fix(auth): use runAs instead of deprecated propagate (#1087)

spinnaker · Mar 11, 2021 · 46d88a3 · 46d88a3
1 parent 19163d2
commit 46d88a3
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 28 deletions.
diff --git a/...ain/java/com/netflix/spinnaker/echo/pipelinetriggers/eventhandlers/BuildEventHandler.java b/...ain/java/com/netflix/spinnaker/echo/pipelinetriggers/eventhandlers/BuildEventHandler.java
@@ -27,11 +27,16 @@
 import com.netflix.spinnaker.fiat.shared.FiatPermissionEvaluator;
 import com.netflix.spinnaker.kork.artifacts.model.Artifact;
 import com.netflix.spinnaker.security.AuthenticatedRequest;
-import com.netflix.spinnaker.security.User;
-import java.util.*;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
+import java.util.Map;
+import java.util.Optional;
 import java.util.function.Function;
 import java.util.function.Predicate;
+import javax.annotation.Nonnull;
 import lombok.extern.slf4j.Slf4j;
+import org.apache.commons.lang3.StringUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
 
@@ -90,15 +95,15 @@ public Function<Trigger, Trigger> buildTrigger(BuildEvent buildEvent) {
               .withLink(buildEvent.getContent().getProject().getLastBuild().getUrl());
       if (buildInfoService.isPresent()) {
         try {
-          return AuthenticatedRequest.propagate(
+          return AuthenticatedRequest.runAs(
+                  getRunAsUser(trigger),
                   () ->
                       trigger
                           .withBuildInfo(buildInfoService.get().getBuildInfo(buildEvent))
                           .withProperties(
                               buildInfoService
                                   .get()
-                                  .getProperties(buildEvent, inputTrigger.getPropertyFile())),
-                  getKorkUser(trigger))
+                                  .getProperties(buildEvent, inputTrigger.getPropertyFile())))
               .call();
         } catch (Exception e) {
           log.warn("Unable to add buildInfo and properties to trigger {}", trigger, e);
@@ -133,9 +138,9 @@ private boolean isBuildTrigger(Trigger trigger) {
   protected List<Artifact> getArtifactsFromEvent(BuildEvent event, Trigger trigger) {
     if (buildInfoService.isPresent()) {
       try {
-        return AuthenticatedRequest.propagate(
-                () -> buildInfoService.get().getArtifactsFromBuildEvent(event, trigger),
-                getKorkUser(trigger))
+        return AuthenticatedRequest.runAs(
+                getRunAsUser(trigger),
+                () -> buildInfoService.get().getArtifactsFromBuildEvent(event, trigger))
             .call();
       } catch (Exception e) {
         log.warn("Unable to get artifacts from event {}, trigger {}", event, trigger, e);
@@ -144,12 +149,17 @@ protected List<Artifact> getArtifactsFromEvent(BuildEvent event, Trigger trigger
     return Collections.emptyList();
   }
 
-  private User getKorkUser(Trigger trigger) {
-    User user = new User();
-    if (trigger.getRunAsUser() != null) {
-      user.setEmail(trigger.getRunAsUser());
+  /**
+   * @param trigger the trigger from which to get the runAsUser
+   * @return the runAsUser from the trigger if specified, otherwise 'anonymous'
+   */
+  @Nonnull
+  private String getRunAsUser(Trigger trigger) {
+    if (StringUtils.isNotBlank(trigger.getRunAsUser())) {
+      return trigger.getRunAsUser().trim();
     }
-    return user;
+
+    return "anonymous";
   }
 
   private boolean checkPayloadConstraintsMet(BuildEvent event, Trigger trigger) {
@@ -174,9 +184,9 @@ private boolean checkPayloadConstraintsMet(BuildEvent event, Trigger trigger) {
   private Map getPropertiesFromEvent(BuildEvent event, Trigger trigger) {
     if (buildInfoService.isPresent()) {
       try {
-        return AuthenticatedRequest.propagate(
-                () -> buildInfoService.get().getProperties(event, trigger.getPropertyFile()),
-                getKorkUser(trigger))
+        return AuthenticatedRequest.runAs(
+                getRunAsUser(trigger),
+                () -> buildInfoService.get().getProperties(event, trigger.getPropertyFile()))
             .call();
       } catch (Exception e) {
         log.warn("Unable to get artifacts from event {}, trigger {}", event, trigger, e);

diff --git a/...ers/src/main/java/com/netflix/spinnaker/echo/pipelinetriggers/orca/PipelineInitiator.java b/...ers/src/main/java/com/netflix/spinnaker/echo/pipelinetriggers/orca/PipelineInitiator.java
@@ -30,7 +30,7 @@
 import com.netflix.spinnaker.kork.discovery.DiscoveryStatusListener;
 import com.netflix.spinnaker.kork.dynamicconfig.DynamicConfigService;
 import com.netflix.spinnaker.security.AuthenticatedRequest;
-import com.netflix.spinnaker.security.User;
+import java.util.Collection;
 import java.util.Collections;
 import java.util.Map;
 import java.util.Optional;
@@ -42,6 +42,7 @@
 import javax.annotation.PostConstruct;
 import lombok.NonNull;
 import lombok.extern.slf4j.Slf4j;
+import org.apache.commons.lang3.StringUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.http.HttpStatus;
@@ -230,23 +231,23 @@ private Void triggerPipelineImpl(Pipeline pipeline, TriggerSource triggerSource)
       if (pipeline.getTrigger() != null && pipeline.getTrigger().isPropagateAuth()) {
         response = triggerWithRetries(pipeline);
       } else {
-        // If we should not propagate authentication, create an empty User object for the request
-        User korkUser = new User();
+        // default to anonymous consistent with the existing pattern of
+        // `AuthenticatedRequest.getSpinnakerUser().orElse("anonymous")`
+        String runAsUser = "anonymous";
+        Collection<String> allowedAccounts = Collections.emptySet();
 
         if (fiatStatus.isEnabled()) {
-          if (pipeline.getTrigger() != null && pipeline.getTrigger().getRunAsUser() != null) {
-            korkUser.setEmail(pipeline.getTrigger().getRunAsUser());
-          } else {
-            // consistent with the existing pattern of
-            // `AuthenticatedRequest.getSpinnakerUser().orElse("anonymous")`
-            // and defaulting to `anonymous` throughout all Spinnaker services
-            korkUser.setEmail("anonymous");
+          if (pipeline.getTrigger() != null
+              && StringUtils.isNotBlank(pipeline.getTrigger().getRunAsUser())) {
+            runAsUser = pipeline.getTrigger().getRunAsUser().trim();
           }
-          korkUser.setAllowedAccounts(getAllowedAccountsForUser(korkUser.getEmail()));
+          allowedAccounts = getAllowedAccountsForUser(runAsUser);
         }
 
         response =
-            AuthenticatedRequest.propagate(() -> triggerWithRetries(pipeline), korkUser).call();
+            AuthenticatedRequest.runAs(
+                    runAsUser, allowedAccounts, () -> triggerWithRetries(pipeline))
+                .call();
       }
 
       log.info("Successfully triggered {}: execution id: {}", pipeline, response.getRef());