summaryrefslogtreecommitdiffstats
path: root/vespa-athenz
diff options
context:
space:
mode:
authorBjørn Christian Seime <bjorncs@verizonmedia.com>2020-01-16 15:14:18 +0100
committerBjørn Christian Seime <bjorncs@verizonmedia.com>2020-01-24 13:00:44 +0100
commitc0bed8d5605a4c00acdad5fc1db8e653920d0294 (patch)
tree2f838be4f265fb552a31dae600d0682b668e7c25 /vespa-athenz
parent861c507d4f3432f149807008675eeab217ba84b3 (diff)
Add checkAccessAllowed method that consumes access token + certificate
Diffstat (limited to 'vespa-athenz')
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/DefaultZpe.java11
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/Zpe.java2
2 files changed, 13 insertions, 0 deletions
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/DefaultZpe.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/DefaultZpe.java
index 579f9b1d9d4..47ae45a69ca 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/DefaultZpe.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/DefaultZpe.java
@@ -2,6 +2,7 @@
package com.yahoo.vespa.athenz.zpe;
import com.yahoo.athenz.zpe.AuthZpeClient;
+import com.yahoo.vespa.athenz.api.AthenzAccessToken;
import com.yahoo.vespa.athenz.api.AthenzResourceName;
import com.yahoo.vespa.athenz.api.AthenzRole;
import com.yahoo.vespa.athenz.api.ZToken;
@@ -37,6 +38,16 @@ public class DefaultZpe implements Zpe {
return createResult(returnedMatchedRole, rawResult, resourceName);
}
+ @Override
+ public AuthorizationResult checkAccessAllowed(
+ AthenzAccessToken accessToken, X509Certificate identityCertificate, AthenzResourceName resourceName, String action) {
+ StringBuilder returnedMatchedRole = new StringBuilder();
+ AuthZpeClient.AccessCheckStatus rawResult =
+ AuthZpeClient.allowAccess(
+ accessToken.value(), identityCertificate, /*certHash*/null, resourceName.toResourceNameString(), action, returnedMatchedRole);
+ return createResult(returnedMatchedRole, rawResult, resourceName);
+ }
+
private static AuthorizationResult createResult(
StringBuilder matchedRole, AuthZpeClient.AccessCheckStatus rawResult, AthenzResourceName resourceName) {
return new AuthorizationResult(Type.fromAccessCheckStatus(rawResult), toRole(matchedRole, resourceName));
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/Zpe.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/Zpe.java
index e22e27f1508..51e5ee4dbb1 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/Zpe.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/Zpe.java
@@ -1,6 +1,7 @@
// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.vespa.athenz.zpe;
+import com.yahoo.vespa.athenz.api.AthenzAccessToken;
import com.yahoo.vespa.athenz.api.AthenzResourceName;
import com.yahoo.vespa.athenz.api.ZToken;
@@ -14,4 +15,5 @@ import java.security.cert.X509Certificate;
public interface Zpe {
AuthorizationResult checkAccessAllowed(ZToken roleToken, AthenzResourceName resourceName, String action);
AuthorizationResult checkAccessAllowed(X509Certificate roleCertificate, AthenzResourceName resourceName, String action);
+ AuthorizationResult checkAccessAllowed(AthenzAccessToken accessToken, X509Certificate identityCertificate, AthenzResourceName resourceName, String action);
}