authorBjørn Christian Seime <bjorncs@verizonmedia.com>2020-01-16 15:09:07 +0100
committerBjørn Christian Seime <bjorncs@verizonmedia.com>2020-01-24 13:00:44 +0100
commit861c507d4f3432f149807008675eeab217ba84b3 (patch)
tree252a720d2838933610347cea937e485f8cf265c5 /jdisc-security-filters/src/main/java/com
parentc1bc5a249a5807b80dd11d78dd3464fac6b7ae7f (diff)
Return the matched role in checkAccessAllowed methods
Rewrite AuthorizationResult to specify result type as an inner Type enum. Add matched role to AuthorizationResult. Propagate matched role to request object in AthenzAuthorizationFilter.
Diffstat (limited to 'jdisc-security-filters/src/main/java/com')
-rw-r--r--jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilter.java5
1 files changed, 3 insertions, 2 deletions
diff --git a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilter.java b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilter.java
index 74e0ee36959..9151aa1b693 100644
--- a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilter.java
+++ b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilter.java
@@ -121,11 +121,12 @@ public class AthenzAuthorizationFilter extends JsonSecurityRequestFilterBase {
ZpeCheck<C> accessCheck,
Function<C, AthenzPrincipal> principalFactory) {
AuthorizationResult authorizationResult = accessCheck.checkAccess(credentials, resAndAction.resourceName(), resAndAction.action());
- if (authorizationResult == AuthorizationResult.ALLOW) {
+ if (authorizationResult.type() == AuthorizationResult.Type.ALLOW) {
request.setUserPrincipal(principalFactory.apply(credentials));
+ authorizationResult.matchedRole().ifPresent(role -> request.setUserRoles(new String[] {role.roleName()}));
return Optional.empty();
}
- return Optional.of(new ErrorResponse(Response.Status.FORBIDDEN, "Access forbidden: " + authorizationResult.getDescription()));
+ return Optional.of(new ErrorResponse(Response.Status.FORBIDDEN, "Access forbidden: " + authorizationResult.type().getDescription()));
}
private static AthenzPrincipal createPrincipal(X509Certificate certificate) {
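Review bot: On the ALLOW path the added `matchedRole().ifPresent(...)` line writes the request's roles only when a role was matched, so an ALLOW result without a matched role leaves whatever roles the request already carried in place next to the freshly set principal. Whether an earlier filter can populate roles, or whether ALLOW can occur without a matched role, is not visible in this hunk, but assigning the value unconditionally removes the question: `request.setUserRoles(authorizationResult.matchedRole().map(role -> new String[] {role.roleName()}).orElseGet(() -> new String[0]));`. A short comment should also state that only the single matched role is propagated, not every role the credentials hold, so downstream handlers do not read the array as the caller's complete role set. The enclosing method starts above the hunk, so the rest of its contract is not checked here.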