author | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2021-02-11 15:46:05 +0100 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2021-02-11 15:46:18 +0100 |
commit | 06ea9cecdddcf44c13cf42d53b3df415c2146361 (patch) | |
tree | 29856d7589d2decdcd571b2f7731e8e656c2aa52 /vespa-athenz | |
parent | a782d867784893696b3f505f547b9ccc1a5fcf2b (diff) |
Athenz jdisc filter: support proxied access token from trusted peer
Diffstat (limited to 'vespa-athenz')
3 files changed, 15 insertions, 3 deletions
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/AthenzAccessToken.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/AthenzAccessToken.java
index 16b923382b3..c085be7c205 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/AthenzAccessToken.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/AthenzAccessToken.java
@@ -3,6 +3,7 @@ package com.yahoo.vespa.athenz.api;
 import com.auth0.jwt.JWT;
 import com.auth0.jwt.interfaces.DecodedJWT;
+import com.yahoo.vespa.athenz.utils.AthenzIdentities;
 import java.time.Instant;
 import java.util.Objects;
@@ -41,6 +42,7 @@ public class AthenzAccessToken {
 public Instant getExpiryTime () { return jwt().getExpiresAt().toInstant(); }
+ public AthenzIdentity getAthenzIdentity() { return AthenzIdentities.from(jwt().getClaim("client_id").asString()); }
 private DecodedJWT jwt() {
 if (jwt == null) {
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/DefaultZpe.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/DefaultZpe.java
index c010649ed24..4c5dc6c96b4 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/DefaultZpe.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/DefaultZpe.java
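Review bot: `getAthenzIdentity()` returns whatever the `client_id` claim says, and nothing in this hunk shows a signature or expiry check on that path; if `jwt()` only decodes the token (the rest of `jwt()` lies outside the hunk), the identity is unauthenticated until the token has been verified elsewhere, for instance through a ZPE check, and the method's Javadoc should say so. A token without that claim presumably reaches `AthenzIdentities.from(null)` and fails with an unexplained error deep in the parser; an explicit guard such as `String clientId = Objects.requireNonNull(jwt().getClaim("client_id").asString(), "access token has no client_id claim");` gives a clear failure, and `java.util.Objects` is already imported in this file.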
@@ -45,12 +45,21 @@ public class DefaultZpe implements Zpe {
 public AuthorizationResult checkAccessAllowed(
 AthenzAccessToken accessToken, X509Certificate identityCertificate, AthenzResourceName resourceName, String action) {
 StringBuilder returnedMatchedRole = new StringBuilder();
- AuthZpeClient.AccessCheckStatus rawResult =
- AuthZpeClient.allowAccess(
- accessToken.value(), identityCertificate, /*certHash*/null, resourceName.toResourceNameString(), action, returnedMatchedRole);
+ AuthZpeClient.AccessCheckStatus rawResult;
+ if (identityCertificate == null) {
+ rawResult = AuthZpeClient.allowAccess(accessToken.value(), resourceName.toResourceNameString(), action, returnedMatchedRole);
+ } else {
+ rawResult = AuthZpeClient.allowAccess(
+ accessToken.value(), identityCertificate, /*certHash*/null, resourceName.toResourceNameString(), action, returnedMatchedRole);
+ }
 return createResult(returnedMatchedRole, rawResult, resourceName);
 }
+ @Override
+ public AuthorizationResult checkAccessAllowed(AthenzAccessToken accessToken, AthenzResourceName resourceName, String action) {
+ return checkAccessAllowed(accessToken, null, resourceName, action);
+ }
+
 private static AuthorizationResult createResult(
 StringBuilder matchedRole, AuthZpeClient.AccessCheckStatus rawResult, AthenzResourceName resourceName) {
 return new AuthorizationResult(Type.fromAccessCheckStatus(rawResult), toRole(matchedRole, resourceName));
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/Zpe.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/Zpe.java
index 51e5ee4dbb1..f639480821d 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/Zpe.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/Zpe.java
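Review bot: The `identityCertificate == null` branch in the four-argument `checkAccessAllowed` makes a missing certificate silently select the variant of `AuthZpeClient.allowAccess` that cannot tie the token to the presenting client, so any existing caller that passes null by mistake now gets the weaker check instead of a failure. The commit message frames the unbound check as something only for tokens relayed by a trusted peer, which argues for keeping it explicit: have the three-argument overload call the certificate-less `allowAccess` itself and let the four-argument overload reject a null certificate (`java.util.Objects` needs to be in scope for `requireNonNull`; whether DefaultZpe imports it is not visible here). The new overload should also carry a Javadoc stating that the certificate binding is not verified and naming the trusted-peer case it exists for.
```java
    public AuthorizationResult checkAccessAllowed(
            AthenzAccessToken accessToken, X509Certificate identityCertificate, AthenzResourceName resourceName, String action) {
        // Certificate-bound check: a null certificate must fail here rather than downgrade to the unbound variant.
        Objects.requireNonNull(identityCertificate, "identityCertificate");
        StringBuilder returnedMatchedRole = new StringBuilder();
        AuthZpeClient.AccessCheckStatus rawResult = AuthZpeClient.allowAccess(
                accessToken.value(), identityCertificate, /*certHash*/null, resourceName.toResourceNameString(), action, returnedMatchedRole);
        return createResult(returnedMatchedRole, rawResult, resourceName);
    }

    /**
     * Checks access for a token that is not bound to a client certificate.
     * Only for tokens relayed by a trusted peer that already verified the binding.
     */
    @Override
    public AuthorizationResult checkAccessAllowed(AthenzAccessToken accessToken, AthenzResourceName resourceName, String action) {
        StringBuilder returnedMatchedRole = new StringBuilder();
        AuthZpeClient.AccessCheckStatus rawResult =
                AuthZpeClient.allowAccess(accessToken.value(), resourceName.toResourceNameString(), action, returnedMatchedRole);
        return createResult(returnedMatchedRole, rawResult, resourceName);
    }

    // … unchanged: createResult …
```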
@@ -16,4 +16,5 @@ public interface Zpe {
 AuthorizationResult checkAccessAllowed(ZToken roleToken, AthenzResourceName resourceName, String action);
 AuthorizationResult checkAccessAllowed(X509Certificate roleCertificate, AthenzResourceName resourceName, String action);
 AuthorizationResult checkAccessAllowed(AthenzAccessToken accessToken, X509Certificate identityCertificate, AthenzResourceName resourceName, String action);
+ AuthorizationResult checkAccessAllowed(AthenzAccessToken accessToken, AthenzResourceName resourceName, String action);
 }
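Review bot: The added `checkAccessAllowed(AthenzAccessToken, AthenzResourceName, String)` is the only access-token overload on the interface that takes no client certificate, and nothing on the interface tells a caller that it therefore skips the check tying the token to the presenting client. A Javadoc above it should make the weaker guarantee explicit, along the lines of `/** Checks access for an access token without verifying its binding to a client certificate. Intended only for tokens relayed by a trusted peer; prefer the overload taking the identity certificate when the client presents one. */`. The four-argument overload on the line above would benefit from a matching sentence saying that it does verify the binding, assuming the implementation behaves as its arguments suggest.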