diff options
author | Jon Marius Venstad <jvenstad@yahoo-inc.com> | 2019-03-22 09:49:49 +0100 |
---|---|---|
committer | Jon Marius Venstad <jvenstad@yahoo-inc.com> | 2019-03-22 09:49:49 +0100 |
commit | c97621406dc6c21918189f9df7e6a650bb81beac (patch) | |
tree | 33bfab7f4e7260cf0572761768c59343a3e468cb /controller-server/src/main/java/com/yahoo/vespa/hosted/controller/security/AthenzAccessControlRequests.java | |
parent | 6d8b531082e0b23649ce7efe7b092c1b37733c5f (diff) |
Disallow overriding tenant domain on requests
Diffstat (limited to 'controller-server/src/main/java/com/yahoo/vespa/hosted/controller/security/AthenzAccessControlRequests.java')
-rw-r--r-- | controller-server/src/main/java/com/yahoo/vespa/hosted/controller/security/AthenzAccessControlRequests.java | 11 |
1 files changed, 4 insertions, 7 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/security/AthenzAccessControlRequests.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/security/AthenzAccessControlRequests.java index be79f5fb8d4..c85eea2f2e9 100644 --- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/security/AthenzAccessControlRequests.java +++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/security/AthenzAccessControlRequests.java @@ -14,6 +14,7 @@ import com.yahoo.vespa.hosted.controller.api.identifiers.PropertyId; import com.yahoo.vespa.hosted.controller.tenant.AthenzTenant; import java.security.Principal; +import java.util.NoSuchElementException; import java.util.Objects; import java.util.Optional; @@ -34,20 +35,16 @@ public class AthenzAccessControlRequests implements AccessControlRequests { @Override public TenantSpec specification(TenantName tenant, Inspector requestObject) { return new AthenzTenantSpec(tenant, + new AthenzDomain(required("athensDomain", requestObject)), new Property(required("property", requestObject)), optional("propertyId", requestObject).map(PropertyId::new)); } @Override public Credentials credentials(TenantName tenant, Inspector requestObject, HttpRequest request) { - // Get domain from request if present, which it should be for create and update requests. - Optional<AthenzDomain> requestDomain = optional("athensDomain", requestObject).map(AthenzDomain::new); - // Otherwise the tenant should already exist, and we use the domain stored under the tenant. - Optional<AthenzDomain> tenantDomain = tenants.get(tenant).map(AthenzTenant.class::cast).map(AthenzTenant::domain); - return new AthenzCredentials(requireAthenzPrincipal(request), - requestDomain.orElseGet(() -> tenantDomain - .orElseThrow(() -> new IllegalArgumentException("Must specify 'athensDomain'."))), + tenants.get(tenant).map(AthenzTenant.class::cast).map(AthenzTenant::domain) + .orElseGet(() -> new AthenzDomain(required("athensDomain", requestObject))), requireOktaAccessToken(request)); } |