author | Morten Tokle <mortent@yahooinc.com> | 2022-09-26 16:12:51 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-09-26 16:12:51 +0200 |
commit | 3f4e671782ab4d29cbf8f007beaa94cf5c062c2f (patch) | |
tree | 4b0a722a88449403899761527375b0fb4b9928ef | |
parent | 20c65bf7682c4b3ae4486859c67c95b8d6d37b6a (diff) | |
parent | 81f767035fa85eb6fef48023be75c31021ea4637 (diff) |
Merge pull request #24223 from vespa-engine/bjorncs/csrf-filter
Propagate expiration from Okta access token
-rw-r--r-- | controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java | 17 |
1 files changed, 11 insertions, 6 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
index e06c2c3ccbd..a93741fd8fb 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
@@ -2,6 +2,8 @@ package com.yahoo.vespa.hosted.controller.restapi.filter;
 import com.auth0.jwt.JWT;
+import com.auth0.jwt.interfaces.DecodedJWT;
+import com.auth0.jwt.interfaces.Payload;
 import com.yahoo.component.annotation.Inject;
 import com.yahoo.config.provision.ApplicationName;
 import com.yahoo.config.provision.SystemName;
@@ -79,14 +81,17 @@ public class AthenzRoleFilter extends JsonSecurityRequestFilterBase {
 try {
 Principal principal = request.getUserPrincipal();
 if (principal instanceof AthenzPrincipal) {
- Instant issuedAt = request.getClientCertificateChain().stream().findFirst()
- .map(X509Certificate::getNotBefore)
- .or(() -> Optional.ofNullable((String) request.getAttribute("okta.access-token")).map(iat -> JWT.decode(iat).getIssuedAt()))
- .map(Date::toInstant)
- .orElse(Instant.EPOCH);
+ Optional<DecodedJWT> oktaAt = Optional.ofNullable((String) request.getAttribute("okta.access-token")).map(JWT::decode);
+ Optional<X509Certificate> cert = request.getClientCertificateChain().stream().findFirst();
+ Instant issuedAt = cert.map(X509Certificate::getNotBefore)
+ .or(() -> oktaAt.map(Payload::getIssuedAt))
+ .map(Date::toInstant).orElse(Instant.EPOCH);
+ Instant expireAt = cert.map(X509Certificate::getNotAfter)
+ .or(() -> oktaAt.map(Payload::getExpiresAt))
+ .map(Date::toInstant).orElse(Instant.MAX);
 request.setAttribute(SecurityContext.ATTRIBUTE_NAME, new SecurityContext(principal,
 roles((AthenzPrincipal) principal, request.getUri()),
- issuedAt));
+ issuedAt, expireAt));
 }
 } catch (Exception e) { |
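Review bot: `oktaAt.map(Payload::getExpiresAt)` yields an empty Optional when the decoded token carries no `exp` claim (the getter returns null), so the new `expireAt` line silently falls through to `Instant.MAX` — the same most-permissive default the code uses when no credential is present at all. If the expiry stored in SecurityContext is consulted anywhere for access decisions, a token without `exp` should probably not be treated as never-expiring; consider failing the token branch in that case, or at least a comment on the `.orElse(Instant.MAX)` line such as `// no cert and no exp claim: treated as non-expiring on purpose` so the permissive default is visibly intentional. It is also worth checking that no consumer converts `expireAt` via `Date.from(...)`, which throws for `Instant.MAX`. The enclosing method begins and ends outside the hunk, and whether the `okta.access-token` attribute was signature-verified before this point is not visible here — `JWT.decode` only parses.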