From 711d0f8b435dd73c6227131395ae22bad19828fb Mon Sep 17 00:00:00 2001
From: Travis Tomsu
Date: Thu, 28 Apr 2016 15:45:58 -0400
Subject: [PATCH] Re-enable X509 authentication
---
 .../gate/controllers/UserController.groovy | 1 -
 .../x509/X509AuthenticationProvider.groovy | 3 +-
 .../gate/security/x509/X509Config.groovy | 33 ++++++++++++-------
 3 files changed, 23 insertions(+), 14 deletions(-)
diff --git a/gate-web/src/main/groovy/com/netflix/spinnaker/gate/controllers/UserController.groovy b/gate-web/src/main/groovy/com/netflix/spinnaker/gate/controllers/UserController.groovy
index ab89ca6e30..f94db13dff 100644
--- a/gate-web/src/main/groovy/com/netflix/spinnaker/gate/controllers/UserController.groovy
+++ b/gate-web/src/main/groovy/com/netflix/spinnaker/gate/controllers/UserController.groovy
@@ -18,7 +18,6 @@ package com.netflix.spinnaker.gate.controllers
 import com.netflix.spinnaker.gate.security.SpinnakerUser
 import com.netflix.spinnaker.security.User
-import org.springframework.security.web.bind.annotation.AuthenticationPrincipal
 import org.springframework.web.bind.annotation.RequestMapping
 import org.springframework.web.bind.annotation.RestController
diff --git a/gate-web/src/main/groovy/com/netflix/spinnaker/gate/security/x509/X509AuthenticationProvider.groovy b/gate-web/src/main/groovy/com/netflix/spinnaker/gate/security/x509/X509AuthenticationProvider.groovy
index 1d28ef9353..09d2b154f1 100644
--- a/gate-web/src/main/groovy/com/netflix/spinnaker/gate/security/x509/X509AuthenticationProvider.groovy
+++ b/gate-web/src/main/groovy/com/netflix/spinnaker/gate/security/x509/X509AuthenticationProvider.groovy
@@ -58,7 +58,8 @@ class X509AuthenticationProvider implements AuthenticationProvider {
 return new PreAuthenticatedAuthenticationToken(
 new User(rfc822Name as String, null, null, [], anonymousAccountsService.allowedAccounts),
- authentication.credentials)
+ authentication.credentials,
+ [])
 }
 @Override
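Review bot: The new third argument `[]` selects the PreAuthenticatedAuthenticationToken constructor that marks the token as authenticated with an empty authority list, so the principal returned here carries no granted roles and any hasRole/hasAuthority rule applied downstream will deny it; that should be stated on the line itself, e.g. `[]) // authenticated, no authorities: access is governed by allowedAccounts`. The enclosing method (presumably `authenticate`) starts outside the hunk, so whether a missing rfc822Name is rejected before the `new User(rfc822Name as String, …)` line — which would otherwise yield a User with a null name — cannot be confirmed from here; a guard or a comment at that point would make the check visible.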
diff --git a/gate-web/src/main/groovy/com/netflix/spinnaker/gate/security/x509/X509Config.groovy b/gate-web/src/main/groovy/com/netflix/spinnaker/gate/security/x509/X509Config.groovy
index f4dc80aac2..e7c237b113 100644
--- a/gate-web/src/main/groovy/com/netflix/spinnaker/gate/security/x509/X509Config.groovy
+++ b/gate-web/src/main/groovy/com/netflix/spinnaker/gate/security/x509/X509Config.groovy
@@ -18,32 +18,41 @@ package com.netflix.spinnaker.gate.security.x509
 import com.netflix.spinnaker.gate.security.AnonymousAccountsService
 import com.netflix.spinnaker.gate.security.AuthConfig
-
+import com.netflix.spinnaker.gate.security.SpinnakerAuthConfig
 import org.springframework.beans.factory.annotation.Autowired
 import org.springframework.boot.autoconfigure.condition.ConditionalOnExpression
 import org.springframework.context.annotation.Configuration
-import org.springframework.security.authentication.AuthenticationManager
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
-import org.springframework.security.core.userdetails.UserDetailsService
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
+import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity
 import org.springframework.security.web.authentication.preauth.x509.X509AuthenticationFilter
-@ConditionalOnExpression('${auth.x509.enabled:false}')
+@ConditionalOnExpression('${x509.enabled:false}')
+@SpinnakerAuthConfig
 @Configuration
-class X509Config {
+@EnableWebMvcSecurity
+class X509Config extends WebSecurityConfigurerAdapter {
 @Autowired
 AnonymousAccountsService anonymousAccountsService
- void configure(HttpSecurity http,
- UserDetailsService userDetailsService,
- AuthenticationManager authenticationManager) {
- def filter = new X509AuthenticationFilter()
- filter.setAuthenticationManager(authenticationManager)
- http.addFilter(filter)
- }
+ @Override
 void configure(AuthenticationManagerBuilder auth) {
 auth.authenticationProvider(new X509AuthenticationProvider(anonymousAccountsService))
 }
+
+ @Override
+ void configure(HttpSecurity http) {
+ // Specify which endpoints to lock down.
+ AuthConfig.configure(http)
+
+ // We don't use http.x509() here because there is no way to override it to use our
+ // Spinnaker User as the Principal. The {@link X509AuthenticationProvider} configured
+ // above (in tandem with this config) enable us to insert this custom Principal.
+ def filter = new X509AuthenticationFilter()
+ filter.setAuthenticationManager(authenticationManager())
+ http.addFilter(filter)
+ }
 }
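Review bot: The condition key on the `@ConditionalOnExpression` line changes from `auth.x509.enabled` to `x509.enabled`, so a deployment that still sets the old property keeps X509 authentication silently disabled with no log line or startup error; the rename should at least be documented on that line, e.g. `// property renamed from auth.x509.enabled`, or the old key accepted through a nested placeholder default if the resolver in use supports it. In the new `configure(HttpSecurity)`, `http.addFilter(filter)` registers an X509AuthenticationFilter on which only the authentication manager is set, leaving the library defaults for principal extraction and for what happens when no certificate is presented or authentication fails; a comment stating which of those defaults this config deliberately relies on, and that the user identity is derived in X509AuthenticationProvider rather than by the filter's extractor, would make the trust boundary clear to the next reader. Minor: `enable us` in the new comment should read `enables us`.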