use of com.yahoo.vespa.athenz.api.AthenzPrincipal in project vespa by vespa-engine.
the class AthenzPrincipalFilter method filter.
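/**
 * Authenticates the request's Athenz identity from either the client certificate chain or
 * the principal token header, then attaches the resulting principal to the request.
 *
 * Both credential sources are consulted; when both are present they must name the same
 * identity, otherwise the request is rejected. Any failure (missing credentials, mismatch,
 * or an exception during token validation) results in a 401 response and the request is
 * not marked as authenticated.
 *
 * @param request         the incoming request (untrusted input)
 * @param responseHandler handler used to emit the error response on failure
 */
@Override
public void filter(DiscFilterRequest request, ResponseHandler responseHandler) {
    try {
        // Identity asserted by the client certificate chain, if one was presented.
        Optional<AthenzPrincipal> certificatePrincipal = getClientCertificate(request)
                .map(AthenzIdentities::from)
                .map(AthenzPrincipal::new);
        // Identity asserted by the principal token; the validator is expected to verify the
        // token (signature and expiry) before a principal is produced.
        Optional<AthenzPrincipal> nTokenPrincipal = getPrincipalToken(request, principalTokenHeader)
                .map(validator::validate);

        if (!certificatePrincipal.isPresent() && !nTokenPrincipal.isPresent()) {
            String errorMessage = "Unable to authenticate Athenz identity. " + "Either client certificate or principal token is required.";
            sendErrorResponse(responseHandler, Response.Status.UNAUTHORIZED, errorMessage);
            return;
        }
        // With two credentials the identities must agree; rejecting here prevents a valid
        // certificate from being paired with a token for a different identity (or vice versa).
        if (certificatePrincipal.isPresent() && nTokenPrincipal.isPresent()
                && !certificatePrincipal.get().getIdentity().equals(nTokenPrincipal.get().getIdentity())) {
            String errorMessage = String.format("Identity in principal token does not match x509 CN: token-identity=%s, cert-identity=%s", nTokenPrincipal.get().getIdentity().getFullName(), certificatePrincipal.get().getIdentity().getFullName());
            sendErrorResponse(responseHandler, Response.Status.UNAUTHORIZED, errorMessage);
            return;
        }
        // Prefer the token-derived principal (it carries the NToken); otherwise use the
        // certificate-derived one. At least one is present at this point.
        AthenzPrincipal principal = nTokenPrincipal.orElseGet(certificatePrincipal::get);
        request.setUserPrincipal(principal);
        request.setRemoteUser(principal.getName());
    } catch (Exception e) {
        // Every failure during validation is reported as 401. The exception message is
        // forwarded as before so validator errors stay informative, but an exception without
        // a message (e.g. an unexpected NullPointerException) would otherwise hand a null
        // message to sendErrorResponse; substitute a generic message in that case so the
        // client never sees "null" and no additional internal detail is exposed.
        String message = e.getMessage() != null ? e.getMessage() : "Unable to authenticate Athenz identity";
        sendErrorResponse(responseHandler, Response.Status.UNAUTHORIZED, message);
    }
}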
use of com.yahoo.vespa.athenz.api.AthenzPrincipal in project vespa by vespa-engine.
the class AthenzFilterMock method filter.
/**
 * Test double for the Athenz filter: instead of validating credentials it takes the identity
 * straight from a request header and, if present, wraps the raw NToken header unverified.
 *
 * OPTIONS requests are passed through untouched. A request without the identity header is
 * answered with 401 and no principal is set.
 *
 * @param request the request whose headers supply the fake identity
 * @param handler handler used to emit the 401 response
 */
@Override
public void filter(DiscFilterRequest request, ResponseHandler handler) {
    if (request.getMethod().equalsIgnoreCase("OPTIONS")) {
        return;
    }
    String identityHeader = request.getHeader(IDENTITY_HEADER_NAME);
    String rawToken = request.getHeader(ATHENZ_NTOKEN_HEADER_NAME);
    if (identityHeader == null) {
        sendErrorResponse(handler, HttpResponse.Status.UNAUTHORIZED, "Not authenticated");
        return;
    }
    AthenzIdentity identity = AthenzIdentities.from(identityHeader);
    AthenzPrincipal principal;
    if (rawToken == null) {
        principal = new AthenzPrincipal(identity);
    } else {
        // The token is attached as-is; this mock performs no signature or expiry check.
        principal = new AthenzPrincipal(identity, new NToken(rawToken));
    }
    request.setUserPrincipal(principal);
}
use of com.yahoo.vespa.athenz.api.AthenzPrincipal in project vespa by vespa-engine.
the class AthenzPrincipalFilterTest method conflicting_ntoken_and_certificate_is_unauthorized.
/**
 * A request carrying a valid NToken for one identity and a client certificate for a different
 * identity must be rejected: the filter may not pick either credential silently.
 */
@Test
public void conflicting_ntoken_and_certificate_is_unauthorized() {
    AthenzUser certificateIdentity = AthenzUser.fromUserId("mallory");
    DiscFilterRequest request = mock(DiscFilterRequest.class);
    // Token header names IDENTITY (via the validator stub), certificate names "mallory".
    when(request.getHeader(ATHENZ_PRINCIPAL_HEADER)).thenReturn(NTOKEN.getRawToken());
    when(request.getClientCertificateChain())
            .thenReturn(singletonList(createSelfSignedCertificate(certificateIdentity)));
    when(validator.validate(NTOKEN)).thenReturn(new AthenzPrincipal(IDENTITY));

    AthenzPrincipalFilter filterUnderTest =
            new AthenzPrincipalFilter(validator, Runnable::run, ATHENZ_PRINCIPAL_HEADER);
    ResponseHandlerMock capturedResponse = new ResponseHandlerMock();
    filterUnderTest.filter(request, capturedResponse);

    assertUnauthorized(capturedResponse, "Identity in principal token does not match x509 CN");
}
use of com.yahoo.vespa.athenz.api.AthenzPrincipal in project vespa by vespa-engine.
the class NTokenValidatorTest method valid_token_is_accepted.
/**
 * A freshly issued token signed with the trusted key validates and yields the expected
 * full identity name.
 */
@Test
public void valid_token_is_accepted() throws NoSuchAlgorithmException, InvalidTokenException {
    NToken freshToken = createNToken(IDENTITY, Instant.now(), TRUSTED_KEY.getPrivate(), "0");
    NTokenValidator validatorUnderTest = new NTokenValidator(createKeystore());

    AthenzPrincipal result = validatorUnderTest.validate(freshToken);

    String fullName = result.getIdentity().getFullName();
    assertEquals("user.myuser", fullName);
}
use of com.yahoo.vespa.athenz.api.AthenzPrincipal in project vespa by vespa-engine.
the class NTokenValidator method validate.
/**
 * Validates an NToken and returns the principal it asserts.
 *
 * The signing key is looked up by the token's key id; an unknown key id is rejected before
 * any signature check. The identity is read from the token only after the signature and
 * expiration have been validated, so an unverified token never produces a principal.
 *
 * @param token the raw NToken to validate
 * @return the principal (domain + name from the token) together with the token itself
 * @throws InvalidTokenException if the key id is unknown, or signature/expiration validation fails
 */
AthenzPrincipal validate(NToken token) throws InvalidTokenException {
    PrincipalToken parsedToken = new PrincipalToken(token.getRawToken());
    Optional<PublicKey> signingKey = getPublicKey(parsedToken.getKeyId());
    if (!signingKey.isPresent()) {
        throw new InvalidTokenException("NToken has an unknown keyId");
    }
    validateSignatureAndExpiration(parsedToken, signingKey.get());
    AthenzDomain domain = new AthenzDomain(parsedToken.getDomain());
    return new AthenzPrincipal(AthenzIdentities.from(domain, parsedToken.getName()), token);
}