fix(authorization): Sync roles after an application is created (#619)

* sync roles after an application is created * stub fiat service * Apply suggestions from code review Co-Authored-By: Cameron Fieber <cameron@fieber.ca> * fix fiat service stub
spinnaker · Oct 28, 2019 · 7f91a48 · 7f91a48
1 parent 7e7c898
commit 7f91a48
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 2 deletions.
diff --git a/...rc/main/groovy/com/netflix/spinnaker/front50/controllers/v2/ApplicationsController.groovy b/...rc/main/groovy/com/netflix/spinnaker/front50/controllers/v2/ApplicationsController.groovy
@@ -1,5 +1,6 @@
 package com.netflix.spinnaker.front50.controllers.v2
 
+import com.netflix.spinnaker.fiat.shared.FiatService
 import com.netflix.spinnaker.front50.controllers.exception.InvalidApplicationRequestException
 import com.netflix.spinnaker.front50.events.ApplicationEventListener
 import com.netflix.spinnaker.front50.exception.NotFoundException
@@ -59,6 +60,9 @@ public class ApplicationsController {
   @Autowired(required = false)
   List<ApplicationEventListener> applicationEventListeners = []
 
+  @Autowired
+  Optional<FiatService> fiatService;
+
   @PreAuthorize("#restricted ? @fiatPermissionEvaluator.storeWholePermission() : true")
   @PostFilter("#restricted ? hasPermission(filterObject.name, 'APPLICATION', 'READ') : true")
   @ApiOperation(value = "", notes = """Fetch all applications.
@@ -98,7 +102,13 @@ public class ApplicationsController {
   @ApiOperation(value = "", notes = "Create an application")
   @RequestMapping(method = RequestMethod.POST)
   Application create(@RequestBody final Application app) {
-    return getApplication().initialize(app).withName(app.getName()).save()
+    Application createdApplication = getApplication().initialize(app).withName(app.getName()).save()
+    try {
+      fiatService.ifPresent { it.sync() }
+    } catch (Exception ignored) {
+      log.warn("failed to trigger fiat permission sync", ignored)
+    } 
+    return createdApplication
   }
 
   @PreAuthorize("hasPermission(#applicationName, 'APPLICATION', 'WRITE')")

diff --git a/...test/groovy/com/netflix/spinnaker/front50/controllers/v2/ApplicationsControllerTck.groovy b/...test/groovy/com/netflix/spinnaker/front50/controllers/v2/ApplicationsControllerTck.groovy
@@ -21,6 +21,7 @@ import com.amazonaws.ClientConfiguration
 import com.amazonaws.services.s3.AmazonS3Client
 import com.fasterxml.jackson.databind.ObjectMapper
 import com.netflix.spectator.api.NoopRegistry
+import com.netflix.spinnaker.fiat.shared.FiatService
 import com.netflix.spinnaker.front50.exception.NotFoundException
 import com.netflix.spinnaker.front50.model.DefaultObjectKeyLoader
 import com.netflix.spinnaker.front50.model.S3StorageService
@@ -75,6 +76,9 @@ abstract class ApplicationsControllerTck extends Specification {
   @Shared
   PipelineStrategyDAO pipelineStrategyDAO = Stub(PipelineStrategyDAO)
 
+  @Shared
+  Optional<FiatService> fiatService = Optional.empty();
+
   void setup() {
     this.dao = createApplicationDAO()
     this.controller = new ApplicationsController(
@@ -84,7 +88,8 @@ abstract class ApplicationsControllerTck extends Specification {
       pipelineStrategyDAO: pipelineStrategyDAO,
       pipelineDAO: pipelineDAO,
       applicationValidators: [new HasNameValidator(), new HasEmailValidator()],
-      messageSource: new StaticMessageSource()
+      messageSource: new StaticMessageSource(),
+      fiatService: fiatService
     )
     this.mockMvc = MockMvcBuilders.standaloneSetup(controller).build()
   }