From 4afff61a40c18cfec9a3b2bb73b7ff776dfbac28 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B8rgen=20Jervidalo?=
Date: Fri, 18 Oct 2019 18:43:33 +0200
Subject: [PATCH] fix(roles): Allow anonymous calls from Fiat to other Spinnaker modules (#479)

Will suppress all the `Request GET:http://front50/serviceAccounts is missing [X-SPINNAKER-USER, X-SPINNAKER-ACCOUNTS] authentication headers and will be treated as anonymous` messages that is currently spamming the Fiat log.
---
 fiat-roles/fiat-roles.gradle | 1 +
 .../fiat/providers/internal/ClouddriverService.java | 6 ++++--
 .../spinnaker/fiat/providers/internal/Front50Service.java | 6 ++++--
 .../spinnaker/fiat/providers/internal/IgorService.java | 4 +++-
 4 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/fiat-roles/fiat-roles.gradle b/fiat-roles/fiat-roles.gradle
index 0acccbb7e..40f326530 100644
--- a/fiat-roles/fiat-roles.gradle
+++ b/fiat-roles/fiat-roles.gradle
@@ -29,6 +29,7 @@ dependencies {
 implementation "com.netflix.spinnaker.kork:kork-dynomite"
 implementation "com.netflix.spinnaker.kork:kork-hystrix"
 implementation "com.netflix.spinnaker.kork:kork-jedis"
+ implementation "com.netflix.spinnaker.kork:kork-security"
 implementation "redis.clients:jedis"
 implementation "com.google.api-client:google-api-client"
diff --git a/fiat-roles/src/main/java/com/netflix/spinnaker/fiat/providers/internal/ClouddriverService.java b/fiat-roles/src/main/java/com/netflix/spinnaker/fiat/providers/internal/ClouddriverService.java
index 35b73d3fb..a61e428e9 100644
--- a/fiat-roles/src/main/java/com/netflix/spinnaker/fiat/providers/internal/ClouddriverService.java
+++ b/fiat-roles/src/main/java/com/netflix/spinnaker/fiat/providers/internal/ClouddriverService.java
@@ -16,6 +16,8 @@
 package com.netflix.spinnaker.fiat.providers.internal;
+import static com.netflix.spinnaker.security.AuthenticatedRequest.allowAnonymous;
+
 import com.netflix.spinnaker.fiat.model.resources.Account;
 import com.netflix.spinnaker.fiat.model.resources.Application;
 import com.netflix.spinnaker.fiat.providers.HealthTrackable;
@@ -66,13 +68,13 @@ public List getApplications() {
 @Scheduled(fixedDelayString = "${fiat.clouddriver-refresh-ms:30000}")
 public void refreshAccounts() {
- accountCache.set(clouddriverApi.getAccounts());
+ accountCache.set(allowAnonymous(clouddriverApi::getAccounts));
 healthTracker.success();
 }
 @Scheduled(fixedDelayString = "${fiat.clouddriver-refresh-ms:30000}")
 public void refreshApplications() {
- applicationCache.set(clouddriverApi.getApplications());
+ applicationCache.set(allowAnonymous(clouddriverApi::getApplications));
 healthTracker.success();
 }
 }
diff --git a/fiat-roles/src/main/java/com/netflix/spinnaker/fiat/providers/internal/Front50Service.java b/fiat-roles/src/main/java/com/netflix/spinnaker/fiat/providers/internal/Front50Service.java
index 59971a2a4..4933a0dd0 100644
--- a/fiat-roles/src/main/java/com/netflix/spinnaker/fiat/providers/internal/Front50Service.java
+++ b/fiat-roles/src/main/java/com/netflix/spinnaker/fiat/providers/internal/Front50Service.java
@@ -16,6 +16,8 @@
 package com.netflix.spinnaker.fiat.providers.internal;
+import static com.netflix.spinnaker.security.AuthenticatedRequest.*;
+
 import com.netflix.hystrix.exception.HystrixBadRequestException;
 import com.netflix.spinnaker.fiat.model.resources.Application;
 import com.netflix.spinnaker.fiat.model.resources.ServiceAccount;
@@ -55,7 +57,7 @@ public List getAllApplicationPermissions() {
 GROUP_KEY,
 "getAllApplicationPermissions",
 () -> {
- applicationCache.set(front50Api.getAllApplicationPermissions());
+ applicationCache.set(allowAnonymous(front50Api::getAllApplicationPermissions));
 healthTracker.success();
 return applicationCache.get();
 },
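Review bot: The scheduled refresh methods now call out with no caller identity on purpose, but nothing in the code says why; this applies to `refreshAccounts()` and `refreshApplications()` in this hunk and to `refreshBuildServices()` in IgorService.java. A short comment on each wrap would keep a later change from widening it, for example `// Scheduled refresh has no user context; intentionally anonymous, keep the wrap around this single call.` The suppressed warning was the only log signal for requests leaving Fiat without `X-SPINNAKER-USER`, so any call later moved inside `allowAnonymous` would go unreported. The accounts, applications and build services fetched here appear to feed Fiat's permission data, so trust in these responses presumably rests on service-to-service transport controls rather than on the identity headers.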
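Review bot: The static import added to Front50Service.java is a wildcard, `import static com.netflix.spinnaker.security.AuthenticatedRequest.*;`, while ClouddriverService.java and IgorService.java import only `allowAnonymous`. Only `allowAnonymous` is used in the visible hunks of this file, so the explicit form `import static com.netflix.spinnaker.security.AuthenticatedRequest.allowAnonymous;` would match the other two files. It also keeps it obvious which helper from the security class is in play and avoids bringing its other static members into scope unnoticed.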
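Review bot: In the `getAllApplicationPermissions` command, and in the `getAccounts` command of the next Front50Service.java hunk, the wrap sits inside the command lambda, and that placement deserves a comment. If the anonymous marker is thread-scoped and the command body runs on a Hystrix worker thread, moving `allowAnonymous` out to the enclosing method would presumably bring the warning back. Something like `// allowAnonymous must wrap the call on the executing thread, so keep it inside the command body.` would pin it. Both lambdas and their enclosing methods start and end outside the hunks, so how the command is dispatched is not visible here.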
@@ -75,7 +77,7 @@ public List getAllServiceAccounts() {
 GROUP_KEY,
 "getAccounts",
 () -> {
- serviceAccountCache.set(front50Api.getAllServiceAccounts());
+ serviceAccountCache.set(allowAnonymous(front50Api::getAllServiceAccounts));
 healthTracker.success();
 return serviceAccountCache.get();
 },
diff --git a/fiat-roles/src/main/java/com/netflix/spinnaker/fiat/providers/internal/IgorService.java b/fiat-roles/src/main/java/com/netflix/spinnaker/fiat/providers/internal/IgorService.java
index 27f4dd544..0b7e308c7 100644
--- a/fiat-roles/src/main/java/com/netflix/spinnaker/fiat/providers/internal/IgorService.java
+++ b/fiat-roles/src/main/java/com/netflix/spinnaker/fiat/providers/internal/IgorService.java
@@ -17,6 +17,8 @@
 package com.netflix.spinnaker.fiat.providers.internal;
+import static com.netflix.spinnaker.security.AuthenticatedRequest.allowAnonymous;
+
 import com.netflix.spinnaker.fiat.model.resources.BuildService;
 import com.netflix.spinnaker.fiat.providers.HealthTrackable;
 import com.netflix.spinnaker.fiat.providers.ProviderHealthTracker;
@@ -60,7 +62,7 @@ public List getAllBuildServices() {
 @Scheduled(fixedDelayString = "${fiat.igor-refresh-ms:30000}")
 public void refreshBuildServices() {
 if (igorEnabled) {
- buildServicesCache.set(igorApi.getBuildMasters());
+ buildServicesCache.set(allowAnonymous(igorApi::getBuildMasters));
 }
 healthTracker.success();
 }