diff options
author | Harald Musum <musum@verizonmedia.com> | 2020-01-24 14:17:13 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-01-24 14:17:13 +0100 |
commit | 5eb436554c43ccc2d4b97421733b206081b2681d (patch) | |
tree | 78ad0c97295aad5f501bf9ab0072525baddebe43 /vespa-athenz | |
parent | e2d7d10f664ec221708d051ec754d68fc6cee5b6 (diff) |
Revert "Bjorncs/update zpe"
Diffstat (limited to 'vespa-athenz')
4 files changed, 31 insertions, 151 deletions
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/AthenzAccessToken.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/AthenzAccessToken.java deleted file mode 100644 index 86deb0b59b3..00000000000 --- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/AthenzAccessToken.java +++ /dev/null @@ -1,46 +0,0 @@ -// Copyright 2020 Oath Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.vespa.athenz.api; - -import java.util.Objects; - -/** - * Represents an Athenz Access Token - * - * @author bjorncs - */ -public class AthenzAccessToken { - - public static final String HTTP_HEADER_NAME = "Authorization"; - - private static final String BEARER_TOKEN_PREFIX = "Bearer "; - - private final String value; - - public AthenzAccessToken(String value) { - this.value = stripBearerTokenPrefix(value); - } - - private static String stripBearerTokenPrefix(String rawValue) { - String stripped = rawValue.strip(); - return stripped.startsWith(BEARER_TOKEN_PREFIX) - ? stripped.substring(BEARER_TOKEN_PREFIX.length()) - : stripped; - } - - public String value() { return value; } - - @Override public String toString() { return "AthenzAccessToken{value='" + value + "'}"; } - - @Override - public boolean equals(Object o) { - if (this == o) return true; - if (o == null || getClass() != o.getClass()) return false; - AthenzAccessToken that = (AthenzAccessToken) o; - return Objects.equals(value, that.value); - } - - @Override - public int hashCode() { - return Objects.hash(value); - } -} diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/AuthorizationResult.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/AuthorizationResult.java index 28001e8e8d2..faf05011af9 100644 --- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/AuthorizationResult.java +++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/AuthorizationResult.java @@ -2,87 +2,45 @@ package com.yahoo.vespa.athenz.zpe; import com.yahoo.athenz.zpe.AuthZpeClient.AccessCheckStatus; -import com.yahoo.vespa.athenz.api.AthenzRole; import java.util.Arrays; -import java.util.Objects; -import java.util.Optional; /** * The various types of access control results. * * @author bjorncs */ -public class AuthorizationResult { - - private final Type type; - private final AthenzRole matchedRole; - - public AuthorizationResult(Type type) { - this(type, null); - } - - public AuthorizationResult(Type type, AthenzRole matchedRole) { - this.type = type; - this.matchedRole = matchedRole; - } - - public Type type() { return type; } - public Optional<AthenzRole> matchedRole() { return Optional.ofNullable(matchedRole); } - - public enum Type { - ALLOW(AccessCheckStatus.ALLOW), - DENY(AccessCheckStatus.DENY), - DENY_NO_MATCH(AccessCheckStatus.DENY_NO_MATCH), - DENY_ROLETOKEN_EXPIRED(AccessCheckStatus.DENY_ROLETOKEN_EXPIRED), - DENY_ROLETOKEN_INVALID(AccessCheckStatus.DENY_ROLETOKEN_INVALID), - DENY_DOMAIN_MISMATCH(AccessCheckStatus.DENY_DOMAIN_MISMATCH), - DENY_DOMAIN_NOT_FOUND(AccessCheckStatus.DENY_DOMAIN_NOT_FOUND), - DENY_DOMAIN_EXPIRED(AccessCheckStatus.DENY_DOMAIN_EXPIRED), - DENY_DOMAIN_EMPTY(AccessCheckStatus.DENY_DOMAIN_EMPTY), - DENY_INVALID_PARAMETERS(AccessCheckStatus.DENY_INVALID_PARAMETERS), - DENY_CERT_MISMATCH_ISSUER(AccessCheckStatus.DENY_CERT_MISMATCH_ISSUER), - DENY_CERT_MISSING_SUBJECT(AccessCheckStatus.DENY_CERT_MISSING_SUBJECT), - DENY_CERT_MISSING_DOMAIN(AccessCheckStatus.DENY_CERT_MISSING_DOMAIN), - DENY_CERT_MISSING_ROLE_NAME(AccessCheckStatus.DENY_CERT_MISSING_ROLE_NAME); - - private final AccessCheckStatus wrappedElement; - - Type(AccessCheckStatus wrappedElement) { - this.wrappedElement = wrappedElement; - } - - public String getDescription() { - return wrappedElement.toString(); - } - - static Type fromAccessCheckStatus(AccessCheckStatus accessCheckStatus) { - return Arrays.stream(values()) - .filter(value -> value.wrappedElement == accessCheckStatus) - .findFirst() - .orElseThrow(() -> new IllegalArgumentException("Unknown status: " + accessCheckStatus)); - } +public enum AuthorizationResult { + ALLOW(AccessCheckStatus.ALLOW), + DENY(AccessCheckStatus.DENY), + DENY_NO_MATCH(AccessCheckStatus.DENY_NO_MATCH), + DENY_ROLETOKEN_EXPIRED(AccessCheckStatus.DENY_ROLETOKEN_EXPIRED), + DENY_ROLETOKEN_INVALID(AccessCheckStatus.DENY_ROLETOKEN_INVALID), + DENY_DOMAIN_MISMATCH(AccessCheckStatus.DENY_DOMAIN_MISMATCH), + DENY_DOMAIN_NOT_FOUND(AccessCheckStatus.DENY_DOMAIN_NOT_FOUND), + DENY_DOMAIN_EXPIRED(AccessCheckStatus.DENY_DOMAIN_EXPIRED), + DENY_DOMAIN_EMPTY(AccessCheckStatus.DENY_DOMAIN_EMPTY), + DENY_INVALID_PARAMETERS(AccessCheckStatus.DENY_INVALID_PARAMETERS), + DENY_CERT_MISMATCH_ISSUER(AccessCheckStatus.DENY_CERT_MISMATCH_ISSUER), + DENY_CERT_MISSING_SUBJECT(AccessCheckStatus.DENY_CERT_MISSING_SUBJECT), + DENY_CERT_MISSING_DOMAIN(AccessCheckStatus.DENY_CERT_MISSING_DOMAIN), + DENY_CERT_MISSING_ROLE_NAME(AccessCheckStatus.DENY_CERT_MISSING_ROLE_NAME); + + private final AccessCheckStatus wrappedElement; + + AuthorizationResult(AccessCheckStatus wrappedElement) { + this.wrappedElement = wrappedElement; } - @Override - public String toString() { - return "AuthorizationResult{" + - "type=" + type + - ", matchedRole=" + matchedRole + - '}'; + public String getDescription() { + return wrappedElement.toString(); } - @Override - public boolean equals(Object o) { - if (this == o) return true; - if (o == null || getClass() != o.getClass()) return false; - AuthorizationResult that = (AuthorizationResult) o; - return type == that.type && - Objects.equals(matchedRole, that.matchedRole); + static AuthorizationResult fromAccessCheckStatus(AccessCheckStatus accessCheckStatus) { + return Arrays.stream(values()) + .filter(value -> value.wrappedElement == accessCheckStatus) + .findFirst() + .orElseThrow(() -> new IllegalArgumentException("Unknown status: " + accessCheckStatus)); } - @Override - public int hashCode() { - return Objects.hash(type, matchedRole); - } } diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/DefaultZpe.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/DefaultZpe.java index 47ae45a69ca..29044111ada 100644 --- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/DefaultZpe.java +++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/DefaultZpe.java @@ -2,11 +2,8 @@ package com.yahoo.vespa.athenz.zpe; import com.yahoo.athenz.zpe.AuthZpeClient; -import com.yahoo.vespa.athenz.api.AthenzAccessToken; import com.yahoo.vespa.athenz.api.AthenzResourceName; -import com.yahoo.vespa.athenz.api.AthenzRole; import com.yahoo.vespa.athenz.api.ZToken; -import com.yahoo.vespa.athenz.zpe.AuthorizationResult.Type; import java.security.cert.X509Certificate; @@ -24,41 +21,14 @@ public class DefaultZpe implements Zpe { @Override public AuthorizationResult checkAccessAllowed(ZToken roleToken, AthenzResourceName resourceName, String action) { - StringBuilder returnedMatchedRole = new StringBuilder(); - AuthZpeClient.AccessCheckStatus rawResult = - AuthZpeClient.allowAccess(roleToken.getRawToken(), resourceName.toResourceNameString(), action, returnedMatchedRole); - return createResult(returnedMatchedRole, rawResult, resourceName); + return AuthorizationResult.fromAccessCheckStatus( + AuthZpeClient.allowAccess(roleToken.getRawToken(), resourceName.toResourceNameString(), action)); } @Override public AuthorizationResult checkAccessAllowed(X509Certificate roleCertificate, AthenzResourceName resourceName, String action) { - StringBuilder returnedMatchedRole = new StringBuilder(); - AuthZpeClient.AccessCheckStatus rawResult = - AuthZpeClient.allowAccess(roleCertificate, resourceName.toResourceNameString(), action, returnedMatchedRole); - return createResult(returnedMatchedRole, rawResult, resourceName); - } - - @Override - public AuthorizationResult checkAccessAllowed( - AthenzAccessToken accessToken, X509Certificate identityCertificate, AthenzResourceName resourceName, String action) { - StringBuilder returnedMatchedRole = new StringBuilder(); - AuthZpeClient.AccessCheckStatus rawResult = - AuthZpeClient.allowAccess( - accessToken.value(), identityCertificate, /*certHash*/null, resourceName.toResourceNameString(), action, returnedMatchedRole); - return createResult(returnedMatchedRole, rawResult, resourceName); - } - - private static AuthorizationResult createResult( - StringBuilder matchedRole, AuthZpeClient.AccessCheckStatus rawResult, AthenzResourceName resourceName) { - return new AuthorizationResult(Type.fromAccessCheckStatus(rawResult), toRole(matchedRole, resourceName)); - } - - private static AthenzRole toRole(StringBuilder rawRole, AthenzResourceName resourceName) { - if (rawRole.length() == 0) { - return null; - } else { - return new AthenzRole(resourceName.getDomain(), rawRole.toString()); - } + return AuthorizationResult.fromAccessCheckStatus( + AuthZpeClient.allowAccess(roleCertificate, resourceName.toResourceNameString(), action)); } } diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/Zpe.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/Zpe.java index 51e5ee4dbb1..e22e27f1508 100644 --- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/Zpe.java +++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/Zpe.java @@ -1,7 +1,6 @@ // Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. package com.yahoo.vespa.athenz.zpe; -import com.yahoo.vespa.athenz.api.AthenzAccessToken; import com.yahoo.vespa.athenz.api.AthenzResourceName; import com.yahoo.vespa.athenz.api.ZToken; @@ -15,5 +14,4 @@ import java.security.cert.X509Certificate; public interface Zpe { AuthorizationResult checkAccessAllowed(ZToken roleToken, AthenzResourceName resourceName, String action); AuthorizationResult checkAccessAllowed(X509Certificate roleCertificate, AthenzResourceName resourceName, String action); - AuthorizationResult checkAccessAllowed(AthenzAccessToken accessToken, X509Certificate identityCertificate, AthenzResourceName resourceName, String action); } |