authorBjørn Christian Seime <bjorncs@verizonmedia.com>2020-01-16 15:14:18 +0100
committerBjørn Christian Seime <bjorncs@verizonmedia.com>2020-01-24 14:48:09 +0100
commita4a2092b9eebec9f24b9818fe51113ea6341640d (patch)
treec7fe8458a28a98b8f383df7d0ab1b2ee7092221c
parent2d8e7e65a9ea6e80cee667ec7bcff3d488df8a2c (diff)
Add checkAccessAllowed method that consumes access token + certificate
-rw-r--r--jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilterTest.java11
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/DefaultZpe.java11
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/Zpe.java2
3 files changed, 24 insertions, 0 deletions
diff --git a/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilterTest.java b/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilterTest.java
index 197ba89f3e3..ecf746179a3 100644
--- a/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilterTest.java
+++ b/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilterTest.java
@@ -4,6 +4,7 @@ package com.yahoo.jdisc.http.filter.security.athenz;
import com.yahoo.container.jdisc.RequestHandlerTestDriver;
import com.yahoo.jdisc.Response;
import com.yahoo.jdisc.http.filter.DiscFilterRequest;
+import com.yahoo.vespa.athenz.api.AthenzAccessToken;
import com.yahoo.vespa.athenz.api.AthenzResourceName;
import com.yahoo.vespa.athenz.api.AthenzRole;
import com.yahoo.vespa.athenz.api.ZToken;
@@ -89,6 +90,11 @@ public class AthenzAuthorizationFilterTest {
public AuthorizationResult checkAccessAllowed(X509Certificate roleCertificate, AthenzResourceName resourceName, String action) {
return new AuthorizationResult(Type.ALLOW, new AthenzRole(resourceName.getDomain(), "rolename"));
}
+
+ @Override
+ public AuthorizationResult checkAccessAllowed(AthenzAccessToken accessToken, X509Certificate identityCertificate, AthenzResourceName resourceName, String action) {
+ return new AuthorizationResult(Type.ALLOW, new AthenzRole(resourceName.getDomain(), "rolename"));
+ }
}
static class DenyingZpe implements Zpe {
@@ -101,6 +107,11 @@ public class AthenzAuthorizationFilterTest {
public AuthorizationResult checkAccessAllowed(X509Certificate roleCertificate, AthenzResourceName resourceName, String action) {
return new AuthorizationResult(Type.DENY);
}
+
+ @Override
+ public AuthorizationResult checkAccessAllowed(AthenzAccessToken accessToken, X509Certificate identityCertificate, AthenzResourceName resourceName, String action) {
+ return new AuthorizationResult(Type.DENY);
+ }
}
}
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/DefaultZpe.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/DefaultZpe.java
index 579f9b1d9d4..47ae45a69ca 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/DefaultZpe.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/DefaultZpe.java
@@ -2,6 +2,7 @@
package com.yahoo.vespa.athenz.zpe;
import com.yahoo.athenz.zpe.AuthZpeClient;
+import com.yahoo.vespa.athenz.api.AthenzAccessToken;
import com.yahoo.vespa.athenz.api.AthenzResourceName;
import com.yahoo.vespa.athenz.api.AthenzRole;
import com.yahoo.vespa.athenz.api.ZToken;
@@ -37,6 +38,16 @@ public class DefaultZpe implements Zpe {
return createResult(returnedMatchedRole, rawResult, resourceName);
}
+ @Override
+ public AuthorizationResult checkAccessAllowed(
+ AthenzAccessToken accessToken, X509Certificate identityCertificate, AthenzResourceName resourceName, String action) {
+ StringBuilder returnedMatchedRole = new StringBuilder();
+ AuthZpeClient.AccessCheckStatus rawResult =
+ AuthZpeClient.allowAccess(
+ accessToken.value(), identityCertificate, /*certHash*/null, resourceName.toResourceNameString(), action, returnedMatchedRole);
+ return createResult(returnedMatchedRole, rawResult, resourceName);
+ }
+
private static AuthorizationResult createResult(
StringBuilder matchedRole, AuthZpeClient.AccessCheckStatus rawResult, AthenzResourceName resourceName) {
return new AuthorizationResult(Type.fromAccessCheckStatus(rawResult), toRole(matchedRole, resourceName));
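Review bot: The new overload forwards `identityCertificate` to `AuthZpeClient.allowAccess` with no null check, and because `certHash` is hard-coded to null the certificate is the only input that can bind the access token to the presenting client (proof-of-possession); if a caller passes null, the ZPE client may — depending on its version — skip that binding and evaluate the token as a plain bearer credential, which is a silent downgrade rather than a denial. Add `Objects.requireNonNull(accessToken, "accessToken");` and `Objects.requireNonNull(identityCertificate, "identityCertificate");` at the top of the method (needs `java.util.Objects`) so a missing certificate fails loudly, or, if a null certificate is intentionally accepted, say so in a comment on the `/*certHash*/null` line. The ALLOW/DENY mapping is delegated to `createResult`, whose body continues past the end of the hunk.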
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/Zpe.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/Zpe.java
index e22e27f1508..51e5ee4dbb1 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/Zpe.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/Zpe.java
@@ -1,6 +1,7 @@
// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.vespa.athenz.zpe;
+import com.yahoo.vespa.athenz.api.AthenzAccessToken;
import com.yahoo.vespa.athenz.api.AthenzResourceName;
import com.yahoo.vespa.athenz.api.ZToken;
@@ -14,4 +15,5 @@ import java.security.cert.X509Certificate;
public interface Zpe {
AuthorizationResult checkAccessAllowed(ZToken roleToken, AthenzResourceName resourceName, String action);
AuthorizationResult checkAccessAllowed(X509Certificate roleCertificate, AthenzResourceName resourceName, String action);
+ AuthorizationResult checkAccessAllowed(AthenzAccessToken accessToken, X509Certificate identityCertificate, AthenzResourceName resourceName, String action);
}
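Review bot: The new overload has no Javadoc, and its `X509Certificate` parameter plays a different role from the one in the `checkAccessAllowed(X509Certificate roleCertificate, ...)` overload directly above it — here the name `identityCertificate` and the pairing with an access token indicate the caller's mTLS identity certificate used to bind the token, not a role certificate — so a caller can easily pass the wrong certificate and still get a result. Add a Javadoc comment above the method along the lines of `/** Checks access using an Athenz access token together with the identity certificate of the client that presented it; the roles are taken from the token, and the certificate is presumably used to bind the token to the presenter (confirm against the ZPE client). */`, and state explicitly whether a null certificate is permitted, since the three overloads currently give no hint.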