From 861c507d4f3432f149807008675eeab217ba84b3 Mon Sep 17 00:00:00 2001
From: Bjørn Christian Seime
Date: Thu, 16 Jan 2020 15:09:07 +0100
Subject: Return the matched role in checkAccessAllowed methods Rewrite AuthorizationResult to specify result type as a inner Type enum. Add matched role to AuthorizationResult. Propagate matched role to request object in AthenzAuthorizationFilter.
---
 .../security/athenz/AthenzAuthorizationFilterTest.java | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
(limited to 'jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security')
diff --git a/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilterTest.java b/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilterTest.java
index b81b26d458b..197ba89f3e3 100644
--- a/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilterTest.java
+++ b/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilterTest.java
@@ -5,6 +5,7 @@ import com.yahoo.container.jdisc.RequestHandlerTestDriver;
 import com.yahoo.jdisc.Response;
 import com.yahoo.jdisc.http.filter.DiscFilterRequest;
 import com.yahoo.vespa.athenz.api.AthenzResourceName;
+import com.yahoo.vespa.athenz.api.AthenzRole;
 import com.yahoo.vespa.athenz.api.ZToken;
 import com.yahoo.vespa.athenz.zpe.AuthorizationResult;
 import com.yahoo.vespa.athenz.zpe.Zpe;
@@ -14,6 +15,7 @@ import org.mockito.Mockito;
 import java.security.cert.X509Certificate;
 import static com.yahoo.jdisc.http.filter.security.athenz.AthenzAuthorizationFilterConfig.CredentialsToVerify.Enum.ANY;
+import static com.yahoo.vespa.athenz.zpe.AuthorizationResult.*;
 import static java.util.Collections.emptyList;
 import static org.hamcrest.CoreMatchers.containsString;
 import static org.junit.Assert.assertEquals;
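Review bot: The wildcard static import added in the second import hunk, `import static com.yahoo.vespa.athenz.zpe.AuthorizationResult.*;`, pulls every static member of AuthorizationResult into the test's namespace although the visible changes only use `Type`. A named import, `import com.yahoo.vespa.athenz.zpe.AuthorizationResult.Type;`, makes it obvious where `Type.ALLOW` and `Type.DENY` come from and avoids accidental shadowing if AuthorizationResult later gains more static members. This assumes Type is a nested enum of AuthorizationResult, as the commit message describes; its declaration is not part of this page.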
@@ -64,7 +66,7 @@ public class AthenzAuthorizationFilterTest {
 assertNotNull(response);
 assertEquals(403, response.getStatus());
 String content = responseHandler.readAll();
- assertThat(content, containsString(AuthorizationResult.DENY.getDescription()));
+ assertThat(content, containsString(Type.DENY.getDescription()));
 }
 private static DiscFilterRequest createRequest() {
@@ -80,24 +82,24 @@ public class AthenzAuthorizationFilterTest {
 static class AllowingZpe implements Zpe {
 @Override
 public AuthorizationResult checkAccessAllowed(ZToken roleToken, AthenzResourceName resourceName, String action) {
- return AuthorizationResult.ALLOW;
+ return new AuthorizationResult(Type.ALLOW, new AthenzRole(resourceName.getDomain(), "rolename"));
 }
 @Override
 public AuthorizationResult checkAccessAllowed(X509Certificate roleCertificate, AthenzResourceName resourceName, String action) {
- return AuthorizationResult.ALLOW;
+ return new AuthorizationResult(Type.ALLOW, new AthenzRole(resourceName.getDomain(), "rolename"));
 }
 }
 static class DenyingZpe implements Zpe {
 @Override
 public AuthorizationResult checkAccessAllowed(ZToken roleToken, AthenzResourceName resourceName, String action) {
- return AuthorizationResult.DENY;
+ return new AuthorizationResult(Type.DENY);
 }
 @Override
 public AuthorizationResult checkAccessAllowed(X509Certificate roleCertificate, AthenzResourceName resourceName, String action) {
- return AuthorizationResult.DENY;
+ return new AuthorizationResult(Type.DENY);
 }
 }
-- cgit v1.2.3
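Review bot: Nothing in this test file asserts on the matched role that the commit sets out to propagate. The diffstat's seven insertions are the two imports and the five replaced lines, so the AllowingZpe stub now returns a role named "rolename" that no assertion reads back. Because code behind the filter may come to rely on that value, the allow-path test should check that the filtered request carries `new AthenzRole(<resource domain>, "rolename")`. The deny-path test should check that no matched role is attached when the stub returns `new AuthorizationResult(Type.DENY)`. The test methods and the accessor for the propagated role are outside these hunks, so the exact assertion has to follow the filter-side change, and sharing the literal through a constant would keep stub and assertion from drifting apart.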