author | Bjørn Christian Seime <bjorncs@yahooinc.com> | 2022-09-26 15:42:26 +0200 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@yahooinc.com> | 2022-09-26 15:42:26 +0200 |
commit | 81f767035fa85eb6fef48023be75c31021ea4637 (patch) | |
tree | a50718761217e0ad16e297a3082561a4c864bf73 /controller-server | |
parent | 84332a69d6e03d6566aad70a7a69dc7119263a86 (diff) |
Propagate expiration from Okta access token
Diffstat (limited to 'controller-server')
-rw-r--r-- | controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java | 17 |
1 files changed, 11 insertions, 6 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
index e06c2c3ccbd..a93741fd8fb 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
@@ -2,6 +2,8 @@ package com.yahoo.vespa.hosted.controller.restapi.filter;
 import com.auth0.jwt.JWT;
+import com.auth0.jwt.interfaces.DecodedJWT;
+import com.auth0.jwt.interfaces.Payload;
 import com.yahoo.component.annotation.Inject;
 import com.yahoo.config.provision.ApplicationName;
 import com.yahoo.config.provision.SystemName;
@@ -79,14 +81,17 @@ public class AthenzRoleFilter extends JsonSecurityRequestFilterBase {
 try {
 Principal principal = request.getUserPrincipal();
 if (principal instanceof AthenzPrincipal) {
- Instant issuedAt = request.getClientCertificateChain().stream().findFirst()
- .map(X509Certificate::getNotBefore)
- .or(() -> Optional.ofNullable((String) request.getAttribute("okta.access-token")).map(iat -> JWT.decode(iat).getIssuedAt()))
- .map(Date::toInstant)
- .orElse(Instant.EPOCH);
+ Optional<DecodedJWT> oktaAt = Optional.ofNullable((String) request.getAttribute("okta.access-token")).map(JWT::decode);
+ Optional<X509Certificate> cert = request.getClientCertificateChain().stream().findFirst();
+ Instant issuedAt = cert.map(X509Certificate::getNotBefore)
+ .or(() -> oktaAt.map(Payload::getIssuedAt))
+ .map(Date::toInstant).orElse(Instant.EPOCH);
+ Instant expireAt = cert.map(X509Certificate::getNotAfter)
+ .or(() -> oktaAt.map(Payload::getExpiresAt))
+ .map(Date::toInstant).orElse(Instant.MAX);
 request.setAttribute(SecurityContext.ATTRIBUTE_NAME, new SecurityContext(principal,
 roles((AthenzPrincipal) principal, request.getUri()),
- issuedAt));
+ issuedAt, expireAt));
 }
 }
 catch (Exception e) {
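Review bot: The new `expireAt` silently falls back to `Instant.MAX` not only when there is neither a client certificate nor an Okta token, but also when the token carries no `exp` claim, because `Payload::getExpiresAt` then returns null and `Optional.map` turns that into an empty Optional; a credential with no stated lifetime thus produces a SecurityContext that never expires. If that is the intended policy it deserves a comment on the `.orElse(Instant.MAX)` line, e.g. `// No expiry available (no cert, no token, or token without exp): treat as non-expiring; callers must not rely on this for revocation`, otherwise a conservative fallback derived from `issuedAt` would be safer. Note also that `JWT.decode` parses without verifying the signature, so the `exp` value is only as trustworthy as whatever filter validated the token before storing it in the `okta.access-token` attribute — presumably upstream, but worth confirming. The enclosing method's signature lies before the hunk and its catch body continues after it.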