
Gate and Fiat should use the same anonymous username #6918

Closed
jvz opened this issue Dec 20, 2023 · 3 comments

Comments

@jvz

jvz commented Dec 20, 2023

Issue Summary:

Gate is configured to use an anonymous principal with the username anonymous, but Fiat is configured to use the default Spring Security settings which uses an anonymous principal of the string anonymousUser.

Feature Area:

Security

Description:

In Gate, AnonymousConfig configures anonymous authentication with the username anonymous. Every other service uses FiatAuthenticationConfig (from fiat-api) which configures anonymous authentication using the default Spring Security settings which uses a principal of anonymousUser (just the string, not wrapped in a UserDetails object or similar). Any code that relies on getting the authenticated username in a request directly from the Authentication object will get a different anonymous username than expected compared to using AuthenticatedRequest.getSpinnakerUser().orElse("anonymous"), the common idiom (which is being simplified in spinnaker/kork#1138).

This can cause problems in permission check code which tries to look up permissions for anonymousUser rather than anonymous which can lead to failed pipeline executions (e.g., those invoked via an unauthenticated web hook) where unrestricted permissions are not respected. This issue originally came up in code where I refactored various ways of getting the current user id to make use of SpinnakerUsers::getCurrentUserId and SpinnakerUsers::getUserId, but an unauthenticated web hook trigger to Gate made an anonymous request to Echo which led to a pipeline being invoked with the username anonymousUser who did not have permission to do jack shit.
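The mismatch described above, as an added example that is not Spinnaker's or Spring Security's own code: one filter chain left on Spring Security's default anonymous principal (the bare string "anonymousUser") next to one that pins the principal to "anonymous", plus a user-id resolver that maps any anonymous token to "anonymous" before a permission lookup sees it. Class and method names (AnonymousPrincipalExample, defaultAnonymousChain, pinnedAnonymousChain, currentUserId) are hypothetical; the Spring Security calls (anonymous(), principal(), authorities(), AnonymousAuthenticationToken) are real.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.SecurityFilterChain;

/**
 * Added example, not Spinnaker code. Contrasts the default Spring Security
 * anonymous principal ("anonymousUser") with an explicitly pinned one
 * ("anonymous") and shows a resolver that never hands "anonymousUser" to
 * permission checks.
 */
@Configuration
public class AnonymousPrincipalExample {

  // Username the rest of the platform expects for unauthenticated callers.
  public static final String ANONYMOUS_USER = "anonymous";

  // Weak variant (deliberately NOT a @Bean, shown only for contrast): anonymous()
  // with defaults keeps Spring Security's built-in principal, so
  // Authentication.getPrincipal() returns the plain String "anonymousUser".
  SecurityFilterChain defaultAnonymousChain(HttpSecurity http) throws Exception {
    http.anonymous(Customizer.withDefaults());
    return http.build();
  }

  // Corrected variant: pin the anonymous principal and its authority explicitly
  // so this service agrees with Gate on the username "anonymous".
  @Bean
  public SecurityFilterChain pinnedAnonymousChain(HttpSecurity http) throws Exception {
    http.anonymous(anon -> anon
        .principal(ANONYMOUS_USER)
        .authorities("ROLE_ANONYMOUS"));
    return http.build();
  }

  /**
   * Resolve the user id without trusting the raw principal string.
   * Anonymous tokens always map to "anonymous" (note that
   * AnonymousAuthenticationToken reports isAuthenticated() == true, so the
   * instanceof check is required), UserDetails principals use their username,
   * and a leaked Spring default "anonymousUser" from a misconfigured peer is
   * normalised rather than looked up as a real user.
   */
  public static String currentUserId(Authentication auth) {
    if (auth == null || !auth.isAuthenticated() || auth instanceof AnonymousAuthenticationToken) {
      return ANONYMOUS_USER;
    }
    Object principal = auth.getPrincipal();
    if (principal instanceof UserDetails) {
      return ((UserDetails) principal).getUsername();
    }
    String name = String.valueOf(principal);
    // Guard against the Spring default leaking through from another service.
    return "anonymousUser".equals(name) ? ANONYMOUS_USER : name;
  }

  // Convenience overload reading the current request's security context.
  public static String currentUserId() {
    return currentUserId(SecurityContextHolder.getContext().getAuthentication());
  }
}
```

Pinning the principal in configuration is the actual fix; the normalisation in currentUserId is a belt-and-braces check so that a pipeline triggered by an unauthenticated webhook is evaluated against the permissions of "anonymous" even if one service in the chain still runs with the Spring default.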

@jvz jvz self-assigned this Dec 20, 2023
jvz added a commit to jvz/fiat that referenced this issue Jan 3, 2024
Spring Security uses an anonymous principal of "anonymousUser" by
default which does not match the rest of Spinnaker where the anonymous
user is expected to have the username "anonymous". This ensures that
fiat-api code consistently uses the same anonymous principal.

Related to spinnaker/spinnaker#6918
@spinnakerbot

This issue hasn't been updated in 45 days, so we are tagging it as 'stale'. If you want to remove this label, comment:

@spinnakerbot remove-label stale

@spinnakerbot

This issue is tagged as 'stale' and hasn't been updated in 45 days, so we are tagging it as 'to-be-closed'. It will be closed in 45 days unless updates are made. If you want to remove this label, comment:

@spinnakerbot remove-label to-be-closed

@spinnakerbot

This issue is tagged as 'to-be-closed' and hasn't been updated in 45 days, so we are closing it. You can always reopen this issue if needed.
