author | Bjørn Christian Seime <bjorn.christian@seime.no> | 2017-11-22 16:41:38 +0100 |
committer | GitHub <noreply@github.com> | 2017-11-22 16:41:38 +0100 |
commit | 47a72fee625e178d82b494a1f172e9f4b0745fa4 (patch) | |
tree | 2d0bde3dee821c9f55847433008f23151a198d47 /controller-server | |
parent | a322c3a6b7a17c89e6d277b09c646029229b6ad2 (diff) | |
parent | b47f22c74798850abe3e78aebb4450c78998940a (diff) |
Merge pull request #4240 from vespa-engine/bjorncs/rewrite-user-principal-to-athenz
Bjorncs/rewrite user principal to athenz
Diffstat (limited to 'controller-server')
-rw-r--r-- | controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/UserAuthWithAthenzPrincipalFilter.java | 30 |
1 files changed, 27 insertions, 3 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/UserAuthWithAthenzPrincipalFilter.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/UserAuthWithAthenzPrincipalFilter.java
index d125f279b63..62c54b10a00 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/UserAuthWithAthenzPrincipalFilter.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/UserAuthWithAthenzPrincipalFilter.java
@@ -2,13 +2,21 @@ package com.yahoo.vespa.hosted.controller.athenz.filter;
 import com.google.inject.Inject;
+import com.yahoo.container.jdisc.HttpRequest;
 import com.yahoo.jdisc.handler.ResponseHandler;
 import com.yahoo.jdisc.http.filter.DiscFilterRequest;
+import com.yahoo.log.LogLevel;
+import com.yahoo.vespa.hosted.controller.api.identifiers.UserId;
+import com.yahoo.vespa.hosted.controller.athenz.AthenzPrincipal;
+import com.yahoo.vespa.hosted.controller.athenz.AthenzUtils;
 import com.yahoo.vespa.hosted.controller.athenz.ZmsKeystore;
 import com.yahoo.vespa.hosted.controller.athenz.config.AthenzConfig;
+import com.yahoo.vespa.hosted.controller.restapi.application.Authorizer;
 import com.yahoo.yolean.chain.Provides;
+import java.security.Principal;
 import java.util.concurrent.Executor;
+import java.util.logging.Logger;
 import java.util.stream.Stream;
 import static com.yahoo.vespa.hosted.controller.athenz.filter.SecurityFilterUtils.sendUnauthorized;
@@ -24,6 +32,8 @@ import static com.yahoo.vespa.hosted.controller.athenz.filter.SecurityFilterUtil
 // TODO Remove this filter once migrated to Okta
 public class UserAuthWithAthenzPrincipalFilter extends AthenzPrincipalFilter {
+ private static final Logger log = Logger.getLogger(UserAuthWithAthenzPrincipalFilter.class.getName());
+
 private final String userAuthenticationPassThruAttribute;
 @Inject
@@ -36,20 +46,21 @@ public class UserAuthWithAthenzPrincipalFilter extends AthenzPrincipalFilter {
 public void filter(DiscFilterRequest request, ResponseHandler responseHandler) {
 if (request.getMethod().equals("OPTIONS")) return; // Skip authentication on OPTIONS - required for Javascript CORS
- switch (fromHttpRequest(request)) {
+ switch (getUserAuthenticationResult(request)) {
 case USER_COOKIE_MISSING:
 case USER_COOKIE_ALTERNATIVE_MISSING:
 super.filter(request, responseHandler); // Cookie-based authentication failed, delegate to Athenz
 break;
 case USER_COOKIE_OK:
+ rewriteUserPrincipalToAthenz(request);
 return; // Authenticated using user cookie
 case USER_COOKIE_INVALID:
- sendUnauthorized(responseHandler, "Your user cookie is invalid (either expired or tampered)");
+ sendUnauthorized(responseHandler, "Your user cookie is invalid (either expired, tampered or invalid ip)");
 break;
 }
 }
- private UserAuthenticationResult fromHttpRequest(DiscFilterRequest request) {
+ private UserAuthenticationResult getUserAuthenticationResult(DiscFilterRequest request) {
 if (!request.containsAttribute(userAuthenticationPassThruAttribute)) {
 throw new IllegalStateException("User authentication filter passthru attribute missing");
 }
@@ -60,6 +71,19 @@ public class UserAuthWithAthenzPrincipalFilter extends AthenzPrincipalFilter {
 .orElseThrow(() -> new IllegalStateException("Invalid status code: " + statusCode));
 }
+ /**
+ * NOTE: The Bouncer user roles ({@link DiscFilterRequest#roles} are still intact as they are required
+ * for {@link Authorizer#isMemberOfVespaBouncerGroup(HttpRequest)}.
+ */
+ private static void rewriteUserPrincipalToAthenz(DiscFilterRequest request) {
+ Principal userPrincipal = request.getUserPrincipal();
+ log.log(LogLevel.DEBUG, () -> "Original user principal: " + userPrincipal.toString());
+ UserId userId = new UserId(userPrincipal.getName());
+ AthenzPrincipal athenzPrincipal = AthenzUtils.createPrincipal(userId);
+ request.setUserPrincipal(athenzPrincipal);
+ request.setRemoteUser(athenzPrincipal.toYRN());
+ }
+
 private enum UserAuthenticationResult {
 USER_COOKIE_MISSING(0),
 USER_COOKIE_OK(1), |
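Review bot: rewriteUserPrincipalToAthenz dereferences `request.getUserPrincipal()` without a null check, both in the debug lambda (`userPrincipal.toString()`) and in `new UserId(userPrincipal.getName())`, so a USER_COOKIE_OK result that arrives without a principal attached fails with a NullPointerException from inside the filter rather than a deliberate error. Matching the file's existing style for broken preconditions, add `if (userPrincipal == null) throw new IllegalStateException("User cookie accepted but no user principal set on request");` before the log call. The Javadoc above the method also has an unbalanced parenthesis: `({@link DiscFilterRequest#roles}` should read `({@link DiscFilterRequest#roles})`. That Javadoc would be the place to state that, after the rewrite, downstream code sees an AthenzPrincipal for cookie-authenticated users too and can no longer tell the two authentication paths apart by principal type — whether any caller relies on that distinction cannot be determined from this hunk.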