aboutsummaryrefslogtreecommitdiffstats
path: root/jdisc-security-filters/src/main/java
diff options
context:
space:
mode:
Diffstat (limited to 'jdisc-security-filters/src/main/java')
-rw-r--r--jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cloud/ClientPrincipal.java3
-rw-r--r--jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cloud/CloudDataPlaneFilter.java4
-rw-r--r--jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cloud/CloudTokenDataPlaneFilter.java14
3 files changed, 9 insertions, 12 deletions
diff --git a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cloud/ClientPrincipal.java b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cloud/ClientPrincipal.java
index ea627b49d5d..bfb9bb920db 100644
--- a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cloud/ClientPrincipal.java
+++ b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cloud/ClientPrincipal.java
@@ -20,12 +20,11 @@ record ClientPrincipal(Set<String> ids, Set<Permission> permissions) implements
return "ids=%s,permissions=%s".formatted(ids, permissions.stream().map(Permission::asString).toList());
}
- static ClientPrincipal createForRequest(DiscFilterRequest req, Set<String> ids, Set<Permission> permissions) {
+ static void attachToRequest(DiscFilterRequest req, Set<String> ids, Set<Permission> permissions) {
var p = new ClientPrincipal(ids, permissions);
req.setUserPrincipal(p);
log.fine(() -> "Client with ids=%s, permissions=%s"
.formatted(ids, permissions.stream().map(Permission::asString).toList()));
- return p;
}
}
diff --git a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cloud/CloudDataPlaneFilter.java b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cloud/CloudDataPlaneFilter.java
index 88e70e953b3..379973cd8cf 100644
--- a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cloud/CloudDataPlaneFilter.java
+++ b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cloud/CloudDataPlaneFilter.java
@@ -85,7 +85,7 @@ public class CloudDataPlaneFilter extends JsonSecurityRequestFilterBase {
}
if (legacyMode) {
log.fine("Legacy mode validation complete");
- ClientPrincipal.createForRequest(req, Set.of(), Set.of(READ, WRITE));
+ ClientPrincipal.attachToRequest(req, Set.of(), Set.of(READ, WRITE));
return Optional.empty();
}
var permission = Permission.getRequiredPermission(req).orElse(null);
@@ -100,7 +100,7 @@ public class CloudDataPlaneFilter extends JsonSecurityRequestFilterBase {
permissions.addAll(c.permissions());
}
if (clientIds.isEmpty()) return Optional.of(new ErrorResponse(Response.Status.FORBIDDEN, "Forbidden"));
- ClientPrincipal.createForRequest(req, clientIds, permissions);
+ ClientPrincipal.attachToRequest(req, clientIds, permissions);
return Optional.empty();
}
diff --git a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cloud/CloudTokenDataPlaneFilter.java b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cloud/CloudTokenDataPlaneFilter.java
index 582aa2c8aee..6597f10198d 100644
--- a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cloud/CloudTokenDataPlaneFilter.java
+++ b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cloud/CloudTokenDataPlaneFilter.java
@@ -89,7 +89,7 @@ public class CloudTokenDataPlaneFilter extends JsonSecurityRequestFilterBase {
if (permission == null) return Optional.of(new ErrorResponse(Response.Status.FORBIDDEN, "Forbidden"));
var requestTokenHash = requestTokenHash(bearerToken);
var clientIds = new TreeSet<String>();
- var permissions = new TreeSet<Permission>();
+ var permissions = EnumSet.noneOf(Permission.class);
var matchedTokens = new HashSet<TokenVersion>();
for (Client c : allowedClients) {
if (!c.permissions().contains(permission)) continue;
@@ -107,13 +107,11 @@ public class CloudTokenDataPlaneFilter extends JsonSecurityRequestFilterBase {
.formatted(matchedTokens.stream().map(TokenVersion::id).toList()));
return Optional.of(new ErrorResponse(Response.Status.FORBIDDEN, "Forbidden"));
}
- var matchedToken = matchedTokens.stream().findAny().orElse(null);
- if (matchedToken != null) {
- addAccessLogEntry(req, "token.id", matchedToken.id());
- addAccessLogEntry(req, "token.hash", matchedToken.fingerprint().toDelimitedHexString());
- addAccessLogEntry(req, "token.exp", matchedToken.expiration().map(Instant::toString).orElse("<none>"));
- }
- ClientPrincipal.createForRequest(req, clientIds, permissions);
+ var matchedToken = matchedTokens.stream().findAny().get();
+ addAccessLogEntry(req, "token.id", matchedToken.id());
+ addAccessLogEntry(req, "token.hash", matchedToken.fingerprint().toDelimitedHexString());
+ addAccessLogEntry(req, "token.exp", matchedToken.expiration().map(Instant::toString).orElse("<none>"));
+ ClientPrincipal.attachToRequest(req, clientIds, permissions);
return Optional.empty();
}