concord-server: move subject creation out of SecurityUtils#getSubject

Author: ibodrov

server/impl/src/main/java/com/walmartlabs/concord/server/process/ProcessSecurityContext.java

@@ -82,6 +82,9 @@ public byte[] serializePrincipals(PrincipalCollection src) {
 
     public void storeCurrentSubject(ProcessKey processKey) {
         Subject s = SecurityUtils.getSubject();
+        if (s == null) {
+            throw new IllegalStateException("Subject is not available. This is a bug.");
+        }
         PrincipalCollection src = s.getPrincipals();
         storeSubject(processKey, src);
     }
@@ -122,7 +125,7 @@ public <T> T runAs(UUID userID, Callable<T> c) throws Exception {
                     .principals(principals)
                     .buildSubject();
 
-            ThreadContext.bind(subject);
+            SecurityUtils.bindSubject(subject);
 
             return c.call();
         } finally {
@@ -143,7 +146,7 @@ public <T> T runAsCurrentUser(ProcessKey processKey, Callable<T> c) throws Excep
                 .buildSubject();
 
         try {
-            ThreadContext.bind(subject);
+            SecurityUtils.bindSubject(subject);
 
             return c.call();
         } finally {

server/impl/src/main/java/com/walmartlabs/concord/server/process/pipelines/processors/PayloadStoreProcessor.java

@@ -30,6 +30,7 @@
 import com.walmartlabs.concord.server.sdk.ProcessKey;
 import com.walmartlabs.concord.server.sdk.metrics.WithTimer;
 import com.walmartlabs.concord.server.security.SecurityUtils;
+import org.apache.shiro.subject.Subject;
 
 import javax.inject.Inject;
 import javax.inject.Named;
@@ -81,9 +82,14 @@ public Payload process(Chain chain, Payload payload) {
 
         String serializedHeaders = serialize(headers);
 
+        Subject initiator = SecurityUtils.getSubject();
+        if (initiator == null) {
+            throw new IllegalStateException("Subject is not available. This is a bug.");
+        }
+
         stateManager.tx(tx -> {
             stateManager.insertInitial(tx, processKey, "payload.json", serializedHeaders.getBytes());
-            stateManager.insertInitial(tx, processKey, "initiator", securityContext.serializePrincipals(SecurityUtils.getSubject().getPrincipals()));
+            stateManager.insertInitial(tx, processKey, "initiator", securityContext.serializePrincipals(initiator.getPrincipals()));
             stateManager.importPathInitial(tx, processKey, "attachments/", payload.getHeader(Payload.BASE_DIR), (path, basicFileAttributes) -> payload.getAttachments().containsValue(path));
         });
 

server/impl/src/main/java/com/walmartlabs/concord/server/security/SecurityUtils.java

@@ -44,31 +44,37 @@ public final class SecurityUtils {
 
     public static void logout() {
         Subject subject = getSubject();
-        if (subject != null) {
-            subject.logout();
+        if (subject == null) {
+            return;
         }
+        subject.logout();
     }
 
     public static boolean hasRole(String role) {
-        Subject s = getSubject();
-        return s.hasRole(role);
+        Subject subject = getSubject();
+        if (subject == null) {
+            return false;
+        }
+        return subject.hasRole(role);
     }
 
     public static boolean isPermitted(String permission) {
-        Subject s = getSubject();
-        return s.isPermitted(permission);
+        Subject subject = getSubject();
+        if (subject == null) {
+            return false;
+        }
+        return subject.isPermitted(permission);
+    }
+
+    public static void bindSubject(Subject subject) {
+        ThreadContext.bind(subject);
     }
 
     public static Subject getSubject() {
-        Subject subject = ThreadContext.getSubject();
-        if (subject == null) {
-            subject = (new Subject.Builder()).buildSubject();
-            ThreadContext.bind(subject);
-        }
-        return subject;
+        return ThreadContext.getSubject();
     }
 
-    public static <T> T getCurrent(Class<T> type) {
+    public static <T> T getPrincipal(Class<T> type) {
         SecurityManager securityManager = ThreadContext.getSecurityManager();
         if (securityManager == null) {
             return null;
@@ -87,12 +93,12 @@ public static <T> T getCurrent(Class<T> type) {
         return principals.oneByType(type);
     }
 
-    public static <T> T assertCurrent(Class<T> type) {
-        T p = getCurrent(type);
-        if (p == null) {
+    public static <T> T assertPrincipal(Class<T> type) {
+        T principal = getPrincipal(type);
+        if (principal == null) {
             throw new AuthenticationException("Can't determine the current principal (" + type.getName() + ")");
         }
-        return p;
+        return principal;
     }
 
     public static byte[] serialize(PrincipalCollection data) {

server/impl/src/main/java/com/walmartlabs/concord/server/security/UserPrincipal.java

@@ -35,11 +35,11 @@ public class UserPrincipal implements Serializable {
     private static final long serialVersionUID = 1L;
 
     public static UserPrincipal getCurrent() {
-        return SecurityUtils.getCurrent(UserPrincipal.class);
+        return SecurityUtils.getPrincipal(UserPrincipal.class);
     }
 
     public static UserPrincipal assertCurrent() {
-        return SecurityUtils.assertCurrent(UserPrincipal.class);
+        return SecurityUtils.assertPrincipal(UserPrincipal.class);
     }
 
     private final String realm;

server/impl/src/main/java/com/walmartlabs/concord/server/security/github/GithubKey.java

@@ -28,7 +28,7 @@
 public class GithubKey implements AuthenticationToken {
 
     public static GithubKey getCurrent() {
-        return SecurityUtils.getCurrent(GithubKey.class);
+        return SecurityUtils.getPrincipal(GithubKey.class);
     }
 
     private static final long serialVersionUID = 1L;

server/impl/src/main/java/com/walmartlabs/concord/server/security/ldap/LdapPrincipal.java

@@ -63,7 +63,7 @@ public LdapPrincipal(String username,
     }
 
     public static LdapPrincipal getCurrent() {
-        return SecurityUtils.getCurrent(LdapPrincipal.class);
+        return SecurityUtils.getPrincipal(LdapPrincipal.class);
     }
 
     public String getUsername() {

server/impl/src/main/java/com/walmartlabs/concord/server/security/sessionkey/SessionKeyPrincipal.java

@@ -26,7 +26,7 @@
 public class SessionKeyPrincipal {
 
     public static SessionKeyPrincipal getCurrent() {
-        return SecurityUtils.getCurrent(SessionKeyPrincipal.class);
+        return SecurityUtils.getPrincipal(SessionKeyPrincipal.class);
     }
 
     private final PartialProcessKey processKey;

server/impl/src/test/java/com/walmartlabs/concord/server/org/secret/PasswordCheckerTest.java

@@ -20,6 +20,7 @@
  * =====
  */
 
+import com.walmartlabs.concord.server.security.SecurityUtils;
 import com.walmartlabs.concord.server.security.UserPrincipal;
 import com.walmartlabs.concord.server.user.UserEntry;
 import org.apache.shiro.mgt.DefaultSecurityManager;
@@ -53,7 +54,7 @@ public void bindUser() {
         ctx.setPrincipals(new SimplePrincipalCollection(p, p.getRealm()));
 
         Subject subject = securityManager.createSubject(ctx);
-        ThreadContext.bind(subject);
+        SecurityUtils.bindSubject(subject);
     }
 
     @AfterEach

server/plugins/pfed-sso/src/main/java/com/walmartlabs/concord/server/plugins/pfedsso/SsoLogoutFilter.java

@@ -22,7 +22,6 @@
 
 
 import com.walmartlabs.concord.server.security.SecurityUtils;
-import org.apache.shiro.subject.Subject;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -64,8 +63,7 @@ public void doFilter(HttpServletRequest request, HttpServletResponse response, F
             }
         }
         SsoCookies.clear(response);
-        Subject subject = SecurityUtils.getSubject();
-        subject.logout();
+        SecurityUtils.logout();
 
         redirectHelper.sendRedirect(response, "/#/logout/done");
     }