feat(roles): Configurable __unrestricted_user__ roles (#263)
Delegates loading to the `UserRolesProvider` with the default remaining
an empty set.

We have a custom `UserRolesProvider` at Netflix and would like the
ability to specify one or more additional roles for the anonymous user.
ajordens authored Sep 28, 2018
1 parent 4045c08 commit 4fb1da6
Showing 3 changed files with 14 additions and 2 deletions.
Expand Up @@ -70,8 +70,10 @@ public class DefaultPermissionsResolver implements PermissionsResolver {

@Override
public UserPermission resolveUnrestrictedUser() {
return getUserPermission(UnrestrictedResourceConfig.UNRESTRICTED_USERNAME,
new HashSet<>() /* groups */);
return getUserPermission(
UnrestrictedResourceConfig.UNRESTRICTED_USERNAME,
new HashSet<>(userRolesProvider.loadUnrestrictedRoles())
);
}

@Override
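Review bot: In `resolveUnrestrictedUser()`, `new HashSet<>(userRolesProvider.loadUnrestrictedRoles())` throws a NullPointerException if a custom provider returns null, and nothing visible on the interface forbids that. Treating null as "no roles" keeps the anonymous identity at least privilege: `List<Role> roles = userRolesProvider.loadUnrestrictedRoles();` then `new HashSet<>(roles != null ? roles : Collections.<Role>emptyList())`, assuming `List` and `Collections` are imported in this file, which the hunk does not show. Because these roles are attached to `__unrestricted_user__`, it would also help to log them when the list is non-empty, so a provider change that widens anonymous access is visible to operators.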
Expand Up @@ -19,12 +19,17 @@
import com.netflix.spinnaker.fiat.model.resources.Role;
import com.netflix.spinnaker.fiat.permissions.ExternalUser;

import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Map;

public interface UserRolesProvider {

default List<Role> loadUnrestrictedRoles() {
return new ArrayList<>();
}

/**
* Load the roles assigned to the {@link com.netflix.spinnaker.security.User User}.
*
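Review bot: The new default method `loadUnrestrictedRoles()` has no Javadoc, although the method directly below it does, and per the commit description its result is what the anonymous user is granted. I would add `/** Roles granted to the unrestricted (anonymous) user. Must not return null; keep the list minimal, since every role here is held without authentication. */`. Returning `Collections.emptyList()` instead of a fresh `ArrayList` would also signal that callers are not meant to mutate the result; the one caller in this commit copies it into a `HashSet` anyway. The interface body continues outside the hunk.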
Expand Up @@ -34,6 +34,7 @@ import spock.lang.Specification
import spock.lang.Subject

class DefaultPermissionsResolverSpec extends Specification {
UserRolesProvider userRolesProvider = Mock(UserRolesProvider)

@Shared
Account noReqGroupsAcct = new Account().setName("noReqGroups")
Expand Down Expand Up @@ -82,13 +83,17 @@ class DefaultPermissionsResolverSpec extends Specification {
.setResourceProviders(resourceProviders)
.setMapper(new ObjectMapper())
.setFiatAdminConfig(new FiatAdminConfig())
.setUserRolesProvider(userRolesProvider)

when:
def result = resolver.resolveUnrestrictedUser()

then:
1 * userRolesProvider.loadUnrestrictedRoles() >> { return [new Role("anonymous")] }

def expected = new UserPermission().setId("__unrestricted_user__")
.setAccounts([noReqGroupsAcct] as Set)
.setRoles([new Role("anonymous")] as Set)
result == expected
}
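Review bot: The feature method stubs `loadUnrestrictedRoles()` with a role (`anonymous`) that, as far as these hunks show, no account requires, so it only checks that the role is copied into `setRoles`. The case worth pinning is the one with access-control consequences: a role that matches an account's required group, with an assertion on whether the unrestricted user then gains that account. Also, `Mock(UserRolesProvider)` returns null for an unstubbed `loadUnrestrictedRoles()` rather than running the interface default, so the empty-default path is not covered; a second case with `>> []` and `setRoles([] as Set)` would cover it. The spec class starts and ends outside these hunks.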
