diff options
author | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2021-10-01 09:55:07 +0200 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2021-10-01 09:59:12 +0200 |
commit | 2a43b4c0e6ddbf9acd64f1ff07ba5d4d9340c26c (patch) | |
tree | 5094f63b1545c7f88e924fb6d4c8c64bc1804077 | |
parent | 869209d6cf7bfd59780a08faba7c7ee14da2029d (diff) |
Improve policy matching. Don't reuse 'admin' policy name
3 files changed, 18 insertions, 30 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzDbMock.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzDbMock.java index 2b784a75760..a9b20040f20 100644 --- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzDbMock.java +++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzDbMock.java @@ -67,8 +67,8 @@ public class AthenzDbMock { return this; } - public Domain withPolicy(String principalRegex, String operation, String resource) { - policies.put("admin", new Policy("admin", principalRegex, operation, resource)); + public Domain withPolicy(String name, String principalRegex, String operation, String resource) { + policies.put(name, new Policy(name, principalRegex, operation, resource)); return this; } @@ -83,6 +83,9 @@ public class AthenzDbMock { public boolean hasPolicy(String name) { return policies.containsKey(name); } + public boolean checkAccess(AthenzIdentity principal, String action, String resource) { + return policies.values().stream().anyMatch(a -> a.matches(principal, action, resource)); + } } public static class Application { @@ -125,20 +128,12 @@ public class AthenzDbMock { return name; } - public boolean principalMatches(AthenzIdentity athenzIdentity) { - return assertions.get(0).principalMatches(athenzIdentity); - } - - public boolean actionMatches(String operation) { - return assertions.get(0).actionMatches(operation); - } - - public boolean resourceMatches(String resource) { - return assertions.get(0).resourceMatches(resource); + public boolean matches(String assertion) { + return assertions.stream().anyMatch(a -> a.matches(assertion)); } - public boolean hasAssertionMatching(String assertion) { - return assertions.stream().anyMatch(a -> a.asString().equals(assertion)); + public boolean matches(AthenzIdentity principal, String action, String resource) { + return assertions.stream().anyMatch(a -> a.matches(principal, action, resource)); } } @@ -157,17 +152,13 @@ public class AthenzDbMock { public Assertion(String role, String action, String resource) { this("grant", role, action, resource); } - public boolean principalMatches(AthenzIdentity athenzIdentity) { - return Pattern.compile(role).matcher(athenzIdentity.getFullName()).matches(); - } - - public boolean actionMatches(String operation) { - return Pattern.compile(action).matcher(operation).matches(); + public boolean matches(AthenzIdentity principal, String action, String resource) { + return Pattern.compile(this.role).matcher(principal.getFullName()).matches() + && Pattern.compile(this.action).matcher(action).matches() + && Pattern.compile(this.resource).matcher(resource).matches(); } - public boolean resourceMatches(String resource) { - return Pattern.compile(resource).matcher(resource).matches(); - } + public boolean matches(String assertion) { return asString().equals(assertion); } public String asString() { return String.format("%s %s to %s on %s", effect, action, role, resource).toLowerCase(); } diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java index dd49f3a1e7c..b362a0c7a47 100644 --- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java +++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java @@ -158,11 +158,7 @@ public class ZmsClientMock implements ZmsClient { return false; } else { AthenzDbMock.Domain domain = getDomainOrThrow(resource.getDomain(), false); - return domain.policies.values().stream() - .anyMatch(policy -> - policy.principalMatches(identity) && - policy.actionMatches(action) && - policy.resourceMatches(resource.getEntityName())); + return domain.checkAccess(identity, action, resource.getEntityName()); } } diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiTest.java index 596a0b186db..d2eb43d31f8 100644 --- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiTest.java +++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiTest.java @@ -1479,7 +1479,7 @@ public class ApplicationApiTest extends ControllerContainerTest { // Allow developer launch privilege to domain1.service. Deployment now completes. AthenzDbMock.Domain domainMock = tester.athenzClientFactory().getSetup().getOrCreateDomain(ATHENZ_TENANT_DOMAIN); - domainMock.withPolicy("user." + developer.id(), "launch", "service.service"); + domainMock.withPolicy("launch-" +developer.id(), "user." + developer.id(), "launch", "service.service"); tester.assertResponse(request("/application/v4/tenant/sandbox/application/myapp/instance/default/deploy/dev-us-east-1", POST) @@ -1757,7 +1757,8 @@ public class ApplicationApiTest extends ControllerContainerTest { */ private void allowLaunchOfService(com.yahoo.vespa.athenz.api.AthenzService service) { AthenzDbMock.Domain domainMock = tester.athenzClientFactory().getSetup().getOrCreateDomain(service.getDomain()); - domainMock.withPolicy(tester.controller().zoneRegistry().accessControlDomain().value()+".provider.*","launch", "service." + service.getName()); + String principalRegex = tester.controller().zoneRegistry().accessControlDomain().value() + ".provider.*"; + domainMock.withPolicy("provider-launch", principalRegex,"launch", "service." + service.getName()); } /** |