author | Jon Marius Venstad <jvenstad@yahoo-inc.com> | 2019-05-03 13:37:16 +0200 |
---|---|---|
committer | Jon Marius Venstad <jvenstad@yahoo-inc.com> | 2019-05-03 13:37:16 +0200 |
commit | cccb67efbb512b4de13ba44243d6d8f728c00e84 (patch) | |
tree | ef9849aace9b2a13b147b3a7da2d75ef9d1cb591 /controller-server | |
parent | c4a609eee2f5dca31435c7395af466e414ecaa89 (diff) |
Let key authentication imply applicationDeveloper role as well
Diffstat (limited to 'controller-server')
2 files changed, 8 insertions, 3 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/SignatureFilter.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/SignatureFilter.java
index 5cf29179d2a..0526c69e2bd 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/SignatureFilter.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/SignatureFilter.java
@@ -59,7 +59,8 @@ public class SignatureFilter extends JsonSecurityRequestFilterBase {
 if (verified) request.setAttribute(SecurityContext.ATTRIBUTE_NAME, new SecurityContext(() -> "buildService@" + id.tenant() + "." + id.application(),
- Set.of(Role.buildService(id.tenant(), id.application()))));
+ Set.of(Role.buildService(id.tenant(), id.application()),
+ Role.applicationDeveloper(id.tenant(), id.application()))));
 } catch (Exception e) { logger.log(LogLevel.DEBUG, () -> "Exception verifying signed request: " + Exceptions.toMessageString(e));
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/SignatureFilterTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/SignatureFilterTest.java
index bf44481c110..970cd6071d0 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/SignatureFilterTest.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/SignatureFilterTest.java
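Review bot: In SignatureFilter.java the new `Role.applicationDeveloper(id.tenant(), id.application())` entry is granted to every request whose signature verifies, yet the principal is still named `"buildService@" + id.tenant() + "." + id.application()`, so anything that authorizes or audits on the principal name will presumably attribute developer-level actions to the build service. Nothing at the call site says why a key holder should carry both roles or that the key must now be protected like a developer credential. I would add above the `Set.of(...)` a comment such as `// A valid application key implies both roles; treat the key as a developer credential.` and confirm the principal name is still the right identity to log. The enclosing try block and method begin outside the hunk.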
@@ -83,7 +83,9 @@ public class SignatureFilterTest {
 assertTrue(filter.filter(signed).isEmpty()); SecurityContext securityContext = (SecurityContext) signed.getAttribute(SecurityContext.ATTRIBUTE_NAME); assertEquals("buildService@my-tenant.my-app", securityContext.principal().getName());
- assertEquals(Set.of(Role.buildService(id.tenant(), id.application())), securityContext.roles());
+ assertEquals(Set.of(Role.buildService(id.tenant(), id.application()),
+ Role.applicationDeveloper(id.tenant(), id.application())),
+ securityContext.roles());
 // Signed POST request also gets a build service role. byte[] hiBytes = new byte[]{0x48, 0x69};
@@ -91,7 +93,9 @@ public class SignatureFilterTest {
 filter.filter(signed); securityContext = (SecurityContext) signed.getAttribute(SecurityContext.ATTRIBUTE_NAME); assertEquals("buildService@my-tenant.my-app", securityContext.principal().getName());
- assertEquals(Set.of(Role.buildService(id.tenant(), id.application())), securityContext.roles());
+ assertEquals(Set.of(Role.buildService(id.tenant(), id.application()),
+ Role.applicationDeveloper(id.tenant(), id.application())),
+ securityContext.roles());
 // Unsigned requests still get no roles. filter.filter(unsigned); |
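Review bot: In SignatureFilterTest.java the context comment `// Signed POST request also gets a build service role.` no longer describes the assertion that follows it, since both signed requests are now expected to carry `applicationDeveloper` as well; reword it to `// Signed POST request also gets the build service and application developer roles.` The same three-line `Set.of(...)` expectation is repeated in the hunk at -91,7; a single local such as `Set<Role> signedRoles = Set.of(...)` declared once would keep the two assertions from drifting. The test method starts and ends outside both hunks.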