVISIONING_REQUIRED_CONFIG_PATH = "auth.oidc.preProvisioningRequired";
     public static final String OIDC_EXTRACT_GROUPS_ENABLED = "auth.oidc.extractGroupsEnabled";
     public static final String OIDC_GROUPS_CLAIM_CONFIG_PATH_CONFIG_PATH = "auth.oidc.groupsClaim"; // Claim expected to be an array of group names.
+    public static final String OIDC_RESPONSE_TYPE = "auth.oidc.responseType";
+    public static final String OIDC_RESPONSE_MODE = "auth.oidc.responseMode";
+    public static final String OIDC_USE_NONCE = "auth.oidc.useNonce";
+    public static final String OIDC_CUSTOM_PARAM_RESOURCE = "auth.oidc.customParam.resource";
 
     /**
      * Default values
@@ -43,85 +50,45 @@ public class OidcConfigs extends SsoConfigs {
     private static final String DEFAULT_OIDC_EXTRACT_GROUPS_ENABLED = "true";
     private static final String DEFAULT_OIDC_GROUPS_CLAIM = "groups";
 
-    private String _clientId;
-    private String _clientSecret;
-    private String _discoveryUri;
-    private String _userNameClaim;
-    private String _userNameClaimRegex;
-    private String _scope;
-    private String _clientName;
-    private String _clientAuthenticationMethod;
-    private boolean _jitProvisioningEnabled;
-    private boolean _preProvisioningRequired;
-    private boolean _extractGroupsEnabled;
-    private String _groupsClaimName;
+    private String clientId;
+    private String clientSecret;
+    private String discoveryUri;
+    private String userNameClaim;
+    private String userNameClaimRegex;
+    private String scope;
+    private String clientName;
+    private String clientAuthenticationMethod;
+    private boolean jitProvisioningEnabled;
+    private boolean preProvisioningRequired;
+    private boolean extractGroupsEnabled;
+    private String groupsClaimName;
+    private Optional<String> responseType;
+    private Optional<String> responseMode;
+    private Optional<Boolean> useNonce;
+    private Optional<String> customParamResource;
 
     public OidcConfigs(final com.typesafe.config.Config configs) {
         super(configs);
-        _clientId = getRequired(configs, OIDC_CLIENT_ID_CONFIG_PATH);
-        _clientSecret = getRequired(configs, OIDC_CLIENT_SECRET_CONFIG_PATH);
-        _discoveryUri = getRequired(configs, OIDC_DISCOVERY_URI_CONFIG_PATH);
-        _userNameClaim = getOptional(configs, OIDC_USERNAME_CLAIM_CONFIG_PATH, DEFAULT_OIDC_USERNAME_CLAIM);
-        _userNameClaimRegex =
+        clientId = getRequired(configs, OIDC_CLIENT_ID_CONFIG_PATH);
+        clientSecret = getRequired(configs, OIDC_CLIENT_SECRET_CONFIG_PATH);
+        discoveryUri = getRequired(configs, OIDC_DISCOVERY_URI_CONFIG_PATH);
+        userNameClaim = getOptional(configs, OIDC_USERNAME_CLAIM_CONFIG_PATH, DEFAULT_OIDC_USERNAME_CLAIM);
+        userNameClaimRegex =
             getOptional(configs, OIDC_USERNAME_CLAIM_REGEX_CONFIG_PATH, DEFAULT_OIDC_USERNAME_CLAIM_REGEX);
-        _scope = getOptional(configs, OIDC_SCOPE_CONFIG_PATH, DEFAULT_OIDC_SCOPE);
-        _clientName = getOptional(configs, OIDC_CLIENT_NAME_CONFIG_PATH, DEFAULT_OIDC_CLIENT_NAME);
-        _clientAuthenticationMethod = getOptional(configs, OIDC_CLIENT_AUTHENTICATION_METHOD_CONFIG_PATH,
+        scope = getOptional(configs, OIDC_SCOPE_CONFIG_PATH, DEFAULT_OIDC_SCOPE);
+        clientName = getOptional(configs, OIDC_CLIENT_NAME_CONFIG_PATH, DEFAULT_OIDC_CLIENT_NAME);
+        clientAuthenticationMethod = getOptional(configs, OIDC_CLIENT_AUTHENTICATION_METHOD_CONFIG_PATH,
             DEFAULT_OIDC_CLIENT_AUTHENTICATION_METHOD);
-        _jitProvisioningEnabled = Boolean.parseBoolean(
+        jitProvisioningEnabled = Boolean.parseBoolean(
             getOptional(configs, OIDC_JIT_PROVISIONING_ENABLED_CONFIG_PATH, DEFAULT_OIDC_JIT_PROVISIONING_ENABLED));
-        _preProvisioningRequired = Boolean.parseBoolean(
+        preProvisioningRequired = Boolean.parseBoolean(
             getOptional(configs, OIDC_PRE_PROVISIONING_REQUIRED_CONFIG_PATH, DEFAULT_OIDC_PRE_PROVISIONING_REQUIRED));
-        _extractGroupsEnabled = Boolean.parseBoolean(
+        extractGroupsEnabled = Boolean.parseBoolean(
             getOptional(configs, OIDC_EXTRACT_GROUPS_ENABLED, DEFAULT_OIDC_EXTRACT_GROUPS_ENABLED));
-        _groupsClaimName = getOptional(configs, OIDC_GROUPS_CLAIM_CONFIG_PATH_CONFIG_PATH, DEFAULT_OIDC_GROUPS_CLAIM);
-    }
-
-    public boolean isJitProvisioningEnabled() {
-        return _jitProvisioningEnabled;
-    }
-
-    public boolean isPreProvisioningRequired() {
-        return _preProvisioningRequired;
-    }
-
-    public String getClientId() {
-        return _clientId;
-    }
-
-    public String getClientSecret() {
-        return _clientSecret;
-    }
-
-    public String getDiscoveryUri() {
-        return _discoveryUri;
-    }
-
-    public String getUserNameClaim() {
-        return _userNameClaim;
-    }
-
-    public String getUserNameClaimRegex() {
-        return _userNameClaimRegex;
-    }
-
-    public String getScope() {
-        return _scope;
-    }
-
-    public String getClientName() {
-        return _clientName;
-    }
-
-    public boolean isExtractGroupsEnabled() {
-        return _extractGroupsEnabled;
-    }
-
-    public String groupsClaimName() {
-        return _groupsClaimName;
-    }
-
-    public String getClientAuthenticationMethod() {
-        return _clientAuthenticationMethod;
+        groupsClaimName = getOptional(configs, OIDC_GROUPS_CLAIM_CONFIG_PATH_CONFIG_PATH, DEFAULT_OIDC_GROUPS_CLAIM);
+        responseType = getOptional(configs, OIDC_RESPONSE_TYPE);
+        responseMode = getOptional(configs, OIDC_RESPONSE_MODE);
+        useNonce = getOptional(configs, OIDC_USE_NONCE).map(Boolean::parseBoolean);
+        customParamResource = getOptional(configs, OIDC_CUSTOM_PARAM_RESOURCE);
     }
 }

datahub-frontend/app/auth/sso/oidc/OidcProvider.java

@@ -1,11 +1,12 @@
 package auth.sso.oidc;
 
+import auth.sso.SsoProvider;
+import com.google.common.collect.ImmutableMap;
 import org.pac4j.core.client.Client;
 import org.pac4j.core.http.callback.PathParameterCallbackUrlResolver;
 import org.pac4j.oidc.config.OidcConfiguration;
 import org.pac4j.oidc.credentials.OidcCredentials;
 import org.pac4j.oidc.profile.OidcProfile;
-import auth.sso.SsoProvider;
 
 
 /**
@@ -51,8 +52,14 @@ private Client<OidcCredentials, OidcProfile> createPac4jClient() {
     oidcConfiguration.setDiscoveryURI(_oidcConfigs.getDiscoveryUri());
     oidcConfiguration.setClientAuthenticationMethodAsString(_oidcConfigs.getClientAuthenticationMethod());
     oidcConfiguration.setScope(_oidcConfigs.getScope());
+    _oidcConfigs.getResponseType().ifPresent(oidcConfiguration::setResponseType);
+    _oidcConfigs.getResponseMode().ifPresent(oidcConfiguration::setResponseType);
+    _oidcConfigs.getUseNonce().ifPresent(oidcConfiguration::setUseNonce);
+    _oidcConfigs.getCustomParamResource()
+        .ifPresent(value -> oidcConfiguration.setCustomParams(ImmutableMap.of("resource", value)));
 
-    final org.pac4j.oidc.client.OidcClient<OidcProfile, OidcConfiguration>  oidcClient = new org.pac4j.oidc.client.OidcClient<>(oidcConfiguration);
+    final org.pac4j.oidc.client.OidcClient<OidcProfile, OidcConfiguration> oidcClient =
+        new org.pac4j.oidc.client.OidcClient<>(oidcConfiguration);
     oidcClient.setName(OIDC_CLIENT_NAME);
     oidcClient.setCallbackUrl(_oidcConfigs.getAuthBaseUrl() + _oidcConfigs.getAuthBaseCallbackPath());
     oidcClient.setCallbackUrlResolver(new PathParameterCallbackUrlResolver());

datahub-frontend/conf/application.conf

@@ -121,6 +121,10 @@ auth.oidc.jitProvisioningEnabled = ${?AUTH_OIDC_JIT_PROVISIONING_ENABLED} # Whet
 auth.oidc.preProvisioningRequired = ${?AUTH_OIDC_PRE_PROVISIONING_REQUIRED} # Whether the user should already exist in DataHub on login, failing login if they are not. Defaults to false.
 auth.oidc.extractGroupsEnabled = ${?AUTH_OIDC_EXTRACT_GROUPS_ENABLED} # Whether groups should be extracted from a claim in the OIDC profile. Only applies if JIT provisioning is enabled. Groups will be created if they do not exist. Defaults to true.
 auth.oidc.groupsClaim = ${?AUTH_OIDC_GROUPS_CLAIM} # The OIDC claim to extract groups information from. Defaults to 'groups'
+auth.oidc.responseType = ${?AUTH_OIDC_RESPONSE_TYPE}
+auth.oidc.responseMode = ${?AUTH_OIDC_RESPONSE_MODE}
+auth.oidc.useNonce = ${?AUTH_OIDC_USE_NONCE}
+auth.oidc.customParam.resource = ${?AUTH_OIDC_CUSTOM_PARAM_RESOURCE}
 
 #
 # By default, the callback URL that should be registered with the identity provider is computed as {$baseUrl}/callback/oidc.

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/GmsGraphQLEngine.java

@@ -43,7 +43,11 @@
 import com.linkedin.datahub.graphql.resolvers.load.EntityRelationshipsResultResolver;
 import com.linkedin.datahub.graphql.resolvers.load.TimeSeriesAspectResolver;
 import com.linkedin.datahub.graphql.resolvers.load.UsageTypeResolver;
+import com.linkedin.datahub.graphql.resolvers.mutate.AddTagResolver;
+import com.linkedin.datahub.graphql.resolvers.mutate.AddTermResolver;
 import com.linkedin.datahub.graphql.resolvers.mutate.MutableTypeResolver;
+import com.linkedin.datahub.graphql.resolvers.mutate.RemoveTagResolver;
+import com.linkedin.datahub.graphql.resolvers.mutate.RemoveTermResolver;
 import com.linkedin.datahub.graphql.resolvers.policy.DeletePolicyResolver;
 import com.linkedin.datahub.graphql.resolvers.policy.ListPoliciesResolver;
 import com.linkedin.datahub.graphql.resolvers.config.AppConfigResolver;
@@ -69,7 +73,7 @@
 import com.linkedin.datahub.graphql.resolvers.browse.BrowsePathsResolver;
 import com.linkedin.datahub.graphql.resolvers.browse.BrowseResolver;
 import com.linkedin.datahub.graphql.resolvers.search.AutoCompleteResolver;
-import com.linkedin.datahub.graphql.resolvers.search.AutoCompleteForAllResolver;
+import com.linkedin.datahub.graphql.resolvers.search.AutoCompleteForMultipleResolver;
 import com.linkedin.datahub.graphql.resolvers.search.SearchResolver;
 import com.linkedin.datahub.graphql.resolvers.type.EntityInterfaceTypeResolver;
 import com.linkedin.datahub.graphql.resolvers.type.PlatformSchemaUnionTypeResolver;
@@ -88,6 +92,7 @@
 import com.linkedin.datahub.graphql.types.glossary.GlossaryTermType;
 
 import com.linkedin.datahub.graphql.types.usage.UsageType;
+import com.linkedin.metadata.entity.EntityService;
 import graphql.execution.DataFetcherResult;
 import graphql.schema.idl.RuntimeWiring;
 import java.util.ArrayList;
@@ -123,6 +128,7 @@ public class GmsGraphQLEngine {
     private static final Logger _logger = LoggerFactory.getLogger(GmsGraphQLEngine.class.getName());
 
     private final AnalyticsService analyticsService;
+    private final EntityService entityService;
 
     private final DatasetType datasetType;
     private final CorpUserType corpUserType;
@@ -176,11 +182,13 @@ public class GmsGraphQLEngine {
     public final List<BrowsableEntityType<?>> browsableTypes;
 
     public GmsGraphQLEngine() {
-        this(null);
+        this(null, null);
     }
 
-    public GmsGraphQLEngine(final AnalyticsService analyticsService) {
+    public GmsGraphQLEngine(final AnalyticsService analyticsService, final EntityService entityService) {
         this.analyticsService = analyticsService;
+        this.entityService = entityService;
+
         this.datasetType = new DatasetType(GmsClientFactory.getEntitiesClient());
         this.corpUserType = new CorpUserType(GmsClientFactory.getEntitiesClient());
         this.corpGroupType = new CorpGroupType(GmsClientFactory.getEntitiesClient());
@@ -314,8 +322,8 @@ private void configureQueryResolvers(final RuntimeWiring.Builder builder) {
                     new SearchResolver(searchableTypes)))
             .dataFetcher("autoComplete", new AuthenticatedResolver<>(
                     new AutoCompleteResolver(searchableTypes)))
-            .dataFetcher("autoCompleteForAll", new AuthenticatedResolver<>(
-                    new AutoCompleteForAllResolver(searchableTypes)))
+            .dataFetcher("autoCompleteForMultiple", new AuthenticatedResolver<>(
+                    new AutoCompleteForMultipleResolver(searchableTypes)))
             .dataFetcher("browse", new AuthenticatedResolver<>(
                     new BrowseResolver(browsableTypes)))
             .dataFetcher("browsePaths", new AuthenticatedResolver<>(
@@ -369,15 +377,19 @@ private void configureQueryResolvers(final RuntimeWiring.Builder builder) {
 
     private void configureMutationResolvers(final RuntimeWiring.Builder builder) {
         builder.type("Mutation", typeWiring -> typeWiring
-                .dataFetcher("updateDataset", new AuthenticatedResolver<>(new MutableTypeResolver<>(datasetType)))
-                .dataFetcher("updateTag", new AuthenticatedResolver<>(new MutableTypeResolver<>(tagType)))
-                .dataFetcher("updateChart", new AuthenticatedResolver<>(new MutableTypeResolver<>(chartType)))
-                .dataFetcher("updateDashboard", new AuthenticatedResolver<>(new MutableTypeResolver<>(dashboardType)))
-                .dataFetcher("updateDataJob", new AuthenticatedResolver<>(new MutableTypeResolver<>(dataJobType)))
-                .dataFetcher("updateDataFlow", new AuthenticatedResolver<>(new MutableTypeResolver<>(dataFlowType)))
-                .dataFetcher("createPolicy", new UpsertPolicyResolver(GmsClientFactory.getAspectsClient()))
-                .dataFetcher("updatePolicy", new UpsertPolicyResolver(GmsClientFactory.getAspectsClient()))
-                .dataFetcher("deletePolicy", new DeletePolicyResolver(GmsClientFactory.getEntitiesClient()))
+            .dataFetcher("updateDataset", new AuthenticatedResolver<>(new MutableTypeResolver<>(datasetType)))
+            .dataFetcher("updateTag", new AuthenticatedResolver<>(new MutableTypeResolver<>(tagType)))
+            .dataFetcher("updateChart", new AuthenticatedResolver<>(new MutableTypeResolver<>(chartType)))
+            .dataFetcher("updateDashboard", new AuthenticatedResolver<>(new MutableTypeResolver<>(dashboardType)))
+            .dataFetcher("updateDataJob", new AuthenticatedResolver<>(new MutableTypeResolver<>(dataJobType)))
+            .dataFetcher("updateDataFlow", new AuthenticatedResolver<>(new MutableTypeResolver<>(dataFlowType)))
+            .dataFetcher("addTag", new AuthenticatedResolver<>(new AddTagResolver(entityService)))
+            .dataFetcher("removeTag", new AuthenticatedResolver<>(new RemoveTagResolver(entityService)))
+            .dataFetcher("addTerm", new AuthenticatedResolver<>(new AddTermResolver(entityService)))
+            .dataFetcher("removeTerm", new AuthenticatedResolver<>(new RemoveTermResolver(entityService)))
+            .dataFetcher("createPolicy", new UpsertPolicyResolver(GmsClientFactory.getAspectsClient()))
+            .dataFetcher("updatePolicy", new UpsertPolicyResolver(GmsClientFactory.getAspectsClient()))
+            .dataFetcher("deletePolicy", new DeletePolicyResolver(GmsClientFactory.getEntitiesClient()))
         );
     }
 

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/mutate/AddTagResolver.java

@@ -0,0 +1,58 @@
+package com.linkedin.datahub.graphql.resolvers.mutate;
+
+import com.linkedin.common.urn.CorpuserUrn;
+
+import com.linkedin.common.urn.Urn;
+import com.linkedin.datahub.graphql.QueryContext;
+import com.linkedin.datahub.graphql.exception.AuthorizationException;
+import com.linkedin.datahub.graphql.generated.TagUpdateInput;
+import com.linkedin.metadata.entity.EntityService;
+import graphql.schema.DataFetcher;
+import graphql.schema.DataFetchingEnvironment;
+import java.util.concurrent.CompletableFuture;
+import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+
+import static com.linkedin.datahub.graphql.resolvers.ResolverUtils.*;
+
+
+@Slf4j
+@RequiredArgsConstructor
+public class AddTagResolver implements DataFetcher<CompletableFuture<Boolean>> {
+  private final EntityService _entityService;
+
+  @Override
+  public CompletableFuture<Boolean> get(DataFetchingEnvironment environment) throws Exception {
+    final TagUpdateInput input = bindArgument(environment.getArgument("input"), TagUpdateInput.class);
+    Urn tagUrn = Urn.createFromString(input.getTagUrn());
+    Urn targetUrn = Urn.createFromString(input.getTargetUrn());
+
+    if (!LabelUtils.isAuthorizedToUpdateTags(environment.getContext(), targetUrn, input.getSubResource())) {
+      throw new AuthorizationException("Unauthorized to perform this action. Please contact your DataHub administrator.");
+    }
+
+    return CompletableFuture.supplyAsync(() -> {
+      try {
+
+        if (!tagUrn.getEntityType().equals("tag")) {
+          log.error("Failed to add {}. It is not a tag urn.", tagUrn.toString());
+          return false;
+        }
+
+        log.info("Adding Tag. input: {}", input.toString());
+        Urn actor = CorpuserUrn.createFromString(((QueryContext) environment.getContext()).getActor());
+        LabelUtils.addTagToTarget(
+            tagUrn,
+            targetUrn,
+            input.getSubResource(),
+            actor,
+            _entityService
+        );
+        return true;
+      } catch (Exception e) {
+        log.error("Failed to perform update against input {}, {}", input.toString(), e.getMessage());
+        throw new RuntimeException(String.format("Failed to perform update against input %s", input.toString()), e);
+      }
+    });
+  }
+}