From 5c90023372ef8aca64adf4d0dbb614e350ac8f29 Mon Sep 17 00:00:00 2001
From: David Byron <82477955+dbyron-sf@users.noreply.github.com>
Date: Fri, 26 Apr 2024 18:37:20 -0700
Subject: [PATCH] refactor(api): change FiatPermissionEvaluator to implement UserPermissionEvaluator (#1155)

instead of PermissionEvaluator, and mark public boolean hasPermission( String username, Serializable resourceName, String resourceType, Object authorization) as @Override. This makes this method available to e.g. S3ArtifactStoreGetter so it can authenticate by user. In some pipeline execution scenarios in orca (e.g. using #fetchReference in an Evaluate Variables stage), this is necessary since SecurityContextHolder.getContext() is null.

Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
---
 .../spinnaker/fiat/shared/FiatPermissionEvaluator.java | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/fiat-api/src/main/java/com/netflix/spinnaker/fiat/shared/FiatPermissionEvaluator.java b/fiat-api/src/main/java/com/netflix/spinnaker/fiat/shared/FiatPermissionEvaluator.java
index 46f1ab8db..0248e15ba 100644
--- a/fiat-api/src/main/java/com/netflix/spinnaker/fiat/shared/FiatPermissionEvaluator.java
+++ b/fiat-api/src/main/java/com/netflix/spinnaker/fiat/shared/FiatPermissionEvaluator.java
@@ -30,6 +30,7 @@
 import com.netflix.spinnaker.kork.telemetry.caffeine.CaffeineStatsCounter;
 import com.netflix.spinnaker.security.AccessControlled;
 import com.netflix.spinnaker.security.AuthenticatedRequest;
+import com.netflix.spinnaker.security.UserPermissionEvaluator;
 import java.io.Serializable;
 import java.util.Arrays;
 import java.util.Collections;
@@ -48,7 +49,6 @@
 import org.apache.commons.lang3.StringUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
-import org.springframework.security.access.PermissionEvaluator;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.userdetails.UserDetails;
@@ -58,7 +58,7 @@
 @Component
 @Slf4j
-public class FiatPermissionEvaluator implements PermissionEvaluator {
+public class FiatPermissionEvaluator implements UserPermissionEvaluator {
 private static final ThreadLocal authorizationFailure = new ThreadLocal<>();
 private final Registry registry;
@@ -215,6 +215,7 @@ public boolean hasCachedPermission(String username) {
 return permissionsCache.getIfPresent(username) != null;
 }
+ @Override
 public boolean hasPermission(
 String username, Serializable resourceName, String resourceType, Object authorization) {
 if (!fiatStatus.isEnabled()) {
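Review bot: Now that `hasPermission(String username, ...)` is reachable through the `UserPermissionEvaluator` interface, the `username` argument is the only identity input in the last hunk and nothing in this overload ties it to an authenticated principal, so the trust contract should be documented for the new callers the commit description mentions (the orca path where `SecurityContextHolder.getContext()` is null). Suggest a Javadoc above the added `@Override` along the lines of `/** Evaluates whether {@code username} holds {@code authorization} on the named resource. Callers must pass a username established by authentication, never one taken from request or pipeline input. */`. The method body continues outside the hunk, so whether the `!fiatStatus.isEnabled()` branch grants access cannot be confirmed from here; if it does, the Javadoc should state that too, since callers relying on this method for access decisions need to know about the short-circuit.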