Example 6 with AthenzIdentity
use of com.yahoo.vespa.athenz.api.AthenzIdentity in project vespa by vespa-engine.
the class ApplicationApiHandler method throwIfNotAthenzDomainAdmin.
private void throwIfNotAthenzDomainAdmin(AthenzDomain tenantDomain, HttpRequest request) {
AthenzIdentity identity = getUserPrincipal(request).getIdentity();
boolean isDomainAdmin = athenzClientFactory.createZmsClientWithServicePrincipal().isDomainAdmin(identity, tenantDomain);
if (!isDomainAdmin) {
throw new ForbiddenException(String.format("The user '%s' is not admin in Athenz domain '%s'", identity.getFullName(), tenantDomain.getName()));
}
}
Also used :
ForbiddenException(javax.ws.rs.ForbiddenException)
AthenzIdentity(com.yahoo.vespa.athenz.api.AthenzIdentity)
Example 7 with AthenzIdentity
use of com.yahoo.vespa.athenz.api.AthenzIdentity in project vespa by vespa-engine.
the class AthenzFilterMock method filter.
@Override
public void filter(DiscFilterRequest request, ResponseHandler handler) {
if (request.getMethod().equalsIgnoreCase("OPTIONS"))
return;
String identityName = request.getHeader(IDENTITY_HEADER_NAME);
String nToken = request.getHeader(ATHENZ_NTOKEN_HEADER_NAME);
if (identityName == null) {
sendErrorResponse(handler, HttpResponse.Status.UNAUTHORIZED, "Not authenticated");
} else {
AthenzIdentity identity = AthenzIdentities.from(identityName);
AthenzPrincipal principal = nToken == null ? new AthenzPrincipal(identity) : new AthenzPrincipal(identity, new NToken(nToken));
request.setUserPrincipal(principal);
}
}
Also used :
NToken(com.yahoo.vespa.athenz.api.NToken)
AthenzIdentity(com.yahoo.vespa.athenz.api.AthenzIdentity)
AthenzPrincipal(com.yahoo.vespa.athenz.api.AthenzPrincipal)
Example 8 with AthenzIdentity
use of com.yahoo.vespa.athenz.api.AthenzIdentity in project vespa by vespa-engine.
the class ControllerAuthorizationFilterTest method only_hosted_operator_or_tenant_admin_can_access_tenant_admin_apis.
@Test
public void only_hosted_operator_or_tenant_admin_can_access_tenant_admin_apis() {
ControllerTester controllerTester = new ControllerTester();
controllerTester.athenzDb().hostedOperators.add(HOSTED_OPERATOR);
controllerTester.createTenant(TENANT.id(), TENANT_DOMAIN.getName(), null);
controllerTester.athenzDb().domains.get(TENANT_DOMAIN).admins.add(TENANT_ADMIN);
ControllerAuthorizationFilter filter = createFilter(controllerTester);
List<AthenzIdentity> allowed = asList(HOSTED_OPERATOR, TENANT_ADMIN);
List<AthenzIdentity> forbidden = singletonList(USER);
testApiAccess(DELETE, "/application/v4/tenant/mytenant", allowed, forbidden, filter);
testApiAccess(POST, "/application/v4/tenant/mytenant/application/myapp/environment/perf/region/myregion/instance/default/deploy", allowed, forbidden, filter);
testApiAccess(PUT, "/application/v4/tenant/mytenant/application/myapp/environment/prod/region/myregion/instance/default/global-rotation/override", allowed, forbidden, filter);
}
Also used :
AthenzIdentity(com.yahoo.vespa.athenz.api.AthenzIdentity)
ControllerTester(com.yahoo.vespa.hosted.controller.ControllerTester)
Test(org.junit.Test)
Aggregations
AthenzIdentity (com.yahoo.vespa.athenz.api.AthenzIdentity)8
Test (org.junit.Test)5
ControllerTester (com.yahoo.vespa.hosted.controller.ControllerTester)3
AthenzService (com.yahoo.vespa.athenz.api.AthenzService)2
AthenzDbMock (com.yahoo.vespa.hosted.controller.athenz.mock.AthenzDbMock)2
AthenzDomain (com.yahoo.vespa.athenz.api.AthenzDomain)1
AthenzPrincipal (com.yahoo.vespa.athenz.api.AthenzPrincipal)1
NToken (com.yahoo.vespa.athenz.api.NToken)1
AthenzIdentityVerifier (com.yahoo.vespa.athenz.tls.AthenzIdentityVerifier)1
AthenzClientFactoryMock (com.yahoo.vespa.hosted.controller.athenz.mock.AthenzClientFactoryMock)1
KeyPair (java.security.KeyPair)1
ForbiddenException (javax.ws.rs.ForbiddenException)1
