diff options
author | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2020-01-16 15:09:07 +0100 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2020-01-24 13:00:44 +0100 |
commit | 861c507d4f3432f149807008675eeab217ba84b3 (patch) | |
tree | 252a720d2838933610347cea937e485f8cf265c5 /jdisc-security-filters/src/main/java | |
parent | c1bc5a249a5807b80dd11d78dd3464fac6b7ae7f (diff) |
Return the matched role in checkAccessAllowed methods
Rewrite AuthorizationResult to specify result type as a inner Type enum.
Add matched role to AuthorizationResult.
Propagate matched role to request object in AthenzAuthorizationFilter.
Diffstat (limited to 'jdisc-security-filters/src/main/java')
-rw-r--r-- | jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilter.java | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilter.java b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilter.java index 74e0ee36959..9151aa1b693 100644 --- a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilter.java +++ b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilter.java @@ -121,11 +121,12 @@ public class AthenzAuthorizationFilter extends JsonSecurityRequestFilterBase { ZpeCheck<C> accessCheck, Function<C, AthenzPrincipal> principalFactory) { AuthorizationResult authorizationResult = accessCheck.checkAccess(credentials, resAndAction.resourceName(), resAndAction.action()); - if (authorizationResult == AuthorizationResult.ALLOW) { + if (authorizationResult.type() == AuthorizationResult.Type.ALLOW) { request.setUserPrincipal(principalFactory.apply(credentials)); + authorizationResult.matchedRole().ifPresent(role -> request.setUserRoles(new String[] {role.roleName()})); return Optional.empty(); } - return Optional.of(new ErrorResponse(Response.Status.FORBIDDEN, "Access forbidden: " + authorizationResult.getDescription())); + return Optional.of(new ErrorResponse(Response.Status.FORBIDDEN, "Access forbidden: " + authorizationResult.type().getDescription())); } private static AthenzPrincipal createPrincipal(X509Certificate certificate) { |