Use of com.yahoo.vespa.athenz.api.AthenzUser in the vespa project by vespa-engine.
From the class AthenzPrincipalFilterTest, method conflicting_ntoken_and_certificate_is_unauthorized: a request presenting a valid principal token for one identity and a client certificate for another must be rejected as unauthorized.
@Test
public void conflicting_ntoken_and_certificate_is_unauthorized() {
    // The NToken validates to IDENTITY, but the TLS client certificate names a different user.
    // The filter must not let either credential win: the mismatch has to end in 401.
    AthenzUser certificateIdentity = AthenzUser.fromUserId("mallory");
    DiscFilterRequest request = mock(DiscFilterRequest.class);
    when(request.getHeader(ATHENZ_PRINCIPAL_HEADER)).thenReturn(NTOKEN.getRawToken());
    when(request.getClientCertificateChain())
            .thenReturn(singletonList(createSelfSignedCertificate(certificateIdentity)));
    when(validator.validate(NTOKEN)).thenReturn(new AthenzPrincipal(IDENTITY));

    // Runnable::run executes the filter's work synchronously so the response is ready to assert on.
    AthenzPrincipalFilter filter = new AthenzPrincipalFilter(validator, Runnable::run, ATHENZ_PRINCIPAL_HEADER);
    ResponseHandlerMock responseHandler = new ResponseHandlerMock();
    filter.filter(request, responseHandler);

    assertUnauthorized(responseHandler, "Identity in principal token does not match x509 CN");
}
Use of com.yahoo.vespa.athenz.api.AthenzUser in the vespa project by vespa-engine.
From the class UserAuthWithAthenzPrincipalFilter, method rewriteUserPrincipalToAthenz: replaces the request's already-established user principal with an AthenzPrincipal for the same user id.
/**
 * Replaces the request's current user principal with an {@link AthenzPrincipal} for the same user id,
 * and sets the remote user to that Athenz user's full name.
 *
 * <p>The caller must have set a user principal on the request already; none is null-checked here.
 *
 * <p>NOTE(review): the NToken attached to the new principal is taken verbatim from the
 * {@code principalHeaderName} request header. It is not validated in this method — it is the
 * already-authenticated user principal, not this header, that establishes who the caller is. Anything
 * downstream that reads the token off the AthenzPrincipal should not treat it as verified unless a
 * separate validator has checked it.
 *
 * @param request the request whose principal is rewritten in place
 */
private void rewriteUserPrincipalToAthenz(DiscFilterRequest request) {
    Principal original = request.getUserPrincipal();
    // Supplier form: the string is only built if DEBUG logging is enabled.
    log.log(LogLevel.DEBUG, () -> "Original user principal: " + original.toString());

    String userIdString = new UserId(original.getName()).id();
    AthenzUser athenzUser = AthenzUser.fromUserId(userIdString);
    request.setRemoteUser(athenzUser.getFullName());

    // Header absent -> no token on the principal; present -> wrapped unvalidated (see class note above).
    String rawToken = request.getHeader(principalHeaderName);
    NToken nToken = rawToken == null ? null : new NToken(rawToken);
    request.setUserPrincipal(new AthenzPrincipal(athenzUser, nToken));
}