Example 1 with AthenzDomain

Use of com.yahoo.vespa.athenz.api.AthenzDomain in project vespa by vespa-engine.

From the class ApplicationApiTest, method testAuthorization.

@Test
public void testAuthorization() throws Exception {
    ContainerTester tester = new ContainerTester(container, responseFiles);
    UserId authorizedUser = USER_ID;
    UserId unauthorizedUser = new UserId("othertenant");
    // Mutation without a user is disallowed
    tester.assertResponse(request("/application/v4/tenant/tenant1", POST).data("{\"athensDomain\":\"domain1\", \"property\":\"property1\"}"), "{\n  \"message\" : \"Not authenticated\"\n}", 401);
    // ... but read methods are allowed for authenticated user
    tester.assertResponse(request("/application/v4/tenant/", GET).userIdentity(USER_ID).data("{\"athensDomain\":\"domain1\", \"property\":\"property1\"}"), "[]", 200);
    createAthenzDomainWithAdmin(ATHENZ_TENANT_DOMAIN, USER_ID);
    // Creating a tenant for an Athens domain the user is not admin for is disallowed
    tester.assertResponse(request("/application/v4/tenant/tenant1", POST).data("{\"athensDomain\":\"domain1\", \"property\":\"property1\"}").userIdentity(unauthorizedUser), "{\"error-code\":\"FORBIDDEN\",\"message\":\"The user 'user.othertenant' is not admin in Athenz domain 'domain1'\"}", 403);
    // (Create it with the right tenant id)
    tester.assertResponse(request("/application/v4/tenant/tenant1", POST).data("{\"athensDomain\":\"domain1\", \"property\":\"property1\"}").userIdentity(authorizedUser).nToken(N_TOKEN), new File("tenant-without-applications.json"), 200);
    // Creating an application for an Athens domain the user is not admin for is disallowed
    tester.assertResponse(request("/application/v4/tenant/tenant1/application/application1", POST).userIdentity(unauthorizedUser).nToken(N_TOKEN), "{\n  \"message\" : \"Tenant admin or Vespa operator role required\"\n}", 403);
    // (Create it with the right tenant id)
    tester.assertResponse(request("/application/v4/tenant/tenant1/application/application1", POST).userIdentity(authorizedUser).nToken(N_TOKEN), new File("application-reference.json"), 200);
    // Deploy to an authorized zone by a user tenant is disallowed
    HttpEntity entity = createApplicationDeployData(applicationPackage, Optional.empty());
    tester.assertResponse(request("/application/v4/tenant/tenant1/application/application1/environment/prod/region/us-west-1/instance/default/deploy", POST).data(entity).userIdentity(USER_ID), "{\n  \"message\" : \"'user.myuser' is not a Screwdriver identity. Only Screwdriver is allowed to deploy to this environment.\"\n}", 403);
    // Deleting an application for an Athens domain the user is not admin for is disallowed
    tester.assertResponse(request("/application/v4/tenant/tenant1/application/application1", DELETE).userIdentity(unauthorizedUser), "{\n  \"message\" : \"Tenant admin or Vespa operator role required\"\n}", 403);
    // (Deleting it with the right tenant id)
    tester.assertResponse(request("/application/v4/tenant/tenant1/application/application1", DELETE).userIdentity(authorizedUser).nToken(N_TOKEN), "", 200);
    // Updating a tenant for an Athens domain the user is not admin for is disallowed
    tester.assertResponse(request("/application/v4/tenant/tenant1", PUT).data("{\"athensDomain\":\"domain1\", \"property\":\"property1\"}").userIdentity(unauthorizedUser), "{\n  \"message\" : \"Tenant admin or Vespa operator role required\"\n}", 403);
    // Change Athens domain
    createAthenzDomainWithAdmin(new AthenzDomain("domain2"), USER_ID);
    tester.assertResponse(request("/application/v4/tenant/tenant1", PUT).data("{\"athensDomain\":\"domain2\", \"property\":\"property1\"}").userIdentity(authorizedUser).nToken(N_TOKEN), "{\"tenant\":\"tenant1\",\"type\":\"ATHENS\",\"athensDomain\":\"domain2\",\"property\":\"property1\",\"applications\":[]}", 200);
    // Deleting a tenant for an Athens domain the user is not admin for is disallowed
    tester.assertResponse(request("/application/v4/tenant/tenant1", DELETE).userIdentity(unauthorizedUser), "{\n  \"message\" : \"Tenant admin or Vespa operator role required\"\n}", 403);
}
Also used: HttpEntity (org.apache.http.HttpEntity), AthenzDomain (com.yahoo.vespa.athenz.api.AthenzDomain), UserId (com.yahoo.vespa.hosted.controller.api.identifiers.UserId), ContainerTester (com.yahoo.vespa.hosted.controller.restapi.ContainerTester), File (java.io.File), ControllerContainerTest (com.yahoo.vespa.hosted.controller.restapi.ControllerContainerTest), Test (org.junit.Test)

Example 2 with AthenzDomain

Use of com.yahoo.vespa.athenz.api.AthenzDomain in project vespa by vespa-engine.

From the class ControllerTester, method createDomain.

public AthenzDomain createDomain(String domainName) {
    AthenzDomain domain = new AthenzDomain(domainName);
    // Register the domain in the mocked Athenz database so tests can assign admins to it
    athenzDb.addDomain(new AthenzDbMock.Domain(domain));
    return domain;
}
Also used: AthenzDomain (com.yahoo.vespa.athenz.api.AthenzDomain), AthenzDbMock (com.yahoo.vespa.hosted.controller.athenz.mock.AthenzDbMock)

Example 3 with AthenzDomain

Use of com.yahoo.vespa.athenz.api.AthenzDomain in project vespa by vespa-engine.

From the class AthenzIdentitiesTest, method athenz_identity_is_parsed_from_dot_separated_string.

@Test
public void athenz_identity_is_parsed_from_dot_separated_string() {
    // The domain itself contains a dot, so the parser must split on the last separator only
    AthenzIdentity expectedIdentity = new AthenzService(new AthenzDomain("my.subdomain"), "myservicename");
    String fullName = expectedIdentity.getFullName();
    AthenzIdentity actualIdentity = AthenzIdentities.from(fullName);
    assertEquals(expectedIdentity, actualIdentity);
}
Also used: AthenzService (com.yahoo.vespa.athenz.api.AthenzService), AthenzDomain (com.yahoo.vespa.athenz.api.AthenzDomain), AthenzIdentity (com.yahoo.vespa.athenz.api.AthenzIdentity), Test (org.junit.Test)

Example 4 with AthenzDomain

Use of com.yahoo.vespa.athenz.api.AthenzDomain in project vespa by vespa-engine.

From the class AthenzIdentities, method from.

public static AthenzIdentity from(String fullName) {
    // An Athenz identity is written "<domain>.<identity-name>"; domains may contain dots,
    // so the last '.' is the separator between domain and identity name
    int domainIdentityNameSeparatorIndex = fullName.lastIndexOf('.');
    // Reject names with no separator, an empty domain, or an empty identity name
    if (domainIdentityNameSeparatorIndex == -1 || domainIdentityNameSeparatorIndex == 0 || domainIdentityNameSeparatorIndex == fullName.length() - 1) {
        throw new IllegalArgumentException("Invalid Athenz identity: " + fullName);
    }
    AthenzDomain domain = new AthenzDomain(fullName.substring(0, domainIdentityNameSeparatorIndex));
    String identityName = fullName.substring(domainIdentityNameSeparatorIndex + 1, fullName.length());
    return from(domain, identityName);
}
Also used: AthenzDomain (com.yahoo.vespa.athenz.api.AthenzDomain)

Example 5 with AthenzDomain

Use of com.yahoo.vespa.athenz.api.AthenzDomain in project vespa by vespa-engine.

From the class ApplicationApiHandler, method createTenant.

private HttpResponse createTenant(String tenantName, HttpRequest request) {
    if (new TenantId(tenantName).isUser())
        return ErrorResponse.badRequest("Use User API to create user tenants.");
    Inspector requestData = toSlime(request.getData()).get();
    Tenant tenant = new Tenant(new TenantId(tenantName), optional("property", requestData).map(Property::new), optional("athensDomain", requestData).map(AthenzDomain::new), optional("propertyId", requestData).map(PropertyId::new));
    // Authorization check: only an admin of the requested Athenz domain may bind a tenant to it
    if (tenant.isAthensTenant())
        throwIfNotAthenzDomainAdmin(new AthenzDomain(mandatory("athensDomain", requestData).asString()), request);
    // The caller's NToken is required to register the tenant with Athenz
    NToken token = getUserPrincipal(request).getNToken().orElseThrow(() -> new IllegalArgumentException("Could not create " + tenant + ": No NToken provided"));
    controller.tenants().createAthenzTenant(tenant, token);
    return tenant(tenant, request, true);
}
Also used: TenantId (com.yahoo.vespa.hosted.controller.api.identifiers.TenantId), Tenant (com.yahoo.vespa.hosted.controller.api.Tenant), AthenzDomain (com.yahoo.vespa.athenz.api.AthenzDomain), NToken (com.yahoo.vespa.athenz.api.NToken), Inspector (com.yahoo.slime.Inspector)