Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support additional auth types #1090

Draft
wants to merge 4 commits into
base: master
Choose a base branch
from

Conversation

jvz
Copy link
Contributor

@jvz jvz commented Aug 14, 2023

This has a couple changes related to supporting principals with the type AuthenticatedPrincipal in addition to the existing support for UserDetails. This allows for future migrations to the built-in SAML and OAuth2 Spring Security modules that we'll need to switch to at some point as those APIs rely on this API for federated identities. I've also ensured that anonymous users are using a consistent username.

Another nicety is a dedicated GrantedAuthority implementation for the allowed accounts concept. This can help with migrating that to regular security APIs over time.

There are numerous places in Gate (and other services less so) that can be updated with these changes. In particular, all the uses of the deprecated User class from kork-security should be migrated over time, especially any of the APIs exposing data or requiring a User parameter.

jvz added 3 commits July 31, 2023 11:52
This updates `AuthenticatedRequest::getSpinnakerUser` to support more principal types besides `UserDetails` including `AuthenticatedPrincipal` (used by OAuth2 and SAML2 Spring Security libraries) and `Principal` (the generic Java API). Also adds some related utility code for granted authorities.
…ipals

This updates the filter for a few related things:

- Support more types of `Authentication` principals
- Add `AllowedAccountAuthority` for simpler authority representation of allowed accounts
- Use the `SecurityContextRepository` API from Spring Security instead of relying on internal details of its API
- Normalize anonymous users into the userid `anonymous`
- Add allowed account authorities to `User` authorities
- Use the `ROLE_` granted authority prefix for roles as already used in Fiat
@jvz jvz marked this pull request as draft August 16, 2023 17:50
@jvz
Copy link
Contributor Author

jvz commented Aug 16, 2023

Discovered a small issue with this idea, so putting back in draft.

@jvz
Copy link
Contributor Author

jvz commented Dec 20, 2023

Going to have to redo the relevant changes from here as I've included some of these changes in a different PR.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant