Merge pull request #5074 from vespa-engine/bjorncs/enable-controller-authz-filter

Enforce authorization rules in ControllerAuthorizationFilter

2 files changed, 8 insertions, 26 deletions

diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/ControllerAuthorizationFilter.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/ControllerAuthorizationFilter.java
index 13707772244..fddc2bb6fa1 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/ControllerAuthorizationFilter.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/ControllerAuthorizationFilter.java
@@ -3,11 +3,11 @@ package com.yahoo.vespa.hosted.controller.restapi.filter;
 
 import com.google.inject.Inject;
 import com.yahoo.config.provision.ApplicationName;
+import com.yahoo.jdisc.Response;
 import com.yahoo.jdisc.handler.ResponseHandler;
 import com.yahoo.jdisc.http.HttpRequest.Method;
 import com.yahoo.jdisc.http.filter.DiscFilterRequest;
 import com.yahoo.jdisc.http.filter.SecurityRequestFilter;
-import com.yahoo.log.LogLevel;
 import com.yahoo.vespa.athenz.api.AthenzIdentity;
 import com.yahoo.vespa.athenz.api.AthenzPrincipal;
 import com.yahoo.vespa.hosted.controller.Controller;
@@ -27,7 +27,6 @@ import javax.ws.rs.WebApplicationException;
 import java.util.Arrays;
 import java.util.List;
 import java.util.Optional;
-import java.util.logging.Logger;
 
 import static com.yahoo.jdisc.http.HttpRequest.Method.GET;
 import static com.yahoo.jdisc.http.HttpRequest.Method.HEAD;
@@ -61,7 +60,7 @@ public class ControllerAuthorizationFilter implements SecurityRequestFilter {
                                          Controller controller,
                                          EntityService entityService,
                                          ZoneRegistry zoneRegistry) {
-        this(clientFactory, controller, entityService, zoneRegistry, new LoggingAuthorizationResponseHandler());
+        this(clientFactory, controller, entityService, zoneRegistry, new DefaultAuthorizationResponseHandler());
     }
 
     ControllerAuthorizationFilter(AthenzClientFactory clientFactory,
@@ -197,27 +196,10 @@ public class ControllerAuthorizationFilter implements SecurityRequestFilter {
                 .map(AthenzPrincipal.class::cast);
     }
 
-    private static class LoggingAuthorizationResponseHandler implements AuthorizationResponseHandler {
-
-        @SuppressWarnings("LoggerInitializedWithForeignClass")
-        private static final Logger log = Logger.getLogger(ControllerAuthorizationFilter.class.getName());
-
-        @Override
-        public void handle(ResponseHandler responseHandler,
-                           DiscFilterRequest request,
-                           WebApplicationException exception) {
-            log.log(LogLevel.WARNING,
-                    String.format("Access denied (%d): '%s'\nPath: %s\nIdentity: %s",
-                                  exception.getResponse().getStatus(),
-                                  exception.getMessage(),
-                                  request.getRequestURI(),
-                                  getPrincipal(request).map(p -> p.getIdentity().getFullName()).orElse("[none]")));
-        }
-    }
-
-    // TODO Use this as default once we are confident that the access control does not block legal operations
-    @SuppressWarnings("unused")
-    static class HttpRespondingAuthorizationResponseHandler implements AuthorizationResponseHandler {
+    /**
+     * Maps {@link WebApplicationException} to http response ({@link Response}.
+     */
+    static class DefaultAuthorizationResponseHandler implements AuthorizationResponseHandler {
         @Override
         public void handle(ResponseHandler responseHandler,
                            DiscFilterRequest request,
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/ControllerAuthorizationFilterTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/ControllerAuthorizationFilterTest.java
index fe1718de135..ff4ceae1c8e 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/ControllerAuthorizationFilterTest.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/ControllerAuthorizationFilterTest.java
@@ -17,7 +17,7 @@ import com.yahoo.vespa.hosted.controller.api.integration.athenz.ApplicationActio
 import com.yahoo.vespa.hosted.controller.api.integration.athenz.HostedAthenzIdentities;
 import com.yahoo.vespa.hosted.controller.athenz.mock.AthenzClientFactoryMock;
 import com.yahoo.vespa.hosted.controller.athenz.mock.AthenzDbMock;
-import com.yahoo.vespa.hosted.controller.restapi.filter.ControllerAuthorizationFilter.HttpRespondingAuthorizationResponseHandler;
+import com.yahoo.vespa.hosted.controller.restapi.filter.ControllerAuthorizationFilter.DefaultAuthorizationResponseHandler;
 import org.junit.Test;
 
 import java.io.IOException;
@@ -149,7 +149,7 @@ public class ControllerAuthorizationFilterTest {
                                                  controllerTester.controller(),
                                                  controllerTester.entityService(),
                                                  controllerTester.zoneRegistry(),
-                                                 new HttpRespondingAuthorizationResponseHandler());
+                                                 new DefaultAuthorizationResponseHandler());
     }
 
     private static Optional<AuthorizationResponse> invokeFilter(ControllerAuthorizationFilter filter,