author | Jon Marius Venstad <jvenstad@yahoo-inc.com> | 2019-03-27 11:49:53 +0100 |
---|---|---|
committer | Jon Marius Venstad <jvenstad@yahoo-inc.com> | 2019-03-28 10:24:34 +0100 |
commit | 64d9c30b34dc66e85e3a140540b65532d3446d96 (patch) | |
tree | a90eb4eb34203f4b5c39b0c786824fa57961ac39 /controller-server | |
parent | b5a78dba54345b2f7f23c66d5bc80305dd5c74f4 (diff) |
Move path to Resolver.membership(...) signature (for now)
Diffstat (limited to 'controller-server')
2 files changed, 8 insertions, 7 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/ControllerAuthorizationFilter.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/ControllerAuthorizationFilter.java
index 68a4bdf9a98..717704b9736 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/ControllerAuthorizationFilter.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/ControllerAuthorizationFilter.java
@@ -80,14 +80,14 @@ public class ControllerAuthorizationFilter extends CorsRequestFilterBase {
 if (principal == null) return Optional.of(new ErrorResponse(Response.Status.FORBIDDEN, "Access denied"));
- Path path = new Path(request.getRequestURI());
 Action action = Action.from(HttpRequest.Method.valueOf(request.getMethod()));
 // Avoid expensive lookups when request is always legal.
 if (RoleMembership.everyoneIn(controller.system()).allows(action, request.getRequestURI())) return Optional.empty();
- RoleMembership roles = new AthenzRoleResolver(athenz, controller, path).membership(principal);
+ RoleMembership roles = new AthenzRoleResolver(athenz, controller).membership(principal,
+ Optional.of(request.getRequestURI()));
 if (roles.allows(action, request.getRequestURI())) return Optional.empty();
@@ -106,13 +106,11 @@ public class ControllerAuthorizationFilter extends CorsRequestFilterBase {
 private final AthenzFacade athenz;
 private final TenantController tenants;
- private final Path path;
 private final SystemName system;
- public AthenzRoleResolver(AthenzFacade athenz, Controller controller, Path path) {
+ public AthenzRoleResolver(AthenzFacade athenz, Controller controller) {
 this.athenz = athenz;
 this.tenants = controller.tenants();
- this.path = path;
 this.system = controller.system();
 }
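Review bot: In the `-80,14` hunk the raw `request.getRequestURI()` string is read three separate times: for the `everyoneIn(...).allows(...)` shortcut, for the new `Optional.of(...)` argument, and for `roles.allows(...)`. The resolver then parses it into its own `Path`, so the policy check and the tenant lookup each interpret the string independently. Whether the URI is normalised (dot segments, repeated slashes, percent-encoding) before it reaches this filter is not visible here; if it is not, those interpretations and the handler's routing could disagree about which resource is being authorised. I would read it once, `String uriPath = request.getRequestURI();`, pass that single value to all three calls, and add a comment stating which form of the path the policy is matched against. The enclosing method starts and ends outside the hunk.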
@@ -145,10 +143,12 @@ public class ControllerAuthorizationFilter extends CorsRequestFilterBase { } @Override - public RoleMembership membership(Principal principal) { + public RoleMembership membership(Principal principal, Optional<String> uriPath) { if ( ! (principal instanceof AthenzPrincipal)) throw new IllegalStateException("Expected an AthenzPrincipal to be set on the request."); + Path path = new Path(uriPath.orElseThrow(() -> new IllegalArgumentException("This resolver needs the request path."))); + path.matches("/application/v4/tenant/{tenant}/{*}"); Optional<Tenant> tenant = Optional.ofNullable(path.get("tenant")).map(TenantName::from).flatMap(tenants::get); diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/role/RoleMembership.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/role/RoleMembership.java index c21eef2c29e..322279d28b6 100644 --- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/role/RoleMembership.java +++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/role/RoleMembership.java @@ -10,6 +10,7 @@ import java.util.HashMap; import java.util.HashSet; import java.util.Map; import java.util.Objects; +import java.util.Optional; import java.util.Set; import java.util.stream.Collectors; @@ -55,7 +56,7 @@ public class RoleMembership { * membership to a {@link RoleMembership}. */ public interface Resolver { - RoleMembership membership(Principal user); + RoleMembership membership(Principal user, Optional<String> path); // TODO get rid of path. } public interface Builder { |
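Review bot: `membership(...)` in the `-145,10` hunk can now fail with two unchecked exceptions, the existing `IllegalStateException` and the new `IllegalArgumentException` from `uriPath.orElseThrow(...)`, and the call site in the filter's first hunk catches neither. An authorization filter should fail with an explicit denial; whether the framework turns an escaping exception into one is not visible in this diff, so confirm it or record it with `@throws` lines on the method. The return value of the `path.matches("/application/v4/tenant/{tenant}/{*}")` call that follows is discarded, so a one-line comment saying that a non-matching path yields no tenant (if that is the intent) would help the next reader. The method body continues past the end of the hunk.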
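Review bot: The new `Optional<String> path` parameter on `Resolver.membership` in RoleMembership.java has no documented contract. The interface does not say whether it is the raw request URI or a normalised path, when it may be empty, or what an implementation must do when it is. The Athenz implementation in the other file throws `IllegalArgumentException` on an empty value, so callers and other implementers need that written down. A Javadoc on the method with `@param path the request path used to scope tenant roles, or empty when none is available` and a matching `@throws IllegalArgumentException` line would cover it until the `TODO` is resolved.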