author | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2021-10-01 09:55:07 +0200 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2021-10-01 09:59:12 +0200 |
commit | 2a43b4c0e6ddbf9acd64f1ff07ba5d4d9340c26c (patch) | |
tree | 5094f63b1545c7f88e924fb6d4c8c64bc1804077 /controller-api | |
parent | 869209d6cf7bfd59780a08faba7c7ee14da2029d (diff) |
Improve policy matching. Don't reuse 'admin' policy name
Diffstat (limited to 'controller-api')
2 files changed, 15 insertions, 28 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzDbMock.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzDbMock.java
index 2b784a75760..a9b20040f20 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzDbMock.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzDbMock.java
@@ -67,8 +67,8 @@ public class AthenzDbMock {
 return this;
 }
- public Domain withPolicy(String principalRegex, String operation, String resource) {
- policies.put("admin", new Policy("admin", principalRegex, operation, resource));
+ public Domain withPolicy(String name, String principalRegex, String operation, String resource) {
+ policies.put(name, new Policy(name, principalRegex, operation, resource));
 return this;
 }
@@ -83,6 +83,9 @@ public class AthenzDbMock {
 public boolean hasPolicy(String name) {
 return policies.containsKey(name);
 }
+ public boolean checkAccess(AthenzIdentity principal, String action, String resource) {
+ return policies.values().stream().anyMatch(a -> a.matches(principal, action, resource));
+ }
 }
 public static class Application {
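Review bot: `policies.put(name, ...)` in the new withPolicy silently replaces any policy previously registered under the same name, which is the same overwrite the old hard-coded "admin" key caused; a test that registers two policies with one name would keep only the second and never notice. If replacement is not a deliberate feature of this mock, `putIfAbsent` with a failure on collision makes the setup error visible: `if (policies.putIfAbsent(name, new Policy(name, principalRegex, operation, resource)) != null) throw new IllegalArgumentException("Policy '" + name + "' already exists in domain");`. Whether any caller relies on re-registering a name cannot be seen from this hunk, and the Domain class continues outside it.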
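Review bot: Domain.checkAccess becomes the single decision point that ZmsClientMock.hasAccess delegates to, but it carries no Javadoc stating what a match means. I would add above the method: `/** True if any policy in this domain holds an assertion whose role, action and resource regexes each fully match the given principal's full name, action and resource; see Assertion.matches. */`. Stating the allow-if-any rule explicitly matters here because tests read this mock as a stand-in for the real authorization decision.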
@@ -125,20 +128,12 @@ public class AthenzDbMock {
 return name;
 }
- public boolean principalMatches(AthenzIdentity athenzIdentity) {
- return assertions.get(0).principalMatches(athenzIdentity);
- }
-
- public boolean actionMatches(String operation) {
- return assertions.get(0).actionMatches(operation);
- }
-
- public boolean resourceMatches(String resource) {
- return assertions.get(0).resourceMatches(resource);
+ public boolean matches(String assertion) {
+ return assertions.stream().anyMatch(a -> a.matches(assertion));
 }
- public boolean hasAssertionMatching(String assertion) {
- return assertions.stream().anyMatch(a -> a.asString().equals(assertion));
+ public boolean matches(AthenzIdentity principal, String action, String resource) {
+ return assertions.stream().anyMatch(a -> a.matches(principal, action, resource));
 }
 }
@@ -157,17 +152,13 @@ public class AthenzDbMock {
 public Assertion(String role, String action, String resource) {
 this("grant", role, action, resource);
 }
- public boolean principalMatches(AthenzIdentity athenzIdentity) {
- return Pattern.compile(role).matcher(athenzIdentity.getFullName()).matches();
- }
-
- public boolean actionMatches(String operation) {
- return Pattern.compile(action).matcher(operation).matches();
+ public boolean matches(AthenzIdentity principal, String action, String resource) {
+ return Pattern.compile(this.role).matcher(principal.getFullName()).matches()
+ && Pattern.compile(this.action).matcher(action).matches()
+ && Pattern.compile(this.resource).matcher(resource).matches();
 }
- public boolean resourceMatches(String resource) {
- return Pattern.compile(resource).matcher(resource).matches();
- }
+ public boolean matches(String assertion) { return asString().equals(assertion); }
 public String asString() { return String.format("%s %s to %s on %s", effect, action, role, resource).toLowerCase(); }
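Review bot: Policy now exposes two `matches` overloads with different meanings: `matches(String)` is an exact comparison against the lower-cased `asString()` form of an assertion, while `matches(AthenzIdentity, String, String)` evaluates the assertion regexes. Sharing the name hides that a caller of the String form must pass an already lower-cased string, which the old name `hasAssertionMatching` at least hinted at. Consider keeping the String variant under a distinct name such as `public boolean hasAssertion(String assertion)`, or documenting the lower-case requirement on it; the same applies to the `matches(String)` one-liner added to Assertion in the next hunk. Callers of the String form are not visible in this diff, so any rename would need to be checked against them.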
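Review bot: The new Assertion.matches(principal, action, resource) never consults the `effect` field, so an assertion built with any effect other than "grant" (the four-argument constructor that `this("grant", role, action, resource)` delegates to lies outside the hunk) would still report a match, and Policy.matches and Domain.checkAccess would then grant access for it. In a mock that stands in for the authorization decision this turns a deny rule into an allow and lets tests pass for the wrong reason; a guard at the top of the method keeps the answer aligned with what `asString()` reports: `if (!"grant".equalsIgnoreCase(effect)) return false;`. Deny-overrides semantics across policies would need more than this one line, so if non-grant effects are meant to be supported the combining rule in Domain.checkAccess should be revisited as well. Separately, the three `Pattern.compile` calls run on every evaluation although the patterns are fixed per assertion; compiling them once in the constructor would also surface a malformed regex at setup time rather than at the first access check.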
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
index dd49f3a1e7c..b362a0c7a47 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
@@ -158,11 +158,7 @@ public class ZmsClientMock implements ZmsClient {
 return false;
 } else {
 AthenzDbMock.Domain domain = getDomainOrThrow(resource.getDomain(), false);
- return domain.policies.values().stream()
- .anyMatch(policy ->
- policy.principalMatches(identity) &&
- policy.actionMatches(action) &&
- policy.resourceMatches(resource.getEntityName()));
+ return domain.checkAccess(identity, action, resource.getEntityName());
 }
 }
|