Example 1 with AthenzUser

Use of com.yahoo.vespa.athenz.api.AthenzUser in project vespa by vespa-engine.

Class AthenzPrincipalFilterTest, method conflicting_ntoken_and_certificate_is_unauthorized:

@Test
public void conflicting_ntoken_and_certificate_is_unauthorized() {
    DiscFilterRequest request = mock(DiscFilterRequest.class);
    // The NToken in the principal header validates to IDENTITY, but the client certificate
    // is issued to a different user; the filter must reject the request rather than trust either.
    AthenzUser conflictingIdentity = AthenzUser.fromUserId("mallory");
    when(request.getHeader(ATHENZ_PRINCIPAL_HEADER)).thenReturn(NTOKEN.getRawToken());
    when(request.getClientCertificateChain()).thenReturn(singletonList(createSelfSignedCertificate(conflictingIdentity)));
    when(validator.validate(NTOKEN)).thenReturn(new AthenzPrincipal(IDENTITY));
    ResponseHandlerMock responseHandler = new ResponseHandlerMock();
    AthenzPrincipalFilter filter = new AthenzPrincipalFilter(validator, Runnable::run, ATHENZ_PRINCIPAL_HEADER);
    filter.filter(request, responseHandler);
    // Expect 401 with the mismatch reason, not a principal derived from one of the two sources.
    assertUnauthorized(responseHandler, "Identity in principal token does not match x509 CN");
}
Also used: AthenzPrincipal (com.yahoo.vespa.athenz.api.AthenzPrincipal), DiscFilterRequest (com.yahoo.jdisc.http.filter.DiscFilterRequest), AthenzUser (com.yahoo.vespa.athenz.api.AthenzUser), Test (org.junit.Test)

Example 2 with AthenzUser

Use of com.yahoo.vespa.athenz.api.AthenzUser in project vespa by vespa-engine.

Class UserAuthWithAthenzPrincipalFilter, method rewriteUserPrincipalToAthenz:

private void rewriteUserPrincipalToAthenz(DiscFilterRequest request) {
    Principal userPrincipal = request.getUserPrincipal();
    log.log(LogLevel.DEBUG, () -> "Original user principal: " + userPrincipal.toString());
    // Map the already-authenticated user principal onto an Athenz user identity.
    UserId userId = new UserId(userPrincipal.getName());
    AthenzUser athenzIdentity = AthenzUser.fromUserId(userId.id());
    request.setRemoteUser(athenzIdentity.getFullName());
    // Carry the NToken along if the principal header is present; it may legitimately be absent here.
    NToken nToken = Optional.ofNullable(request.getHeader(principalHeaderName)).map(NToken::new).orElse(null);
    request.setUserPrincipal(new AthenzPrincipal(athenzIdentity, nToken));
}
Also used: UserId (com.yahoo.vespa.hosted.controller.api.identifiers.UserId), NToken (com.yahoo.vespa.athenz.api.NToken), AthenzPrincipal (com.yahoo.vespa.athenz.api.AthenzPrincipal), AthenzUser (com.yahoo.vespa.athenz.api.AthenzUser), Principal (java.security.Principal)

Aggregations (type, usage count across the examples above):

AthenzPrincipal (com.yahoo.vespa.athenz.api.AthenzPrincipal): 2
AthenzUser (com.yahoo.vespa.athenz.api.AthenzUser): 2
DiscFilterRequest (com.yahoo.jdisc.http.filter.DiscFilterRequest): 1
NToken (com.yahoo.vespa.athenz.api.NToken): 1
UserId (com.yahoo.vespa.hosted.controller.api.identifiers.UserId): 1
Principal (java.security.Principal): 1
Test (org.junit.Test): 1