Diffstat (limited to 'jdisc-security-filters')
4 files changed, 10 insertions, 14 deletions
diff --git a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cloud/ClientPrincipal.java b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cloud/ClientPrincipal.java
index ea627b49d5d..bfb9bb920db 100644
--- a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cloud/ClientPrincipal.java
+++ b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cloud/ClientPrincipal.java
@@ -20,12 +20,11 @@ record ClientPrincipal(Set<String> ids, Set<Permission> permissions) implements
return "ids=%s,permissions=%s".formatted(ids, permissions.stream().map(Permission::asString).toList());
}
- static ClientPrincipal createForRequest(DiscFilterRequest req, Set<String> ids, Set<Permission> permissions) {
+ static void attachToRequest(DiscFilterRequest req, Set<String> ids, Set<Permission> permissions) {
var p = new ClientPrincipal(ids, permissions);
req.setUserPrincipal(p);
log.fine(() -> "Client with ids=%s, permissions=%s"
.formatted(ids, permissions.stream().map(Permission::asString).toList()));
- return p;
}
}
diff --git a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cloud/CloudDataPlaneFilter.java b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cloud/CloudDataPlaneFilter.java
index 88e70e953b3..379973cd8cf 100644
--- a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cloud/CloudDataPlaneFilter.java
+++ b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cloud/CloudDataPlaneFilter.java
@@ -85,7 +85,7 @@ public class CloudDataPlaneFilter extends JsonSecurityRequestFilterBase {
}
if (legacyMode) {
log.fine("Legacy mode validation complete");
- ClientPrincipal.createForRequest(req, Set.of(), Set.of(READ, WRITE));
+ ClientPrincipal.attachToRequest(req, Set.of(), Set.of(READ, WRITE));
return Optional.empty();
}
var permission = Permission.getRequiredPermission(req).orElse(null);
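Review bot: attachToRequest stores the caller's `ids` and `permissions` sets in the principal as-is (`var p = new ClientPrincipal(ids, permissions)`), and both callers in this diff hand it mutable locals (a TreeSet and an EnumSet), so any later mutation of those sets would silently change the principal already attached to the request unless the record's compact constructor copies them, which is not visible here. Since the principal is what downstream authorization decisions read, it should be immutable at the point of attachment: `var p = new ClientPrincipal(Set.copyOf(ids), Set.copyOf(permissions));` (or do the copy in the record's compact constructor so every construction path is covered). The surrounding toString at the top of the hunk starts outside it.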
@@ -100,7 +100,7 @@ public class CloudDataPlaneFilter extends JsonSecurityRequestFilterBase {
permissions.addAll(c.permissions());
}
if (clientIds.isEmpty()) return Optional.of(new ErrorResponse(Response.Status.FORBIDDEN, "Forbidden"));
- ClientPrincipal.createForRequest(req, clientIds, permissions);
+ ClientPrincipal.attachToRequest(req, clientIds, permissions);
return Optional.empty();
}
diff --git a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cloud/CloudTokenDataPlaneFilter.java b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cloud/CloudTokenDataPlaneFilter.java
index 582aa2c8aee..6597f10198d 100644
--- a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cloud/CloudTokenDataPlaneFilter.java
+++ b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cloud/CloudTokenDataPlaneFilter.java
@@ -89,7 +89,7 @@ public class CloudTokenDataPlaneFilter extends JsonSecurityRequestFilterBase {
if (permission == null) return Optional.of(new ErrorResponse(Response.Status.FORBIDDEN, "Forbidden"));
var requestTokenHash = requestTokenHash(bearerToken);
var clientIds = new TreeSet<String>();
- var permissions = new TreeSet<Permission>();
+ var permissions = EnumSet.noneOf(Permission.class);
var matchedTokens = new HashSet<TokenVersion>();
for (Client c : allowedClients) {
if (!c.permissions().contains(permission)) continue;
@@ -107,13 +107,11 @@ public class CloudTokenDataPlaneFilter extends JsonSecurityRequestFilterBase {
.formatted(matchedTokens.stream().map(TokenVersion::id).toList()));
return Optional.of(new ErrorResponse(Response.Status.FORBIDDEN, "Forbidden"));
}
- var matchedToken = matchedTokens.stream().findAny().orElse(null);
- if (matchedToken != null) {
- addAccessLogEntry(req, "token.id", matchedToken.id());
- addAccessLogEntry(req, "token.hash", matchedToken.fingerprint().toDelimitedHexString());
- addAccessLogEntry(req, "token.exp", matchedToken.expiration().map(Instant::toString).orElse("<none>"));
- }
- ClientPrincipal.createForRequest(req, clientIds, permissions);
+ var matchedToken = matchedTokens.stream().findAny().get();
+ addAccessLogEntry(req, "token.id", matchedToken.id());
+ addAccessLogEntry(req, "token.hash", matchedToken.fingerprint().toDelimitedHexString());
+ addAccessLogEntry(req, "token.exp", matchedToken.expiration().map(Instant::toString).orElse("<none>"));
+ ClientPrincipal.attachToRequest(req, clientIds, permissions);
return Optional.empty();
}
diff --git a/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/cloud/CloudTokenDataPlaneFilterTest.java b/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/cloud/CloudTokenDataPlaneFilterTest.java
index cac7818a1fc..a34d2eb67c3 100644
--- a/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/cloud/CloudTokenDataPlaneFilterTest.java
+++ b/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/cloud/CloudTokenDataPlaneFilterTest.java
@@ -73,7 +73,6 @@ class CloudTokenDataPlaneFilterTest {
@Test
void fails_on_handler_with_custom_request_spec_with_invalid_action() {
- // Spec that maps POST as action 'read'
var spec = RequestHandlerSpec.builder()
.withAclMapping(HttpMethodAclMapping.standard()
.override(Method.GET, Action.custom("custom")).build())
@@ -192,4 +191,4 @@ class CloudTokenDataPlaneFilterTest {
clock);
}
-}
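Review bot: The new `matchedTokens.stream().findAny().get()` is an unchecked Optional.get() whose safety rests entirely on the if-branch above returning FORBIDDEN when no token matched; that condition sits outside the hunk, so the invariant is invisible at the call site, and a future edit to that guard would turn this into a NoSuchElementException after the authorization decision rather than a clean 403. Make the invariant explicit where it is relied on: `var matchedToken = matchedTokens.stream().findAny().orElseThrow();` (or `.orElseThrow(() -> new IllegalStateException("no matched token after empty check"))`). Separately, matchedTokens is a HashSet filled in the loop above, so if more than one TokenVersion can match a request the token.id/token.hash written to the access log are chosen arbitrarily, which weakens forensic attribution; if that case is possible, log all matched ids (the FORBIDDEN branch already formats the full list) or assert the set has exactly one element. The enclosing filter method starts before this hunk.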
\ No newline at end of file +} |