refactor(api): change FiatPermissionEvaluator to implement UserPermis…
…sionEvaluator

instead of PermissionEvaluator, and mark

public boolean hasPermission(
      String username, Serializable resourceName, String resourceType, Object authorization)

as @Override.

This makes this method available to e.g. S3ArtifactStoreGetter so it can authenticate by
user.  In some pipeline execution scenarios in orca (e.g. using #fetchReference in an
Evaluate Variables stage), this is necessary since SecurityContextHolder.getContext() is
null.
dbyron-sf committed Apr 26, 2024
1 parent ec6ef15 commit 02d947d
Showing 1 changed file with 3 additions and 2 deletions.
@@ -30,6 +30,7 @@
import com.netflix.spinnaker.kork.telemetry.caffeine.CaffeineStatsCounter;
import com.netflix.spinnaker.security.AccessControlled;
import com.netflix.spinnaker.security.AuthenticatedRequest;
import com.netflix.spinnaker.security.UserPermissionEvaluator;
import java.io.Serializable;
import java.util.Arrays;
import java.util.Collections;
@@ -48,7 +49,6 @@
import org.apache.commons.lang3.StringUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
@@ -58,7 +58,7 @@

@Component
@Slf4j
public class FiatPermissionEvaluator implements PermissionEvaluator {
public class FiatPermissionEvaluator implements UserPermissionEvaluator {
private static final ThreadLocal<AuthorizationFailure> authorizationFailure = new ThreadLocal<>();

private final Registry registry;
@@ -215,6 +215,7 @@ public boolean hasCachedPermission(String username) {
return permissionsCache.getIfPresent(username) != null;
}

@Override
public boolean hasPermission(
String username, Serializable resourceName, String resourceType, Object authorization) {
if (!fiatStatus.isEnabled()) {
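Review bot: The `hasPermission(String username, ...)` overload marked `@Override` in the last hunk becomes part of the `UserPermissionEvaluator` contract, and nothing in the visible lines binds `username` to an authenticated principal, so the decision is only as trustworthy as the place each caller gets that string from. Since the stated purpose is to call it where `SecurityContextHolder.getContext()` is null, I would add Javadoc on the method along the lines of `username must come from a server-side authenticated source such as the execution's recorded user, never from request or pipeline input`. The body continues outside the hunk, so the result of the `if (!fiatStatus.isEnabled())` branch is not visible here; if it grants access when Fiat is disabled, that is worth stating in the same Javadoc for the new callers.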