author | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2021-02-11 15:46:05 +0100 |
committer | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2021-02-11 15:46:18 +0100 |
commit | 06ea9cecdddcf44c13cf42d53b3df415c2146361 (patch) | |
tree | 29856d7589d2decdcd571b2f7731e8e656c2aa52 /jdisc-security-filters/src/main/java/com/yahoo | |
parent | a782d867784893696b3f505f547b9ccc1a5fcf2b (diff) |
Athenz jdisc filter: support proxied access token from trusted peer
Diffstat (limited to 'jdisc-security-filters/src/main/java/com/yahoo')
-rw-r--r-- | jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilter.java | 24 |
1 files changed, 21 insertions, 3 deletions
diff --git a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilter.java b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilter.java
index 18cd6cf02c1..50369b5ede3 100644
--- a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilter.java
+++ b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilter.java
@@ -6,7 +6,6 @@ import com.yahoo.jdisc.Metric;
 import com.yahoo.jdisc.http.filter.DiscFilterRequest;
 import com.yahoo.jdisc.http.filter.security.athenz.RequestResourceMapper.ResourceNameAndAction;
 import com.yahoo.jdisc.http.filter.security.base.JsonSecurityRequestFilterBase;
-import java.util.logging.Level;
 import com.yahoo.vespa.athenz.api.AthenzAccessToken;
 import com.yahoo.vespa.athenz.api.AthenzIdentity;
 import com.yahoo.vespa.athenz.api.AthenzPrincipal;
@@ -22,6 +21,8 @@ import java.util.EnumSet;
 import java.util.List;
 import java.util.Map;
 import java.util.Optional;
+import java.util.Set;
+import java.util.logging.Level;
 import java.util.logging.Logger;
 import java.util.stream.Collectors;
@@ -54,6 +55,7 @@ public class AthenzAuthorizationFilter extends JsonSecurityRequestFilterBase {
 private final Zpe zpe;
 private final RequestResourceMapper requestResourceMapper;
 private final Metric metric;
+ private final Set<AthenzIdentity> allowedProxyIdentities;
 
 @Inject
 public AthenzAuthorizationFilter(AthenzAuthorizationFilterConfig config, RequestResourceMapper resourceMapper, Metric metric) {
@@ -72,6 +74,9 @@ public class AthenzAuthorizationFilter extends JsonSecurityRequestFilterBase {
 this.requestResourceMapper = resourceMapper;
 this.zpe = zpe;
 this.metric = metric;
+ this.allowedProxyIdentities = config.allowedProxyIdentities().stream()
+ .map(AthenzIdentities::from)
+ .collect(Collectors.toSet());
 }
 
 @Override
@@ -123,8 +128,21 @@ public class AthenzAuthorizationFilter extends JsonSecurityRequestFilterBase {
 private Result checkAccessWithAccessToken(DiscFilterRequest request, ResourceNameAndAction resourceAndAction) {
 AthenzAccessToken accessToken = getAccessToken(request);
 X509Certificate identityCertificate = getClientCertificate(request);
- var zpeResult = zpe.checkAccessAllowed(
- accessToken, identityCertificate, resourceAndAction.resourceName(), resourceAndAction.action());
+ AthenzIdentity peerIdentity = AthenzIdentities.from(identityCertificate);
+ if (allowedProxyIdentities.contains(peerIdentity)) {
+ return checkAccessWithProxiedAccessToken(resourceAndAction, accessToken, identityCertificate);
+ } else {
+ var zpeResult = zpe.checkAccessAllowed(
+ accessToken, identityCertificate, resourceAndAction.resourceName(), resourceAndAction.action());
+ return new Result(ACCESS_TOKEN, peerIdentity, zpeResult);
+ }
+ }
+
+ private Result checkAccessWithProxiedAccessToken(ResourceNameAndAction resourceAndAction, AthenzAccessToken accessToken, X509Certificate identityCertificate) {
+ AthenzIdentity proxyIdentity = AthenzIdentities.from(identityCertificate);
+ log.log(Level.FINE,
+ () -> String.format("Checking proxied access token. Proxy identity: '%s'. Allowed identities: %s", proxyIdentity, allowedProxyIdentities));
+ var zpeResult = zpe.checkAccessAllowed(accessToken, resourceAndAction.resourceName(), resourceAndAction.action());
 return new Result(ACCESS_TOKEN, AthenzIdentities.from(identityCertificate), zpeResult);
 }
 
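Review bot: The proxied branch calls `zpe.checkAccessAllowed` without the client certificate, so for every peer in allowedProxyIdentities the token is no longer checked against the presenting certificate and the returned Result names the proxy rather than the token's principal; that appears to be the intended trust model, but it is the whole security boundary of this change and should be stated on checkAccessWithProxiedAccessToken, e.g. a comment saying that a peer in allowedProxyIdentities is trusted to forward tokens it has itself validated, that certificate binding is deliberately skipped here, and that audit attribution in the Result is the proxy identity. A point of style: the helper re-parses `AthenzIdentities.from(identityCertificate)` twice although checkAccessWithAccessToken already holds `peerIdentity`; passing the identity instead of the certificate and ending with `return new Result(ACCESS_TOKEN, proxyIdentity, zpeResult);` removes the duplicate parse. It is also worth confirming how `getClientCertificate` behaves without a peer certificate, since `AthenzIdentities.from` now runs before the ZPE call in both branches. Both methods are complete within the hunk; the enclosing class continues outside it.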