diff --git a/gate-saml/src/main/java/com/netflix/spinnaker/gate/security/saml/ResponseAuthenticationConverter.java b/gate-saml/src/main/java/com/netflix/spinnaker/gate/security/saml/ResponseAuthenticationConverter.java
index 3887fd1428..b46d66b5f5 100644
--- a/gate-saml/src/main/java/com/netflix/spinnaker/gate/security/saml/ResponseAuthenticationConverter.java
+++ b/gate-saml/src/main/java/com/netflix/spinnaker/gate/security/saml/ResponseAuthenticationConverter.java
@@ -17,6 +17,7 @@ package com.netflix.spinnaker.gate.security.saml;
+import com.netflix.spinnaker.gate.security.AllowedAccountsSupport;
 import com.netflix.spinnaker.gate.services.AuthenticationService;
 import com.netflix.spinnaker.security.User;
 import java.util.Collection;
@@ -25,6 +26,7 @@ import lombok.RequiredArgsConstructor;
 import lombok.extern.log4j.Log4j2;
 import org.springframework.beans.factory.ObjectFactory;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.core.convert.converter.Converter;
 import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.security.core.GrantedAuthority;
@@ -45,6 +47,8 @@ public class ResponseAuthenticationConverter
 private final ObjectFactory userRolesExtractorFactory;
 private final ObjectFactory authenticationServiceFactory;
+ @Autowired AllowedAccountsSupport allowedAccountsSupport;
+
 @Override
 public PreAuthenticatedAuthenticationToken convert(ResponseToken source) {
 UserIdentifierExtractor userIdentifierExtractor = userIdentifierExtractorFactory.getObject();
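Review bot: The new `@Autowired AllowedAccountsSupport allowedAccountsSupport;` field relies on field injection while the class's other collaborators are `private final` fields filled in by Lombok's `@RequiredArgsConstructor` (the import is visible in the preceding hunk), which leaves this one package-private, mutable, and null until the container populates it. Declaring it `private final AllowedAccountsSupport allowedAccountsSupport;` adds it to the generated constructor alongside the other dependencies, fails fast at construction if the bean is missing, and makes the new `Autowired` import unnecessary. That does change the constructor signature, so any code that instantiates the converter directly (not visible here) would need the extra argument.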
@@ -69,6 +73,8 @@ public PreAuthenticatedAuthenticationToken convert(ResponseToken source) {
 Set roles = userRolesExtractor.getRoles(principal);
 user.setRoles(roles);
+ user.setAllowedAccounts(allowedAccountsSupport.filterAllowedAccounts(userid, roles));
+
 if (!CollectionUtils.isEmpty(properties.getRequiredRoles())) {
 var requiredRoles = Set.copyOf(properties.getRequiredRoles());
 // check for at least one common role in both sets
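Review bot: The added `user.setAllowedAccounts(allowedAccountsSupport.filterAllowedAccounts(userid, roles));` runs before the required-roles gate that begins on the following context line, so account filtering is evaluated for every authenticated principal, including those the gate is about to reject. If `filterAllowedAccounts` consults an external permission source (not visible here), that is avoidable work on the rejection path; moving the call below the `requiredRoles` block, just before the token is built, keeps account resolution behind the authorization decision. Whether `getRoles` can return null, and whether `filterAllowedAccounts` tolerates that, is not shown in this hunk and is worth confirming before relying on the call. The `convert` method starts before and continues past this hunk, and `userid` is assigned outside it.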