Add passthrough mode to AthenzPrincipalFilter

- No http response when passthrough mode is enable - Introduce attributes for error code and message - Introduce attribute for AthenzPrincipal instance
author: Bjørn Christian Seime <bjorncs@oath.com> 2018-10-04 15:41:15 +0200
committer: Bjørn Christian Seime <bjorncs@oath.com> 2018-10-04 15:41:15 +0200
commit: db93461fbcb56af55d08a81d9b93db07846646a0 (patch)
tree: 3d00b6c7cf7c94ba445a76fdc03d315910c11ead /jdisc-security-filters/src/test/java
parent: 963d16440f7534e39cbe36be695c272a95b7e3fb (diff)
1 files changed, 38 insertions, 12 deletions
diff --git a/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzPrincipalFilterTest.java b/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzPrincipalFilterTest.java
index fdab450b435..3bbc606cf2b 100644
--- a/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzPrincipalFilterTest.java
+++ b/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzPrincipalFilterTest.java
@@ -14,6 +14,7 @@ import com.yahoo.security.KeyAlgorithm;
 import com.yahoo.security.KeyUtils;
 import com.yahoo.security.X509CertificateBuilder;
 import com.yahoo.vespa.athenz.utils.ntoken.NTokenValidator;
+import org.jetbrains.annotations.NotNull;
 import org.junit.Before;
 import org.junit.Test;
 
@@ -40,6 +41,7 @@ import static java.util.stream.Collectors.joining;
 import static org.hamcrest.CoreMatchers.containsString;
 import static org.hamcrest.CoreMatchers.equalTo;
 import static org.hamcrest.CoreMatchers.notNullValue;
+import static org.hamcrest.CoreMatchers.nullValue;
 import static org.junit.Assert.assertThat;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.verify;
@@ -72,10 +74,10 @@ public class AthenzPrincipalFilterTest {
         when(request.getClientCertificateChain()).thenReturn(emptyList());
         when(validator.validate(NTOKEN)).thenReturn(principal);
 
-        AthenzPrincipalFilter filter = new AthenzPrincipalFilter(validator, ATHENZ_PRINCIPAL_HEADER, CORS_ALLOWED_URLS);
+        AthenzPrincipalFilter filter = createFilter(false);
         filter.filter(request, new ResponseHandlerMock());
 
-        verify(request).setUserPrincipal(principal);
+        assertAuthenticated(request, principal);
     }
 
     private DiscFilterRequest createRequestMock() {
@@ -92,10 +94,10 @@ public class AthenzPrincipalFilterTest {
 
         ResponseHandlerMock responseHandler = new ResponseHandlerMock();
 
-        AthenzPrincipalFilter filter = new AthenzPrincipalFilter(validator, ATHENZ_PRINCIPAL_HEADER, CORS_ALLOWED_URLS);
+        AthenzPrincipalFilter filter = createFilter(false);
         filter.filter(request, responseHandler);
 
-        assertUnauthorized(responseHandler, "Unable to authenticate Athenz identity");
+        assertUnauthorized(request, responseHandler, "Unable to authenticate Athenz identity");
     }
 
     @Test
@@ -108,10 +110,10 @@ public class AthenzPrincipalFilterTest {
 
         ResponseHandlerMock responseHandler = new ResponseHandlerMock();
 
-        AthenzPrincipalFilter filter = new AthenzPrincipalFilter(validator, ATHENZ_PRINCIPAL_HEADER, CORS_ALLOWED_URLS);
+        AthenzPrincipalFilter filter = createFilter(false);
         filter.filter(request, responseHandler);
 
-        assertUnauthorized(responseHandler, errorMessage);
+        assertUnauthorized(request, responseHandler, errorMessage);
     }
 
     @Test
@@ -122,11 +124,16 @@ public class AthenzPrincipalFilterTest {
 
         ResponseHandlerMock responseHandler = new ResponseHandlerMock();
 
-        AthenzPrincipalFilter filter = new AthenzPrincipalFilter(validator, ATHENZ_PRINCIPAL_HEADER, CORS_ALLOWED_URLS);
+        AthenzPrincipalFilter filter = createFilter(false);
         filter.filter(request, responseHandler);
 
         AthenzPrincipal expectedPrincipal = new AthenzPrincipal(IDENTITY);
+        assertAuthenticated(request, expectedPrincipal);
+    }
+
+    private void assertAuthenticated(DiscFilterRequest request, AthenzPrincipal expectedPrincipal) {
         verify(request).setUserPrincipal(expectedPrincipal);
+        verify(request).setAttribute(AthenzPrincipalFilter.RESULT_PRINCIPAL, expectedPrincipal);
     }
 
     @Test
@@ -139,10 +146,10 @@ public class AthenzPrincipalFilterTest {
 
         ResponseHandlerMock responseHandler = new ResponseHandlerMock();
 
-        AthenzPrincipalFilter filter = new AthenzPrincipalFilter(validator, ATHENZ_PRINCIPAL_HEADER, CORS_ALLOWED_URLS);
+        AthenzPrincipalFilter filter = createFilter(false);
         filter.filter(request, responseHandler);
 
-        verify(request).setUserPrincipal(principalWithToken);
+        assertAuthenticated(request, principalWithToken);
     }
 
     @Test
@@ -156,16 +163,35 @@ public class AthenzPrincipalFilterTest {
 
         ResponseHandlerMock responseHandler = new ResponseHandlerMock();
 
-        AthenzPrincipalFilter filter = new AthenzPrincipalFilter(validator, ATHENZ_PRINCIPAL_HEADER, CORS_ALLOWED_URLS);
+        AthenzPrincipalFilter filter = createFilter(false);
         filter.filter(request, responseHandler);
 
-        assertUnauthorized(responseHandler, "Identity in principal token does not match x509 CN");
+        assertUnauthorized(request, responseHandler, "Identity in principal token does not match x509 CN");
+    }
+
+    @Test
+    public void no_response_produced_when_passthrough_mode_is_enabled() {
+        DiscFilterRequest request = createRequestMock();
+        when(request.getHeader(ATHENZ_PRINCIPAL_HEADER)).thenReturn(null);
+        when(request.getClientCertificateChain()).thenReturn(emptyList());
+
+        ResponseHandlerMock responseHandler = new ResponseHandlerMock();
+
+        AthenzPrincipalFilter filter = createFilter(true);
+        filter.filter(request, responseHandler);
+
+        assertThat(responseHandler.response, nullValue());
+    }
+
+    private AthenzPrincipalFilter createFilter(boolean passthroughModeEnabled) {
+        return new AthenzPrincipalFilter(validator, ATHENZ_PRINCIPAL_HEADER, CORS_ALLOWED_URLS, passthroughModeEnabled);
     }
 
-    private static void assertUnauthorized(ResponseHandlerMock responseHandler, String expectedMessageSubstring) {
+    private static void assertUnauthorized(DiscFilterRequest request, ResponseHandlerMock responseHandler, String expectedMessageSubstring) {
         assertThat(responseHandler.response, notNullValue());
         assertThat(responseHandler.response.getStatus(), equalTo(UNAUTHORIZED));
         assertThat(responseHandler.getResponseContent(), containsString(expectedMessageSubstring));
+        verify(request).setAttribute(AthenzPrincipalFilter.RESULT_ERROR_CODE_ATTRIBUTE, UNAUTHORIZED);
     }
 
     private static class ResponseHandlerMock implements ResponseHandler {
author	Bjørn Christian Seime <bjorncs@oath.com>	2018-10-04 15:41:15 +0200
committer	Bjørn Christian Seime <bjorncs@oath.com>	2018-10-04 15:41:15 +0200
commit	db93461fbcb56af55d08a81d9b93db07846646a0 (patch)
tree	3d00b6c7cf7c94ba445a76fdc03d315910c11ead /jdisc-security-filters/src/test/java
parent	963d16440f7534e39cbe36be695c272a95b7e3fb (diff)