Limit reads under /configserver/v1 to operators

author: Valerij Fredriksen <valerijf@verizonmedia.com> 2019-10-31 23:44:50 +0100
committer: Valerij Fredriksen <valerijf@verizonmedia.com> 2019-10-31 23:46:22 +0100
commit: e5f23fcf991a0510d43d199701be6b4c7c50ed23 (patch)
tree: 4fac17f107b3a1733960c656fa9272e190bccc5b /controller-server
parent: 232caa29debc866d83ddc31ca46533b81fe4cab0 (diff)
1 files changed, 37 insertions, 4 deletions
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/configserver/ConfigServerApiHandlerTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/configserver/ConfigServerApiHandlerTest.java
index 00e90114200..af10f8e9c49 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/configserver/ConfigServerApiHandlerTest.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/configserver/ConfigServerApiHandlerTest.java
@@ -49,11 +49,11 @@ public class ConfigServerApiHandlerTest extends ControllerContainerTest {
     @Test
     public void test_requests() {
         // GET /configserver/v1
-        tester.containerTester().assertResponse(authenticatedRequest("http://localhost:8080/configserver/v1"),
+        tester.containerTester().assertResponse(operatorRequest("http://localhost:8080/configserver/v1"),
                 new File("root.json"));
 
         // GET /configserver/v1/nodes/v2/node/?recursive=true
-        tester.containerTester().assertResponse(authenticatedRequest("http://localhost:8080/configserver/v1/prod/us-north-1/nodes/v2/node/?recursive=true"),
+        tester.containerTester().assertResponse(operatorRequest("http://localhost:8080/configserver/v1/prod/us-north-1/nodes/v2/node/?recursive=true"),
                 "ok");
         assertLastRequest("https://cfg.prod.us-north-1.test.vip:4443/", "GET");
 
@@ -85,11 +85,11 @@ public class ConfigServerApiHandlerTest extends ControllerContainerTest {
     @Test
     public void test_allowed_apis() {
         // GET /configserver/v1/prod/us-north-1
-        tester.containerTester().assertResponse(() -> authenticatedRequest("http://localhost:8080/configserver/v1/prod/us-north-1"),
+        tester.containerTester().assertResponse(() -> operatorRequest("http://localhost:8080/configserver/v1/prod/us-north-1"),
                 "{\"error-code\":\"FORBIDDEN\",\"message\":\"Cannot access '/' through /configserver/v1, following APIs are permitted: /flags/v1/, /nodes/v2/, /orchestrator/v1/\"}",
                 403);
 
-        tester.containerTester().assertResponse(() -> authenticatedRequest("http://localhost:8080/configserver/v1/prod/us-north-1/application/v2/tenant/vespa"),
+        tester.containerTester().assertResponse(() -> operatorRequest("http://localhost:8080/configserver/v1/prod/us-north-1/application/v2/tenant/vespa"),
                 "{\"error-code\":\"FORBIDDEN\",\"message\":\"Cannot access '/application/v2/tenant/vespa' through /configserver/v1, following APIs are permitted: /flags/v1/, /nodes/v2/, /orchestrator/v1/\"}",
                 403);
     }
@@ -103,6 +103,39 @@ public class ConfigServerApiHandlerTest extends ControllerContainerTest {
         assertFalse(proxy.lastReceived().isPresent());
     }
 
+    @Test
+    public void non_operators_are_forbidden() {
+        // Read request
+        tester.containerTester().assertResponse(() -> authenticatedRequest("http://localhost:8080/configserver/v1/prod/us-north-1/nodes/v2/node"),
+                "{\n" +
+                "  \"code\" : 403,\n" +
+                "  \"message\" : \"Access denied\"\n" +
+                "}", 403);
+
+        // Write request
+        tester.containerTester().assertResponse(() -> authenticatedRequest("http://localhost:8080/configserver/v1/prod/us-north-1/nodes/v2/node", "", Request.Method.POST),
+                "{\n" +
+                "  \"code\" : 403,\n" +
+                "  \"message\" : \"Access denied\"\n" +
+                "}", 403);
+    }
+
+    @Test
+    public void unauthenticated_request_are_unauthorized() {
+        {
+            // Read request
+            Request request = new Request("http://localhost:8080/configserver/v1/prod/us-north-1/nodes/v2/node", "", Request.Method.GET);
+            tester.containerTester().assertResponse(() -> request, "{\n  \"message\" : \"Not authenticated\"\n}", 401);
+        }
+
+        {
+            // Write request
+            Request request = new Request("http://localhost:8080/configserver/v1/prod/us-north-1/nodes/v2/node", "", Request.Method.POST);
+            tester.containerTester().assertResponse(() -> request, "{\n  \"message\" : \"Not authenticated\"\n}", 401);
+        }
+    }
+
+
     private void assertLastRequest(String target, String method) {
         ProxyRequest last = proxy.lastReceived().orElseThrow();
         assertEquals(List.of(URI.create(target)), last.getTargets());
author	Valerij Fredriksen <valerijf@verizonmedia.com>	2019-10-31 23:44:50 +0100
committer	Valerij Fredriksen <valerijf@verizonmedia.com>	2019-10-31 23:46:22 +0100
commit	e5f23fcf991a0510d43d199701be6b4c7c50ed23 (patch)
tree	4fac17f107b3a1733960c656fa9272e190bccc5b /controller-server
parent	232caa29debc866d83ddc31ca46533b81fe4cab0 (diff)