author | Valerij Fredriksen <valerijf@verizonmedia.com> | 2019-10-31 23:44:50 +0100 |
---|---|---|
committer | Valerij Fredriksen <valerijf@verizonmedia.com> | 2019-10-31 23:46:22 +0100 |
commit | e5f23fcf991a0510d43d199701be6b4c7c50ed23 (patch) | |
tree | 4fac17f107b3a1733960c656fa9272e190bccc5b /controller-server | |
parent | 232caa29debc866d83ddc31ca46533b81fe4cab0 (diff) |
Limit reads under /configserver/v1 to operators
Diffstat (limited to 'controller-server')
-rw-r--r-- | controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/configserver/ConfigServerApiHandlerTest.java | 41 |
1 files changed, 37 insertions, 4 deletions
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/configserver/ConfigServerApiHandlerTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/configserver/ConfigServerApiHandlerTest.java index 00e90114200..af10f8e9c49 100644 --- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/configserver/ConfigServerApiHandlerTest.java +++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/configserver/ConfigServerApiHandlerTest.java @@ -49,11 +49,11 @@ public class ConfigServerApiHandlerTest extends ControllerContainerTest { @Test public void test_requests() { // GET /configserver/v1 - tester.containerTester().assertResponse(authenticatedRequest("http://localhost:8080/configserver/v1"), + tester.containerTester().assertResponse(operatorRequest("http://localhost:8080/configserver/v1"), new File("root.json")); // GET /configserver/v1/nodes/v2/node/?recursive=true - tester.containerTester().assertResponse(authenticatedRequest("http://localhost:8080/configserver/v1/prod/us-north-1/nodes/v2/node/?recursive=true"), + tester.containerTester().assertResponse(operatorRequest("http://localhost:8080/configserver/v1/prod/us-north-1/nodes/v2/node/?recursive=true"), "ok"); assertLastRequest("https://cfg.prod.us-north-1.test.vip:4443/", "GET"); 
@@ -85,11 +85,11 @@ public class ConfigServerApiHandlerTest extends ControllerContainerTest { @Test public void test_allowed_apis() { // GET /configserver/v1/prod/us-north-1 - tester.containerTester().assertResponse(() -> authenticatedRequest("http://localhost:8080/configserver/v1/prod/us-north-1"), + tester.containerTester().assertResponse(() -> operatorRequest("http://localhost:8080/configserver/v1/prod/us-north-1"), "{\"error-code\":\"FORBIDDEN\",\"message\":\"Cannot access '/' through /configserver/v1, following APIs are permitted: /flags/v1/, /nodes/v2/, /orchestrator/v1/\"}", 403); - tester.containerTester().assertResponse(() -> authenticatedRequest("http://localhost:8080/configserver/v1/prod/us-north-1/application/v2/tenant/vespa"), + tester.containerTester().assertResponse(() -> operatorRequest("http://localhost:8080/configserver/v1/prod/us-north-1/application/v2/tenant/vespa"), "{\"error-code\":\"FORBIDDEN\",\"message\":\"Cannot access '/application/v2/tenant/vespa' through /configserver/v1, following APIs are permitted: /flags/v1/, /nodes/v2/, /orchestrator/v1/\"}", 403); } 
@@ -103,6 +103,39 @@ public class ConfigServerApiHandlerTest extends ControllerContainerTest { assertFalse(proxy.lastReceived().isPresent()); } + @Test + public void non_operators_are_forbidden() { + // Read request + tester.containerTester().assertResponse(() -> authenticatedRequest("http://localhost:8080/configserver/v1/prod/us-north-1/nodes/v2/node"), + "{\n" + + " \"code\" : 403,\n" + + " \"message\" : \"Access denied\"\n" + + "}", 403); + + // Write request + tester.containerTester().assertResponse(() -> authenticatedRequest("http://localhost:8080/configserver/v1/prod/us-north-1/nodes/v2/node", "", Request.Method.POST), + "{\n" + + " \"code\" : 403,\n" + + " \"message\" : \"Access denied\"\n" + + "}", 403); + } + + @Test + public void unauthenticated_request_are_unauthorized() { + { + // Read request + Request request = new Request("http://localhost:8080/configserver/v1/prod/us-north-1/nodes/v2/node", "", Request.Method.GET); + tester.containerTester().assertResponse(() -> request, "{\n \"message\" : \"Not authenticated\"\n}", 401); + } + + { + // Write request + Request request = new Request("http://localhost:8080/configserver/v1/prod/us-north-1/nodes/v2/node", "", Request.Method.POST); + tester.containerTester().assertResponse(() -> request, "{\n \"message\" : \"Not authenticated\"\n}", 401); + } + } + + private void assertLastRequest(String target, String method) { ProxyRequest last = proxy.lastReceived().orElseThrow(); assertEquals(List.of(URI.create(target)), last.getTargets()); |
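Review bot: Both added tests assert only the response status and body, so they would still pass if a denied request were forwarded to the config server before the 401/403 was returned. The context line just above the new tests already uses `assertFalse(proxy.lastReceived().isPresent());`; repeating that assertion after each denied read and write in `non_operators_are_forbidden` and `unauthenticated_request_are_unauthorized` would pin that nothing reaches the proxy (assuming the proxy mock starts empty for each test, which is not visible in this hunk). The denied cases cover only `/nodes/v2/node`; a non-operator GET on the `/configserver/v1` root, which the first hunk now requests as an operator, would be a cheap extra case. As a naming point, the second test would read better as `unauthenticated_requests_are_unauthorized`.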