authorBjørn Christian Seime <bjorncs@verizonmedia.com>2020-01-16 15:09:07 +0100
committerBjørn Christian Seime <bjorncs@verizonmedia.com>2020-01-24 14:44:09 +0100
commit2d8e7e65a9ea6e80cee667ec7bcff3d488df8a2c (patch)
treec49c7b29331e78f48bc96e7ac344f667dec0c73c /jdisc-security-filters
parent08c7d357ee6a826afbf9f044473aaa3d59406f84 (diff)
Return the matched role in checkAccessAllowed methods
Rewrite AuthorizationResult to specify the result type as an inner Type enum. Add the matched role to AuthorizationResult. Propagate the matched role to the request object in AthenzAuthorizationFilter.
Diffstat (limited to 'jdisc-security-filters')
-rw-r--r--jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilter.java5
-rw-r--r--jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilterTest.java12
2 files changed, 10 insertions, 7 deletions
diff --git a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilter.java b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilter.java
index 74e0ee36959..9151aa1b693 100644
--- a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilter.java
+++ b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilter.java
@@ -121,11 +121,12 @@ public class AthenzAuthorizationFilter extends JsonSecurityRequestFilterBase {
ZpeCheck<C> accessCheck,
Function<C, AthenzPrincipal> principalFactory) {
AuthorizationResult authorizationResult = accessCheck.checkAccess(credentials, resAndAction.resourceName(), resAndAction.action());
- if (authorizationResult == AuthorizationResult.ALLOW) {
+ if (authorizationResult.type() == AuthorizationResult.Type.ALLOW) {
request.setUserPrincipal(principalFactory.apply(credentials));
+ authorizationResult.matchedRole().ifPresent(role -> request.setUserRoles(new String[] {role.roleName()}));
return Optional.empty();
}
- return Optional.of(new ErrorResponse(Response.Status.FORBIDDEN, "Access forbidden: " + authorizationResult.getDescription()));
+ return Optional.of(new ErrorResponse(Response.Status.FORBIDDEN, "Access forbidden: " + authorizationResult.type().getDescription()));
}
private static AthenzPrincipal createPrincipal(X509Certificate certificate) {
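Review bot: The role written to the request at `authorizationResult.matchedRole().ifPresent(role -> request.setUserRoles(new String[] {role.roleName()}));` carries only the bare role name, while the test doubles in this same commit construct `AthenzRole` with a domain, so anything reading the request's roles later cannot tell apart same-named roles from different Athenz domains. If downstream checks key on these roles, consider propagating the domain-qualified form, or document that the bare name is the intended contract. When `matchedRole()` is empty, `setUserRoles` is not called, so an ALLOW result without a matched role presumably leaves whatever roles the request already carried; a one-line comment such as `// ALLOW without a matched role leaves the request's roles untouched` would make that intentional, or clear them explicitly. The enclosing method's signature starts above the hunk.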
diff --git a/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilterTest.java b/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilterTest.java
index b81b26d458b..197ba89f3e3 100644
--- a/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilterTest.java
+++ b/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilterTest.java
@@ -5,6 +5,7 @@ import com.yahoo.container.jdisc.RequestHandlerTestDriver;
import com.yahoo.jdisc.Response;
import com.yahoo.jdisc.http.filter.DiscFilterRequest;
import com.yahoo.vespa.athenz.api.AthenzResourceName;
+import com.yahoo.vespa.athenz.api.AthenzRole;
import com.yahoo.vespa.athenz.api.ZToken;
import com.yahoo.vespa.athenz.zpe.AuthorizationResult;
import com.yahoo.vespa.athenz.zpe.Zpe;
@@ -14,6 +15,7 @@ import org.mockito.Mockito;
import java.security.cert.X509Certificate;
import static com.yahoo.jdisc.http.filter.security.athenz.AthenzAuthorizationFilterConfig.CredentialsToVerify.Enum.ANY;
+import static com.yahoo.vespa.athenz.zpe.AuthorizationResult.*;
import static java.util.Collections.emptyList;
import static org.hamcrest.CoreMatchers.containsString;
import static org.junit.Assert.assertEquals;
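Review bot: `import static com.yahoo.vespa.athenz.zpe.AuthorizationResult.*;` is a wildcard static import that brings every static member of `AuthorizationResult` into the test's namespace, while the following hunks only use `Type`. The narrower `import com.yahoo.vespa.athenz.zpe.AuthorizationResult.Type;` states what is actually needed and avoids name clashes with the other static imports already in this block.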
@@ -64,7 +66,7 @@ public class AthenzAuthorizationFilterTest {
assertNotNull(response);
assertEquals(403, response.getStatus());
String content = responseHandler.readAll();
- assertThat(content, containsString(AuthorizationResult.DENY.getDescription()));
+ assertThat(content, containsString(Type.DENY.getDescription()));
}
private static DiscFilterRequest createRequest() {
@@ -80,24 +82,24 @@ public class AthenzAuthorizationFilterTest {
static class AllowingZpe implements Zpe {
@Override
public AuthorizationResult checkAccessAllowed(ZToken roleToken, AthenzResourceName resourceName, String action) {
- return AuthorizationResult.ALLOW;
+ return new AuthorizationResult(Type.ALLOW, new AthenzRole(resourceName.getDomain(), "rolename"));
}
@Override
public AuthorizationResult checkAccessAllowed(X509Certificate roleCertificate, AthenzResourceName resourceName, String action) {
- return AuthorizationResult.ALLOW;
+ return new AuthorizationResult(Type.ALLOW, new AthenzRole(resourceName.getDomain(), "rolename"));
}
}
static class DenyingZpe implements Zpe {
@Override
public AuthorizationResult checkAccessAllowed(ZToken roleToken, AthenzResourceName resourceName, String action) {
- return AuthorizationResult.DENY;
+ return new AuthorizationResult(Type.DENY);
}
@Override
public AuthorizationResult checkAccessAllowed(X509Certificate roleCertificate, AthenzResourceName resourceName, String action) {
- return AuthorizationResult.DENY;
+ return new AuthorizationResult(Type.DENY);
}
}
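Review bot: The expression `new AuthorizationResult(Type.ALLOW, new AthenzRole(resourceName.getDomain(), "rolename"))` and its `"rolename"` literal are duplicated across both `AllowingZpe` overrides; a `private static final String ROLE_NAME = "rolename";` (or a small helper returning the allow result) would keep the two in step and give the allowed-path test a value to assert against. From this hunk alone it is not visible whether the test checks that an allowed request ends up carrying that role in its user roles; if it does not, that is the behaviour this commit adds and the most useful assertion to introduce. The enclosing test class continues outside the hunk.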