Diffstat (limited to 'jdisc-security-filters/src')
2 files changed, 10 insertions, 7 deletions
diff --git a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilter.java b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilter.java
index 74e0ee36959..9151aa1b693 100644
--- a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilter.java
+++ b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilter.java
@@ -121,11 +121,12 @@ public class AthenzAuthorizationFilter extends JsonSecurityRequestFilterBase {
 ZpeCheck<C> accessCheck,
 Function<C, AthenzPrincipal> principalFactory) {
 AuthorizationResult authorizationResult = accessCheck.checkAccess(credentials, resAndAction.resourceName(), resAndAction.action());
-if (authorizationResult == AuthorizationResult.ALLOW) {
+if (authorizationResult.type() == AuthorizationResult.Type.ALLOW) {
 request.setUserPrincipal(principalFactory.apply(credentials));
+authorizationResult.matchedRole().ifPresent(role -> request.setUserRoles(new String[] {role.roleName()}));
 return Optional.empty();
 }
-return Optional.of(new ErrorResponse(Response.Status.FORBIDDEN, "Access forbidden: " + authorizationResult.getDescription()));
+return Optional.of(new ErrorResponse(Response.Status.FORBIDDEN, "Access forbidden: " + authorizationResult.type().getDescription()));
 }
 private static AthenzPrincipal createPrincipal(X509Certificate certificate) {
diff --git a/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilterTest.java b/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilterTest.java
index b81b26d458b..197ba89f3e3 100644
--- a/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilterTest.java
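Review bot: The ALLOW branch now exposes only the matched role's short name via `request.setUserRoles(new String[] {role.roleName()})`, so the role's domain is dropped; if anything downstream keys on the request's roles, a comment such as `// Only the role that granted access is exposed, by short name (domain dropped)` would make that visible at the call site. When `matchedRole()` is empty on an ALLOW result the request's roles are left as they were, which is presumably fine if no earlier filter sets them, but that is worth confirming. The enclosing method's signature starts before this hunk.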
+++ b/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilterTest.java
@@ -5,6 +5,7 @@ import com.yahoo.container.jdisc.RequestHandlerTestDriver;
 import com.yahoo.jdisc.Response;
 import com.yahoo.jdisc.http.filter.DiscFilterRequest;
 import com.yahoo.vespa.athenz.api.AthenzResourceName;
+import com.yahoo.vespa.athenz.api.AthenzRole;
 import com.yahoo.vespa.athenz.api.ZToken;
 import com.yahoo.vespa.athenz.zpe.AuthorizationResult;
 import com.yahoo.vespa.athenz.zpe.Zpe;
@@ -14,6 +15,7 @@ import org.mockito.Mockito;
 import java.security.cert.X509Certificate;
 import static com.yahoo.jdisc.http.filter.security.athenz.AthenzAuthorizationFilterConfig.CredentialsToVerify.Enum.ANY;
+import static com.yahoo.vespa.athenz.zpe.AuthorizationResult.*;
 import static java.util.Collections.emptyList;
 import static org.hamcrest.CoreMatchers.containsString;
 import static org.junit.Assert.assertEquals;
@@ -64,7 +66,7 @@ public class AthenzAuthorizationFilterTest {
 assertNotNull(response);
 assertEquals(403, response.getStatus());
 String content = responseHandler.readAll();
-assertThat(content, containsString(AuthorizationResult.DENY.getDescription()));
+assertThat(content, containsString(Type.DENY.getDescription()));
 }
 private static DiscFilterRequest createRequest() {
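Review bot: The added `import static com.yahoo.vespa.athenz.zpe.AuthorizationResult.*;` is a wildcard import in a file whose other imports are all explicit, and the hunks only ever reference the nested `Type` enum. An explicit `import com.yahoo.vespa.athenz.zpe.AuthorizationResult.Type;` would cover the `Type.DENY` and `Type.ALLOW` uses without pulling every static member of `AuthorizationResult` into the test's namespace.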
@@ -80,24 +82,24 @@ public class AthenzAuthorizationFilterTest {
 static class AllowingZpe implements Zpe {
 @Override
 public AuthorizationResult checkAccessAllowed(ZToken roleToken, AthenzResourceName resourceName, String action) {
-return AuthorizationResult.ALLOW;
+return new AuthorizationResult(Type.ALLOW, new AthenzRole(resourceName.getDomain(), "rolename"));
 }
 @Override
 public AuthorizationResult checkAccessAllowed(X509Certificate roleCertificate, AthenzResourceName resourceName, String action) {
-return AuthorizationResult.ALLOW;
+return new AuthorizationResult(Type.ALLOW, new AthenzRole(resourceName.getDomain(), "rolename"));
 }
 }
 static class DenyingZpe implements Zpe {
 @Override
 public AuthorizationResult checkAccessAllowed(ZToken roleToken, AthenzResourceName resourceName, String action) {
-return new AuthorizationResult(Type.DENY);
+return new AuthorizationResult(Type.DENY);
 }
 @Override
 public AuthorizationResult checkAccessAllowed(X509Certificate roleCertificate, AthenzResourceName resourceName, String action) {
-return AuthorizationResult.DENY;
+return new AuthorizationResult(Type.DENY);
 }
 }
|
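Review bot: `AllowingZpe` now stubs a matched role named `"rolename"`, but no hunk in this commit asserts that the filter actually propagates it to the request, so the new `setUserRoles` call in `AthenzAuthorizationFilter` has no test covering it. The allow-path test is outside the visible hunks; since `org.mockito.Mockito` is imported and `createRequest()` exists, the request is presumably a mock, in which case an assertion along the lines of `Mockito.verify(request).setUserRoles(new String[] {"rolename"});` (argument matching for arrays may need `Mockito.eq` or `ArgumentCaptor`) would pin the behaviour. A second case with an ALLOW result and no matched role would also document that the request's roles are then left untouched.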