author | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2020-01-16 15:14:18 +0100 |
committer | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2020-01-24 13:00:44 +0100 |
commit | c0bed8d5605a4c00acdad5fc1db8e653920d0294 (patch) | |
tree | 2f838be4f265fb552a31dae600d0682b668e7c25 | |
parent | 861c507d4f3432f149807008675eeab217ba84b3 (diff) |
Add checkAccessAllowed method that consumes access token + certificate
-rw-r--r-- | vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/DefaultZpe.java | 11 | ||||
-rw-r--r-- | vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/Zpe.java | 2 |
2 files changed, 13 insertions, 0 deletions
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/DefaultZpe.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/DefaultZpe.java
index 579f9b1d9d4..47ae45a69ca 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/DefaultZpe.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/DefaultZpe.java
@@ -2,6 +2,7 @@ package com.yahoo.vespa.athenz.zpe;
 import com.yahoo.athenz.zpe.AuthZpeClient;
+import com.yahoo.vespa.athenz.api.AthenzAccessToken;
 import com.yahoo.vespa.athenz.api.AthenzResourceName;
 import com.yahoo.vespa.athenz.api.AthenzRole;
 import com.yahoo.vespa.athenz.api.ZToken;
@@ -37,6 +38,16 @@ public class DefaultZpe implements Zpe {
 return createResult(returnedMatchedRole, rawResult, resourceName);
 }
+ @Override
+ public AuthorizationResult checkAccessAllowed(
+ AthenzAccessToken accessToken, X509Certificate identityCertificate, AthenzResourceName resourceName, String action) {
+ StringBuilder returnedMatchedRole = new StringBuilder();
+ AuthZpeClient.AccessCheckStatus rawResult =
+ AuthZpeClient.allowAccess(
+ accessToken.value(), identityCertificate, /*certHash*/null, resourceName.toResourceNameString(), action, returnedMatchedRole);
+ return createResult(returnedMatchedRole, rawResult, resourceName);
+ }
+
 private static AuthorizationResult createResult(
 StringBuilder matchedRole, AuthZpeClient.AccessCheckStatus rawResult, AthenzResourceName resourceName) {
 return new AuthorizationResult(Type.fromAccessCheckStatus(rawResult), toRole(matchedRole, resourceName));
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/Zpe.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/Zpe.java
index e22e27f1508..51e5ee4dbb1 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/Zpe.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/Zpe.java
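Review bot: The new checkAccessAllowed overload in the second DefaultZpe hunk passes `identityCertificate` straight through to `AuthZpeClient.allowAccess` together with a null certHash, so a caller that supplies a null certificate is not rejected in this class; if the ZPE client treats "no certificate and no certHash" as "nothing to bind the token to" (I cannot confirm that from this hunk), the access token would then be evaluated as a plain bearer credential, which presumably is not what an overload that takes both token and certificate is meant to allow. A fail-closed guard at the top of the method makes the contract explicit and keeps the decision out of the library's defaults: `Objects.requireNonNull(accessToken, "accessToken");` followed by `Objects.requireNonNull(identityCertificate, "identityCertificate");` (with the matching `java.util.Objects` import in the first hunk). `accessToken.value()` already fails on a null token, but with a bare NullPointerException rather than a named parameter. createResult's body continues outside the hunk.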
@@ -1,6 +1,7 @@
 // Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.vespa.athenz.zpe;
+import com.yahoo.vespa.athenz.api.AthenzAccessToken;
 import com.yahoo.vespa.athenz.api.AthenzResourceName;
 import com.yahoo.vespa.athenz.api.ZToken;
@@ -14,4 +15,5 @@ import java.security.cert.X509Certificate;
 public interface Zpe {
 AuthorizationResult checkAccessAllowed(ZToken roleToken, AthenzResourceName resourceName, String action);
 AuthorizationResult checkAccessAllowed(X509Certificate roleCertificate, AthenzResourceName resourceName, String action);
+ AuthorizationResult checkAccessAllowed(AthenzAccessToken accessToken, X509Certificate identityCertificate, AthenzResourceName resourceName, String action);
 } |
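Review bot: The third checkAccessAllowed overload is added to the Zpe interface without Javadoc, and its parameter names alone do not tell an implementer how `identityCertificate` relates to `accessToken`, or whether either argument may be null; the two existing overloads are equally undocumented, but this one combines two credentials and so has the most room for inconsistent implementations. A short Javadoc on the new method would pin that down, for example `Checks whether the identity presenting the given access token may perform {@code action} on {@code resourceName}; {@code identityCertificate} is the caller's identity certificate, passed to the ZPE client alongside the token (how the client uses it for token binding should be confirmed and stated here), and must not be null.`, plus `@throws NullPointerException` if the implementation enforces that. Stating in the same comment which credential type each of the three overloads accepts would help readers choosing between them.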