author | Jon Marius Venstad <jvenstad@yahoo-inc.com> | 2019-04-15 10:06:49 +0200 |
---|---|---|
committer | Jon Marius Venstad <jvenstad@yahoo-inc.com> | 2019-04-15 10:18:15 +0200 |
commit | aaf2c85afad1ab84adef9c2674565f43f3d71ad1 (patch) | |
tree | b80cb8f42ce31ec963db6b022d21371b5b66f9bd /controller-api | |
parent | c0cfa08a3f6d538a684135e2711442a18bd7ddf0 (diff) |
Call enforcer.allows rather than role.allows(..., enforcer)
Diffstat (limited to 'controller-api')
-rw-r--r-- | controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Role.java | 5 | ||||
-rw-r--r-- | controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/role/RoleTest.java | 32 |
2 files changed, 16 insertions, 21 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Role.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Role.java index 61f3f11db94..f36107db228 100644 --- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Role.java +++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Role.java @@ -86,11 +86,6 @@ public abstract class Role { /** Returns the role definition of this bound role. */ public RoleDefinition definition() { return roleDefinition; } - /** Returns whether this role is allowed to perform the given action on the given resource. */ - public final boolean allows(Action action, URI uri, Enforcer enforcer) { - return enforcer.allows(this, action, uri); - } - /** Returns whether the other role is a parent of this, and has a context included in this role's context. */ public boolean implies(Role other) { return (context.tenant().isEmpty() || context.tenant().equals(other.context.tenant())) diff --git a/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/role/RoleTest.java b/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/role/RoleTest.java index 2ce565de01a..4c11da3b697 100644 --- a/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/role/RoleTest.java +++ b/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/role/RoleTest.java 
@@ -24,34 +24,34 @@ public class RoleTest { Role role = Role.hostedOperator(); // Operator actions - assertFalse(role.allows(Action.create, URI.create("/not/explicitly/defined"), mainEnforcer)); - assertTrue(role.allows(Action.create, URI.create("/controller/v1/foo"), mainEnforcer)); - assertTrue(role.allows(Action.update, URI.create("/os/v1/bar"), mainEnforcer)); - assertTrue(role.allows(Action.update, URI.create("/application/v4/tenant/t1/application/a1"), mainEnforcer)); - assertTrue(role.allows(Action.update, URI.create("/application/v4/tenant/t2/application/a2"), mainEnforcer)); + assertFalse(mainEnforcer.allows(role, Action.create, URI.create("/not/explicitly/defined"))); + assertTrue(mainEnforcer.allows(role, Action.create, URI.create("/controller/v1/foo"))); + assertTrue(mainEnforcer.allows(role, Action.update, URI.create("/os/v1/bar"))); + assertTrue(mainEnforcer.allows(role, Action.update, URI.create("/application/v4/tenant/t1/application/a1"))); + assertTrue(mainEnforcer.allows(role, Action.update, URI.create("/application/v4/tenant/t2/application/a2"))); } @Test public void tenant_membership() { Role role = Role.athenzTenantAdmin(TenantName.from("t1")); - assertFalse(role.allows(Action.create, URI.create("/not/explicitly/defined"), mainEnforcer)); - assertFalse("Deny access to operator API", role.allows(Action.create, URI.create("/controller/v1/foo"), mainEnforcer)); - assertFalse("Deny access to other tenant and app", role.allows(Action.update, URI.create("/application/v4/tenant/t2/application/a2"), mainEnforcer)); - assertTrue(role.allows(Action.update, URI.create("/application/v4/tenant/t1/application/a1"), mainEnforcer)); + assertFalse(mainEnforcer.allows(role, Action.create, URI.create("/not/explicitly/defined"))); + assertFalse("Deny access to operator API", mainEnforcer.allows(role, Action.create, URI.create("/controller/v1/foo"))); + assertFalse("Deny access to other tenant and app", mainEnforcer.allows(role, Action.update, 
URI.create("/application/v4/tenant/t2/application/a2"))); + assertTrue(mainEnforcer.allows(role, Action.update, URI.create("/application/v4/tenant/t1/application/a1"))); Role publicSystem = Role.athenzTenantAdmin(TenantName.from("t1")); - assertFalse(publicSystem.allows(Action.read, URI.create("/controller/v1/foo"), vaasEnforcer)); - assertTrue(publicSystem.allows(Action.read, URI.create("/badge/v1/badge"), vaasEnforcer)); - assertTrue(publicSystem.allows(Action.update, URI.create("/application/v4/tenant/t1/application/a1"), vaasEnforcer)); + assertFalse(vaasEnforcer.allows(publicSystem, Action.read, URI.create("/controller/v1/foo"))); + assertTrue(vaasEnforcer.allows(publicSystem, Action.read, URI.create("/badge/v1/badge"))); + assertTrue(vaasEnforcer.allows(publicSystem, Action.update, URI.create("/application/v4/tenant/t1/application/a1"))); } @Test public void build_service_membership() { Role role = Role.tenantPipeline(TenantName.from("t1"), ApplicationName.from("a1")); - assertFalse(role.allows(Action.create, URI.create("/not/explicitly/defined"), vaasEnforcer)); - assertFalse(role.allows(Action.update, URI.create("/application/v4/tenant/t1/application/a1"), vaasEnforcer)); - assertTrue(role.allows(Action.create, URI.create("/application/v4/tenant/t1/application/a1/jobreport"), vaasEnforcer)); - assertFalse("No global read access", role.allows(Action.read, URI.create("/controller/v1/foo"), vaasEnforcer)); + assertFalse(vaasEnforcer.allows(role, Action.create, URI.create("/not/explicitly/defined"))); + assertFalse(vaasEnforcer.allows(role, Action.update, URI.create("/application/v4/tenant/t1/application/a1"))); + assertTrue(vaasEnforcer.allows(role, Action.create, URI.create("/application/v4/tenant/t1/application/a1/jobreport"))); + assertFalse("No global read access", vaasEnforcer.allows(role, Action.read, URI.create("/controller/v1/foo"))); } @Test |
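Review bot: In `build_service_membership` the only allow assertion is for `/application/v4/tenant/t1/application/a1/jobreport`, and nothing checks that the same pipeline role is denied on another application's or tenant's jobreport, so a policy that matched the path without the role's context would still pass these tests. I would add a deny case next to it, e.g. `assertFalse("Deny access to other application", vaasEnforcer.allows(role, Action.create, URI.create("/application/v4/tenant/t1/application/a2/jobreport")));`, and the same for tenant `t2`. The expected result is inferred from the role being bound to t1/a1, since `Enforcer`'s matching is not visible here. With `Role.allows` removed, these assertions exercise `Enforcer` alone, so a short class comment saying that `RoleTest` covers the enforcer's policy decisions would help the next reader. The hunk starts inside the first test method and ends at the `@Test` of a following one, both of which continue outside it.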