upgrades fiat to boot2 and new BOM dependency management

build.gradle

@@ -15,48 +15,30 @@
  */
 
 buildscript {
+  ext {
+    korkVersion = "5.0.0"
+  }
   repositories {
     jcenter()
     maven { url "https://spinnaker.bintray.com/gradle" }
     maven { url "https://plugins.gradle.org/m2/" }
   }
   dependencies {
-    classpath 'com.netflix.spinnaker.gradle:spinnaker-dev-plugin:5.2.2'
+    classpath 'com.netflix.spinnaker.gradle:spinnaker-dev-plugin:6.0.0'
+    if (Boolean.valueOf(enablePublishing)) {
+      classpath 'com.netflix.spinnaker.gradle:spinnaker-gradle-project:6.0.0'
+    }
   }
 }
 
 allprojects {
   group = "com.netflix.spinnaker.fiat"
   apply plugin: 'spinnaker.base-project'
-  apply plugin: 'java'
-  apply plugin: 'groovy'
-
-  ext {
-    spinnakerDependenciesVersion = '1.40.0'
-    if (project.hasProperty('spinnakerDependenciesVersion')) {
-      spinnakerDependenciesVersion = project.property('spinnakerDependenciesVersion')
-    }
-  }
-
-  def checkLocalVersions = [spinnakerDependenciesVersion: spinnakerDependenciesVersion]
-  if (ext.has('versions')) {
-    def extVers = ext.get('versions')
-    if (extVers instanceof Map) {
-      checkLocalVersions.putAll(extVers)
-    }
-  }
-
-  def localVersions = checkLocalVersions.findAll { it.value.endsWith('-SNAPSHOT') }
-  if (localVersions) {
-    logger.info("Enabling mavenLocal repo for $localVersions")
-    repositories {
-      mavenLocal()
-    }
-  }
-
-  spinnaker {
-    dependenciesVersion = spinnakerDependenciesVersion
+  if (Boolean.valueOf(enablePublishing)) {
+    apply plugin: 'spinnaker.project'
   }
+  apply plugin: 'java-library'
+  apply plugin: 'groovy'
 
   test {
     testLogging {
@@ -78,16 +60,23 @@ allprojects {
 
 subprojects { project ->
   dependencies {
-    spinnaker.group('test')
+    implementation platform("com.netflix.spinnaker.kork:kork-bom:$korkVersion")
+    compileOnly "org.projectlombok:lombok"
+    annotationProcessor platform("com.netflix.spinnaker.kork:kork-bom:$korkVersion")
+    annotationProcessor "org.projectlombok:lombok"
+    testAnnotationProcessor platform("com.netflix.spinnaker.kork:kork-bom:$korkVersion")
+    testAnnotationProcessor "org.projectlombok:lombok"
 
-    testCompile spinnaker.dependency('groovy')
-  }
+    implementation "org.springframework.boot:spring-boot-properties-migrator"
 
-  //c&p this because NetflixOss reverts it to 1.7 and ends up getting applied last..
-  project.plugins.withType(JavaBasePlugin) {
-    JavaPluginConvention convention = project.convention.getPlugin(JavaPluginConvention)
-    convention.sourceCompatibility = JavaVersion.VERSION_1_8
-    convention.targetCompatibility = JavaVersion.VERSION_1_8
+    testImplementation "org.springframework.boot:spring-boot-starter-test"
+    testImplementation "org.spockframework:spock-core"
+    testImplementation "org.spockframework:spock-spring"
+    testImplementation "org.springframework:spring-test"
+    testImplementation "org.hamcrest:hamcrest-core"
+    testRuntimeOnly "cglib:cglib-nodep"
+    testRuntimeOnly "org.objenesis:objenesis"
+    testImplementation "org.codehaus.groovy:groovy-all"
   }
 }
 

fiat-api/fiat-api.gradle

@@ -15,33 +15,22 @@
  */
 
 dependencies {
-  compile project(":fiat-core")
+  implementation project(":fiat-core")
 
-  compileOnly spinnaker.dependency("bootWeb")
-  compileOnly spinnaker.dependency("frigga")
-  compileOnly spinnaker.dependency("korkSecurity")
-  compileOnly spinnaker.dependency("korkWeb")
-  compileOnly spinnaker.dependency("kork")
-  compileOnly spinnaker.dependency("lombok")
-  annotationProcessor spinnaker.dependency("lombok")
-  compileOnly spinnaker.dependency("okHttp")
-  compileOnly spinnaker.dependency("okHttpUrlconnection")
-  compileOnly spinnaker.dependency("okHttpApache")
-  compileOnly spinnaker.dependency("retrofit")
-  compileOnly spinnaker.dependency("retrofitJackson")
-  compileOnly spinnaker.dependency("spectatorApi")
+  implementation "org.springframework:spring-aop"
+  implementation "org.springframework:spring-web"
+  implementation "org.springframework.security:spring-security-core"
+  implementation "org.springframework.security:spring-security-web"
+  implementation "com.netflix.spectator:spectator-api"
+  implementation "com.netflix.spinnaker.kork:kork-core"
+  implementation "com.netflix.spinnaker.kork:kork-security"
+  implementation "com.netflix.spinnaker.kork:kork-web"
+  implementation "com.squareup.retrofit:retrofit"
+  implementation "com.squareup.retrofit:converter-jackson"
 
-  compile spinnaker.dependency("guava")
-  compile spinnaker.dependency("springSecurityConfig")
-  compile spinnaker.dependency("springSecurityCore")
-  compile spinnaker.dependency("springSecurityWeb")
+  compileOnly "javax.servlet:javax.servlet-api"
 
-  testCompile spinnaker.dependency("retrofit")
-  testCompile spinnaker.dependency("okHttp")
-  testCompile spinnaker.dependency("slf4jApi")
-  testCompile spinnaker.dependency("frigga")
-  testCompile spinnaker.dependency("korkSecurity")
-  testCompile spinnaker.dependency("kork")
-  testCompile spinnaker.dependency("bootAutoConfigure")
-  testCompile spinnaker.dependency("spectatorApi")
+  implementation "com.github.ben-manes.caffeine:caffeine"
+
+  testImplementation "org.slf4j:slf4j-api"
 }

fiat-api/src/main/java/com/netflix/spinnaker/fiat/shared/FiatAuthenticationConfig.java

@@ -18,15 +18,13 @@
 
 import com.fasterxml.jackson.databind.DeserializationFeature;
 import com.fasterxml.jackson.databind.ObjectMapper;
-import com.netflix.spectator.api.Registry;
 import com.netflix.spinnaker.config.OkHttpClientConfiguration;
 import com.netflix.spinnaker.okhttp.SpinnakerRequestInterceptor;
+import com.netflix.spinnaker.retrofit.Slf4jRetrofitLogger;
 import com.squareup.okhttp.OkHttpClient;
 import lombok.Setter;
 import lombok.extern.slf4j.Slf4j;
 import lombok.val;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
@@ -37,6 +35,7 @@
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
 import org.springframework.security.web.context.SecurityContextPersistenceFilter;
 import retrofit.Endpoints;
 import retrofit.RestAdapter;
@@ -59,8 +58,7 @@ public class FiatAuthenticationConfig {
 
   @Bean
   @ConditionalOnMissingBean(FiatService.class) // Allows for override
-  public FiatService fiatService(Registry registry,
-                                 FiatClientConfigurationProperties fiatConfigurationProperties,
+  public FiatService fiatService(FiatClientConfigurationProperties fiatConfigurationProperties,
                                  SpinnakerRequestInterceptor interceptor,
                                  OkHttpClientConfiguration okHttpClientConfiguration) {
     // New role providers break deserialization if this is not enabled.
@@ -98,40 +96,16 @@ private class FiatWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdap
     private final FiatStatus fiatStatus;
 
     private FiatWebSecurityConfigurerAdapter(FiatStatus fiatStatus) {
+      super(true);
       this.fiatStatus = fiatStatus;
     }
 
     @Override
     protected void configure(HttpSecurity http) throws Exception {
-        /*
-         * Having `FiatAuthenticationFilter` prior to `SecurityContextPersistenceFilter` results in the
-         * `SecurityContextHolder` being overridden with a null value.
-         *
-         * The null value then causes the `AnonymousAuthenticationFilter` to inject an "anonymousUser" which when
-         * passed over the wire to fiat is promptly rejected.
-         *
-         * This behavior is triggered when `management.security.enabled` is `false`.
-         */
-        http
-            .csrf().disable()
-            .addFilterAfter(new FiatAuthenticationFilter(fiatStatus), SecurityContextPersistenceFilter.class);
-    }
-  }
-
-  private static class Slf4jRetrofitLogger implements RestAdapter.Log {
-    private final Logger logger;
-
-    Slf4jRetrofitLogger(Class type) {
-      this(LoggerFactory.getLogger(type));
-    }
-
-    Slf4jRetrofitLogger(Logger logger) {
-      this.logger = logger;
-    }
-
-    @Override
-    public void log(String message) {
-      logger.info(message);
+        http.servletApi().and()
+            .exceptionHandling().and()
+            .anonymous().and()
+            .addFilterBefore(new FiatAuthenticationFilter(fiatStatus), AnonymousAuthenticationFilter.class);
     }
   }
 }

fiat-api/src/main/java/com/netflix/spinnaker/fiat/shared/FiatClientConfigurationProperties.java

@@ -52,16 +52,15 @@ public RetryConfiguration getRetry() {
   }
 
   @Data
-  class PermissionsCache {
+  public static class PermissionsCache {
     private Integer maxEntries = 1000;
 
     private Integer expiresAfterWriteSeconds = 20;
   }
 
   @Data
-  class RetryConfiguration {
+  public static class RetryConfiguration {
     private DynamicConfigService dynamicConfigService;
-
     private long maxBackoffMillis = 10000;
     private long initialBackoffMillis = 500;
     private double retryMultiplier = 1.5;

fiat-api/src/main/java/com/netflix/spinnaker/fiat/shared/FiatPermissionEvaluator.java

@@ -17,9 +17,8 @@
 
 package com.netflix.spinnaker.fiat.shared;
 
-import com.google.common.cache.Cache;
-import com.google.common.cache.CacheBuilder;
-import com.google.common.util.concurrent.UncheckedExecutionException;
+import com.github.benmanes.caffeine.cache.Cache;
+import com.github.benmanes.caffeine.cache.Caffeine;
 import com.netflix.spectator.api.Id;
 import com.netflix.spectator.api.Registry;
 import com.netflix.spinnaker.fiat.model.Authorization;
@@ -46,7 +45,6 @@
 import java.util.Optional;
 import java.util.Set;
 import java.util.concurrent.Callable;
-import java.util.concurrent.ExecutionException;
 import java.util.concurrent.TimeUnit;
 import java.util.concurrent.atomic.AtomicBoolean;
 import java.util.concurrent.atomic.AtomicReference;
@@ -130,7 +128,7 @@ private static RetryHandler buildRetryHandler(FiatClientConfigurationProperties
     this.fiatStatus = fiatStatus;
     this.retryHandler = retryHandler;
 
-    this.permissionsCache = CacheBuilder
+    this.permissionsCache = Caffeine
         .newBuilder()
         .maximumSize(configProps.getCache().getMaxEntries())
         .expireAfterWrite(configProps.getCache().getExpiresAfterWriteSeconds(), TimeUnit.SECONDS)
@@ -205,35 +203,41 @@ public UserPermission.View getPermission(String username) {
     AtomicReference<Throwable> exception = new AtomicReference<>();
 
     try {
-      view = permissionsCache.get(username, () -> {
+      view = permissionsCache.get(username, (loadUserName) -> {
         cacheHit.set(false);
-        return AuthenticatedRequest.propagate(() -> {
-          try {
-            return retryHandler.retry("getUserPermission for " + username, () -> fiatService.getUserPermission(username));
-          } catch (Exception e) {
-            if (!fiatStatus.isLegacyFallbackEnabled()) {
-              throw e;
+        try {
+          return AuthenticatedRequest.propagate(() -> {
+            try {
+              return retryHandler.retry("getUserPermission for " + loadUserName, () -> fiatService.getUserPermission(loadUserName));
+            } catch (Exception e) {
+              if (!fiatStatus.isLegacyFallbackEnabled()) {
+                throw e;
+              }
+
+              legacyFallback.set(true);
+              successfulLookup.set(false);
+              exception.set(e);
+
+              // this fallback permission will be temporarily cached in the permissions cache
+              return new UserPermission.View(
+                  new UserPermission()
+                      .setId(AuthenticatedRequest.getSpinnakerUser().orElse("anonymous"))
+                      .setAccounts(
+                          Arrays
+                              .stream(AuthenticatedRequest.getSpinnakerAccounts().orElse("").split(","))
+                              .map(a -> new Account().setName(a))
+                              .collect(Collectors.toSet())
+                      )
+              ).setLegacyFallback(true).setAllowAccessToUnknownApplications(true);
             }
-
-            legacyFallback.set(true);
-            successfulLookup.set(false);
-            exception.set(e);
-
-            // this fallback permission will be temporarily cached in the permissions cache
-            return new UserPermission.View(
-                new UserPermission()
-                    .setId(AuthenticatedRequest.getSpinnakerUser().orElse("anonymous"))
-                    .setAccounts(
-                        Arrays
-                            .stream(AuthenticatedRequest.getSpinnakerAccounts().orElse("").split(","))
-                            .map(a -> new Account().setName(a))
-                            .collect(Collectors.toSet())
-                    )
-            ).setLegacyFallback(true).setAllowAccessToUnknownApplications(true);
-          }
-        }).call();
+          }).call();
+        } catch (RuntimeException re) {
+          throw re;
+        } catch (Exception e) {
+          throw new RuntimeException(e);
+        }
       });
-    } catch (ExecutionException | UncheckedExecutionException e) {
+    } catch (Exception e) {
       successfulLookup.set(false);
       exception.set(e.getCause() != null ? e.getCause() : e);
     }
@@ -352,7 +356,7 @@ public boolean isAdmin(Authentication authentication) {
     return permission != null && permission.isAdmin();
   }
 
-  public class AuthorizationFailure {
+  public static class AuthorizationFailure {
     private final Authorization authorization;
     private final ResourceType resourceType;
     private final String resourceName;

fiat-api/src/main/java/com/netflix/spinnaker/fiat/shared/FiatService.java

@@ -17,7 +17,7 @@
 package com.netflix.spinnaker.fiat.shared;
 
 import com.netflix.spinnaker.fiat.model.UserPermission;
-import com.squareup.okhttp.Response;
+import retrofit.client.Response;
 import retrofit.http.Body;
 import retrofit.http.DELETE;
 import retrofit.http.GET;

fiat-api/src/main/java/com/netflix/spinnaker/fiat/shared/FiatStatus.java

@@ -17,6 +17,7 @@
 package com.netflix.spinnaker.fiat.shared;
 
 import com.netflix.spectator.api.Registry;
+import com.netflix.spectator.api.patterns.PolledMeter;
 import com.netflix.spinnaker.kork.dynamicconfig.DynamicConfigService;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -46,8 +47,8 @@ public FiatStatus(Registry registry,
     this.enabled = new AtomicBoolean(fiatClientConfigurationProperties.isEnabled());
     this.legacyFallbackEnabled = new AtomicBoolean(fiatClientConfigurationProperties.isLegacyFallback());
 
-    registry.gauge("fiat.enabled", enabled, value -> enabled.get() ? 1 : 0);
-    registry.gauge("fiat.legacyFallback.enabled", legacyFallbackEnabled, value -> legacyFallbackEnabled.get() ? 1 : 0);
+    PolledMeter.using(registry).withName("fiat.enabled").monitorValue(enabled, value -> enabled.get() ? 1 : 0);
+    PolledMeter.using(registry).withName("fiat.legacyFallback.enabled").monitorValue(legacyFallbackEnabled, value -> legacyFallbackEnabled.get() ? 1 : 0);
   }
 
   public boolean isEnabled() {