-rw-r--r--jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilter.java22
-rw-r--r--jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilterTest.java10
2 files changed, 31 insertions, 1 deletions
diff --git a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilter.java b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilter.java
index f3d9fa9583c..81ccef651e9 100644
--- a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilter.java
+++ b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilter.java
@@ -21,6 +21,7 @@ import java.util.EnumSet;
import java.util.List;
import java.util.Optional;
import java.util.logging.Logger;
+import java.util.stream.Collectors;
import static com.yahoo.jdisc.Response.Status.FORBIDDEN;
import static com.yahoo.jdisc.Response.Status.UNAUTHORIZED;
@@ -104,7 +105,7 @@ public class AthenzAuthorizationFilter extends JsonSecurityRequestFilterBase {
return checkAccessWithRoleToken(request, resourceAndAction);
} else {
throw new IllegalArgumentException(
- "Not authorized - request did not contain any of the allowed credentials: " + enabledCredentials);
+ "Not authorized - request did not contain any of the allowed credentials: " + toPrettyString(enabledCredentials));
}
}
@@ -153,6 +154,25 @@ public class AthenzAuthorizationFilter extends JsonSecurityRequestFilterBase {
return new ZToken(request.getHeader(roleTokenHeaderName));
}
+ private static String toPrettyString(EnumSet<EnabledCredentials.Enum> enabledCredentialSet) {
+ return enabledCredentialSet.stream()
+ .map(AthenzAuthorizationFilter::toPrettyString)
+ .collect(Collectors.joining(", ", "[", "]"));
+ }
+
+ private static String toPrettyString(EnabledCredentials.Enum enabledCredential) {
+ switch (enabledCredential) {
+ case ACCESS_TOKEN:
+ return "Athenz access token with X.509 identity certificate";
+ case ROLE_TOKEN:
+ return "Athenz role token (ZToken)";
+ case ROLE_CERTIFICATE:
+ return "Athenz X.509 role certificate";
+ default:
+ throw new IllegalArgumentException("Unknown credential type: " + enabledCredential);
+ }
+ }
+
private static void populateRequestWithResult(DiscFilterRequest request, Result result) {
request.setUserPrincipal(
new AthenzPrincipal(result.identity, result.zpeResult.matchedRole().map(List::of).orElse(List.of())));
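Review bot: The `default` branch of `toPrettyString(EnabledCredentials.Enum)` throws `IllegalArgumentException("Unknown credential type: …")`, and since this helper runs while the "Not authorized" message is being built (the previous hunk, line with `toPrettyString(enabledCredentials)`), a constant added to the enum later would replace the authorization-failure message on that path with a misleading "Unknown credential type" exception. Falling back to the constant's name keeps the error path total: `default: return enabledCredential.name();`. A one-line Javadoc would also help, because the output is asserted verbatim by the test, e.g. `/** Human-readable credential description; included in the 401 response body and pinned by AthenzAuthorizationFilterTest. */`. The enclosing class continues outside this hunk.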
diff --git a/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilterTest.java b/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilterTest.java
index 74d09234902..e8da5fab2e2 100644
--- a/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilterTest.java
+++ b/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilterTest.java
@@ -36,6 +36,7 @@ import static com.yahoo.jdisc.http.filter.security.athenz.AthenzAuthorizationFil
import static com.yahoo.security.SignatureAlgorithm.SHA256_WITH_ECDSA;
import static com.yahoo.security.SubjectAlternativeName.Type.RFC822_NAME;
import static com.yahoo.vespa.athenz.zpe.AuthorizationResult.Type;
+import static org.hamcrest.CoreMatchers.containsString;
import static org.hamcrest.CoreMatchers.equalTo;
import static org.hamcrest.CoreMatchers.notNullValue;
import static org.hamcrest.CoreMatchers.nullValue;
@@ -110,6 +111,8 @@ public class AthenzAuthorizationFilterTest {
filter.filter(request, responseHandler);
assertStatusCode(responseHandler, 401);
+ assertErrorMessage(responseHandler, "Not authorized - request did not contain any of the allowed credentials: " +
+ "[Athenz X.509 role certificate, Athenz access token with X.509 identity certificate]");
}
@Test
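Review bot: The expected list passed to `assertErrorMessage` hard-codes the order `[Athenz X.509 role certificate, Athenz access token with X.509 identity certificate]`, which presumably comes from `EnumSet` iteration (ordinal order of `EnabledCredentials.Enum`), so reordering or renaming those enum constants would break this test without any change to the filter's behaviour. A short comment above the assertion would make the coupling explicit, e.g. `// order follows EnabledCredentials.Enum declaration order (EnumSet iteration)`. The enclosing test method starts outside the hunk.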
@@ -186,6 +189,13 @@ public class AthenzAuthorizationFilterTest {
verify(request).setAttribute(MATCHED_ROLE_ATTRIBUTE, role.roleName());
}
+ private static void assertErrorMessage(MockResponseHandler responseHandler, String errorMessage) {
+ Response response = responseHandler.getResponse();
+ assertThat(response, notNullValue());
+ String content = responseHandler.readAll();
+ assertThat(content, containsString(errorMessage));
+ }
+
private static class AllowingZpe implements Zpe {
@Override