diff --git a/src/main/java/biz/nynja/account/permissions/PermissionsInterceptor.java b/src/main/java/biz/nynja/account/permissions/PermissionsInterceptor.java index 9b731b258f1ff891383ab94247b8a153d24dfbb4..63c7b1de41e34d79b0b3cf34e1424473204e5455 100644 --- a/src/main/java/biz/nynja/account/permissions/PermissionsInterceptor.java +++ b/src/main/java/biz/nynja/account/permissions/PermissionsInterceptor.java @@ -74,31 +74,47 @@ public class PermissionsInterceptor implements ServerInterceptor { * Expected metadata is "Authorization" : "Bearer --accessTokenValue--" so we can skip validation as istio won't * allow this request through */ - String accessToken = (headers.get(ACCESS_TOKEN_METADATA).split(" "))[1]; - String rpc = getRpcName(call); boolean permitted = false; Context ctx = null; String[] requestingRoles = null; + String rpc = getRpcName(call); + + String metadataEntry = headers.get(ACCESS_TOKEN_METADATA); + if (metadataEntry == null) { + permissionDenied(call, headers, "Permission denied for rpc {}. Access token not in headers", rpc ); + return NOOP_LISTENER; + } + String[] parts = metadataEntry.split(" "); + if (parts.length < 2) { + permissionDenied(call, headers, "Permission denied for rpc {}. Access token not in headers", rpc ); + return NOOP_LISTENER; + } + String accessToken = parts[1]; + if (accessToken == null && accessToken.isEmpty()) { permissionDenied(call, headers, "Permission denied for rpc {}. Access token not in headers", rpc ); + return NOOP_LISTENER; } ctx = Context.current().withValue(ACCESS_TOKEN_CTX, accessToken); DecodedJWT decodedToken = JWT.decode(accessToken); if (!accessPointAvailable(accessToken, decodedToken, rpc)) { permissionDenied(call, headers, "Permission denied for rpc {}. No access point available for this account and access token.", rpc ); + return NOOP_LISTENER; } requestingRoles = getRolesFromAccessToken(decodedToken); if (requestingRoles == null) { permissionDenied(call, headers, "Permission denied for rpc {}. No roles found for requesting account in access token.", rpc ); + return NOOP_LISTENER; } Method method = getMethod(rpc); if (method == null) { permissionDenied(call, headers, "Permission denied for rpc {}. Could not identify the method implementing this rpc.", rpc ); + return NOOP_LISTENER; } Permitted[] permittedRoles = method.getAnnotationsByType(Permitted.class); @@ -176,11 +192,10 @@ public class PermissionsInterceptor implements ServerInterceptor { return false; } - private ServerCall.Listener permissionDenied(ServerCall call, Metadata headers, String message, String rpc ) { + private void permissionDenied(ServerCall call, Metadata headers, String message, String rpc ) { logger.error(message, rpc); call.close(Status.PERMISSION_DENIED.withDescription("An unauthorized call was made to " + rpc + "."), headers); - return NOOP_LISTENER; } }