From ed652e9623ebb72b706227ee0b039b8df8725229 Mon Sep 17 00:00:00 2001
From: Stoyan Tzenkov
Date: Mon, 11 Feb 2019 16:43:42 +0200
Subject: [PATCH] NY-6885: Additional validation in the interceptor.

Signed-off-by: Stoyan Tzenkov
---
.../permissions/PermissionsInterceptor.java | 23 +++++++++++++++----
1 file changed, 19 insertions(+), 4 deletions(-)

diff --git a/src/main/java/biz/nynja/account/permissions/PermissionsInterceptor.java b/src/main/java/biz/nynja/account/permissions/PermissionsInterceptor.java
index 9b731b2..63c7b1d 100644
--- a/src/main/java/biz/nynja/account/permissions/PermissionsInterceptor.java
+++ b/src/main/java/biz/nynja/account/permissions/PermissionsInterceptor.java
@@ -74,31 +74,47 @@ public class PermissionsInterceptor implements ServerInterceptor { * Expected metadata is "Authorization" : "Bearer --accessTokenValue--" so we can skip validation as istio won't * allow this request through */ - String accessToken = (headers.get(ACCESS_TOKEN_METADATA).split(" "))[1]; - String rpc = getRpcName(call); boolean permitted = false; Context ctx = null; String[] requestingRoles = null; + String rpc = getRpcName(call); + + String metadataEntry = headers.get(ACCESS_TOKEN_METADATA); + if (metadataEntry == null) { + permissionDenied(call, headers, "Permission denied for rpc {}. Access token not in headers", rpc ); + return NOOP_LISTENER; + } + String[] parts = metadataEntry.split(" "); + if (parts.length < 2) { + permissionDenied(call, headers, "Permission denied for rpc {}. Access token not in headers", rpc ); + return NOOP_LISTENER; + } + String accessToken = parts[1]; + if (accessToken == null && accessToken.isEmpty()) { permissionDenied(call, headers, "Permission denied for rpc {}. Access token not in headers", rpc ); + return NOOP_LISTENER; } ctx = Context.current().withValue(ACCESS_TOKEN_CTX, accessToken); DecodedJWT decodedToken = JWT.decode(accessToken); if (!accessPointAvailable(accessToken, decodedToken, rpc)) { permissionDenied(call, headers, "Permission denied for rpc {}. No access point available for this account and access token.", rpc ); + return NOOP_LISTENER; } requestingRoles = getRolesFromAccessToken(decodedToken); if (requestingRoles == null) { permissionDenied(call, headers, "Permission denied for rpc {}. No roles found for requesting account in access token.", rpc ); + return NOOP_LISTENER; } Method method = getMethod(rpc); if (method == null) { permissionDenied(call, headers, "Permission denied for rpc {}. Could not identify the method implementing this rpc.", rpc ); + return NOOP_LISTENER; } Permitted[] permittedRoles = method.getAnnotationsByType(Permitted.class); 
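Review bot: The guard `if (accessToken == null && accessToken.isEmpty())` that follows `String accessToken = parts[1];` can never reject a token: with `&&` it throws a NullPointerException on null and is false for every other value, so an empty second field (for instance when the header has two spaces after the scheme) goes straight into `JWT.decode`. It should read `if (accessToken == null || accessToken.isEmpty()) {`. Nothing visible in the hunk handles the exception `JWT.decode` raises for a malformed token, so that path presumably also needs to end in `permissionDenied(...)` followed by `return NOOP_LISTENER;`. The comment at the top of the hunk still says validation can be skipped because Istio blocks such requests, which no longer matches the code; since `JWT.decode` only parses the token and does not verify its signature, the comment should state that signature checking is delegated to the mesh. The enclosing method starts and ends outside the hunk.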
@@ -176,11 +192,10 @@ public class PermissionsInterceptor implements ServerInterceptor { return false; } - private ServerCall.Listener permissionDenied(ServerCall call, Metadata headers, String message, String rpc ) { + private void permissionDenied(ServerCall call, Metadata headers, String message, String rpc ) { logger.error(message, rpc); call.close(Status.PERMISSION_DENIED.withDescription("An unauthorized call was made to " + rpc + "."), headers); - return NOOP_LISTENER; } } -- GitLab
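Review bot: `call.close(..., headers)` in `permissionDenied` passes the request's own `Metadata` back as the response trailers, so a denied call echoes the incoming `Authorization` entry and any other request metadata to the peer and to whatever proxies or logs record trailers. Passing a fresh object avoids that: `call.close(Status.PERMISSION_DENIED.withDescription("An unauthorized call was made to " + rpc + "."), new Metadata());`. Now that the method returns `void`, a short Javadoc such as `/** Logs the denial and closes the call with PERMISSION_DENIED; the caller must still return NOOP_LISTENER. */` would help keep future call sites from omitting the return.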