Example 1 with AthenzIdentity

use of com.yahoo.vespa.athenz.api.AthenzIdentity in project vespa by vespa-engine.

From the class ApplicationApiTest, method addScrewdriverUserToDeployRole:

/**
 * In production this happens outside hosted Vespa, so there is no API for it and we need to reach down into the
 * mock setup to replicate the action.
 */
private void addScrewdriverUserToDeployRole(ScrewdriverId screwdriverId, AthenzDomain domain, com.yahoo.vespa.hosted.controller.api.identifiers.ApplicationId applicationId) {
    AthenzClientFactoryMock mock = (AthenzClientFactoryMock) container.components().getComponent(AthenzClientFactoryMock.class.getName());
    // Map the Screwdriver project id to the Athenz identity the controller will see on requests
    AthenzIdentity screwdriverIdentity = HostedAthenzIdentities.from(screwdriverId);
    AthenzDbMock.Application athenzApplication = mock.getSetup().domains.get(domain).applications.get(applicationId);
    // Grant that identity the 'deploy' role on the application in the mock Athenz database
    athenzApplication.addRoleMember(ApplicationAction.deploy, screwdriverIdentity);
}

Example 2 with AthenzIdentity

From the class ControllerAuthorizationFilterTest, method only_hosted_operator_and_screwdriver_project_with_deploy_role_can_access_tenant_pipeline_apis:

@Test
public void only_hosted_operator_and_screwdriver_project_with_deploy_role_can_access_tenant_pipeline_apis() {
    ControllerTester controllerTester = new ControllerTester();
    // Register HOSTED_OPERATOR as a hosted operator in the mock Athenz database
    controllerTester.athenzDb().hostedOperators.add(HOSTED_OPERATOR);
    controllerTester.createTenant(TENANT.id(), TENANT_DOMAIN.getName(), null);
    controllerTester.createApplication(TENANT, APPLICATION.id(), "default", 12345);
    AthenzDbMock.Domain domainMock = controllerTester.athenzDb().domains.get(TENANT_DOMAIN);
    domainMock.admins.add(TENANT_ADMIN);
    // Only the pipeline identity is granted the 'deploy' role on the application
    domainMock.applications.get(APPLICATION).addRoleMember(ApplicationAction.deploy, TENANT_PIPELINE);
    ControllerAuthorizationFilter filter = createFilter(controllerTester);
    // A domain admin without the deploy role, and an ordinary user, must both be rejected
    List<AthenzIdentity> allowed = asList(HOSTED_OPERATOR, TENANT_PIPELINE);
    List<AthenzIdentity> forbidden = asList(TENANT_ADMIN, USER);
    testApiAccess(POST, "/application/v4/tenant/mytenant/application/myapp/environment/prod/region/myregion/instance/default/deploy", allowed, forbidden, filter);
    testApiAccess(POST, "/application/v4/tenant/mytenant/application/myapp/jobreport", allowed, forbidden, filter);
    testApiAccess(POST, "/application/v4/tenant/mytenant/application/myapp/promote", allowed, forbidden, filter);
}

Example 3 with AthenzIdentity

From the class ControllerAuthorizationFilterTest, method only_hosted_operator_can_access_operator_apis:

@Test
public void only_hosted_operator_can_access_operator_apis() {
    ControllerTester controllerTester = new ControllerTester();
    controllerTester.athenzDb().hostedOperators.add(HOSTED_OPERATOR);
    ControllerAuthorizationFilter filter = createFilter(controllerTester);
    // Operator-only endpoints: a hosted operator passes, any other identity is rejected
    List<AthenzIdentity> allowed = singletonList(HOSTED_OPERATOR);
    List<AthenzIdentity> forbidden = singletonList(USER);
    testApiAccess(PUT, "/application/v4/tenant/mytenant/application/myapp/deploying", allowed, forbidden, filter);
    testApiAccess(POST, "/screwdriver/v1/trigger/tenant/mytenant/application/myapp/", allowed, forbidden, filter);
    testApiAccess(DELETE, "/provision/v2/provision/enqueue", allowed, forbidden, filter);
}

Example 4 with AthenzIdentity

From the class AthenzIdentityVerifierTest, method verifies_certificate_with_athenz_service_as_common_name:

@Test
public void verifies_certificate_with_athenz_service_as_common_name() throws Exception {
    AthenzIdentity trustedIdentity = new AthenzService("mydomain", "alice");
    AthenzIdentity unknownIdentity = new AthenzService("mydomain", "mallory");
    KeyPair keyPair = createKeyPair();
    // The verifier accepts only identities in its trusted set, matched against the certificate's common name
    AthenzIdentityVerifier verifier = new AthenzIdentityVerifier(singleton(trustedIdentity));
    assertTrue(verifier.verify("hostname", createSslSessionMock(createSelfSignedCertificate(keyPair, trustedIdentity))));
    // A well-formed certificate for an identity outside the trusted set is rejected
    assertFalse(verifier.verify("hostname", createSslSessionMock(createSelfSignedCertificate(keyPair, unknownIdentity))));
}

Example 5 with AthenzIdentity

From the class AthenzIdentitiesTest, method athenz_identity_is_parsed_from_dot_separated_string:

@Test
public void athenz_identity_is_parsed_from_dot_separated_string() {
    // The domain itself contains a dot; the service name is the last component of the full name
    AthenzIdentity expectedIdentity = new AthenzService(new AthenzDomain("my.subdomain"), "myservicename");
    String fullName = expectedIdentity.getFullName();
    AthenzIdentity actualIdentity = AthenzIdentities.from(fullName);
    assertEquals(expectedIdentity, actualIdentity);
}