use of com.yahoo.vespa.athenz.api.AthenzDomain in project vespa by vespa-engine.
the class ContainerControllerTester method addTenantAthenzDomain.
private AthenzDomain addTenantAthenzDomain(String domainName, String userName) {
AthenzClientFactoryMock mock = (AthenzClientFactoryMock) containerTester.container().components().getComponent(AthenzClientFactoryMock.class.getName());
AthenzDomain athensDomain = new AthenzDomain(domainName);
AthenzDbMock.Domain domain = new AthenzDbMock.Domain(athensDomain);
domain.markAsVespaTenant();
domain.admin(AthenzIdentities.from(new AthenzDomain("domain"), userName));
mock.getSetup().addDomain(domain);
return athensDomain;
}
use of com.yahoo.vespa.athenz.api.AthenzDomain in project vespa by vespa-engine.
the class NTokenValidator method validate.
AthenzPrincipal validate(NToken token) throws InvalidTokenException {
PrincipalToken principalToken = new PrincipalToken(token.getRawToken());
PublicKey zmsPublicKey = getPublicKey(principalToken.getKeyId()).orElseThrow(() -> new InvalidTokenException("NToken has an unknown keyId"));
validateSignatureAndExpiration(principalToken, zmsPublicKey);
return new AthenzPrincipal(AthenzIdentities.from(new AthenzDomain(principalToken.getDomain()), principalToken.getName()), token);
}
use of com.yahoo.vespa.athenz.api.AthenzDomain in project vespa by vespa-engine.
the class TenantController method updateAthenzDomain.
private void updateAthenzDomain(Tenant updatedTenant, Optional<NToken> token) {
Tenant existingTenant = tenant(updatedTenant.getId()).get();
if (!existingTenant.isAthensTenant())
return;
AthenzDomain existingDomain = existingTenant.getAthensDomain().get();
AthenzDomain newDomain = updatedTenant.getAthensDomain().get();
if (existingDomain.equals(newDomain))
return;
Optional<Tenant> existingTenantWithNewDomain = tenantHaving(newDomain);
if (existingTenantWithNewDomain.isPresent())
throw new IllegalArgumentException("Could not set domain of " + updatedTenant + " to '" + newDomain + "':" + existingTenantWithNewDomain.get() + " already has this domain");
ZmsClient zmsClient = athenzClientFactory.createZmsClientWithAuthorizedServiceToken(token.get());
zmsClient.createTenant(newDomain);
List<Application> applications = controller.applications().asList(TenantName.from(existingTenant.getId().id()));
applications.forEach(a -> zmsClient.addApplication(newDomain, new com.yahoo.vespa.hosted.controller.api.identifiers.ApplicationId(a.id().application().value())));
applications.forEach(a -> zmsClient.deleteApplication(existingDomain, new com.yahoo.vespa.hosted.controller.api.identifiers.ApplicationId(a.id().application().value())));
zmsClient.deleteTenant(existingDomain);
log.info("Updated Athens domain for " + updatedTenant + " from " + existingDomain + " to " + newDomain);
}
use of com.yahoo.vespa.athenz.api.AthenzDomain in project vespa by vespa-engine.
the class ApplicationApiTest method testApplicationApi.
@Test
public void testApplicationApi() throws Exception {
ContainerControllerTester controllerTester = new ContainerControllerTester(container, responseFiles);
ContainerTester tester = controllerTester.containerTester();
tester.updateSystemVersion();
// (Necessary but not provided in this API)
createAthenzDomainWithAdmin(ATHENZ_TENANT_DOMAIN, USER_ID);
// GET API root
tester.assertResponse(request("/application/v4/", GET).userIdentity(USER_ID), new File("root.json"));
// GET athens domains
tester.assertResponse(request("/application/v4/athensDomain/", GET).userIdentity(USER_ID), new File("athensDomain-list.json"));
// GET OpsDB properties
tester.assertResponse(request("/application/v4/property/", GET).userIdentity(USER_ID), new File("property-list.json"));
// GET cookie freshness
tester.assertResponse(request("/application/v4/cookiefreshness/", GET).userIdentity(USER_ID), new File("cookiefreshness.json"));
// POST (add) a tenant without property ID
tester.assertResponse(request("/application/v4/tenant/tenant1", POST).userIdentity(USER_ID).data("{\"athensDomain\":\"domain1\", \"property\":\"property1\"}").nToken(N_TOKEN), new File("tenant-without-applications.json"));
// PUT (modify) a tenant
tester.assertResponse(request("/application/v4/tenant/tenant1", PUT).userIdentity(USER_ID).nToken(N_TOKEN).data("{\"athensDomain\":\"domain1\", \"property\":\"property1\"}"), new File("tenant-without-applications.json"));
// GET the authenticated user (with associated tenants)
tester.assertResponse(request("/application/v4/user", GET).userIdentity(USER_ID), new File("user.json"));
// GET all tenants
tester.assertResponse(request("/application/v4/tenant/", GET).userIdentity(USER_ID), new File("tenant-list.json"));
// Add another Athens domain, so we can try to create more tenants
// New domain to test tenant w/property ID
createAthenzDomainWithAdmin(new AthenzDomain("domain2"), USER_ID);
// Add property info for that property id, as well, in the mock organization.
addPropertyData((MockOrganization) controllerTester.controller().organization(), "1234");
// POST (add) a tenant with property ID
tester.assertResponse(request("/application/v4/tenant/tenant2", POST).userIdentity(USER_ID).nToken(N_TOKEN).data("{\"athensDomain\":\"domain2\", \"property\":\"property2\", \"propertyId\":\"1234\"}"), new File("tenant-without-applications-with-id.json"));
// PUT (modify) a tenant with property ID
tester.assertResponse(request("/application/v4/tenant/tenant2", PUT).userIdentity(USER_ID).nToken(N_TOKEN).data("{\"athensDomain\":\"domain2\", \"property\":\"property2\", \"propertyId\":\"1234\"}"), new File("tenant-without-applications-with-id.json"));
// GET a tenant with property ID
tester.assertResponse(request("/application/v4/tenant/tenant2", GET).userIdentity(USER_ID), new File("tenant-without-applications-with-id.json"));
// POST (create) an application
tester.assertResponse(request("/application/v4/tenant/tenant1/application/application1", POST).userIdentity(USER_ID).nToken(N_TOKEN), new File("application-reference.json"));
// GET a tenant
tester.assertResponse(request("/application/v4/tenant/tenant1", GET).userIdentity(USER_ID), new File("tenant-with-application.json"));
// GET tenant applications
tester.assertResponse(request("/application/v4/tenant/tenant1/application/", GET).userIdentity(USER_ID), new File("application-list.json"));
addUserToHostedOperatorRole(HostedAthenzIdentities.from(HOSTED_VESPA_OPERATOR));
// POST (deploy) an application to a zone - manual user deployment
HttpEntity entity = createApplicationDeployData(applicationPackage, Optional.empty());
tester.assertResponse(request("/application/v4/tenant/tenant1/application/application1/environment/dev/region/us-west-1/instance/default/deploy", POST).data(entity).userIdentity(USER_ID), new File("deploy-result.json"));
// POST (deploy) an application to a zone. This simulates calls done by our tenant pipeline.
ApplicationId id = ApplicationId.from("tenant1", "application1", "default");
long screwdriverProjectId = 123;
addScrewdriverUserToDeployRole(SCREWDRIVER_ID, ATHENZ_TENANT_DOMAIN, // (Necessary but not provided in this API)
new com.yahoo.vespa.hosted.controller.api.identifiers.ApplicationId(id.application().value()));
// Trigger deployment from completion of component job
controllerTester.jobCompletion(DeploymentJobs.JobType.component).application(id).projectId(screwdriverProjectId).uploadArtifact(applicationPackage).submit();
// ... systemtest
tester.assertResponse(request("/application/v4/tenant/tenant1/application/application1/environment/test/region/us-east-1/instance/default/", POST).data(createApplicationDeployData(applicationPackage, Optional.of(screwdriverProjectId))).screwdriverIdentity(SCREWDRIVER_ID), new File("deploy-result.json"));
tester.assertResponse(request("/application/v4/tenant/tenant1/application/application1/environment/test/region/us-east-1/instance/default", DELETE).screwdriverIdentity(SCREWDRIVER_ID), "Deactivated tenant/tenant1/application/application1/environment/test/region/us-east-1/instance/default");
// Called through the separate screwdriver/v1 API
controllerTester.jobCompletion(DeploymentJobs.JobType.systemTest).application(id).projectId(screwdriverProjectId).submit();
// ... staging
tester.assertResponse(request("/application/v4/tenant/tenant1/application/application1/environment/staging/region/us-east-3/instance/default/", POST).data(createApplicationDeployData(applicationPackage, Optional.of(screwdriverProjectId))).screwdriverIdentity(SCREWDRIVER_ID), new File("deploy-result.json"));
tester.assertResponse(request("/application/v4/tenant/tenant1/application/application1/environment/staging/region/us-east-3/instance/default", DELETE).screwdriverIdentity(SCREWDRIVER_ID), "Deactivated tenant/tenant1/application/application1/environment/staging/region/us-east-3/instance/default");
controllerTester.jobCompletion(DeploymentJobs.JobType.stagingTest).application(id).projectId(screwdriverProjectId).submit();
// ... prod zone
tester.assertResponse(request("/application/v4/tenant/tenant1/application/application1/environment/prod/region/corp-us-east-1/instance/default/", POST).data(createApplicationDeployData(applicationPackage, Optional.of(screwdriverProjectId))).screwdriverIdentity(SCREWDRIVER_ID), new File("deploy-result.json"));
controllerTester.jobCompletion(DeploymentJobs.JobType.productionCorpUsEast1).application(id).projectId(screwdriverProjectId).unsuccessful().submit();
// GET tenant screwdriver projects
tester.assertResponse(request("/application/v4/tenant-pipeline/", GET).userIdentity(USER_ID), new File("tenant-pipelines.json"));
setDeploymentMaintainedInfo(controllerTester);
// GET tenant application deployments
tester.assertResponse(request("/application/v4/tenant/tenant1/application/application1", GET).userIdentity(USER_ID), new File("application.json"));
// GET an application deployment
tester.assertResponse(request("/application/v4/tenant/tenant1/application/application1/environment/prod/region/corp-us-east-1/instance/default", GET).userIdentity(USER_ID), new File("deployment.json"));
addIssues(controllerTester, ApplicationId.from("tenant1", "application1", "default"));
// GET at root, with "&recursive=deployment", returns info about all tenants, their applications and their deployments
tester.assertResponse(request("/application/v4/", GET).userIdentity(USER_ID).recursive("deployment"), new File("recursive-root.json"));
// GET at root, with "&recursive=tenant", returns info about all tenants, with limited info about their applications.
tester.assertResponse(request("/application/v4/", GET).userIdentity(USER_ID).recursive("tenant"), new File("recursive-until-tenant-root.json"));
// GET at a tenant, with "&recursive=true", returns full info about their applications and their deployments
tester.assertResponse(request("/application/v4/tenant/tenant1/", GET).userIdentity(USER_ID).recursive("true"), new File("tenant1-recursive.json"));
// GET at an application, with "&recursive=true", returns full info about its deployments
tester.assertResponse(request("/application/v4/tenant/tenant1/application/application1/", GET).userIdentity(USER_ID).recursive("true"), new File("application1-recursive.json"));
// DELETE (cancel) ongoing change
tester.assertResponse(request("/application/v4/tenant/tenant1/application/application1/deploying", DELETE).userIdentity(HOSTED_VESPA_OPERATOR), new File("application-deployment-cancelled.json"));
// DELETE (cancel) again is a no-op
tester.assertResponse(request("/application/v4/tenant/tenant1/application/application1/deploying", DELETE).userIdentity(HOSTED_VESPA_OPERATOR), new File("application-deployment-cancelled-no-op.json"));
// POST triggering of a full deployment to an application (if version is omitted, current system version is used)
tester.assertResponse(request("/application/v4/tenant/tenant1/application/application1/deploying", POST).userIdentity(HOSTED_VESPA_OPERATOR).data("6.1.0"), new File("application-deployment.json"));
// POST a 'restart application' command
tester.assertResponse(request("/application/v4/tenant/tenant1/application/application1/environment/prod/region/corp-us-east-1/instance/default/restart", POST).screwdriverIdentity(SCREWDRIVER_ID), "Requested restart of tenant/tenant1/application/application1/environment/prod/region/corp-us-east-1/instance/default");
// POST a 'restart application' command with a host filter (other filters not supported yet)
tester.assertResponse(request("/application/v4/tenant/tenant1/application/application1/environment/prod/region/corp-us-east-1/instance/default/restart?hostname=host1", POST).screwdriverIdentity(SCREWDRIVER_ID), "Requested restart of tenant/tenant1/application/application1/environment/prod/region/corp-us-east-1/instance/default");
// POST a 'log' command
tester.assertResponse(request("/application/v4/tenant/tenant1/application/application1/environment/prod/region/corp-us-east-1/instance/default/log", POST).screwdriverIdentity(SCREWDRIVER_ID), // Proxied to config server, not sure about the expected return format
new File("log-response.json"));
// GET (wait for) convergence
tester.assertResponse(request("/application/v4/tenant/tenant1/application/application1/environment/prod/region/corp-us-east-1/instance/default/converge", GET).userIdentity(USER_ID), new File("convergence.json"));
// GET services
tester.assertResponse(request("/application/v4/tenant/tenant1/application/application1/environment/prod/region/corp-us-east-1/instance/default/service", GET).userIdentity(USER_ID), new File("services.json"));
// GET service
tester.assertResponse(request("/application/v4/tenant/tenant1/application/application1/environment/prod/region/corp-us-east-1/instance/default/service/storagenode-awe3slno6mmq2fye191y324jl/state/v1/", GET).userIdentity(USER_ID), new File("service.json"));
// DELETE application with active deployments fails
tester.assertResponse(request("/application/v4/tenant/tenant1/application/application1", DELETE).userIdentity(USER_ID), new File("delete-with-active-deployments.json"), 400);
// DELETE (deactivate) a deployment - dev
tester.assertResponse(request("/application/v4/tenant/tenant1/application/application1/environment/dev/region/us-west-1/instance/default", DELETE).userIdentity(USER_ID), "Deactivated tenant/tenant1/application/application1/environment/dev/region/us-west-1/instance/default");
// DELETE (deactivate) a deployment - prod
tester.assertResponse(request("/application/v4/tenant/tenant1/application/application1/environment/prod/region/corp-us-east-1/instance/default", DELETE).screwdriverIdentity(SCREWDRIVER_ID), "Deactivated tenant/tenant1/application/application1/environment/prod/region/corp-us-east-1/instance/default");
// DELETE (deactivate) a deployment is idempotent
tester.assertResponse(request("/application/v4/tenant/tenant1/application/application1/environment/prod/region/corp-us-east-1/instance/default", DELETE).screwdriverIdentity(SCREWDRIVER_ID), "Deactivated tenant/tenant1/application/application1/environment/prod/region/corp-us-east-1/instance/default");
// PUT (create) the authenticated user
byte[] data = new byte[0];
tester.assertResponse(request("/application/v4/user?user=newuser&domain=by", PUT).data(data).userIdentity(new UserId("newuser")), new File("create-user-response.json"));
// OPTIONS return 200 OK
tester.assertResponse(request("/application/v4/", Request.Method.OPTIONS), "");
// GET global rotation status
tester.assertResponse(request("/application/v4/tenant/tenant1/application/application1/environment/prod/region/us-west-1/instance/default/global-rotation", GET).userIdentity(USER_ID), new File("global-rotation.json"));
// GET global rotation override status
tester.assertResponse(request("/application/v4/tenant/tenant1/application/application1/environment/prod/region/us-west-1/instance/default/global-rotation/override", GET).userIdentity(USER_ID), new File("global-rotation-get.json"));
// SET global rotation override status
tester.assertResponse(request("/application/v4/tenant/tenant2/application/application2/environment/prod/region/us-west-1/instance/default/global-rotation/override", PUT).userIdentity(USER_ID).data("{\"reason\":\"because i can\"}"), new File("global-rotation-put.json"));
// DELETE global rotation override status
tester.assertResponse(request("/application/v4/tenant/tenant2/application/application2/environment/prod/region/us-west-1/instance/default/global-rotation/override", DELETE).userIdentity(USER_ID).data("{\"reason\":\"because i can\"}"), new File("global-rotation-delete.json"));
tester.assertResponse(request("/application/v4/tenant/tenant1/application/application1/promote", POST).screwdriverIdentity(SCREWDRIVER_ID), "{\"message\":\"Successfully copied environment hosted-verified-prod to hosted-instance_tenant1_application1_placeholder_component_default\"}");
tester.assertResponse(request("/application/v4/tenant/tenant1/application/application1/environment/prod/region/us-west-1/instance/default/promote", POST).screwdriverIdentity(SCREWDRIVER_ID), "{\"message\":\"Successfully copied environment hosted-instance_tenant1_application1_placeholder_component_default to hosted-instance_tenant1_application1_us-west-1_prod_default\"}");
// DELETE an application
tester.assertResponse(request("/application/v4/tenant/tenant1/application/application1", DELETE).userIdentity(USER_ID).nToken(N_TOKEN), "");
// DELETE a tenant
tester.assertResponse(request("/application/v4/tenant/tenant1", DELETE).userIdentity(USER_ID).nToken(N_TOKEN), new File("tenant-without-applications.json"));
controllerTester.controller().deconstruct();
}
use of com.yahoo.vespa.athenz.api.AthenzDomain in project vespa by vespa-engine.
the class ApplicationApiTest method createAthenzDomainWithAdmin.
/**
* In production this happens outside hosted Vespa, so there is no API for it and we need to reach down into the
* mock setup to replicate the action.
*/
private void createAthenzDomainWithAdmin(AthenzDomain domain, UserId userId) {
AthenzClientFactoryMock mock = (AthenzClientFactoryMock) container.components().getComponent(AthenzClientFactoryMock.class.getName());
AthenzDbMock.Domain domainMock = new AthenzDbMock.Domain(domain);
domainMock.markAsVespaTenant();
domainMock.admin(AthenzUser.fromUserId(userId.id()));
mock.getSetup().addDomain(domainMock);
}
Aggregations