spinnaker · jvz · Jan 3, 2024 · Jan 3, 2024 · Jan 4, 2024 · Jan 8, 2024
@@ -17,11 +17,12 @@
 package com.netflix.spinnaker.fiat.shared;
 
 import com.netflix.spinnaker.security.AuthenticatedRequest;
+import com.netflix.spinnaker.security.SpinnakerAuthorities;
+import com.netflix.spinnaker.security.SpinnakerUsers;
 import java.util.List;
 import javax.servlet.http.HttpServletRequest;
 import org.springframework.security.authentication.AnonymousAuthenticationToken;
 import org.springframework.security.core.Authentication;
-import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.web.authentication.AuthenticationConverter;
 import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
 
@@ -41,8 +42,8 @@ public Authentication convert(HttpServletRequest request) {
         .orElseGet(
             () ->
                 new AnonymousAuthenticationToken(
-                    "anonymous",
-                    "anonymous",
-                    AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS")));
+                    SpinnakerUsers.ANONYMOUS,
+                    SpinnakerUsers.ANONYMOUS,
+                    List.of(SpinnakerAuthorities.ANONYMOUS_AUTHORITY)));
   }
 }
@@ -28,6 +28,7 @@
 import com.netflix.spinnaker.kork.web.exceptions.ExceptionMessageDecorator;
 import com.netflix.spinnaker.okhttp.SpinnakerRequestInterceptor;
 import com.netflix.spinnaker.retrofit.Slf4jRetrofitLogger;
+import com.netflix.spinnaker.security.SpinnakerUsers;
 import lombok.Setter;
 import lombok.val;
 import okhttp3.OkHttpClient;
@@ -143,6 +144,8 @@ protected void configure(HttpSecurity http) throws Exception {
           .exceptionHandling()
           .and()
           .anonymous()
+          // match the same anonymous userid as expected elsewhere
+          .principal(SpinnakerUsers.ANONYMOUS)
           .and()
           .addFilterBefore(
               new FiatAuthenticationFilter(fiatStatus, authenticationConverter),

@@ -19,6 +19,7 @@
 import com.netflix.spinnaker.fiat.model.SpinnakerAuthorities;
 import com.netflix.spinnaker.fiat.model.UserPermission;
 import com.netflix.spinnaker.kork.common.Header;
+import com.netflix.spinnaker.security.SpinnakerUsers;
 import java.util.List;
 import javax.servlet.http.HttpServletRequest;
 import lombok.RequiredArgsConstructor;
@@ -47,6 +48,8 @@ public Authentication convert(HttpServletRequest request) {
       }
     }
     return new AnonymousAuthenticationToken(
-        "anonymous", "anonymous", List.of(SpinnakerAuthorities.ANONYMOUS_AUTHORITY));
+        SpinnakerUsers.ANONYMOUS,
+        SpinnakerUsers.ANONYMOUS,
+        List.of(SpinnakerAuthorities.ANONYMOUS_AUTHORITY));
   }
 }
@@ -1,6 +1,6 @@
 dependencies {
 
-  api "org.springframework.security:spring-security-core"
+  api "io.spinnaker.kork:kork-security:$korkVersion"
 
   implementation "com.fasterxml.jackson.core:jackson-annotations"
   implementation "com.google.code.findbugs:jsr305"

@@ -20,25 +20,12 @@
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 
 /**
- * Constants and utilities for working with Spring Security GrantedAuthority objects specific to
- * Spinnaker and Fiat. Spinnaker-specific roles such as admin and account manager are represented
- * here as granted authorities.
+ * Migrated to {@link com.netflix.spinnaker.security.SpinnakerAuthorities} in {@code kork-security}.
+ * This is left for backward compatibility.
  */
-public class SpinnakerAuthorities {
-  public static final String ADMIN = "SPINNAKER_ADMIN";
-  /** Granted authority for Spinnaker administrators. */
-  public static final GrantedAuthority ADMIN_AUTHORITY = new SimpleGrantedAuthority(ADMIN);
-
+public class SpinnakerAuthorities extends com.netflix.spinnaker.security.SpinnakerAuthorities {
   public static final String ACCOUNT_MANAGER = "SPINNAKER_ACCOUNT_MANAGER";
   /** Granted authority for Spinnaker account managers. */
   public static final GrantedAuthority ACCOUNT_MANAGER_AUTHORITY =
       new SimpleGrantedAuthority(ACCOUNT_MANAGER);
-
-  /** Granted authority for anonymous users. */
-  public static final GrantedAuthority ANONYMOUS_AUTHORITY = forRoleName("ANONYMOUS");
-
-  /** Creates a granted authority corresponding to the provided name of a role. */
-  public static GrantedAuthority forRoleName(String role) {
-    return new SimpleGrantedAuthority(String.format("ROLE_%s", role));
-  }
 }