author | Bjørn Christian Seime <bjorncs@oath.com> | 2018-10-18 15:44:58 +0200 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@oath.com> | 2018-10-18 15:44:58 +0200 |
commit | 74cc0cc3bf2489bba14929cd056759042d340fd7 (patch) | |
tree | 14facb6f5a9918a6554f753e6ec68b159abdbf97 | |
parent | cd4f5b189210ed4ec24606f935ef9eae688b26fd (diff) |
Remove UserAuthWithAthenzPrincipalFilter
-rw-r--r-- | controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/UserAuthWithAthenzPrincipalFilter.java | 104 |
1 files changed, 0 insertions, 104 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/UserAuthWithAthenzPrincipalFilter.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/UserAuthWithAthenzPrincipalFilter.java
deleted file mode 100644
index 26cd9f2e9b8..00000000000
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/UserAuthWithAthenzPrincipalFilter.java
+++ /dev/null
@@ -1,104 +0,0 @@
-// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.vespa.hosted.controller.athenz.filter;
-
-import com.google.inject.Inject;
-import com.yahoo.jdisc.Response;
-import com.yahoo.jdisc.http.filter.DiscFilterRequest;
-import com.yahoo.jdisc.http.filter.security.athenz.AthenzPrincipalFilter;
-import com.yahoo.jdisc.http.filter.security.athenz.AthenzPrincipalFilterConfig;
-import com.yahoo.jdisc.http.filter.security.cors.CorsFilterConfig;
-import com.yahoo.log.LogLevel;
-import com.yahoo.vespa.athenz.api.AthenzPrincipal;
-import com.yahoo.vespa.athenz.api.AthenzUser;
-import com.yahoo.vespa.athenz.api.NToken;
-import com.yahoo.vespa.hosted.controller.api.identifiers.UserId;
-import com.yahoo.vespa.hosted.controller.athenz.config.AthenzConfig;
-import com.yahoo.yolean.chain.After;
-
-import java.security.Principal;
-import java.util.Optional;
-import java.util.logging.Logger;
-import java.util.stream.Stream;
-
-
-/**
- * A variant of the {@link AthenzPrincipalFilter} to be used in combination with a cookie-based
- * security filter for user authentication
- * Assumes that the user authentication filter configured in the same filter chain and is configured to run before this filter.
- *
- * @author bjorncs
- */
-// TODO Remove this filter once migrated to Okta
-@After({"CorsPreflightRequestFilter", "BouncerFilter"})
-public class UserAuthWithAthenzPrincipalFilter extends AthenzPrincipalFilter {
-
- private static final Logger log = Logger.getLogger(UserAuthWithAthenzPrincipalFilter.class.getName());
-
- private final String userAuthenticationPassThruAttribute;
- private final String principalHeaderName;
-
- @Inject
- public UserAuthWithAthenzPrincipalFilter(AthenzPrincipalFilterConfig filterConfig, AthenzConfig athenzConfig, CorsFilterConfig corsConfig) {
- super(filterConfig, corsConfig);
- this.userAuthenticationPassThruAttribute = athenzConfig.userAuthenticationPassThruAttribute();
- this.principalHeaderName = filterConfig.principalHeaderName();
- }
-
- @Override
- public Optional<ErrorResponse> filterRequest(DiscFilterRequest request) {
- if (request.getMethod().equals("OPTIONS")) return Optional.empty(); // Skip authentication on OPTIONS - required for Javascript CORS
-
- try {
- switch (getUserAuthenticationResult(request)) {
- case USER_COOKIE_MISSING:
- case USER_COOKIE_ALTERNATIVE_MISSING:
- return super.filterRequest(request); // Cookie-based authentication failed, delegate to Athenz
- case USER_COOKIE_OK:
- rewriteUserPrincipalToAthenz(request);
- return Optional.empty(); // Authenticated using user cookie
- case USER_COOKIE_INVALID:
- return Optional.of(new ErrorResponse(Response.Status.UNAUTHORIZED, "Your user cookie is invalid (either expired, tampered or invalid ip)"));
- default:
- return Optional.empty();
- }
- } catch (Exception e) {
- log.log(LogLevel.WARNING, "Authentication failed: " + e.getMessage(), e);
- return Optional.of(new ErrorResponse(Response.Status.INTERNAL_SERVER_ERROR, e.getMessage()));
- }
- }
-
- private UserAuthenticationResult getUserAuthenticationResult(DiscFilterRequest request) {
- if (!request.containsAttribute(userAuthenticationPassThruAttribute)) {
- throw new IllegalStateException("User authentication filter passthru attribute missing");
- }
- Integer statusCode = (Integer) request.getAttribute(userAuthenticationPassThruAttribute);
- return Stream.of(UserAuthenticationResult.values())
- .filter(uar -> uar.statusCode == statusCode)
- .findAny()
- .orElseThrow(() -> new IllegalStateException("Invalid status code: " + statusCode));
- }
-
- private void rewriteUserPrincipalToAthenz(DiscFilterRequest request) {
- Principal userPrincipal = request.getUserPrincipal();
- log.log(LogLevel.DEBUG, () -> "Original user principal: " + userPrincipal.toString());
- UserId userId = new UserId(userPrincipal.getName());
- AthenzUser athenzIdentity = AthenzUser.fromUserId(userId.id());
- request.setRemoteUser(athenzIdentity.getFullName());
- NToken nToken = Optional.ofNullable(request.getHeader(principalHeaderName)).map(NToken::new).orElse(null);
- request.setUserPrincipal(new AthenzPrincipal(athenzIdentity, nToken));
- }
-
- private enum UserAuthenticationResult {
- USER_COOKIE_MISSING(0),
- USER_COOKIE_OK(1),
- USER_COOKIE_INVALID(-1),
- USER_COOKIE_ALTERNATIVE_MISSING(-2);
-
- final int statusCode;
-
- UserAuthenticationResult(int statusCode) {
- this.statusCode = statusCode;
- }
-
- }
-}
 |