author | Bjørn Christian Seime <bjorncs@oath.com> | 2018-02-05 17:51:37 +0100 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@oath.com> | 2018-02-07 11:44:56 +0100 |
commit | a3d37d934b5dba841d04d283ff66cb57f4eb33fe (patch) | |
tree | 295739870c334ad50f56b7a91e4a4340627c510f /controller-server | |
parent | b555a9a8d6fd30f46ecf079efb82a44dcd9b67fb (diff) |
Deprecate use of SecurityContext
Diffstat (limited to 'controller-server')
4 files changed, 18 insertions, 10 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/application/Authorizer.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/application/Authorizer.java index 28564e92ce3..9d45b9a6e09 100644 --- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/application/Authorizer.java +++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/application/Authorizer.java @@ -66,8 +66,7 @@ public class Authorizer { /** Returns the principal or throws forbidden */ // TODO: Avoid REST exceptions public AthenzPrincipal getPrincipal(HttpRequest request) { - return securityContextOf(request) - .map(SecurityContext::getUserPrincipal) + return Optional.ofNullable(request.getJDiscRequest().getUserPrincipal()) .map(AthenzPrincipal.class::cast) .orElseThrow(() -> loggedForbiddenException("User is not authenticated")); } @@ -152,6 +151,8 @@ public class Authorizer { return securityContext.get().isUserInRole(Authorizer.VESPA_HOSTED_ADMIN_ROLE); } + @Deprecated + // TODO: Remove once Bouncer filter is no longer needed protected Optional<SecurityContext> securityContextOf(HttpRequest request) { return Optional.ofNullable((SecurityContext)request.getJDiscRequest().context().get(ContextAttributes.SECURITY_CONTEXT_ATTRIBUTE)); } diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/securitycontext/CreateSecurityContextFilter.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/securitycontext/CreateSecurityContextFilter.java index 6073307bafa..5fc15f4baa6 100644 --- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/securitycontext/CreateSecurityContextFilter.java +++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/securitycontext/CreateSecurityContextFilter.java 
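Review bot: In `getPrincipal`, the new `Optional.ofNullable(request.getJDiscRequest().getUserPrincipal())` feeds straight into the unchanged `.map(AthenzPrincipal.class::cast)`, so a principal of any other `Principal` type would raise a ClassCastException instead of reaching the forbidden path. The value used to come from the SecurityContext stored under `ContextAttributes.SECURITY_CONTEXT_ATTRIBUTE`; it is now whatever principal the request carries, and the hunk does not show which filters set it. Adding `.filter(AthenzPrincipal.class::isInstance)` before the `.map(...)` line keeps an unexpected principal type on the "User is not authenticated" branch.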
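Review bot: The `@Deprecated` added to `securityContextOf` has no Javadoc `@deprecated` tag, and the `// TODO` sits between the annotation and the declaration where Javadoc tooling will not pick it up. The context line above still decides the admin role through `securityContext.get().isUserInRole(...)`, so the principal and the role check now appear to come from different sources; the deprecation text should say the role check must move before this method is removed. Suggested: `/** @deprecated Use {@link #getPrincipal(HttpRequest)} for the caller identity; kept only while the Bouncer filter is in use. */`. The same applies to the class-level `@Deprecated` in the CreateSecurityContextFilter and PropagateSecurityContextFilter hunks, where the order of comment and annotation also differs. The method containing the `isUserInRole` call starts outside the hunk.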
@@ -20,6 +20,8 @@ import java.security.Principal; @After("BouncerFilter") @Provides("SecurityContext") @SuppressWarnings("unused") // Injected +@Deprecated +// TODO Remove once Bouncer filter is gone public class CreateSecurityContextFilter implements SecurityRequestFilter { @Override diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/securitycontext/PropagateSecurityContextFilter.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/securitycontext/PropagateSecurityContextFilter.java index 17c86e89362..23f94f2fc21 100644 --- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/securitycontext/PropagateSecurityContextFilter.java +++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/securitycontext/PropagateSecurityContextFilter.java @@ -18,6 +18,8 @@ import java.io.IOException; */ @PreMatching @Provider +// TODO Remove once Bouncer filter is gone +@Deprecated public class PropagateSecurityContextFilter implements ContainerRequestFilter { @Override public void filter(ContainerRequestContext requestContext) throws IOException { diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/MockAuthorizer.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/MockAuthorizer.java index 1e284c11c93..f2fc4b12096 100644 --- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/MockAuthorizer.java +++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/MockAuthorizer.java 
@@ -11,6 +11,7 @@ import com.yahoo.vespa.hosted.controller.TestIdentities; import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzClientFactory; import com.yahoo.vespa.hosted.controller.api.integration.entity.EntityService; +import javax.ws.rs.ForbiddenException; import javax.ws.rs.core.SecurityContext; import java.security.Principal; import java.util.Optional; @@ -30,14 +31,16 @@ public class MockAuthorizer extends Authorizer { } /** Returns a principal given by the request parameters 'domain' and 'user' */ - private static Optional<AthenzPrincipal> getPrincipalIfAny(HttpRequest request) { + @Override + public AthenzPrincipal getPrincipal(HttpRequest request) { String domain = request.getHeader("Athenz-Identity-Domain"); String name = request.getHeader("Athenz-Identity-Name"); - if (domain == null || name == null) return Optional.empty(); - return Optional.of( - new AthenzPrincipal( - AthenzIdentities.from(new AthenzDomain(domain), name), - new NToken("dummy"))); + if (domain == null || name == null) { + throw new ForbiddenException("User is not authenticated"); + } + return new AthenzPrincipal( + AthenzIdentities.from(new AthenzDomain(domain), name), + new NToken("dummy")); } /** Returns the hardcoded NToken of {@link TestIdentities#userId} */ @@ -49,9 +52,9 @@ public class MockAuthorizer extends Authorizer { @Override protected Optional<SecurityContext> securityContextOf(HttpRequest request) { - return getPrincipalIfAny(request).map(MockSecurityContext::new); + return Optional.of(new MockSecurityContext(getPrincipal(request))); } - + private static final class MockSecurityContext implements SecurityContext { private final Principal principal; |
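Review bot: The Javadoc kept above the new `getPrincipal` override still says the principal comes from the request parameters 'domain' and 'user', but the body reads the `Athenz-Identity-Domain` and `Athenz-Identity-Name` headers and now throws when either is missing. Suggested replacement: `/** Returns a principal built from the 'Athenz-Identity-Domain' and 'Athenz-Identity-Name' request headers, or throws forbidden if either is missing */`. The override also throws a plain `ForbiddenException`, while the production method goes through `loggedForbiddenException(...)`; whether any test depends on that difference is not visible here.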
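Review bot: The mock's `securityContextOf` can no longer return an empty Optional, because `getPrincipal(request)` throws `ForbiddenException` when the identity headers are absent and `Optional.of(...)` is never reached for an unauthenticated request. The production method returns `Optional.ofNullable(...)`, so any caller branch that handles a missing security context is presumably no longer exercised through this mock, and such tests would see an exception instead. If that branch should stay covered, check the two headers here and return `Optional.empty()` when either is null, building the principal only otherwise.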