fix(roles): ensure UserRolesSyncer always refreshes anonymous user

cfieber · cfieber · commit 032c78ac0ae6 · 2018-01-19T09:30:51.000-08:00
if we lose the redis data the user roles syncer would no longer reload the anonymous
permissions.

also this caps the number of retries that the refresh will do to something that aligns with
the caching agents timeout value. The agent will get rescheduled after that point by the
scheduler.
diff --git a/fiat-roles/src/main/java/com/netflix/spinnaker/fiat/roles/UserRolesSyncer.java b/fiat-roles/src/main/java/com/netflix/spinnaker/fiat/roles/UserRolesSyncer.java
@@ -74,7 +74,13 @@ public class UserRolesSyncer implements RunnableAgent {
 
   @Value("${fiat.writeMode.retryIntervalMs:10000}")
   @Setter
-  private long retryIntervalMs;
+  private long retryIntervalMs = 10000;
+
+  @Value("${fiat.writeMode.syncDelayTimeoutMs:30000}")
+  @Setter
+  private long syncDelayTimeoutMs = 30000;
+
+
 
   public void run() {
     syncAndReturn();
@@ -83,8 +89,12 @@ public void run() {
   public long syncAndReturn() {
     FixedBackOff backoff = new FixedBackOff();
     backoff.setInterval(retryIntervalMs);
+    backoff.setMaxAttempts(Math.floorDiv(syncDelayTimeoutMs, retryIntervalMs) + 1);
     BackOffExecution backOffExec = backoff.start();
 
+    //after this point the execution will get rescheduled
+    final long timeout = System.currentTimeMillis() + syncDelayTimeoutMs;
+
     if (!isServerHealthy()) {
       log.warn("Server is currently UNHEALTHY. User permission role synchronization and " +
                    "resolution may not complete until this server becomes healthy again.");
@@ -93,6 +103,8 @@ public long syncAndReturn() {
     while (true) {
       try {
         Map<String, UserPermission> combo = new HashMap<>();
+        //force a refresh of the unrestricted user in case the backing repository is empty:
+        combo.put(UnrestrictedResourceConfig.UNRESTRICTED_USERNAME, new UserPermission());
         Map<String, UserPermission> temp;
         if (!(temp = getUserPermissions()).isEmpty()) {
           combo.putAll(temp);
@@ -105,7 +117,7 @@ public long syncAndReturn() {
       } catch (ProviderException|PermissionResolutionException ex) {
         Status status = healthIndicator.health().getStatus();
         long waitTime = backOffExec.nextBackOff();
-        if (waitTime == BackOffExecution.STOP) {
+        if (waitTime == BackOffExecution.STOP || System.currentTimeMillis() > timeout) {
           log.error("Unable to resolve service account permissions.", ex);
           return 0;
         }
