fix(authn): invalidatePermission from cache

During login we want to read a fresh view of the permission from fiat to support populating allowed accounts headers. Also some cleanup in FiatAuthenticationConfig for easier autoconfigging.
spinnaker · Jun 8, 2018 · 92b7c94 · 92b7c94
1 parent 6048e25
commit 92b7c94
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 7 deletions.
diff --git a/build.gradle b/build.gradle
@@ -16,7 +16,7 @@
 
 buildscript {
   ext {
-    springBootVersion = "1.5.7.RELEASE"
+    springBootVersion = "1.5.10.RELEASE"
   }
   repositories {
     jcenter()
@@ -36,7 +36,7 @@ allprojects {
   apply plugin: 'groovy'
 
   ext {
-    spinnakerDependenciesVersion = project.hasProperty('spinnakerDependenciesVersion') ? project.property('spinnakerDependenciesVersion') : '0.155.1'
+    spinnakerDependenciesVersion = project.hasProperty('spinnakerDependenciesVersion') ? project.property('spinnakerDependenciesVersion') : '0.157.3'
   }
 
   def checkLocalVersions = [spinnakerDependenciesVersion: spinnakerDependenciesVersion]

diff --git a/fiat-api/src/main/java/com/netflix/spinnaker/fiat/shared/FiatAuthenticationConfig.java b/fiat-api/src/main/java/com/netflix/spinnaker/fiat/shared/FiatAuthenticationConfig.java
@@ -18,6 +18,7 @@
 
 import com.fasterxml.jackson.databind.DeserializationFeature;
 import com.fasterxml.jackson.databind.ObjectMapper;
+import com.netflix.spinnaker.config.OkHttpClientConfiguration;
 import com.netflix.spinnaker.okhttp.SpinnakerRequestInterceptor;
 import lombok.Setter;
 import lombok.extern.slf4j.Slf4j;
@@ -39,6 +40,7 @@
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import retrofit.Endpoints;
 import retrofit.RestAdapter;
+import retrofit.client.Client;
 import retrofit.client.OkClient;
 import retrofit.converter.JacksonConverter;
 
@@ -54,22 +56,19 @@ public class FiatAuthenticationConfig {
   @Setter
   private RestAdapter.LogLevel retrofitLogLevel = RestAdapter.LogLevel.BASIC;
 
-  @Autowired
-  SpinnakerRequestInterceptor spinnakerRequestInterceptor;
-
   @Bean
   @ConditionalOnMissingBean(FiatService.class) // Allows for override
   public FiatService fiatService(FiatClientConfigurationProperties fiatConfigurationProperties,
                                  SpinnakerRequestInterceptor interceptor,
-                                 OkClient okClient) {
+                                 OkHttpClientConfiguration okHttpClientConfiguration) {
     // New role providers break deserialization if this is not enabled.
     val objectMapper = new ObjectMapper();
     objectMapper.enable(DeserializationFeature.READ_UNKNOWN_ENUM_VALUES_AS_NULL);
     objectMapper.disable(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES);
     return new RestAdapter.Builder()
         .setEndpoint(Endpoints.newFixedEndpoint(fiatConfigurationProperties.getBaseUrl()))
         .setRequestInterceptor(interceptor)
-        .setClient(okClient)
+        .setClient(new OkClient(okHttpClientConfiguration.create()))
         .setConverter(new JacksonConverter(objectMapper))
         .setLogLevel(retrofitLogLevel)
         .setLog(new Slf4jRetrofitLogger(FiatService.class))

diff --git a/fiat-api/src/main/java/com/netflix/spinnaker/fiat/shared/FiatPermissionEvaluator.java b/fiat-api/src/main/java/com/netflix/spinnaker/fiat/shared/FiatPermissionEvaluator.java
@@ -123,6 +123,10 @@ private String getUsername(Authentication authentication) {
     return username;
   }
 
+  public void invalidatePermission(String username) {
+    permissionsCache.invalidate(username);
+  }
+
   public UserPermission.View getPermission(String username) {
     UserPermission.View view = null;
     if (StringUtils.isEmpty(username)) {