author | Bjørn Christian Seime <bjorncs@oath.com> | 2017-11-22 13:37:57 +0100 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@oath.com> | 2017-11-22 14:04:41 +0100 |
commit | 79cbcb72758672421a5a05b857f655d55f54c80b (patch) | |
tree | 61b5104d74f0d0fe3c534b9db2a81f2c29e558ef /controller-server | |
parent | 9f9e7e5f9b2b9b28c3bba4bdc2f185db7dc071da (diff) |
Rewrite user principal as Athenz principal
Diffstat (limited to 'controller-server')
-rw-r--r-- | controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/UserAuthWithAthenzPrincipalFilter.java | 24 |
1 files changed, 24 insertions, 0 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/UserAuthWithAthenzPrincipalFilter.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/UserAuthWithAthenzPrincipalFilter.java
index d125f279b63..206c1adfbac 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/UserAuthWithAthenzPrincipalFilter.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/UserAuthWithAthenzPrincipalFilter.java
@@ -2,13 +2,21 @@ package com.yahoo.vespa.hosted.controller.athenz.filter;
 import com.google.inject.Inject;
+import com.yahoo.container.jdisc.HttpRequest;
 import com.yahoo.jdisc.handler.ResponseHandler;
 import com.yahoo.jdisc.http.filter.DiscFilterRequest;
+import com.yahoo.log.LogLevel;
+import com.yahoo.vespa.hosted.controller.api.identifiers.UserId;
+import com.yahoo.vespa.hosted.controller.athenz.AthenzPrincipal;
+import com.yahoo.vespa.hosted.controller.athenz.AthenzUtils;
 import com.yahoo.vespa.hosted.controller.athenz.ZmsKeystore;
 import com.yahoo.vespa.hosted.controller.athenz.config.AthenzConfig;
+import com.yahoo.vespa.hosted.controller.restapi.application.Authorizer;
 import com.yahoo.yolean.chain.Provides;
+import java.security.Principal;
 import java.util.concurrent.Executor;
+import java.util.logging.Logger;
 import java.util.stream.Stream;
 import static com.yahoo.vespa.hosted.controller.athenz.filter.SecurityFilterUtils.sendUnauthorized;
@@ -24,6 +32,8 @@ import static com.yahoo.vespa.hosted.controller.athenz.filter.SecurityFilterUtil
 // TODO Remove this filter once migrated to Okta
 public class UserAuthWithAthenzPrincipalFilter extends AthenzPrincipalFilter {
+    private static final Logger log = Logger.getLogger(UserAuthWithAthenzPrincipalFilter.class.getName());
+
     private final String userAuthenticationPassThruAttribute;
     @Inject
@@ -42,6 +52,7 @@ public class UserAuthWithAthenzPrincipalFilter extends AthenzPrincipalFilter {
                 super.filter(request, responseHandler); // Cookie-based authentication failed, delegate to Athenz
                 break;
             case USER_COOKIE_OK:
+                rewriteUserPrincipalToAthenz(request);
                 return; // Authenticated using user cookie
             case USER_COOKIE_INVALID:
                 sendUnauthorized(responseHandler, "Your user cookie is invalid (either expired or tampered)");
@@ -60,6 +71,19 @@ public class UserAuthWithAthenzPrincipalFilter extends AthenzPrincipalFilter {
                 .orElseThrow(() -> new IllegalStateException("Invalid status code: " + statusCode));
     }
+    /**
+     * NOTE: The Bouncer user roles ({@link DiscFilterRequest#roles} are still intact as they are required
+     * for {@link Authorizer#isMemberOfVespaBouncerGroup(HttpRequest)}.
+     */
+    private static void rewriteUserPrincipalToAthenz(DiscFilterRequest request) {
+        Principal userPrincipal = request.getUserPrincipal();
+        log.log(LogLevel.DEBUG, () -> "Original user principal: " + userPrincipal.toString());
+        UserId userId = new UserId(userPrincipal.getName());
+        AthenzPrincipal athenzPrincipal = AthenzUtils.createPrincipal(userId);
+        request.setUserPrincipal(athenzPrincipal);
+        request.setRemoteUser(athenzPrincipal.toYRN());
+    }
+
     private enum UserAuthenticationResult {
         USER_COOKIE_MISSING(0),
         USER_COOKIE_OK(1), |
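Review bot: In the second hunk, `rewriteUserPrincipalToAthenz` dereferences `request.getUserPrincipal()` in the log lambda and in `getName()` without checking for null; the `USER_COOKIE_OK` branch presumably guarantees a principal is set, but if that invariant is ever broken the filter fails with a NullPointerException from inside the filter chain instead of a clean rejection, so a guard such as `if (userPrincipal == null) throw new IllegalStateException("USER_COOKIE_OK but no user principal set on request");` placed before the log call would make the assumption explicit. The Javadoc should also say that the `AthenzPrincipal` produced here is derived only from the cookie-authenticated user name (via `AthenzUtils.createPrincipal(userId)`), not from any Athenz verification, so downstream code that receives an `AthenzPrincipal` cannot treat it as evidence of Athenz authentication once this rewrite is in place; a sentence like "The resulting principal is synthesised from the Bouncer cookie identity and carries no Athenz assurance" would capture that. The same Javadoc has an unclosed parenthesis: `({@link DiscFilterRequest#roles} are still intact` should read `({@link DiscFilterRequest#roles}) are still intact`. The enclosing class and the `switch` in the first hunk start and end outside these hunks.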