feat(roles): Adding dynomite support (#249)

Also fixes a bug that failed to revoke roles during put operations.

fiat-roles/fiat-roles.gradle

@@ -25,9 +25,9 @@ dependencies {
   compile spinnaker.dependency("bootWeb")
   compile spinnaker.dependency("korkHystrix")
   compile spinnaker.dependency("korkJedis")
+  compile spinnaker.dependency("korkDynomite")
   compile spinnaker.dependency("kork")
 
-  compile "redis.clients:jedis:${spinnaker.version('jedis')}"
   compile "com.google.api-client:google-api-client:1.21.0"
   compile "com.google.apis:google-api-services-admin-directory:directory_v1-rev65-1.21.0"
   compile "com.squareup.retrofit:converter-simplexml:1.9.0"

fiat-roles/src/main/java/com/netflix/spinnaker/fiat/config/DynomiteConfig.java

@@ -0,0 +1,28 @@
+/*
+ * Copyright 2018 Netflix, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.netflix.spinnaker.fiat.config;
+
+import com.netflix.spinnaker.kork.dynomite.DynomiteClientConfiguration;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Import;
+
+@Configuration
+@ConditionalOnProperty("dynomite.enabled")
+@Import(DynomiteClientConfiguration.class)
+public class DynomiteConfig {
+
+}

fiat-roles/src/main/java/com/netflix/spinnaker/fiat/permissions/RedisPermissionsRepository.java

@@ -102,6 +102,13 @@ public RedisPermissionsRepository put(@NonNull UserPermission permission) {
         });
 
     try {
+      Set<Role> existingRoles = redisClientDelegate.withCommandsClient(client -> {
+        return client.hgetAll(userKey(permission.getId(), ResourceType.ROLE)).values().stream()
+          .map((ThrowingFunction<String, Role>) serialized ->
+            objectMapper.readValue(serialized, Role.class))
+          .collect(Collectors.toSet());
+      });
+
       redisClientDelegate.withMultiKeyPipeline(pipeline -> {
         String userId = permission.getId();
         pipeline.sadd(allUsersKey(), userId);
@@ -113,6 +120,9 @@ public RedisPermissionsRepository put(@NonNull UserPermission permission) {
         }
 
         permission.getRoles().forEach(role -> pipeline.sadd(roleKey(role), userId));
+        existingRoles.stream()
+          .filter(it -> !permission.getRoles().contains(it))
+          .forEach(role -> pipeline.srem(roleKey(role), userId));
 
         for (ResourceType r : ResourceType.values()) {
           String userResourceKey = userKey(userId, r);

fiat-roles/src/test/groovy/com/netflix/spinnaker/fiat/permissions/RedisPermissionsRepositorySpec.groovy

@@ -103,8 +103,8 @@ class RedisPermissionsRepositorySpec extends Specification {
 
   def "should remove permission that has been revoked"() {
     setup:
-    jedis.sadd("unittest:users", "testUser");
-    jedis.sadd("unittest:roles:role1", "testUser")
+    jedis.sadd("unittests:users", "testUser");
+    jedis.sadd("unittests:roles:role1", "testUser")
     jedis.hset("unittests:permissions:testUser:accounts",
                "account",
                '{"name":"account","requiredGroupMembership":[]}')
@@ -114,6 +114,9 @@ class RedisPermissionsRepositorySpec extends Specification {
     jedis.hset("unittests:permissions:testUser:service_accounts",
                "serviceAccount",
                '{"name":"serviceAccount"}')
+    jedis.hset("unittests:permissions:testUser:roles",
+               "role1",
+               '{"name":"role1"}')
 
     when:
     repo.put(new UserPermission()