feat(auth): support an optional login specific shard for fiat (#1111)

spinnaker · Mar 24, 2020 · 83138e4 · 83138e4
1 parent c70c038
commit 83138e4
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 4 deletions.
diff --git a/gate-core/src/main/groovy/com/netflix/spinnaker/gate/services/PermissionService.groovy b/gate-core/src/main/groovy/com/netflix/spinnaker/gate/services/PermissionService.groovy
@@ -27,6 +27,7 @@ import com.netflix.spinnaker.security.AuthenticatedRequest
 import com.netflix.spinnaker.security.User
 import groovy.util.logging.Slf4j
 import org.springframework.beans.factory.annotation.Autowired
+import org.springframework.beans.factory.annotation.Qualifier
 import org.springframework.stereotype.Component
 import retrofit.RetrofitError
 
@@ -41,6 +42,10 @@ class PermissionService {
   @Autowired
   FiatService fiatService
 
+  @Autowired
+  @Qualifier("fiatLoginService")
+  Optional<FiatService> fiatLoginService
+
   @Autowired
   FiatPermissionEvaluator permissionEvaluator
 
@@ -51,12 +56,16 @@ class PermissionService {
     return fiatStatus.isEnabled()
   }
 
+  private FiatService getFiatServiceForLogin() {
+    return fiatLoginService.orElse(fiatService);
+  }
+
   void login(String userId) {
     if (fiatStatus.isEnabled()) {
       HystrixFactory.newVoidCommand(HYSTRIX_GROUP, "login") {
         try {
           AuthenticatedRequest.allowAnonymous({
-            fiatService.loginUser(userId, "")
+            fiatServiceForLogin.loginUser(userId, "")
             permissionEvaluator.invalidatePermission(userId)
           })
         } catch (RetrofitError e) {
@@ -71,7 +80,7 @@ class PermissionService {
       HystrixFactory.newVoidCommand(HYSTRIX_GROUP, "loginWithRoles") {
         try {
           AuthenticatedRequest.allowAnonymous({
-            fiatService.loginWithRoles(userId, roles)
+            fiatServiceForLogin.loginWithRoles(userId, roles)
             permissionEvaluator.invalidatePermission(userId)
           })
         } catch (RetrofitError e) {
@@ -85,7 +94,7 @@ class PermissionService {
     if (fiatStatus.isEnabled()) {
       HystrixFactory.newVoidCommand(HYSTRIX_GROUP, "logout") {
         try {
-          fiatService.logoutUser(userId)
+          fiatServiceForLogin.logoutUser(userId)
           permissionEvaluator.invalidatePermission(userId)
         } catch (RetrofitError e) {
           throw classifyError(e)
@@ -98,7 +107,7 @@ class PermissionService {
     if (fiatStatus.isEnabled()) {
       HystrixFactory.newVoidCommand(HYSTRIX_GROUP, "sync") {
         try {
-          fiatService.sync(Collections.emptyList())
+          fiatServiceForLogin.sync(Collections.emptyList())
         } catch (RetrofitError e) {
           throw classifyError(e)
         }

diff --git a/gate-web/src/main/groovy/com/netflix/spinnaker/gate/config/GateConfig.groovy b/gate-web/src/main/groovy/com/netflix/spinnaker/gate/config/GateConfig.groovy
@@ -176,11 +176,20 @@ class GateConfig extends RedisHttpSessionConfiguration {
   }
 
   @Bean
+  @Primary
   FiatService fiatService(OkHttpClient okHttpClient) {
     // always create the fiat service even if 'services.fiat.enabled' is 'false' (it can be enabled dynamically)
     createClient "fiat", FiatService, okHttpClient, null, true
   }
 
+  @Bean
+  @ConditionalOnProperty("services.fiat.config.dynamic-endpoints.login")
+  FiatService fiatLoginService(OkHttpClient okHttpClient) {
+    // always create the fiat service even if 'services.fiat.enabled' is 'false' (it can be enabled dynamically)
+    createClient "fiat", FiatService, okHttpClient, "login", true
+  }
+
+
   @Bean
   Front50Service front50Service(OkHttpClient okHttpClient) {
     createClient "front50", Front50Service, okHttpClient