Diffstat (limited to 'vespa-athenz')
-rw-r--r-- | vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/AuthorizationResult.java | 96 | ||||
-rw-r--r-- | vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/DefaultZpe.java | 27 |
2 files changed, 92 insertions, 31 deletions
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/AuthorizationResult.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/AuthorizationResult.java
index faf05011af9..28001e8e8d2 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/AuthorizationResult.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/AuthorizationResult.java
@@ -2,45 +2,87 @@ package com.yahoo.vespa.athenz.zpe;
 import com.yahoo.athenz.zpe.AuthZpeClient.AccessCheckStatus;
+import com.yahoo.vespa.athenz.api.AthenzRole;
 import java.util.Arrays;
+import java.util.Objects;
+import java.util.Optional;
 /**
  * The various types of access control results.
  *
  * @author bjorncs
  */
-public enum AuthorizationResult {
- ALLOW(AccessCheckStatus.ALLOW),
- DENY(AccessCheckStatus.DENY),
- DENY_NO_MATCH(AccessCheckStatus.DENY_NO_MATCH),
- DENY_ROLETOKEN_EXPIRED(AccessCheckStatus.DENY_ROLETOKEN_EXPIRED),
- DENY_ROLETOKEN_INVALID(AccessCheckStatus.DENY_ROLETOKEN_INVALID),
- DENY_DOMAIN_MISMATCH(AccessCheckStatus.DENY_DOMAIN_MISMATCH),
- DENY_DOMAIN_NOT_FOUND(AccessCheckStatus.DENY_DOMAIN_NOT_FOUND),
- DENY_DOMAIN_EXPIRED(AccessCheckStatus.DENY_DOMAIN_EXPIRED),
- DENY_DOMAIN_EMPTY(AccessCheckStatus.DENY_DOMAIN_EMPTY),
- DENY_INVALID_PARAMETERS(AccessCheckStatus.DENY_INVALID_PARAMETERS),
- DENY_CERT_MISMATCH_ISSUER(AccessCheckStatus.DENY_CERT_MISMATCH_ISSUER),
- DENY_CERT_MISSING_SUBJECT(AccessCheckStatus.DENY_CERT_MISSING_SUBJECT),
- DENY_CERT_MISSING_DOMAIN(AccessCheckStatus.DENY_CERT_MISSING_DOMAIN),
- DENY_CERT_MISSING_ROLE_NAME(AccessCheckStatus.DENY_CERT_MISSING_ROLE_NAME);
-
- private final AccessCheckStatus wrappedElement;
-
- AuthorizationResult(AccessCheckStatus wrappedElement) {
- this.wrappedElement = wrappedElement;
+public class AuthorizationResult {
+
+ private final Type type;
+ private final AthenzRole matchedRole;
+
+ public AuthorizationResult(Type type) {
+ this(type, null);
+ }
+
+ public AuthorizationResult(Type type, AthenzRole matchedRole) {
+ this.type = type;
+ this.matchedRole = matchedRole;
+ }
+
+ public Type type() { return type; }
+ public Optional<AthenzRole> matchedRole() { return Optional.ofNullable(matchedRole); }
+
+ public enum Type {
+ ALLOW(AccessCheckStatus.ALLOW),
+ DENY(AccessCheckStatus.DENY),
+ DENY_NO_MATCH(AccessCheckStatus.DENY_NO_MATCH),
+ DENY_ROLETOKEN_EXPIRED(AccessCheckStatus.DENY_ROLETOKEN_EXPIRED),
+ DENY_ROLETOKEN_INVALID(AccessCheckStatus.DENY_ROLETOKEN_INVALID),
+ DENY_DOMAIN_MISMATCH(AccessCheckStatus.DENY_DOMAIN_MISMATCH),
+ DENY_DOMAIN_NOT_FOUND(AccessCheckStatus.DENY_DOMAIN_NOT_FOUND),
+ DENY_DOMAIN_EXPIRED(AccessCheckStatus.DENY_DOMAIN_EXPIRED),
+ DENY_DOMAIN_EMPTY(AccessCheckStatus.DENY_DOMAIN_EMPTY),
+ DENY_INVALID_PARAMETERS(AccessCheckStatus.DENY_INVALID_PARAMETERS),
+ DENY_CERT_MISMATCH_ISSUER(AccessCheckStatus.DENY_CERT_MISMATCH_ISSUER),
+ DENY_CERT_MISSING_SUBJECT(AccessCheckStatus.DENY_CERT_MISSING_SUBJECT),
+ DENY_CERT_MISSING_DOMAIN(AccessCheckStatus.DENY_CERT_MISSING_DOMAIN),
+ DENY_CERT_MISSING_ROLE_NAME(AccessCheckStatus.DENY_CERT_MISSING_ROLE_NAME);
+
+ private final AccessCheckStatus wrappedElement;
+
+ Type(AccessCheckStatus wrappedElement) {
+ this.wrappedElement = wrappedElement;
+ }
+
+ public String getDescription() {
+ return wrappedElement.toString();
+ }
+
+ static Type fromAccessCheckStatus(AccessCheckStatus accessCheckStatus) {
+ return Arrays.stream(values())
+ .filter(value -> value.wrappedElement == accessCheckStatus)
+ .findFirst()
+ .orElseThrow(() -> new IllegalArgumentException("Unknown status: " + accessCheckStatus));
+ }
 }
- public String getDescription() {
- return wrappedElement.toString();
+ @Override
+ public String toString() {
+ return "AuthorizationResult{" +
+ "type=" + type +
+ ", matchedRole=" + matchedRole +
+ '}';
 }
- static AuthorizationResult fromAccessCheckStatus(AccessCheckStatus accessCheckStatus) {
- return Arrays.stream(values())
- .filter(value -> value.wrappedElement == accessCheckStatus)
- .findFirst()
- .orElseThrow(() -> new IllegalArgumentException("Unknown status: " + accessCheckStatus));
+ @Override
+ public boolean equals(Object o) {
+ if (this == o) return true;
+ if (o == null || getClass() != o.getClass()) return false;
+ AuthorizationResult that = (AuthorizationResult) o;
+ return type == that.type &&
+ Objects.equals(matchedRole, that.matchedRole);
 }
+ @Override
+ public int hashCode() {
+ return Objects.hash(type, matchedRole);
+ }
 }
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/DefaultZpe.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/DefaultZpe.java
index 29044111ada..579f9b1d9d4 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/DefaultZpe.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/DefaultZpe.java
@@ -3,7 +3,9 @@ package com.yahoo.vespa.athenz.zpe;
 import com.yahoo.athenz.zpe.AuthZpeClient;
 import com.yahoo.vespa.athenz.api.AthenzResourceName;
+import com.yahoo.vespa.athenz.api.AthenzRole;
 import com.yahoo.vespa.athenz.api.ZToken;
+import com.yahoo.vespa.athenz.zpe.AuthorizationResult.Type;
 import java.security.cert.X509Certificate;
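Review bot: The class-level Javadoc kept as context, `The various types of access control results.`, now describes the nested `Type` enum rather than `AuthorizationResult`, which after this hunk is a decision plus an optional matched role; move that sentence onto `Type` and give the class a summary such as `Outcome of a ZPE access check: the decision and, when ZPE reported one, the role that matched.` The two-argument constructor also stores `type` without a null check, so a null decision would only surface later when a caller switches on `type()`; `java.util.Objects` is already imported here, so `this.type = Objects.requireNonNull(type, "type");` keeps the decision mandatory while `matchedRole` stays optional by design. Comparing `type == that.type` in `equals` is fine since `Type` is an enum.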
@@ -21,14 +23,31 @@ public class DefaultZpe implements Zpe {
 @Override
 public AuthorizationResult checkAccessAllowed(ZToken roleToken, AthenzResourceName resourceName, String action) {
- return AuthorizationResult.fromAccessCheckStatus(
- AuthZpeClient.allowAccess(roleToken.getRawToken(), resourceName.toResourceNameString(), action));
+ StringBuilder returnedMatchedRole = new StringBuilder();
+ AuthZpeClient.AccessCheckStatus rawResult =
+ AuthZpeClient.allowAccess(roleToken.getRawToken(), resourceName.toResourceNameString(), action, returnedMatchedRole);
+ return createResult(returnedMatchedRole, rawResult, resourceName);
 }
 @Override
 public AuthorizationResult checkAccessAllowed(X509Certificate roleCertificate, AthenzResourceName resourceName, String action) {
- return AuthorizationResult.fromAccessCheckStatus(
- AuthZpeClient.allowAccess(roleCertificate, resourceName.toResourceNameString(), action));
+ StringBuilder returnedMatchedRole = new StringBuilder();
+ AuthZpeClient.AccessCheckStatus rawResult =
+ AuthZpeClient.allowAccess(roleCertificate, resourceName.toResourceNameString(), action, returnedMatchedRole);
+ return createResult(returnedMatchedRole, rawResult, resourceName);
+ }
+
+ private static AuthorizationResult createResult(
+ StringBuilder matchedRole, AuthZpeClient.AccessCheckStatus rawResult, AthenzResourceName resourceName) {
+ return new AuthorizationResult(Type.fromAccessCheckStatus(rawResult), toRole(matchedRole, resourceName));
+ }
+
+ private static AthenzRole toRole(StringBuilder rawRole, AthenzResourceName resourceName) {
+ if (rawRole.length() == 0) {
+ return null;
+ } else {
+ return new AthenzRole(resourceName.getDomain(), rawRole.toString());
+ }
 }
 }
|
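Review bot: `createResult` attaches the ZPE-reported role to the result whatever `rawResult` is, and `toRole` gives that role `resourceName.getDomain()` as its domain; neither choice is documented in the hunk. The domain choice presumably relies on `allowAccess` writing only a bare role name from the resource's own domain into the buffer — worth confirming against that method's contract, since a role attributed to the wrong domain would mislead any audit or logging built on `matchedRole()`. Suggest a comment on `toRole`: `// ZPE reports only the role name; the role is taken to live in the resource's domain`, and one on `createResult`: `// the matched role is attached for every decision, so a present role is not by itself an ALLOW`. As a point of style, `toRole` reads more directly as `return rawRole.length() == 0 ? null : new AthenzRole(resourceName.getDomain(), rawRole.toString());`.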