authorBjørn Christian Seime <bjorncs@yahooinc.com>2022-09-26 15:42:26 +0200
committerBjørn Christian Seime <bjorncs@yahooinc.com>2022-09-26 15:42:26 +0200
commit81f767035fa85eb6fef48023be75c31021ea4637 (patch)
treea50718761217e0ad16e297a3082561a4c864bf73 /controller-server
parent84332a69d6e03d6566aad70a7a69dc7119263a86 (diff)
Propagate expiration from Okta access token
Diffstat (limited to 'controller-server')
-rw-r--r--controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java17
1 files changed, 11 insertions, 6 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
index e06c2c3ccbd..a93741fd8fb 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
@@ -2,6 +2,8 @@
package com.yahoo.vespa.hosted.controller.restapi.filter;
import com.auth0.jwt.JWT;
+import com.auth0.jwt.interfaces.DecodedJWT;
+import com.auth0.jwt.interfaces.Payload;
import com.yahoo.component.annotation.Inject;
import com.yahoo.config.provision.ApplicationName;
import com.yahoo.config.provision.SystemName;
@@ -79,14 +81,17 @@ public class AthenzRoleFilter extends JsonSecurityRequestFilterBase {
try {
Principal principal = request.getUserPrincipal();
if (principal instanceof AthenzPrincipal) {
- Instant issuedAt = request.getClientCertificateChain().stream().findFirst()
- .map(X509Certificate::getNotBefore)
- .or(() -> Optional.ofNullable((String) request.getAttribute("okta.access-token")).map(iat -> JWT.decode(iat).getIssuedAt()))
- .map(Date::toInstant)
- .orElse(Instant.EPOCH);
+ Optional<DecodedJWT> oktaAt = Optional.ofNullable((String) request.getAttribute("okta.access-token")).map(JWT::decode);
+ Optional<X509Certificate> cert = request.getClientCertificateChain().stream().findFirst();
+ Instant issuedAt = cert.map(X509Certificate::getNotBefore)
+ .or(() -> oktaAt.map(Payload::getIssuedAt))
+ .map(Date::toInstant).orElse(Instant.EPOCH);
+ Instant expireAt = cert.map(X509Certificate::getNotAfter)
+ .or(() -> oktaAt.map(Payload::getExpiresAt))
+ .map(Date::toInstant).orElse(Instant.MAX);
request.setAttribute(SecurityContext.ATTRIBUTE_NAME, new SecurityContext(principal,
roles((AthenzPrincipal) principal, request.getUri()),
- issuedAt));
+ issuedAt, expireAt));
}
}
catch (Exception e) {
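Review bot: The new `oktaAt` line decodes the `okta.access-token` attribute eagerly, before the client certificate is consulted, whereas the removed code only ran `JWT.decode` inside the `.or(...)` supplier when no certificate was present; a malformed token attribute on a certificate-authenticated request therefore now throws `JWTDecodeException` into the `catch (Exception e)` block instead of being ignored, and what that block does is outside the hunk. Restoring the old laziness is a two-line change: put the `cert` line first and write `Optional<DecodedJWT> oktaAt = cert.isPresent() ? Optional.empty() : Optional.ofNullable((String) request.getAttribute("okta.access-token")).map(JWT::decode);`. Separately, `Payload::getExpiresAt` returns null when the token carries no `exp` claim, so `expireAt` silently falls back to `Instant.MAX` for such tokens; if that is intended it deserves a comment, e.g. `// No exp claim (or no cert) => no expiry; downstream must not read Instant.MAX as "verified"`. As before, `JWT.decode` does not verify the signature, so the propagated expiry is only as trustworthy as whatever verified the token upstream — worth stating in the `SecurityContext` constructor's Javadoc if it is not already.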