fix(stageExecution): Extend MJ auth propagate logic for exhaustive ca…

…ses (#4368) (#4373)

* fix(stageExecution): Permission retrieved from last user interaction

* fix(stageExecution): Include not authenticated to apply backtracking

* fix(stageExecution): Extended logic for sub cases

(cherry picked from commit d6d0f33)

Co-authored-by: Oscar Michel Herrera <oscarmichelh@gmail.com>

orca-echo/src/main/groovy/com/netflix/spinnaker/orca/echo/pipeline/ManualJudgmentStage.groovy

@@ -56,7 +56,7 @@ class ManualJudgmentStage implements StageDefinitionBuilder, AuthenticatedStage
   @Override
   Optional<PipelineExecution.AuthenticationDetails> authenticatedUser(StageExecution stage) {
     def stageData = stage.mapTo(StageData)
-    if (stageData.state != StageData.State.CONTINUE || !stage.lastModified?.user || !stageData.propagateAuthenticationContext) {
+    if (stageData.state != StageData.State.CONTINUE || !stage.lastModified?.user) {
       return Optional.empty()
     }
 

orca-echo/src/test/groovy/com/netflix/spinnaker/orca/echo/pipeline/ManualJudgmentStageSpec.groovy

@@ -242,7 +242,7 @@ class ManualJudgmentStageSpec extends Specification {
     judgmentStatus | propagateAuthenticationContext || isPresent
     "continue"     | true                           || true
     "ContinuE"     | true                           || true
-    "continue"     | false                          || false
+    "continue"     | false                          || true
     "stop"         | true                           || false
     "stop"         | false                          || false
     ""             | true                           || false

orca-queue/src/main/kotlin/com/netflix/spinnaker/orca/q/handler/AuthenticationAware.kt

@@ -56,30 +56,29 @@ interface AuthenticationAware {
     return stageNavigator
       .ancestors(stage)
       .firstOrNull { it.stageBuilder is AuthenticatedStage } ?.let{
-        (it.stageBuilder as AuthenticatedStage).authenticatedUser(solveSkippedStages(it.stage)).orElse(null)
+        (it.stageBuilder as AuthenticatedStage).authenticatedUser(solveAuthStages(it.stage)).orElse(null)
       }
   }
 
 
   // When a first valid candidate is found in the ancestors chain is returned
   // until the ancestor chain was iterated completely at the pipeline beginning
-  fun backtrackSkippedStages(stage: StageExecution): StageExecution {
+  fun backtrackStages(stage: StageExecution): StageExecution {
     if (stage.isManualJudgmentType &&
       !stage.status.isSkipped &&
       stage.withPropagateAuthentication()) {
       return stage;
     }
     val previousStage = if (stageNavigator.ancestors(stage).size > 1) stageNavigator.ancestors(stage).get(1).stage else null
-    return if (previousStage == null) stage else backtrackSkippedStages(previousStage)
+    return if (previousStage == null) stage else backtrackStages(previousStage)
   }
 
   //Next method will look by a possible stage with authentication propagated in case that previous
-  //stage was skipped, iterating the stage ancestors. By the moment only MJ stages approved with
+  //stage brokes the auth chain, iterating the stage ancestors. By the moment only MJ stages approved with
   //auth propagated are considerated as candidates
-  fun solveSkippedStages(stage: StageExecution): StageExecution {
-    if (stage.isManualJudgmentType() &&
-      stage.status.isSkipped) {
-      val result = backtrackSkippedStages(stage)
+  fun solveAuthStages(stage: StageExecution): StageExecution {
+    if (stage.isManualJudgmentType()) {
+      val result = backtrackStages(stage)
       stage.lastModified = result.lastModified
       return result
     }