Example 1 with AthenzDomain
use of com.yahoo.vespa.athenz.api.AthenzDomain in project vespa by vespa-engine.
the class ApplicationApiTest method testAuthorization.
@Test
public void testAuthorization() throws Exception {
ContainerTester tester = new ContainerTester(container, responseFiles);
UserId authorizedUser = USER_ID;
UserId unauthorizedUser = new UserId("othertenant");
// Mutation without an user is disallowed
tester.assertResponse(request("/application/v4/tenant/tenant1", POST).data("{\"athensDomain\":\"domain1\", \"property\":\"property1\"}"), "{\n \"message\" : \"Not authenticated\"\n}", 401);
// ... but read methods are allowed for authenticated user
tester.assertResponse(request("/application/v4/tenant/", GET).userIdentity(USER_ID).data("{\"athensDomain\":\"domain1\", \"property\":\"property1\"}"), "[]", 200);
createAthenzDomainWithAdmin(ATHENZ_TENANT_DOMAIN, USER_ID);
// Creating a tenant for an Athens domain the user is not admin for is disallowed
tester.assertResponse(request("/application/v4/tenant/tenant1", POST).data("{\"athensDomain\":\"domain1\", \"property\":\"property1\"}").userIdentity(unauthorizedUser), "{\"error-code\":\"FORBIDDEN\",\"message\":\"The user 'user.othertenant' is not admin in Athenz domain 'domain1'\"}", 403);
// (Create it with the right tenant id)
tester.assertResponse(request("/application/v4/tenant/tenant1", POST).data("{\"athensDomain\":\"domain1\", \"property\":\"property1\"}").userIdentity(authorizedUser).nToken(N_TOKEN), new File("tenant-without-applications.json"), 200);
// Creating an application for an Athens domain the user is not admin for is disallowed
tester.assertResponse(request("/application/v4/tenant/tenant1/application/application1", POST).userIdentity(unauthorizedUser).nToken(N_TOKEN), "{\n \"message\" : \"Tenant admin or Vespa operator role required\"\n}", 403);
// (Create it with the right tenant id)
tester.assertResponse(request("/application/v4/tenant/tenant1/application/application1", POST).userIdentity(authorizedUser).nToken(N_TOKEN), new File("application-reference.json"), 200);
// Deploy to an authorized zone by a user tenant is disallowed
HttpEntity entity = createApplicationDeployData(applicationPackage, Optional.empty());
tester.assertResponse(request("/application/v4/tenant/tenant1/application/application1/environment/prod/region/us-west-1/instance/default/deploy", POST).data(entity).userIdentity(USER_ID), "{\n \"message\" : \"'user.myuser' is not a Screwdriver identity. Only Screwdriver is allowed to deploy to this environment.\"\n}", 403);
// Deleting an application for an Athens domain the user is not admin for is disallowed
tester.assertResponse(request("/application/v4/tenant/tenant1/application/application1", DELETE).userIdentity(unauthorizedUser), "{\n \"message\" : \"Tenant admin or Vespa operator role required\"\n}", 403);
// (Deleting it with the right tenant id)
tester.assertResponse(request("/application/v4/tenant/tenant1/application/application1", DELETE).userIdentity(authorizedUser).nToken(N_TOKEN), "", 200);
// Updating a tenant for an Athens domain the user is not admin for is disallowed
tester.assertResponse(request("/application/v4/tenant/tenant1", PUT).data("{\"athensDomain\":\"domain1\", \"property\":\"property1\"}").userIdentity(unauthorizedUser), "{\n \"message\" : \"Tenant admin or Vespa operator role required\"\n}", 403);
// Change Athens domain
createAthenzDomainWithAdmin(new AthenzDomain("domain2"), USER_ID);
tester.assertResponse(request("/application/v4/tenant/tenant1", PUT).data("{\"athensDomain\":\"domain2\", \"property\":\"property1\"}").userIdentity(authorizedUser).nToken(N_TOKEN), "{\"tenant\":\"tenant1\",\"type\":\"ATHENS\",\"athensDomain\":\"domain2\",\"property\":\"property1\",\"applications\":[]}", 200);
// Deleting a tenant for an Athens domain the user is not admin for is disallowed
tester.assertResponse(request("/application/v4/tenant/tenant1", DELETE).userIdentity(unauthorizedUser), "{\n \"message\" : \"Tenant admin or Vespa operator role required\"\n}", 403);
}
Also used :
HttpEntity(org.apache.http.HttpEntity)
AthenzDomain(com.yahoo.vespa.athenz.api.AthenzDomain)
UserId(com.yahoo.vespa.hosted.controller.api.identifiers.UserId)
ContainerTester(com.yahoo.vespa.hosted.controller.restapi.ContainerTester)
File(java.io.File)
ControllerContainerTest(com.yahoo.vespa.hosted.controller.restapi.ControllerContainerTest)
Test(org.junit.Test)
Example 2 with AthenzDomain
use of com.yahoo.vespa.athenz.api.AthenzDomain in project vespa by vespa-engine.
the class ControllerTester method createDomain.
public AthenzDomain createDomain(String domainName) {
AthenzDomain domain = new AthenzDomain(domainName);
athenzDb.addDomain(new AthenzDbMock.Domain(domain));
return domain;
}
Also used :
AthenzDomain(com.yahoo.vespa.athenz.api.AthenzDomain)
AthenzDbMock(com.yahoo.vespa.hosted.controller.athenz.mock.AthenzDbMock)
Example 3 with AthenzDomain
use of com.yahoo.vespa.athenz.api.AthenzDomain in project vespa by vespa-engine.
the class AthenzIdentitiesTest method athenz_identity_is_parsed_from_dot_separated_string.
@Test
public void athenz_identity_is_parsed_from_dot_separated_string() {
AthenzIdentity expectedIdentity = new AthenzService(new AthenzDomain("my.subdomain"), "myservicename");
String fullName = expectedIdentity.getFullName();
AthenzIdentity actualIdentity = AthenzIdentities.from(fullName);
assertEquals(expectedIdentity, actualIdentity);
}
Also used :
AthenzService(com.yahoo.vespa.athenz.api.AthenzService)
AthenzDomain(com.yahoo.vespa.athenz.api.AthenzDomain)
AthenzIdentity(com.yahoo.vespa.athenz.api.AthenzIdentity)
Test(org.junit.Test)
Example 4 with AthenzDomain
use of com.yahoo.vespa.athenz.api.AthenzDomain in project vespa by vespa-engine.
the class AthenzIdentities method from.
public static AthenzIdentity from(String fullName) {
int domainIdentityNameSeparatorIndex = fullName.lastIndexOf('.');
if (domainIdentityNameSeparatorIndex == -1 || domainIdentityNameSeparatorIndex == 0 || domainIdentityNameSeparatorIndex == fullName.length() - 1) {
throw new IllegalArgumentException("Invalid Athenz identity: " + fullName);
}
AthenzDomain domain = new AthenzDomain(fullName.substring(0, domainIdentityNameSeparatorIndex));
String identityName = fullName.substring(domainIdentityNameSeparatorIndex + 1, fullName.length());
return from(domain, identityName);
}
Also used :
AthenzDomain(com.yahoo.vespa.athenz.api.AthenzDomain)
Example 5 with AthenzDomain
use of com.yahoo.vespa.athenz.api.AthenzDomain in project vespa by vespa-engine.
the class ApplicationApiHandler method createTenant.
private HttpResponse createTenant(String tenantName, HttpRequest request) {
if (new TenantId(tenantName).isUser())
return ErrorResponse.badRequest("Use User API to create user tenants.");
Inspector requestData = toSlime(request.getData()).get();
Tenant tenant = new Tenant(new TenantId(tenantName), optional("property", requestData).map(Property::new), optional("athensDomain", requestData).map(AthenzDomain::new), optional("propertyId", requestData).map(PropertyId::new));
if (tenant.isAthensTenant())
throwIfNotAthenzDomainAdmin(new AthenzDomain(mandatory("athensDomain", requestData).asString()), request);
NToken token = getUserPrincipal(request).getNToken().orElseThrow(() -> new IllegalArgumentException("Could not create " + tenant + ": No NToken provided"));
controller.tenants().createAthenzTenant(tenant, token);
return tenant(tenant, request, true);
}
Also used :
TenantId(com.yahoo.vespa.hosted.controller.api.identifiers.TenantId)
Tenant(com.yahoo.vespa.hosted.controller.api.Tenant)
AthenzDomain(com.yahoo.vespa.athenz.api.AthenzDomain)
NToken(com.yahoo.vespa.athenz.api.NToken)
Inspector(com.yahoo.slime.Inspector)
Aggregations
AthenzDomain (com.yahoo.vespa.athenz.api.AthenzDomain)15
Tenant (com.yahoo.vespa.hosted.controller.api.Tenant)5
TenantId (com.yahoo.vespa.hosted.controller.api.identifiers.TenantId)4
AthenzDbMock (com.yahoo.vespa.hosted.controller.athenz.mock.AthenzDbMock)3
Test (org.junit.Test)3
ApplicationId (com.yahoo.config.provision.ApplicationId)2
Inspector (com.yahoo.slime.Inspector)2
Property (com.yahoo.vespa.hosted.controller.api.identifiers.Property)2
UserId (com.yahoo.vespa.hosted.controller.api.identifiers.UserId)2
AthenzClientFactoryMock (com.yahoo.vespa.hosted.controller.athenz.mock.AthenzClientFactoryMock)2
ContainerTester (com.yahoo.vespa.hosted.controller.restapi.ContainerTester)2
ControllerContainerTest (com.yahoo.vespa.hosted.controller.restapi.ControllerContainerTest)2
File (java.io.File)2
HttpEntity (org.apache.http.HttpEntity)2
PrincipalToken (com.yahoo.athenz.auth.token.PrincipalToken)1
Cursor (com.yahoo.slime.Cursor)1
Slime (com.yahoo.slime.Slime)1
AthenzIdentity (com.yahoo.vespa.athenz.api.AthenzIdentity)1
AthenzPrincipal (com.yahoo.vespa.athenz.api.AthenzPrincipal)1
AthenzService (com.yahoo.vespa.athenz.api.AthenzService)1
