Example 6 with AthenzPrincipal

Use of com.yahoo.vespa.athenz.api.AthenzPrincipal in project vespa by vespa-engine.

The class AthenzPrincipalFilter, method filter.

@Override
public void filter(DiscFilterRequest request, ResponseHandler responseHandler) {
    try {
        // Identity asserted by the client certificate, if one was presented.
        Optional<AthenzPrincipal> certificatePrincipal = getClientCertificate(request)
                .map(AthenzIdentities::from)
                .map(AthenzPrincipal::new);
        // Identity asserted by the principal token (NToken) header, validated by the NTokenValidator.
        Optional<AthenzPrincipal> nTokenPrincipal = getPrincipalToken(request, principalTokenHeader)
                .map(validator::validate);
        // Reject requests that carry neither credential.
        if (!certificatePrincipal.isPresent() && !nTokenPrincipal.isPresent()) {
            String errorMessage = "Unable to authenticate Athenz identity. "
                    + "Either client certificate or principal token is required.";
            sendErrorResponse(responseHandler, Response.Status.UNAUTHORIZED, errorMessage);
            return;
        }
        // When both credentials are present they must assert the same identity;
        // a token for one identity over a certificate for another is rejected.
        if (certificatePrincipal.isPresent() && nTokenPrincipal.isPresent()
                && !certificatePrincipal.get().getIdentity().equals(nTokenPrincipal.get().getIdentity())) {
            String errorMessage = String.format(
                    "Identity in principal token does not match x509 CN: token-identity=%s, cert-identity=%s",
                    nTokenPrincipal.get().getIdentity().getFullName(),
                    certificatePrincipal.get().getIdentity().getFullName());
            sendErrorResponse(responseHandler, Response.Status.UNAUTHORIZED, errorMessage);
            return;
        }
        // Prefer the token principal (it carries the NToken); otherwise use the certificate principal.
        AthenzPrincipal principal = nTokenPrincipal.orElseGet(certificatePrincipal::get);
        request.setUserPrincipal(principal);
        request.setRemoteUser(principal.getName());
    } catch (Exception e) {
        // Any failure during validation (bad signature, expired token, unknown key) yields 401.
        sendErrorResponse(responseHandler, Response.Status.UNAUTHORIZED, e.getMessage());
    }
}
Also used : AthenzPrincipal(com.yahoo.vespa.athenz.api.AthenzPrincipal)

Example 7 with AthenzPrincipal

Use of com.yahoo.vespa.athenz.api.AthenzPrincipal in project vespa by vespa-engine.

The class AthenzFilterMock, method filter.

@Override
public void filter(DiscFilterRequest request, ResponseHandler handler) {
    // Test-only mock: the identity is taken directly from a request header instead of
    // being derived from a client certificate or a validated token.
    if (request.getMethod().equalsIgnoreCase("OPTIONS"))
        return;
    String identityName = request.getHeader(IDENTITY_HEADER_NAME);
    String nToken = request.getHeader(ATHENZ_NTOKEN_HEADER_NAME);
    if (identityName == null) {
        sendErrorResponse(handler, HttpResponse.Status.UNAUTHORIZED, "Not authenticated");
    } else {
        AthenzIdentity identity = AthenzIdentities.from(identityName);
        // Attach the raw NToken to the principal when the header is present.
        AthenzPrincipal principal = nToken == null
                ? new AthenzPrincipal(identity)
                : new AthenzPrincipal(identity, new NToken(nToken));
        request.setUserPrincipal(principal);
    }
}
Also used : NToken(com.yahoo.vespa.athenz.api.NToken) AthenzIdentity(com.yahoo.vespa.athenz.api.AthenzIdentity) AthenzPrincipal(com.yahoo.vespa.athenz.api.AthenzPrincipal)

Example 8 with AthenzPrincipal

Use of com.yahoo.vespa.athenz.api.AthenzPrincipal in project vespa by vespa-engine.

The class AthenzPrincipalFilterTest, method conflicting_ntoken_and_certificate_is_unauthorized.

@Test
public void conflicting_ntoken_and_certificate_is_unauthorized() {
    DiscFilterRequest request = mock(DiscFilterRequest.class);
    // The certificate names a different identity than the (valid) token does.
    AthenzUser conflictingIdentity = AthenzUser.fromUserId("mallory");
    when(request.getHeader(ATHENZ_PRINCIPAL_HEADER)).thenReturn(NTOKEN.getRawToken());
    when(request.getClientCertificateChain())
            .thenReturn(singletonList(createSelfSignedCertificate(conflictingIdentity)));
    when(validator.validate(NTOKEN)).thenReturn(new AthenzPrincipal(IDENTITY));
    ResponseHandlerMock responseHandler = new ResponseHandlerMock();
    AthenzPrincipalFilter filter = new AthenzPrincipalFilter(validator, Runnable::run, ATHENZ_PRINCIPAL_HEADER);
    filter.filter(request, responseHandler);
    // The filter must refuse the request rather than pick one of the two identities.
    assertUnauthorized(responseHandler, "Identity in principal token does not match x509 CN");
}
Also used : AthenzPrincipal(com.yahoo.vespa.athenz.api.AthenzPrincipal) DiscFilterRequest(com.yahoo.jdisc.http.filter.DiscFilterRequest) AthenzUser(com.yahoo.vespa.athenz.api.AthenzUser) Test(org.junit.Test)

Example 9 with AthenzPrincipal

Use of com.yahoo.vespa.athenz.api.AthenzPrincipal in project vespa by vespa-engine.

The class NTokenValidatorTest, method valid_token_is_accepted.

@Test
public void valid_token_is_accepted() throws NoSuchAlgorithmException, InvalidTokenException {
    NTokenValidator validator = new NTokenValidator(createKeystore());
    // Token signed with the trusted key under key id "0", issued now (not expired).
    NToken token = createNToken(IDENTITY, Instant.now(), TRUSTED_KEY.getPrivate(), "0");
    AthenzPrincipal principal = validator.validate(token);
    assertEquals("user.myuser", principal.getIdentity().getFullName());
}
Also used : NToken(com.yahoo.vespa.athenz.api.NToken) AthenzPrincipal(com.yahoo.vespa.athenz.api.AthenzPrincipal) Test(org.junit.Test)

Example 10 with AthenzPrincipal

Use of com.yahoo.vespa.athenz.api.AthenzPrincipal in project vespa by vespa-engine.

The class NTokenValidator, method validate.

AthenzPrincipal validate(NToken token) throws InvalidTokenException {
    // Parse the raw token into its fields (domain, name, key id, signature, expiry).
    PrincipalToken principalToken = new PrincipalToken(token.getRawToken());
    // Resolve the ZMS public key named by the token's key id; unknown key ids are rejected.
    PublicKey zmsPublicKey = getPublicKey(principalToken.getKeyId())
            .orElseThrow(() -> new InvalidTokenException("NToken has an unknown keyId"));
    // Verify the signature with that key and check the token has not expired.
    validateSignatureAndExpiration(principalToken, zmsPublicKey);
    return new AthenzPrincipal(
            AthenzIdentities.from(new AthenzDomain(principalToken.getDomain()), principalToken.getName()),
            token);
}
Also used : InvalidTokenException(com.yahoo.vespa.hosted.controller.api.integration.athenz.InvalidTokenException) AthenzDomain(com.yahoo.vespa.athenz.api.AthenzDomain) PublicKey(java.security.PublicKey) AthenzPrincipal(com.yahoo.vespa.athenz.api.AthenzPrincipal) PrincipalToken(com.yahoo.athenz.auth.token.PrincipalToken)
