Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

OP-22435: Bugfix spin cli trigger a pipeline user is admin or not for custom gate. #483

Merged
merged 4 commits into from
Sep 13, 2024
Merged

OP-22435: Bugfix spin cli trigger a pipeline user is admin or not for custom gate. #483

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
b418f9a
OP-22435: BugFix-WU-webhook-trigger for x509-admin users on skipping …
emanipravallika Sep 13, 2024
edd5c7c
OP-22435: Addressed the comments - Added log statements
emanipravallika Sep 13, 2024
8571165
OP-22435: Addressed the comments - Added log statements
emanipravallika Sep 13, 2024
745ab80
OP-22435: Addressed the comments
emanipravallika Sep 13, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion ...web/src/main/java/com/opsmx/spinnaker/gate/interceptors/ApplicationIdRbacInterceptor.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,7 @@ public class ApplicationIdRbacInterceptor implements HandlerInterceptor {
@Override
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
throws Exception {
log.debug("***********Start of the preHandle -- ApplicationIdRbacInterceptor");
try {
log.info(
"Request intercepted for authorizing if the user is having enough access to perform the action");
Expand All @@ -43,7 +44,7 @@ public boolean preHandle(HttpServletRequest request, HttpServletResponse respons
} catch (NumberFormatException nfe) {
log.debug("Ignoring the rbac check as it threw number format exception");
}

log.debug("***********End of the preHandle -- ApplicationIdRbacInterceptor");
return true;
}
}
4 changes: 2 additions & 2 deletions ...eb/src/main/java/com/opsmx/spinnaker/gate/interceptors/ApprovalGateIdRbacInterceptor.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,7 @@ public class ApprovalGateIdRbacInterceptor implements HandlerInterceptor {
@Override
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
throws Exception {

log.debug("***********Start of the preHandle -- ApprovalGateIdRbacInterceptor");
try {
log.info(
"Request intercepted for authorizing if the user is having enough access to perform the action");
Expand All @@ -44,7 +44,7 @@ public boolean preHandle(HttpServletRequest request, HttpServletResponse respons
} catch (NumberFormatException nfe) {
log.debug("Ignoring the rbac check as it threw number format exception");
}

log.debug("***********End of the preHandle -- ApprovalGateIdRbacInterceptor");
return true;
}
}
4 changes: 2 additions & 2 deletions ...ain/java/com/opsmx/spinnaker/gate/interceptors/ApprovalGateInstanceIdRbacInterceptor.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,7 @@ public class ApprovalGateInstanceIdRbacInterceptor implements HandlerInterceptor
@Override
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
throws Exception {

log.debug("***********Start of the preHandle -- ApprovalGateInstanceIdRbacInterceptor");
try {
log.info(
"Request intercepted for authorizing if the user is having enough access to perform the action");
Expand All @@ -44,7 +44,7 @@ public boolean preHandle(HttpServletRequest request, HttpServletResponse respons
} catch (NumberFormatException nfe) {
log.debug("Ignoring the rbac check as it threw number format exception");
}

log.debug("***********End of the preHandle -- ApprovalGateInstanceIdRbacInterceptor");
return true;
}
}
4 changes: 2 additions & 2 deletions ...-web/src/main/java/com/opsmx/spinnaker/gate/interceptors/ApprovalPolicyIdInterceptor.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,7 @@ public class ApprovalPolicyIdInterceptor implements HandlerInterceptor {
@Override
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
throws Exception {

log.debug("***********Start of the preHandle -- ApprovalPolicyIdInterceptor");
try {
log.info(
"Request intercepted for authorizing if the user is having enough access to perform the action");
Expand All @@ -44,7 +44,7 @@ public boolean preHandle(HttpServletRequest request, HttpServletResponse respons
} catch (NumberFormatException nfe) {
log.debug("Ignoring the rbac check as it threw number format exception");
}

log.debug("***********End of the preHandle -- ApprovalPolicyIdInterceptor");
return true;
}
}
4 changes: 2 additions & 2 deletions ...rc/main/java/com/opsmx/spinnaker/gate/interceptors/CustomGatesTriggerRbacInterceptor.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,7 @@ public class CustomGatesTriggerRbacInterceptor implements HandlerInterceptor {
@Override
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
throws Exception {

log.debug("***********Start of the preHandle -- CustomGatesTriggerRbacInterceptor");
Optional.ofNullable(request.getHeader("x-spinnaker-user"))
.orElseThrow(
() -> new XSpinnakerUserHeaderMissingException("x-spinnaker-user header missing"));
Expand All @@ -50,7 +50,7 @@ public boolean preHandle(HttpServletRequest request, HttpServletResponse respons
} catch (NumberFormatException nfe) {
log.debug("Ignoring the rbac check as it threw number format exception");
}

log.debug("***********End of the preHandle -- CustomGatesTriggerRbacInterceptor");
return true;
}
}
4 changes: 3 additions & 1 deletion ...src/main/java/com/opsmx/spinnaker/gate/interceptors/FeatureVisibilityRbacInterceptor.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -46,12 +46,14 @@ public class FeatureVisibilityRbacInterceptor implements HandlerInterceptor {
@Override
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
throws Exception {
log.info("request intercepted to authorize if the user is having feature visibility");
log.debug("***********Start of the preHandle -- FeatureVisibilityRbacInterceptor");
log.info("request intercepted to authorize if the user is having feature visibility ");
String origin = request.getHeader(HttpHeaders.ORIGIN);
if (origin != null && customGatePlugins.contains(origin)) {
return true;
}
applicationFeatureRbac.authorizeUserForFeatureVisibility(request.getUserPrincipal().getName());
log.debug("***********End of the preHandle -- FeatureVisibilityRbacInterceptor");
return true;
}
}
4 changes: 2 additions & 2 deletions gate-web/src/main/java/com/opsmx/spinnaker/gate/interceptors/GateIdRbacInterceptor.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,7 @@ public class GateIdRbacInterceptor implements HandlerInterceptor {
@Override
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
throws Exception {

log.debug("***********Start of the preHandle -- GateIdRbacInterceptor");
try {
log.info(
"Request intercepted for authorizing if the user is having enough access to perform the action");
Expand All @@ -44,7 +44,7 @@ public boolean preHandle(HttpServletRequest request, HttpServletResponse respons
} catch (NumberFormatException nfe) {
log.debug("Ignoring the rbac check as it threw number format exception");
}

log.debug("***********End of the preHandle -- GateIdRbacInterceptor");
return true;
}
}
3 changes: 2 additions & 1 deletion gate-web/src/main/java/com/opsmx/spinnaker/gate/interceptors/PipelineIdRbacInterceptor.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -46,6 +46,7 @@ public class PipelineIdRbacInterceptor implements HandlerInterceptor {
@Override
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
throws Exception {
log.debug("***********Start of the preHandle -- PipelineIdRbacInterceptor");
try {
log.info(
"Request intercepted for authorizing if the user is having enough access to perform the action");
Expand All @@ -59,7 +60,7 @@ public boolean preHandle(HttpServletRequest request, HttpServletResponse respons
} catch (NumberFormatException nfe) {
log.debug("Ignoring the rbac check as it threw number format exception");
}

log.debug("***********End of the preHandle -- PipelineIdRbacInterceptor");
return true;
}
}
3 changes: 2 additions & 1 deletion gate-web/src/main/java/com/opsmx/spinnaker/gate/interceptors/ServiceIdRbacInterceptor.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,7 @@ public class ServiceIdRbacInterceptor implements HandlerInterceptor {
@Override
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
throws Exception {
log.debug("***********Start of the preHandle -- ServiceIdRbacInterceptor");
try {
log.info(
"Request intercepted for authorizing if the user is having enough access to perform the action");
Expand All @@ -43,7 +44,7 @@ public boolean preHandle(HttpServletRequest request, HttpServletResponse respons
} catch (NumberFormatException nfe) {
log.debug("Ignoring the rbac check as it threw number format exception");
}

log.debug("***********End of the preHandle -- ServiceIdRbacInterceptor");
return true;
}
}
74 changes: 66 additions & 8 deletions gate-web/src/main/java/com/opsmx/spinnaker/gate/rbac/ApplicationFeatureRbac.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,7 @@
import com.google.gson.JsonObject;
import com.netflix.spinnaker.gate.model.PermissionModel;
import com.netflix.spinnaker.gate.services.OesAuthorizationService;
import com.netflix.spinnaker.gate.services.PermissionService;
import com.opsmx.spinnaker.gate.enums.PermissionEnum;
import com.opsmx.spinnaker.gate.enums.RbacFeatureType;
import com.opsmx.spinnaker.gate.exception.AccessForbiddenException;
Expand All @@ -43,6 +44,9 @@ public class ApplicationFeatureRbac {

@Autowired private OesAuthorizationService oesAuthorizationService;

@Autowired
PermissionService permissionService;

public static final List<String> runtime_access = new ArrayList<>();
public static final List<String> applicationFeatureRbacEndpoints = new ArrayList<>();
public static final List<String> endpointsWithApplicationId = new ArrayList<>();
Expand Down Expand Up @@ -71,13 +75,17 @@ public class ApplicationFeatureRbac {
public void authorizeUserForFeatureVisibility(String userName) {

Boolean isFeatureVisibility;

log.debug("validating the user for FeatureVisibility");
if (permissionService.isAdmin(userName)) {
log.info("{} is admin, Hence not validating with ISD", userName);
return;
}
isFeatureVisibility =
Boolean.parseBoolean(
oesAuthorizationService
.isFeatureVisibility(userName, RbacFeatureType.APP.name(), userName)
.getBody()
.get("isEnabled"));
Boolean.parseBoolean(
oesAuthorizationService
.isFeatureVisibility(userName, RbacFeatureType.APP.name(), userName)
.getBody()
.get("isEnabled"));
log.info("is feature visibility enabled : {}", isFeatureVisibility);
if (!isFeatureVisibility) {
throw new AccessForbiddenException(
Expand All @@ -86,8 +94,12 @@ public void authorizeUserForFeatureVisibility(String userName) {
}

public void authorizeUserForApplicationId(
String username, String endpointUrl, String httpMethod) {

String username, String endpointUrl, String httpMethod) {
log.debug("validating the user for ApplicationId");
if (permissionService.isAdmin(username)) {
log.info("{} is admin, Hence not validating with ISD", username);
return;
}
HttpMethod method = HttpMethod.valueOf(httpMethod);
Integer applicationId = getApplicationId(endpointUrl);
PermissionModel permission;
Expand Down Expand Up @@ -176,6 +188,11 @@ private Integer getApplicationId(String endpoint) {

public void authorizeUserForServiceId(String username, String endpointUrl, String httpMethod) {

log.debug("validating the user for ServiceId");
if (permissionService.isAdmin(username)) {
log.info("{} is admin, Hence not validating with ISD", username);
return;
}
HttpMethod method = HttpMethod.valueOf(httpMethod);
Integer serviceId = getServiceId(endpointUrl);
Boolean isAuthorized;
Expand Down Expand Up @@ -262,6 +279,11 @@ private Integer getServiceId(String endpoint) {

public void authorizeUserForPipelineId(String username, String endpointUrl, String httpMethod) {

log.debug("validating the user for PipelineId");
if (permissionService.isAdmin(username)) {
log.info("{} is admin, Hence not validating with ISD", username);
return;
}
HttpMethod method = HttpMethod.valueOf(httpMethod);
Integer pipelineId = getPipelineId(endpointUrl);
Boolean isAuthorized;
Expand Down Expand Up @@ -350,6 +372,11 @@ private Integer getPipelineId(String endpoint) {

public void authorizeUserForGateId(String username, String endpointUrl, String httpMethod) {

log.debug("validating the user for GateId");
if (permissionService.isAdmin(username)) {
log.info("{} is admin, Hence not validating with ISD", username);
return;
}
HttpMethod method = HttpMethod.valueOf(httpMethod);
Integer gateId = getGateId(endpointUrl);
Boolean isAuthorized;
Expand Down Expand Up @@ -442,6 +469,11 @@ private Integer getGateId(String endpoint) {
public void authorizeUserForApprovalGateId(
String username, String endpointUrl, String httpMethod) {

log.debug("validating the user for GateId");
if (permissionService.isAdmin(username)) {
log.info("{} is admin, Hence not validating with ISD", username);
return;
}
HttpMethod method = HttpMethod.valueOf(httpMethod);
Integer approvalGateId = getApprovalGateId(endpointUrl);
Boolean isAuthorized;
Expand Down Expand Up @@ -529,6 +561,11 @@ private Integer getApprovalGateId(String endpoint) {
public void authorizeUserForApprovalGateInstanceId(
String username, String endpointUrl, String httpMethod) {

log.debug("validating the user for ApprovalGateInstanceId");
if (permissionService.isAdmin(username)) {
log.info("{} is admin, Hence not validating with ISD", username);
return;
}
HttpMethod method = HttpMethod.valueOf(httpMethod);
Integer approvalGateInstanceId = getApprovalGateInstanceId(endpointUrl);
Boolean isAuthorized;
Expand Down Expand Up @@ -618,6 +655,11 @@ private Integer getApprovalGateInstanceId(String endpoint) {
public void authorizeUserForApprovalPolicyId(
String username, String endpointUrl, String httpMethod) {

log.debug("validating the user for ApprovalPolicyId");
if (permissionService.isAdmin(username)) {
log.info("{} is admin, Hence not validating with ISD", username);
return;
}
HttpMethod method = HttpMethod.valueOf(httpMethod);
Integer approvalPolicyId = getApprovalPolicyId(endpointUrl);
Boolean isAuthorized;
Expand Down Expand Up @@ -720,7 +762,12 @@ private String readXSpinnakerUserFromHeader(HttpServletRequest request) {

public void authorizeUserForApprovalGateTrigger(HttpServletRequest request) {

log.debug("validating the user for ApprovalGateTrigger");
String username = readXSpinnakerUserFromHeader(request);
if (permissionService.isAdmin(username)) {
log.info("{} is admin, Hence not validating with ISD", username);
return;
}
String endpointUrl = request.getRequestURI();

Integer approvalGateId = getApprovalGateId(endpointUrl);
Expand Down Expand Up @@ -757,7 +804,13 @@ public void authorizeUserForApprovalGateTrigger(HttpServletRequest request) {

public void authorizeUserForPolicyGateTrigger(HttpServletRequest request, Object input) {

log.debug("validating the user for ApprovalGateTrigger");

String username = readXSpinnakerUserFromHeader(request);
if (permissionService.isAdmin(username)) {
log.info("{} is admin, Hence not validating with ISD", username);
return;
}
String endpointUrl = request.getRequestURI();

String inputStr = gson.toJson(input);
Expand Down Expand Up @@ -805,7 +858,12 @@ public void authorizeUserForPolicyGateTrigger(HttpServletRequest request, Object
public void authorizeUserForVerificationAndTestVerificationGateTrigger(
HttpServletRequest request, Object input) {

log.debug("validating the user for ApprovalGateTrigger");
String username = readXSpinnakerUserFromHeader(request);
if (permissionService.isAdmin(username)) {
log.info("{} is admin, Hence not validating with ISD", username);
return;
}
String endpointUrl = request.getRequestURI();

String inputStr = gson.toJson(input);
Expand Down
Loading