Example 1 with AthenzPrincipal

Use of com.yahoo.vespa.athenz.api.AthenzPrincipal in project vespa by vespa-engine.

Class ControllerAuthorizationFilterTest, method createRequest:

private static DiscFilterRequest createRequest(Method method, String path, AthenzIdentity identity) {
    DiscFilterRequest request = mock(DiscFilterRequest.class);
    when(request.getMethod()).thenReturn(method.name());
    when(request.getRequestURI()).thenReturn(path);
    when(request.getUserPrincipal()).thenReturn(new AthenzPrincipal(identity));
    return request;
}
Also used: AthenzPrincipal(com.yahoo.vespa.athenz.api.AthenzPrincipal) DiscFilterRequest(com.yahoo.jdisc.http.filter.DiscFilterRequest)

Example 2 with AthenzPrincipal

Use of com.yahoo.vespa.athenz.api.AthenzPrincipal in project vespa by vespa-engine.

Class AthenzPrincipalFilterTest, method valid_ntoken_is_accepted:

@Test
public void valid_ntoken_is_accepted() {
    DiscFilterRequest request = mock(DiscFilterRequest.class);
    AthenzPrincipal principal = new AthenzPrincipal(IDENTITY, NTOKEN);
    when(request.getHeader(ATHENZ_PRINCIPAL_HEADER)).thenReturn(NTOKEN.getRawToken());
    when(request.getClientCertificateChain()).thenReturn(emptyList());
    when(validator.validate(NTOKEN)).thenReturn(principal);
    AthenzPrincipalFilter filter = new AthenzPrincipalFilter(validator, Runnable::run, ATHENZ_PRINCIPAL_HEADER);
    filter.filter(request, new ResponseHandlerMock());
    verify(request).setUserPrincipal(principal);
}
Also used: AthenzPrincipal(com.yahoo.vespa.athenz.api.AthenzPrincipal) DiscFilterRequest(com.yahoo.jdisc.http.filter.DiscFilterRequest) Test(org.junit.Test)

Example 3 with AthenzPrincipal

Use of com.yahoo.vespa.athenz.api.AthenzPrincipal in project vespa by vespa-engine.

Class AthenzPrincipalFilterTest, method both_ntoken_and_certificate_is_accepted:

@Test
public void both_ntoken_and_certificate_is_accepted() {
    DiscFilterRequest request = mock(DiscFilterRequest.class);
    AthenzPrincipal principalWithToken = new AthenzPrincipal(IDENTITY, NTOKEN);
    when(request.getHeader(ATHENZ_PRINCIPAL_HEADER)).thenReturn(NTOKEN.getRawToken());
    when(request.getClientCertificateChain()).thenReturn(singletonList(CERTIFICATE));
    when(validator.validate(NTOKEN)).thenReturn(principalWithToken);
    ResponseHandlerMock responseHandler = new ResponseHandlerMock();
    AthenzPrincipalFilter filter = new AthenzPrincipalFilter(validator, Runnable::run, ATHENZ_PRINCIPAL_HEADER);
    filter.filter(request, responseHandler);
    verify(request).setUserPrincipal(principalWithToken);
}
Also used: AthenzPrincipal(com.yahoo.vespa.athenz.api.AthenzPrincipal) DiscFilterRequest(com.yahoo.jdisc.http.filter.DiscFilterRequest) Test(org.junit.Test)

Example 4 with AthenzPrincipal

Use of com.yahoo.vespa.athenz.api.AthenzPrincipal in project vespa by vespa-engine.

Class AthenzPrincipalFilterTest, method certificate_is_accepted:

@Test
public void certificate_is_accepted() {
    DiscFilterRequest request = mock(DiscFilterRequest.class);
    when(request.getHeader(ATHENZ_PRINCIPAL_HEADER)).thenReturn(null);
    when(request.getClientCertificateChain()).thenReturn(singletonList(CERTIFICATE));
    ResponseHandlerMock responseHandler = new ResponseHandlerMock();
    AthenzPrincipalFilter filter = new AthenzPrincipalFilter(validator, Runnable::run, ATHENZ_PRINCIPAL_HEADER);
    filter.filter(request, responseHandler);
    AthenzPrincipal expectedPrincipal = new AthenzPrincipal(IDENTITY);
    verify(request).setUserPrincipal(expectedPrincipal);
}
Also used: AthenzPrincipal(com.yahoo.vespa.athenz.api.AthenzPrincipal) DiscFilterRequest(com.yahoo.jdisc.http.filter.DiscFilterRequest) Test(org.junit.Test)

Example 5 with AthenzPrincipal

Use of com.yahoo.vespa.athenz.api.AthenzPrincipal in project vespa by vespa-engine.

Class ControllerAuthorizationFilter, method filter:

// NOTE: Be aware of the ordering of the path pattern matching. Semantics may change if the patterns are evaluated
// in different order.
@Override
public void filter(DiscFilterRequest request, ResponseHandler handler) {
    Method method = getMethod(request);
    if (isWhiteListedMethod(method))
        return;
    try {
        Path path = new Path(request.getRequestURI());
        AthenzPrincipal principal = getPrincipalOrThrow(request);
        if (isWhiteListedOperation(path, method)) {
            // no authz check
        } else if (isHostedOperatorOperation(path, method)) {
            verifyIsHostedOperator(principal);
        } else if (isTenantAdminOperation(path, method)) {
            verifyIsTenantAdmin(principal, getTenantId(path));
        } else if (isTenantPipelineOperation(path, method)) {
            verifyIsTenantPipelineOperator(principal, getTenantId(path), getApplicationName(path));
        } else {
            throw new ForbiddenException("No access control is explicitly declared for this api.");
        }
    } catch (WebApplicationException e) {
        authorizationResponseHandler.handle(handler, request, e);
    }
}
Also used: Path(com.yahoo.vespa.hosted.controller.restapi.Path) ForbiddenException(javax.ws.rs.ForbiddenException) WebApplicationException(javax.ws.rs.WebApplicationException) AthenzPrincipal(com.yahoo.vespa.athenz.api.AthenzPrincipal) Method(com.yahoo.jdisc.http.HttpRequest.Method)