authorJon Marius Venstad <jvenstad@yahoo-inc.com>2019-04-15 10:06:49 +0200
committerJon Marius Venstad <jvenstad@yahoo-inc.com>2019-04-15 10:18:15 +0200
commitaaf2c85afad1ab84adef9c2674565f43f3d71ad1 (patch)
treeb80cb8f42ce31ec963db6b022d21371b5b66f9bd /controller-api
parentc0cfa08a3f6d538a684135e2711442a18bd7ddf0 (diff)
Call enforcer.allows rather than role.allows(..., enforcer)
Diffstat (limited to 'controller-api')
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Role.java5
-rw-r--r--controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/role/RoleTest.java32
2 files changed, 16 insertions, 21 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Role.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Role.java
index 61f3f11db94..f36107db228 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Role.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Role.java
@@ -86,11 +86,6 @@ public abstract class Role {
/** Returns the role definition of this bound role. */
public RoleDefinition definition() { return roleDefinition; }
- /** Returns whether this role is allowed to perform the given action on the given resource. */
- public final boolean allows(Action action, URI uri, Enforcer enforcer) {
- return enforcer.allows(this, action, uri);
- }
-
/** Returns whether the other role is a parent of this, and has a context included in this role's context. */
public boolean implies(Role other) {
return (context.tenant().isEmpty() || context.tenant().equals(other.context.tenant()))
diff --git a/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/role/RoleTest.java b/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/role/RoleTest.java
index 2ce565de01a..4c11da3b697 100644
--- a/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/role/RoleTest.java
+++ b/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/role/RoleTest.java
@@ -24,34 +24,34 @@ public class RoleTest {
Role role = Role.hostedOperator();
// Operator actions
- assertFalse(role.allows(Action.create, URI.create("/not/explicitly/defined"), mainEnforcer));
- assertTrue(role.allows(Action.create, URI.create("/controller/v1/foo"), mainEnforcer));
- assertTrue(role.allows(Action.update, URI.create("/os/v1/bar"), mainEnforcer));
- assertTrue(role.allows(Action.update, URI.create("/application/v4/tenant/t1/application/a1"), mainEnforcer));
- assertTrue(role.allows(Action.update, URI.create("/application/v4/tenant/t2/application/a2"), mainEnforcer));
+ assertFalse(mainEnforcer.allows(role, Action.create, URI.create("/not/explicitly/defined")));
+ assertTrue(mainEnforcer.allows(role, Action.create, URI.create("/controller/v1/foo")));
+ assertTrue(mainEnforcer.allows(role, Action.update, URI.create("/os/v1/bar")));
+ assertTrue(mainEnforcer.allows(role, Action.update, URI.create("/application/v4/tenant/t1/application/a1")));
+ assertTrue(mainEnforcer.allows(role, Action.update, URI.create("/application/v4/tenant/t2/application/a2")));
}
@Test
public void tenant_membership() {
Role role = Role.athenzTenantAdmin(TenantName.from("t1"));
- assertFalse(role.allows(Action.create, URI.create("/not/explicitly/defined"), mainEnforcer));
- assertFalse("Deny access to operator API", role.allows(Action.create, URI.create("/controller/v1/foo"), mainEnforcer));
- assertFalse("Deny access to other tenant and app", role.allows(Action.update, URI.create("/application/v4/tenant/t2/application/a2"), mainEnforcer));
- assertTrue(role.allows(Action.update, URI.create("/application/v4/tenant/t1/application/a1"), mainEnforcer));
+ assertFalse(mainEnforcer.allows(role, Action.create, URI.create("/not/explicitly/defined")));
+ assertFalse("Deny access to operator API", mainEnforcer.allows(role, Action.create, URI.create("/controller/v1/foo")));
+ assertFalse("Deny access to other tenant and app", mainEnforcer.allows(role, Action.update, URI.create("/application/v4/tenant/t2/application/a2")));
+ assertTrue(mainEnforcer.allows(role, Action.update, URI.create("/application/v4/tenant/t1/application/a1")));
Role publicSystem = Role.athenzTenantAdmin(TenantName.from("t1"));
- assertFalse(publicSystem.allows(Action.read, URI.create("/controller/v1/foo"), vaasEnforcer));
- assertTrue(publicSystem.allows(Action.read, URI.create("/badge/v1/badge"), vaasEnforcer));
- assertTrue(publicSystem.allows(Action.update, URI.create("/application/v4/tenant/t1/application/a1"), vaasEnforcer));
+ assertFalse(vaasEnforcer.allows(publicSystem, Action.read, URI.create("/controller/v1/foo")));
+ assertTrue(vaasEnforcer.allows(publicSystem, Action.read, URI.create("/badge/v1/badge")));
+ assertTrue(vaasEnforcer.allows(publicSystem, Action.update, URI.create("/application/v4/tenant/t1/application/a1")));
}
@Test
public void build_service_membership() {
Role role = Role.tenantPipeline(TenantName.from("t1"), ApplicationName.from("a1"));
- assertFalse(role.allows(Action.create, URI.create("/not/explicitly/defined"), vaasEnforcer));
- assertFalse(role.allows(Action.update, URI.create("/application/v4/tenant/t1/application/a1"), vaasEnforcer));
- assertTrue(role.allows(Action.create, URI.create("/application/v4/tenant/t1/application/a1/jobreport"), vaasEnforcer));
- assertFalse("No global read access", role.allows(Action.read, URI.create("/controller/v1/foo"), vaasEnforcer));
+ assertFalse(vaasEnforcer.allows(role, Action.create, URI.create("/not/explicitly/defined")));
+ assertFalse(vaasEnforcer.allows(role, Action.update, URI.create("/application/v4/tenant/t1/application/a1")));
+ assertTrue(vaasEnforcer.allows(role, Action.create, URI.create("/application/v4/tenant/t1/application/a1/jobreport")));
+ assertFalse("No global read access", vaasEnforcer.allows(role, Action.read, URI.create("/controller/v1/foo")));
}
@Test
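Review bot: The cross-tenant deny in `tenant_membership` is asserted only against `mainEnforcer`; the `vaasEnforcer` group checks `/controller/v1/foo`, `/badge/v1/badge` and the role's own `t1/a1` path, but never another tenant's application. Since these tests pin the authorization policy, I would add `assertFalse("Deny access to other tenant and app", vaasEnforcer.allows(publicSystem, Action.update, URI.create("/application/v4/tenant/t2/application/a2")));` there. Likewise `build_service_membership` allows `jobreport` for `t1/a1` with no matching negative, e.g. `assertFalse(vaasEnforcer.allows(role, Action.create, URI.create("/application/v4/tenant/t2/application/a2/jobreport")));`, assuming the pipeline role is meant to be scoped to its own tenant and application, which the policy definition outside this diff would confirm. `publicSystem` is also constructed identically to `role`, so now that the enforcer is the receiver it could simply reuse `role`. The first test method begins above the hunk and the trailing `@Test` belongs to a method below it.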