diff --git a/server/impl/src/main/java/com/walmartlabs/concord/server/process/ProcessSecurityContext.java b/server/impl/src/main/java/com/walmartlabs/concord/server/process/ProcessSecurityContext.java index 65568109d0..456bc8d212 100644 --- a/server/impl/src/main/java/com/walmartlabs/concord/server/process/ProcessSecurityContext.java +++ b/server/impl/src/main/java/com/walmartlabs/concord/server/process/ProcessSecurityContext.java @@ -72,16 +72,14 @@ public byte[] serializePrincipals(PrincipalCollection src) { return SecurityUtils.serialize(dst); } - // TODO: invalidate cache for processKey? public void storeCurrentSubject(ProcessKey processKey) { - Subject s = SecurityUtils.getSubject(); - PrincipalCollection src = s.getPrincipals(); - storeSubject(processKey, src); + Subject subject = SecurityUtils.assertSubject(); + storeSubject(processKey, subject.getPrincipals()); } - // TODO: invalidate cache for processKey? public void storeSubject(ProcessKey processKey, PrincipalCollection src) { stateManager.replace(processKey, PRINCIPAL_FILE_PATH, serializePrincipals(src)); + principalCache.invalidate(processKey); } public PrincipalCollection getPrincipals(PartialProcessKey processKey) { diff --git a/server/impl/src/main/java/com/walmartlabs/concord/server/process/pipelines/processors/PayloadStoreProcessor.java b/server/impl/src/main/java/com/walmartlabs/concord/server/process/pipelines/processors/PayloadStoreProcessor.java index 38ee833808..099a0ddd1e 100644 --- a/server/impl/src/main/java/com/walmartlabs/concord/server/process/pipelines/processors/PayloadStoreProcessor.java +++ b/server/impl/src/main/java/com/walmartlabs/concord/server/process/pipelines/processors/PayloadStoreProcessor.java 
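Review bot: In ProcessSecurityContext.storeSubject, `principalCache.invalidate(processKey)` is passed a ProcessKey, while getPrincipals at the end of this hunk takes a PartialProcessKey. The cache declaration is outside the hunk, so it is worth confirming that both types hash and compare equal for the same process; otherwise the invalidation silently misses and the process keeps resolving to the previously stored principals. The call also clears only this JVM's cache, and depending on the cache implementation a load that began before `stateManager.replace` may still put the old value back afterwards. If the server can run on more than one node, I would record that on the method, e.g. `// best-effort: clears the local cache only; other nodes rely on cache expiry`.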
@@ -30,6 +30,7 @@ import com.walmartlabs.concord.server.sdk.ProcessKey; import com.walmartlabs.concord.server.sdk.metrics.WithTimer; import com.walmartlabs.concord.server.security.SecurityUtils; +import org.apache.shiro.subject.PrincipalCollection; import javax.inject.Inject; import java.nio.file.Path; @@ -79,9 +80,11 @@ public Payload process(Chain chain, Payload payload) { String serializedHeaders = serialize(headers); + PrincipalCollection initiator = SecurityUtils.assertSubject().getPrincipals(); + stateManager.tx(tx -> { stateManager.insertInitial(tx, processKey, "payload.json", serializedHeaders.getBytes()); - stateManager.insertInitial(tx, processKey, "initiator", securityContext.serializePrincipals(SecurityUtils.getSubject().getPrincipals())); + stateManager.insertInitial(tx, processKey, "initiator", securityContext.serializePrincipals(initiator)); stateManager.importPathInitial(tx, processKey, "attachments/", payload.getHeader(Payload.BASE_DIR), (path, basicFileAttributes) -> payload.getAttachments().containsValue(path)); }); diff --git a/server/impl/src/main/java/com/walmartlabs/concord/server/security/SecurityUtils.java b/server/impl/src/main/java/com/walmartlabs/concord/server/security/SecurityUtils.java index ae47e84230..f7eb1fd7a5 100644 --- a/server/impl/src/main/java/com/walmartlabs/concord/server/security/SecurityUtils.java +++ b/server/impl/src/main/java/com/walmartlabs/concord/server/security/SecurityUtils.java 
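Review bot: In PayloadStoreProcessor.process, `SecurityUtils.assertSubject().getPrincipals()` guards only against a missing Subject; Shiro's `Subject.getPrincipals()` returns null for a subject that is bound but anonymous, so `initiator` can still be null when it reaches `serializePrincipals`. How serializePrincipals treats null is not visible in this diff, so I would fail before the transaction opens, e.g. `if (initiator == null || initiator.isEmpty()) { throw new AuthenticationException("Can't determine the process initiator"); }`. The same pattern appears in ProcessSecurityContext.storeCurrentSubject, where `subject.getPrincipals()` is passed straight to storeSubject. process() starts and ends outside the hunk.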
@@ -44,31 +44,41 @@ public final class SecurityUtils { public static void logout() { Subject subject = getSubject(); - if (subject != null) { - subject.logout(); + if (subject == null) { + return; } + subject.logout(); } public static boolean hasRole(String role) { Subject s = getSubject(); + if (s == null) { + return false; + } return s.hasRole(role); } public static boolean isPermitted(String permission) { Subject s = getSubject(); + if (s == null) { + return false; + } return s.isPermitted(permission); } public static Subject getSubject() { - Subject subject = ThreadContext.getSubject(); + return ThreadContext.getSubject(); + } + + public static Subject assertSubject() { + Subject subject = getSubject(); if (subject == null) { - subject = (new Subject.Builder()).buildSubject(); - ThreadContext.bind(subject); + throw new AuthenticationException("Can't determine the current security subject"); } return subject; } - public static T getCurrent(Class type) { + public static T getPrincipal(Class type) { SecurityManager securityManager = ThreadContext.getSecurityManager(); if (securityManager == null) { return null; @@ -87,8 +97,8 @@ public static T getCurrent(Class type) { return principals.oneByType(type); } - public static T assertCurrent(Class type) { - T p = getCurrent(type); + public static T assertPrincipal(Class type) { + T p = getPrincipal(type); if (p == null) { throw new AuthenticationException("Can't determine the current principal (" + type.getName() + ")"); } diff --git a/server/impl/src/main/java/com/walmartlabs/concord/server/security/UserPrincipal.java b/server/impl/src/main/java/com/walmartlabs/concord/server/security/UserPrincipal.java index 08bdd82e14..13f9f2e373 100644 --- a/server/impl/src/main/java/com/walmartlabs/concord/server/security/UserPrincipal.java +++ b/server/impl/src/main/java/com/walmartlabs/concord/server/security/UserPrincipal.java 
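Review bot: `SecurityUtils.getSubject()` now returns null when no Subject is bound to the thread instead of creating and binding an anonymous one, and nothing in its signature tells callers so. Only the call sites touched in this commit are visibly adapted, so any remaining `getSubject().…` chain elsewhere would now fail with a NullPointerException. I would add Javadoc on getSubject such as `/** Returns the Subject bound to the current thread, or {@code null} if there is none; use {@link #assertSubject()} when one is required. */`. It is also worth documenting on hasRole and isPermitted that a missing Subject is treated as "no role / not permitted". The class body continues outside the hunk.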
@@ -37,11 +37,11 @@ public class UserPrincipal implements Serializable { private static final long serialVersionUID = 1L; public static UserPrincipal getCurrent() { - return SecurityUtils.getCurrent(UserPrincipal.class); + return SecurityUtils.getPrincipal(UserPrincipal.class); } public static UserPrincipal assertCurrent() { - return SecurityUtils.assertCurrent(UserPrincipal.class); + return SecurityUtils.assertPrincipal(UserPrincipal.class); } private final String realm; diff --git a/server/impl/src/main/java/com/walmartlabs/concord/server/security/github/GithubKey.java b/server/impl/src/main/java/com/walmartlabs/concord/server/security/github/GithubKey.java index 0e1ea4d49a..3de310dd2e 100644 --- a/server/impl/src/main/java/com/walmartlabs/concord/server/security/github/GithubKey.java +++ b/server/impl/src/main/java/com/walmartlabs/concord/server/security/github/GithubKey.java @@ -28,7 +28,7 @@ public class GithubKey implements AuthenticationToken { public static GithubKey getCurrent() { - return SecurityUtils.getCurrent(GithubKey.class); + return SecurityUtils.getPrincipal(GithubKey.class); } private static final long serialVersionUID = 1L; diff --git a/server/impl/src/main/java/com/walmartlabs/concord/server/security/ldap/LdapPrincipal.java b/server/impl/src/main/java/com/walmartlabs/concord/server/security/ldap/LdapPrincipal.java index f17b09f1a4..699f7ad22d 100644 --- a/server/impl/src/main/java/com/walmartlabs/concord/server/security/ldap/LdapPrincipal.java +++ b/server/impl/src/main/java/com/walmartlabs/concord/server/security/ldap/LdapPrincipal.java @@ -63,7 +63,7 @@ public LdapPrincipal(String username, } public static LdapPrincipal getCurrent() { - return SecurityUtils.getCurrent(LdapPrincipal.class); + return SecurityUtils.getPrincipal(LdapPrincipal.class); } public String getUsername() { 
diff --git a/server/impl/src/main/java/com/walmartlabs/concord/server/security/sessionkey/SessionKeyPrincipal.java b/server/impl/src/main/java/com/walmartlabs/concord/server/security/sessionkey/SessionKeyPrincipal.java index d974d8849c..45503e0f4e 100644 --- a/server/impl/src/main/java/com/walmartlabs/concord/server/security/sessionkey/SessionKeyPrincipal.java +++ b/server/impl/src/main/java/com/walmartlabs/concord/server/security/sessionkey/SessionKeyPrincipal.java @@ -26,7 +26,7 @@ public class SessionKeyPrincipal { public static SessionKeyPrincipal getCurrent() { - return SecurityUtils.getCurrent(SessionKeyPrincipal.class); + return SecurityUtils.getPrincipal(SessionKeyPrincipal.class); } private final PartialProcessKey processKey; diff --git a/server/impl/src/test/java/com/walmartlabs/concord/server/ConcordObjectMapperTest.java b/server/impl/src/test/java/com/walmartlabs/concord/server/ConcordObjectMapperTest.java index e792b036f5..1406d7c04f 100644 --- a/server/impl/src/test/java/com/walmartlabs/concord/server/ConcordObjectMapperTest.java +++ b/server/impl/src/test/java/com/walmartlabs/concord/server/ConcordObjectMapperTest.java 
@@ -1,5 +1,25 @@ package com.walmartlabs.concord.server; +/*- + * ***** + * Concord + * ----- + * Copyright (C) 2017 - 2025 Walmart Inc. + * ----- + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ===== + */ + import com.fasterxml.jackson.databind.ObjectMapper; import com.walmartlabs.concord.common.ObjectMapperProvider; import org.junit.jupiter.api.Test; diff --git a/server/plugins/pfed-sso/src/main/java/com/walmartlabs/concord/server/plugins/pfedsso/SsoLogoutFilter.java b/server/plugins/pfed-sso/src/main/java/com/walmartlabs/concord/server/plugins/pfedsso/SsoLogoutFilter.java index 175b50ce3f..41936167b3 100644 --- a/server/plugins/pfed-sso/src/main/java/com/walmartlabs/concord/server/plugins/pfedsso/SsoLogoutFilter.java +++ b/server/plugins/pfed-sso/src/main/java/com/walmartlabs/concord/server/plugins/pfedsso/SsoLogoutFilter.java @@ -65,7 +65,9 @@ public void doFilter(HttpServletRequest request, HttpServletResponse response, F } SsoCookies.clear(response); Subject subject = SecurityUtils.getSubject(); - subject.logout(); + if (subject != null) { + subject.logout(); + } redirectHelper.sendRedirect(response, "/#/logout/done"); }
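Review bot: In SsoLogoutFilter.doFilter the new null check repeats what `SecurityUtils.logout()` already does in this commit, assuming the SecurityUtils referenced here is the Concord class rather than Shiro's (the imports are outside the hunk). Replacing the added lines with `SecurityUtils.logout();` keeps the null-safe logout in one place, so a later change to how the Subject is resolved cannot leave the SSO path behind. doFilter starts outside the hunk.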