feat(fiat): Adds Fiat Session filter to force relogin if Fiat entry i…

…s missing. (#368)
spinnaker · Mar 31, 2017 · 9305261 · 9305261
1 parent 4050f7b
commit 9305261
Show file tree

Hide file tree

Showing 3 changed files with 88 additions and 0 deletions.
diff --git a/gate-web/src/main/groovy/com/netflix/spinnaker/gate/config/GateConfig.groovy b/gate-web/src/main/groovy/com/netflix/spinnaker/gate/config/GateConfig.groovy
@@ -23,6 +23,7 @@ import com.netflix.spinnaker.fiat.shared.FiatPermissionEvaluator
 import com.netflix.spinnaker.fiat.shared.FiatService
 import com.netflix.spinnaker.filters.AuthenticatedRequestFilter
 import com.netflix.spinnaker.gate.filters.CorsFilter
+import com.netflix.spinnaker.gate.filters.FiatSessionFilter
 import com.netflix.spinnaker.gate.filters.GateOriginValidator
 import com.netflix.spinnaker.gate.filters.OriginValidator
 import com.netflix.spinnaker.gate.retrofit.EurekaOkClient

diff --git a/gate-web/src/main/groovy/com/netflix/spinnaker/gate/filters/FiatSessionFilter.groovy b/gate-web/src/main/groovy/com/netflix/spinnaker/gate/filters/FiatSessionFilter.groovy
@@ -0,0 +1,74 @@
+/*
+ * Copyright 2017 Google, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License")
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.netflix.spinnaker.gate.filters
+
+import com.netflix.spinnaker.fiat.shared.FiatClientConfigurationProperties
+import com.netflix.spinnaker.fiat.shared.FiatPermissionEvaluator
+import com.netflix.spinnaker.security.AuthenticatedRequest
+import groovy.util.logging.Slf4j
+import org.springframework.security.core.context.SecurityContextHolder
+
+import javax.servlet.Filter
+import javax.servlet.FilterChain
+import javax.servlet.FilterConfig
+import javax.servlet.ServletException
+import javax.servlet.ServletRequest
+import javax.servlet.ServletResponse
+import javax.servlet.http.HttpServletRequest
+
+@Slf4j
+class FiatSessionFilter implements Filter {
+
+  FiatClientConfigurationProperties configProps
+
+  FiatPermissionEvaluator permissionEvaluator
+
+  FiatSessionFilter(FiatClientConfigurationProperties configProps,
+                    FiatPermissionEvaluator permissionEvaluator) {
+    this.configProps = configProps
+    this.permissionEvaluator = permissionEvaluator
+  }
+
+  /**
+   * This filter checks if the user has an entry in Fiat, and if not, forces them to re-login. This
+   * is handy for (re)populating the Fiat user repo for a deployment with existing users & sessions.
+   */
+  @Override
+  void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
+    if (configProps.enabled) {
+      String user = AuthenticatedRequest.getSpinnakerUser().orElse(null)
+      if (permissionEvaluator.getPermission(user) == null) {
+        HttpServletRequest httpReq = (HttpServletRequest) request
+        log.info("Invalidating user '${user}' session '${httpReq.session.id}'" +
+                     " because Fiat permission was not found.")
+        httpReq.session.invalidate()
+        SecurityContextHolder.clearContext()
+      }
+    }
+    chain.doFilter(request, response)
+  }
+
+  @Override
+  void init(FilterConfig filterConfig) throws ServletException {
+
+  }
+
+  @Override
+  void destroy() {
+
+  }
+}
diff --git a/gate-web/src/main/groovy/com/netflix/spinnaker/gate/security/AuthConfig.groovy b/gate-web/src/main/groovy/com/netflix/spinnaker/gate/security/AuthConfig.groovy
@@ -16,11 +16,16 @@
 
 package com.netflix.spinnaker.gate.security
 
+import com.netflix.discovery.converters.Auto
+import com.netflix.spinnaker.fiat.shared.FiatClientConfigurationProperties
+import com.netflix.spinnaker.fiat.shared.FiatPermissionEvaluator
+import com.netflix.spinnaker.gate.filters.FiatSessionFilter
 import com.netflix.spinnaker.gate.security.rolesprovider.UserRolesProvider
 import com.netflix.spinnaker.gate.services.PermissionService
 import com.netflix.spinnaker.security.User
 import groovy.util.logging.Slf4j
 import org.springframework.beans.factory.InitializingBean
+import org.springframework.beans.factory.annotation.Autowire
 import org.springframework.beans.factory.annotation.Autowired
 import org.springframework.beans.factory.annotation.Value
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean
@@ -33,6 +38,7 @@ import org.springframework.security.config.annotation.web.builders.HttpSecurity
 import org.springframework.security.core.Authentication
 import org.springframework.security.web.authentication.logout.LogoutSuccessHandler
 import org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler
+import org.springframework.security.web.session.ConcurrentSessionFilter
 import org.springframework.stereotype.Component
 
 import javax.servlet.ServletException
@@ -49,6 +55,12 @@ class AuthConfig {
   @Autowired
   SecurityProperties securityProperties
 
+  @Autowired
+  FiatClientConfigurationProperties configProps
+
+  @Autowired
+  FiatPermissionEvaluator permissionEvaluator
+
   @Bean
   @ConditionalOnMissingBean(UserRolesProvider)
   UserRolesProvider defaultUserRolesProvider() {
@@ -76,6 +88,7 @@ class AuthConfig {
         .antMatchers('/health').permitAll()
         .antMatchers('/**').authenticated()
         .and()
+      .addFilterAfter(new FiatSessionFilter(configProps, permissionEvaluator), ConcurrentSessionFilter.class)
       .logout()
         .logoutUrl("/auth/logout")
         .logoutSuccessHandler(permissionRevokingLogoutSuccessHandler)