authorBjørn Christian Seime <bjorncs@oath.com>2018-06-20 13:09:55 +0200
committerBjørn Christian Seime <bjorncs@oath.com>2018-06-20 13:15:11 +0200
commitb38471d94959eb172e82ee102404bc669a14d96b (patch)
treed1a9e399c6c4f4bb1ee76a1b80454125cfbbd0fe /jdisc-security-filters/src/main/resources
parentbf74c1a064739c123921a2e85e9427bae7019290 (diff)
Add new Athenz security filter based on ZPE
- Allow flexible configuration of filter using a resource mapper - Add helper class to extract role and identity from role certificates
Diffstat (limited to 'jdisc-security-filters/src/main/resources')
-rw-r--r--jdisc-security-filters/src/main/resources/configdefinitions/athenz-authorization-filter.def8
-rw-r--r--jdisc-security-filters/src/main/resources/configdefinitions/static-request-resource-mapper.def8
2 files changed, 16 insertions, 0 deletions
diff --git a/jdisc-security-filters/src/main/resources/configdefinitions/athenz-authorization-filter.def b/jdisc-security-filters/src/main/resources/configdefinitions/athenz-authorization-filter.def
new file mode 100644
index 00000000000..c60b7a125f8
--- /dev/null
+++ b/jdisc-security-filters/src/main/resources/configdefinitions/athenz-authorization-filter.def
@@ -0,0 +1,8 @@
+# Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+namespace=jdisc.http.filter.security.athenz
+
+# Which credentials to verify. Note: ANY will prioritize token over certificate if both are present.
+credentialsToVerify enum { CERTIFICATE_ONLY, TOKEN_ONLY, ANY } default=ANY
+
+# Name of header which includes role token. Must be set if 'credentialsTypeRequired' is set to TOKEN_ONLY or ANY.
+roleTokenHeaderName string default=""
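Review bot: The comment above `roleTokenHeaderName` names a setting 'credentialsTypeRequired' that does not exist; the enum declared just above is `credentialsToVerify`, so the comment should read `# Name of header which includes role token. Must be set if 'credentialsToVerify' is set to TOKEN_ONLY or ANY.`. The two defaults taken together (`ANY` and `""`) do not meet that stated requirement. The filter code that reads this config is not visible in this hunk, but it should reject an empty header name at construction time for TOKEN_ONLY and ANY rather than discover it per request. The ANY comment should also state what happens when a token is present but fails validation: whether the request is denied or the certificate is then tried.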
diff --git a/jdisc-security-filters/src/main/resources/configdefinitions/static-request-resource-mapper.def b/jdisc-security-filters/src/main/resources/configdefinitions/static-request-resource-mapper.def
new file mode 100644
index 00000000000..de89c1f9198
--- /dev/null
+++ b/jdisc-security-filters/src/main/resources/configdefinitions/static-request-resource-mapper.def
@@ -0,0 +1,8 @@
+# Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+namespace=jdisc.http.filter.security.athenz
+
+# Athenz resource name on format '<domain-name>:<entity-name>'
+resourceName string
+
+# Action name
+action string
\ No newline at end of file
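Review bot: The comment `# Action name` only restates the field name and gives an operator nothing to go on when choosing a value. Judging by the file name, this mapper presumably applies one fixed resource/action pair to every request the filter sees, and if so the comments should say that, e.g. `# Athenz action checked against the policy for the resource above; applied to all requests`. Neither field has a default, and the `'<domain-name>:<entity-name>'` format of `resourceName` cannot be expressed in the definition itself, so the mapper code (not visible here) should validate it at construction. The file also ends without a trailing newline.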