authorValerij Fredriksen <valerijf@verizonmedia.com>2019-04-24 14:15:31 +0200
committerValerij Fredriksen <valerijf@verizonmedia.com>2019-04-24 14:15:31 +0200
commitcdf49413038294cb36a95985d7987a7ffe5a81eb (patch)
treee7376c94e0a241b3d1644147cf28570926d1c121 /node-repository
parent6bacf54de46323c55af4171c3558bbdbb66a5f31 (diff)
Create & use ConfigServerFilterConfig in Authorizer
Diffstat (limited to 'node-repository')
-rw-r--r--node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilter.java11
-rw-r--r--node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/Authorizer.java25
-rw-r--r--node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilterTest.java17
-rw-r--r--node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizerTest.java21
4 files changed, 31 insertions, 43 deletions
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilter.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilter.java
index d15cd288f39..36d5c20a1b5 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilter.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilter.java
@@ -2,11 +2,10 @@
package com.yahoo.vespa.hosted.provision.restapi.v2.filter;
import com.google.inject.Inject;
+import com.yahoo.config.provisioning.ConfigServerFilterConfig;
import com.yahoo.jdisc.handler.ResponseHandler;
import com.yahoo.jdisc.http.filter.DiscFilterRequest;
-import com.yahoo.jdisc.http.filter.FilterConfig;
import com.yahoo.jdisc.http.filter.SecurityRequestFilter;
-import com.yahoo.vespa.athenz.utils.AthenzIdentities;
import com.yahoo.vespa.hosted.provision.NodeRepository;
import com.yahoo.vespa.hosted.provision.restapi.v2.ErrorResponse;
import com.yahoo.yolean.chain.After;
@@ -32,12 +31,8 @@ public class AuthorizationFilter implements SecurityRequestFilter {
private final BiConsumer<ErrorResponse, ResponseHandler> rejectAction;
@Inject
- public AuthorizationFilter(NodeRepository nodeRepository, FilterConfig filterConfig) {
- this.authorizer = new Authorizer(nodeRepository,
- AthenzIdentities.from(filterConfig.getInitParameter("controller.identity")),
- AthenzIdentities.from(filterConfig.getInitParameter("configserver.identity")),
- AthenzIdentities.from(filterConfig.getInitParameter("proxy.identity")),
- AthenzIdentities.from(filterConfig.getInitParameter("tenant-host.identity")));
+ public AuthorizationFilter(NodeRepository nodeRepository, ConfigServerFilterConfig filterConfig) {
+ this.authorizer = new Authorizer(nodeRepository, filterConfig);
this.rejectAction = AuthorizationFilter::logAndReject;
}
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/Authorizer.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/Authorizer.java
index 44636727531..da38768c1b5 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/Authorizer.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/Authorizer.java
@@ -2,7 +2,9 @@
package com.yahoo.vespa.hosted.provision.restapi.v2.filter;
import com.yahoo.config.provision.NodeType;
+import com.yahoo.config.provisioning.ConfigServerFilterConfig;
import com.yahoo.vespa.athenz.api.AthenzIdentity;
+import com.yahoo.vespa.athenz.utils.AthenzIdentities;
import com.yahoo.vespa.hosted.provision.Node;
import com.yahoo.vespa.hosted.provision.NodeRepository;
import org.apache.http.NameValuePair;
@@ -28,16 +30,23 @@ import java.util.stream.Collectors;
*/
public class Authorizer implements BiPredicate<NodePrincipal, URI> {
private final NodeRepository nodeRepository;
- private final AthenzIdentity controllerIdentity;
+ private final String athenzProviderHostname;
+ private final AthenzIdentity controllerHostIdentity;
private final Set<AthenzIdentity> trustedIdentities;
private final Set<AthenzIdentity> hostAdminIdentities;
- Authorizer(NodeRepository nodeRepository, AthenzIdentity controllerIdentity, AthenzIdentity configServerIdentity,
- AthenzIdentity proxyIdentity, AthenzIdentity tenantIdentity) {
+ Authorizer(NodeRepository nodeRepository, ConfigServerFilterConfig filterConfig) {
+ AthenzIdentity configServerHostIdentity = AthenzIdentities.from(filterConfig.configServerHostIdentity());
+
this.nodeRepository = nodeRepository;
- this.controllerIdentity = controllerIdentity;
- this.trustedIdentities = Set.of(controllerIdentity, configServerIdentity);
- this.hostAdminIdentities = Set.of(controllerIdentity, configServerIdentity, proxyIdentity, tenantIdentity);
+ this.athenzProviderHostname = filterConfig.athenzProviderHostname();
+ this.controllerHostIdentity = AthenzIdentities.from(filterConfig.controllerHostIdentity());
+ this.trustedIdentities = Set.of(controllerHostIdentity, configServerHostIdentity);
+ this.hostAdminIdentities = Set.of(
+ controllerHostIdentity,
+ configServerHostIdentity,
+ AthenzIdentities.from(filterConfig.tenantHostIdentity()),
+ AthenzIdentities.from(filterConfig.proxyHostIdentity()));
}
/** Returns whether principal is authorized to access given URI */
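Review bot: The constructor stores `filterConfig.athenzProviderHostname()` without any check, and that string is later the only gate for the Athenz provider API (`athenzProviderHostname.equals(hostname)` in the second Authorizer hunk), so a missing value would surface as a NullPointerException on the first request rather than at construction; I would fail fast with `this.athenzProviderHostname = Objects.requireNonNull(filterConfig.athenzProviderHostname(), "athenzProviderHostname");` (importing `java.util.Objects` if the file does not already). Whether the generated config class can actually return null I cannot tell from here, so treat that as something to confirm. Note also that `Set.of` throws IllegalArgumentException on duplicate elements, so a deployment that configures the same identity for two of the host roles will fail to build the Authorizer with a generic "duplicate element" message; this was already true of the old `Set.of` calls, but the new code keeps it, and a short comment on `trustedIdentities`/`hostAdminIdentities` saying the identities are expected to be distinct would make that intent explicit.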
@@ -51,7 +60,7 @@ public class Authorizer implements BiPredicate<NodePrincipal, URI> {
// Only controller can access everything else in flags
if (uri.getPath().startsWith("/flags/v1/")) {
- return principal.getAthenzIdentityName().get().equals(controllerIdentity);
+ return principal.getAthenzIdentityName().get().equals(controllerHostIdentity);
}
// Trusted services can access everything
@@ -63,7 +72,7 @@ public class Authorizer implements BiPredicate<NodePrincipal, URI> {
if (principal.getHostname().isPresent()) {
String hostname = principal.getHostname().get();
if (isAthenzProviderApi(uri)) {
- return hostname.equals(NodeIdentifier.ZTS_AWS_IDENTITY) || hostname.equals(NodeIdentifier.ZTS_ON_PREM_IDENTITY);
+ return athenzProviderHostname.equals(hostname);
}
// Individual nodes can only access their own resources
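Review bot: The Athenz provider API branch now admits a single configured hostname where it previously admitted two fixed ZTS identities, and nothing in the code records that this is a deliberate narrowing driven by configuration. I would add a comment above the return, `// Only the configured Athenz provider (ZTS) host may call the provider API; see ConfigServerFilterConfig.athenzProviderHostname`, so the next reader understands why the old constants are gone and where the trusted value comes from. The enclosing method starts and ends outside this hunk.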
diff --git a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilterTest.java b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilterTest.java
index 2f1755dd106..62ebc62f564 100644
--- a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilterTest.java
+++ b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilterTest.java
@@ -2,23 +2,20 @@
package com.yahoo.vespa.hosted.provision.restapi.v2.filter;
import com.yahoo.application.container.handler.Request.Method;
-import com.yahoo.container.FilterConfigProvider;
import com.yahoo.vespa.curator.mock.MockCurator;
import com.yahoo.vespa.hosted.provision.restapi.v2.filter.FilterTester.Request;
import com.yahoo.vespa.hosted.provision.testutils.MockNodeFlavors;
import com.yahoo.vespa.hosted.provision.testutils.MockNodeRepository;
import org.junit.Test;
-import java.util.Map;
-import java.util.stream.Collectors;
-import java.util.stream.Stream;
-
/**
* @author mpolden
*/
public class AuthorizationFilterTest {
- private final FilterTester tester = filterTester();
+ private final FilterTester tester = new FilterTester(new AuthorizationFilter(
+ new MockNodeRepository(new MockCurator(), new MockNodeFlavors()),
+ NodeIdentifierTest.FILTER_CONFIG));
@Test
public void filter() {
@@ -38,12 +35,4 @@ public class AuthorizationFilterTest {
tester.assertSuccess(new Request(Method.GET, "/nodes/v2/node/foo").commonName("foo"));
}
- private static FilterTester filterTester() {
- Map<String, String> params = Stream.of("controller", "configserver", "proxy", "tenant-host")
- .collect(Collectors.toMap(e -> e + ".identity", e -> "vespa." + e));
- return new FilterTester(new AuthorizationFilter(
- new MockNodeRepository(new MockCurator(), new MockNodeFlavors()),
- FilterConfigProvider.from("my-filter", AuthorizationFilter.class.getName(), params).get()));
- }
-
}
diff --git a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizerTest.java b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizerTest.java
index b539420a55a..241b37f8a63 100644
--- a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizerTest.java
+++ b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizerTest.java
@@ -4,7 +4,6 @@ package com.yahoo.vespa.hosted.provision.restapi.v2.filter;
import com.yahoo.config.provision.Flavor;
import com.yahoo.config.provision.NodeFlavors;
import com.yahoo.config.provision.NodeType;
-import com.yahoo.vespa.athenz.utils.AthenzIdentities;
import com.yahoo.vespa.curator.mock.MockCurator;
import com.yahoo.vespa.hosted.provision.Node;
import com.yahoo.vespa.hosted.provision.testutils.MockNodeFlavors;
@@ -17,6 +16,11 @@ import java.util.List;
import java.util.Optional;
import java.util.Set;
+import static com.yahoo.vespa.hosted.provision.restapi.v2.filter.NodeIdentifierTest.ATHENZ_PROVIDER_HOSTNAME;
+import static com.yahoo.vespa.hosted.provision.restapi.v2.filter.NodeIdentifierTest.CONFIG_SERVER_IDENTITY;
+import static com.yahoo.vespa.hosted.provision.restapi.v2.filter.NodeIdentifierTest.CONTROLLER_IDENTITY;
+import static com.yahoo.vespa.hosted.provision.restapi.v2.filter.NodeIdentifierTest.FILTER_CONFIG;
+import static com.yahoo.vespa.hosted.provision.restapi.v2.filter.NodeIdentifierTest.TENANT_HOST_IDENTITY;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
@@ -25,22 +29,13 @@ import static org.junit.Assert.assertTrue;
*/
public class AuthorizerTest {
- private static final String CONTROLLER_IDENTITY = "vespa.controller";
- private static final String CONFIG_SERVER_IDENTITY = "vespa.configserver";
- private static final String PROXY_IDENTITY = "vespa.proxy";
- private static final String TENANT_HOST_IDENTITY = "vespa.tenant-host";
-
private Authorizer authorizer;
@Before
public void before() {
NodeFlavors flavors = new MockNodeFlavors();
MockNodeRepository nodeRepository = new MockNodeRepository(new MockCurator(), flavors);
- authorizer = new Authorizer(nodeRepository,
- AthenzIdentities.from(CONTROLLER_IDENTITY),
- AthenzIdentities.from(CONFIG_SERVER_IDENTITY),
- AthenzIdentities.from(PROXY_IDENTITY),
- AthenzIdentities.from(TENANT_HOST_IDENTITY));
+ authorizer = new Authorizer(nodeRepository, FILTER_CONFIG);
Set<String> ipAddresses = Set.of("127.0.0.1", "::1");
Flavor flavor = flavors.getFlavorOrThrow("default");
@@ -170,8 +165,8 @@ public class AuthorizerTest {
@Test
public void zts_allowed_for_athenz_provider_api() {
- assertTrue(authorizedLegacyNode(NodeIdentifier.ZTS_AWS_IDENTITY, "/athenz/v1/provider/refresh"));
- assertTrue(authorizedLegacyNode(NodeIdentifier.ZTS_ON_PREM_IDENTITY, "/athenz/v1/provider/instance"));
+ assertTrue(authorizedLegacyNode(ATHENZ_PROVIDER_HOSTNAME, "/athenz/v1/provider/refresh"));
+ assertTrue(authorizedLegacyNode(ATHENZ_PROVIDER_HOSTNAME, "/athenz/v1/provider/instance"));
}
private boolean authorizedTenantNode(String hostname, String path) {
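Review bot: Both assertions in `zts_allowed_for_athenz_provider_api` now pass the same `ATHENZ_PROVIDER_HOSTNAME`, so the test no longer exercises the second accepted identity it used to cover, and it still has no negative case showing that an arbitrary hostname is rejected on these paths. Since the comparison is now a plain equality against a configured value, a constructed negative such as `assertFalse(authorizedLegacyNode("other-host.example", "/athenz/v1/provider/refresh"));` would pin the authorization decision rather than only the happy path. `assertFalse` is already statically imported in this file.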