author | Jon Marius Venstad <jvenstad@yahoo-inc.com> | 2019-03-26 11:33:54 +0100 |
---|---|---|
committer | Jon Marius Venstad <jvenstad@yahoo-inc.com> | 2019-03-26 11:33:54 +0100 |
commit | 6d73b7fd9256b10fd54f8567f90e8dd91a1cccae (patch) | |
tree | 1c4cc88ca222922ebd3cfb1a8e6f6d04cb5b98f3 | |
parent | be8dafbc6824f6eb4545aa5f02764fe29a9e6ba7 (diff) |
Include all roles principal has in returned RoleMembership
-rw-r--r-- | controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/ControllerAuthorizationFilter.java | 17 |
1 files changed, 10 insertions, 7 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/ControllerAuthorizationFilter.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/ControllerAuthorizationFilter.java
index 982442c028e..2c96cfee72d 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/ControllerAuthorizationFilter.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/ControllerAuthorizationFilter.java
@@ -35,6 +35,7 @@ import javax.ws.rs.ForbiddenException;
 import javax.ws.rs.InternalServerErrorException;
 import javax.ws.rs.WebApplicationException;
 import java.security.Principal;
+import java.util.HashMap;
 import java.util.Map;
 import java.util.Optional;
 import java.util.Set;
@@ -139,15 +140,16 @@ public class ControllerAuthorizationFilter extends CorsRequestFilterBase {
 if ( ! (principal instanceof AthenzPrincipal))
 throw new IllegalStateException("Expected an AthenzPrincipal to be set on the request.");
 
+ Map<Role, Set<Context>> memberships = new HashMap<>();
 AthenzIdentity identity = ((AthenzPrincipal) principal).getIdentity();
- Optional<Tenant> tenant = tenant(path);
+ Optional<Tenant> tenant = tenant();
 Context context = context(tenant);
 Set<Context> contexts = Set.of(context);
 if (isHostedOperator(identity)) {
- return new RoleMembership(Map.of(Role.hostedOperator, contexts));
+ memberships.put(Role.hostedOperator, contexts);
 }
 if (tenant.isPresent() && isTenantAdmin(identity, tenant.get())) {
- return new RoleMembership(Map.of(Role.tenantAdmin, contexts));
+ memberships.put(Role.tenantAdmin, contexts);
 }
 AthenzDomain principalDomain = identity.getDomain();
 if (principalDomain.equals(SCREWDRIVER_DOMAIN)) {
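Review bot: `Optional<Tenant> tenant = tenant();` drops the explicit `path` argument, and the new `tenant()` in the next hunk still calls `path.matches(...)`, so the tenant used for this authorization decision is now read from instance state rather than from the request being filtered. If this filter is one instance serving concurrent requests and `path` is assigned per request, two requests can interleave so that one principal's roles are computed against the other request's tenant, which is an authorization result keyed on the wrong request; where `path` is assigned is not visible in these hunks, so this needs confirming. Unless `path` is fixed for the lifetime of the instance, I would keep the parameter: `Optional<Tenant> tenant = tenant(path);` and `private Optional<Tenant> tenant(Path path) {`. The enclosing method begins before this hunk and continues into the next one.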
@@ -155,16 +157,17 @@ public class ControllerAuthorizationFilter extends CorsRequestFilterBase {
 if (context.application().isPresent() && tenant.isPresent() && tenant.get() instanceof AthenzTenant) {
 AthenzDomain tenantDomain = ((AthenzTenant) tenant.get()).domain();
 if (hasDeployerAccess(identity, tenantDomain, context.application().get())) {
- return new RoleMembership(Map.of(Role.tenantPipelineOperator, contexts));
+ memberships.put(Role.tenantPipelineOperator, contexts);
 }
 } else {
- return new RoleMembership(Map.of(Role.tenantPipelineOperator, contexts));
+ memberships.put(Role.tenantPipelineOperator, contexts);
 }
 }
- return new RoleMembership(Map.of(Role.everyone, contexts));
+ memberships.put(Role.everyone, contexts);
+ return new RoleMembership(memberships);
 }
 
- private Optional<Tenant> tenant(Path path) {
+ private Optional<Tenant> tenant() {
 if (!path.matches("/application/v4/tenant/{tenant}/{*}")) {
 return Optional.empty();
 }
|
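Review bot: The `else` branch's `memberships.put(Role.tenantPipelineOperator, contexts);` grants the pipeline-operator role to any identity in SCREWDRIVER_DOMAIN whenever the request context has no application or the tenant is not an AthenzTenant, with no `hasDeployerAccess` check; the removed `return` did the same, so the commit does not change this, but now that roles accumulate instead of short-circuiting the unconditional grant is easy to misread. I would document why it is considered safe directly above the `else`, along the lines of `// No application in scope: any Screwdriver identity is treated as a pipeline operator; application-scoped access is checked in the branch above` — and confirm that this is in fact the intended policy rather than an artefact of the old early-return structure. Likewise `memberships.put(Role.everyone, contexts);` now runs for every principal, so a one-line comment stating that `everyone` is always present in the returned membership would help callers that test for it. The `if (principalDomain.equals(SCREWDRIVER_DOMAIN))` block this sits in opens in the previous hunk, and the body of `tenant()` continues past the end of this one.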