Search in sources :

Example 11 with AthenzDomain

use of com.yahoo.vespa.athenz.api.AthenzDomain in project vespa by vespa-engine.

the class ContainerControllerTester method addTenantAthenzDomain.

private AthenzDomain addTenantAthenzDomain(String domainName, String userName) {
    AthenzClientFactoryMock mock = (AthenzClientFactoryMock) containerTester.container().components().getComponent(AthenzClientFactoryMock.class.getName());
    AthenzDomain athensDomain = new AthenzDomain(domainName);
    AthenzDbMock.Domain domain = new AthenzDbMock.Domain(athensDomain);
    domain.markAsVespaTenant();
    domain.admin(AthenzIdentities.from(new AthenzDomain("domain"), userName));
    mock.getSetup().addDomain(domain);
    return athensDomain;
}
Also used : AthenzClientFactoryMock(com.yahoo.vespa.hosted.controller.athenz.mock.AthenzClientFactoryMock) AthenzDomain(com.yahoo.vespa.athenz.api.AthenzDomain) AthenzDbMock(com.yahoo.vespa.hosted.controller.athenz.mock.AthenzDbMock) AthenzDomain(com.yahoo.vespa.athenz.api.AthenzDomain)

Example 12 with AthenzDomain

use of com.yahoo.vespa.athenz.api.AthenzDomain in project vespa by vespa-engine.

the class NTokenValidator method validate.

AthenzPrincipal validate(NToken token) throws InvalidTokenException {
    PrincipalToken principalToken = new PrincipalToken(token.getRawToken());
    PublicKey zmsPublicKey = getPublicKey(principalToken.getKeyId()).orElseThrow(() -> new InvalidTokenException("NToken has an unknown keyId"));
    validateSignatureAndExpiration(principalToken, zmsPublicKey);
    return new AthenzPrincipal(AthenzIdentities.from(new AthenzDomain(principalToken.getDomain()), principalToken.getName()), token);
}
Also used : InvalidTokenException(com.yahoo.vespa.hosted.controller.api.integration.athenz.InvalidTokenException) AthenzDomain(com.yahoo.vespa.athenz.api.AthenzDomain) PublicKey(java.security.PublicKey) AthenzPrincipal(com.yahoo.vespa.athenz.api.AthenzPrincipal) PrincipalToken(com.yahoo.athenz.auth.token.PrincipalToken)

Example 13 with AthenzDomain

use of com.yahoo.vespa.athenz.api.AthenzDomain in project vespa by vespa-engine.

the class TenantController method updateAthenzDomain.

private void updateAthenzDomain(Tenant updatedTenant, Optional<NToken> token) {
    Tenant existingTenant = tenant(updatedTenant.getId()).get();
    if (!existingTenant.isAthensTenant())
        return;
    AthenzDomain existingDomain = existingTenant.getAthensDomain().get();
    AthenzDomain newDomain = updatedTenant.getAthensDomain().get();
    if (existingDomain.equals(newDomain))
        return;
    Optional<Tenant> existingTenantWithNewDomain = tenantHaving(newDomain);
    if (existingTenantWithNewDomain.isPresent())
        throw new IllegalArgumentException("Could not set domain of " + updatedTenant + " to '" + newDomain + "':" + existingTenantWithNewDomain.get() + " already has this domain");
    ZmsClient zmsClient = athenzClientFactory.createZmsClientWithAuthorizedServiceToken(token.get());
    zmsClient.createTenant(newDomain);
    List<Application> applications = controller.applications().asList(TenantName.from(existingTenant.getId().id()));
    applications.forEach(a -> zmsClient.addApplication(newDomain, new com.yahoo.vespa.hosted.controller.api.identifiers.ApplicationId(a.id().application().value())));
    applications.forEach(a -> zmsClient.deleteApplication(existingDomain, new com.yahoo.vespa.hosted.controller.api.identifiers.ApplicationId(a.id().application().value())));
    zmsClient.deleteTenant(existingDomain);
    log.info("Updated Athens domain for " + updatedTenant + " from " + existingDomain + " to " + newDomain);
}
Also used : Tenant(com.yahoo.vespa.hosted.controller.api.Tenant) AthenzDomain(com.yahoo.vespa.athenz.api.AthenzDomain) ZmsClient(com.yahoo.vespa.hosted.controller.api.integration.athenz.ZmsClient)

Example 14 with AthenzDomain

use of com.yahoo.vespa.athenz.api.AthenzDomain in project vespa by vespa-engine.

the class ApplicationApiTest method testApplicationApi.

@Test
public void testApplicationApi() throws Exception {
    ContainerControllerTester controllerTester = new ContainerControllerTester(container, responseFiles);
    ContainerTester tester = controllerTester.containerTester();
    tester.updateSystemVersion();
    // (Necessary but not provided in this API)
    createAthenzDomainWithAdmin(ATHENZ_TENANT_DOMAIN, USER_ID);
    // GET API root
    tester.assertResponse(request("/application/v4/", GET).userIdentity(USER_ID), new File("root.json"));
    // GET athens domains
    tester.assertResponse(request("/application/v4/athensDomain/", GET).userIdentity(USER_ID), new File("athensDomain-list.json"));
    // GET OpsDB properties
    tester.assertResponse(request("/application/v4/property/", GET).userIdentity(USER_ID), new File("property-list.json"));
    // GET cookie freshness
    tester.assertResponse(request("/application/v4/cookiefreshness/", GET).userIdentity(USER_ID), new File("cookiefreshness.json"));
    // POST (add) a tenant without property ID
    tester.assertResponse(request("/application/v4/tenant/tenant1", POST).userIdentity(USER_ID).data("{\"athensDomain\":\"domain1\", \"property\":\"property1\"}").nToken(N_TOKEN), new File("tenant-without-applications.json"));
    // PUT (modify) a tenant
    tester.assertResponse(request("/application/v4/tenant/tenant1", PUT).userIdentity(USER_ID).nToken(N_TOKEN).data("{\"athensDomain\":\"domain1\", \"property\":\"property1\"}"), new File("tenant-without-applications.json"));
    // GET the authenticated user (with associated tenants)
    tester.assertResponse(request("/application/v4/user", GET).userIdentity(USER_ID), new File("user.json"));
    // GET all tenants
    tester.assertResponse(request("/application/v4/tenant/", GET).userIdentity(USER_ID), new File("tenant-list.json"));
    // Add another Athens domain, so we can try to create more tenants
    // New domain to test tenant w/property ID
    createAthenzDomainWithAdmin(new AthenzDomain("domain2"), USER_ID);
    // Add property info for that property id, as well, in the mock organization.
    addPropertyData((MockOrganization) controllerTester.controller().organization(), "1234");
    // POST (add) a tenant with property ID
    tester.assertResponse(request("/application/v4/tenant/tenant2", POST).userIdentity(USER_ID).nToken(N_TOKEN).data("{\"athensDomain\":\"domain2\", \"property\":\"property2\", \"propertyId\":\"1234\"}"), new File("tenant-without-applications-with-id.json"));
    // PUT (modify) a tenant with property ID
    tester.assertResponse(request("/application/v4/tenant/tenant2", PUT).userIdentity(USER_ID).nToken(N_TOKEN).data("{\"athensDomain\":\"domain2\", \"property\":\"property2\", \"propertyId\":\"1234\"}"), new File("tenant-without-applications-with-id.json"));
    // GET a tenant with property ID
    tester.assertResponse(request("/application/v4/tenant/tenant2", GET).userIdentity(USER_ID), new File("tenant-without-applications-with-id.json"));
    // POST (create) an application
    tester.assertResponse(request("/application/v4/tenant/tenant1/application/application1", POST).userIdentity(USER_ID).nToken(N_TOKEN), new File("application-reference.json"));
    // GET a tenant
    tester.assertResponse(request("/application/v4/tenant/tenant1", GET).userIdentity(USER_ID), new File("tenant-with-application.json"));
    // GET tenant applications
    tester.assertResponse(request("/application/v4/tenant/tenant1/application/", GET).userIdentity(USER_ID), new File("application-list.json"));
    addUserToHostedOperatorRole(HostedAthenzIdentities.from(HOSTED_VESPA_OPERATOR));
    // POST (deploy) an application to a zone - manual user deployment
    HttpEntity entity = createApplicationDeployData(applicationPackage, Optional.empty());
    tester.assertResponse(request("/application/v4/tenant/tenant1/application/application1/environment/dev/region/us-west-1/instance/default/deploy", POST).data(entity).userIdentity(USER_ID), new File("deploy-result.json"));
    // POST (deploy) an application to a zone. This simulates calls done by our tenant pipeline.
    ApplicationId id = ApplicationId.from("tenant1", "application1", "default");
    long screwdriverProjectId = 123;
    addScrewdriverUserToDeployRole(SCREWDRIVER_ID, ATHENZ_TENANT_DOMAIN, // (Necessary but not provided in this API)
    new com.yahoo.vespa.hosted.controller.api.identifiers.ApplicationId(id.application().value()));
    // Trigger deployment from completion of component job
    controllerTester.jobCompletion(DeploymentJobs.JobType.component).application(id).projectId(screwdriverProjectId).uploadArtifact(applicationPackage).submit();
    // ... systemtest
    tester.assertResponse(request("/application/v4/tenant/tenant1/application/application1/environment/test/region/us-east-1/instance/default/", POST).data(createApplicationDeployData(applicationPackage, Optional.of(screwdriverProjectId))).screwdriverIdentity(SCREWDRIVER_ID), new File("deploy-result.json"));
    tester.assertResponse(request("/application/v4/tenant/tenant1/application/application1/environment/test/region/us-east-1/instance/default", DELETE).screwdriverIdentity(SCREWDRIVER_ID), "Deactivated tenant/tenant1/application/application1/environment/test/region/us-east-1/instance/default");
    // Called through the separate screwdriver/v1 API
    controllerTester.jobCompletion(DeploymentJobs.JobType.systemTest).application(id).projectId(screwdriverProjectId).submit();
    // ... staging
    tester.assertResponse(request("/application/v4/tenant/tenant1/application/application1/environment/staging/region/us-east-3/instance/default/", POST).data(createApplicationDeployData(applicationPackage, Optional.of(screwdriverProjectId))).screwdriverIdentity(SCREWDRIVER_ID), new File("deploy-result.json"));
    tester.assertResponse(request("/application/v4/tenant/tenant1/application/application1/environment/staging/region/us-east-3/instance/default", DELETE).screwdriverIdentity(SCREWDRIVER_ID), "Deactivated tenant/tenant1/application/application1/environment/staging/region/us-east-3/instance/default");
    controllerTester.jobCompletion(DeploymentJobs.JobType.stagingTest).application(id).projectId(screwdriverProjectId).submit();
    // ... prod zone
    tester.assertResponse(request("/application/v4/tenant/tenant1/application/application1/environment/prod/region/corp-us-east-1/instance/default/", POST).data(createApplicationDeployData(applicationPackage, Optional.of(screwdriverProjectId))).screwdriverIdentity(SCREWDRIVER_ID), new File("deploy-result.json"));
    controllerTester.jobCompletion(DeploymentJobs.JobType.productionCorpUsEast1).application(id).projectId(screwdriverProjectId).unsuccessful().submit();
    // GET tenant screwdriver projects
    tester.assertResponse(request("/application/v4/tenant-pipeline/", GET).userIdentity(USER_ID), new File("tenant-pipelines.json"));
    setDeploymentMaintainedInfo(controllerTester);
    // GET tenant application deployments
    tester.assertResponse(request("/application/v4/tenant/tenant1/application/application1", GET).userIdentity(USER_ID), new File("application.json"));
    // GET an application deployment
    tester.assertResponse(request("/application/v4/tenant/tenant1/application/application1/environment/prod/region/corp-us-east-1/instance/default", GET).userIdentity(USER_ID), new File("deployment.json"));
    addIssues(controllerTester, ApplicationId.from("tenant1", "application1", "default"));
    // GET at root, with "&recursive=deployment", returns info about all tenants, their applications and their deployments
    tester.assertResponse(request("/application/v4/", GET).userIdentity(USER_ID).recursive("deployment"), new File("recursive-root.json"));
    // GET at root, with "&recursive=tenant", returns info about all tenants, with limited info about their applications.
    tester.assertResponse(request("/application/v4/", GET).userIdentity(USER_ID).recursive("tenant"), new File("recursive-until-tenant-root.json"));
    // GET at a tenant, with "&recursive=true", returns full info about their applications and their deployments
    tester.assertResponse(request("/application/v4/tenant/tenant1/", GET).userIdentity(USER_ID).recursive("true"), new File("tenant1-recursive.json"));
    // GET at an application, with "&recursive=true", returns full info about its deployments
    tester.assertResponse(request("/application/v4/tenant/tenant1/application/application1/", GET).userIdentity(USER_ID).recursive("true"), new File("application1-recursive.json"));
    // DELETE (cancel) ongoing change
    tester.assertResponse(request("/application/v4/tenant/tenant1/application/application1/deploying", DELETE).userIdentity(HOSTED_VESPA_OPERATOR), new File("application-deployment-cancelled.json"));
    // DELETE (cancel) again is a no-op
    tester.assertResponse(request("/application/v4/tenant/tenant1/application/application1/deploying", DELETE).userIdentity(HOSTED_VESPA_OPERATOR), new File("application-deployment-cancelled-no-op.json"));
    // POST triggering of a full deployment to an application (if version is omitted, current system version is used)
    tester.assertResponse(request("/application/v4/tenant/tenant1/application/application1/deploying", POST).userIdentity(HOSTED_VESPA_OPERATOR).data("6.1.0"), new File("application-deployment.json"));
    // POST a 'restart application' command
    tester.assertResponse(request("/application/v4/tenant/tenant1/application/application1/environment/prod/region/corp-us-east-1/instance/default/restart", POST).screwdriverIdentity(SCREWDRIVER_ID), "Requested restart of tenant/tenant1/application/application1/environment/prod/region/corp-us-east-1/instance/default");
    // POST a 'restart application' command with a host filter (other filters not supported yet)
    tester.assertResponse(request("/application/v4/tenant/tenant1/application/application1/environment/prod/region/corp-us-east-1/instance/default/restart?hostname=host1", POST).screwdriverIdentity(SCREWDRIVER_ID), "Requested restart of tenant/tenant1/application/application1/environment/prod/region/corp-us-east-1/instance/default");
    // POST a 'log' command
    tester.assertResponse(request("/application/v4/tenant/tenant1/application/application1/environment/prod/region/corp-us-east-1/instance/default/log", POST).screwdriverIdentity(SCREWDRIVER_ID), // Proxied to config server, not sure about the expected return format
    new File("log-response.json"));
    // GET (wait for) convergence
    tester.assertResponse(request("/application/v4/tenant/tenant1/application/application1/environment/prod/region/corp-us-east-1/instance/default/converge", GET).userIdentity(USER_ID), new File("convergence.json"));
    // GET services
    tester.assertResponse(request("/application/v4/tenant/tenant1/application/application1/environment/prod/region/corp-us-east-1/instance/default/service", GET).userIdentity(USER_ID), new File("services.json"));
    // GET service
    tester.assertResponse(request("/application/v4/tenant/tenant1/application/application1/environment/prod/region/corp-us-east-1/instance/default/service/storagenode-awe3slno6mmq2fye191y324jl/state/v1/", GET).userIdentity(USER_ID), new File("service.json"));
    // DELETE application with active deployments fails
    tester.assertResponse(request("/application/v4/tenant/tenant1/application/application1", DELETE).userIdentity(USER_ID), new File("delete-with-active-deployments.json"), 400);
    // DELETE (deactivate) a deployment - dev
    tester.assertResponse(request("/application/v4/tenant/tenant1/application/application1/environment/dev/region/us-west-1/instance/default", DELETE).userIdentity(USER_ID), "Deactivated tenant/tenant1/application/application1/environment/dev/region/us-west-1/instance/default");
    // DELETE (deactivate) a deployment - prod
    tester.assertResponse(request("/application/v4/tenant/tenant1/application/application1/environment/prod/region/corp-us-east-1/instance/default", DELETE).screwdriverIdentity(SCREWDRIVER_ID), "Deactivated tenant/tenant1/application/application1/environment/prod/region/corp-us-east-1/instance/default");
    // DELETE (deactivate) a deployment is idempotent
    tester.assertResponse(request("/application/v4/tenant/tenant1/application/application1/environment/prod/region/corp-us-east-1/instance/default", DELETE).screwdriverIdentity(SCREWDRIVER_ID), "Deactivated tenant/tenant1/application/application1/environment/prod/region/corp-us-east-1/instance/default");
    // PUT (create) the authenticated user
    byte[] data = new byte[0];
    tester.assertResponse(request("/application/v4/user?user=newuser&domain=by", PUT).data(data).userIdentity(new UserId("newuser")), new File("create-user-response.json"));
    // OPTIONS return 200 OK
    tester.assertResponse(request("/application/v4/", Request.Method.OPTIONS), "");
    // GET global rotation status
    tester.assertResponse(request("/application/v4/tenant/tenant1/application/application1/environment/prod/region/us-west-1/instance/default/global-rotation", GET).userIdentity(USER_ID), new File("global-rotation.json"));
    // GET global rotation override status
    tester.assertResponse(request("/application/v4/tenant/tenant1/application/application1/environment/prod/region/us-west-1/instance/default/global-rotation/override", GET).userIdentity(USER_ID), new File("global-rotation-get.json"));
    // SET global rotation override status
    tester.assertResponse(request("/application/v4/tenant/tenant2/application/application2/environment/prod/region/us-west-1/instance/default/global-rotation/override", PUT).userIdentity(USER_ID).data("{\"reason\":\"because i can\"}"), new File("global-rotation-put.json"));
    // DELETE global rotation override status
    tester.assertResponse(request("/application/v4/tenant/tenant2/application/application2/environment/prod/region/us-west-1/instance/default/global-rotation/override", DELETE).userIdentity(USER_ID).data("{\"reason\":\"because i can\"}"), new File("global-rotation-delete.json"));
    tester.assertResponse(request("/application/v4/tenant/tenant1/application/application1/promote", POST).screwdriverIdentity(SCREWDRIVER_ID), "{\"message\":\"Successfully copied environment hosted-verified-prod to hosted-instance_tenant1_application1_placeholder_component_default\"}");
    tester.assertResponse(request("/application/v4/tenant/tenant1/application/application1/environment/prod/region/us-west-1/instance/default/promote", POST).screwdriverIdentity(SCREWDRIVER_ID), "{\"message\":\"Successfully copied environment hosted-instance_tenant1_application1_placeholder_component_default to hosted-instance_tenant1_application1_us-west-1_prod_default\"}");
    // DELETE an application
    tester.assertResponse(request("/application/v4/tenant/tenant1/application/application1", DELETE).userIdentity(USER_ID).nToken(N_TOKEN), "");
    // DELETE a tenant
    tester.assertResponse(request("/application/v4/tenant/tenant1", DELETE).userIdentity(USER_ID).nToken(N_TOKEN), new File("tenant-without-applications.json"));
    controllerTester.controller().deconstruct();
}
Also used : AthenzDomain(com.yahoo.vespa.athenz.api.AthenzDomain) HttpEntity(org.apache.http.HttpEntity) ContainerTester(com.yahoo.vespa.hosted.controller.restapi.ContainerTester) ContainerControllerTester(com.yahoo.vespa.hosted.controller.restapi.ContainerControllerTester) UserId(com.yahoo.vespa.hosted.controller.api.identifiers.UserId) ApplicationId(com.yahoo.config.provision.ApplicationId) File(java.io.File) ControllerContainerTest(com.yahoo.vespa.hosted.controller.restapi.ControllerContainerTest) Test(org.junit.Test)

Example 15 with AthenzDomain

use of com.yahoo.vespa.athenz.api.AthenzDomain in project vespa by vespa-engine.

the class ApplicationApiTest method createAthenzDomainWithAdmin.

/**
 * In production this happens outside hosted Vespa, so there is no API for it and we need to reach down into the
 * mock setup to replicate the action.
 */
private void createAthenzDomainWithAdmin(AthenzDomain domain, UserId userId) {
    AthenzClientFactoryMock mock = (AthenzClientFactoryMock) container.components().getComponent(AthenzClientFactoryMock.class.getName());
    AthenzDbMock.Domain domainMock = new AthenzDbMock.Domain(domain);
    domainMock.markAsVespaTenant();
    domainMock.admin(AthenzUser.fromUserId(userId.id()));
    mock.getSetup().addDomain(domainMock);
}
Also used : AthenzClientFactoryMock(com.yahoo.vespa.hosted.controller.athenz.mock.AthenzClientFactoryMock) AthenzDbMock(com.yahoo.vespa.hosted.controller.athenz.mock.AthenzDbMock) AthenzDomain(com.yahoo.vespa.athenz.api.AthenzDomain)

Aggregations

AthenzDomain (com.yahoo.vespa.athenz.api.AthenzDomain)15 Tenant (com.yahoo.vespa.hosted.controller.api.Tenant)5 TenantId (com.yahoo.vespa.hosted.controller.api.identifiers.TenantId)4 AthenzDbMock (com.yahoo.vespa.hosted.controller.athenz.mock.AthenzDbMock)3 Test (org.junit.Test)3 ApplicationId (com.yahoo.config.provision.ApplicationId)2 Inspector (com.yahoo.slime.Inspector)2 Property (com.yahoo.vespa.hosted.controller.api.identifiers.Property)2 UserId (com.yahoo.vespa.hosted.controller.api.identifiers.UserId)2 AthenzClientFactoryMock (com.yahoo.vespa.hosted.controller.athenz.mock.AthenzClientFactoryMock)2 ContainerTester (com.yahoo.vespa.hosted.controller.restapi.ContainerTester)2 ControllerContainerTest (com.yahoo.vespa.hosted.controller.restapi.ControllerContainerTest)2 File (java.io.File)2 HttpEntity (org.apache.http.HttpEntity)2 PrincipalToken (com.yahoo.athenz.auth.token.PrincipalToken)1 Cursor (com.yahoo.slime.Cursor)1 Slime (com.yahoo.slime.Slime)1 AthenzIdentity (com.yahoo.vespa.athenz.api.AthenzIdentity)1 AthenzPrincipal (com.yahoo.vespa.athenz.api.AthenzPrincipal)1 AthenzService (com.yahoo.vespa.athenz.api.AthenzService)1