diff options
Diffstat (limited to 'jdisc-security-filters/src/main/java')
3 files changed, 9 insertions, 12 deletions
diff --git a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cloud/ClientPrincipal.java b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cloud/ClientPrincipal.java index ea627b49d5d..bfb9bb920db 100644 --- a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cloud/ClientPrincipal.java +++ b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cloud/ClientPrincipal.java @@ -20,12 +20,11 @@ record ClientPrincipal(Set<String> ids, Set<Permission> permissions) implements return "ids=%s,permissions=%s".formatted(ids, permissions.stream().map(Permission::asString).toList()); } - static ClientPrincipal createForRequest(DiscFilterRequest req, Set<String> ids, Set<Permission> permissions) { + static void attachToRequest(DiscFilterRequest req, Set<String> ids, Set<Permission> permissions) { var p = new ClientPrincipal(ids, permissions); req.setUserPrincipal(p); log.fine(() -> "Client with ids=%s, permissions=%s" .formatted(ids, permissions.stream().map(Permission::asString).toList())); - return p; } } diff --git a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cloud/CloudDataPlaneFilter.java b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cloud/CloudDataPlaneFilter.java index 88e70e953b3..379973cd8cf 100644 --- a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cloud/CloudDataPlaneFilter.java +++ b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cloud/CloudDataPlaneFilter.java @@ -85,7 +85,7 @@ public class CloudDataPlaneFilter extends JsonSecurityRequestFilterBase { } if (legacyMode) { log.fine("Legacy mode validation complete"); - ClientPrincipal.createForRequest(req, Set.of(), Set.of(READ, WRITE)); + ClientPrincipal.attachToRequest(req, Set.of(), Set.of(READ, WRITE)); return Optional.empty(); } var permission = Permission.getRequiredPermission(req).orElse(null); @@ -100,7 +100,7 @@ public class CloudDataPlaneFilter extends JsonSecurityRequestFilterBase { permissions.addAll(c.permissions()); } if (clientIds.isEmpty()) return Optional.of(new ErrorResponse(Response.Status.FORBIDDEN, "Forbidden")); - ClientPrincipal.createForRequest(req, clientIds, permissions); + ClientPrincipal.attachToRequest(req, clientIds, permissions); return Optional.empty(); } diff --git a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cloud/CloudTokenDataPlaneFilter.java b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cloud/CloudTokenDataPlaneFilter.java index 582aa2c8aee..6597f10198d 100644 --- a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cloud/CloudTokenDataPlaneFilter.java +++ b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cloud/CloudTokenDataPlaneFilter.java @@ -89,7 +89,7 @@ public class CloudTokenDataPlaneFilter extends JsonSecurityRequestFilterBase { if (permission == null) return Optional.of(new ErrorResponse(Response.Status.FORBIDDEN, "Forbidden")); var requestTokenHash = requestTokenHash(bearerToken); var clientIds = new TreeSet<String>(); - var permissions = new TreeSet<Permission>(); + var permissions = EnumSet.noneOf(Permission.class); var matchedTokens = new HashSet<TokenVersion>(); for (Client c : allowedClients) { if (!c.permissions().contains(permission)) continue; @@ -107,13 +107,11 @@ public class CloudTokenDataPlaneFilter extends JsonSecurityRequestFilterBase { .formatted(matchedTokens.stream().map(TokenVersion::id).toList())); return Optional.of(new ErrorResponse(Response.Status.FORBIDDEN, "Forbidden")); } - var matchedToken = matchedTokens.stream().findAny().orElse(null); - if (matchedToken != null) { - addAccessLogEntry(req, "token.id", matchedToken.id()); - addAccessLogEntry(req, "token.hash", matchedToken.fingerprint().toDelimitedHexString()); - addAccessLogEntry(req, "token.exp", matchedToken.expiration().map(Instant::toString).orElse("<none>")); - } - ClientPrincipal.createForRequest(req, clientIds, permissions); + var matchedToken = matchedTokens.stream().findAny().get(); + addAccessLogEntry(req, "token.id", matchedToken.id()); + addAccessLogEntry(req, "token.hash", matchedToken.fingerprint().toDelimitedHexString()); + addAccessLogEntry(req, "token.exp", matchedToken.expiration().map(Instant::toString).orElse("<none>")); + ClientPrincipal.attachToRequest(req, clientIds, permissions); return Optional.empty(); } |