diff options
author | Morten Tokle <mortent@yahooinc.com> | 2022-09-14 08:57:53 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-09-14 08:57:53 +0200 |
commit | c0043707d6a749968016c093057cc37c17186ae2 (patch) | |
tree | a613a96b5ed7480d06b23e5d6c604f4434f20b7d | |
parent | 90a5bc37eeac0ec786dca81d00e677ebba850ece (diff) | |
parent | da257339567d62531dd4731f1e3e673b2ca59bc2 (diff) |
Merge pull request #23944 from vespa-engine/bjorncs/secret-store-validation
Validate tenant name from path
2 files changed, 11 insertions, 0 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiHandler.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiHandler.java index 1f9a9b07f71..341cba60519 100644 --- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiHandler.java +++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiHandler.java @@ -1028,6 +1028,8 @@ public class ApplicationApiHandler extends AuditLoggingRequestHandler { var awsRegion = request.getProperty("aws-region"); var parameterName = request.getProperty("parameter-name"); var applicationId = ApplicationId.fromFullString(request.getProperty("application-id")); + if (!applicationId.tenant().equals(TenantName.from(tenantName))) + return ErrorResponse.badRequest("Invalid application id"); var zoneId = requireZone(ZoneId.from(request.getProperty("zone"))); var deploymentId = new DeploymentId(applicationId, zoneId); diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiCloudTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiCloudTest.java index cfe25232408..af0a85f1a90 100644 --- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiCloudTest.java +++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiCloudTest.java @@ -323,6 +323,15 @@ public class ApplicationApiCloudTest extends ControllerContainerCloudTest { request("/application/v4/tenant/scoober/secret-store/secret-foo/validate?aws-region=us-west-1¶meter-name=foo&application-id=scoober.albums.default&zone=prod.aws-us-east-1c", GET) .roles(Set.of(Role.developer(tenantName))); tester.assertResponse(secretStoreRequest, "{\"target\":\"scoober.albums in prod.aws-us-east-1c\",\"result\":{\"settings\":{\"name\":\"foo\",\"role\":\"vespa-secretstore-access\",\"awsId\":\"892075328880\",\"externalId\":\"*****\",\"region\":\"us-east-1\"},\"status\":\"ok\"}}", 200); + + secretStoreRequest = + request("/application/v4/tenant/scoober/secret-store/secret-foo/validate?aws-region=us-west-1¶meter-name=foo&application-id=scober.albums.default&zone=prod.aws-us-east-1c", GET) + .roles(Set.of(Role.developer(tenantName))); + tester.assertResponse(secretStoreRequest, "{" + + "\"error-code\":\"BAD_REQUEST\"," + + "\"message\":\"Invalid application id\"" + + "}", 400); + } @Test |