use of com.yahoo.vespa.athenz.api.AthenzPrincipal in project vespa by vespa-engine.
the class ControllerAuthorizationFilterTest method createRequest.
private static DiscFilterRequest createRequest(Method method, String path, AthenzIdentity identity) {
    // Builds a minimal mocked request for the authorization filter tests: only the HTTP method,
    // the request URI and an already-authenticated principal are stubbed. Every other accessor
    // on the mock falls back to Mockito defaults (null / empty), so tests that rely on headers or
    // certificate chains must stub those themselves.
    DiscFilterRequest mocked = mock(DiscFilterRequest.class);
    String httpMethod = method.name();
    AthenzPrincipal principal = new AthenzPrincipal(identity);
    when(mocked.getMethod()).thenReturn(httpMethod);
    when(mocked.getRequestURI()).thenReturn(path);
    when(mocked.getUserPrincipal()).thenReturn(principal);
    return mocked;
}
use of com.yahoo.vespa.athenz.api.AthenzPrincipal in project vespa by vespa-engine.
the class AthenzPrincipalFilterTest method valid_ntoken_is_accepted.
@Test
public void valid_ntoken_is_accepted() {
    // Scenario: the request carries only an NToken in the principal header and no client
    // certificate chain. The (mocked) validator vouches for that token, so the filter is expected
    // to attach the validated principal to the request.
    AthenzPrincipal validated = new AthenzPrincipal(IDENTITY, NTOKEN);
    when(validator.validate(NTOKEN)).thenReturn(validated);

    DiscFilterRequest request = mock(DiscFilterRequest.class);
    when(request.getClientCertificateChain()).thenReturn(emptyList());
    when(request.getHeader(ATHENZ_PRINCIPAL_HEADER)).thenReturn(NTOKEN.getRawToken());

    // Runnable::run is passed where the filter presumably expects an executor, so any deferred
    // work runs inline and the verification below is not racy.
    AthenzPrincipalFilter filter = new AthenzPrincipalFilter(validator, Runnable::run, ATHENZ_PRINCIPAL_HEADER);
    filter.filter(request, new ResponseHandlerMock());

    verify(request).setUserPrincipal(validated);
}
use of com.yahoo.vespa.athenz.api.AthenzPrincipal in project vespa by vespa-engine.
the class AthenzPrincipalFilterTest method both_ntoken_and_certificate_is_accepted.
@Test
public void both_ntoken_and_certificate_is_accepted() {
    // Scenario: both credentials are present. The principal the filter is expected to set is the
    // token-derived one, i.e. the NToken path wins when a certificate chain is also supplied.
    // NOTE(review): both credentials resolve to the same IDENTITY here; the case where the
    // certificate identity differs from the token identity is not covered by this test.
    AthenzPrincipal expectedFromToken = new AthenzPrincipal(IDENTITY, NTOKEN);
    when(validator.validate(NTOKEN)).thenReturn(expectedFromToken);

    DiscFilterRequest request = mock(DiscFilterRequest.class);
    when(request.getHeader(ATHENZ_PRINCIPAL_HEADER)).thenReturn(NTOKEN.getRawToken());
    when(request.getClientCertificateChain()).thenReturn(singletonList(CERTIFICATE));

    // Runnable::run executes any deferred work synchronously (presumably an executor parameter).
    new AthenzPrincipalFilter(validator, Runnable::run, ATHENZ_PRINCIPAL_HEADER)
            .filter(request, new ResponseHandlerMock());

    verify(request).setUserPrincipal(expectedFromToken);
}
use of com.yahoo.vespa.athenz.api.AthenzPrincipal in project vespa by vespa-engine.
the class AthenzPrincipalFilterTest method certificate_is_accepted.
@Test
public void certificate_is_accepted() {
    // Scenario: no NToken header at all, only a client certificate chain. The filter is expected
    // to set a principal that carries the identity alone (no token), presumably extracted from
    // CERTIFICATE. The validator is deliberately left unstubbed: this path must not depend on it.
    // NOTE(review): the verify() below relies on AthenzPrincipal implementing value equality.
    DiscFilterRequest request = mock(DiscFilterRequest.class);
    when(request.getClientCertificateChain()).thenReturn(singletonList(CERTIFICATE));
    when(request.getHeader(ATHENZ_PRINCIPAL_HEADER)).thenReturn(null);

    AthenzPrincipal expectedFromCertificate = new AthenzPrincipal(IDENTITY);
    ResponseHandlerMock responseHandler = new ResponseHandlerMock();
    AthenzPrincipalFilter filter = new AthenzPrincipalFilter(validator, Runnable::run, ATHENZ_PRINCIPAL_HEADER);
    filter.filter(request, responseHandler);

    verify(request).setUserPrincipal(expectedFromCertificate);
}
use of com.yahoo.vespa.athenz.api.AthenzPrincipal in project vespa by vespa-engine.
the class ControllerAuthorizationFilter method filter.
// NOTE: The order of the path-pattern checks below is significant: a path may match more than one
// pattern and the first match wins, so reordering the checks can change which rule is enforced.
/**
 * Authenticates and authorizes a request against the controller's path/method access rules.
 * Whitelisted HTTP methods skip the filter entirely; everything else must present a principal
 * and then pass the first matching access rule. Requests that match no rule are rejected
 * (fail closed). Authorization failures are reported through {@code authorizationResponseHandler}.
 *
 * @param request the incoming request
 * @param handler the response handler used to emit an error response on rejection
 */
@Override
public void filter(DiscFilterRequest request, ResponseHandler handler) {
    Method method = getMethod(request);
    // Whitelisted HTTP methods bypass authentication AND authorization, so that list should be
    // limited to methods without security-relevant side effects.
    if (isWhiteListedMethod(method)) {
        return;
    }
    try {
        Path path = new Path(request.getRequestURI());
        // Authentication comes first: every non-whitelisted method requires a principal, including
        // the operations that are exempt from the authorization check.
        AthenzPrincipal principal = getPrincipalOrThrow(request);
        enforceAccessRule(principal, path, method);
    } catch (WebApplicationException e) {
        // Only WebApplicationException is translated into an error response here; any other
        // exception (e.g. from Path construction) propagates to the caller unchanged.
        authorizationResponseHandler.handle(handler, request, e);
    }
}

/**
 * Applies the path/method access rules in their declared order; the first matching rule wins.
 *
 * @throws WebApplicationException (e.g. {@link ForbiddenException}) when the principal is not
 *         allowed, or when no rule is declared for the requested api
 */
private void enforceAccessRule(AthenzPrincipal principal, Path path, Method method) {
    if (isWhiteListedOperation(path, method)) {
        return; // authenticated, but no further authorization required
    }
    if (isHostedOperatorOperation(path, method)) {
        verifyIsHostedOperator(principal);
    } else if (isTenantAdminOperation(path, method)) {
        verifyIsTenantAdmin(principal, getTenantId(path));
    } else if (isTenantPipelineOperation(path, method)) {
        verifyIsTenantPipelineOperator(principal, getTenantId(path), getApplicationName(path));
    } else {
        // Fail closed: an endpoint without an explicit rule is reachable by nobody.
        throw new ForbiddenException("No access control is explicitly declared for this api.");
    }
}