author | Bjørn Christian Seime <bjorncs@oath.com> | 2018-01-16 16:14:26 +0100 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@oath.com> | 2018-01-17 12:35:44 +0100 |
commit | 96f5cb0fe8b72b5c322f6d8b022a51ec4ef8788d (patch) | |
tree | b4b46d136f92b9832788ac414de5cc38317dea85 /controller-server/src/main | |
parent | ac0e0340fd7989ae4410aaf7e33eb2e1e848a88b (diff) |
Move Athenz types from controller-api to vespa-athenz
Diffstat (limited to 'controller-server/src/main')
18 files changed, 67 insertions, 65 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/ApplicationController.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/ApplicationController.java
index 03eb5689024..08924438736 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/ApplicationController.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/ApplicationController.java
@@ -22,7 +22,7 @@ import com.yahoo.vespa.hosted.controller.api.identifiers.Hostname;
 import com.yahoo.vespa.hosted.controller.api.identifiers.RevisionId;
 import com.yahoo.vespa.hosted.controller.api.identifiers.TenantId;
 import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzClientFactory;
-import com.yahoo.vespa.hosted.controller.api.integration.athenz.NToken;
+import com.yahoo.vespa.athenz.api.NToken;
 import com.yahoo.vespa.hosted.controller.api.integration.athenz.ZmsClient;
 import com.yahoo.vespa.hosted.controller.api.integration.athenz.ZmsException;
 import com.yahoo.vespa.hosted.controller.api.integration.configserver.ConfigServerClient;
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/TenantController.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/TenantController.java
index 16775358458..9ee83bec26a 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/TenantController.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/TenantController.java
@@ -13,8 +13,8 @@ import com.yahoo.vespa.hosted.controller.api.identifiers.UserGroup;
 import com.yahoo.vespa.hosted.controller.api.identifiers.UserId;
 import com.yahoo.vespa.hosted.controller.api.integration.entity.EntityService;
 import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzClientFactory;
-import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzUser;
-import com.yahoo.vespa.hosted.controller.api.integration.athenz.NToken;
+import com.yahoo.vespa.athenz.api.AthenzUser;
+import com.yahoo.vespa.athenz.api.NToken;
 import com.yahoo.vespa.hosted.controller.api.integration.athenz.ZmsClient;
 import com.yahoo.vespa.hosted.controller.api.integration.athenz.ZmsException;
 import com.yahoo.vespa.hosted.controller.persistence.ControllerDb;
@@ -67,7 +67,7 @@ public class TenantController {
 public List<Tenant> asList(UserId user) {
 Set<UserGroup> userGroups = entityService.getUserGroups(user);
 Set<AthenzDomain> userDomains = new HashSet<>(athenzClientFactory.createZtsClientWithServicePrincipal()
- .getTenantDomainsForUser(AthenzUser.fromUserId(user)));
+ .getTenantDomainsForUser(AthenzUser.fromUserId(user.id())));
 Predicate<Tenant> hasUsersGroup = (tenant) -> tenant.getUserGroup().isPresent() && userGroups.contains(tenant.getUserGroup().get());
 Predicate<Tenant> hasUsersDomain = (tenant) -> tenant.getAthensDomain().isPresent() && userDomains.contains(tenant.getAthensDomain().get());
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/AthenzPrincipalFilter.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/AthenzPrincipalFilter.java
index 7aaaad534db..af9ad71e7eb 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/AthenzPrincipalFilter.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/AthenzPrincipalFilter.java
@@ -6,9 +6,9 @@ import com.yahoo.jdisc.Response;
 import com.yahoo.jdisc.handler.ResponseHandler;
 import com.yahoo.jdisc.http.filter.DiscFilterRequest;
 import com.yahoo.jdisc.http.filter.SecurityRequestFilter;
-import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzPrincipal;
-import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzUtils;
-import com.yahoo.vespa.hosted.controller.api.integration.athenz.NToken;
+import com.yahoo.vespa.athenz.api.AthenzPrincipal;
+import com.yahoo.vespa.athenz.api.NToken;
+import com.yahoo.vespa.athenz.utils.AthenzIdentities;
 import com.yahoo.vespa.hosted.controller.api.integration.athenz.ZmsKeystore;
 import com.yahoo.vespa.hosted.controller.athenz.config.AthenzConfig;
@@ -28,7 +28,7 @@ import static com.yahoo.vespa.hosted.controller.athenz.filter.SecurityFilterUtil
 *
 * @author bjorncs
 */
-// TODO bjorncs: Move this class into separate container-security bundle
+// TODO bjorncs: Move this class to vespa-athenz bundle
 public class AthenzPrincipalFilter implements SecurityRequestFilter {
 private final NTokenValidator validator;
@@ -52,7 +52,7 @@ public class AthenzPrincipalFilter implements SecurityRequestFilter {
 public void filter(DiscFilterRequest request, ResponseHandler responseHandler) {
 try {
 Optional<AthenzPrincipal> certificatePrincipal = getClientCertificate(request)
- .map(AthenzUtils::createAthenzIdentity)
+ .map(AthenzIdentities::from)
 .map(AthenzPrincipal::new);
 Optional<AthenzPrincipal> nTokenPrincipal = getPrincipalToken(request, principalTokenHeader)
 .map(validator::validate);
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/NTokenValidator.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/NTokenValidator.java
index 3169d295359..4dcca519058 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/NTokenValidator.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/NTokenValidator.java
@@ -4,10 +4,10 @@ package com.yahoo.vespa.hosted.controller.athenz.filter;
 import com.yahoo.athenz.auth.token.PrincipalToken;
 import com.yahoo.log.LogLevel;
 import com.yahoo.vespa.athenz.api.AthenzDomain;
-import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzPrincipal;
-import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzUtils;
+import com.yahoo.vespa.athenz.api.AthenzPrincipal;
+import com.yahoo.vespa.athenz.api.NToken;
+import com.yahoo.vespa.athenz.utils.AthenzIdentities;
 import com.yahoo.vespa.hosted.controller.api.integration.athenz.InvalidTokenException;
-import com.yahoo.vespa.hosted.controller.api.integration.athenz.NToken;
 import com.yahoo.vespa.hosted.controller.api.integration.athenz.ZmsKeystore;
 import java.security.PublicKey;
@@ -15,7 +15,8 @@ import java.time.Duration;
 import java.util.Optional;
 import java.util.logging.Logger;
-import static com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzUtils.ZMS_ATHENZ_SERVICE;
+import static com.yahoo.vespa.athenz.utils.AthenzIdentities.ZMS_ATHENZ_SERVICE;
+
 /**
 * Validates the content of an NToken:
@@ -24,6 +25,7 @@ import static com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzUti
 *
 * @author bjorncs
 */
+// TODO Move to vespa-athenz
 class NTokenValidator {
 // Max allowed skew in token timestamp (only for creation, not expiry timestamp)
@@ -47,7 +49,7 @@ class NTokenValidator {
 .orElseThrow(() -> new InvalidTokenException("NToken has an unknown keyId"));
 validateSignatureAndExpiration(principalToken, zmsPublicKey);
 return new AthenzPrincipal(
- AthenzUtils.createAthenzIdentity(
+ AthenzIdentities.from(
 new AthenzDomain(principalToken.getDomain()), principalToken.getName()), token);
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/UserAuthWithAthenzPrincipalFilter.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/UserAuthWithAthenzPrincipalFilter.java
index b4859220667..80e14ca7f83 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/UserAuthWithAthenzPrincipalFilter.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/UserAuthWithAthenzPrincipalFilter.java
@@ -8,9 +8,9 @@ import com.yahoo.jdisc.handler.ResponseHandler;
 import com.yahoo.jdisc.http.filter.DiscFilterRequest;
 import com.yahoo.log.LogLevel;
 import com.yahoo.vespa.hosted.controller.api.identifiers.UserId;
-import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzPrincipal;
-import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzUser;
-import com.yahoo.vespa.hosted.controller.api.integration.athenz.NToken;
+import com.yahoo.vespa.athenz.api.AthenzPrincipal;
+import com.yahoo.vespa.athenz.api.AthenzUser;
+import com.yahoo.vespa.athenz.api.NToken;
 import com.yahoo.vespa.hosted.controller.api.integration.athenz.ZmsKeystore;
 import com.yahoo.vespa.hosted.controller.athenz.config.AthenzConfig;
 import com.yahoo.vespa.hosted.controller.restapi.application.Authorizer;
@@ -89,7 +89,7 @@ public class UserAuthWithAthenzPrincipalFilter extends AthenzPrincipalFilter {
 Principal userPrincipal = request.getUserPrincipal();
 log.log(LogLevel.DEBUG, () -> "Original user principal: " + userPrincipal.toString());
 UserId userId = new UserId(userPrincipal.getName());
- AthenzUser athenzIdentity = AthenzUser.fromUserId(userId);
+ AthenzUser athenzIdentity = AthenzUser.fromUserId(userId.id());
 request.setRemoteUser(athenzIdentity.getFullName());
 NToken nToken = Optional.ofNullable(request.getHeader(principalHeaderName)).map(NToken::new).orElse(null);
 request.setUserPrincipal(new AthenzPrincipal(athenzIdentity, nToken));
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzClientFactoryImpl.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzClientFactoryImpl.java
index 266b4a0bd2e..1fb02299b46 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzClientFactoryImpl.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzClientFactoryImpl.java
@@ -10,8 +10,9 @@ import com.yahoo.athenz.auth.token.PrincipalToken;
 import com.yahoo.athenz.auth.util.Crypto;
 import com.yahoo.athenz.zms.ZMSClient;
 import com.yahoo.athenz.zts.ZTSClient;
+import com.yahoo.vespa.athenz.api.NToken;
+import com.yahoo.vespa.athenz.utils.AthenzIdentities;
 import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzClientFactory;
-import com.yahoo.vespa.hosted.controller.api.integration.athenz.NToken;
 import com.yahoo.vespa.hosted.controller.api.integration.athenz.ZmsClient;
 import com.yahoo.vespa.hosted.controller.api.integration.athenz.ZtsClient;
 import com.yahoo.vespa.hosted.controller.api.integration.security.KeyService;
@@ -20,8 +21,6 @@ import com.yahoo.vespa.hosted.controller.athenz.config.AthenzConfig;
 import java.security.PrivateKey;
 import java.time.Duration;
-import static com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzUtils.USER_PRINCIPAL_DOMAIN;
-
 /**
 * @author bjorncs
 */
@@ -65,7 +64,7 @@ public class AthenzClientFactoryImpl implements AthenzClientFactory {
 config.domain() + "." + service.name(), service.publicKeyId(), getServicePrivateKey());
 Principal dualPrincipal = SimplePrincipal.create(
- USER_PRINCIPAL_DOMAIN.getName(), signedToken.getName(), signedToken.getSignedToken(), athenzPrincipalAuthority);
+ AthenzIdentities.USER_PRINCIPAL_DOMAIN.getName(), signedToken.getName(), signedToken.getSignedToken(), athenzPrincipalAuthority);
 return new ZmsClientImpl(new ZMSClient(config.zmsUrl(), dualPrincipal), config);
 }
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzSslContextProviderImpl.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzSslContextProviderImpl.java
index 3a7a72ac8ae..f463d04b454 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzSslContextProviderImpl.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzSslContextProviderImpl.java
@@ -3,7 +3,7 @@ package com.yahoo.vespa.hosted.controller.athenz.impl;
 import com.google.inject.Inject;
 import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzClientFactory;
-import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzIdentityCertificate;
+import com.yahoo.vespa.athenz.api.AthenzIdentityCertificate;
 import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzSslContextProvider;
 import com.yahoo.vespa.hosted.controller.api.integration.athenz.ZtsClient;
 import com.yahoo.vespa.hosted.controller.athenz.config.AthenzConfig;
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/ZmsClientImpl.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/ZmsClientImpl.java
index d54dbb2aed0..8b62a93f8d9 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/ZmsClientImpl.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/ZmsClientImpl.java
@@ -14,9 +14,9 @@ import com.yahoo.log.LogLevel;
 import com.yahoo.vespa.hosted.controller.api.identifiers.ApplicationId;
 import com.yahoo.vespa.athenz.api.AthenzDomain;
 import com.yahoo.vespa.hosted.controller.api.integration.athenz.ApplicationAction;
-import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzIdentity;
-import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzPublicKey;
-import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzService;
+import com.yahoo.vespa.athenz.api.AthenzIdentity;
+import com.yahoo.vespa.athenz.api.AthenzPublicKey;
+import com.yahoo.vespa.athenz.api.AthenzService;
 import com.yahoo.vespa.hosted.controller.api.integration.athenz.ZmsClient;
 import com.yahoo.vespa.hosted.controller.api.integration.athenz.ZmsException;
 import com.yahoo.vespa.hosted.controller.athenz.config.AthenzConfig;
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/ZmsKeystoreImpl.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/ZmsKeystoreImpl.java
index 513434f7273..4b194651439 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/ZmsKeystoreImpl.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/ZmsKeystoreImpl.java
@@ -3,8 +3,8 @@ package com.yahoo.vespa.hosted.controller.athenz.impl;
 import com.google.inject.Inject;
 import com.yahoo.log.LogLevel;
-import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzPublicKey;
-import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzService;
+import com.yahoo.vespa.athenz.api.AthenzPublicKey;
+import com.yahoo.vespa.athenz.api.AthenzService;
 import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzClientFactory;
 import com.yahoo.vespa.hosted.controller.api.integration.athenz.ZmsException;
 import com.yahoo.vespa.hosted.controller.api.integration.athenz.ZmsKeystore;
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/ZtsClientImpl.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/ZtsClientImpl.java
index 4c6f717549d..0166c02db2e 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/ZtsClientImpl.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/ZtsClientImpl.java
@@ -9,10 +9,10 @@ import com.yahoo.athenz.zts.ZTSClient;
 import com.yahoo.athenz.zts.ZTSClientException;
 import com.yahoo.log.LogLevel;
 import com.yahoo.vespa.athenz.api.AthenzDomain;
-import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzIdentity;
-import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzIdentityCertificate;
-import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzRoleCertificate;
-import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzService;
+import com.yahoo.vespa.athenz.api.AthenzIdentity;
+import com.yahoo.vespa.athenz.api.AthenzIdentityCertificate;
+import com.yahoo.vespa.athenz.api.AthenzRoleCertificate;
+import com.yahoo.vespa.athenz.api.AthenzService;
 import com.yahoo.vespa.hosted.controller.api.integration.athenz.ZtsClient;
 import com.yahoo.vespa.hosted.controller.api.integration.athenz.ZtsException;
 import com.yahoo.vespa.hosted.controller.athenz.config.AthenzConfig;
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/mock/AthenzClientFactoryMock.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/mock/AthenzClientFactoryMock.java
index 52a1f2d477d..f7939422170 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/mock/AthenzClientFactoryMock.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/mock/AthenzClientFactoryMock.java
@@ -3,7 +3,7 @@ package com.yahoo.vespa.hosted.controller.athenz.mock;
 import com.google.inject.Inject;
 import com.yahoo.component.AbstractComponent;
-import com.yahoo.vespa.hosted.controller.api.integration.athenz.NToken;
+import com.yahoo.vespa.athenz.api.NToken;
 import com.yahoo.vespa.hosted.controller.api.integration.athenz.ZmsClient;
 import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzClientFactory;
 import com.yahoo.vespa.hosted.controller.api.integration.athenz.ZtsClient;
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/mock/AthenzDbMock.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/mock/AthenzDbMock.java
index a265d92dde2..0524cf18568 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/mock/AthenzDbMock.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/mock/AthenzDbMock.java
@@ -4,7 +4,7 @@ package com.yahoo.vespa.hosted.controller.athenz.mock;
 import com.yahoo.vespa.hosted.controller.api.identifiers.ApplicationId;
 import com.yahoo.vespa.athenz.api.AthenzDomain;
 import com.yahoo.vespa.hosted.controller.api.integration.athenz.ApplicationAction;
-import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzIdentity;
+import com.yahoo.vespa.athenz.api.AthenzIdentity;
 import java.util.HashMap;
 import java.util.HashSet;
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/mock/ZmsClientMock.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/mock/ZmsClientMock.java
index e43f17fa12b..ba8bfc2405e 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/mock/ZmsClientMock.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/mock/ZmsClientMock.java
@@ -4,9 +4,9 @@ package com.yahoo.vespa.hosted.controller.athenz.mock;
 import com.yahoo.vespa.hosted.controller.api.identifiers.ApplicationId;
 import com.yahoo.vespa.athenz.api.AthenzDomain;
 import com.yahoo.vespa.hosted.controller.api.integration.athenz.ApplicationAction;
-import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzIdentity;
-import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzPublicKey;
-import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzService;
+import com.yahoo.vespa.athenz.api.AthenzIdentity;
+import com.yahoo.vespa.athenz.api.AthenzPublicKey;
+import com.yahoo.vespa.athenz.api.AthenzService;
 import com.yahoo.vespa.hosted.controller.api.integration.athenz.ZmsClient;
 import com.yahoo.vespa.hosted.controller.api.integration.athenz.ZmsException;
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/mock/ZtsClientMock.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/mock/ZtsClientMock.java
index 4bdaadd5155..7aea79a93c6 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/mock/ZtsClientMock.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/mock/ZtsClientMock.java
@@ -3,9 +3,9 @@ package com.yahoo.vespa.hosted.controller.athenz.mock;
 import com.yahoo.athenz.auth.util.Crypto;
 import com.yahoo.vespa.athenz.api.AthenzDomain;
-import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzIdentity;
-import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzIdentityCertificate;
-import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzRoleCertificate;
+import com.yahoo.vespa.athenz.api.AthenzIdentity;
+import com.yahoo.vespa.athenz.api.AthenzIdentityCertificate;
+import com.yahoo.vespa.athenz.api.AthenzRoleCertificate;
 import com.yahoo.vespa.hosted.controller.api.integration.athenz.ZtsClient;
 import org.bouncycastle.asn1.x500.X500Name;
 import org.bouncycastle.operator.OperatorCreationException;
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImpl.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImpl.java
index 81388ccce03..1226b3bbbbe 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImpl.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImpl.java
@@ -7,10 +7,10 @@ import com.google.inject.Inject;
 import com.yahoo.config.provision.Environment;
 import com.yahoo.jdisc.http.HttpRequest.Method;
 import com.yahoo.log.LogLevel;
-import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzIdentity;
-import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzIdentityVerifier;
+import com.yahoo.vespa.athenz.api.AthenzIdentity;
+import com.yahoo.vespa.athenz.utils.AthenzIdentities;
+import com.yahoo.vespa.athenz.utils.AthenzIdentityVerifier;
 import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzSslContextProvider;
-import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzUtils;
 import com.yahoo.vespa.hosted.controller.api.integration.zone.ZoneId;
 import com.yahoo.vespa.hosted.controller.api.integration.zone.ZoneList;
 import com.yahoo.vespa.hosted.controller.api.integration.zone.ZoneRegistry;
@@ -290,7 +290,7 @@ public class ConfigServerRestExecutorImpl implements ConfigServerRestExecutor {
 @Override
 public void verify(String hostname, X509Certificate certificate) throws SSLException {
- AthenzIdentity identity = AthenzUtils.createAthenzIdentity(certificate);
+ AthenzIdentity identity = AthenzIdentities.from(certificate);
 if (!verifier.isTrusted(identity)) {
 throw new SSLException("Athenz identity is not trusted: " + identity.getFullName());
 }
@@ -298,7 +298,7 @@ public class ConfigServerRestExecutorImpl implements ConfigServerRestExecutor {
 @Override
 public void verify(String hostname, String[] cns, String[] subjectAlts) throws SSLException {
- AthenzIdentity identity = AthenzUtils.createAthenzIdentity(cns[0]);
+ AthenzIdentity identity = AthenzIdentities.from(cns[0]);
 if (!verifier.isTrusted(identity)) {
 throw new SSLException("Athenz identity is not trusted: " + identity.getFullName());
 }
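Review bot: The new `verify(String hostname, String[] cns, String[] subjectAlts)` overload at @@ -298 still reads `cns[0]` without checking that the array has an element, so a peer certificate with no CN fails with an ArrayIndexOutOfBoundsException rather than the SSLException the verifier contract expects, and the same holds if `AthenzIdentities.from` rejects a CN that is not a well-formed Athenz identity with a runtime exception (its error type is not visible from here). Both overloads also ignore `hostname`; that is presumably intentional because trust is decided on the Athenz identity, but a one-line comment saying so would save the next reader a question. Guarding the CN overload and mapping a parse failure to SSLException keeps a malformed peer certificate a clean handshake rejection with a useful message, as sketched below; the exception type caught assumes IllegalArgumentException for a malformed name and should be confirmed against vespa-athenz. The enclosing verifier class starts and ends outside the hunk.
```java
public void verify(String hostname, String[] cns, String[] subjectAlts) throws SSLException {
    // hostname is intentionally not compared: trust is decided on the Athenz identity in the CN
    if (cns == null || cns.length == 0) {
        throw new SSLException("Peer certificate has no CN to derive an Athenz identity from");
    }
    AthenzIdentity identity;
    try {
        identity = AthenzIdentities.from(cns[0]);
    } catch (IllegalArgumentException e) { // TODO confirm the exception AthenzIdentities.from uses for malformed names
        throw new SSLException("Peer certificate CN is not a valid Athenz identity: " + cns[0], e);
    }
    // … unchanged: verifier.isTrusted check …
```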
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiHandler.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiHandler.java
index bad3ca30496..dc816d70b7f 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiHandler.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiHandler.java
@@ -64,10 +64,10 @@ import com.yahoo.vespa.hosted.controller.application.DeploymentMetrics;
 import com.yahoo.vespa.hosted.controller.application.JobStatus;
 import com.yahoo.vespa.hosted.controller.application.SourceRevision;
 import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzClientFactory;
-import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzIdentity;
-import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzPrincipal;
-import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzUser;
-import com.yahoo.vespa.hosted.controller.api.integration.athenz.NToken;
+import com.yahoo.vespa.athenz.api.AthenzIdentity;
+import com.yahoo.vespa.athenz.api.AthenzPrincipal;
+import com.yahoo.vespa.athenz.api.AthenzUser;
+import com.yahoo.vespa.athenz.api.NToken;
 import com.yahoo.vespa.hosted.controller.api.integration.athenz.ZmsException;
 import com.yahoo.vespa.hosted.controller.restapi.ErrorResponse;
 import com.yahoo.vespa.hosted.controller.restapi.MessageResponse;
@@ -875,7 +875,8 @@ public class ApplicationApiHandler extends LoggingRequestHandler {
 .map(AthenzPrincipal::getIdentity)
 .filter(AthenzUser.class::isInstance)
 .map(AthenzUser.class::cast)
- .map(AthenzUser::getUserId);
+ .map(AthenzUser::getName)
+ .map(UserId::new);
 }
 private void toSlime(Cursor object, Tenant tenant, HttpRequest request, boolean listApplications) {
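Review bot: The AthenzUser-to-UserId conversion that replaces the removed `getUserId()` is now written out by hand in four places — `.map(AthenzUser::getName).map(UserId::new)` in the @@ -875 hunk here, `new UserId(user.getName())` in the ApplicationApiHandler hunk at @@ -991, and twice in the Authorizer hunk at @@ -100 — and identity-mapping expressions copied across authorization checks tend to drift apart. A single helper, for example `static UserId userIdOf(AthenzUser user) { return new UserId(user.getName()); }` in Authorizer or a factory on UserId, would keep the mapping in one place, and its Javadoc is the right spot to record the assumption that `AthenzUser.getName()` yields the bare user name the former `getUserId()` produced, which I cannot confirm from these hunks. The enclosing method of the @@ -875 hunk starts outside the hunk.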
@@ -991,9 +992,9 @@ public class ApplicationApiHandler extends LoggingRequestHandler {
 throw new ForbiddenException("Identity not an user: " + identity.getFullName());
 }
 AthenzUser user = (AthenzUser) identity;
- if (!authorizer.isSuperUser(request) && !authorizer.isGroupMember(user.getUserId(), userGroup) ) {
+ if (!authorizer.isSuperUser(request) && !authorizer.isGroupMember(new UserId(user.getName()), userGroup) ) {
 throw new ForbiddenException(String.format("User '%s' is not super user or part of the OpsDB user group '%s'",
- user.getUserId().id(), userGroup.id()));
+ user.getName(), userGroup.id()));
 }
 }
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/application/Authorizer.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/application/Authorizer.java
index 85d966ead34..06d078e8a36 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/application/Authorizer.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/application/Authorizer.java
@@ -10,10 +10,10 @@ import com.yahoo.vespa.hosted.controller.api.identifiers.TenantId;
 import com.yahoo.vespa.hosted.controller.api.identifiers.UserGroup;
 import com.yahoo.vespa.hosted.controller.api.identifiers.UserId;
 import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzClientFactory;
-import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzIdentity;
-import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzPrincipal;
-import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzUser;
-import com.yahoo.vespa.hosted.controller.api.integration.athenz.NToken;
+import com.yahoo.vespa.athenz.api.AthenzIdentity;
+import com.yahoo.vespa.athenz.api.AthenzPrincipal;
+import com.yahoo.vespa.athenz.api.AthenzUser;
+import com.yahoo.vespa.athenz.api.NToken;
 import com.yahoo.vespa.hosted.controller.api.integration.entity.EntityService;
 import com.yahoo.vespa.hosted.controller.common.ContextAttributes;
@@ -100,14 +100,14 @@ public class Authorizer {
 return false;
 }
 AthenzUser user = (AthenzUser) identity;
- return isGroupMember(user.getUserId(), tenant.getUserGroup().get());
+ return isGroupMember(new UserId(user.getName()), tenant.getUserGroup().get());
 }
 case USER: {
 if (!(identity instanceof AthenzUser)) {
 return false;
 }
 AthenzUser user = (AthenzUser) identity;
- return isUserTenantOwner(tenant.getId(), user.getUserId());
+ return isUserTenantOwner(tenant.getId(), new UserId(user.getName()));
 }
 }
 throw new IllegalArgumentException("Unknown tenant type: " + tenant.tenantType());
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/application/DeployAuthorizer.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/application/DeployAuthorizer.java
index 36c3dcdf514..323da24b47d 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/application/DeployAuthorizer.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/application/DeployAuthorizer.java
@@ -3,15 +3,14 @@ package com.yahoo.vespa.hosted.controller.restapi.application;
 import com.yahoo.config.provision.ApplicationId;
 import com.yahoo.config.provision.Environment;
-import com.yahoo.vespa.hosted.controller.api.Tenant;
 import com.yahoo.vespa.athenz.api.AthenzDomain;
-import com.yahoo.vespa.hosted.controller.api.integration.zone.ZoneRegistry;
-import com.yahoo.vespa.hosted.controller.application.ApplicationPackage;
+import com.yahoo.vespa.athenz.api.AthenzPrincipal;
+import com.yahoo.vespa.hosted.controller.api.Tenant;
 import com.yahoo.vespa.hosted.controller.api.integration.athenz.ApplicationAction;
 import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzClientFactory;
-import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzPrincipal;
-import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzUtils;
 import com.yahoo.vespa.hosted.controller.api.integration.athenz.ZmsException;
+import com.yahoo.vespa.hosted.controller.api.integration.zone.ZoneRegistry;
+import com.yahoo.vespa.hosted.controller.application.ApplicationPackage;
 import javax.ws.rs.ForbiddenException;
 import javax.ws.rs.NotAuthorizedException;
@@ -19,6 +18,7 @@ import java.security.Principal;
 import java.util.Objects;
 import java.util.logging.Logger;
+import static com.yahoo.vespa.hosted.controller.api.integration.athenz.HostedAthenzIdentities.SCREWDRIVER_DOMAIN;
 import static com.yahoo.vespa.hosted.controller.restapi.application.Authorizer.environmentRequiresAuthorization;
 /**
@@ -72,10 +72,10 @@ public class DeployAuthorizer {
 AthenzPrincipal athenzPrincipal = (AthenzPrincipal) principal;
 AthenzDomain principalDomain = athenzPrincipal.getDomain();
- if (!principalDomain.equals(AthenzUtils.SCREWDRIVER_DOMAIN)) {
+ if (!principalDomain.equals(SCREWDRIVER_DOMAIN)) {
 throw loggedForbiddenException( "Principal '%s' is not a Screwdriver principal. Excepted principal with Athenz domain '%s', got '%s'.",
- principal.getName(), AthenzUtils.SCREWDRIVER_DOMAIN.getName(), principalDomain.getName());
+ principal.getName(), SCREWDRIVER_DOMAIN.getName(), principalDomain.getName());
 }
 // NOTE: no fine-grained deploy authorization for non-Athenz tenants |
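Review bot: The format string in the `loggedForbiddenException` call whose argument line this hunk rewrites reads "Excepted principal with Athenz domain", which looks like a typo for "Expected"; since the commit already touches that call, folding the one-word fix into the literal (`"... Expected principal with Athenz domain '%s', got '%s'."`) would be cheap here and avoids a confusing message in the audit trail of rejected deploy attempts. The domain check itself is unchanged apart from where `SCREWDRIVER_DOMAIN` comes from, and the enclosing method starts and ends outside the hunk.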