From 92b7c94500f96c7d2d03e7788ed86e6a1bc01472 Mon Sep 17 00:00:00 2001
From: Cameron Fieber
Date: Wed, 30 May 2018 13:28:53 -0700
Subject: [PATCH] fix(authn): invalidatePermission from cache
During login we want to read a fresh view of the permission from fiat to support populating allowed accounts headers. Also some cleanup in FiatAuthenticationConfig for easier autoconfigging.
---
build.gradle | 4 ++--
.../spinnaker/fiat/shared/FiatAuthenticationConfig.java | 9 ++++-----
.../spinnaker/fiat/shared/FiatPermissionEvaluator.java | 4 ++++
3 files changed, 10 insertions(+), 7 deletions(-)
diff --git a/build.gradle b/build.gradle
index 17abf16c5..988e68a74 100644
--- a/build.gradle
+++ b/build.gradle
@@ -16,7 +16,7 @@ buildscript { ext { - springBootVersion = "1.5.7.RELEASE" + springBootVersion = "1.5.10.RELEASE" } repositories { jcenter()
@@ -36,7 +36,7 @@ allprojects { apply plugin: 'groovy' ext { - spinnakerDependenciesVersion = project.hasProperty('spinnakerDependenciesVersion') ? project.property('spinnakerDependenciesVersion') : '0.155.1' + spinnakerDependenciesVersion = project.hasProperty('spinnakerDependenciesVersion') ? project.property('spinnakerDependenciesVersion') : '0.157.3' } def checkLocalVersions = [spinnakerDependenciesVersion: spinnakerDependenciesVersion]
diff --git a/fiat-api/src/main/java/com/netflix/spinnaker/fiat/shared/FiatAuthenticationConfig.java b/fiat-api/src/main/java/com/netflix/spinnaker/fiat/shared/FiatAuthenticationConfig.java
index 73398f37d..830bd80eb 100644
--- a/fiat-api/src/main/java/com/netflix/spinnaker/fiat/shared/FiatAuthenticationConfig.java
+++ b/fiat-api/src/main/java/com/netflix/spinnaker/fiat/shared/FiatAuthenticationConfig.java
@@ -18,6 +18,7 @@ import com.fasterxml.jackson.databind.DeserializationFeature; import com.fasterxml.jackson.databind.ObjectMapper; +import com.netflix.spinnaker.config.OkHttpClientConfiguration; import com.netflix.spinnaker.okhttp.SpinnakerRequestInterceptor; import lombok.Setter; import lombok.extern.slf4j.Slf4j;
@@ -39,6 +40,7 @@ import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import retrofit.Endpoints; import retrofit.RestAdapter; +import retrofit.client.Client; import retrofit.client.OkClient; import retrofit.converter.JacksonConverter;
@@ -54,14 +56,11 @@ public class FiatAuthenticationConfig { @Setter private RestAdapter.LogLevel retrofitLogLevel = RestAdapter.LogLevel.BASIC; - @Autowired - SpinnakerRequestInterceptor spinnakerRequestInterceptor; - @Bean @ConditionalOnMissingBean(FiatService.class) // Allows for override public FiatService fiatService(FiatClientConfigurationProperties fiatConfigurationProperties, SpinnakerRequestInterceptor interceptor, - OkClient okClient) { + OkHttpClientConfiguration okHttpClientConfiguration) { // New role providers break deserialization if this is not enabled. val objectMapper = new ObjectMapper(); objectMapper.enable(DeserializationFeature.READ_UNKNOWN_ENUM_VALUES_AS_NULL);
@@ -69,7 +68,7 @@ public FiatService fiatService(FiatClientConfigurationProperties fiatConfigurati return new RestAdapter.Builder() .setEndpoint(Endpoints.newFixedEndpoint(fiatConfigurationProperties.getBaseUrl())) .setRequestInterceptor(interceptor) - .setClient(okClient) + .setClient(new OkClient(okHttpClientConfiguration.create())) .setConverter(new JacksonConverter(objectMapper)) .setLogLevel(retrofitLogLevel) .setLog(new Slf4jRetrofitLogger(FiatService.class))
diff --git a/fiat-api/src/main/java/com/netflix/spinnaker/fiat/shared/FiatPermissionEvaluator.java b/fiat-api/src/main/java/com/netflix/spinnaker/fiat/shared/FiatPermissionEvaluator.java
index 8b4eb10a0..5ba3a1b6b 100644
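Review bot: The added `import retrofit.client.Client;` in the second hunk is not referenced by any line this commit adds to the file; the only new client code is `new OkClient(okHttpClientConfiguration.create())`, which uses the already-imported `OkClient`. The diffstat (four additions, five deletions) matches the visible hunks, so no use of `Client` is hidden elsewhere in the patch. Drop the import, or, if the intent was to type a local against the interface, use it as `Client client = new OkClient(...)`.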
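Review bot: In the third and fourth hunks `fiatService` stops taking the context's `OkClient` bean and builds its own with `new OkClient(okHttpClientConfiguration.create())`, so any TLS, timeout or interceptor customisation a host application applied to its `OkClient` bean no longer reaches the calls that fetch permissions. Whether `create()` applies equivalent trust-store and timeout settings is not visible in this patch and should be confirmed, since this client carries the authorization lookups. It would help to record the reason next to the call, for example `// Build a dedicated client from the shared OkHttp configuration so this bean does not depend on an OkClient bean being present.` If `create()` declares a checked exception, the bean method also needs a `throws` clause or a wrapped rethrow. The method body continues past the end of the fourth hunk.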
--- a/fiat-api/src/main/java/com/netflix/spinnaker/fiat/shared/FiatPermissionEvaluator.java
+++ b/fiat-api/src/main/java/com/netflix/spinnaker/fiat/shared/FiatPermissionEvaluator.java
@@ -123,6 +123,10 @@ private String getUsername(Authentication authentication) { return username; } + public void invalidatePermission(String username) { + permissionsCache.invalidate(username); + } + public UserPermission.View getPermission(String username) { UserPermission.View view = null; if (StringUtils.isEmpty(username)) {
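Review bot: `invalidatePermission` hands `username` straight to `permissionsCache.invalidate`, while `getPermission` directly below guards with `StringUtils.isEmpty(username)`. If the cache rejects null keys (its type is not visible in this hunk), a login that resolved no username would throw here instead of doing nothing. Mirroring the guard with `if (StringUtils.isEmpty(username)) { return; }` would fix that. The key passed in must also be exactly the one `getPermission` stores under, otherwise a stale permission entry survives the login this commit is meant to refresh. That part of `getPermission` lies outside the hunk, so please confirm it. As a new public method it also deserves a Javadoc such as `/** Drops the cached permission for username so the next lookup re-reads it from Fiat. */`.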