fix(auth): Enable auth to all connectors except API port (1.15.x) (#858)

spinnaker · Jul 18, 2019 · 193c7b9 · 193c7b9
1 parent 70e9910
commit 193c7b9
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 1 deletion.
diff --git a/gate-core/gate-core.gradle b/gate-core/gate-core.gradle
@@ -29,6 +29,7 @@ dependencies {
   implementation "com.netflix.spinnaker.fiat:fiat-core:$fiatVersion"
 
   implementation "com.netflix.spinnaker.kork:kork-core"
+  implementation "com.netflix.spinnaker.kork:kork-web"
   implementation "com.netflix.spinnaker.kork:kork-security"
   implementation "com.netflix.spinnaker.kork:kork-manageddelivery"
   implementation "com.netflix.spectator:spectator-api"

diff --git a/gate-core/src/main/groovy/com/netflix/spinnaker/gate/config/MultiAuthSupport.java b/gate-core/src/main/groovy/com/netflix/spinnaker/gate/config/MultiAuthSupport.java
@@ -1,5 +1,7 @@
 package com.netflix.spinnaker.gate.config;
 
+import com.netflix.spinnaker.config.TomcatConfigurationProperties;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.web.context.WebServerApplicationContext;
 import org.springframework.boot.web.embedded.tomcat.TomcatWebServer;
 import org.springframework.boot.web.server.WebServer;
@@ -12,14 +14,23 @@
 @Configuration
 public class MultiAuthSupport {
 
+  @Value("${default.legacy-server-port-auth:true}")
+  private boolean legacyServerPortAuth;
+
   @Bean
-  RequestMatcherProvider multiAuthRequestMatcherProvider(ApplicationContext applicationContext) {
+  RequestMatcherProvider multiAuthRequestMatcherProvider(
+      ApplicationContext applicationContext,
+      TomcatConfigurationProperties tomcatConfigurationProperties) {
     return new RequestMatcherProvider() {
       @Override
       public RequestMatcher requestMatcher() {
         if (applicationContext instanceof WebServerApplicationContext) {
           final WebServerApplicationContext ctx = (WebServerApplicationContext) applicationContext;
           return req -> {
+            if (legacyServerPortAuth
+                && tomcatConfigurationProperties.getLegacyServerPort() == req.getLocalPort()) {
+              return true;
+            }
             // we have to do this per request because at bean-creation time the WebServer has not
             // yet been created
             final WebServer webServer = ctx.getWebServer();