use of com.yahoo.vespa.athenz.api.AthenzIdentity in project vespa by vespa-engine.
the class ApplicationApiTest method addScrewdriverUserToDeployRole.
/**
 * Grants the given Screwdriver identity the {@code deploy} role on an application by writing
 * directly into the mock Athenz database.
 *
 * In production this role membership is set up outside hosted Vespa, so no controller API exists for it;
 * the test has to reach into the mock setup to reproduce the grant.
 *
 * @param screwdriverId Screwdriver project id that is converted to an Athenz identity
 * @param domain        Athenz domain that owns the application in the mock
 * @param applicationId application whose deploy role receives the new member
 */
private void addScrewdriverUserToDeployRole(ScrewdriverId screwdriverId, AthenzDomain domain, com.yahoo.vespa.hosted.controller.api.identifiers.ApplicationId applicationId) {
    String componentId = AthenzClientFactoryMock.class.getName();
    AthenzClientFactoryMock clientFactory = (AthenzClientFactoryMock) container.components().getComponent(componentId);
    AthenzIdentity pipelineIdentity = HostedAthenzIdentities.from(screwdriverId);
    // The lookups are chained without null checks: this assumes the domain and the application
    // were already registered in the mock by the calling test.
    clientFactory.getSetup()
            .domains.get(domain)
            .applications.get(applicationId)
            .addRoleMember(ApplicationAction.deploy, pipelineIdentity);
}
use of com.yahoo.vespa.athenz.api.AthenzIdentity in project vespa by vespa-engine.
the class ControllerAuthorizationFilterTest method only_hosted_operator_and_screwdriver_project_with_deploy_role_can_access_tenant_pipeline_apis.
/**
 * Pins the authorization rule for the tenant pipeline endpoints (deploy, jobreport, promote):
 * the hosted operator and the pipeline identity holding the {@code deploy} role on the application
 * are listed as allowed, while the tenant domain admin and an unrelated user are listed as forbidden.
 *
 * NOTE(review): testApiAccess is defined outside this snippet; presumably it asserts that every
 * allowed identity passes the filter and every forbidden identity is rejected. Confirm there.
 */
@Test
public void only_hosted_operator_and_screwdriver_project_with_deploy_role_can_access_tenant_pipeline_apis() {
    ControllerTester tester = new ControllerTester();
    tester.athenzDb().hostedOperators.add(HOSTED_OPERATOR);
    tester.createTenant(TENANT.id(), TENANT_DOMAIN.getName(), null);
    tester.createApplication(TENANT, APPLICATION.id(), "default", 12345);

    AthenzDbMock.Domain tenantDomain = tester.athenzDb().domains.get(TENANT_DOMAIN);
    // TENANT_ADMIN is registered as a domain admin yet appears in the forbidden list below:
    // administering the domain must not by itself grant access to the pipeline endpoints.
    tenantDomain.admins.add(TENANT_ADMIN);
    tenantDomain.applications.get(APPLICATION).addRoleMember(ApplicationAction.deploy, TENANT_PIPELINE);

    ControllerAuthorizationFilter authorizationFilter = createFilter(tester);
    List<AthenzIdentity> permitted = asList(HOSTED_OPERATOR, TENANT_PIPELINE);
    List<AthenzIdentity> rejected = asList(TENANT_ADMIN, USER);

    List<String> pipelinePaths = asList(
            "/application/v4/tenant/mytenant/application/myapp/environment/prod/region/myregion/instance/default/deploy",
            "/application/v4/tenant/mytenant/application/myapp/jobreport",
            "/application/v4/tenant/mytenant/application/myapp/promote");
    for (String path : pipelinePaths) {
        testApiAccess(POST, path, permitted, rejected, authorizationFilter);
    }
}
use of com.yahoo.vespa.athenz.api.AthenzIdentity in project vespa by vespa-engine.
the class ControllerAuthorizationFilterTest method only_hosted_operator_can_access_operator_apis.
/**
 * Pins the authorization rule for operator-only endpoints: the hosted operator is the single
 * allowed identity and an ordinary user is listed as forbidden, across one PUT, one POST and
 * one DELETE endpoint.
 *
 * NOTE(review): testApiAccess is defined outside this snippet; presumably it asserts accept/reject
 * per identity. Only one forbidden identity (USER) is exercised here.
 */
@Test
public void only_hosted_operator_can_access_operator_apis() {
    List<AthenzIdentity> permitted = singletonList(HOSTED_OPERATOR);
    List<AthenzIdentity> rejected = singletonList(USER);

    ControllerTester tester = new ControllerTester();
    // The operator is registered in the mock Athenz database before the filter is created.
    tester.athenzDb().hostedOperators.add(HOSTED_OPERATOR);
    ControllerAuthorizationFilter authorizationFilter = createFilter(tester);

    testApiAccess(PUT, "/application/v4/tenant/mytenant/application/myapp/deploying", permitted, rejected, authorizationFilter);
    testApiAccess(POST, "/screwdriver/v1/trigger/tenant/mytenant/application/myapp/", permitted, rejected, authorizationFilter);
    testApiAccess(DELETE, "/provision/v2/provision/enqueue", permitted, rejected, authorizationFilter);
}
use of com.yahoo.vespa.athenz.api.AthenzIdentity in project vespa by vespa-engine.
the class AthenzIdentityVerifierTest method verifies_certificate_with_athenz_service_as_common_name.
/**
 * Checks that the verifier accepts a peer certificate issued for an identity in its allow-list
 * and rejects one issued for an identity that is not in it.
 *
 * Both certificates are self-signed with the same key pair and both calls pass the same
 * "hostname" literal, so the only input that differs between the two cases is the identity
 * placed in the certificate. The test therefore pins the identity allow-list check only.
 *
 * NOTE(review): nothing here exercises chain or trust validation; presumably that is enforced
 * by the TLS layer before this verifier is consulted. Confirm against the production wiring.
 */
@Test
public void verifies_certificate_with_athenz_service_as_common_name() throws Exception {
    AthenzIdentity allowListed = new AthenzService("mydomain", "alice");
    AthenzIdentity notAllowListed = new AthenzService("mydomain", "mallory");
    KeyPair sharedKeyPair = createKeyPair();
    AthenzIdentityVerifier identityVerifier = new AthenzIdentityVerifier(singleton(allowListed));

    boolean trustedAccepted =
            identityVerifier.verify("hostname", createSslSessionMock(createSelfSignedCertificate(sharedKeyPair, allowListed)));
    assertTrue(trustedAccepted);

    // Same domain, different service name: the domain alone is not enough to be accepted.
    boolean unknownAccepted =
            identityVerifier.verify("hostname", createSslSessionMock(createSelfSignedCertificate(sharedKeyPair, notAllowListed)));
    assertFalse(unknownAccepted);
}
use of com.yahoo.vespa.athenz.api.AthenzIdentity in project vespa by vespa-engine.
the class AthenzIdentitiesTest method athenz_identity_is_parsed_from_dot_separated_string.
/**
 * Round-trips an Athenz service identity through its full name: the identity is rendered with
 * {@code getFullName()} and parsed back with {@code AthenzIdentities.from}, and the result must
 * equal the original.
 *
 * The domain used here ("my.subdomain") itself contains a dot, so the test covers the case where
 * the domain/service boundary cannot be found by splitting on the first dot.
 */
@Test
public void athenz_identity_is_parsed_from_dot_separated_string() {
    AthenzDomain dottedDomain = new AthenzDomain("my.subdomain");
    AthenzIdentity original = new AthenzService(dottedDomain, "myservicename");
    AthenzIdentity reparsed = AthenzIdentities.from(original.getFullName());
    assertEquals(original, reparsed);
}
Aggregations