authorBjørn Christian Seime <bjorn.christian@seime.no>2017-11-22 16:41:38 +0100
committerGitHub <noreply@github.com>2017-11-22 16:41:38 +0100
commit47a72fee625e178d82b494a1f172e9f4b0745fa4 (patch)
tree2d0bde3dee821c9f55847433008f23151a198d47 /controller-server
parenta322c3a6b7a17c89e6d277b09c646029229b6ad2 (diff)
parentb47f22c74798850abe3e78aebb4450c78998940a (diff)
Merge pull request #4240 from vespa-engine/bjorncs/rewrite-user-principal-to-athenz
Bjorncs/rewrite user principal to athenz
Diffstat (limited to 'controller-server')
-rw-r--r--controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/UserAuthWithAthenzPrincipalFilter.java30
1 files changed, 27 insertions, 3 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/UserAuthWithAthenzPrincipalFilter.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/UserAuthWithAthenzPrincipalFilter.java
index d125f279b63..62c54b10a00 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/UserAuthWithAthenzPrincipalFilter.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/UserAuthWithAthenzPrincipalFilter.java
@@ -2,13 +2,21 @@
package com.yahoo.vespa.hosted.controller.athenz.filter;
import com.google.inject.Inject;
+import com.yahoo.container.jdisc.HttpRequest;
import com.yahoo.jdisc.handler.ResponseHandler;
import com.yahoo.jdisc.http.filter.DiscFilterRequest;
+import com.yahoo.log.LogLevel;
+import com.yahoo.vespa.hosted.controller.api.identifiers.UserId;
+import com.yahoo.vespa.hosted.controller.athenz.AthenzPrincipal;
+import com.yahoo.vespa.hosted.controller.athenz.AthenzUtils;
import com.yahoo.vespa.hosted.controller.athenz.ZmsKeystore;
import com.yahoo.vespa.hosted.controller.athenz.config.AthenzConfig;
+import com.yahoo.vespa.hosted.controller.restapi.application.Authorizer;
import com.yahoo.yolean.chain.Provides;
+import java.security.Principal;
import java.util.concurrent.Executor;
+import java.util.logging.Logger;
import java.util.stream.Stream;
import static com.yahoo.vespa.hosted.controller.athenz.filter.SecurityFilterUtils.sendUnauthorized;
@@ -24,6 +32,8 @@ import static com.yahoo.vespa.hosted.controller.athenz.filter.SecurityFilterUtil
// TODO Remove this filter once migrated to Okta
public class UserAuthWithAthenzPrincipalFilter extends AthenzPrincipalFilter {
+ private static final Logger log = Logger.getLogger(UserAuthWithAthenzPrincipalFilter.class.getName());
+
private final String userAuthenticationPassThruAttribute;
@Inject
@@ -36,20 +46,21 @@ public class UserAuthWithAthenzPrincipalFilter extends AthenzPrincipalFilter {
public void filter(DiscFilterRequest request, ResponseHandler responseHandler) {
if (request.getMethod().equals("OPTIONS")) return; // Skip authentication on OPTIONS - required for Javascript CORS
- switch (fromHttpRequest(request)) {
+ switch (getUserAuthenticationResult(request)) {
case USER_COOKIE_MISSING:
case USER_COOKIE_ALTERNATIVE_MISSING:
super.filter(request, responseHandler); // Cookie-based authentication failed, delegate to Athenz
break;
case USER_COOKIE_OK:
+ rewriteUserPrincipalToAthenz(request);
return; // Authenticated using user cookie
case USER_COOKIE_INVALID:
- sendUnauthorized(responseHandler, "Your user cookie is invalid (either expired or tampered)");
+ sendUnauthorized(responseHandler, "Your user cookie is invalid (either expired, tampered or invalid ip)");
break;
}
}
- private UserAuthenticationResult fromHttpRequest(DiscFilterRequest request) {
+ private UserAuthenticationResult getUserAuthenticationResult(DiscFilterRequest request) {
if (!request.containsAttribute(userAuthenticationPassThruAttribute)) {
throw new IllegalStateException("User authentication filter passthru attribute missing");
}
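Review bot: The switch at `switch (getUserAuthenticationResult(request))` has no `default` branch, and since a plain return from `filter` lets the request proceed as authenticated (see the `return; // Authenticated using user cookie` case), any `UserAuthenticationResult` value not listed in the cases would pass through unauthenticated instead of being rejected. Today the enum is derived from a fixed set of status codes, so this is latent, but an authentication filter should fail closed: add `default: sendUnauthorized(responseHandler, "Unknown user authentication result"); break;` (or throw an `IllegalStateException`) so a newly added constant cannot silently widen access. Separately, the `USER_COOKIE_OK` branch now calls `rewriteUserPrincipalToAthenz(request)`, which in the following hunk dereferences `request.getUserPrincipal()` without a null check; if the upstream cookie filter can report OK without having set a principal, this surfaces as a NullPointerException rather than a clear rejection, so a `Objects.requireNonNull(request.getUserPrincipal(), "user principal")` or an explicit unauthorized response seems warranted unless that contract is guaranteed elsewhere. The body of `filter` is fully inside this hunk.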
@@ -60,6 +71,19 @@ public class UserAuthWithAthenzPrincipalFilter extends AthenzPrincipalFilter {
.orElseThrow(() -> new IllegalStateException("Invalid status code: " + statusCode));
}
+ /**
+ * NOTE: The Bouncer user roles ({@link DiscFilterRequest#roles} are still intact as they are required
+ * for {@link Authorizer#isMemberOfVespaBouncerGroup(HttpRequest)}.
+ */
+ private static void rewriteUserPrincipalToAthenz(DiscFilterRequest request) {
+ Principal userPrincipal = request.getUserPrincipal();
+ log.log(LogLevel.DEBUG, () -> "Original user principal: " + userPrincipal.toString());
+ UserId userId = new UserId(userPrincipal.getName());
+ AthenzPrincipal athenzPrincipal = AthenzUtils.createPrincipal(userId);
+ request.setUserPrincipal(athenzPrincipal);
+ request.setRemoteUser(athenzPrincipal.toYRN());
+ }
+
private enum UserAuthenticationResult {
USER_COOKIE_MISSING(0),
USER_COOKIE_OK(1),