authorBjørn Christian Seime <bjorncs@oath.com>2018-04-25 14:00:31 +0200
committerBjørn Christian Seime <bjorncs@oath.com>2018-04-25 14:00:31 +0200
commitd36ba126b204c21406195291acbc67c2acb7db60 (patch)
tree6232796a84b0a4afdfbe5864d80ce4dd5909269c /node-repository
parentb794c401644eeac293a53a14fff8d4bb6a40a0d1 (diff)
Modify AuthorizationFilter to assume AuthenticationFilter is part of filter chain
Diffstat (limited to 'node-repository')
-rw-r--r--node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilter.java15
-rw-r--r--node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilterTest.java6
-rw-r--r--node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/FilterTester.java4
3 files changed, 11 insertions, 14 deletions
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilter.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilter.java
index c5c9336155f..5fd85bac096 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilter.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilter.java
@@ -35,7 +35,6 @@ public class AuthorizationFilter implements SecurityRequestFilter {
private final BiPredicate<NodePrincipal, URI> authorizer;
private final BiConsumer<ErrorResponse, ResponseHandler> rejectAction;
- private final HostAuthenticator hostAuthenticator;
@Inject
public AuthorizationFilter(Zone zone, NodeRepository nodeRepository, NodeRepositoryConfig nodeRepositoryConfig) {
@@ -47,17 +46,14 @@ public class AuthorizationFilter implements SecurityRequestFilter {
Stream.of(HostName.getLocalhost()),
Stream.of(nodeRepositoryConfig.hostnameWhitelist().split(","))
).filter(hostname -> !hostname.isEmpty()).collect(Collectors.toSet())),
- AuthorizationFilter::logAndReject,
- new HostAuthenticator(zone, nodeRepository)
+ AuthorizationFilter::logAndReject
);
}
AuthorizationFilter(BiPredicate<NodePrincipal, URI> authorizer,
- BiConsumer<ErrorResponse, ResponseHandler> rejectAction,
- HostAuthenticator hostAuthenticator) {
+ BiConsumer<ErrorResponse, ResponseHandler> rejectAction) {
this.authorizer = authorizer;
this.rejectAction = rejectAction;
- this.hostAuthenticator = hostAuthenticator;
}
@Override
@@ -68,10 +64,9 @@ public class AuthorizationFilter implements SecurityRequestFilter {
private Optional<ErrorResponse> validateAccess(DiscFilterRequest request) {
try {
- List<X509Certificate> clientCertificateChain = request.getClientCertificateChain();
- if (clientCertificateChain.isEmpty())
- return Optional.of(ErrorResponse.unauthorized(createErrorMessage(request, "Missing credentials")));
- NodePrincipal hostIdentity = hostAuthenticator.authenticate(clientCertificateChain);
+ NodePrincipal hostIdentity = (NodePrincipal) request.getUserPrincipal();
+ if (hostIdentity == null)
+ return Optional.of(ErrorResponse.internalServerError(createErrorMessage(request, "Principal is missing. AuthenticationFilter has not been applied.")));
if (!authorizer.test(hostIdentity, request.getUri()))
return Optional.of(ErrorResponse.forbidden(createErrorMessage(request, "Invalid credentials")));
request.setUserPrincipal(hostIdentity);
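Review bot: The cast `(NodePrincipal) request.getUserPrincipal()` in validateAccess trusts that the upstream filter always sets a NodePrincipal; a principal of any other type raises ClassCastException rather than a controlled denial, and the catch clause of the enclosing try is outside this hunk, so how that case is handled cannot be confirmed here. Test the type before casting, e.g. `if (!(request.getUserPrincipal() instanceof NodePrincipal)) return Optional.of(ErrorResponse.internalServerError(createErrorMessage(request, "Principal is missing. AuthenticationFilter has not been applied.")));`, which also covers null. The remaining `request.setUserPrincipal(hostIdentity);` now writes back the value that was just read and can be removed. Since authorization now depends entirely on filter order, a class-level comment stating that AuthenticationFilter must precede this filter would help whoever edits the chain configuration.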
diff --git a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilterTest.java b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilterTest.java
index 536c6e4c700..99a72d89801 100644
--- a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilterTest.java
+++ b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilterTest.java
@@ -29,9 +29,9 @@ public class AuthorizationFilterTest {
@Test
public void filter() {
// These are just rudimentary tests of the filter. See AuthorizerTest for more exhaustive tests
- tester.assertRequest(new Request(Method.GET, "/"), 401,
- "{\"error-code\":\"UNAUTHORIZED\",\"message\":\"GET / denied for " +
- "remote-addr: Missing credentials\"}");
+ tester.assertRequest(new Request(Method.GET, "/"), 500,
+ "{\"error-code\":\"INTERNAL_SERVER_ERROR\",\"message\":\"GET / denied for " +
+ "remote-addr: Principal is missing. AuthenticationFilter has not been applied.\"}");
tester.assertRequest(new Request(Method.GET, "/").commonName("foo"), 403,
"{\"error-code\":\"FORBIDDEN\",\"message\":\"GET / " +
diff --git a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/FilterTester.java b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/FilterTester.java
index 3fdff46933c..6420a5237e8 100644
--- a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/FilterTester.java
+++ b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/FilterTester.java
@@ -66,7 +66,9 @@ public class FilterTester {
when(r.getLocalAddr()).thenReturn(request.localAddr());
if (request.commonName().isPresent()) {
X509Certificate cert = certificateFor(request.commonName().get(), keyPair());
- when(r.getClientCertificateChain()).thenReturn(Collections.singletonList(cert));
+ List<X509Certificate> certs = Collections.singletonList(cert);
+ when(r.getClientCertificateChain()).thenReturn(certs);
+ when(r.getUserPrincipal()).thenReturn(NodePrincipal.withLegacyIdentity(request.commonName().get(), certs));
}
return r;
}
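Review bot: The mock ties `getUserPrincipal()` to `commonName()`, so the tests cannot express a request that carries a client certificate but no principal, which is the case that shows a certificate alone no longer gets a request past AuthorizationFilter. Consider letting the test `Request` set the principal independently of the common name (its definition is outside this hunk), and add a rudimentary assertion for that combination. At minimum a comment on the new stub would help, e.g. `// Simulates AuthenticationFilter having run; AuthorizationFilter never inspects the certificate chain itself`. The mocking method starts above the hunk.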