Support additional auth types #1090
Draft
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This updates `AuthenticatedRequest::getSpinnakerUser` to support more principal types besides `UserDetails` including `AuthenticatedPrincipal` (used by OAuth2 and SAML2 Spring Security libraries) and `Principal` (the generic Java API). Also adds some related utility code for granted authorities.
…ipals This updates the filter for a few related things: - Support more types of `Authentication` principals - Add `AllowedAccountAuthority` for simpler authority representation of allowed accounts - Use the `SecurityContextRepository` API from Spring Security instead of relying on internal details of its API - Normalize anonymous users into the userid `anonymous` - Add allowed account authorities to `User` authorities - Use the `ROLE_` granted authority prefix for roles as already used in Fiat
|
Discovered a small issue with this idea, so putting back in draft. |
|
Going to have to redo the relevant changes from here as I've included some of these changes in a different PR. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This has a couple changes related to supporting principals with the type
AuthenticatedPrincipalin addition to the existing support forUserDetails. This allows for future migrations to the built-in SAML and OAuth2 Spring Security modules that we'll need to switch to at some point as those APIs rely on this API for federated identities. I've also ensured that anonymous users are using a consistent username.Another nicety is a dedicated
GrantedAuthorityimplementation for the allowed accounts concept. This can help with migrating that to regular security APIs over time.There are numerous places in Gate (and other services less so) that can be updated with these changes. In particular, all the uses of the deprecated
Userclass fromkork-securityshould be migrated over time, especially any of the APIs exposing data or requiring aUserparameter.