spinnaker · sanopsmx · Oct 29, 2020 · Oct 31, 2020 · Oct 31, 2020 · Oct 31, 2020
diff --git a/orca-echo/orca-echo.gradle b/orca-echo/orca-echo.gradle
@@ -27,7 +27,7 @@ dependencies {
   implementation("org.springframework.boot:spring-boot-autoconfigure")
   implementation("javax.validation:validation-api")
   implementation("com.netflix.spinnaker.fiat:fiat-core:$fiatVersion")
-
+  implementation("com.netflix.spinnaker.fiat:fiat-api:$fiatVersion")
   testImplementation("com.squareup.retrofit:retrofit-mock")
 }
 

diff --git a/...-echo/src/main/groovy/com/netflix/spinnaker/orca/echo/pipeline/ManualJudgmentStage.groovy b/...-echo/src/main/groovy/com/netflix/spinnaker/orca/echo/pipeline/ManualJudgmentStage.groovy
@@ -19,23 +19,26 @@ package com.netflix.spinnaker.orca.echo.pipeline
 import com.fasterxml.jackson.annotation.JsonAnyGetter
 import com.fasterxml.jackson.annotation.JsonAnySetter
 import com.fasterxml.jackson.annotation.JsonIgnore
-import com.netflix.spinnaker.orca.api.pipeline.models.ExecutionStatus
+import com.google.common.annotations.VisibleForTesting
+import com.google.common.base.Strings
+import com.netflix.spinnaker.fiat.model.UserPermission
+import com.netflix.spinnaker.fiat.shared.FiatPermissionEvaluator
+import com.netflix.spinnaker.orca.AuthenticatedStage
 import com.netflix.spinnaker.orca.api.pipeline.OverridableTimeoutRetryableTask
-import com.netflix.spinnaker.orca.api.pipeline.models.StageExecution
 import com.netflix.spinnaker.orca.api.pipeline.TaskResult
-
-import javax.annotation.Nonnull
-import java.util.concurrent.TimeUnit
-import com.google.common.annotations.VisibleForTesting
-import com.netflix.spinnaker.orca.*
-import com.netflix.spinnaker.orca.echo.EchoService
 import com.netflix.spinnaker.orca.api.pipeline.graph.StageDefinitionBuilder
 import com.netflix.spinnaker.orca.api.pipeline.graph.TaskNode
+import com.netflix.spinnaker.orca.api.pipeline.models.ExecutionStatus
+import com.netflix.spinnaker.orca.api.pipeline.models.StageExecution
+import com.netflix.spinnaker.orca.echo.EchoService
+import com.netflix.spinnaker.orca.echo.util.ManualJudgmentAuthzGroupsUtil
 import com.netflix.spinnaker.security.User
 import groovy.util.logging.Slf4j
-import org.springframework.beans.factory.annotation.Autowired
 import org.springframework.stereotype.Component
 
+import javax.annotation.Nonnull
+import java.util.concurrent.TimeUnit
+
 @Component
 class ManualJudgmentStage implements StageDefinitionBuilder, AuthenticatedStage {
 
@@ -72,21 +75,33 @@ class ManualJudgmentStage implements StageDefinitionBuilder, AuthenticatedStage
     final long backoffPeriod = 15000
     final long timeout = TimeUnit.DAYS.toMillis(3)
 
-    @Autowired(required = false)
-    EchoService echoService
+    private final EchoService echoService
+
+    private final FiatPermissionEvaluator fiatPermissionEvaluator
+
+    WaitForManualJudgmentTask(Optional<EchoService> echoService, Optional<FiatPermissionEvaluator> fpe) {
+      this.echoService = echoService.orElse(null)
+      this.fiatPermissionEvaluator = fpe.orElse(null)
+    }
 
     @Override
     TaskResult execute(StageExecution stage) {
       StageData stageData = stage.mapTo(StageData)
+      def stageAuthorized = stage.context.get('isAuthorized')
+      def stageRoles = stage.context.get('stageRoles')
+      def permissions = stage.context.get('permissions')
+      def username = stage.lastModified? stage.lastModified.user: stage.context.get('username')
       String notificationState
       ExecutionStatus executionStatus
 
       switch (stageData.state) {
         case StageData.State.CONTINUE:
+          stageAuthorized = stageAuthorized || checkManualJudgmentAuthorizedGroups(stageRoles, permissions, username)
           notificationState = "manualJudgmentContinue"
           executionStatus = ExecutionStatus.SUCCEEDED
           break
         case StageData.State.STOP:
+          stageAuthorized = stageAuthorized || checkManualJudgmentAuthorizedGroups(stageRoles, permissions, username)
           notificationState = "manualJudgmentStop"
           executionStatus = ExecutionStatus.TERMINAL
           break
@@ -95,12 +110,31 @@ class ManualJudgmentStage implements StageDefinitionBuilder, AuthenticatedStage
           executionStatus = ExecutionStatus.RUNNING
           break
       }
-
+      if (!stageAuthorized) {
+        notificationState = "manualJudgment"
+        executionStatus = ExecutionStatus.RUNNING
+        stage.context.put("judgmentStatus", "")
+      }
       Map outputs = processNotifications(stage, stageData, notificationState)
 
       return TaskResult.builder(executionStatus).context(outputs).build()
     }
 
+    boolean checkManualJudgmentAuthorizedGroups(def stageRoles, def permissions, def username) {
+
+      if (!Strings.isNullOrEmpty(username)) {
+        UserPermission.View permission = fiatPermissionEvaluator.getPermission(username);
+        if (permission == null) { // Should never happen?
+          return false;
+        }
+        // User has to have all the pipeline roles.
+        def userRoles = permission.getRoles().collect { it.getName().trim() }
+        return ManualJudgmentAuthzGroupsUtil.checkAuthorizedGroups(userRoles, stageRoles, permissions)
+      } else {
+        return false
+      }
+    }
+
     Map processNotifications(StageExecution stage, StageData stageData, String notificationState) {
       if (echoService) {
         // sendNotifications will be true if using the new scheme for configuration notifications.

diff --git a/...cho/src/main/java/com/netflix/spinnaker/orca/echo/util/ManualJudgmentAuthzGroupsUtil.java b/...cho/src/main/java/com/netflix/spinnaker/orca/echo/util/ManualJudgmentAuthzGroupsUtil.java
@@ -0,0 +1,51 @@
+/*
+ * Copyright 2020 OpsMx, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.netflix.spinnaker.orca.echo.util;
+
+import com.netflix.spinnaker.fiat.model.Authorization;
+import java.util.List;
+import java.util.Map;
+
+public class ManualJudgmentAuthzGroupsUtil {
+
+  public static boolean checkAuthorizedGroups(
+      List<String> userRoles, List<String> stageRoles, Map<String, Object> permissions) {
+
+    boolean isAuthorizedGroup = false;
+    if (stageRoles == null || stageRoles.isEmpty()) {
+      return true;
+    }
+    for (String role : userRoles) {
+      if (stageRoles.contains(role)) {
+        for (Map.Entry<String, Object> entry : permissions.entrySet()) {
+          if (Authorization.CREATE.name().equals(entry.getKey())
+              || Authorization.EXECUTE.name().equals(entry.getKey())
+              || Authorization.WRITE.name().equals(entry.getKey())) {
+            if (entry.getValue() != null && ((List<String>) entry.getValue()).contains(role)) {
+              return true;
+            }
+          } else if (Authorization.READ.name().equals(entry.getKey())) {
+            if (entry.getValue() != null && ((List<String>) entry.getValue()).contains(role)) {
+              isAuthorizedGroup = false;
+            }
+          }
+        }
+      }
+    }
+    return isAuthorizedGroup;
+  }
+}
diff --git a/...o/src/test/groovy/com/netflix/spinnaker/orca/echo/pipeline/ManualJudgmentStageSpec.groovy b/...o/src/test/groovy/com/netflix/spinnaker/orca/echo/pipeline/ManualJudgmentStageSpec.groovy
@@ -16,6 +16,9 @@
 
 package com.netflix.spinnaker.orca.echo.pipeline
 
+import com.netflix.spinnaker.fiat.model.UserPermission
+import com.netflix.spinnaker.fiat.model.resources.Role
+import com.netflix.spinnaker.fiat.shared.FiatPermissionEvaluator
 import com.netflix.spinnaker.orca.api.pipeline.models.ExecutionStatus
 import com.netflix.spinnaker.orca.api.pipeline.models.StageExecution
 import com.netflix.spinnaker.orca.echo.EchoService
@@ -27,31 +30,65 @@ import static com.netflix.spinnaker.orca.echo.pipeline.ManualJudgmentStage.Notif
 import static com.netflix.spinnaker.orca.echo.pipeline.ManualJudgmentStage.WaitForManualJudgmentTask
 
 class ManualJudgmentStageSpec extends Specification {
+
+  EchoService echoService = Mock(EchoService)
+
+  FiatPermissionEvaluator fpe = Mock(FiatPermissionEvaluator)
+
   @Unroll
   void "should return execution status based on judgmentStatus"() {
     given:
-    def task = new WaitForManualJudgmentTask()
+    def task = new WaitForManualJudgmentTask(Optional.of(echoService), Optional.of(fpe))
 
     when:
     def result = task.execute(new StageExecutionImpl(PipelineExecutionImpl.newPipeline("orca"), "", context))
 
     then:
     result.status == expectedStatus
-    result.context.isEmpty()
 
     where:
     context                      || expectedStatus
     [:]                          || ExecutionStatus.RUNNING
-    [judgmentStatus: "continue"] || ExecutionStatus.SUCCEEDED
-    [judgmentStatus: "Continue"] || ExecutionStatus.SUCCEEDED
-    [judgmentStatus: "stop"]     || ExecutionStatus.TERMINAL
-    [judgmentStatus: "STOP"]     || ExecutionStatus.TERMINAL
-    [judgmentStatus: "unknown"]  || ExecutionStatus.RUNNING
+    [judgmentStatus: "continue", isAuthorized: true] || ExecutionStatus.SUCCEEDED
+    [judgmentStatus: "Continue", isAuthorized: true] || ExecutionStatus.SUCCEEDED
+    [judgmentStatus: "stop", isAuthorized: true]     || ExecutionStatus.TERMINAL
+    [judgmentStatus: "STOP", isAuthorized: true]     || ExecutionStatus.TERMINAL
+    [judgmentStatus: "unknown", isAuthorized: true]  || ExecutionStatus.RUNNING
+  }
+
+  @Unroll
+  void "should return execution status based on authorizedGroups"() {
+    given:
+    def task = new WaitForManualJudgmentTask(Optional.of(echoService), Optional.of(fpe))
+
+    when:
+    def result = task.execute(new StageExecutionImpl(PipelineExecutionImpl.newPipeline("orca"), "", context))
+
+    then:
+    1 * fpe.getPermission('abc@somedomain.io') >> {
+      new UserPermission().addResources([new Role('foo'), new Role('baz')]).view
+    }
+    result.status == expectedStatus
+
+    where:
+    context                      || expectedStatus
+    [judgmentStatus: "continue", isAuthorized: false, username: "abc@somedomain.io",
+     stageRoles: ['foo'], permissions: [WRITE: ["foo"],READ: ["foo","baz"], EXECUTE: ["foo"]]] || ExecutionStatus.SUCCEEDED
+    [judgmentStatus: "Continue", isAuthorized: false, username: "abc@somedomain.io",
+     stageRoles: ['foo'], permissions: [WRITE: ["foo"],READ: ["foo","baz"], EXECUTE: ["foo"]]] || ExecutionStatus.SUCCEEDED
+    [judgmentStatus: "stop", isAuthorized: false, username: "abc@somedomain.io",
+     stageRoles: ['foo'], permissions: [WRITE: ["foo"],READ: ["foo","baz"], EXECUTE: ["foo"]]] || ExecutionStatus.TERMINAL
+    [judgmentStatus: "STOP", isAuthorized: false, username: "abc@somedomain.io",
+     stageRoles: ['foo'], permissions: [WRITE: ["foo"],READ: ["foo","baz"],EXECUTE: ["foo"]]] || ExecutionStatus.TERMINAL
+    [judgmentStatus: "Continue", isAuthorized: false, username: "abc@somedomain.io",
+     stageRoles: ['baz'], permissions: [WRITE: ["foo"],READ: ["foo","baz"], EXECUTE: ["foo"]]] || ExecutionStatus.RUNNING
+    [judgmentStatus: "Stop", isAuthorized: false, username: "abc@somedomain.io",
+     stageRoles: ['baz'], permissions: [WRITE: ["foo"],READ: ["foo","baz"], EXECUTE: ["foo"]]] || ExecutionStatus.RUNNING
   }
 
   void "should only send notifications for supported types"() {
     given:
-    def task = new WaitForManualJudgmentTask(echoService: Mock(EchoService))
+    def task = new WaitForManualJudgmentTask(Optional.of(echoService), Optional.of(fpe))
 
     when:
     def result = task.execute(new StageExecutionImpl(PipelineExecutionImpl.newPipeline("orca"), "", [notifications: [
@@ -72,14 +109,15 @@ class ManualJudgmentStageSpec extends Specification {
   @Unroll
   void "if deprecated notification configuration is in use, only send notifications for awaiting judgment state"() {
     given:
-    def task = new WaitForManualJudgmentTask(echoService: Mock(EchoService))
+    def task = new WaitForManualJudgmentTask(Optional.of(echoService), Optional.of(fpe))
 
     when:
     def result = task.execute(new StageExecutionImpl(PipelineExecutionImpl.newPipeline("orca"), "", [
       sendNotifications: sendNotifications,
       notifications: [
         new Notification(type: "email", address: "test@netflix.com", when: [ notificationState ])
       ],
+      isAuthorized: true,
       judgmentStatus: judgmentStatus
     ]))
 
@@ -153,7 +191,7 @@ class ManualJudgmentStageSpec extends Specification {
   @Unroll
   void "should retain unknown fields in the notification context"() {
     given:
-    def task = new WaitForManualJudgmentTask(echoService: Mock(EchoService))
+    def task = new WaitForManualJudgmentTask(Optional.of(echoService), Optional.of(fpe))
 
     def slackNotification = new Notification(type: "slack")
     slackNotification.setOther("customMessage", "hello slack")