
Example 6 with AthenzIdentity

Use of com.yahoo.vespa.athenz.api.AthenzIdentity in the project vespa by vespa-engine.

From the class ApplicationApiHandler, method throwIfNotAthenzDomainAdmin:

// Authorization gate: the caller must be an admin of the tenant's Athenz domain.
// The ZMS lookup runs under the controller's own service principal, not the caller's.
private void throwIfNotAthenzDomainAdmin(AthenzDomain tenantDomain, HttpRequest request) {
    AthenzIdentity identity = getUserPrincipal(request).getIdentity();
    boolean isDomainAdmin = athenzClientFactory.createZmsClientWithServicePrincipal().isDomainAdmin(identity, tenantDomain);
    if (!isDomainAdmin) {
        // The identity is authenticated but not authorized for this domain: reply with HTTP 403.
        throw new ForbiddenException(String.format("The user '%s' is not admin in Athenz domain '%s'", identity.getFullName(), tenantDomain.getName()));
    }
}

Also used: ForbiddenException (javax.ws.rs.ForbiddenException), AthenzIdentity (com.yahoo.vespa.athenz.api.AthenzIdentity)

Example 7 with AthenzIdentity

Use of com.yahoo.vespa.athenz.api.AthenzIdentity in the project vespa by vespa-engine.

From the class AthenzFilterMock, method filter:

// Test mock of the Athenz request filter: it takes the identity straight from a request
// header and does not verify the NToken, so it is only suitable for tests, never for production.
@Override
public void filter(DiscFilterRequest request, ResponseHandler handler) {
    // OPTIONS requests (e.g. CORS preflight) pass through without authentication.
    if (request.getMethod().equalsIgnoreCase("OPTIONS"))
        return;
    String identityName = request.getHeader(IDENTITY_HEADER_NAME);
    String nToken = request.getHeader(ATHENZ_NTOKEN_HEADER_NAME);
    if (identityName == null) {
        // No identity header present: reject with HTTP 401.
        sendErrorResponse(handler, HttpResponse.Status.UNAUTHORIZED, "Not authenticated");
    } else {
        // Parse the header value into an AthenzIdentity and attach it (together with the
        // NToken, when one was supplied) as the request's user principal.
        AthenzIdentity identity = AthenzIdentities.from(identityName);
        AthenzPrincipal principal = nToken == null ? new AthenzPrincipal(identity) : new AthenzPrincipal(identity, new NToken(nToken));
        request.setUserPrincipal(principal);
    }
}

Also used: NToken (com.yahoo.vespa.athenz.api.NToken), AthenzIdentity (com.yahoo.vespa.athenz.api.AthenzIdentity), AthenzPrincipal (com.yahoo.vespa.athenz.api.AthenzPrincipal)

Example 8 with AthenzIdentity

Use of com.yahoo.vespa.athenz.api.AthenzIdentity in the project vespa by vespa-engine.

From the test class ControllerAuthorizationFilterTest, method only_hosted_operator_or_tenant_admin_can_access_tenant_admin_apis:

@Test
public void only_hosted_operator_or_tenant_admin_can_access_tenant_admin_apis() {
    // Set up a mock Athenz database with one hosted operator, one tenant and one tenant-domain admin.
    ControllerTester controllerTester = new ControllerTester();
    controllerTester.athenzDb().hostedOperators.add(HOSTED_OPERATOR);
    controllerTester.createTenant(TENANT.id(), TENANT_DOMAIN.getName(), null);
    controllerTester.athenzDb().domains.get(TENANT_DOMAIN).admins.add(TENANT_ADMIN);
    ControllerAuthorizationFilter filter = createFilter(controllerTester);
    // Positive and negative cases: operators and domain admins pass, a plain user is rejected.
    List<AthenzIdentity> allowed = asList(HOSTED_OPERATOR, TENANT_ADMIN);
    List<AthenzIdentity> forbidden = singletonList(USER);
    // Each tenant-admin API path is exercised for every identity in both lists.
    testApiAccess(DELETE, "/application/v4/tenant/mytenant", allowed, forbidden, filter);
    testApiAccess(POST, "/application/v4/tenant/mytenant/application/myapp/environment/perf/region/myregion/instance/default/deploy", allowed, forbidden, filter);
    testApiAccess(PUT, "/application/v4/tenant/mytenant/application/myapp/environment/prod/region/myregion/instance/default/global-rotation/override", allowed, forbidden, filter);
}

Also used: AthenzIdentity (com.yahoo.vespa.athenz.api.AthenzIdentity), ControllerTester (com.yahoo.vespa.hosted.controller.ControllerTester), Test (org.junit.Test)

Aggregations (number of examples using each class)

AthenzIdentity (com.yahoo.vespa.athenz.api.AthenzIdentity): 8
Test (org.junit.Test): 5
ControllerTester (com.yahoo.vespa.hosted.controller.ControllerTester): 3
AthenzService (com.yahoo.vespa.athenz.api.AthenzService): 2
AthenzDbMock (com.yahoo.vespa.hosted.controller.athenz.mock.AthenzDbMock): 2
AthenzDomain (com.yahoo.vespa.athenz.api.AthenzDomain): 1
AthenzPrincipal (com.yahoo.vespa.athenz.api.AthenzPrincipal): 1
NToken (com.yahoo.vespa.athenz.api.NToken): 1
AthenzIdentityVerifier (com.yahoo.vespa.athenz.tls.AthenzIdentityVerifier): 1
AthenzClientFactoryMock (com.yahoo.vespa.hosted.controller.athenz.mock.AthenzClientFactoryMock): 1
KeyPair (java.security.KeyPair): 1
ForbiddenException (javax.ws.rs.ForbiddenException): 1