Merge pull request #151 from OpsMx/OP-12772-handle-custom-gate-rbac

Added interceptor for custom gate trigger endpoints and made some bug…

gate-web/src/main/groovy/com/netflix/spinnaker/gate/config/GateWebConfig.groovy

@@ -28,6 +28,7 @@ import com.opsmx.spinnaker.gate.interceptors.ApplicationIdRbacInterceptor
 import com.opsmx.spinnaker.gate.interceptors.ApprovalGateIdRbacInterceptor
 import com.opsmx.spinnaker.gate.interceptors.ApprovalGateInstanceIdRbacInterceptor
 import com.opsmx.spinnaker.gate.interceptors.ApprovalPolicyIdInterceptor
+import com.opsmx.spinnaker.gate.interceptors.CustomGatesTriggerRbacInterceptor
 import com.opsmx.spinnaker.gate.interceptors.GateIdRbacInterceptor
 import com.opsmx.spinnaker.gate.interceptors.OesServiceInterceptor
 import com.opsmx.spinnaker.gate.interceptors.FeatureVisibilityRbacInterceptor
@@ -96,6 +97,9 @@ public class GateWebConfig implements WebMvcConfigurer {
   @Autowired(required = false)
   ApprovalPolicyIdInterceptor approvalPolicyIdInterceptor
 
+  @Autowired(required = false)
+  CustomGatesTriggerRbacInterceptor customGatesTriggerRbacInterceptor
+
   @Override
   public void addInterceptors(InterceptorRegistry registry) {
     registry.addInterceptor(
@@ -121,6 +125,7 @@ public class GateWebConfig implements WebMvcConfigurer {
       registry.addInterceptor(approvalGateIdRbacInterceptor).addPathPatterns(ApplicationFeatureRbac.endpointsWithApprovalGateId).order(6)
       registry.addInterceptor(approvalGateInstanceIdRbacInterceptor).addPathPatterns(ApplicationFeatureRbac.endpointsWithApprovalGateInstanceId).order(7)
       registry.addInterceptor(approvalPolicyIdInterceptor).addPathPatterns(ApplicationFeatureRbac.endpointsWithApprovalPolicyId).order(8)
+      registry.addInterceptor(customGatesTriggerRbacInterceptor).addPathPatterns(ApplicationFeatureRbac.runtime_access).order(9)
     }
 
   }

gate-web/src/main/groovy/com/opsmx/spinnaker/gate/controllers/OpsmxSaporPolicyController.groovy

@@ -17,6 +17,8 @@
 package com.opsmx.spinnaker.gate.controllers
 
 import com.netflix.spinnaker.gate.services.internal.OpsmxOesService
+import com.opsmx.spinnaker.gate.exception.XSpinnakerUserHeaderMissingException
+import com.opsmx.spinnaker.gate.rbac.ApplicationFeatureRbac
 import groovy.util.logging.Slf4j
 import io.swagger.annotations.ApiOperation
 import org.springframework.beans.factory.annotation.Autowired
@@ -37,13 +39,22 @@ class OpsmxSaporPolicyController {
   @Autowired
   OpsmxOesService opsmxOesService
 
+  @Autowired(required = false)
+  ApplicationFeatureRbac applicationFeatureRbac
+
   @ApiOperation(value = "Endpoint for sapor runtime policy evaluation rest services")
   @PostMapping(value = "{version}/data/**", consumes = MediaType.APPLICATION_JSON_VALUE)
   Object evaluateRuntimePolicy(@PathVariable("version") String version,
                          @RequestBody(required = false) Object data,
                           HttpServletRequest request) {
 
     String requestUri = request.getRequestURI()
+
+    if (applicationFeatureRbac!=null){
+//      String x_spinnaker_user = request.getHeader("x-spinnaker-user")
+//      applicationFeatureRbac.authorizeUserForPolicyGateTrigger(x_spinnaker_user, data, requestUri)
+    }
+
     return opsmxOesService.evaluateRuntimePolicy(version, data, requestUri)
   }
 

gate-web/src/main/java/com/opsmx/spinnaker/gate/exception/XSpinnakerUserHeaderMissingException.java

@@ -0,0 +1,31 @@
+/*
+ * Copyright 2022 OpsMx, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.opsmx.spinnaker.gate.exception;
+
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.http.HttpStatus;
+import org.springframework.web.bind.annotation.ResponseStatus;
+
+@Slf4j
+@ResponseStatus(HttpStatus.BAD_REQUEST)
+public class XSpinnakerUserHeaderMissingException extends RuntimeException {
+
+  public XSpinnakerUserHeaderMissingException(String message) {
+    super(message);
+    log.error(message);
+  }
+}

gate-web/src/main/java/com/opsmx/spinnaker/gate/interceptors/ApplicationIdRbacInterceptor.java

@@ -35,10 +35,14 @@ public class ApplicationIdRbacInterceptor implements HandlerInterceptor {
   @Override
   public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
       throws Exception {
-    log.info(
-        "Request intercepted for authorizing if the user is having enough access to perform the action");
-    applicationFeatureRbac.authorizeUserForApplicationId(
-        request.getUserPrincipal().getName(), request.getRequestURI(), request.getMethod());
+    try {
+      log.info(
+          "Request intercepted for authorizing if the user is having enough access to perform the action");
+      applicationFeatureRbac.authorizeUserForApplicationId(
+          request.getUserPrincipal().getName(), request.getRequestURI(), request.getMethod());
+    } catch (NumberFormatException nfe) {
+      log.debug("Ignoring the rbac check as it threw number format exception");
+    }
 
     return true;
   }

gate-web/src/main/java/com/opsmx/spinnaker/gate/interceptors/ApprovalGateIdRbacInterceptor.java

@@ -36,10 +36,14 @@ public class ApprovalGateIdRbacInterceptor implements HandlerInterceptor {
   public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
       throws Exception {
 
-    log.info(
-        "Request intercepted for authorizing if the user is having enough access to perform the action");
-    applicationFeatureRbac.authorizeUserForApprovalGateId(
-        request.getUserPrincipal().getName(), request.getRequestURI(), request.getMethod());
+    try {
+      log.info(
+          "Request intercepted for authorizing if the user is having enough access to perform the action");
+      applicationFeatureRbac.authorizeUserForApprovalGateId(
+          request.getUserPrincipal().getName(), request.getRequestURI(), request.getMethod());
+    } catch (NumberFormatException nfe) {
+      log.debug("Ignoring the rbac check as it threw number format exception");
+    }
 
     return true;
   }

gate-web/src/main/java/com/opsmx/spinnaker/gate/interceptors/ApprovalGateInstanceIdRbacInterceptor.java

@@ -36,10 +36,14 @@ public class ApprovalGateInstanceIdRbacInterceptor implements HandlerInterceptor
   public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
       throws Exception {
 
-    log.info(
-        "Request intercepted for authorizing if the user is having enough access to perform the action");
-    applicationFeatureRbac.authorizeUserForApprovalGateInstanceId(
-        request.getUserPrincipal().getName(), request.getRequestURI(), request.getMethod());
+    try {
+      log.info(
+          "Request intercepted for authorizing if the user is having enough access to perform the action");
+      applicationFeatureRbac.authorizeUserForApprovalGateInstanceId(
+          request.getUserPrincipal().getName(), request.getRequestURI(), request.getMethod());
+    } catch (NumberFormatException nfe) {
+      log.debug("Ignoring the rbac check as it threw number format exception");
+    }
 
     return true;
   }

gate-web/src/main/java/com/opsmx/spinnaker/gate/interceptors/ApprovalPolicyIdInterceptor.java

@@ -36,10 +36,14 @@ public class ApprovalPolicyIdInterceptor implements HandlerInterceptor {
   public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
       throws Exception {
 
-    log.info(
-        "Request intercepted for authorizing if the user is having enough access to perform the action");
-    applicationFeatureRbac.authorizeUserForApprovalPolicyId(
-        request.getUserPrincipal().getName(), request.getRequestURI(), request.getMethod());
+    try {
+      log.info(
+          "Request intercepted for authorizing if the user is having enough access to perform the action");
+      applicationFeatureRbac.authorizeUserForApprovalPolicyId(
+          request.getUserPrincipal().getName(), request.getRequestURI(), request.getMethod());
+    } catch (NumberFormatException nfe) {
+      log.debug("Ignoring the rbac check as it threw number format exception");
+    }
 
     return true;
   }

gate-web/src/main/java/com/opsmx/spinnaker/gate/interceptors/CustomGatesTriggerRbacInterceptor.java

@@ -0,0 +1,57 @@
+/*
+ * Copyright 2022 Netflix, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.opsmx.spinnaker.gate.interceptors;
+
+import com.opsmx.spinnaker.gate.exception.XSpinnakerUserHeaderMissingException;
+import com.opsmx.spinnaker.gate.rbac.ApplicationFeatureRbac;
+import java.util.Optional;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnExpression;
+import org.springframework.stereotype.Component;
+import org.springframework.web.servlet.HandlerInterceptor;
+
+@Slf4j
+@Component
+@ConditionalOnExpression("${rbac.enabled:false}")
+public class CustomGatesTriggerRbacInterceptor implements HandlerInterceptor {
+
+  @Autowired private ApplicationFeatureRbac applicationFeatureRbac;
+
+  @Override
+  public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
+      throws Exception {
+
+    Optional.ofNullable(request.getHeader("x-spinnaker-user"))
+        .orElseThrow(
+            () -> new XSpinnakerUserHeaderMissingException("x-spinnaker-user header missing"));
+
+    try {
+      String x_spinnaker_user = request.getHeader("x-spinnaker-user");
+      log.info(
+          "Request intercepted for authorizing if the user is having enough access to perform the action");
+      //      applicationFeatureRbac.authorizeUserForApprovalGateTrigger(
+      //        x_spinnaker_user, request.getRequestURI());
+    } catch (NumberFormatException nfe) {
+      log.debug("Ignoring the rbac check as it threw number format exception");
+    }
+
+    return true;
+  }
+}

gate-web/src/main/java/com/opsmx/spinnaker/gate/interceptors/GateIdRbacInterceptor.java

@@ -36,10 +36,14 @@ public class GateIdRbacInterceptor implements HandlerInterceptor {
   public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
       throws Exception {
 
-    log.info(
-        "Request intercepted for authorizing if the user is having enough access to perform the action");
-    applicationFeatureRbac.authorizeUserForGateId(
-        request.getUserPrincipal().getName(), request.getRequestURI(), request.getMethod());
+    try {
+      log.info(
+          "Request intercepted for authorizing if the user is having enough access to perform the action");
+      applicationFeatureRbac.authorizeUserForGateId(
+          request.getUserPrincipal().getName(), request.getRequestURI(), request.getMethod());
+    } catch (NumberFormatException nfe) {
+      log.debug("Ignoring the rbac check as it threw number format exception");
+    }
 
     return true;
   }

gate-web/src/main/java/com/opsmx/spinnaker/gate/interceptors/PipelineIdRbacInterceptor.java

@@ -35,10 +35,14 @@ public class PipelineIdRbacInterceptor implements HandlerInterceptor {
   @Override
   public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
       throws Exception {
-    log.info(
-        "Request intercepted for authorizing if the user is having enough access to perform the action");
-    applicationFeatureRbac.authorizeUserForPipelineId(
-        request.getUserPrincipal().getName(), request.getRequestURI(), request.getMethod());
+    try {
+      log.info(
+          "Request intercepted for authorizing if the user is having enough access to perform the action");
+      applicationFeatureRbac.authorizeUserForPipelineId(
+          request.getUserPrincipal().getName(), request.getRequestURI(), request.getMethod());
+    } catch (NumberFormatException nfe) {
+      log.debug("Ignoring the rbac check as it threw number format exception");
+    }
 
     return true;
   }

gate-web/src/main/java/com/opsmx/spinnaker/gate/interceptors/ServiceIdRbacInterceptor.java

@@ -35,10 +35,14 @@ public class ServiceIdRbacInterceptor implements HandlerInterceptor {
   @Override
   public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
       throws Exception {
-    log.info(
-        "Request intercepted for authorizing if the user is having enough access to perform the action");
-    applicationFeatureRbac.authorizeUserForServiceId(
-        request.getUserPrincipal().getName(), request.getRequestURI(), request.getMethod());
+    try {
+      log.info(
+          "Request intercepted for authorizing if the user is having enough access to perform the action");
+      applicationFeatureRbac.authorizeUserForServiceId(
+          request.getUserPrincipal().getName(), request.getRequestURI(), request.getMethod());
+    } catch (NumberFormatException nfe) {
+      log.debug("Ignoring the rbac check as it threw number format exception");
+    }
 
     return true;
   }