author | Jon Marius Venstad <jvenstad@yahoo-inc.com> | 2019-05-02 16:01:39 +0200 |
committer | Jon Marius Venstad <jvenstad@yahoo-inc.com> | 2019-05-02 16:01:39 +0200 |
commit | 3fd4744df8ec2480f66298080e1bcf7e04a2954a (patch) | |
tree | 731308255bb6ee2b94e0a8c47bbe140daf0b5227 /controller-server | |
parent | b8b9b593c0219bab713b1cdbbdd5786c561b53a4 (diff) |
Make AthenzRoleFilter skip requests without valid Athenz roles
Diffstat (limited to 'controller-server')
-rw-r--r-- | controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java | 17 |
1 files changed, 10 insertions, 7 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
index 789a99b4783..5f9313053f8 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
@@ -25,6 +25,7 @@ import com.yahoo.vespa.hosted.controller.tenant.UserTenant;
 import com.yahoo.yolean.Exceptions;
 
 import java.net.URI;
+import java.security.Principal;
 import java.util.HashSet;
 import java.util.Optional;
 import java.util.Set;
@@ -33,7 +34,7 @@ import java.util.logging.Logger;
 
 import static com.yahoo.vespa.hosted.controller.athenz.HostedAthenzIdentities.SCREWDRIVER_DOMAIN;
 
 /**
- * Enriches the request principal with roles from Athenz.
+ * Enriches the request principal with roles from Athenz, if an AthenzPrincipal is set on the request.
  *
  * @author jonmv
  */
@@ -53,15 +54,17 @@ public class AthenzRoleFilter extends JsonSecurityRequestFilterBase {
 @Override
 protected Optional<ErrorResponse> filter(DiscFilterRequest request) {
 try {
- AthenzPrincipal athenzPrincipal = (AthenzPrincipal) request.getUserPrincipal();
- request.setAttribute(SecurityContext.ATTRIBUTE_NAME, new SecurityContext(athenzPrincipal,
- roles(athenzPrincipal, request.getUri())));
- return Optional.empty();
+ Principal principal = request.getUserPrincipal();
+ if (principal instanceof AthenzPrincipal) {
+ request.setAttribute(SecurityContext.ATTRIBUTE_NAME, new SecurityContext(principal,
+ roles((AthenzPrincipal) principal,
+ request.getUri())));
+ }
 }
 catch (Exception e) {
- logger.log(LogLevel.DEBUG, () -> "Exception mapping Athenz principal to roles: " + Exceptions.toMessageString(e));
- return Optional.of(new ErrorResponse(Response.Status.UNAUTHORIZED, "Access denied"));
+ logger.log(LogLevel.INFO, () -> "Exception mapping Athenz principal to roles: " + Exceptions.toMessageString(e));
 }
+ return Optional.empty();
 }
 
 Set<Role> roles(AthenzPrincipal principal, URI uri) {
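Review bot: The new `catch (Exception e)` in `filter` turns a failed role lookup for a request that *does* carry an `AthenzPrincipal` into a pass-through: the exception is logged at INFO, no `SecurityContext` attribute is set, and `Optional.empty()` is returned, whereas the removed lines answered such failures with `401 Access denied`. Skipping non-Athenz principals is what the commit title asks for, but a transient failure inside `roles(...)` (which starts at the last line of this hunk and continues outside it) is a different case and should stay fail-closed, unless every downstream handler is known to treat a missing `SecurityContext` as "no roles" and deny, which this hunk cannot show. I would move the `try` inside the `instanceof` branch and keep the 401 there, so only requests without an `AthenzPrincipal` fall through unchanged. Narrowing `catch (Exception e)` to the exception types `roles(...)` can actually throw would also avoid hiding programming errors behind an INFO line.
```java
Principal principal = request.getUserPrincipal();
if (principal instanceof AthenzPrincipal) {
    try {
        request.setAttribute(SecurityContext.ATTRIBUTE_NAME, new SecurityContext(principal,
                                                                                 roles((AthenzPrincipal) principal,
                                                                                       request.getUri())));
    }
    catch (Exception e) {
        logger.log(LogLevel.INFO, () -> "Exception mapping Athenz principal to roles: " + Exceptions.toMessageString(e));
        return Optional.of(new ErrorResponse(Response.Status.UNAUTHORIZED, "Access denied")); // fail closed for Athenz callers
    }
}
return Optional.empty();
```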