update AzureIstioSecurityFilter to exclude roles when setting authentication
Type of change
- Bug Fix
- Feature
Does this introduce a change in the core logic?
- [NO]
Does this introduce a change in the cloud provider implementation, if so which cloud?
- AWS
- Azure
- GCP
- IBM
Does this introduce a breaking change?
- [NO]
What is the current behavior?
AzureIstioSecurityFilter sets roles when setting authentication. Passing roles is redundant, as the Partition service does not perform role checks on the SA token. If a user accidentally assigns the roles, then AzureIstioSecurityFilter throws the following error. The issue itself is caused by the spring-boot upgrade, as mentioned in this post:

    final JSONArray roles = Optional.ofNullable((JSONArray) claimsSet.getClaims().get("roles"))
            .filter(r -> !r.isEmpty())
            .orElse(DEFAULT_ROLE_CLAIM);

    java.lang.ClassCastException
    com.nimbusds.jose.shaded.json.JSONArray cannot be cast to net.minidev.json.JSONArray

What is the new/expected behavior?
AzureIstioSecurityFilter doesn't set roles when setting authentication. This will have no impact, as the Partition service does not perform role checks on the SA token. The Partition service only authorizes tokens of type service principal with an issuer with a v1 or v2 AAD URL.
Edited by Mina Otgonbold
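
The failure mode described above, as an added example that is not code from this merge request or the project: two array classes with the same simple name are unrelated types, so a cast written against one fails when the token library hands back the other. `MinidevJSONArray`, `ShadedJSONArray`, the `USER` default and the sample claim value are constructed stand-ins, and the sketch assumes the real array classes are `java.util.List` implementations, as json-smart's is.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Map;

public class RolesClaimDemo {
    // Constructed stand-ins for net.minidev.json.JSONArray and its relocated copy
    // com.nimbusds.jose.shaded.json.JSONArray: same shape, unrelated classes.
    static class MinidevJSONArray extends ArrayList<Object> {}
    static class ShadedJSONArray extends ArrayList<Object> {}

    // Placeholder default; the real DEFAULT_ROLE_CLAIM value is not shown on the page.
    static final List<String> DEFAULT_ROLE_CLAIM = List.of("USER");

    // Pattern from the description: cast the claim to one concrete array class.
    static List<String> rolesByCast(Map<String, Object> claims) {
        MinidevJSONArray roles = (MinidevJSONArray) claims.get("roles");
        return (roles == null || roles.isEmpty()) ? DEFAULT_ROLE_CLAIM : toStrings(roles);
    }

    // Type-agnostic read: depend on the Collection interface, never on the
    // concrete class, and fall back to the default for missing or odd values.
    static List<String> rolesByInterface(Map<String, Object> claims) {
        Object raw = claims.get("roles");
        if (raw instanceof Collection && !((Collection<?>) raw).isEmpty()) {
            return toStrings((Collection<?>) raw);
        }
        return DEFAULT_ROLE_CLAIM;
    }

    static List<String> toStrings(Collection<?> values) {
        List<String> out = new ArrayList<>();
        for (Object v : values) out.add(String.valueOf(v));
        return out;
    }

    public static void main(String[] args) {
        ShadedJSONArray fromToken = new ShadedJSONArray(); // what the upgraded library returns
        fromToken.add("constructed.sample.role");
        Map<String, Object> claims = Map.of("roles", fromToken);
        try {
            rolesByCast(claims);
        } catch (ClassCastException e) {
            System.out.println("cast-based read failed: " + e.getMessage());
        }
        System.out.println("interface-based read: " + rolesByInterface(claims));
        System.out.println("claim absent: " + rolesByInterface(Map.of()));
    }
}
```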