Allow for different tenants (with auth things)

author: Jon Marius Venstad <jvenstad@yahoo-inc.com> 2019-03-15 22:10:41 +0100
committer: Jon Marius Venstad <jvenstad@yahoo-inc.com> 2019-03-17 13:24:13 +0100
commit: 32ce5d092445669babe25f0f0e6ab9da8fb42c20 (patch)
tree: 32b71328d83dd9cc6d8d2631be1d469022d35a5b /controller-server/src/test
parent: aaa14842338452de481f7b31213e572412399dde (diff)
10 files changed, 69 insertions, 33 deletions
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/ControllerTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/ControllerTest.java
index cf5f8fac69d..38f26427558 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/ControllerTest.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/ControllerTest.java
@@ -12,6 +12,7 @@ import com.yahoo.config.provision.InstanceName;
 import com.yahoo.config.provision.RegionName;
 import com.yahoo.config.provision.SystemName;
 import com.yahoo.config.provision.TenantName;
+import com.yahoo.vespa.athenz.api.AthenzDomain;
 import com.yahoo.vespa.athenz.api.OktaAccessToken;
 import com.yahoo.vespa.hosted.controller.api.application.v4.model.DeployOptions;
 import com.yahoo.vespa.hosted.controller.api.application.v4.model.EndpointStatus;
@@ -29,6 +30,7 @@ import com.yahoo.vespa.hosted.controller.application.JobStatus;
 import com.yahoo.vespa.hosted.controller.deployment.ApplicationPackageBuilder;
 import com.yahoo.vespa.hosted.controller.deployment.BuildJob;
 import com.yahoo.vespa.hosted.controller.deployment.DeploymentTester;
+import com.yahoo.vespa.hosted.controller.permits.AthenzApplicationPermit;
 import com.yahoo.vespa.hosted.controller.rotation.RotationId;
 import com.yahoo.vespa.hosted.controller.rotation.RotationLock;
 import org.junit.Test;
@@ -348,7 +350,7 @@ public class ControllerTest {
             tester.deployAndNotify(app1, applicationPackage, true, systemTest);
             tester.applications().deactivate(app1.id(), ZoneId.from(Environment.test, RegionName.from("us-east-1")));
             tester.applications().deactivate(app1.id(), ZoneId.from(Environment.staging, RegionName.from("us-east-3")));
-            tester.applications().deleteApplication(app1.id(), Optional.of(new OktaAccessToken("okta-token")));
+            tester.applications().deleteApplication(app1.id(), tester.controllerTester().permitFor(app1.id()));
             try (RotationLock lock = tester.applications().rotationRepository().lock()) {
                 assertTrue("Rotation is unassigned",
                            tester.applications().rotationRepository().availableRotations(lock)
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/ControllerTester.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/ControllerTester.java
index e573c12af3b..c7fc4732368 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/ControllerTester.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/ControllerTester.java
@@ -8,6 +8,8 @@ import com.yahoo.config.provision.TenantName;
 import com.yahoo.slime.Slime;
 import com.yahoo.test.ManualClock;
 import com.yahoo.vespa.athenz.api.AthenzDomain;
+import com.yahoo.vespa.athenz.api.AthenzPrincipal;
+import com.yahoo.vespa.athenz.api.AthenzUser;
 import com.yahoo.vespa.athenz.api.OktaAccessToken;
 import com.yahoo.vespa.curator.Lock;
 import com.yahoo.vespa.curator.mock.MockCurator;
@@ -41,6 +43,9 @@ import com.yahoo.vespa.hosted.controller.integration.ConfigServerMock;
 import com.yahoo.vespa.hosted.controller.integration.MetricsServiceMock;
 import com.yahoo.vespa.hosted.controller.integration.RoutingGeneratorMock;
 import com.yahoo.vespa.hosted.controller.integration.ZoneRegistryMock;
+import com.yahoo.vespa.hosted.controller.permits.ApplicationPermit;
+import com.yahoo.vespa.hosted.controller.permits.AthenzApplicationPermit;
+import com.yahoo.vespa.hosted.controller.permits.AthenzTenantPermit;
 import com.yahoo.vespa.hosted.controller.persistence.ApplicationSerializer;
 import com.yahoo.vespa.hosted.controller.persistence.CuratorDb;
 import com.yahoo.vespa.hosted.controller.persistence.MockCuratorDb;
@@ -241,21 +246,33 @@ public final class ControllerTester {
         }
     }
 
-    public AthenzDomain createDomain(String domainName) {
+    public AthenzDomain createDomainWithAdmin(String domainName, AthenzUser user) {
         AthenzDomain domain = new AthenzDomain(domainName);
         athenzDb.addDomain(new AthenzDbMock.Domain(domain));
+        athenzDb.domains.get(domain).admin(user);
         return domain;
     }
 
+    public Optional<AthenzDomain> domainOf(ApplicationId id) {
+        Tenant tenant = controller().tenants().require(id.tenant());
+        return tenant.type() == Tenant.Type.athenz ? Optional.of(((AthenzTenant) tenant).domain()) : Optional.empty();
+    }
+
     public TenantName createTenant(String tenantName, String domainName, Long propertyId, Optional<Contact> contact) {
         TenantName name = TenantName.from(tenantName);
         Optional<Tenant> existing = controller().tenants().get(name);
         if (existing.isPresent()) return name;
-        AthenzTenant tenant = AthenzTenant.create(name, createDomain(domainName), new Property("Property"+propertyId),
-                                                  Optional.ofNullable(propertyId)
-                                                          .map(Object::toString)
-                                                          .map(PropertyId::new), contact);
-        controller().tenants().create(tenant, new OktaAccessToken("okta-token"));
+        AthenzUser user = new AthenzUser("user");
+        AthenzTenantPermit permit = new AthenzTenantPermit(name,
+                                                           new AthenzPrincipal(user),
+                                                           Optional.of(createDomainWithAdmin(domainName, user)),
+                                                           Optional.of(new Property("Property" + propertyId)),
+                                                           Optional.ofNullable(propertyId).map(Object::toString).map(PropertyId::new),
+                                                           new OktaAccessToken("okta-token"));
+        controller().tenants().create(permit);
+        if (contact.isPresent())
+            controller().tenants().lockOrThrow(name, LockedTenant.Athenz.class, tenant ->
+                    controller().tenants().store(tenant.with(contact.get())));
         assertNotNull(controller().tenants().get(name));
         return name;
     }
@@ -264,14 +281,22 @@ public final class ControllerTester {
         return createTenant(tenantName, domainName, propertyId, Optional.empty());
     }
 
+    public Optional<ApplicationPermit> permitFor(ApplicationId id) {
+        return domainOf(id).map(domain -> new AthenzApplicationPermit(id, domain, new OktaAccessToken("okta-token")));
+    }
+
     public Application createApplication(TenantName tenant, String applicationName, String instanceName, long projectId) {
         ApplicationId applicationId = ApplicationId.from(tenant.value(), applicationName, instanceName);
-        controller().applications().createApplication(applicationId, Optional.of(new OktaAccessToken("okta-token")));
+        controller().applications().createApplication(applicationId, permitFor(applicationId));
         controller().applications().lockOrThrow(applicationId, lockedApplication ->
                 controller().applications().store(lockedApplication.withProjectId(OptionalLong.of(projectId))));
         return controller().applications().require(applicationId);
     }
 
+    public void deleteApplication(ApplicationId id) {
+        controller().applications().deleteApplication(id, permitFor(id));
+    }
+
     public void deploy(Application application, ZoneId zone) {
         deploy(application, zone, new ApplicationPackage(new byte[0]));
     }
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/application/ZipStreamReaderTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/application/ZipStreamReaderTest.java
index fa78ce7bb12..fe5680e2a58 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/application/ZipStreamReaderTest.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/application/ZipStreamReaderTest.java
@@ -8,7 +8,6 @@ import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.io.UncheckedIOException;
 import java.nio.charset.StandardCharsets;
-import java.nio.file.Path;
 import java.util.Map;
 import java.util.zip.ZipEntry;
 import java.util.zip.ZipOutputStream;
@@ -75,13 +74,4 @@ public class ZipStreamReaderTest {
         return zip.toByteArray();
     }
 
-    @Test
-    public void lul() {
-        String name = "./artif/../yolo/../../hi/";
-        Path path = Path.of(name);
-        System.err.println(name);
-        System.err.println(path);
-        System.err.println(path.normalize());
-    }
-
 }
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/deployment/DeploymentTester.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/deployment/DeploymentTester.java
index 9eac6e61b99..c84f8ed7c58 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/deployment/DeploymentTester.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/deployment/DeploymentTester.java
@@ -6,6 +6,7 @@ import com.yahoo.config.provision.ApplicationId;
 import com.yahoo.config.provision.Environment;
 import com.yahoo.config.provision.TenantName;
 import com.yahoo.test.ManualClock;
+import com.yahoo.vespa.athenz.api.AthenzDomain;
 import com.yahoo.vespa.hosted.controller.Application;
 import com.yahoo.vespa.hosted.controller.ApplicationController;
 import com.yahoo.vespa.hosted.controller.Controller;
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/maintenance/ApplicationOwnershipConfirmerTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/maintenance/ApplicationOwnershipConfirmerTest.java
index 75c287e700f..1ca8f7ba2b4 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/maintenance/ApplicationOwnershipConfirmerTest.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/maintenance/ApplicationOwnershipConfirmerTest.java
@@ -46,7 +46,7 @@ public class ApplicationOwnershipConfirmerTest {
         Supplier<Application> propertyApp = () -> tester.controller().applications().require(ApplicationId.from("property", "application", "default"));
 
         UserTenant user = UserTenant.create("by-user", contact);
-        tester.controller().tenants().create(user);
+        tester.controller().tenants().createUser(user);
         tester.createAndDeploy(user.name(), "application", 2, "default");
         Supplier<Application> userApp = () -> tester.controller().applications().require(ApplicationId.from("by-user", "application", "default"));
 
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/maintenance/DnsMaintainerTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/maintenance/DnsMaintainerTest.java
index 578e7824913..23c7ec537f5 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/maintenance/DnsMaintainerTest.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/maintenance/DnsMaintainerTest.java
@@ -100,7 +100,7 @@ public class DnsMaintainerTest {
         tester.deployAndNotify(application, applicationPackage, true, systemTest);
         tester.applications().deactivate(application.id(), ZoneId.from(Environment.test, RegionName.from("us-east-1")));
         tester.applications().deactivate(application.id(), ZoneId.from(Environment.staging, RegionName.from("us-east-3")));
-        tester.applications().deleteApplication(application.id(), Optional.of(new OktaAccessToken("okta-token")));
+        tester.controllerTester().deleteApplication(application.id());
 
         // DnsMaintainer removes records
         for (int i = 0; i < ControllerTester.availableRotations; i++) {
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/maintenance/JobRunnerTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/maintenance/JobRunnerTest.java
index 2539687ea4d..843a4cfedd6 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/maintenance/JobRunnerTest.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/maintenance/JobRunnerTest.java
@@ -212,7 +212,7 @@ public class JobRunnerTest {
 
         // Thread is still trying to deploy tester -- delete application, and see all data is garbage collected.
         assertEquals(Collections.singletonList(runId), jobs.active().stream().map(run -> run.id()).collect(Collectors.toList()));
-        tester.controller().applications().deleteApplication(id, Optional.of(new OktaAccessToken("okta-token")));
+        tester.controllerTester().deleteApplication(id);
         assertEquals(Collections.emptyList(), jobs.active());
         assertEquals(runId, jobs.last(id, systemTest).get().id());
 
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/ContainerControllerTester.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/ContainerControllerTester.java
index 11e8a82dd42..e9136ad3adf 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/ContainerControllerTester.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/ContainerControllerTester.java
@@ -6,6 +6,8 @@ import com.yahoo.application.container.handler.Request;
 import com.yahoo.config.provision.ApplicationId;
 import com.yahoo.config.provision.TenantName;
 import com.yahoo.vespa.athenz.api.AthenzDomain;
+import com.yahoo.vespa.athenz.api.AthenzPrincipal;
+import com.yahoo.vespa.athenz.api.AthenzUser;
 import com.yahoo.vespa.athenz.api.OktaAccessToken;
 import com.yahoo.vespa.athenz.utils.AthenzIdentities;
 import com.yahoo.vespa.hosted.controller.Application;
@@ -27,9 +29,10 @@ import com.yahoo.vespa.hosted.controller.deployment.BuildJob;
 import com.yahoo.vespa.hosted.controller.integration.ArtifactRepositoryMock;
 import com.yahoo.vespa.hosted.controller.maintenance.JobControl;
 import com.yahoo.vespa.hosted.controller.maintenance.Upgrader;
+import com.yahoo.vespa.hosted.controller.permits.AthenzApplicationPermit;
+import com.yahoo.vespa.hosted.controller.permits.AthenzTenantPermit;
 import com.yahoo.vespa.hosted.controller.persistence.CuratorDb;
 import com.yahoo.vespa.hosted.controller.persistence.MockCuratorDb;
-import com.yahoo.vespa.hosted.controller.tenant.AthenzTenant;
 
 import java.io.File;
 import java.time.Duration;
@@ -73,13 +76,20 @@ public class ContainerControllerTester {
     }
 
     public Application createApplication(String athensDomain, String tenant, String application) {
-        AthenzDomain domain1 = addTenantAthenzDomain(athensDomain, "mytenant");
-        controller().tenants().create(AthenzTenant.create(TenantName.from(tenant), domain1,
-                                                          new Property("property1"),
-                                                          Optional.of(new PropertyId("1234"))),
-                                      new OktaAccessToken("okta-token"));
+        AthenzDomain domain1 = addTenantAthenzDomain(athensDomain, "user");
+        AthenzTenantPermit tenantPermit = new AthenzTenantPermit(TenantName.from(tenant),
+                                                                 new AthenzPrincipal(new AthenzUser("user")),
+                                                                 Optional.of(domain1),
+                                                                 Optional.of(new Property("property1")),
+                                                                 Optional.of(new PropertyId("1234")),
+                                                                 new OktaAccessToken("okta-token"));
+        controller().tenants().create(tenantPermit);
+
         ApplicationId app = ApplicationId.from(tenant, application, "default");
-        return controller().applications().createApplication(app, Optional.of(new OktaAccessToken("okta-token")));
+        AthenzApplicationPermit applicationPermit = new AthenzApplicationPermit(app,
+                                                                                domain1,
+                                                                                new OktaAccessToken("okta-token"));
+        return controller().applications().createApplication(app, Optional.of(applicationPermit));
     }
 
     public Application deploy(Application application, ApplicationPackage applicationPackage, ZoneId zone) {
@@ -132,7 +142,7 @@ public class ContainerControllerTester {
         AthenzDomain athensDomain = new AthenzDomain(domainName);
         AthenzDbMock.Domain domain = new AthenzDbMock.Domain(athensDomain);
         domain.markAsVespaTenant();
-        domain.admin(AthenzIdentities.from(new AthenzDomain("domain"), userName));
+        domain.admin(AthenzIdentities.from(new AthenzDomain("user"), userName));
         mock.getSetup().addDomain(domain);
         return athensDomain;
     }
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/ControllerContainerTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/ControllerContainerTest.java
index f051818a12f..b9a59a34664 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/ControllerContainerTest.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/ControllerContainerTest.java
@@ -93,6 +93,7 @@ public class ControllerContainerTest {
             "  <component id='com.yahoo.vespa.hosted.controller.integration.ApplicationStoreMock'/>\n" +
             "  <component id='com.yahoo.vespa.hosted.controller.api.integration.stubs.MockTesterCloud'/>\n" +
             "  <component id='com.yahoo.vespa.hosted.controller.api.integration.stubs.MockMailer'/>\n" +
+            "  <component id='com.yahoo.vespa.hosted.controller.permits.AthenzPermitExtractor'/>\n" +
             "  <handler id='com.yahoo.vespa.hosted.controller.restapi.application.ApplicationApiHandler'>\n" +
             "    <binding>http://*/application/v4/*</binding>\n" +
             "  </handler>\n" +
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiTest.java
index 705fc8adbac..e077ad0c1c9 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiTest.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiTest.java
@@ -56,6 +56,8 @@ import com.yahoo.vespa.hosted.controller.deployment.BuildJob;
 import com.yahoo.vespa.hosted.controller.deployment.DeploymentTrigger;
 import com.yahoo.vespa.hosted.controller.integration.ConfigServerMock;
 import com.yahoo.vespa.hosted.controller.integration.MetricsServiceMock;
+import com.yahoo.vespa.hosted.controller.permits.AthenzTenantPermit;
+import com.yahoo.vespa.hosted.controller.persistence.CuratorDb;
 import com.yahoo.vespa.hosted.controller.restapi.ContainerControllerTester;
 import com.yahoo.vespa.hosted.controller.restapi.ContainerTester;
 import com.yahoo.vespa.hosted.controller.restapi.ControllerContainerTest;
@@ -473,7 +475,9 @@ public class ApplicationApiTest extends ControllerContainerTest {
                               new File("service.json"));
 
         // DELETE application with active deployments fails
-        tester.assertResponse(request("/application/v4/tenant/tenant1/application/application1", DELETE).userIdentity(USER_ID),
+        tester.assertResponse(request("/application/v4/tenant/tenant1/application/application1", DELETE)
+                                      .userIdentity(USER_ID)
+                                      .oktaAccessToken(OKTA_AT),
                               new File("delete-with-active-deployments.json"), 400);
 
         // DELETE (deactivate) a deployment - dev
@@ -806,6 +810,7 @@ public class ApplicationApiTest extends ControllerContainerTest {
         // PUT (update) non-existing tenant
         tester.assertResponse(request("/application/v4/tenant/tenant1", PUT)
                                       .userIdentity(USER_ID)
+                                      .oktaAccessToken(OKTA_AT)
                                       .data("{\"athensDomain\":\"domain1\", \"property\":\"property1\"}"),
                               "{\"error-code\":\"NOT_FOUND\",\"message\":\"Tenant 'tenant1' does not exist\"}",
                               404);
@@ -875,6 +880,7 @@ public class ApplicationApiTest extends ControllerContainerTest {
 
         // Create the same application again
         tester.assertResponse(request("/application/v4/tenant/tenant1/application/application1", POST)
+                                      .oktaAccessToken(OKTA_AT)
                                       .userIdentity(USER_ID),
                               "{\"error-code\":\"BAD_REQUEST\",\"message\":\"Could not create 'tenant1.application1': Application already exists\"}",
                               400);
@@ -924,6 +930,7 @@ public class ApplicationApiTest extends ControllerContainerTest {
                               "");
         // DELETE application again - should produce 404
         tester.assertResponse(request("/application/v4/tenant/tenant1/application/application1", DELETE)
+                                      .oktaAccessToken(OKTA_AT)
                                       .userIdentity(USER_ID),
                               "{\"error-code\":\"NOT_FOUND\",\"message\":\"Could not delete application 'tenant1.application1': Application not found\"}",
                               404);
@@ -945,9 +952,8 @@ public class ApplicationApiTest extends ControllerContainerTest {
                               500);
 
         // Create legancy tenant name containing underscores
-        tester.controller().tenants().create(new AthenzTenant(TenantName.from("my_tenant"), ATHENZ_TENANT_DOMAIN,
-                                                              new Property("property1"), Optional.empty(), Optional.empty()),
-                                             OKTA_AT);
+        tester.controller().curator().writeTenant(new AthenzTenant(TenantName.from("my_tenant"), ATHENZ_TENANT_DOMAIN,
+                                                                   new Property("property1"), Optional.empty(), Optional.empty()));
         // POST (add) a Athenz tenant with dashes duplicates existing one with underscores
         tester.assertResponse(request("/application/v4/tenant/my-tenant", POST)
                                       .userIdentity(USER_ID)
@@ -980,6 +986,7 @@ public class ApplicationApiTest extends ControllerContainerTest {
         // Creating a tenant for an Athens domain the user is not admin for is disallowed
         tester.assertResponse(request("/application/v4/tenant/tenant1", POST)
                                       .data("{\"athensDomain\":\"domain1\", \"property\":\"property1\"}")
+                                      .oktaAccessToken(OKTA_AT)
                                       .userIdentity(unauthorizedUser),
                               "{\"error-code\":\"FORBIDDEN\",\"message\":\"The user 'user.othertenant' is not admin in Athenz domain 'domain1'\"}",
                               403);
author	Jon Marius Venstad <jvenstad@yahoo-inc.com>	2019-03-15 22:10:41 +0100
committer	Jon Marius Venstad <jvenstad@yahoo-inc.com>	2019-03-17 13:24:13 +0100
commit	32ce5d092445669babe25f0f0e6ab9da8fb42c20 (patch)
tree	32b71328d83dd9cc6d8d2631be1d469022d35a5b /controller-server/src/test
parent	aaa14842338452de481f7b31213e572412399dde (diff)