Improve policy matching. Don't reuse 'admin' policy name

author: Bjørn Christian Seime <bjorncs@verizonmedia.com> 2021-10-01 09:55:07 +0200
committer: Bjørn Christian Seime <bjorncs@verizonmedia.com> 2021-10-01 09:59:12 +0200
commit: 2a43b4c0e6ddbf9acd64f1ff07ba5d4d9340c26c (patch)
tree: 5094f63b1545c7f88e924fb6d4c8c64bc1804077 /controller-api
parent: 869209d6cf7bfd59780a08faba7c7ee14da2029d (diff)
2 files changed, 15 insertions, 28 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzDbMock.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzDbMock.java
index 2b784a75760..a9b20040f20 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzDbMock.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzDbMock.java
@@ -67,8 +67,8 @@ public class AthenzDbMock {
             return this;
         }
 
-        public Domain withPolicy(String principalRegex, String operation, String resource) {
-            policies.put("admin", new Policy("admin", principalRegex, operation, resource));
+        public Domain withPolicy(String name, String principalRegex, String operation, String resource) {
+            policies.put(name, new Policy(name, principalRegex, operation, resource));
             return this;
         }
 
@@ -83,6 +83,9 @@ public class AthenzDbMock {
 
         public boolean hasPolicy(String name) { return policies.containsKey(name); }
 
+        public boolean checkAccess(AthenzIdentity principal, String action, String resource) {
+            return policies.values().stream().anyMatch(a -> a.matches(principal, action, resource));
+        }
     }
 
     public static class Application {
@@ -125,20 +128,12 @@ public class AthenzDbMock {
             return name;
         }
 
-        public boolean principalMatches(AthenzIdentity athenzIdentity) {
-            return assertions.get(0).principalMatches(athenzIdentity);
-        }
-
-        public boolean actionMatches(String operation) {
-            return assertions.get(0).actionMatches(operation);
-        }
-
-        public boolean resourceMatches(String resource) {
-            return assertions.get(0).resourceMatches(resource);
+        public boolean matches(String assertion) {
+            return assertions.stream().anyMatch(a -> a.matches(assertion));
         }
 
-        public boolean hasAssertionMatching(String assertion) {
-            return assertions.stream().anyMatch(a -> a.asString().equals(assertion));
+        public boolean matches(AthenzIdentity principal, String action, String resource) {
+            return assertions.stream().anyMatch(a -> a.matches(principal, action, resource));
         }
     }
 
@@ -157,17 +152,13 @@ public class AthenzDbMock {
 
         public Assertion(String role, String action, String resource) { this("grant", role, action, resource); }
 
-        public boolean principalMatches(AthenzIdentity athenzIdentity) {
-            return Pattern.compile(role).matcher(athenzIdentity.getFullName()).matches();
-        }
-
-        public boolean actionMatches(String operation) {
-            return Pattern.compile(action).matcher(operation).matches();
+        public boolean matches(AthenzIdentity principal, String action, String resource) {
+            return Pattern.compile(this.role).matcher(principal.getFullName()).matches()
+                    &&  Pattern.compile(this.action).matcher(action).matches()
+                    && Pattern.compile(this.resource).matcher(resource).matches();
         }
 
-        public boolean resourceMatches(String resource) {
-            return Pattern.compile(resource).matcher(resource).matches();
-        }
+        public boolean matches(String assertion) { return asString().equals(assertion); }
 
         public String asString() { return String.format("%s %s to %s on %s", effect, action, role, resource).toLowerCase(); }
 
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
index dd49f3a1e7c..b362a0c7a47 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
@@ -158,11 +158,7 @@ public class ZmsClientMock implements ZmsClient {
             return false;
         } else {
             AthenzDbMock.Domain domain = getDomainOrThrow(resource.getDomain(), false);
-            return domain.policies.values().stream()
-                    .anyMatch(policy ->
-                            policy.principalMatches(identity) &&
-                            policy.actionMatches(action) &&
-                            policy.resourceMatches(resource.getEntityName()));
+            return domain.checkAccess(identity, action, resource.getEntityName());
         }
     }
author	Bjørn Christian Seime <bjorncs@verizonmedia.com>	2021-10-01 09:55:07 +0200
committer	Bjørn Christian Seime <bjorncs@verizonmedia.com>	2021-10-01 09:59:12 +0200
commit	2a43b4c0e6ddbf9acd64f1ff07ba5d4d9340c26c (patch)
tree	5094f63b1545c7f88e924fb6d4c8c64bc1804077 /controller-api
parent	869209d6cf7bfd59780a08faba7c7ee14da2029d (diff)