authorMorten Tokle <mortent@yahooinc.com>2022-09-14 08:57:53 +0200
committerGitHub <noreply@github.com>2022-09-14 08:57:53 +0200
commitc0043707d6a749968016c093057cc37c17186ae2 (patch)
treea613a96b5ed7480d06b23e5d6c604f4434f20b7d
parent90a5bc37eeac0ec786dca81d00e677ebba850ece (diff)
parentda257339567d62531dd4731f1e3e673b2ca59bc2 (diff)
Merge pull request #23944 from vespa-engine/bjorncs/secret-store-validation
Validate tenant name from path
-rw-r--r--controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiHandler.java2
-rw-r--r--controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiCloudTest.java9
2 files changed, 11 insertions, 0 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiHandler.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiHandler.java
index 1f9a9b07f71..341cba60519 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiHandler.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiHandler.java
@@ -1028,6 +1028,8 @@ public class ApplicationApiHandler extends AuditLoggingRequestHandler {
var awsRegion = request.getProperty("aws-region");
var parameterName = request.getProperty("parameter-name");
var applicationId = ApplicationId.fromFullString(request.getProperty("application-id"));
+ if (!applicationId.tenant().equals(TenantName.from(tenantName)))
+ return ErrorResponse.badRequest("Invalid application id");
var zoneId = requireZone(ZoneId.from(request.getProperty("zone")));
var deploymentId = new DeploymentId(applicationId, zoneId);
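Review bot: The added comparison on the new line after `ApplicationId.fromFullString(...)` is an authorization boundary, not a format check — it is what stops a caller holding a role on the tenant in the path from pointing `application-id` at another tenant's deployment — so it deserves a comment saying so, e.g. `// Authorization is granted for the tenant in the path; refuse an application-id that names any other tenant.` The message "Invalid application id" is deliberately generic, which is fine here, but the rationale should be written down so a later refactor does not "helpfully" echo the tenant name back. `fromFullString` runs on the raw query parameter before this check, so a malformed value presumably surfaces as an exception rather than this 400; I cannot see from the hunk how the handler maps that, so worth confirming it also ends in a 4xx. Any sibling endpoints that read `application-id` from the query string in the same way would need the same check, if there are any. The enclosing method starts and ends outside the hunk, and `tenantName` is bound outside it.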
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiCloudTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiCloudTest.java
index cfe25232408..af0a85f1a90 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiCloudTest.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiCloudTest.java
@@ -323,6 +323,15 @@ public class ApplicationApiCloudTest extends ControllerContainerCloudTest {
request("/application/v4/tenant/scoober/secret-store/secret-foo/validate?aws-region=us-west-1&parameter-name=foo&application-id=scoober.albums.default&zone=prod.aws-us-east-1c", GET)
.roles(Set.of(Role.developer(tenantName)));
tester.assertResponse(secretStoreRequest, "{\"target\":\"scoober.albums in prod.aws-us-east-1c\",\"result\":{\"settings\":{\"name\":\"foo\",\"role\":\"vespa-secretstore-access\",\"awsId\":\"892075328880\",\"externalId\":\"*****\",\"region\":\"us-east-1\"},\"status\":\"ok\"}}", 200);
+
+ secretStoreRequest =
+ request("/application/v4/tenant/scoober/secret-store/secret-foo/validate?aws-region=us-west-1&parameter-name=foo&application-id=scober.albums.default&zone=prod.aws-us-east-1c", GET)
+ .roles(Set.of(Role.developer(tenantName)));
+ tester.assertResponse(secretStoreRequest, "{" +
+ "\"error-code\":\"BAD_REQUEST\"," +
+ "\"message\":\"Invalid application id\"" +
+ "}", 400);
+
}
@Test
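Review bot: The negative case on the added request line uses `application-id=scober.albums.default`, which differs from the path tenant `scoober` by a single letter and reads like a typo rather than a deliberate cross-tenant probe; a clearly different tenant name, plus a one-line comment such as `// application-id names a tenant other than the one in the path -> rejected`, would make the intent of the assertion obvious. The test also pins only the mismatched-tenant path; a second request with a malformed `application-id` would document what the handler returns for input that fails parsing before the tenant check is reached. The enclosing test method starts outside the hunk, and `tenantName` is bound outside it.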