Example 1 with NToken

Use of com.yahoo.vespa.athenz.api.NToken in project vespa by vespa-engine.

From the class NTokenValidatorTest, method failing_to_find_key_should_throw_exception:

@Test
public void failing_to_find_key_should_throw_exception() throws InvalidTokenException {
    // Keystore whose every lookup fails: simulates an unreachable or broken ZMS key source
    ZmsKeystore keystore = (athensService, keyId) -> {
        throw new RuntimeException();
    };
    NTokenValidator validator = new NTokenValidator(keystore);
    // The token is signed with an otherwise trusted key, but validation must still fail closed
    // when the public key cannot be retrieved
    NToken token = createNToken(IDENTITY, Instant.now(), TRUSTED_KEY.getPrivate(), "0");
    exceptionRule.expect(InvalidTokenException.class);
    exceptionRule.expectMessage("Failed to retrieve public key");
    validator.validate(token);
}

Example 2 with NToken

Use of com.yahoo.vespa.athenz.api.NToken in project vespa by vespa-engine.

From the class ControllerTest, method testPullRequestDeployment:

@Test
public void testPullRequestDeployment() {
    // Setup system
    ControllerTester tester = new ControllerTester();
    ApplicationController applications = tester.controller().applications();
    // staging deployment
    long app1ProjectId = 22;
    ApplicationId app1 = tester.createAndDeploy("tenant1", "domain1", "application1", Environment.staging, app1ProjectId).id();
    // pull-request deployment - uses different instance id
    ApplicationId app1pr = tester.createAndDeploy("tenant1", "domain1", "application1", "1", Environment.staging, app1ProjectId, null).id();
    assertTrue(applications.get(app1).isPresent());
    assertEquals(app1, applications.get(app1).get().id());
    assertTrue(applications.get(app1pr).isPresent());
    assertEquals(app1pr, applications.get(app1pr).get().id());
    // Simulate restart
    tester.createNewController();
    applications = tester.controller().applications();
    assertTrue(applications.get(app1).isPresent());
    assertEquals(app1, applications.get(app1).get().id());
    assertTrue(applications.get(app1pr).isPresent());
    assertEquals(app1pr, applications.get(app1pr).get().id());
    // Deleting an application also removes its PR instance
    ApplicationId app2 = tester.createAndDeploy("tenant1", "domain1", "application2", Environment.staging, 33).id();
    tester.controller().applications().deleteApplication(app1, Optional.of(new NToken("ntoken")));
    assertEquals("All instances deleted", 0,
                 tester.controller().applications().asList(app1.tenant()).stream()
                       .filter(app -> app.id().application().equals(app1.application()))
                       .count());
    assertEquals("Other application survives", 1,
                 tester.controller().applications().asList(app1.tenant()).stream()
                       .filter(app -> app.id().application().equals(app2.application()))
                       .count());
}

Example 3 with NToken

Use of com.yahoo.vespa.athenz.api.NToken in project vespa by vespa-engine.

From the class ApplicationApiHandler, method createTenant:

private HttpResponse createTenant(String tenantName, HttpRequest request) {
    if (new TenantId(tenantName).isUser())
        return ErrorResponse.badRequest("Use User API to create user tenants.");
    Inspector requestData = toSlime(request.getData()).get();
    Tenant tenant = new Tenant(new TenantId(tenantName),
                               optional("property", requestData).map(Property::new),
                               optional("athensDomain", requestData).map(AthenzDomain::new),
                               optional("propertyId", requestData).map(PropertyId::new));
    // Authorization check: only an admin of the Athenz domain may bind a tenant to it
    if (tenant.isAthensTenant())
        throwIfNotAthenzDomainAdmin(new AthenzDomain(mandatory("athensDomain", requestData).asString()), request);
    // The caller's NToken is required so that the tenant can be registered in Athenz on their behalf
    NToken token = getUserPrincipal(request).getNToken()
                       .orElseThrow(() -> new IllegalArgumentException("Could not create " + tenant + ": No NToken provided"));
    controller.tenants().createAthenzTenant(tenant, token);
    return tenant(tenant, request, true);
}

Example 4 with NToken

Use of com.yahoo.vespa.athenz.api.NToken in project vespa by vespa-engine.

From the class ApplicationController, method deleteApplication:

/**
 * Deletes the given application. All known instances of the application will be deleted,
 * including PR instances.
 *
 * @throws IllegalArgumentException if the application has deployments or the caller is not authorized
 * @throws NotExistsException if no instances of the application exist
 */
public void deleteApplication(ApplicationId applicationId, Optional<NToken> token) {
    // Find all instances of the application
    List<ApplicationId> instances = controller.applications().asList(applicationId.tenant()).stream()
            .map(Application::id)
            .filter(id -> id.application().equals(applicationId.application()) && id.tenant().equals(applicationId.tenant()))
            .collect(Collectors.toList());
    if (instances.isEmpty()) {
        throw new NotExistsException("Could not delete application '" + applicationId + "': Application not found");
    }
    // TODO: Make this one transaction when database is moved to ZooKeeper
    instances.forEach(id -> lockOrThrow(id, application -> {
        if (!application.deployments().isEmpty())
            throw new IllegalArgumentException("Could not delete '" + application + "': It has active deployments");
        Tenant tenant = controller.tenants().tenant(new TenantId(id.tenant().value())).get();
        // Athenz-backed tenants require the caller's NToken, since the deletion is also propagated to ZMS
        if (tenant.isAthensTenant() && !token.isPresent())
            throw new IllegalArgumentException("Could not delete '" + application + "': No NToken provided");
        // Only delete in Athenz once
        if (id.instance().isDefault() && tenant.isAthensTenant()) {
            zmsClientFactory.createZmsClientWithAuthorizedServiceToken(token.get())
                    .deleteApplication(tenant.getAthensDomain().get(),
                                       new com.yahoo.vespa.hosted.controller.api.identifiers.ApplicationId(id.application().value()));
        }
        db.deleteApplication(id);
        log.info("Deleted " + application);
    }));
}

Example 5 with NToken

Use of com.yahoo.vespa.athenz.api.NToken in project vespa by vespa-engine.

From the class AthenzFilterMock, method filter:

@Override
public void filter(DiscFilterRequest request, ResponseHandler handler) {
    if (request.getMethod().equalsIgnoreCase("OPTIONS"))
        return;
    // Test mock: the identity and NToken are taken directly from request headers and are not verified
    String identityName = request.getHeader(IDENTITY_HEADER_NAME);
    String nToken = request.getHeader(ATHENZ_NTOKEN_HEADER_NAME);
    if (identityName == null) {
        sendErrorResponse(handler, HttpResponse.Status.UNAUTHORIZED, "Not authenticated");
    } else {
        AthenzIdentity identity = AthenzIdentities.from(identityName);
        // The NToken is optional; handlers that need it fetch it from the principal
        AthenzPrincipal principal = nToken == null
                ? new AthenzPrincipal(identity)
                : new AthenzPrincipal(identity, new NToken(nToken));
        request.setUserPrincipal(principal);
    }
}