authorBjørn Christian Seime <bjorncs@verizonmedia.com>2021-10-01 09:55:07 +0200
committerBjørn Christian Seime <bjorncs@verizonmedia.com>2021-10-01 09:59:12 +0200
commit2a43b4c0e6ddbf9acd64f1ff07ba5d4d9340c26c (patch)
tree5094f63b1545c7f88e924fb6d4c8c64bc1804077
parent869209d6cf7bfd59780a08faba7c7ee14da2029d (diff)
Improve policy matching. Don't reuse 'admin' policy name
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzDbMock.java37
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java6
-rw-r--r--controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiTest.java5
3 files changed, 18 insertions, 30 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzDbMock.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzDbMock.java
index 2b784a75760..a9b20040f20 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzDbMock.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzDbMock.java
@@ -67,8 +67,8 @@ public class AthenzDbMock {
return this;
}
- public Domain withPolicy(String principalRegex, String operation, String resource) {
- policies.put("admin", new Policy("admin", principalRegex, operation, resource));
+ public Domain withPolicy(String name, String principalRegex, String operation, String resource) {
+ policies.put(name, new Policy(name, principalRegex, operation, resource));
return this;
}
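Review bot: The new `withPolicy` still uses `policies.put(name, ...)`, so two callers that pick the same policy name silently replace each other's policy — the very collision this commit removes for the hard-coded `"admin"` name can recur with any other repeated name. Since this is a test double where an accidental overwrite would hide a missing grant rather than fail loudly, I would make the collision explicit: `if (policies.putIfAbsent(name, new Policy(name, principalRegex, operation, resource)) != null) throw new IllegalArgumentException("Policy '" + name + "' already exists");`. If overwriting is intended for some tests, a one-line comment saying so on the `put` would do instead.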
@@ -83,6 +83,9 @@ public class AthenzDbMock {
public boolean hasPolicy(String name) { return policies.containsKey(name); }
+ public boolean checkAccess(AthenzIdentity principal, String action, String resource) {
+ return policies.values().stream().anyMatch(a -> a.matches(principal, action, resource));
+ }
}
public static class Application {
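Review bot: `checkAccess` is the entry point the mock's authorization decisions go through, but it carries no documentation of its evaluation rule. I would add a Javadoc above it, e.g. `/** True if any assertion of any policy in this domain matches; role, action and resource are treated as regexes, see Assertion#matches. */`, so test authors know a single matching assertion anywhere in the domain is sufficient and that the patterns are regexes rather than literal Athenz names.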
@@ -125,20 +128,12 @@ public class AthenzDbMock {
return name;
}
- public boolean principalMatches(AthenzIdentity athenzIdentity) {
- return assertions.get(0).principalMatches(athenzIdentity);
- }
-
- public boolean actionMatches(String operation) {
- return assertions.get(0).actionMatches(operation);
- }
-
- public boolean resourceMatches(String resource) {
- return assertions.get(0).resourceMatches(resource);
+ public boolean matches(String assertion) {
+ return assertions.stream().anyMatch(a -> a.matches(assertion));
}
- public boolean hasAssertionMatching(String assertion) {
- return assertions.stream().anyMatch(a -> a.asString().equals(assertion));
+ public boolean matches(AthenzIdentity principal, String action, String resource) {
+ return assertions.stream().anyMatch(a -> a.matches(principal, action, resource));
}
}
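Review bot: The two `matches` overloads on `Policy` have quite different semantics: the three-argument form does regex matching per assertion, while `matches(String assertion)` is an exact `equals` against `Assertion#asString()`, which is lower-cased. A caller passing a mixed-case assertion string therefore never matches, and nothing at the call site signals this. I would either document it, `/** Exact match against the lower-cased "effect action to role on resource" form of an assertion. */`, or keep the previous `hasAssertionMatching` name so the equality semantics stay visible. The enclosing `Policy` class starts above this hunk.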
@@ -157,17 +152,13 @@ public class AthenzDbMock {
public Assertion(String role, String action, String resource) { this("grant", role, action, resource); }
- public boolean principalMatches(AthenzIdentity athenzIdentity) {
- return Pattern.compile(role).matcher(athenzIdentity.getFullName()).matches();
- }
-
- public boolean actionMatches(String operation) {
- return Pattern.compile(action).matcher(operation).matches();
+ public boolean matches(AthenzIdentity principal, String action, String resource) {
+ return Pattern.compile(this.role).matcher(principal.getFullName()).matches()
+ && Pattern.compile(this.action).matcher(action).matches()
+ && Pattern.compile(this.resource).matcher(resource).matches();
}
- public boolean resourceMatches(String resource) {
- return Pattern.compile(resource).matcher(resource).matches();
- }
+ public boolean matches(String assertion) { return asString().equals(assertion); }
public String asString() { return String.format("%s %s to %s on %s", effect, action, role, resource).toLowerCase(); }
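Review bot: `Assertion.matches(principal, action, resource)` ignores the assertion's `effect`, so an assertion constructed with effect `"deny"` (the three-argument constructor on the first line delegates to a four-argument one that takes an effect, and `asString` prints it) is treated as a grant by `Domain.checkAccess`. If the mock is meant to model deny assertions at all, the cheapest guard is to add `"grant".equals(this.effect) &&` as the first conjunct of the returned expression; if it is not, a comment such as `// effect is not evaluated; only grant assertions are expected in tests` would stop someone relying on a deny. Proper deny-overrides-grant semantics would have to live in `Domain.checkAccess`, which is outside this hunk.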
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
index dd49f3a1e7c..b362a0c7a47 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
@@ -158,11 +158,7 @@ public class ZmsClientMock implements ZmsClient {
return false;
} else {
AthenzDbMock.Domain domain = getDomainOrThrow(resource.getDomain(), false);
- return domain.policies.values().stream()
- .anyMatch(policy ->
- policy.principalMatches(identity) &&
- policy.actionMatches(action) &&
- policy.resourceMatches(resource.getEntityName()));
+ return domain.checkAccess(identity, action, resource.getEntityName());
}
}
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiTest.java
index 596a0b186db..d2eb43d31f8 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiTest.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiTest.java
@@ -1479,7 +1479,7 @@ public class ApplicationApiTest extends ControllerContainerTest {
// Allow developer launch privilege to domain1.service. Deployment now completes.
AthenzDbMock.Domain domainMock = tester.athenzClientFactory().getSetup().getOrCreateDomain(ATHENZ_TENANT_DOMAIN);
- domainMock.withPolicy("user." + developer.id(), "launch", "service.service");
+ domainMock.withPolicy("launch-" +developer.id(), "user." + developer.id(), "launch", "service.service");
tester.assertResponse(request("/application/v4/tenant/sandbox/application/myapp/instance/default/deploy/dev-us-east-1", POST)
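Review bot: The added call has uneven spacing around the first `+`: `domainMock.withPolicy("launch-" + developer.id(), "user." + developer.id(), "launch", "service.service");` would match the surrounding style. Separately, the mock compiles the principal argument as a regex, so the unescaped `.` in `"user." + developer.id()` matches any character; it is harmless in this test but worth keeping in mind if the identity format ever becomes more permissive.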
@@ -1757,7 +1757,8 @@ public class ApplicationApiTest extends ControllerContainerTest {
*/
private void allowLaunchOfService(com.yahoo.vespa.athenz.api.AthenzService service) {
AthenzDbMock.Domain domainMock = tester.athenzClientFactory().getSetup().getOrCreateDomain(service.getDomain());
- domainMock.withPolicy(tester.controller().zoneRegistry().accessControlDomain().value()+".provider.*","launch", "service." + service.getName());
+ String principalRegex = tester.controller().zoneRegistry().accessControlDomain().value() + ".provider.*";
+ domainMock.withPolicy("provider-launch", principalRegex,"launch", "service." + service.getName());
}
/**
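Review bot: `allowLaunchOfService` now registers every provider launch policy under the fixed name `"provider-launch"`, and `Domain.withPolicy` stores policies by name with `Map.put`, so calling this helper twice for two services in the same Athenz domain keeps only the second grant and the first service would lose its launch permission. Deriving the name from the service avoids the collision: `domainMock.withPolicy("provider-launch-" + service.getName(), principalRegex, "launch", "service." + service.getName());`. The Javadoc for this helper starts above the hunk and should mention that one policy is created per service.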