authorHarald Musum <musum@verizonmedia.com>2020-01-24 14:17:13 +0100
committerGitHub <noreply@github.com>2020-01-24 14:17:13 +0100
commit5eb436554c43ccc2d4b97421733b206081b2681d (patch)
tree78ad0c97295aad5f501bf9ab0072525baddebe43
parente2d7d10f664ec221708d051ec754d68fc6cee5b6 (diff)
Revert "Bjorncs/update zpe"
-rw-r--r--jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilter.java5
-rw-r--r--jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilterTest.java12
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/AthenzAccessToken.java46
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/AuthorizationResult.java96
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/DefaultZpe.java38
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/Zpe.java2
6 files changed, 38 insertions, 161 deletions
diff --git a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilter.java b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilter.java
index 9151aa1b693..74e0ee36959 100644
--- a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilter.java
+++ b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilter.java
@@ -121,12 +121,11 @@ public class AthenzAuthorizationFilter extends JsonSecurityRequestFilterBase {
ZpeCheck<C> accessCheck,
Function<C, AthenzPrincipal> principalFactory) {
AuthorizationResult authorizationResult = accessCheck.checkAccess(credentials, resAndAction.resourceName(), resAndAction.action());
- if (authorizationResult.type() == AuthorizationResult.Type.ALLOW) {
+ if (authorizationResult == AuthorizationResult.ALLOW) {
request.setUserPrincipal(principalFactory.apply(credentials));
- authorizationResult.matchedRole().ifPresent(role -> request.setUserRoles(new String[] {role.roleName()}));
return Optional.empty();
}
- return Optional.of(new ErrorResponse(Response.Status.FORBIDDEN, "Access forbidden: " + authorizationResult.type().getDescription()));
+ return Optional.of(new ErrorResponse(Response.Status.FORBIDDEN, "Access forbidden: " + authorizationResult.getDescription()));
}
private static AthenzPrincipal createPrincipal(X509Certificate certificate) {
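Review bot: The 403 body built on the last changed line of this hunk echoes `authorizationResult.getDescription()`, which per the AuthorizationResult hunk is the wrapped `AccessCheckStatus`'s `toString()`, so the precise denial reason (expired role token, domain not found, certificate issuer mismatch, and so on) is handed back to the rejected caller. A caller that is not authorized usually should not learn which check failed; keep the detailed status for the server-side log and return a fixed message, `return Optional.of(new ErrorResponse(Response.Status.FORBIDDEN, "Access forbidden"));`, logging `authorizationResult.getDescription()` through whatever logger this class already has (not visible in the hunk). The enclosing method's signature begins above the hunk, so whether the description is also logged elsewhere in it cannot be confirmed from here.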
diff --git a/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilterTest.java b/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilterTest.java
index 197ba89f3e3..b81b26d458b 100644
--- a/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilterTest.java
+++ b/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilterTest.java
@@ -5,7 +5,6 @@ import com.yahoo.container.jdisc.RequestHandlerTestDriver;
import com.yahoo.jdisc.Response;
import com.yahoo.jdisc.http.filter.DiscFilterRequest;
import com.yahoo.vespa.athenz.api.AthenzResourceName;
-import com.yahoo.vespa.athenz.api.AthenzRole;
import com.yahoo.vespa.athenz.api.ZToken;
import com.yahoo.vespa.athenz.zpe.AuthorizationResult;
import com.yahoo.vespa.athenz.zpe.Zpe;
@@ -15,7 +14,6 @@ import org.mockito.Mockito;
import java.security.cert.X509Certificate;
import static com.yahoo.jdisc.http.filter.security.athenz.AthenzAuthorizationFilterConfig.CredentialsToVerify.Enum.ANY;
-import static com.yahoo.vespa.athenz.zpe.AuthorizationResult.*;
import static java.util.Collections.emptyList;
import static org.hamcrest.CoreMatchers.containsString;
import static org.junit.Assert.assertEquals;
@@ -66,7 +64,7 @@ public class AthenzAuthorizationFilterTest {
assertNotNull(response);
assertEquals(403, response.getStatus());
String content = responseHandler.readAll();
- assertThat(content, containsString(Type.DENY.getDescription()));
+ assertThat(content, containsString(AuthorizationResult.DENY.getDescription()));
}
private static DiscFilterRequest createRequest() {
@@ -82,24 +80,24 @@ public class AthenzAuthorizationFilterTest {
static class AllowingZpe implements Zpe {
@Override
public AuthorizationResult checkAccessAllowed(ZToken roleToken, AthenzResourceName resourceName, String action) {
- return new AuthorizationResult(Type.ALLOW, new AthenzRole(resourceName.getDomain(), "rolename"));
+ return AuthorizationResult.ALLOW;
}
@Override
public AuthorizationResult checkAccessAllowed(X509Certificate roleCertificate, AthenzResourceName resourceName, String action) {
- return new AuthorizationResult(Type.ALLOW, new AthenzRole(resourceName.getDomain(), "rolename"));
+ return AuthorizationResult.ALLOW;
}
}
static class DenyingZpe implements Zpe {
@Override
public AuthorizationResult checkAccessAllowed(ZToken roleToken, AthenzResourceName resourceName, String action) {
- return new AuthorizationResult(Type.DENY);
+ return AuthorizationResult.DENY;
}
@Override
public AuthorizationResult checkAccessAllowed(X509Certificate roleCertificate, AthenzResourceName resourceName, String action) {
- return new AuthorizationResult(Type.DENY);
+ return AuthorizationResult.DENY;
}
}
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/AthenzAccessToken.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/AthenzAccessToken.java
deleted file mode 100644
index 86deb0b59b3..00000000000
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/AthenzAccessToken.java
+++ /dev/null
@@ -1,46 +0,0 @@
-// Copyright 2020 Oath Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.vespa.athenz.api;
-
-import java.util.Objects;
-
-/**
- * Represents an Athenz Access Token
- *
- * @author bjorncs
- */
-public class AthenzAccessToken {
-
- public static final String HTTP_HEADER_NAME = "Authorization";
-
- private static final String BEARER_TOKEN_PREFIX = "Bearer ";
-
- private final String value;
-
- public AthenzAccessToken(String value) {
- this.value = stripBearerTokenPrefix(value);
- }
-
- private static String stripBearerTokenPrefix(String rawValue) {
- String stripped = rawValue.strip();
- return stripped.startsWith(BEARER_TOKEN_PREFIX)
- ? stripped.substring(BEARER_TOKEN_PREFIX.length())
- : stripped;
- }
-
- public String value() { return value; }
-
- @Override public String toString() { return "AthenzAccessToken{value='" + value + "'}"; }
-
- @Override
- public boolean equals(Object o) {
- if (this == o) return true;
- if (o == null || getClass() != o.getClass()) return false;
- AthenzAccessToken that = (AthenzAccessToken) o;
- return Objects.equals(value, that.value);
- }
-
- @Override
- public int hashCode() {
- return Objects.hash(value);
- }
-}
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/AuthorizationResult.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/AuthorizationResult.java
index 28001e8e8d2..faf05011af9 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/AuthorizationResult.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/AuthorizationResult.java
@@ -2,87 +2,45 @@
package com.yahoo.vespa.athenz.zpe;
import com.yahoo.athenz.zpe.AuthZpeClient.AccessCheckStatus;
-import com.yahoo.vespa.athenz.api.AthenzRole;
import java.util.Arrays;
-import java.util.Objects;
-import java.util.Optional;
/**
* The various types of access control results.
*
* @author bjorncs
*/
-public class AuthorizationResult {
-
- private final Type type;
- private final AthenzRole matchedRole;
-
- public AuthorizationResult(Type type) {
- this(type, null);
- }
-
- public AuthorizationResult(Type type, AthenzRole matchedRole) {
- this.type = type;
- this.matchedRole = matchedRole;
- }
-
- public Type type() { return type; }
- public Optional<AthenzRole> matchedRole() { return Optional.ofNullable(matchedRole); }
-
- public enum Type {
- ALLOW(AccessCheckStatus.ALLOW),
- DENY(AccessCheckStatus.DENY),
- DENY_NO_MATCH(AccessCheckStatus.DENY_NO_MATCH),
- DENY_ROLETOKEN_EXPIRED(AccessCheckStatus.DENY_ROLETOKEN_EXPIRED),
- DENY_ROLETOKEN_INVALID(AccessCheckStatus.DENY_ROLETOKEN_INVALID),
- DENY_DOMAIN_MISMATCH(AccessCheckStatus.DENY_DOMAIN_MISMATCH),
- DENY_DOMAIN_NOT_FOUND(AccessCheckStatus.DENY_DOMAIN_NOT_FOUND),
- DENY_DOMAIN_EXPIRED(AccessCheckStatus.DENY_DOMAIN_EXPIRED),
- DENY_DOMAIN_EMPTY(AccessCheckStatus.DENY_DOMAIN_EMPTY),
- DENY_INVALID_PARAMETERS(AccessCheckStatus.DENY_INVALID_PARAMETERS),
- DENY_CERT_MISMATCH_ISSUER(AccessCheckStatus.DENY_CERT_MISMATCH_ISSUER),
- DENY_CERT_MISSING_SUBJECT(AccessCheckStatus.DENY_CERT_MISSING_SUBJECT),
- DENY_CERT_MISSING_DOMAIN(AccessCheckStatus.DENY_CERT_MISSING_DOMAIN),
- DENY_CERT_MISSING_ROLE_NAME(AccessCheckStatus.DENY_CERT_MISSING_ROLE_NAME);
-
- private final AccessCheckStatus wrappedElement;
-
- Type(AccessCheckStatus wrappedElement) {
- this.wrappedElement = wrappedElement;
- }
-
- public String getDescription() {
- return wrappedElement.toString();
- }
-
- static Type fromAccessCheckStatus(AccessCheckStatus accessCheckStatus) {
- return Arrays.stream(values())
- .filter(value -> value.wrappedElement == accessCheckStatus)
- .findFirst()
- .orElseThrow(() -> new IllegalArgumentException("Unknown status: " + accessCheckStatus));
- }
+public enum AuthorizationResult {
+ ALLOW(AccessCheckStatus.ALLOW),
+ DENY(AccessCheckStatus.DENY),
+ DENY_NO_MATCH(AccessCheckStatus.DENY_NO_MATCH),
+ DENY_ROLETOKEN_EXPIRED(AccessCheckStatus.DENY_ROLETOKEN_EXPIRED),
+ DENY_ROLETOKEN_INVALID(AccessCheckStatus.DENY_ROLETOKEN_INVALID),
+ DENY_DOMAIN_MISMATCH(AccessCheckStatus.DENY_DOMAIN_MISMATCH),
+ DENY_DOMAIN_NOT_FOUND(AccessCheckStatus.DENY_DOMAIN_NOT_FOUND),
+ DENY_DOMAIN_EXPIRED(AccessCheckStatus.DENY_DOMAIN_EXPIRED),
+ DENY_DOMAIN_EMPTY(AccessCheckStatus.DENY_DOMAIN_EMPTY),
+ DENY_INVALID_PARAMETERS(AccessCheckStatus.DENY_INVALID_PARAMETERS),
+ DENY_CERT_MISMATCH_ISSUER(AccessCheckStatus.DENY_CERT_MISMATCH_ISSUER),
+ DENY_CERT_MISSING_SUBJECT(AccessCheckStatus.DENY_CERT_MISSING_SUBJECT),
+ DENY_CERT_MISSING_DOMAIN(AccessCheckStatus.DENY_CERT_MISSING_DOMAIN),
+ DENY_CERT_MISSING_ROLE_NAME(AccessCheckStatus.DENY_CERT_MISSING_ROLE_NAME);
+
+ private final AccessCheckStatus wrappedElement;
+
+ AuthorizationResult(AccessCheckStatus wrappedElement) {
+ this.wrappedElement = wrappedElement;
}
- @Override
- public String toString() {
- return "AuthorizationResult{" +
- "type=" + type +
- ", matchedRole=" + matchedRole +
- '}';
+ public String getDescription() {
+ return wrappedElement.toString();
}
- @Override
- public boolean equals(Object o) {
- if (this == o) return true;
- if (o == null || getClass() != o.getClass()) return false;
- AuthorizationResult that = (AuthorizationResult) o;
- return type == that.type &&
- Objects.equals(matchedRole, that.matchedRole);
+ static AuthorizationResult fromAccessCheckStatus(AccessCheckStatus accessCheckStatus) {
+ return Arrays.stream(values())
+ .filter(value -> value.wrappedElement == accessCheckStatus)
+ .findFirst()
+ .orElseThrow(() -> new IllegalArgumentException("Unknown status: " + accessCheckStatus));
}
- @Override
- public int hashCode() {
- return Objects.hash(type, matchedRole);
- }
}
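Review bot: `fromAccessCheckStatus` filters a stream over `values()` on every call, and this commit places it on the per-request path of both `DefaultZpe.checkAccessAllowed` overloads; a lookup table built once reads more directly and avoids the repeated scan, e.g. `private static final Map<AccessCheckStatus, AuthorizationResult> BY_STATUS = Arrays.stream(values()).collect(Collectors.toUnmodifiableMap(v -> v.wrappedElement, v -> v));` with the method body reduced to `return Optional.ofNullable(BY_STATUS.get(accessCheckStatus)).orElseThrow(() -> new IllegalArgumentException("Unknown status: " + accessCheckStatus));` (this re-adds the `java.util.Optional` import the hunk drops and needs `java.util.Map` and `java.util.stream.Collectors`). Either way the method deserves a Javadoc `@throws IllegalArgumentException if the status has no counterpart in this enum`, because any `AccessCheckStatus` value the ZPE library reports that is not mirrored here will leave `DefaultZpe.checkAccessAllowed` as an exception rather than as a deny result, and callers in the filter should know to expect that.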
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/DefaultZpe.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/DefaultZpe.java
index 47ae45a69ca..29044111ada 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/DefaultZpe.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/DefaultZpe.java
@@ -2,11 +2,8 @@
package com.yahoo.vespa.athenz.zpe;
import com.yahoo.athenz.zpe.AuthZpeClient;
-import com.yahoo.vespa.athenz.api.AthenzAccessToken;
import com.yahoo.vespa.athenz.api.AthenzResourceName;
-import com.yahoo.vespa.athenz.api.AthenzRole;
import com.yahoo.vespa.athenz.api.ZToken;
-import com.yahoo.vespa.athenz.zpe.AuthorizationResult.Type;
import java.security.cert.X509Certificate;
@@ -24,41 +21,14 @@ public class DefaultZpe implements Zpe {
@Override
public AuthorizationResult checkAccessAllowed(ZToken roleToken, AthenzResourceName resourceName, String action) {
- StringBuilder returnedMatchedRole = new StringBuilder();
- AuthZpeClient.AccessCheckStatus rawResult =
- AuthZpeClient.allowAccess(roleToken.getRawToken(), resourceName.toResourceNameString(), action, returnedMatchedRole);
- return createResult(returnedMatchedRole, rawResult, resourceName);
+ return AuthorizationResult.fromAccessCheckStatus(
+ AuthZpeClient.allowAccess(roleToken.getRawToken(), resourceName.toResourceNameString(), action));
}
@Override
public AuthorizationResult checkAccessAllowed(X509Certificate roleCertificate, AthenzResourceName resourceName, String action) {
- StringBuilder returnedMatchedRole = new StringBuilder();
- AuthZpeClient.AccessCheckStatus rawResult =
- AuthZpeClient.allowAccess(roleCertificate, resourceName.toResourceNameString(), action, returnedMatchedRole);
- return createResult(returnedMatchedRole, rawResult, resourceName);
- }
-
- @Override
- public AuthorizationResult checkAccessAllowed(
- AthenzAccessToken accessToken, X509Certificate identityCertificate, AthenzResourceName resourceName, String action) {
- StringBuilder returnedMatchedRole = new StringBuilder();
- AuthZpeClient.AccessCheckStatus rawResult =
- AuthZpeClient.allowAccess(
- accessToken.value(), identityCertificate, /*certHash*/null, resourceName.toResourceNameString(), action, returnedMatchedRole);
- return createResult(returnedMatchedRole, rawResult, resourceName);
- }
-
- private static AuthorizationResult createResult(
- StringBuilder matchedRole, AuthZpeClient.AccessCheckStatus rawResult, AthenzResourceName resourceName) {
- return new AuthorizationResult(Type.fromAccessCheckStatus(rawResult), toRole(matchedRole, resourceName));
- }
-
- private static AthenzRole toRole(StringBuilder rawRole, AthenzResourceName resourceName) {
- if (rawRole.length() == 0) {
- return null;
- } else {
- return new AthenzRole(resourceName.getDomain(), rawRole.toString());
- }
+ return AuthorizationResult.fromAccessCheckStatus(
+ AuthZpeClient.allowAccess(roleCertificate, resourceName.toResourceNameString(), action));
}
}
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/Zpe.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/Zpe.java
index 51e5ee4dbb1..e22e27f1508 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/Zpe.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/Zpe.java
@@ -1,7 +1,6 @@
// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.vespa.athenz.zpe;
-import com.yahoo.vespa.athenz.api.AthenzAccessToken;
import com.yahoo.vespa.athenz.api.AthenzResourceName;
import com.yahoo.vespa.athenz.api.ZToken;
@@ -15,5 +14,4 @@ import java.security.cert.X509Certificate;
public interface Zpe {
AuthorizationResult checkAccessAllowed(ZToken roleToken, AthenzResourceName resourceName, String action);
AuthorizationResult checkAccessAllowed(X509Certificate roleCertificate, AthenzResourceName resourceName, String action);
- AuthorizationResult checkAccessAllowed(AthenzAccessToken accessToken, X509Certificate identityCertificate, AthenzResourceName resourceName, String action);
}