Adds Frigga name parsing if the specified resource is an application.…

… This helps when authorizing other objects that conform to the naming convention (namely load balancers, server groups, and instances). (#64)
spinnaker · Sep 20, 2016 · 140a447 · 140a447
1 parent de158b3
commit 140a447
Show file tree

Hide file tree

Showing 3 changed files with 90 additions and 0 deletions.
diff --git a/fiat-api/fiat-api.gradle b/fiat-api/fiat-api.gradle
@@ -22,6 +22,7 @@ dependencies {
   compile spinnaker.dependency("korkSecurity")
   compile spinnaker.dependency("bootActuator")
   compile spinnaker.dependency("bootWeb")
+  compile spinnaker.dependency('frigga')
 
   compile spinnaker.dependency("springSecurityConfig")
   compile spinnaker.dependency("springSecurityCore")

diff --git a/fiat-api/src/main/java/com/netflix/spinnaker/fiat/shared/FiatPermissionEvaluator.java b/fiat-api/src/main/java/com/netflix/spinnaker/fiat/shared/FiatPermissionEvaluator.java
@@ -16,12 +16,15 @@
 
 package com.netflix.spinnaker.fiat.shared;
 
+import com.netflix.frigga.Names;
 import com.netflix.spinnaker.fiat.model.Authorization;
 import com.netflix.spinnaker.fiat.model.UserPermission;
 import com.netflix.spinnaker.fiat.model.resources.Authorizable;
 import com.netflix.spinnaker.fiat.model.resources.ResourceType;
 import lombok.Setter;
 import lombok.extern.slf4j.Slf4j;
+import lombok.val;
+import org.apache.commons.lang3.StringUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.security.access.PermissionEvaluator;
@@ -58,11 +61,22 @@ public boolean hasPermission(Authentication authentication, Serializable resourc
     if (!Boolean.valueOf(fiatEnabled)) {
       return true;
     }
+    if (resourceName == null || resourceType == null || authorization == null) {
+      return false;
+    }
+
 
     String username = getUsername(authentication);
     ResourceType r = ResourceType.parse(resourceType);
     Authorization a = Authorization.valueOf(authorization.toString());
 
+    if (r == ResourceType.APPLICATION) {
+      val parsedName = Names.parseName(resourceName.toString()).getApp();
+      if (StringUtils.isNotEmpty(parsedName)) {
+        resourceName = parsedName;
+      }
+    }
+
     return isWholePermissionStored(authentication) ?
         permissionContains(authentication, resourceName.toString(), r, a) :
         isAuthorized(username, r, resourceName.toString(), a);

diff --git a/...-api/src/test/groovy/com/netflix/spinnaker/fiat/shared/FiatPermissionEvaluatorSpec.groovy b/...-api/src/test/groovy/com/netflix/spinnaker/fiat/shared/FiatPermissionEvaluatorSpec.groovy
@@ -0,0 +1,75 @@
+/*
+ * Copyright 2016 Google, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License")
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.netflix.spinnaker.fiat.shared
+
+import com.netflix.spinnaker.fiat.model.resources.ResourceType
+import org.springframework.security.core.Authentication
+import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken
+import retrofit.RetrofitError
+import retrofit.client.Response
+import spock.lang.Specification
+import spock.lang.Unroll
+
+class FiatPermissionEvaluatorSpec extends Specification {
+
+  @Unroll
+  def "should parse application name"() {
+    setup:
+    FiatService fiatService = Mock(FiatService)
+    FiatPermissionEvaluator evaluator = new FiatPermissionEvaluator(fiatEnabled: true,
+                                                                    fiatService: fiatService);
+
+    Authentication authentication = new PreAuthenticatedAuthenticationToken("testUser",
+                                                                            null,
+                                                                            new ArrayList<>());
+
+    when:
+    def result = evaluator.hasPermission(authentication,
+                                         resource,
+                                         resourceType.name(),
+                                         authorization)
+
+    then:
+    1 * fiatService.hasAuthorization("testUser", resourceType.name(), resourceName, authorization) >> {
+      throw RetrofitError.httpError(
+          "/",
+          new Response("/", 404, "not found", Collections.emptyList(), null),
+          null,
+          null)
+    }
+    !result
+
+    when:
+    result = evaluator.hasPermission(authentication,
+                                     resource,
+                                     resourceType.name(),
+                                     authorization)
+
+    then:
+    1 * fiatService.hasAuthorization("testUser", resourceType.name(), resourceName, authorization)
+    result
+
+    where:
+    resource           | resourceName | resourceType
+    "abc"              | "abc"        | ResourceType.APPLICATION
+    "abc-def"          | "abc"        | ResourceType.APPLICATION
+    "abc-def-ghi"      | "abc"        | ResourceType.APPLICATION
+    "abc-def-ghi-1234" | "abc"        | ResourceType.APPLICATION
+
+    authorization = 'READ'
+  }
+}