Adds command to pull whole permission into security context for @PostFilter optimization. (#27)

Travis Tomsu · web-flow · commit 356503474a63 · 2016-09-01T13:48:46.000-04:00
diff --git a/fiat-api/src/main/java/com/netflix/spinnaker/fiat/shared/FiatPermissionEvaluator.java b/fiat-api/src/main/java/com/netflix/spinnaker/fiat/shared/FiatPermissionEvaluator.java
@@ -17,18 +17,24 @@
 package com.netflix.spinnaker.fiat.shared;
 
 import com.netflix.spinnaker.fiat.model.Authorization;
+import com.netflix.spinnaker.fiat.model.UserPermission;
+import com.netflix.spinnaker.fiat.model.resources.Authorizable;
 import com.netflix.spinnaker.fiat.model.resources.Resource;
 import lombok.Setter;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.security.access.PermissionEvaluator;
 import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContext;
+import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
 import org.springframework.stereotype.Component;
 import retrofit.RetrofitError;
 
 import java.io.Serializable;
+import java.util.Set;
+import java.util.function.Function;
 
 @Component
 @Slf4j
@@ -57,7 +63,9 @@ public boolean hasPermission(Authentication authentication, Serializable resourc
     Resource r = Resource.parse(resourceType);
     Authorization a = Authorization.valueOf(authorization.toString());
 
-    return isAuthorized(username, r, resourceName.toString(), a);
+    return isWholePermissionStored(authentication) ?
+        permissionContains(authentication, resourceName.toString(), r, a) :
+        isAuthorized(username, r, resourceName.toString(), a);
   }
 
   private String getUsername(Authentication authentication) {
@@ -83,4 +91,65 @@ private boolean isAuthorized(String username, Resource resource, String resource
     }
     return true;
   }
+
+  @SuppressWarnings("unused")
+  public boolean storeWholePermission() {
+    if (!Boolean.valueOf(fiatEnabled)) {
+      return true;
+    }
+
+    String username = getUsername(SecurityContextHolder.getContext().getAuthentication());
+
+    UserPermission.View view;
+    try {
+      view = fiatService.getUserPermission(username);
+    } catch (RetrofitError re) {
+      String message = String.format("Cannot get whole user permission for user %s", username);
+      log.debug(message);
+      log.trace(message, re);
+      return false;
+    }
+
+    PreAuthenticatedAuthenticationToken auth = new PreAuthenticatedAuthenticationToken(username, null, null);
+    auth.setDetails(view);
+
+    SecurityContext ctx = SecurityContextHolder.createEmptyContext();
+    ctx.setAuthentication(auth);
+    SecurityContextHolder.setContext(ctx);
+
+    return true;
+  }
+
+  private boolean isWholePermissionStored(Authentication authentication) {
+    return authentication.getDetails() != null &&
+        authentication.getDetails() instanceof UserPermission.View;
+  }
+
+  private boolean permissionContains(Authentication authentication,
+                                     String resourceName,
+                                     Resource resource,
+                                     Authorization authorization) {
+    UserPermission.View permission = (UserPermission.View) authentication.getDetails();
+
+    Function<Set<? extends Authorizable>, Boolean> containsAuth = resources ->
+        resources
+            .stream()
+            .anyMatch(view -> view.getName().equalsIgnoreCase(resourceName) &&
+                view.getAuthorizations().contains(authorization));
+
+
+    switch (resource) {
+      case ACCOUNT:
+        return containsAuth.apply(permission.getAccounts());
+      case APPLICATION:
+        return containsAuth.apply(permission.getApplications());
+      default:
+        return false;
+    }
+  }
+
+  @SuppressWarnings("unused")
+  public boolean isAdmin() {
+    return true; // TODO(ttomsu): Chosen by fair dice roll. Guaranteed to be random.
+  }
 }
diff --git a/fiat-api/src/main/java/com/netflix/spinnaker/fiat/shared/FiatService.java b/fiat-api/src/main/java/com/netflix/spinnaker/fiat/shared/FiatService.java
@@ -16,12 +16,16 @@
 
 package com.netflix.spinnaker.fiat.shared;
 
+import com.netflix.spinnaker.fiat.model.UserPermission;
 import com.squareup.okhttp.Response;
 import retrofit.http.GET;
 import retrofit.http.Path;
 
 public interface FiatService {
 
+  @GET("/authorize/{userId}")
+  UserPermission.View getUserPermission(@Path("userId") String userId);
+
   @GET("/authorize/{userId}/{resourceType}/{resourceName}/{authorization}")
   Response hasAuthorization(@Path("userId") String userId,
                             @Path("resourceType") String resourceType,
