author | Morten Tokle <mortent@verizonmedia.com> | 2020-01-10 15:24:12 +0100 |
committer | Morten Tokle <mortent@verizonmedia.com> | 2020-01-10 15:24:12 +0100 |
commit | d505f288aa5d127a6c1b453eeae782671fe90234 (patch) | |
tree | cc85e137e3b29962f15d28592203c8f1d643b5a9 /controller-api | |
parent | f77006746634b570aac00847c2ebe426c5e40808 (diff) |
Check launch privilege when launching athenz service
Diffstat (limited to 'controller-api')
2 files changed, 43 insertions, 7 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzDbMock.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzDbMock.java
index 8e21d8cbf20..976f1f08f1a 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzDbMock.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzDbMock.java
@@ -11,6 +11,7 @@ import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
+import java.util.regex.Pattern;
 
 /**
  * @author bjorncs
@@ -41,6 +42,7 @@ public class AthenzDbMock {
         public final Set<AthenzIdentity> tenantAdmins = new HashSet<>();
         public final Map<ApplicationId, Application> applications = new HashMap<>();
         public final Map<String, Service> services = new HashMap<>();
+        public final List<Policy> policies = new ArrayList<>();
         public boolean isVespaTenant = false;
 
         public Domain(AthenzDomain name) {
@@ -49,6 +51,7 @@ public class AthenzDbMock {
 
         public Domain admin(AthenzIdentity identity) {
             admins.add(identity);
+            policies.add(new Policy(identity.getFullName(), ".*", ".*"));
             return this;
         }
 
@@ -62,6 +65,19 @@ public class AthenzDbMock {
             return this;
         }
 
+        public Domain withPolicy(String principalRegex, String operation, String resource) {
+            policies.add(new Policy(principalRegex, operation, resource));
+            return this;
+        }
+
+        public boolean allows(AthenzIdentity identity, String action, String resource) {
+            return policies.stream()
+                    .anyMatch(policy ->
+                            policy.principalMatches(identity) &&
+                            policy.actionMatches(action) &&
+                            policy.resourceMatches(resource));
+        }
+
         /**
          * Simulates establishing Vespa tenancy in Athens.
          */
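Review bot: In `admin()` the identity's full name is handed to `new Policy(...)` unescaped, and `Policy` (later hunk) feeds it straight into `Pattern.compile`, so every `.` in an Athenz name such as `domain.service` becomes a wildcard and the principal pattern also accepts names that differ at those positions. In an authorization mock that lets a negative test pass for the wrong reason. Quote literal names: `policies.add(new Policy(Pattern.quote(identity.getFullName()), ".*", ".*"));` (`Pattern` is imported in the first hunk of this file). `withPolicy` in the next hunk takes `principalRegex` explicitly, so that entry point can stay regex-based.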
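Review bot: `withPolicy` and `allows` carry no Javadoc, and the parameter names `operation` and `resource` hide that all three arguments are regular expressions evaluated with `Matcher.matches()` against the whole string (see `Policy` in the next hunk), so `"service.foo"` also matches `"serviceXfoo"`. Suggest a Javadoc on `withPolicy` such as `/** Adds a policy; all three arguments are regexes that must match the entire principal name, action and resource string respectively. */` and the signature `public Domain withPolicy(String principalRegex, String actionRegex, String resourceRegex)` so the naming is consistent across the three parameters. `allows` should likewise state that it is satisfied by any single policy matching all three values.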
@@ -95,4 +111,28 @@ public class AthenzDbMock {
             this.allowLaunch = allowLaunch;
         }
     }
+
+    public static class Policy {
+        private final Pattern principal;
+        private final Pattern action;
+        private final Pattern resource;
+
+        public Policy(String principal, String action, String resource) {
+            this.principal = Pattern.compile(principal);
+            this.action = Pattern.compile(action);
+            this.resource = Pattern.compile(resource);
+        }
+
+        public boolean principalMatches(AthenzIdentity athenzIdentity) {
+            return this.principal.matcher(athenzIdentity.getFullName()).matches();
+        }
+
+        public boolean actionMatches(String operation) {
+            return this.action.matcher(operation).matches();
+        }
+
+        public boolean resourceMatches(String resource) {
+            return this.resource.matcher(resource).matches();
+        }
+    }
 }
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
index 096a1af2824..0eda5146fb4 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
@@ -111,7 +111,7 @@ public class ZmsClientMock implements ZmsClient {
         if (resource.getEntityName().startsWith("service.hosting.tenant.")) {
             AthenzDomain tenantDomainName = getTenantDomain(resource);
             AthenzDbMock.Domain tenantDomain = getDomainOrThrow(tenantDomainName, true);
-            if (tenantDomain.admins.contains(identity)) {
+            if (tenantDomain.admins.contains(identity) || tenantDomain.tenantAdmins.contains(identity)) {
                 return true;
             }
             if (resource.getEntityName().contains(".res_group.")) {
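Review bot: The new public `Policy` class and its constructor have no Javadoc, yet they define the matching contract the rest of the mock relies on: each of the three strings is compiled with `Pattern.compile` and tested with `matches()`, i.e. a full-string match, and a malformed expression makes the constructor throw `PatternSyntaxException`. Suggest `/** A mock Athenz policy: three regexes that must each fully match the principal's full name, the action and the resource string. Callers passing literal names must escape them. */` on the class and `@throws PatternSyntaxException if any argument is not a valid regex` on the constructor. The three fields could also be documented as always non-null since `Pattern.compile(null)` fails in the constructor.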
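Review bot: The widened condition now returns `true` for members of `tenantDomain.tenantAdmins` as well as `tenantDomain.admins`, which broadens what the mock authorizes for `service.hosting.tenant.*` resources and is not covered by the commit title about launch privileges; a reader of the test fixture will not know whether that is deliberate. A one-line comment above the `if` would settle it, e.g. `// tenant admins get the same access as domain admins to hosting tenant resources`. The enclosing method's signature (and the `identity`/`action` parameters it uses) begins outside this hunk.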
@@ -125,14 +125,10 @@ public class ZmsClientMock implements ZmsClient {
                 return false;
             }
             return false;
-        } else if ("launch".equals(action)){
+        } else {
             AthenzDbMock.Domain domain = getDomainOrThrow(resource.getDomain(), false);
-            String serviceName = resource.getEntityName().replace("service.","");
-            if(!domain.services.containsKey(serviceName)) return false;
-            AthenzDbMock.Service service = domain.services.get(serviceName);
-            return service.allowLaunch;
+            return domain.allows(identity, action, resource.getEntityName());
         }
-        return false;
     }
 
     @Override |
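Review bot: The new `else` branch decides every non-hosting-tenant action purely through `domain.allows`, and `Service.allowLaunch` — still assigned in the constructor visible at the top of the previous AthenzDbMock hunk — is no longer read on this path, so a test that sets `allowLaunch = false` to deny a launch would now be decided by the regex policies alone, and for an identity registered via `admin()` the `".*"`/`".*"` policy grants it. Either consult the flag alongside the policies or remove the field so the two mechanisms cannot disagree; at minimum add `// launch and all other actions are decided by Domain.policies only; Service.allowLaunch is not consulted here` above the `return`. Note also that the resource string passed to `allows` is `resource.getEntityName()`, which the first branch shows still carries the `service.` prefix the old code stripped, so resource regexes in `withPolicy` must match e.g. `service.<name>` rather than a bare service name. The enclosing method starts outside this hunk.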