Use of com.yahoo.vespa.athenz.api.AthenzIdentity in project vespa by vespa-engine.
The class ApplicationApiHandler, method throwIfNotAthenzDomainAdmin.
/**
 * Rejects the request unless the authenticated caller is an admin of the given Athenz domain.
 *
 * <p>The caller identity is taken from the request's user principal; the admin check is
 * delegated to a ZMS client created with the service principal.
 *
 * @param tenantDomain the Athenz domain the caller must administer
 * @param request      the incoming request carrying the authenticated principal
 * @throws ForbiddenException if the caller is not an admin of {@code tenantDomain}
 */
private void throwIfNotAthenzDomainAdmin(AthenzDomain tenantDomain, HttpRequest request) {
    AthenzIdentity caller = getUserPrincipal(request).getIdentity();
    if (athenzClientFactory.createZmsClientWithServicePrincipal().isDomainAdmin(caller, tenantDomain)) {
        return;
    }
    // Message deliberately names both the caller and the domain so the denial is auditable
    String message = String.format("The user '%s' is not admin in Athenz domain '%s'",
                                   caller.getFullName(), tenantDomain.getName());
    throw new ForbiddenException(message);
}
Use of com.yahoo.vespa.athenz.api.AthenzIdentity in project vespa by vespa-engine.
The class AthenzFilterMock, method filter.
/**
 * Test-only stand-in for the Athenz request filter.
 *
 * <p>The identity is read verbatim from the {@code IDENTITY_HEADER_NAME} header and attached to
 * the request as its user principal; no signature or token verification happens here. An
 * optional NToken header, when present, is wrapped alongside the identity. Requests without an
 * identity header get a 401 response; OPTIONS (preflight) requests pass through untouched.
 *
 * @param request the request to populate with a principal
 * @param handler used to emit the error response when no identity header is present
 */
@Override
public void filter(DiscFilterRequest request, ResponseHandler handler) {
    // Preflight requests carry no credentials and are let through as-is
    if (request.getMethod().equalsIgnoreCase("OPTIONS")) {
        return;
    }
    String identityName = request.getHeader(IDENTITY_HEADER_NAME);
    if (identityName == null) {
        sendErrorResponse(handler, HttpResponse.Status.UNAUTHORIZED, "Not authenticated");
        return;
    }
    AthenzIdentity identity = AthenzIdentities.from(identityName);
    String nToken = request.getHeader(ATHENZ_NTOKEN_HEADER_NAME);
    AthenzPrincipal principal;
    if (nToken == null) {
        principal = new AthenzPrincipal(identity);
    } else {
        principal = new AthenzPrincipal(identity, new NToken(nToken));
    }
    request.setUserPrincipal(principal);
}
Use of com.yahoo.vespa.athenz.api.AthenzIdentity in project vespa by vespa-engine.
The class ControllerAuthorizationFilterTest, method only_hosted_operator_or_tenant_admin_can_access_tenant_admin_apis.
/**
 * Verifies that tenant-admin endpoints are reachable by a hosted operator and by the tenant's
 * Athenz domain admin, and are rejected for an unrelated user.
 *
 * <p>Covers a tenant DELETE, a deploy POST and a global-rotation override PUT.
 */
@Test
public void only_hosted_operator_or_tenant_admin_can_access_tenant_admin_apis() {
    // Register one hosted operator and one tenant whose Athenz domain lists TENANT_ADMIN as admin
    ControllerTester tester = new ControllerTester();
    tester.athenzDb().hostedOperators.add(HOSTED_OPERATOR);
    tester.createTenant(TENANT.id(), TENANT_DOMAIN.getName(), null);
    tester.athenzDb().domains.get(TENANT_DOMAIN).admins.add(TENANT_ADMIN);

    ControllerAuthorizationFilter authorizationFilter = createFilter(tester);
    List<AthenzIdentity> permitted = asList(HOSTED_OPERATOR, TENANT_ADMIN);
    List<AthenzIdentity> rejected = singletonList(USER);

    String tenantPath = "/application/v4/tenant/mytenant";
    String deployPath = "/application/v4/tenant/mytenant/application/myapp/environment/perf/region/myregion/instance/default/deploy";
    String rotationOverridePath = "/application/v4/tenant/mytenant/application/myapp/environment/prod/region/myregion/instance/default/global-rotation/override";

    testApiAccess(DELETE, tenantPath, permitted, rejected, authorizationFilter);
    testApiAccess(POST, deployPath, permitted, rejected, authorizationFilter);
    testApiAccess(PUT, rotationOverridePath, permitted, rejected, authorizationFilter);
}