From 5eb436554c43ccc2d4b97421733b206081b2681d Mon Sep 17 00:00:00 2001
From: Harald Musum
Date: Fri, 24 Jan 2020 14:17:13 +0100
Subject: Revert "Bjorncs/update zpe"

---
 .../security/athenz/AthenzAuthorizationFilter.java | 5 +-
 .../athenz/AthenzAuthorizationFilterTest.java | 12 ++-
 .../yahoo/vespa/athenz/api/AthenzAccessToken.java | 46 -----------
 .../vespa/athenz/zpe/AuthorizationResult.java | 96 ++++++----------------
 .../com/yahoo/vespa/athenz/zpe/DefaultZpe.java | 38 +-------
 .../main/java/com/yahoo/vespa/athenz/zpe/Zpe.java | 2 -
 6 files changed, 38 insertions(+), 161 deletions(-)
 delete mode 100644 vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/AthenzAccessToken.java

diff --git a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilter.java b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilter.java
index 9151aa1b693..74e0ee36959 100644
--- a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilter.java
+++ b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilter.java
@@ -121,12 +121,11 @@ public class AthenzAuthorizationFilter extends JsonSecurityRequestFilterBase {
 ZpeCheck accessCheck,
 Function principalFactory) {
 AuthorizationResult authorizationResult = accessCheck.checkAccess(credentials, resAndAction.resourceName(), resAndAction.action());
- if (authorizationResult.type() == AuthorizationResult.Type.ALLOW) {
+ if (authorizationResult == AuthorizationResult.ALLOW) {
 request.setUserPrincipal(principalFactory.apply(credentials));
- authorizationResult.matchedRole().ifPresent(role -> request.setUserRoles(new String[] {role.roleName()}));
 return Optional.empty();
 }
- return Optional.of(new ErrorResponse(Response.Status.FORBIDDEN, "Access forbidden: " + authorizationResult.type().getDescription()));
+ return Optional.of(new ErrorResponse(Response.Status.FORBIDDEN, "Access forbidden: " + authorizationResult.getDescription()));
 }
 private static AthenzPrincipal createPrincipal(X509Certificate certificate) {
diff --git a/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilterTest.java b/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilterTest.java
index 197ba89f3e3..b81b26d458b 100644
--- a/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilterTest.java
+++ b/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilterTest.java
@@ -5,7 +5,6 @@ import com.yahoo.container.jdisc.RequestHandlerTestDriver;
 import com.yahoo.jdisc.Response;
 import com.yahoo.jdisc.http.filter.DiscFilterRequest;
 import com.yahoo.vespa.athenz.api.AthenzResourceName;
-import com.yahoo.vespa.athenz.api.AthenzRole;
 import com.yahoo.vespa.athenz.api.ZToken;
 import com.yahoo.vespa.athenz.zpe.AuthorizationResult;
 import com.yahoo.vespa.athenz.zpe.Zpe;
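Review bot: The restored 403 path still echoes `authorizationResult.getDescription()` to the caller, and on the new side that is the string form of the wrapped ZPE `AccessCheckStatus`, so the response body distinguishes denial reasons such as DENY_DOMAIN_NOT_FOUND from DENY_ROLETOKEN_EXPIRED. Whether an unauthorized caller should see that level of detail is worth deciding explicitly; the usual defensive pattern is to log the status server-side and return a constant body, e.g. `return Optional.of(new ErrorResponse(Response.Status.FORBIDDEN, "Access forbidden"));`. The enclosing method's signature and any logger it can reach are above the hunk, so I cannot tell whether the reason is already logged elsewhere.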
@@ -15,7 +14,6 @@ import org.mockito.Mockito;
 import java.security.cert.X509Certificate;
 import static com.yahoo.jdisc.http.filter.security.athenz.AthenzAuthorizationFilterConfig.CredentialsToVerify.Enum.ANY;
-import static com.yahoo.vespa.athenz.zpe.AuthorizationResult.*;
 import static java.util.Collections.emptyList;
 import static org.hamcrest.CoreMatchers.containsString;
 import static org.junit.Assert.assertEquals;
@@ -66,7 +64,7 @@ public class AthenzAuthorizationFilterTest {
 assertNotNull(response);
 assertEquals(403, response.getStatus());
 String content = responseHandler.readAll();
- assertThat(content, containsString(Type.DENY.getDescription()));
+ assertThat(content, containsString(AuthorizationResult.DENY.getDescription()));
 }
 private static DiscFilterRequest createRequest() {
@@ -82,24 +80,24 @@ public class AthenzAuthorizationFilterTest {
 static class AllowingZpe implements Zpe {
 @Override
 public AuthorizationResult checkAccessAllowed(ZToken roleToken, AthenzResourceName resourceName, String action) {
- return new AuthorizationResult(Type.ALLOW, new AthenzRole(resourceName.getDomain(), "rolename"));
+ return AuthorizationResult.ALLOW;
 }
 @Override
 public AuthorizationResult checkAccessAllowed(X509Certificate roleCertificate, AthenzResourceName resourceName, String action) {
- return new AuthorizationResult(Type.ALLOW, new AthenzRole(resourceName.getDomain(), "rolename"));
+ return AuthorizationResult.ALLOW;
 }
 }
 static class DenyingZpe implements Zpe {
 @Override
 public AuthorizationResult checkAccessAllowed(ZToken roleToken, AthenzResourceName resourceName, String action) {
- return new AuthorizationResult(Type.DENY);
+ return AuthorizationResult.DENY;
 }
 @Override
 public AuthorizationResult checkAccessAllowed(X509Certificate roleCertificate, AthenzResourceName resourceName, String action) {
- return new AuthorizationResult(Type.DENY);
+ return AuthorizationResult.DENY;
 }
 }
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/AthenzAccessToken.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/AthenzAccessToken.java
deleted file mode 100644
index 86deb0b59b3..00000000000
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/AthenzAccessToken.java
+++ /dev/null
@@ -1,46 +0,0 @@
-// Copyright 2020 Oath Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.vespa.athenz.api;
-
-import java.util.Objects;
-
-/**
- * Represents an Athenz Access Token
- *
- * @author bjorncs
- */
-public class AthenzAccessToken {
-
- public static final String HTTP_HEADER_NAME = "Authorization";
-
- private static final String BEARER_TOKEN_PREFIX = "Bearer ";
-
- private final String value;
-
- public AthenzAccessToken(String value) {
- this.value = stripBearerTokenPrefix(value);
- }
-
- private static String stripBearerTokenPrefix(String rawValue) {
- String stripped = rawValue.strip();
- return stripped.startsWith(BEARER_TOKEN_PREFIX)
- ? stripped.substring(BEARER_TOKEN_PREFIX.length())
- : stripped;
- }
-
- public String value() { return value; }
-
- @Override public String toString() { return "AthenzAccessToken{value='" + value + "'}"; }
-
- @Override
- public boolean equals(Object o) {
- if (this == o) return true;
- if (o == null || getClass() != o.getClass()) return false;
- AthenzAccessToken that = (AthenzAccessToken) o;
- return Objects.equals(value, that.value);
- }
-
- @Override
- public int hashCode() {
- return Objects.hash(value);
- }
-}
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/AuthorizationResult.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/AuthorizationResult.java
index 28001e8e8d2..faf05011af9 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/AuthorizationResult.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/AuthorizationResult.java
@@ -2,87 +2,45 @@
 package com.yahoo.vespa.athenz.zpe;
 import com.yahoo.athenz.zpe.AuthZpeClient.AccessCheckStatus;
-import com.yahoo.vespa.athenz.api.AthenzRole;
 import java.util.Arrays;
-import java.util.Objects;
-import java.util.Optional;
 /**
 * The various types of access control results.
 *
 * @author bjorncs
 */
-public class AuthorizationResult {
-
- private final Type type;
- private final AthenzRole matchedRole;
-
- public AuthorizationResult(Type type) {
- this(type, null);
- }
-
- public AuthorizationResult(Type type, AthenzRole matchedRole) {
- this.type = type;
- this.matchedRole = matchedRole;
- }
-
- public Type type() { return type; }
- public Optional matchedRole() { return Optional.ofNullable(matchedRole); }
-
- public enum Type {
- ALLOW(AccessCheckStatus.ALLOW),
- DENY(AccessCheckStatus.DENY),
- DENY_NO_MATCH(AccessCheckStatus.DENY_NO_MATCH),
- DENY_ROLETOKEN_EXPIRED(AccessCheckStatus.DENY_ROLETOKEN_EXPIRED),
- DENY_ROLETOKEN_INVALID(AccessCheckStatus.DENY_ROLETOKEN_INVALID),
- DENY_DOMAIN_MISMATCH(AccessCheckStatus.DENY_DOMAIN_MISMATCH),
- DENY_DOMAIN_NOT_FOUND(AccessCheckStatus.DENY_DOMAIN_NOT_FOUND),
- DENY_DOMAIN_EXPIRED(AccessCheckStatus.DENY_DOMAIN_EXPIRED),
- DENY_DOMAIN_EMPTY(AccessCheckStatus.DENY_DOMAIN_EMPTY),
- DENY_INVALID_PARAMETERS(AccessCheckStatus.DENY_INVALID_PARAMETERS),
- DENY_CERT_MISMATCH_ISSUER(AccessCheckStatus.DENY_CERT_MISMATCH_ISSUER),
- DENY_CERT_MISSING_SUBJECT(AccessCheckStatus.DENY_CERT_MISSING_SUBJECT),
- DENY_CERT_MISSING_DOMAIN(AccessCheckStatus.DENY_CERT_MISSING_DOMAIN),
- DENY_CERT_MISSING_ROLE_NAME(AccessCheckStatus.DENY_CERT_MISSING_ROLE_NAME);
-
- private final AccessCheckStatus wrappedElement;
-
- Type(AccessCheckStatus wrappedElement) {
- this.wrappedElement = wrappedElement;
- }
-
- public String getDescription() {
- return wrappedElement.toString();
- }
-
- static Type fromAccessCheckStatus(AccessCheckStatus accessCheckStatus) {
- return Arrays.stream(values())
- .filter(value -> value.wrappedElement == accessCheckStatus)
- .findFirst()
- .orElseThrow(() -> new IllegalArgumentException("Unknown status: " + accessCheckStatus));
- }
+public enum AuthorizationResult {
+ ALLOW(AccessCheckStatus.ALLOW),
+ DENY(AccessCheckStatus.DENY),
+ DENY_NO_MATCH(AccessCheckStatus.DENY_NO_MATCH),
+ DENY_ROLETOKEN_EXPIRED(AccessCheckStatus.DENY_ROLETOKEN_EXPIRED),
+ DENY_ROLETOKEN_INVALID(AccessCheckStatus.DENY_ROLETOKEN_INVALID),
+ DENY_DOMAIN_MISMATCH(AccessCheckStatus.DENY_DOMAIN_MISMATCH),
+ DENY_DOMAIN_NOT_FOUND(AccessCheckStatus.DENY_DOMAIN_NOT_FOUND),
+ DENY_DOMAIN_EXPIRED(AccessCheckStatus.DENY_DOMAIN_EXPIRED),
+ DENY_DOMAIN_EMPTY(AccessCheckStatus.DENY_DOMAIN_EMPTY),
+ DENY_INVALID_PARAMETERS(AccessCheckStatus.DENY_INVALID_PARAMETERS),
+ DENY_CERT_MISMATCH_ISSUER(AccessCheckStatus.DENY_CERT_MISMATCH_ISSUER),
+ DENY_CERT_MISSING_SUBJECT(AccessCheckStatus.DENY_CERT_MISSING_SUBJECT),
+ DENY_CERT_MISSING_DOMAIN(AccessCheckStatus.DENY_CERT_MISSING_DOMAIN),
+ DENY_CERT_MISSING_ROLE_NAME(AccessCheckStatus.DENY_CERT_MISSING_ROLE_NAME);
+
+ private final AccessCheckStatus wrappedElement;
+
+ AuthorizationResult(AccessCheckStatus wrappedElement) {
+ this.wrappedElement = wrappedElement;
 }
- @Override
- public String toString() {
- return "AuthorizationResult{" +
- "type=" + type +
- ", matchedRole=" + matchedRole +
- '}';
+ public String getDescription() {
+ return wrappedElement.toString();
 }
- @Override
- public boolean equals(Object o) {
- if (this == o) return true;
- if (o == null || getClass() != o.getClass()) return false;
- AuthorizationResult that = (AuthorizationResult) o;
- return type == that.type &&
- Objects.equals(matchedRole, that.matchedRole);
+ static AuthorizationResult fromAccessCheckStatus(AccessCheckStatus accessCheckStatus) {
+ return Arrays.stream(values())
+ .filter(value -> value.wrappedElement == accessCheckStatus)
+ .findFirst()
+ .orElseThrow(() -> new IllegalArgumentException("Unknown status: " + accessCheckStatus));
 }
- @Override
- public int hashCode() {
- return Objects.hash(type, matchedRole);
- }
 }
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/DefaultZpe.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/DefaultZpe.java
index 47ae45a69ca..29044111ada 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/DefaultZpe.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/DefaultZpe.java
@@ -2,11 +2,8 @@
 package com.yahoo.vespa.athenz.zpe;
 import com.yahoo.athenz.zpe.AuthZpeClient;
-import com.yahoo.vespa.athenz.api.AthenzAccessToken;
 import com.yahoo.vespa.athenz.api.AthenzResourceName;
-import com.yahoo.vespa.athenz.api.AthenzRole;
 import com.yahoo.vespa.athenz.api.ZToken;
-import com.yahoo.vespa.athenz.zpe.AuthorizationResult.Type;
 import java.security.cert.X509Certificate;
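Review bot: `fromAccessCheckStatus` on the new side throws `IllegalArgumentException` for any `AccessCheckStatus` this enum does not mirror, so a status added to the ZPE library later would escape `DefaultZpe.checkAccessAllowed` (both overloads in the DefaultZpe hunk below) as an exception instead of a deny result. That is fail-closed only as long as nothing upstream catches and ignores it, and it turns a 403 into whatever the container does with an uncaught exception, so the policy should be explicit either way. One shape is a one-time lookup table that folds unmapped statuses into `DENY` (sketched below; needs `java.util.Map` and `java.util.stream.Collectors` imports), which also stops cloning and scanning `values()` on every access check. If throwing is the intended behaviour, keep it but say so on the method: `/** Maps a ZPE status to a result; throws IllegalArgumentException for statuses this enum does not mirror, which callers must treat as a denial. */`.
```java
// … unchanged: enum constants, wrappedElement field, constructor, getDescription …

private static final Map<AccessCheckStatus, AuthorizationResult> BY_STATUS =
        Arrays.stream(values()).collect(Collectors.toMap(result -> result.wrappedElement, result -> result));

static AuthorizationResult fromAccessCheckStatus(AccessCheckStatus accessCheckStatus) {
    AuthorizationResult result = BY_STATUS.get(accessCheckStatus);
    // Fail closed: a status this enum does not mirror is still a denial, never an allow
    return result != null ? result : DENY;
}
```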
@@ -24,41 +21,14 @@ public class DefaultZpe implements Zpe {
 @Override
 public AuthorizationResult checkAccessAllowed(ZToken roleToken, AthenzResourceName resourceName, String action) {
- StringBuilder returnedMatchedRole = new StringBuilder();
- AuthZpeClient.AccessCheckStatus rawResult =
- AuthZpeClient.allowAccess(roleToken.getRawToken(), resourceName.toResourceNameString(), action, returnedMatchedRole);
- return createResult(returnedMatchedRole, rawResult, resourceName);
+ return AuthorizationResult.fromAccessCheckStatus(
+ AuthZpeClient.allowAccess(roleToken.getRawToken(), resourceName.toResourceNameString(), action));
 }
 @Override
 public AuthorizationResult checkAccessAllowed(X509Certificate roleCertificate, AthenzResourceName resourceName, String action) {
- StringBuilder returnedMatchedRole = new StringBuilder();
- AuthZpeClient.AccessCheckStatus rawResult =
- AuthZpeClient.allowAccess(roleCertificate, resourceName.toResourceNameString(), action, returnedMatchedRole);
- return createResult(returnedMatchedRole, rawResult, resourceName);
- }
-
- @Override
- public AuthorizationResult checkAccessAllowed(
- AthenzAccessToken accessToken, X509Certificate identityCertificate, AthenzResourceName resourceName, String action) {
- StringBuilder returnedMatchedRole = new StringBuilder();
- AuthZpeClient.AccessCheckStatus rawResult =
- AuthZpeClient.allowAccess(
- accessToken.value(), identityCertificate, /*certHash*/null, resourceName.toResourceNameString(), action, returnedMatchedRole);
- return createResult(returnedMatchedRole, rawResult, resourceName);
- }
-
- private static AuthorizationResult createResult(
- StringBuilder matchedRole, AuthZpeClient.AccessCheckStatus rawResult, AthenzResourceName resourceName) {
- return new AuthorizationResult(Type.fromAccessCheckStatus(rawResult), toRole(matchedRole, resourceName));
- }
-
- private static AthenzRole toRole(StringBuilder rawRole, AthenzResourceName resourceName) {
- if (rawRole.length() == 0) {
- return null;
- } else {
- return new AthenzRole(resourceName.getDomain(), rawRole.toString());
- }
+ return AuthorizationResult.fromAccessCheckStatus(
+ AuthZpeClient.allowAccess(roleCertificate, resourceName.toResourceNameString(), action));
 }
 }
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/Zpe.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/Zpe.java
index 51e5ee4dbb1..e22e27f1508 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/Zpe.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/Zpe.java
@@ -1,7 +1,6 @@
 // Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.vespa.athenz.zpe;
-import com.yahoo.vespa.athenz.api.AthenzAccessToken;
 import com.yahoo.vespa.athenz.api.AthenzResourceName;
 import com.yahoo.vespa.athenz.api.ZToken;
@@ -15,5 +14,4 @@ import java.security.cert.X509Certificate;
 public interface Zpe {
 AuthorizationResult checkAccessAllowed(ZToken roleToken, AthenzResourceName resourceName, String action);
 AuthorizationResult checkAccessAllowed(X509Certificate roleCertificate, AthenzResourceName resourceName, String action);
- AuthorizationResult checkAccessAllowed(AthenzAccessToken accessToken, X509Certificate identityCertificate, AthenzResourceName resourceName, String action);
 }
-- cgit v1.2.3