feat(web): Add user origin to AuthenticatedRequest (#90)

.gitignore

@@ -6,3 +6,8 @@ build/
 *.iws
 /out/
 
+.classpath
+.vscode
+.settings
+.project
+bin

kork-security/src/main/java/com/netflix/spinnaker/security/AuthenticatedRequest.java

@@ -16,17 +16,19 @@
 
 package com.netflix.spinnaker.security;
 
+import org.slf4j.MDC;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+
 import java.util.HashMap;
 import java.util.Map;
 import java.util.Optional;
 import java.util.concurrent.Callable;
-import org.slf4j.MDC;
-import org.springframework.security.core.Authentication;
-import org.springframework.security.core.context.SecurityContextHolder;
 
 public class AuthenticatedRequest {
   public static final String SPINNAKER_USER = "X-SPINNAKER-USER";
   public static final String SPINNAKER_ACCOUNTS = "X-SPINNAKER-ACCOUNTS";
+  public static final String SPINNAKER_USER_ORIGIN = "X-SPINNAKER-USER-ORIGIN";
 
   public static <V> Callable<V> propagate(Callable<V> closure) {
     return propagate(closure, true, principal());
@@ -49,6 +51,7 @@ public static <V> Callable<V> propagate(Callable<V> closure, boolean restoreOrig
       return () -> {
         MDC.remove(SPINNAKER_USER);
         MDC.remove(SPINNAKER_ACCOUNTS);
+        MDC.remove(SPINNAKER_USER_ORIGIN);
         return closure.call();
       };
     }
@@ -88,6 +91,7 @@ public static Map<String, Optional<String>> getAuthenticationHeaders() {
     Map<String, Optional<String>> headers = new HashMap<>();
     headers.put(SPINNAKER_USER, getSpinnakerUser());
     headers.put(SPINNAKER_ACCOUNTS, getSpinnakerAccounts());
+    headers.put(SPINNAKER_USER_ORIGIN, getSpinnakerUserOrigin());
     return headers;
   }
 
@@ -128,4 +132,8 @@ private static Object principal() {
       .map(Authentication::getPrincipal)
       .orElse(null);
   }
+
+  public static Optional<String> getSpinnakerUserOrigin() {
+    return Optional.ofNullable(MDC.get(SPINNAKER_USER_ORIGIN));
+  }
 }

kork-web/src/main/groovy/com/netflix/spinnaker/filters/AuthenticatedRequestFilter.groovy

@@ -51,9 +51,11 @@ class AuthenticatedRequestFilter implements Filter {
   private static final String RFC822_NAME_ID = "1"
 
   private final boolean extractSpinnakerHeaders
+  private final boolean extractSpinnakerUserOriginHeader
 
-  public AuthenticatedRequestFilter(boolean extractSpinnakerHeaders = false) {
+  public AuthenticatedRequestFilter(boolean extractSpinnakerHeaders = false, boolean extractSpinnakerUserOriginHeader = false) {
     this.extractSpinnakerHeaders = extractSpinnakerHeaders
+    this.extractSpinnakerUserOriginHeader = extractSpinnakerUserOriginHeader
   }
 
   @Override
@@ -63,6 +65,7 @@ class AuthenticatedRequestFilter implements Filter {
   void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
     def spinnakerUser = null
     def spinnakerAccounts = null
+    def spinnakerUserOrigin = null
 
     try {
       if (request.isSecure()) {
@@ -95,6 +98,10 @@ class AuthenticatedRequestFilter implements Filter {
       def httpServletRequest = (HttpServletRequest) request
       spinnakerUser = spinnakerUser ?: httpServletRequest.getHeader(SPINNAKER_USER)
       spinnakerAccounts = spinnakerAccounts ?: httpServletRequest.getHeader(SPINNAKER_ACCOUNTS)
+      spinnakerUserOrigin = httpServletRequest.getHeader(SPINNAKER_USER_ORIGIN)
+    }
+    if (extractSpinnakerUserOriginHeader) {
+      spinnakerUserOrigin = "deck".equalsIgnoreCase(((HttpServletRequest) request).getHeader("X-RateLimit-App")) ? "deck" : "api"
     }
 
     try {
@@ -104,6 +111,9 @@ class AuthenticatedRequestFilter implements Filter {
       if (spinnakerAccounts) {
         MDC.put(SPINNAKER_ACCOUNTS, spinnakerAccounts)
       }
+      if (spinnakerUserOrigin) {
+        MDC.put(SPINNAKER_USER_ORIGIN, spinnakerUserOrigin)
+      }
 
       chain.doFilter(request, response)
     } finally {