Let key authentication imply applicationDeveloper role as well

author: Jon Marius Venstad <jvenstad@yahoo-inc.com> 2019-05-03 13:37:16 +0200
committer: Jon Marius Venstad <jvenstad@yahoo-inc.com> 2019-05-03 13:37:16 +0200
commit: cccb67efbb512b4de13ba44243d6d8f728c00e84 (patch)
tree: ef9849aace9b2a13b147b3a7da2d75ef9d1cb591 /controller-server
parent: c4a609eee2f5dca31435c7395af466e414ecaa89 (diff)
2 files changed, 8 insertions, 3 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/SignatureFilter.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/SignatureFilter.java
index 5cf29179d2a..0526c69e2bd 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/SignatureFilter.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/SignatureFilter.java
@@ -59,7 +59,8 @@ public class SignatureFilter extends JsonSecurityRequestFilterBase {
                 if (verified)
                     request.setAttribute(SecurityContext.ATTRIBUTE_NAME,
                                          new SecurityContext(() -> "buildService@" + id.tenant() + "." + id.application(),
-                                                             Set.of(Role.buildService(id.tenant(), id.application()))));
+                                                             Set.of(Role.buildService(id.tenant(), id.application()),
+                                                                    Role.applicationDeveloper(id.tenant(), id.application()))));
             }
             catch (Exception e) {
                 logger.log(LogLevel.DEBUG, () -> "Exception verifying signed request: " + Exceptions.toMessageString(e));
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/SignatureFilterTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/SignatureFilterTest.java
index bf44481c110..970cd6071d0 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/SignatureFilterTest.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/SignatureFilterTest.java
@@ -83,7 +83,9 @@ public class SignatureFilterTest {
         assertTrue(filter.filter(signed).isEmpty());
         SecurityContext securityContext = (SecurityContext) signed.getAttribute(SecurityContext.ATTRIBUTE_NAME);
         assertEquals("buildService@my-tenant.my-app", securityContext.principal().getName());
-        assertEquals(Set.of(Role.buildService(id.tenant(), id.application())), securityContext.roles());
+        assertEquals(Set.of(Role.buildService(id.tenant(), id.application()),
+                            Role.applicationDeveloper(id.tenant(), id.application())),
+                     securityContext.roles());
 
         // Signed POST request also gets a build service role.
         byte[] hiBytes = new byte[]{0x48, 0x69};
@@ -91,7 +93,9 @@ public class SignatureFilterTest {
         filter.filter(signed);
         securityContext = (SecurityContext) signed.getAttribute(SecurityContext.ATTRIBUTE_NAME);
         assertEquals("buildService@my-tenant.my-app", securityContext.principal().getName());
-        assertEquals(Set.of(Role.buildService(id.tenant(), id.application())), securityContext.roles());
+        assertEquals(Set.of(Role.buildService(id.tenant(), id.application()),
+                            Role.applicationDeveloper(id.tenant(), id.application())),
+                     securityContext.roles());
 
         // Unsigned requests still get no roles.
         filter.filter(unsigned);
author	Jon Marius Venstad <jvenstad@yahoo-inc.com>	2019-05-03 13:37:16 +0200
committer	Jon Marius Venstad <jvenstad@yahoo-inc.com>	2019-05-03 13:37:16 +0200
commit	cccb67efbb512b4de13ba44243d6d8f728c00e84 (patch)
tree	ef9849aace9b2a13b147b3a7da2d75ef9d1cb591 /controller-server
parent	c4a609eee2f5dca31435c7395af466e414ecaa89 (diff)