authorBjørn Christian Seime <bjorncs@verizonmedia.com>2020-01-16 15:09:07 +0100
committerBjørn Christian Seime <bjorncs@verizonmedia.com>2020-01-24 13:00:44 +0100
commit861c507d4f3432f149807008675eeab217ba84b3 (patch)
tree252a720d2838933610347cea937e485f8cf265c5 /vespa-athenz
parentc1bc5a249a5807b80dd11d78dd3464fac6b7ae7f (diff)
Return the matched role in checkAccessAllowed methods
Rewrite AuthorizationResult to specify the result type as an inner Type enum. Add the matched role to AuthorizationResult. Propagate the matched role to the request object in AthenzAuthorizationFilter.
Diffstat (limited to 'vespa-athenz')
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/AuthorizationResult.java96
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/DefaultZpe.java27
2 files changed, 92 insertions, 31 deletions
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/AuthorizationResult.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/AuthorizationResult.java
index faf05011af9..28001e8e8d2 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/AuthorizationResult.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/AuthorizationResult.java
@@ -2,45 +2,87 @@
package com.yahoo.vespa.athenz.zpe;
import com.yahoo.athenz.zpe.AuthZpeClient.AccessCheckStatus;
+import com.yahoo.vespa.athenz.api.AthenzRole;
import java.util.Arrays;
+import java.util.Objects;
+import java.util.Optional;
/**
* The various types of access control results.
*
* @author bjorncs
*/
-public enum AuthorizationResult {
- ALLOW(AccessCheckStatus.ALLOW),
- DENY(AccessCheckStatus.DENY),
- DENY_NO_MATCH(AccessCheckStatus.DENY_NO_MATCH),
- DENY_ROLETOKEN_EXPIRED(AccessCheckStatus.DENY_ROLETOKEN_EXPIRED),
- DENY_ROLETOKEN_INVALID(AccessCheckStatus.DENY_ROLETOKEN_INVALID),
- DENY_DOMAIN_MISMATCH(AccessCheckStatus.DENY_DOMAIN_MISMATCH),
- DENY_DOMAIN_NOT_FOUND(AccessCheckStatus.DENY_DOMAIN_NOT_FOUND),
- DENY_DOMAIN_EXPIRED(AccessCheckStatus.DENY_DOMAIN_EXPIRED),
- DENY_DOMAIN_EMPTY(AccessCheckStatus.DENY_DOMAIN_EMPTY),
- DENY_INVALID_PARAMETERS(AccessCheckStatus.DENY_INVALID_PARAMETERS),
- DENY_CERT_MISMATCH_ISSUER(AccessCheckStatus.DENY_CERT_MISMATCH_ISSUER),
- DENY_CERT_MISSING_SUBJECT(AccessCheckStatus.DENY_CERT_MISSING_SUBJECT),
- DENY_CERT_MISSING_DOMAIN(AccessCheckStatus.DENY_CERT_MISSING_DOMAIN),
- DENY_CERT_MISSING_ROLE_NAME(AccessCheckStatus.DENY_CERT_MISSING_ROLE_NAME);
-
- private final AccessCheckStatus wrappedElement;
-
- AuthorizationResult(AccessCheckStatus wrappedElement) {
- this.wrappedElement = wrappedElement;
+public class AuthorizationResult {
+
+ private final Type type;
+ private final AthenzRole matchedRole;
+
+ public AuthorizationResult(Type type) {
+ this(type, null);
+ }
+
+ public AuthorizationResult(Type type, AthenzRole matchedRole) {
+ this.type = type;
+ this.matchedRole = matchedRole;
+ }
+
+ public Type type() { return type; }
+ public Optional<AthenzRole> matchedRole() { return Optional.ofNullable(matchedRole); }
+
+ public enum Type {
+ ALLOW(AccessCheckStatus.ALLOW),
+ DENY(AccessCheckStatus.DENY),
+ DENY_NO_MATCH(AccessCheckStatus.DENY_NO_MATCH),
+ DENY_ROLETOKEN_EXPIRED(AccessCheckStatus.DENY_ROLETOKEN_EXPIRED),
+ DENY_ROLETOKEN_INVALID(AccessCheckStatus.DENY_ROLETOKEN_INVALID),
+ DENY_DOMAIN_MISMATCH(AccessCheckStatus.DENY_DOMAIN_MISMATCH),
+ DENY_DOMAIN_NOT_FOUND(AccessCheckStatus.DENY_DOMAIN_NOT_FOUND),
+ DENY_DOMAIN_EXPIRED(AccessCheckStatus.DENY_DOMAIN_EXPIRED),
+ DENY_DOMAIN_EMPTY(AccessCheckStatus.DENY_DOMAIN_EMPTY),
+ DENY_INVALID_PARAMETERS(AccessCheckStatus.DENY_INVALID_PARAMETERS),
+ DENY_CERT_MISMATCH_ISSUER(AccessCheckStatus.DENY_CERT_MISMATCH_ISSUER),
+ DENY_CERT_MISSING_SUBJECT(AccessCheckStatus.DENY_CERT_MISSING_SUBJECT),
+ DENY_CERT_MISSING_DOMAIN(AccessCheckStatus.DENY_CERT_MISSING_DOMAIN),
+ DENY_CERT_MISSING_ROLE_NAME(AccessCheckStatus.DENY_CERT_MISSING_ROLE_NAME);
+
+ private final AccessCheckStatus wrappedElement;
+
+ Type(AccessCheckStatus wrappedElement) {
+ this.wrappedElement = wrappedElement;
+ }
+
+ public String getDescription() {
+ return wrappedElement.toString();
+ }
+
+ static Type fromAccessCheckStatus(AccessCheckStatus accessCheckStatus) {
+ return Arrays.stream(values())
+ .filter(value -> value.wrappedElement == accessCheckStatus)
+ .findFirst()
+ .orElseThrow(() -> new IllegalArgumentException("Unknown status: " + accessCheckStatus));
+ }
}
- public String getDescription() {
- return wrappedElement.toString();
+ @Override
+ public String toString() {
+ return "AuthorizationResult{" +
+ "type=" + type +
+ ", matchedRole=" + matchedRole +
+ '}';
}
- static AuthorizationResult fromAccessCheckStatus(AccessCheckStatus accessCheckStatus) {
- return Arrays.stream(values())
- .filter(value -> value.wrappedElement == accessCheckStatus)
- .findFirst()
- .orElseThrow(() -> new IllegalArgumentException("Unknown status: " + accessCheckStatus));
+ @Override
+ public boolean equals(Object o) {
+ if (this == o) return true;
+ if (o == null || getClass() != o.getClass()) return false;
+ AuthorizationResult that = (AuthorizationResult) o;
+ return type == that.type &&
+ Objects.equals(matchedRole, that.matchedRole);
}
+ @Override
+ public int hashCode() {
+ return Objects.hash(type, matchedRole);
+ }
}
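Review bot: The two-argument constructor stores `type` without a null check, so an `AuthorizationResult` with a null type can be built and any caller that does `result.type().getDescription()` or switches on `type()` fails with an NPE instead of a clear error at construction; since this object is the outcome of an access-control decision, it should reject that state up front with `this.type = Objects.requireNonNull(type, "type");` (the `Objects` import is already added in this hunk). The class is also left open for subclassing while `equals` relies on `getClass()`; declaring it `public final class AuthorizationResult` keeps the result immutable and prevents a subclass from overriding `type()`. A one-line Javadoc on `matchedRole()` would help consumers too, e.g. `/** The role that matched a policy assertion, if the underlying ZPE client reported one. */` — I would not state that presence implies ALLOW, as nothing in this diff guarantees the role is only set on allow results.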
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/DefaultZpe.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/DefaultZpe.java
index 29044111ada..579f9b1d9d4 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/DefaultZpe.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/DefaultZpe.java
@@ -3,7 +3,9 @@ package com.yahoo.vespa.athenz.zpe;
import com.yahoo.athenz.zpe.AuthZpeClient;
import com.yahoo.vespa.athenz.api.AthenzResourceName;
+import com.yahoo.vespa.athenz.api.AthenzRole;
import com.yahoo.vespa.athenz.api.ZToken;
+import com.yahoo.vespa.athenz.zpe.AuthorizationResult.Type;
import java.security.cert.X509Certificate;
@@ -21,14 +23,31 @@ public class DefaultZpe implements Zpe {
@Override
public AuthorizationResult checkAccessAllowed(ZToken roleToken, AthenzResourceName resourceName, String action) {
- return AuthorizationResult.fromAccessCheckStatus(
- AuthZpeClient.allowAccess(roleToken.getRawToken(), resourceName.toResourceNameString(), action));
+ StringBuilder returnedMatchedRole = new StringBuilder();
+ AuthZpeClient.AccessCheckStatus rawResult =
+ AuthZpeClient.allowAccess(roleToken.getRawToken(), resourceName.toResourceNameString(), action, returnedMatchedRole);
+ return createResult(returnedMatchedRole, rawResult, resourceName);
}
@Override
public AuthorizationResult checkAccessAllowed(X509Certificate roleCertificate, AthenzResourceName resourceName, String action) {
- return AuthorizationResult.fromAccessCheckStatus(
- AuthZpeClient.allowAccess(roleCertificate, resourceName.toResourceNameString(), action));
+ StringBuilder returnedMatchedRole = new StringBuilder();
+ AuthZpeClient.AccessCheckStatus rawResult =
+ AuthZpeClient.allowAccess(roleCertificate, resourceName.toResourceNameString(), action, returnedMatchedRole);
+ return createResult(returnedMatchedRole, rawResult, resourceName);
+ }
+
+ private static AuthorizationResult createResult(
+ StringBuilder matchedRole, AuthZpeClient.AccessCheckStatus rawResult, AthenzResourceName resourceName) {
+ return new AuthorizationResult(Type.fromAccessCheckStatus(rawResult), toRole(matchedRole, resourceName));
+ }
+
+ private static AthenzRole toRole(StringBuilder rawRole, AthenzResourceName resourceName) {
+ if (rawRole.length() == 0) {
+ return null;
+ } else {
+ return new AthenzRole(resourceName.getDomain(), rawRole.toString());
+ }
}
}
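Review bot: `createResult` attaches the matched role regardless of the `AccessCheckStatus`, so if `AuthZpeClient.allowAccess` fills the `StringBuilder` when a deny assertion matches (I cannot confirm its behaviour from this diff), a DENY result would carry a non-empty `matchedRole()`, and a downstream consumer that treats "a role matched" as "authorized" would be misled; consider gating it with `Type type = Type.fromAccessCheckStatus(rawResult); return new AuthorizationResult(type, type == Type.ALLOW ? toRole(matchedRole, resourceName) : null);` or at least document on `checkAccessAllowed` that the role is informational only and `type()` is the sole authorization signal. `toRole` also assumes the returned role name lives in the resource's domain (`resourceName.getDomain()`); that holds when ZPE evaluates only the resource domain's policies, which is the usual Athenz model but is not visible here, so a comment such as `// ZPE reports the bare role name; it is scoped to the resource's domain` would make the assumption explicit for the next reader.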