Merge pull request #24 from ttomsu/google-get-apps

Introduction of fiat-api module.

Author: Travis Tomsu

README.md

@@ -15,15 +15,11 @@ Roadmap/Implementation Punch list:
 * ☐ Compile "to secure" list of endpoints. (In progress)
 * ☐ **Component integration** - wire it all together throughout the other microservices.
   * ☑ Gate
-  * ☐ Front50 (in progress)
-    * ☐ GET /default/applications
-    * ☐ PUT /default/applications
-    * ☐ POST /default/applications/batchUpdate
-    * ☐ DELETE /default/applications/name/{application}
-    * ☐ GET /default/applications/name/{application}
-    * ☐ POST /default/applications/name/{application}
-    * ☐ GET /default/applications/search
-    * ☐ GET /default/applications/{application}/history
+  * ☑ Front50 (in progress)
+    * Troublesome:
+      * DELETE /pipelines/deleteById
+      * DELETE /strategies/deleteById
+      * NotificationsController
   * ☐ Orca
   * ☐ Clouddriver
   * ☐ Echo

build.gradle

@@ -34,7 +34,7 @@ allprojects {
   apply plugin: 'groovy'
 
   spinnaker {
-    dependenciesVersion = "0.37.0"
+    dependenciesVersion = "0.48.0"
   }
   test {
     testLogging {

fiat-api/fiat-api.gradle

@@ -0,0 +1,29 @@
+/*
+ * Copyright 2016 Google, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License")
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+dependencies {
+  compile project(":fiat-core")
+
+  spinnaker.group("retrofitDefault")
+
+  compile spinnaker.dependency("korkSecurity")
+  compile spinnaker.dependency("bootActuator")
+  compile spinnaker.dependency("bootWeb")
+
+  compile spinnaker.dependency("springSecurityConfig")
+  compile spinnaker.dependency("springSecurityCore")
+  compile spinnaker.dependency("springSecurityWeb")
+}

fiat-api/src/main/java/com/netflix/spinnaker/config/FiatAuthenticationConfig.java

@@ -0,0 +1,97 @@
+/*
+ * Copyright 2016 Google, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License")
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.netflix.spinnaker.config;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.netflix.spinnaker.fiat.config.RetrofitConfig;
+import com.netflix.spinnaker.fiat.shared.FiatAuthenticationFilter;
+import com.netflix.spinnaker.fiat.shared.FiatService;
+import lombok.Setter;
+import lombok.val;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnExpression;
+import org.springframework.boot.context.embedded.FilterRegistrationBean;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.ComponentScan;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Import;
+import org.springframework.core.Ordered;
+import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import retrofit.Endpoints;
+import retrofit.RestAdapter;
+import retrofit.client.OkClient;
+import retrofit.converter.JacksonConverter;
+
+@EnableWebSecurity
+@EnableGlobalMethodSecurity(prePostEnabled = true)
+@Configuration
+@Import(RetrofitConfig.class)
+@ComponentScan("com.netflix.spinnaker.fiat.shared")
+public class FiatAuthenticationConfig {
+
+  @Autowired
+  @Setter
+  private RestAdapter.LogLevel retrofitLogLevel;
+
+  @Autowired
+  @Setter
+  private ObjectMapper objectMapper;
+
+  @Autowired
+  @Setter
+  private OkClient okClient;
+
+  @Value("${services.fiat.baseUrl}")
+  @Setter
+  private String fiatEndpoint;
+
+  @Bean
+  public FiatService fiatService() {
+    return new RestAdapter.Builder()
+        .setEndpoint(Endpoints.newFixedEndpoint(fiatEndpoint))
+        .setClient(okClient)
+        .setConverter(new JacksonConverter(objectMapper))
+        .setLogLevel(retrofitLogLevel)
+        .build()
+        .create(FiatService.class);
+  }
+
+  @Bean
+  FilterRegistrationBean fiatFilterRegistrationBean(FiatAuthenticationFilter filter) {
+    val frb = new FilterRegistrationBean(filter);
+    frb.setOrder(Ordered.HIGHEST_PRECEDENCE + 1);
+    frb.addUrlPatterns("/*");
+    return frb;
+  }
+
+  @ConditionalOnExpression("!${services.fiat.enabled:false}")
+  @Bean
+  AnonymousConfig anonymousConfig() {
+    return new AnonymousConfig();
+  }
+
+  private class AnonymousConfig extends WebSecurityConfigurerAdapter {
+    @Override
+    protected void configure(HttpSecurity http) throws Exception {
+      http.authorizeRequests().anyRequest().permitAll();
+    }
+  }
+}

fiat-api/src/main/java/com/netflix/spinnaker/fiat/shared/FiatAuthenticationFilter.java

@@ -0,0 +1,63 @@
+/*
+ * Copyright 2016 Google, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License")
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.netflix.spinnaker.fiat.shared;
+
+import com.netflix.spinnaker.security.AuthenticatedRequest;
+import lombok.extern.slf4j.Slf4j;
+import lombok.val;
+import org.springframework.security.authentication.AnonymousAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.authority.AuthorityUtils;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
+import org.springframework.stereotype.Component;
+
+import javax.servlet.*;
+import java.io.IOException;
+import java.util.ArrayList;
+
+@Slf4j
+@Component
+public class FiatAuthenticationFilter implements Filter {
+
+  @Override
+  public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
+    Authentication auth = AuthenticatedRequest
+        .getSpinnakerUser()
+        .map(username -> (Authentication) new PreAuthenticatedAuthenticationToken(username,
+                                                                                  null,
+                                                                                  new ArrayList<>()))
+        .orElseGet(() -> new AnonymousAuthenticationToken(
+            "ignored1", // These values are never used. See FiatPermissionEvaluator.
+            "ignored2",
+            AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS")
+        ));
+
+    val ctx = SecurityContextHolder.createEmptyContext();
+    ctx.setAuthentication(auth);
+    SecurityContextHolder.setContext(ctx);
+    chain.doFilter(request, response);
+  }
+
+  @Override
+  public void init(FilterConfig filterConfig) throws ServletException {
+  }
+
+  @Override
+  public void destroy() {
+  }
+}

fiat-api/src/main/java/com/netflix/spinnaker/fiat/shared/FiatPermissionEvaluator.java

@@ -0,0 +1,86 @@
+/*
+ * Copyright 2016 Google, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License")
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.netflix.spinnaker.fiat.shared;
+
+import com.netflix.spinnaker.fiat.model.Authorization;
+import com.netflix.spinnaker.fiat.model.resources.Resource;
+import lombok.Setter;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.security.access.PermissionEvaluator;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
+import org.springframework.stereotype.Component;
+import retrofit.RetrofitError;
+
+import java.io.Serializable;
+
+@Component
+@Slf4j
+public class FiatPermissionEvaluator implements PermissionEvaluator {
+
+  @Autowired
+  @Setter
+  private FiatService fiatService;
+
+  @Value("${services.fiat.enabled:false}")
+  @Setter
+  private String fiatEnabled;
+
+  @Override
+  public boolean hasPermission(Authentication authentication, Object resource, Object authorization) {
+    return false;
+  }
+
+  @Override
+  public boolean hasPermission(Authentication authentication, Serializable resourceName, String resourceType, Object authorization) {
+    if (!Boolean.valueOf(fiatEnabled)) {
+      return true;
+    }
+
+    String username = getUsername(authentication);
+    Resource r = Resource.parse(resourceType);
+    Authorization a = Authorization.valueOf(authorization.toString());
+
+    return isAuthorized(username, r, resourceName.toString(), a);
+  }
+
+  private String getUsername(Authentication authentication) {
+    String username = "anonymous";
+    if (authentication instanceof PreAuthenticatedAuthenticationToken) {
+      PreAuthenticatedAuthenticationToken authToken = (PreAuthenticatedAuthenticationToken) authentication;
+      if (authToken.isAuthenticated()) {
+        username = authToken.getPrincipal().toString();
+      }
+    }
+    return username;
+  }
+
+  private boolean isAuthorized(String username, Resource resource, String resourceName, Authorization a) {
+    try {
+      fiatService.hasAuthorization(username, resource.toString(), resourceName, a.toString());
+    } catch (RetrofitError re) {
+      String message = String.format("Fiat authorization failed for user '%s' '%s'-ing '%s' " +
+                                         "resource named '%s'. Cause: %s", username, a, resource, resourceName, re.getMessage());
+      log.debug(message);
+      log.trace(message, re);
+      return false;
+    }
+    return true;
+  }
+}

fiat-api/src/main/java/com/netflix/spinnaker/fiat/shared/FiatService.java

@@ -0,0 +1,30 @@
+/*
+ * Copyright 2016 Netflix, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License")
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.netflix.spinnaker.fiat.shared;
+
+import com.squareup.okhttp.Response;
+import retrofit.http.GET;
+import retrofit.http.Path;
+
+public interface FiatService {
+
+  @GET("/authorize/{userId}/{resourceType}/{resourceName}/{authorization}")
+  Response hasAuthorization(@Path("userId") String userId,
+                            @Path("resourceType") String resourceType,
+                            @Path("resourceName") String resourceName,
+                            @Path("authorization") String authorization);
+}

fiat-core/fiat-core.gradle

@@ -7,6 +7,7 @@ dependencies {
   compile spinnaker.dependency("springContext")
   compile spinnaker.dependency("guava")
   compile spinnaker.dependency("bootActuator")
+  compile spinnaker.dependency('korkWeb')
 
   compile "org.apache.commons:commons-lang3:3.4"
   compile "com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.7.4"