summaryrefslogtreecommitdiffstats
path: root/controller-server
diff options
context:
space:
mode:
authorAndreas Eriksen <andreer@verizonmedia.com>2020-06-16 10:04:27 +0200
committerGitHub <noreply@github.com>2020-06-16 10:04:27 +0200
commit06bacbd04910e9645d39033f2aef1c1a25ef6b13 (patch)
tree71a3ef48a46e8962223004ca55bc7e29d71ee090 /controller-server
parent53111482af2edeba310bac489c41fe24a5b69fa5 (diff)
verify tenant creation with roles from auth0 (#13594)
Diffstat (limited to 'controller-server')
-rw-r--r--controller-server/src/main/java/com/yahoo/vespa/hosted/controller/security/Auth0Credentials.java2
-rw-r--r--controller-server/src/main/java/com/yahoo/vespa/hosted/controller/security/CloudAccessControl.java5
2 files changed, 4 insertions, 3 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/security/Auth0Credentials.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/security/Auth0Credentials.java
index 787f0f27d40..a908b341039 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/security/Auth0Credentials.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/security/Auth0Credentials.java
@@ -23,7 +23,7 @@ public class Auth0Credentials extends Credentials {
}
/** The set of roles set in the auth0 cookie, extracted by CloudAccessControlRequests. */
- public Set<Role> getRoles() {
+ public Set<Role> getRolesFromCookie() {
return roles;
}
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/security/CloudAccessControl.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/security/CloudAccessControl.java
index af55da630c7..dc3dbabcc07 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/security/CloudAccessControl.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/security/CloudAccessControl.java
@@ -73,7 +73,7 @@ public class CloudAccessControl implements AccessControl {
}
private boolean allowedByPrivilegedRole(Auth0Credentials auth0Credentials) {
- return auth0Credentials.getRoles().stream()
+ return auth0Credentials.getRolesFromCookie().stream()
.map(Role::definition)
.anyMatch(rd -> rd == hostedOperator || rd == hostedSupporter);
}
@@ -83,7 +83,8 @@ public class CloudAccessControl implements AccessControl {
}
private long administeredTenants(Auth0Credentials auth0Credentials) {
- return auth0Credentials.getRoles().stream()
+ // We have to verify the roles with auth0 to ensure the user is not using an "old" cookie to make too many tenants.
+ return userManagement.listRoles(new UserId(auth0Credentials.user().getName())).stream()
.map(Role::definition)
.filter(rd -> rd == administrator)
.count();