Use of com.yahoo.vespa.athenz.api.AthenzDomain in the project vespa by vespa-engine.
The class ApplicationApiTest, method testAuthorization.
/**
 * Exercises the authorization boundaries of the tenant and application endpoints:
 * an unauthenticated mutation is rejected with 401, mutations by a user who is not
 * admin of the tenant's Athenz domain are rejected with 403, and the same requests
 * succeed for the domain admin. Every step mutates the tester's state, so the
 * order of the calls below is significant.
 */
@Test
public void testAuthorization() throws Exception {
    ContainerTester api = new ContainerTester(container, responseFiles);
    UserId domainAdmin = USER_ID;
    UserId outsider = new UserId("othertenant");
    String tenant1Payload = "{\"athensDomain\":\"domain1\", \"property\":\"property1\"}";
    String tenantAdminRequired = "{\n \"message\" : \"Tenant admin or Vespa operator role required\"\n}";

    // A mutation with no authenticated user is rejected before any authorization check
    api.assertResponse(request("/application/v4/tenant/tenant1", POST).data(tenant1Payload),
                       "{\n \"message\" : \"Not authenticated\"\n}", 401);
    // ... whereas a read is allowed for any authenticated user
    api.assertResponse(request("/application/v4/tenant/", GET).userIdentity(domainAdmin).data(tenant1Payload),
                       "[]", 200);

    createAthenzDomainWithAdmin(ATHENZ_TENANT_DOMAIN, domainAdmin);

    // Creating a tenant for an Athens domain the user is not admin of is rejected
    api.assertResponse(request("/application/v4/tenant/tenant1", POST).data(tenant1Payload).userIdentity(outsider),
                       "{\"error-code\":\"FORBIDDEN\",\"message\":\"The user 'user.othertenant' is not admin in Athenz domain 'domain1'\"}", 403);
    // ... and succeeds for the domain admin
    api.assertResponse(request("/application/v4/tenant/tenant1", POST).data(tenant1Payload).userIdentity(domainAdmin).nToken(N_TOKEN),
                       new File("tenant-without-applications.json"), 200);

    // Creating an application under that tenant is rejected for the outsider
    api.assertResponse(request("/application/v4/tenant/tenant1/application/application1", POST).userIdentity(outsider).nToken(N_TOKEN),
                       tenantAdminRequired, 403);
    // ... and succeeds for the domain admin
    api.assertResponse(request("/application/v4/tenant/tenant1/application/application1", POST).userIdentity(domainAdmin).nToken(N_TOKEN),
                       new File("application-reference.json"), 200);

    // Deploying to a prod zone is not permitted for a user identity, even the tenant admin
    HttpEntity deployData = createApplicationDeployData(applicationPackage, Optional.empty());
    api.assertResponse(request("/application/v4/tenant/tenant1/application/application1/environment/prod/region/us-west-1/instance/default/deploy", POST).data(deployData).userIdentity(domainAdmin),
                       "{\n \"message\" : \"'user.myuser' is not a Screwdriver identity. Only Screwdriver is allowed to deploy to this environment.\"\n}", 403);

    // Deleting the application is rejected for the outsider ...
    api.assertResponse(request("/application/v4/tenant/tenant1/application/application1", DELETE).userIdentity(outsider),
                       tenantAdminRequired, 403);
    // ... and succeeds for the domain admin
    api.assertResponse(request("/application/v4/tenant/tenant1/application/application1", DELETE).userIdentity(domainAdmin).nToken(N_TOKEN),
                       "", 200);

    // Updating the tenant is rejected for the outsider
    api.assertResponse(request("/application/v4/tenant/tenant1", PUT).data(tenant1Payload).userIdentity(outsider),
                       tenantAdminRequired, 403);

    // Moving the tenant to another Athens domain the admin also controls succeeds
    createAthenzDomainWithAdmin(new AthenzDomain("domain2"), domainAdmin);
    api.assertResponse(request("/application/v4/tenant/tenant1", PUT).data("{\"athensDomain\":\"domain2\", \"property\":\"property1\"}").userIdentity(domainAdmin).nToken(N_TOKEN),
                       "{\"tenant\":\"tenant1\",\"type\":\"ATHENS\",\"athensDomain\":\"domain2\",\"property\":\"property1\",\"applications\":[]}", 200);

    // Deleting the tenant is rejected for the outsider
    api.assertResponse(request("/application/v4/tenant/tenant1", DELETE).userIdentity(outsider),
                       tenantAdminRequired, 403);
}
Use of com.yahoo.vespa.athenz.api.AthenzDomain in the project vespa by vespa-engine.
The class ControllerTester, method createDomain.
/**
 * Registers a new Athenz domain named {@code domainName} in the mock Athenz database
 * and returns its handle, so the caller can attach admins or services to it.
 *
 * @param domainName the domain name to register
 * @return the domain just registered
 */
public AthenzDomain createDomain(String domainName) {
    AthenzDomain created = new AthenzDomain(domainName);
    AthenzDbMock.Domain entry = new AthenzDbMock.Domain(created);
    athenzDb.addDomain(entry);
    return created;
}
Use of com.yahoo.vespa.athenz.api.AthenzDomain in the project vespa by vespa-engine.
The class AthenzIdentitiesTest, method athenz_identity_is_parsed_from_dot_separated_string.
/**
 * Round-trips a service identity through its dotted full name. The domain itself contains
 * a dot, so the parser must split on the last separator rather than the first.
 */
@Test
public void athenz_identity_is_parsed_from_dot_separated_string() {
    AthenzDomain dottedDomain = new AthenzDomain("my.subdomain");
    AthenzIdentity original = new AthenzService(dottedDomain, "myservicename");
    AthenzIdentity parsed = AthenzIdentities.from(original.getFullName());
    assertEquals(original, parsed);
}
Use of com.yahoo.vespa.athenz.api.AthenzDomain in the project vespa by vespa-engine.
The class AthenzIdentities, method from.
/**
 * Parses an identity written as {@code <domain>.<identityName>} by splitting on the
 * last dot, so that dotted domains such as {@code my.subdomain} keep their full name.
 *
 * @param fullName the dotted full name of the identity
 * @return the identity built by {@code from(AthenzDomain, String)}
 * @throws IllegalArgumentException if the name contains no dot, or the last dot is the
 *         first or last character (empty domain or empty identity name)
 */
public static AthenzIdentity from(String fullName) {
    int separator = fullName.lastIndexOf('.');
    boolean emptyDomain = separator <= 0;                        // no dot at all (-1) or a leading dot
    boolean emptyIdentityName = separator == fullName.length() - 1;
    if (emptyDomain || emptyIdentityName) {
        throw new IllegalArgumentException("Invalid Athenz identity: " + fullName);
    }
    // NOTE(review): only the separator position is validated here; whether the domain and
    // identity labels are themselves well-formed is left to AthenzDomain and the
    // two-argument from(...) — confirm before relying on this for untrusted input.
    String domainName = fullName.substring(0, separator);
    String identityName = fullName.substring(separator + 1);
    return from(new AthenzDomain(domainName), identityName);
}
Use of com.yahoo.vespa.athenz.api.AthenzDomain in the project vespa by vespa-engine.
The class ApplicationApiHandler, method createTenant.
/**
 * Creates a non-user tenant from the JSON body of {@code request}.
 * User tenants are rejected here and must go through the User API. For an Athens
 * tenant the caller must be admin of the requested Athenz domain, and an NToken must
 * accompany the request; the tenant is then created and rendered back to the caller.
 *
 * @param tenantName the tenant name taken from the request path
 * @param request    the request whose body may carry {@code property}, {@code athensDomain}
 *                   and {@code propertyId}
 * @return the rendered tenant, or a 400 error response for user tenants
 * @throws IllegalArgumentException if the principal carries no NToken
 */
private HttpResponse createTenant(String tenantName, HttpRequest request) {
    TenantId tenantId = new TenantId(tenantName);
    if (tenantId.isUser()) {
        return ErrorResponse.badRequest("Use User API to create user tenants.");
    }
    Inspector body = toSlime(request.getData()).get();
    Tenant tenant = new Tenant(tenantId,
                               optional("property", body).map(Property::new),
                               optional("athensDomain", body).map(AthenzDomain::new),
                               optional("propertyId", body).map(PropertyId::new));
    // Authorization gate: only an admin of the requested Athenz domain may bind a tenant to it.
    // NOTE(review): the check runs only when tenant.isAthensTenant(); a body without
    // athensDomain skips it and still reaches createAthenzTenant — confirm that path is
    // rejected downstream.
    if (tenant.isAthensTenant()) {
        AthenzDomain requestedDomain = new AthenzDomain(mandatory("athensDomain", body).asString());
        throwIfNotAthenzDomainAdmin(requestedDomain, request);
    }
    NToken token = getUserPrincipal(request).getNToken()
            .orElseThrow(() -> new IllegalArgumentException("Could not create " + tenant + ": No NToken provided"));
    controller.tenants().createAthenzTenant(tenant, token);
    return tenant(tenant, request, true);
}