authorJon Marius Venstad <jonmv@gmail.com>2022-04-06 12:56:01 +0200
committerJon Marius Venstad <jonmv@gmail.com>2022-04-06 12:56:01 +0200
commit51535b82b7b6e7516144980d424410615a026037 (patch)
tree14c6938d20b63faa330cc25d9a37bb9b56ae478b /controller-server
parent0a9fa49f691cec760cefc61af664e0506d0e7ef5 (diff)
Simplify Path by using HttpURL.Path for segments, and adding default validation
Diffstat (limited to 'controller-server')
-rw-r--r--controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java5
-rw-r--r--controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiTest.java4
-rw-r--r--controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/os/OsApiTest.java2
3 files changed, 5 insertions, 6 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
index 21e803800f5..a7472ced09c 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
@@ -4,12 +4,10 @@ package com.yahoo.vespa.hosted.controller.restapi.filter;
import com.auth0.jwt.JWT;
import com.google.inject.Inject;
import com.yahoo.config.provision.ApplicationName;
-import com.yahoo.config.provision.Environment;
-import com.yahoo.config.provision.RegionName;
import com.yahoo.config.provision.SystemName;
import com.yahoo.config.provision.TenantName;
-import com.yahoo.config.provision.Zone;
import com.yahoo.config.provision.zone.ZoneId;
+import com.yahoo.jdisc.Response;
import com.yahoo.jdisc.http.filter.DiscFilterRequest;
import com.yahoo.jdisc.http.filter.security.base.JsonSecurityRequestFilterBase;
import com.yahoo.restapi.Path;
@@ -90,6 +88,7 @@ public class AthenzRoleFilter extends JsonSecurityRequestFilterBase {
}
catch (Exception e) {
logger.log(Level.INFO, () -> "Exception mapping Athenz principal to roles: " + Exceptions.toMessageString(e));
+ return Optional.of(new ErrorResponse(Response.Status.FORBIDDEN, "Access denied"));
}
return Optional.empty();
}
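Review bot: The added `return Optional.of(new ErrorResponse(Response.Status.FORBIDDEN, "Access denied"));` sits under `catch (Exception e)`, so every failure while mapping the principal to roles ends in the same 403, presumably covering internal or backend errors as well as rejected paths. The only trace is an INFO line carrying the message string. Failing closed is the right default for an authorization filter, but the denial should stay diagnosable: consider passing the throwable to the logger, e.g. `logger.log(Level.WARNING, "Exception mapping Athenz principal to roles", e);`, or at least logging the exception class. A comment would also record the intent, such as `// Fail closed: a request whose roles cannot be resolved is denied rather than passed on without roles.` The method starts above the hunk, so whether narrower exception types could be handled separately cannot be judged from here.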
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiTest.java
index f94f87b0f46..581c0160640 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiTest.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiTest.java
@@ -502,7 +502,7 @@ public class ApplicationApiTest extends ControllerContainerTest {
// Get content/../foo
tester.assertResponse(request("/application/v4/tenant/tenant2/application/application1/instance/default/environment/dev/region/us-east-1/content/%2E%2E%2Ffoo", GET).userIdentity(USER_ID),
- "{\"error-code\":\"FORBIDDEN\",\"message\":\"Access denied\"}", 403);
+ accessDenied, 403);
// Get content - root
tester.assertResponse(request("/application/v4/tenant/tenant2/application/application1/instance/default/environment/dev/region/us-east-1/content/", GET).userIdentity(USER_ID),
"{\"path\":\"/\"}");
@@ -1671,7 +1671,7 @@ public class ApplicationApiTest extends ControllerContainerTest {
tester.assertResponse(request(serviceApi + "/storagenode-awe3slno6mmq2fye191y324jl/state%2Fv1%2F..%2F..%2Fdocument%2Fv1%2F", GET)
.userIdentity(USER_ID)
.oAuthCredentials(OKTA_CREDENTIALS),
- "{\"error-code\":\"FORBIDDEN\",\"message\":\"Access denied\"}",
+ accessDenied,
403);
}
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/os/OsApiTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/os/OsApiTest.java
index 7d17e97e66b..cf4deb7b4bf 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/os/OsApiTest.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/os/OsApiTest.java
@@ -125,7 +125,7 @@ public class OsApiTest extends ControllerContainerTest {
// Error: Cancel firmware checks in an empty set of zones.
assertResponse(new Request("http://localhost:8080/os/v1/firmware/dev/", "", Request.Method.DELETE),
- "{\"error-code\":\"NOT_FOUND\",\"message\":\"No zones at path '/os/v1/firmware/dev'\"}", 404);
+ "{\"error-code\":\"NOT_FOUND\",\"message\":\"No zones at path '/os/v1/firmware/dev/'\"}", 404);
assertFalse("Actions are logged to audit log", tester.controller().auditLogger().readLog().entries().isEmpty());
}
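Review bot: The expected message changes from `'/os/v1/firmware/dev'` to `'/os/v1/firmware/dev/'`, so the path is now rendered with its trailing slash as received, and nothing in this hunk pins the slash-less form. If any role or policy matching compares path strings (not visible here), `/dev` and `/dev/` must be treated identically, since trailing-slash differences between a filter and a handler are a common source of authorization gaps. A companion assertion for `http://localhost:8080/os/v1/firmware/dev` with the same 404 would pin this, along with a comment such as `// Path is echoed as received, including the trailing slash.` The test method begins above the hunk.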