Skip to content

Commit

Permalink
refactor(api): change FiatPermissionEvaluator to implement UserPermis…
Browse files Browse the repository at this point in the history 
…sionEvaluator (#1155)

instead of PermissionEvaluator, and mark

public boolean hasPermission(
      String username, Serializable resourceName, String resourceType, Object authorization)

as @OverRide.

This makes this method available to e.g. S3ArtifactStoreGetter so it can authenticate by
user.  In some pipeline execution scenarios in orca (e.g. using #fetchReference in an
Evaluate Variables stage), this is necessary since SecurityContextHolder.getContext() is
null.

Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
  • Loading branch information
@dbyron-sf @mergify
dbyron-sf and mergify[bot] committed Apr 27, 2024
1 parent 8e8b4ed commit 5c90023
Showing 1 changed file with 3 additions and 2 deletions.
5 changes: 3 additions & 2 deletions fiat-api/src/main/java/com/netflix/spinnaker/fiat/shared/FiatPermissionEvaluator.java
View file
Expand Up @@ -30,6 +30,7 @@
import com.netflix.spinnaker.kork.telemetry.caffeine.CaffeineStatsCounter;
import com.netflix.spinnaker.security.AccessControlled;
import com.netflix.spinnaker.security.AuthenticatedRequest;
import com.netflix.spinnaker.security.UserPermissionEvaluator;
import java.io.Serializable;
import java.util.Arrays;
import java.util.Collections;
Expand All @@ -48,7 +49,6 @@
import org.apache.commons.lang3.StringUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
Expand All @@ -58,7 +58,7 @@

@Component
@Slf4j
public class FiatPermissionEvaluator implements PermissionEvaluator {
public class FiatPermissionEvaluator implements UserPermissionEvaluator {
private static final ThreadLocal<AuthorizationFailure> authorizationFailure = new ThreadLocal<>();

private final Registry registry;
Expand Down Expand Up @@ -215,6 +215,7 @@ public boolean hasCachedPermission(String username) {
return permissionsCache.getIfPresent(username) != null;
}

@Override
public boolean hasPermission(
String username, Serializable resourceName, String resourceType, Object authorization) {
if (!fiatStatus.isEnabled()) {
Expand Down

0 comments on commit 5c90023

Please sign in to comment.