fix(permissionSource): Set order (lowest precedence) on default permi…

…ssion sources (#519) Additionally, rename Front50ApplicationResourcePermissionSource to ApplicationResourcePermissionSource and adjust config accordingly
spinnaker · Dec 5, 2019 · e9a380f · e9a380f
1 parent cc1b3e3
commit e9a380f
Show file tree

Hide file tree

Showing 4 changed files with 56 additions and 37 deletions.
diff --git a/...0ApplicationResourcePermissionSource.java → .../ApplicationResourcePermissionSource.java b/...0ApplicationResourcePermissionSource.java → .../ApplicationResourcePermissionSource.java
@@ -27,12 +27,12 @@
 import java.util.Map;
 import javax.annotation.Nonnull;
 
-public final class Front50ApplicationResourcePermissionSource
+public final class ApplicationResourcePermissionSource
     implements ResourcePermissionSource<Application> {
 
   private final Authorization executeFallback;
 
-  public Front50ApplicationResourcePermissionSource(Authorization executeFallback) {
+  public ApplicationResourcePermissionSource(Authorization executeFallback) {
     this.executeFallback = executeFallback;
   }
 

diff --git a/...rc/test/groovy/com/netflix/spinnaker/fiat/providers/DefaultApplicationProviderSpec.groovy b/...rc/test/groovy/com/netflix/spinnaker/fiat/providers/DefaultApplicationProviderSpec.groovy
@@ -34,7 +34,7 @@ class DefaultApplicationProviderSpec extends Specification {
 
   ClouddriverService clouddriverService = Mock(ClouddriverService)
   Front50Service front50Service = Mock(Front50Service)
-  ResourcePermissionProvider<Application> defaultProvider = new AggregatingResourcePermissionProvider<>([new Front50ApplicationResourcePermissionSource(Authorization.READ)])
+  ResourcePermissionProvider<Application> defaultProvider = new AggregatingResourcePermissionProvider<>([new ApplicationResourcePermissionSource(Authorization.READ)])
 
   @Subject DefaultApplicationResourceProvider provider
 
@@ -114,7 +114,7 @@ class DefaultApplicationProviderSpec extends Specification {
   def "should add fallback execute permissions based on executeFallback value" () {
     setup:
     def app = new Application().setName("app")
-    def provider = new AggregatingResourcePermissionProvider([new Front50ApplicationResourcePermissionSource(fallback)])
+    def provider = new AggregatingResourcePermissionProvider([new ApplicationResourcePermissionSource(fallback)])
 
     when:
     app.setPermissions(makePerms(givenPermissions))

diff --git a/...eb/src/main/java/com/netflix/spinnaker/fiat/config/AggregateResourcePermissionConfig.java b/...eb/src/main/java/com/netflix/spinnaker/fiat/config/AggregateResourcePermissionConfig.java
@@ -0,0 +1,39 @@
+package com.netflix.spinnaker.fiat.config;
+
+import com.netflix.spinnaker.fiat.model.resources.Account;
+import com.netflix.spinnaker.fiat.model.resources.Application;
+import com.netflix.spinnaker.fiat.model.resources.BuildService;
+import com.netflix.spinnaker.fiat.providers.AggregatingResourcePermissionProvider;
+import com.netflix.spinnaker.fiat.providers.ResourcePermissionProvider;
+import com.netflix.spinnaker.fiat.providers.ResourcePermissionSource;
+import java.util.List;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+
+@Configuration
+public class AggregateResourcePermissionConfig {
+
+  @Bean
+  @ConditionalOnProperty(value = "auth.permissions.provider.account", havingValue = "aggregate")
+  public ResourcePermissionProvider<Account> aggregateAccountPermissionProvider(
+      List<ResourcePermissionSource<Account>> sources) {
+    return new AggregatingResourcePermissionProvider<>(sources);
+  }
+
+  @Bean
+  @ConditionalOnProperty(value = "auth.permissions.provider.application", havingValue = "aggregate")
+  public ResourcePermissionProvider<Application> aggregateApplicationPermissionProvider(
+      List<ResourcePermissionSource<Application>> sources) {
+    return new AggregatingResourcePermissionProvider<>(sources);
+  }
+
+  @Bean
+  @ConditionalOnProperty(
+      value = "auth.permissions.provider.build-service",
+      havingValue = "aggregate")
+  public ResourcePermissionProvider<BuildService> aggregateBuildServicePermissionProvider(
+      List<ResourcePermissionSource<BuildService>> sources) {
+    return new AggregatingResourcePermissionProvider<>(sources);
+  }
+}
diff --git a/...-web/src/main/java/com/netflix/spinnaker/fiat/config/DefaultResourcePermissionConfig.java b/...-web/src/main/java/com/netflix/spinnaker/fiat/config/DefaultResourcePermissionConfig.java
@@ -20,11 +20,11 @@
 import com.netflix.spinnaker.fiat.model.resources.Application;
 import com.netflix.spinnaker.fiat.model.resources.BuildService;
 import com.netflix.spinnaker.fiat.providers.*;
-import java.util.List;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.boot.context.properties.ConfigurationProperties;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.core.annotation.Order;
 
 @Configuration
 class DefaultResourcePermissionConfig {
@@ -33,6 +33,7 @@ class DefaultResourcePermissionConfig {
   @ConditionalOnProperty(
       value = "auth.permissions.source.account.resource.enabled",
       matchIfMissing = true)
+  @Order
   ResourcePermissionSource<Account> accountResourcePermissionSource() {
     return new AccessControlledResourcePermissionSource<>();
   }
@@ -47,27 +48,14 @@ public ResourcePermissionProvider<Account> defaultAccountPermissionProvider(
     return new DefaultResourcePermissionProvider<>(accountResourcePermissionSource);
   }
 
-  @Bean
-  @ConditionalOnProperty(value = "auth.permissions.provider.account", havingValue = "aggregate")
-  public ResourcePermissionProvider<Account> aggregateAccountPermissionProvider(
-      List<ResourcePermissionSource<Account>> sources) {
-    return new AggregatingResourcePermissionProvider<>(sources);
-  }
-
-  @Bean
-  @ConditionalOnProperty("auth.permissions.source.application.prefix.enabled")
-  @ConfigurationProperties("auth.permissions.source.application.prefix")
-  ResourcePermissionSource<Application> applicationPrefixResourcePermissionSource() {
-    return new ResourcePrefixPermissionSource<Application>();
-  }
-
   @Bean
   @ConditionalOnProperty(
-      value = "auth.permissions.source.application.front50.enabled",
+      value = "auth.permissions.source.application.resource.enabled",
       matchIfMissing = true)
-  ResourcePermissionSource<Application> front50ResourcePermissionSource(
+  @Order
+  ResourcePermissionSource<Application> applicationResourcePermissionSource(
       FiatServerConfigurationProperties fiatServerConfigurationProperties) {
-    return new Front50ApplicationResourcePermissionSource(
+    return new ApplicationResourcePermissionSource(
         fiatServerConfigurationProperties.getExecuteFallback());
   }
 
@@ -77,21 +65,15 @@ ResourcePermissionSource<Application> front50ResourcePermissionSource(
       havingValue = "default",
       matchIfMissing = true)
   public ResourcePermissionProvider<Application> defaultApplicationPermissionProvider(
-      ResourcePermissionSource<Application> front50ResourcePermissionSource) {
-    return new DefaultResourcePermissionProvider<>(front50ResourcePermissionSource);
-  }
-
-  @Bean
-  @ConditionalOnProperty(value = "auth.permissions.provider.application", havingValue = "aggregate")
-  public ResourcePermissionProvider<Application> aggregateApplicationPermissionProvider(
-      List<ResourcePermissionSource<Application>> sources) {
-    return new AggregatingResourcePermissionProvider<>(sources);
+      ResourcePermissionSource<Application> applicationResourcePermissionSource) {
+    return new DefaultResourcePermissionProvider<>(applicationResourcePermissionSource);
   }
 
   @Bean
   @ConditionalOnProperty(
       value = "auth.permissions.source.build-service.resource.enabled",
       matchIfMissing = true)
+  @Order
   ResourcePermissionSource<BuildService> buildServiceResourcePermissionSource() {
     return new AccessControlledResourcePermissionSource<>();
   }
@@ -107,11 +89,9 @@ public ResourcePermissionProvider<BuildService> defaultBuildServicePermissionPro
   }
 
   @Bean
-  @ConditionalOnProperty(
-      value = "auth.permissions.provider.build-service",
-      havingValue = "aggregate")
-  public ResourcePermissionProvider<BuildService> aggregateBuildServicePermissionProvider(
-      List<ResourcePermissionSource<BuildService>> sources) {
-    return new AggregatingResourcePermissionProvider<>(sources);
+  @ConditionalOnProperty("auth.permissions.source.application.prefix.enabled")
+  @ConfigurationProperties("auth.permissions.source.application.prefix")
+  ResourcePermissionSource<Application> applicationPrefixResourcePermissionSource() {
+    return new ResourcePrefixPermissionSource<Application>();
   }
 }