Ignore access token header if client has Athenz role certificate

author: Bjørn Christian Seime <bjorncs@verizonmedia.com> 2021-03-02 13:55:50 +0100
committer: Bjørn Christian Seime <bjorncs@verizonmedia.com> 2021-03-02 14:07:27 +0100
commit: 6b1cc96cb17d327509543f1589c0d824d0699d1b (patch)
tree: 0fb3bfc5811493882780af6c522a8420e4b82085 /jdisc-security-filters
parent: bfd326596ca51f9a0725cd8595ab67dcead3aeb7 (diff)
1 files changed, 36 insertions, 8 deletions
diff --git a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilter.java b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilter.java
index 50369b5ede3..56dd3bcbf5b 100644
--- a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilter.java
+++ b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilter.java
@@ -111,10 +111,10 @@ public class AthenzAuthorizationFilter extends JsonSecurityRequestFilterBase {
         // Note: the ordering of the if-constructs determines the precedence of the credential types
         if (enabledCredentials.contains(ACCESS_TOKEN)
                 && isAccessTokenPresent(request)
-                && isClientCertificatePresent(request)) {
+                && isIdentityCertificatePresent(request)) {
             return checkAccessWithAccessToken(request, resourceAndAction);
         } else if (enabledCredentials.contains(ROLE_CERTIFICATE)
-                && isClientCertificatePresent(request)) {
+                && isRoleCertificatePresent(request)) {
             return checkAccessWithRoleCertificate(request, resourceAndAction);
         } else if (enabledCredentials.contains(ROLE_TOKEN)
                 && isRoleTokenPresent(request)) {
@@ -127,7 +127,7 @@ public class AthenzAuthorizationFilter extends JsonSecurityRequestFilterBase {
 
     private Result checkAccessWithAccessToken(DiscFilterRequest request, ResourceNameAndAction resourceAndAction) {
         AthenzAccessToken accessToken = getAccessToken(request);
-        X509Certificate identityCertificate = getClientCertificate(request);
+        X509Certificate identityCertificate = getClientCertificate(request).get();
         AthenzIdentity peerIdentity = AthenzIdentities.from(identityCertificate);
         if (allowedProxyIdentities.contains(peerIdentity)) {
             return checkAccessWithProxiedAccessToken(resourceAndAction, accessToken, identityCertificate);
@@ -147,7 +147,7 @@ public class AthenzAuthorizationFilter extends JsonSecurityRequestFilterBase {
     }
 
     private Result checkAccessWithRoleCertificate(DiscFilterRequest request, ResourceNameAndAction resourceAndAction) {
-        X509Certificate roleCertificate = getClientCertificate(request);
+        X509Certificate roleCertificate = getClientCertificate(request).get();
         var zpeResult = zpe.checkAccessAllowed(roleCertificate, resourceAndAction.resourceName(), resourceAndAction.action());
         AthenzIdentity identity = AthenzX509CertificateUtils.getIdentityFromRoleCertificate(roleCertificate);
         return new Result(ROLE_CERTIFICATE, identity, zpeResult);
@@ -163,8 +163,34 @@ public class AthenzAuthorizationFilter extends JsonSecurityRequestFilterBase {
         return request.getHeader(AthenzAccessToken.HTTP_HEADER_NAME) != null;
     }
 
-    private static boolean isClientCertificatePresent(DiscFilterRequest request) {
-        return !request.getClientCertificateChain().isEmpty();
+    // Check that client certificate looks like a role certificate
+    private static boolean isRoleCertificatePresent(DiscFilterRequest request) {
+        return getClientCertificate(request)
+                .filter(cert -> {
+                    try {
+                        AthenzX509CertificateUtils.getRolesFromRoleCertificate(cert);
+                        return true;
+                    } catch (Exception e) {
+                        log.log(Level.FINE, e, () -> "Not a role certificate: " + e.getMessage());
+                        return false;
+                    }
+                })
+                .isPresent();
+    }
+
+    // Check that client certificate looks like an identity certificate
+    private static boolean isIdentityCertificatePresent(DiscFilterRequest request) {
+        return getClientCertificate(request)
+                .filter(cert -> {
+                    try {
+                        AthenzIdentities.from(cert);
+                        return true;
+                    } catch (Exception e) {
+                        log.log(Level.FINE, e, () -> "Not an identity certificate: " + e.getMessage());
+                        return false;
+                    }
+                })
+                .isPresent();
     }
 
     private boolean isRoleTokenPresent(DiscFilterRequest request) {
@@ -175,8 +201,10 @@ public class AthenzAuthorizationFilter extends JsonSecurityRequestFilterBase {
         return new AthenzAccessToken(request.getHeader(AthenzAccessToken.HTTP_HEADER_NAME));
     }
 
-    private static X509Certificate getClientCertificate(DiscFilterRequest request) {
-        return request.getClientCertificateChain().get(0);
+    private static Optional<X509Certificate> getClientCertificate(DiscFilterRequest request) {
+        List<X509Certificate> certificates = request.getClientCertificateChain();
+        if (certificates.isEmpty()) return Optional.empty();
+        return Optional.of(certificates.get(0));
     }
 
     private ZToken getRoleToken(DiscFilterRequest request) {
author	Bjørn Christian Seime <bjorncs@verizonmedia.com>	2021-03-02 13:55:50 +0100
committer	Bjørn Christian Seime <bjorncs@verizonmedia.com>	2021-03-02 14:07:27 +0100
commit	6b1cc96cb17d327509543f1589c0d824d0699d1b (patch)
tree	0fb3bfc5811493882780af6c522a8420e4b82085 /jdisc-security-filters
parent	bfd326596ca51f9a0725cd8595ab67dcead3aeb7 (diff)