authorBjørn Christian Seime <bjorncs@verizonmedia.com>2021-02-11 15:46:05 +0100
committerBjørn Christian Seime <bjorncs@verizonmedia.com>2021-02-11 15:46:18 +0100
commit06ea9cecdddcf44c13cf42d53b3df415c2146361 (patch)
tree29856d7589d2decdcd571b2f7731e8e656c2aa52 /vespa-athenz
parenta782d867784893696b3f505f547b9ccc1a5fcf2b (diff)
Athenz jdisc filter: support proxied access token from trusted peer
Diffstat (limited to 'vespa-athenz')
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/AthenzAccessToken.java2
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/DefaultZpe.java15
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/Zpe.java1
3 files changed, 15 insertions, 3 deletions
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/AthenzAccessToken.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/AthenzAccessToken.java
index 16b923382b3..c085be7c205 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/AthenzAccessToken.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/AthenzAccessToken.java
@@ -3,6 +3,7 @@ package com.yahoo.vespa.athenz.api;
import com.auth0.jwt.JWT;
import com.auth0.jwt.interfaces.DecodedJWT;
+import com.yahoo.vespa.athenz.utils.AthenzIdentities;
import java.time.Instant;
import java.util.Objects;
@@ -41,6 +42,7 @@ public class AthenzAccessToken {
public Instant getExpiryTime () {
return jwt().getExpiresAt().toInstant();
}
+ public AthenzIdentity getAthenzIdentity() { return AthenzIdentities.from(jwt().getClaim("client_id").asString()); }
private DecodedJWT jwt() {
if (jwt == null) {
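Review bot: `getAthenzIdentity()` on the added line hands `AthenzIdentities.from` whatever the `client_id` claim holds, and `getClaim("client_id").asString()` typically yields null when the claim is absent, so a token without it fails inside `AthenzIdentities.from` instead of with a message naming the claim; `Objects.requireNonNull(jwt().getClaim("client_id").asString(), "client_id claim missing")` would make that explicit, and `java.util.Objects` is already imported. The identity is read straight from the decoded token; `jwt()` continues outside the hunk, and the `com.auth0.jwt.JWT` import suggests decode-only parsing, so the returned identity should not be treated as authenticated until the token has been validated (e.g. through ZPE). A Javadoc line on the method would carry that contract, such as `/** Identity from the {@code client_id} claim; the claim is not verified here, validate the token first. */`. The one-line body also differs from the block-bodied neighbours; matching the surrounding style keeps the class consistent.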
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/DefaultZpe.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/DefaultZpe.java
index c010649ed24..4c5dc6c96b4 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/DefaultZpe.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/DefaultZpe.java
@@ -45,12 +45,21 @@ public class DefaultZpe implements Zpe {
public AuthorizationResult checkAccessAllowed(
AthenzAccessToken accessToken, X509Certificate identityCertificate, AthenzResourceName resourceName, String action) {
StringBuilder returnedMatchedRole = new StringBuilder();
- AuthZpeClient.AccessCheckStatus rawResult =
- AuthZpeClient.allowAccess(
- accessToken.value(), identityCertificate, /*certHash*/null, resourceName.toResourceNameString(), action, returnedMatchedRole);
+ AuthZpeClient.AccessCheckStatus rawResult;
+ if (identityCertificate == null) {
+ rawResult = AuthZpeClient.allowAccess(accessToken.value(), resourceName.toResourceNameString(), action, returnedMatchedRole);
+ } else {
+ rawResult = AuthZpeClient.allowAccess(
+ accessToken.value(), identityCertificate, /*certHash*/null, resourceName.toResourceNameString(), action, returnedMatchedRole);
+ }
return createResult(returnedMatchedRole, rawResult, resourceName);
}
+ @Override
+ public AuthorizationResult checkAccessAllowed(AthenzAccessToken accessToken, AthenzResourceName resourceName, String action) {
+ return checkAccessAllowed(accessToken, null, resourceName, action);
+ }
+
private static AuthorizationResult createResult(
StringBuilder matchedRole, AuthZpeClient.AccessCheckStatus rawResult, AthenzResourceName resourceName) {
return new AuthorizationResult(Type.fromAccessCheckStatus(rawResult), toRole(matchedRole, resourceName));
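Review bot: The new `identityCertificate == null` branch skips the certificate-binding check entirely, and the new three-argument overload is its only visible caller, so nothing in DefaultZpe restricts the unbound path to the "trusted peer" case named in the commit title; that trust decision now rests with the caller and should be documented rather than implied. Add Javadoc to the overload, and to the matching declaration added in Zpe.java, along the lines of `/** Checks access for an access token without binding it to a client certificate; only for tokens received from a trusted peer that has already authenticated the client. */`. The four-argument method also changes meaning: the removed lines forwarded a null certificate to AuthZpeClient, whereas a null {@code identityCertificate} now means "no binding check", which deserves a sentence in its own Javadoc. createResult starts at the end of the hunk and continues outside it.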
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/Zpe.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/Zpe.java
index 51e5ee4dbb1..f639480821d 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/Zpe.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/Zpe.java
@@ -16,4 +16,5 @@ public interface Zpe {
AuthorizationResult checkAccessAllowed(ZToken roleToken, AthenzResourceName resourceName, String action);
AuthorizationResult checkAccessAllowed(X509Certificate roleCertificate, AthenzResourceName resourceName, String action);
AuthorizationResult checkAccessAllowed(AthenzAccessToken accessToken, X509Certificate identityCertificate, AthenzResourceName resourceName, String action);
+ AuthorizationResult checkAccessAllowed(AthenzAccessToken accessToken, AthenzResourceName resourceName, String action);
}