Adds service account endpoints + ability for fiat-api module to verify service account authorization. (#108)

Author: Travis Tomsu

fiat-api/src/main/java/com/netflix/spinnaker/fiat/shared/FiatPermissionEvaluator.java

@@ -76,7 +76,11 @@ public boolean hasPermission(Authentication authentication,
 
     String username = getUsername(authentication);
     ResourceType r = ResourceType.parse(resourceType);
-    Authorization a = Authorization.valueOf(authorization.toString());
+    Authorization a = null;
+    // Service accounts don't have read/write authorizations.
+    if (r != ResourceType.SERVICE_ACCOUNT) {
+      a = Authorization.valueOf(authorization.toString());
+    }
 
     if (r == ResourceType.APPLICATION) {
       val parsedName = Names.parseName(resourceName.toString()).getApp();
@@ -184,6 +188,10 @@ private boolean permissionContains(Authentication authentication,
         return containsAuth.apply(permission.getAccounts());
       case APPLICATION:
         return containsAuth.apply(permission.getApplications());
+      case SERVICE_ACCOUNT:
+        return permission.getServiceAccounts()
+                         .stream()
+                         .anyMatch(view -> view.getName().equalsIgnoreCase(resourceName));
       default:
         return false;
     }

fiat-web/src/main/java/com/netflix/spinnaker/fiat/controllers/AuthorizeController.java

@@ -22,6 +22,7 @@
 import com.netflix.spinnaker.fiat.model.resources.Account;
 import com.netflix.spinnaker.fiat.model.resources.Application;
 import com.netflix.spinnaker.fiat.model.resources.ResourceType;
+import com.netflix.spinnaker.fiat.model.resources.ServiceAccount;
 import com.netflix.spinnaker.fiat.permissions.PermissionsRepository;
 import io.swagger.annotations.ApiOperation;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -92,6 +93,53 @@ public Account.View getUserAccount(@PathVariable String userId, @PathVariable St
                                 .orElseThrow(NotFoundException::new);
   }
 
+  @RequestMapping(value = "/{userId:.+}/applications", method = RequestMethod.GET)
+  public Set<Application.View> getUserApplications(@PathVariable String userId) {
+    return permissionsRepository.get(ControllerSupport.convert(userId))
+                                .orElseThrow(NotFoundException::new)
+                                .getApplications()
+                                .stream()
+                                .map(Application::getView)
+                                .collect(Collectors.toSet());
+  }
+
+  @RequestMapping(value = "/{userId:.+}/applications/{applicationName:.+}", method = RequestMethod.GET)
+  public Application.View getUserApplication(@PathVariable String userId, @PathVariable String applicationName) {
+    return permissionsRepository.get(ControllerSupport.convert(userId))
+                                .orElseThrow(NotFoundException::new)
+                                .getApplications()
+                                .stream()
+                                .filter(application -> applicationName.equalsIgnoreCase(application.getName()))
+                                .findFirst()
+                                .map(Application::getView)
+                                .orElseThrow(NotFoundException::new);
+  }
+
+  @RequestMapping(value = "/{userId:.+}/serviceAccounts", method = RequestMethod.GET)
+  public Set<ServiceAccount.View> getServiceAccounts(@PathVariable String userId) {
+    return permissionsRepository.get(ControllerSupport.convert(userId))
+                                .orElseThrow(NotFoundException::new)
+                                .getServiceAccounts()
+                                .stream()
+                                .map(ServiceAccount::getView)
+                                .collect(Collectors.toSet());
+  }
+
+  @RequestMapping(value = "/{userId:.+}/serviceAccounts/{serviceAccountName:.+}", method = RequestMethod.GET)
+  public ServiceAccount.View getServiceAccount(@PathVariable String userId,
+                                               @PathVariable String serviceAccountName) {
+    return permissionsRepository.get(ControllerSupport.convert(userId))
+                                .orElseThrow(NotFoundException::new)
+                                .getServiceAccounts()
+                                .stream()
+                                .filter(serviceAccount ->
+                                            serviceAccount.getName()
+                                                          .equalsIgnoreCase(ControllerSupport.convert(serviceAccountName)))
+                                .findFirst()
+                                .orElseThrow(NotFoundException::new)
+                                .getView();
+  }
+
   @RequestMapping(value = "/{userId:.+}/{resourceType:.+}/{resourceName:.+}/{authorization:.+}", method = RequestMethod.GET)
   public void getUserAuthorization(@PathVariable String userId,
                                    @PathVariable String resourceType,
@@ -126,26 +174,4 @@ public void getUserAuthorization(@PathVariable String userId,
 
     response.setStatus(HttpServletResponse.SC_NOT_FOUND);
   }
-
-  @RequestMapping(value = "/{userId:.+}/applications", method = RequestMethod.GET)
-  public Set<Application.View> getUserApplications(@PathVariable String userId) {
-    return permissionsRepository.get(ControllerSupport.convert(userId))
-                                .orElseThrow(NotFoundException::new)
-                                .getApplications()
-                                .stream()
-                                .map(Application::getView)
-                                .collect(Collectors.toSet());
-  }
-
-  @RequestMapping(value = "/{userId:.+}/applications/{applicationName:.+}", method = RequestMethod.GET)
-  public Application.View getUserApplication(@PathVariable String userId, @PathVariable String applicationName) {
-    return permissionsRepository.get(ControllerSupport.convert(userId))
-                                .orElseThrow(NotFoundException::new)
-                                .getApplications()
-                                .stream()
-                                .filter(application -> applicationName.equalsIgnoreCase(application.getName()))
-                                .findFirst()
-                                .map(Application::getView)
-                                .orElseThrow(NotFoundException::new);
-  }
 }

fiat-web/src/test/groovy/com/netflix/spinnaker/fiat/controllers/AuthorizeControllerSpec.groovy

@@ -190,4 +190,26 @@ class AuthorizeControllerSpec extends Specification {
     1 * repository.get("foo") >> Optional.of(foo)
     result == bar.view
   }
+
+  def "should get service accounts from repo"() {
+    setup:
+    permissionsRepository.put(unrestrictedUser)
+    permissionsRepository.put(roleServiceAccountUser)
+
+    when:
+    def expected = objectMapper.writeValueAsString([serviceAccount.view])
+
+    then:
+    mockMvc.perform(get("/authorize/roleServiceAccountUser/serviceAccounts"))
+           .andExpect(status().isOk())
+           .andExpect(content().json(expected))
+
+    when:
+    expected = objectMapper.writeValueAsString(serviceAccount.view)
+
+    then:
+    mockMvc.perform(get("/authorize/roleServiceAccountUser/serviceAccounts/svcAcct%40group.com"))
+           .andExpect(status().isOk())
+           .andExpect(content().json(expected))
+  }
 }

fiat-web/src/test/groovy/com/netflix/spinnaker/fiat/controllers/FiatSystemTestSupport.groovy

@@ -54,4 +54,8 @@ class FiatSystemTestSupport {
                                                       .setRoles([roleA, roleB] as Set)
                                                       .setAccounts([restrictedAccount] as Set)
                                                       .setApplications([restrictedApp] as Set)
+
+  UserPermission roleServiceAccountUser = new UserPermission().setId("roleServiceAccountUser")
+                                                              .setRoles([roleServiceAccount] as Set)
+                                                              .setServiceAccounts([serviceAccount] as Set)
 }