diff options
author | Bjørn Christian Seime <bjorn.christian@seime.no> | 2018-02-20 11:36:16 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-02-20 11:36:16 +0100 |
commit | 1c7914ffa2069d3185fc4c85df3d0d9879240227 (patch) | |
tree | 34c90f257f3110895b16b45bf45ef3da1e5f92ad | |
parent | 0d5f15860b4096ad12ed8375bfaa9c86102d1529 (diff) | |
parent | de334b6399043d59533381ae547b7d0797451219 (diff) |
Merge pull request #5074 from vespa-engine/bjorncs/enable-controller-authz-filter
Enforce authorization rules in ControllerAuthorizationFilter
2 files changed, 8 insertions, 26 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/ControllerAuthorizationFilter.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/ControllerAuthorizationFilter.java index 13707772244..fddc2bb6fa1 100644 --- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/ControllerAuthorizationFilter.java +++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/ControllerAuthorizationFilter.java @@ -3,11 +3,11 @@ package com.yahoo.vespa.hosted.controller.restapi.filter; import com.google.inject.Inject; import com.yahoo.config.provision.ApplicationName; +import com.yahoo.jdisc.Response; import com.yahoo.jdisc.handler.ResponseHandler; import com.yahoo.jdisc.http.HttpRequest.Method; import com.yahoo.jdisc.http.filter.DiscFilterRequest; import com.yahoo.jdisc.http.filter.SecurityRequestFilter; -import com.yahoo.log.LogLevel; import com.yahoo.vespa.athenz.api.AthenzIdentity; import com.yahoo.vespa.athenz.api.AthenzPrincipal; import com.yahoo.vespa.hosted.controller.Controller; @@ -27,7 +27,6 @@ import javax.ws.rs.WebApplicationException; import java.util.Arrays; import java.util.List; import java.util.Optional; -import java.util.logging.Logger; import static com.yahoo.jdisc.http.HttpRequest.Method.GET; import static com.yahoo.jdisc.http.HttpRequest.Method.HEAD; @@ -61,7 +60,7 @@ public class ControllerAuthorizationFilter implements SecurityRequestFilter { Controller controller, EntityService entityService, ZoneRegistry zoneRegistry) { - this(clientFactory, controller, entityService, zoneRegistry, new LoggingAuthorizationResponseHandler()); + this(clientFactory, controller, entityService, zoneRegistry, new DefaultAuthorizationResponseHandler()); } ControllerAuthorizationFilter(AthenzClientFactory clientFactory, @@ -197,27 +196,10 @@ public class ControllerAuthorizationFilter implements SecurityRequestFilter { .map(AthenzPrincipal.class::cast); } - private static class LoggingAuthorizationResponseHandler implements AuthorizationResponseHandler { - - @SuppressWarnings("LoggerInitializedWithForeignClass") - private static final Logger log = Logger.getLogger(ControllerAuthorizationFilter.class.getName()); - - @Override - public void handle(ResponseHandler responseHandler, - DiscFilterRequest request, - WebApplicationException exception) { - log.log(LogLevel.WARNING, - String.format("Access denied (%d): '%s'\nPath: %s\nIdentity: %s", - exception.getResponse().getStatus(), - exception.getMessage(), - request.getRequestURI(), - getPrincipal(request).map(p -> p.getIdentity().getFullName()).orElse("[none]"))); - } - } - - // TODO Use this as default once we are confident that the access control does not block legal operations - @SuppressWarnings("unused") - static class HttpRespondingAuthorizationResponseHandler implements AuthorizationResponseHandler { + /** + * Maps {@link WebApplicationException} to http response ({@link Response}. + */ + static class DefaultAuthorizationResponseHandler implements AuthorizationResponseHandler { @Override public void handle(ResponseHandler responseHandler, DiscFilterRequest request, diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/ControllerAuthorizationFilterTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/ControllerAuthorizationFilterTest.java index fe1718de135..ff4ceae1c8e 100644 --- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/ControllerAuthorizationFilterTest.java +++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/ControllerAuthorizationFilterTest.java @@ -17,7 +17,7 @@ import com.yahoo.vespa.hosted.controller.api.integration.athenz.ApplicationActio import com.yahoo.vespa.hosted.controller.api.integration.athenz.HostedAthenzIdentities; import com.yahoo.vespa.hosted.controller.athenz.mock.AthenzClientFactoryMock; import com.yahoo.vespa.hosted.controller.athenz.mock.AthenzDbMock; -import com.yahoo.vespa.hosted.controller.restapi.filter.ControllerAuthorizationFilter.HttpRespondingAuthorizationResponseHandler; +import com.yahoo.vespa.hosted.controller.restapi.filter.ControllerAuthorizationFilter.DefaultAuthorizationResponseHandler; import org.junit.Test; import java.io.IOException; @@ -149,7 +149,7 @@ public class ControllerAuthorizationFilterTest { controllerTester.controller(), controllerTester.entityService(), controllerTester.zoneRegistry(), - new HttpRespondingAuthorizationResponseHandler()); + new DefaultAuthorizationResponseHandler()); } private static Optional<AuthorizationResponse> invokeFilter(ControllerAuthorizationFilter filter, |