diff options
author | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2020-01-16 15:14:18 +0100 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2020-01-24 14:48:09 +0100 |
commit | a4a2092b9eebec9f24b9818fe51113ea6341640d (patch) | |
tree | c7fe8458a28a98b8f383df7d0ab1b2ee7092221c | |
parent | 2d8e7e65a9ea6e80cee667ec7bcff3d488df8a2c (diff) |
Add checkAccessAllowed method that consumes access token + certificate
3 files changed, 24 insertions, 0 deletions
diff --git a/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilterTest.java b/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilterTest.java index 197ba89f3e3..ecf746179a3 100644 --- a/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilterTest.java +++ b/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilterTest.java @@ -4,6 +4,7 @@ package com.yahoo.jdisc.http.filter.security.athenz; import com.yahoo.container.jdisc.RequestHandlerTestDriver; import com.yahoo.jdisc.Response; import com.yahoo.jdisc.http.filter.DiscFilterRequest; +import com.yahoo.vespa.athenz.api.AthenzAccessToken; import com.yahoo.vespa.athenz.api.AthenzResourceName; import com.yahoo.vespa.athenz.api.AthenzRole; import com.yahoo.vespa.athenz.api.ZToken; @@ -89,6 +90,11 @@ public class AthenzAuthorizationFilterTest { public AuthorizationResult checkAccessAllowed(X509Certificate roleCertificate, AthenzResourceName resourceName, String action) { return new AuthorizationResult(Type.ALLOW, new AthenzRole(resourceName.getDomain(), "rolename")); } + + @Override + public AuthorizationResult checkAccessAllowed(AthenzAccessToken accessToken, X509Certificate identityCertificate, AthenzResourceName resourceName, String action) { + return new AuthorizationResult(Type.ALLOW, new AthenzRole(resourceName.getDomain(), "rolename")); + } } static class DenyingZpe implements Zpe { @@ -101,6 +107,11 @@ public class AthenzAuthorizationFilterTest { public AuthorizationResult checkAccessAllowed(X509Certificate roleCertificate, AthenzResourceName resourceName, String action) { return new AuthorizationResult(Type.DENY); } + + @Override + public AuthorizationResult checkAccessAllowed(AthenzAccessToken accessToken, X509Certificate identityCertificate, AthenzResourceName resourceName, String action) { + return new AuthorizationResult(Type.DENY); + } } } diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/DefaultZpe.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/DefaultZpe.java index 579f9b1d9d4..47ae45a69ca 100644 --- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/DefaultZpe.java +++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/DefaultZpe.java @@ -2,6 +2,7 @@ package com.yahoo.vespa.athenz.zpe; import com.yahoo.athenz.zpe.AuthZpeClient; +import com.yahoo.vespa.athenz.api.AthenzAccessToken; import com.yahoo.vespa.athenz.api.AthenzResourceName; import com.yahoo.vespa.athenz.api.AthenzRole; import com.yahoo.vespa.athenz.api.ZToken; @@ -37,6 +38,16 @@ public class DefaultZpe implements Zpe { return createResult(returnedMatchedRole, rawResult, resourceName); } + @Override + public AuthorizationResult checkAccessAllowed( + AthenzAccessToken accessToken, X509Certificate identityCertificate, AthenzResourceName resourceName, String action) { + StringBuilder returnedMatchedRole = new StringBuilder(); + AuthZpeClient.AccessCheckStatus rawResult = + AuthZpeClient.allowAccess( + accessToken.value(), identityCertificate, /*certHash*/null, resourceName.toResourceNameString(), action, returnedMatchedRole); + return createResult(returnedMatchedRole, rawResult, resourceName); + } + private static AuthorizationResult createResult( StringBuilder matchedRole, AuthZpeClient.AccessCheckStatus rawResult, AthenzResourceName resourceName) { return new AuthorizationResult(Type.fromAccessCheckStatus(rawResult), toRole(matchedRole, resourceName)); diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/Zpe.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/Zpe.java index e22e27f1508..51e5ee4dbb1 100644 --- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/Zpe.java +++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/Zpe.java @@ -1,6 +1,7 @@ // Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. package com.yahoo.vespa.athenz.zpe; +import com.yahoo.vespa.athenz.api.AthenzAccessToken; import com.yahoo.vespa.athenz.api.AthenzResourceName; import com.yahoo.vespa.athenz.api.ZToken; @@ -14,4 +15,5 @@ import java.security.cert.X509Certificate; public interface Zpe { AuthorizationResult checkAccessAllowed(ZToken roleToken, AthenzResourceName resourceName, String action); AuthorizationResult checkAccessAllowed(X509Certificate roleCertificate, AthenzResourceName resourceName, String action); + AuthorizationResult checkAccessAllowed(AthenzAccessToken accessToken, X509Certificate identityCertificate, AthenzResourceName resourceName, String action); } |