Disallow overriding tenant domain on requests

author: Jon Marius Venstad <jvenstad@yahoo-inc.com> 2019-03-22 09:49:49 +0100
committer: Jon Marius Venstad <jvenstad@yahoo-inc.com> 2019-03-22 09:49:49 +0100
commit: c97621406dc6c21918189f9df7e6a650bb81beac (patch)
tree: 33bfab7f4e7260cf0572761768c59343a3e468cb /controller-server/src/main/java/com/yahoo/vespa/hosted/controller/security/AthenzAccessControlRequests.java
parent: 6d8b531082e0b23649ce7efe7b092c1b37733c5f (diff)
1 files changed, 4 insertions, 7 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/security/AthenzAccessControlRequests.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/security/AthenzAccessControlRequests.java
index be79f5fb8d4..c85eea2f2e9 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/security/AthenzAccessControlRequests.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/security/AthenzAccessControlRequests.java
@@ -14,6 +14,7 @@ import com.yahoo.vespa.hosted.controller.api.identifiers.PropertyId;
 import com.yahoo.vespa.hosted.controller.tenant.AthenzTenant;
 
 import java.security.Principal;
+import java.util.NoSuchElementException;
 import java.util.Objects;
 import java.util.Optional;
 
@@ -34,20 +35,16 @@ public class AthenzAccessControlRequests implements AccessControlRequests {
     @Override
     public TenantSpec specification(TenantName tenant, Inspector requestObject) {
         return new AthenzTenantSpec(tenant,
+                                    new AthenzDomain(required("athensDomain", requestObject)),
                                     new Property(required("property", requestObject)),
                                     optional("propertyId", requestObject).map(PropertyId::new));
     }
 
     @Override
     public Credentials credentials(TenantName tenant, Inspector requestObject, HttpRequest request) {
-        // Get domain from request if present, which it should be for create and update requests.
-        Optional<AthenzDomain> requestDomain = optional("athensDomain", requestObject).map(AthenzDomain::new);
-        // Otherwise the tenant should already exist, and we use the domain stored under the tenant.
-        Optional<AthenzDomain> tenantDomain = tenants.get(tenant).map(AthenzTenant.class::cast).map(AthenzTenant::domain);
-
         return new AthenzCredentials(requireAthenzPrincipal(request),
-                                     requestDomain.orElseGet(() -> tenantDomain
-                                             .orElseThrow(() -> new IllegalArgumentException("Must specify 'athensDomain'."))),
+                                     tenants.get(tenant).map(AthenzTenant.class::cast).map(AthenzTenant::domain)
+                                            .orElseGet(() -> new AthenzDomain(required("athensDomain", requestObject))),
                                      requireOktaAccessToken(request));
     }
author	Jon Marius Venstad <jvenstad@yahoo-inc.com>	2019-03-22 09:49:49 +0100
committer	Jon Marius Venstad <jvenstad@yahoo-inc.com>	2019-03-22 09:49:49 +0100
commit	c97621406dc6c21918189f9df7e6a650bb81beac (patch)
tree	33bfab7f4e7260cf0572761768c59343a3e468cb /controller-server/src/main/java/com/yahoo/vespa/hosted/controller/security/AthenzAccessControlRequests.java
parent	6d8b531082e0b23649ce7efe7b092c1b37733c5f (diff)