author | Valerij Fredriksen <valerijf@verizonmedia.com> | 2019-04-24 14:15:31 +0200 |
---|---|---|
committer | Valerij Fredriksen <valerijf@verizonmedia.com> | 2019-04-24 14:15:31 +0200 |
commit | cdf49413038294cb36a95985d7987a7ffe5a81eb (patch) | |
tree | e7376c94e0a241b3d1644147cf28570926d1c121 /node-repository | |
parent | 6bacf54de46323c55af4171c3558bbdbb66a5f31 (diff) |
Create & use ConfigServerFilterConfig in Authorizer
Diffstat (limited to 'node-repository')
4 files changed, 31 insertions, 43 deletions
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilter.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilter.java
index d15cd288f39..36d5c20a1b5 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilter.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilter.java
@@ -2,11 +2,10 @@
 package com.yahoo.vespa.hosted.provision.restapi.v2.filter;
 
 import com.google.inject.Inject;
+import com.yahoo.config.provisioning.ConfigServerFilterConfig;
 import com.yahoo.jdisc.handler.ResponseHandler;
 import com.yahoo.jdisc.http.filter.DiscFilterRequest;
-import com.yahoo.jdisc.http.filter.FilterConfig;
 import com.yahoo.jdisc.http.filter.SecurityRequestFilter;
-import com.yahoo.vespa.athenz.utils.AthenzIdentities;
 import com.yahoo.vespa.hosted.provision.NodeRepository;
 import com.yahoo.vespa.hosted.provision.restapi.v2.ErrorResponse;
 import com.yahoo.yolean.chain.After;
@@ -32,12 +31,8 @@ public class AuthorizationFilter implements SecurityRequestFilter {
 private final BiConsumer<ErrorResponse, ResponseHandler> rejectAction;
 
 @Inject
- public AuthorizationFilter(NodeRepository nodeRepository, FilterConfig filterConfig) {
- this.authorizer = new Authorizer(nodeRepository,
- AthenzIdentities.from(filterConfig.getInitParameter("controller.identity")),
- AthenzIdentities.from(filterConfig.getInitParameter("configserver.identity")),
- AthenzIdentities.from(filterConfig.getInitParameter("proxy.identity")),
- AthenzIdentities.from(filterConfig.getInitParameter("tenant-host.identity")));
+ public AuthorizationFilter(NodeRepository nodeRepository, ConfigServerFilterConfig filterConfig) {
+ this.authorizer = new Authorizer(nodeRepository, filterConfig);
 this.rejectAction = AuthorizationFilter::logAndReject;
 }
 
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/Authorizer.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/Authorizer.java
index 44636727531..da38768c1b5 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/Authorizer.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/Authorizer.java
@@ -2,7 +2,9 @@
 package com.yahoo.vespa.hosted.provision.restapi.v2.filter;
 
 import com.yahoo.config.provision.NodeType;
+import com.yahoo.config.provisioning.ConfigServerFilterConfig;
 import com.yahoo.vespa.athenz.api.AthenzIdentity;
+import com.yahoo.vespa.athenz.utils.AthenzIdentities;
 import com.yahoo.vespa.hosted.provision.Node;
 import com.yahoo.vespa.hosted.provision.NodeRepository;
 import org.apache.http.NameValuePair;
@@ -28,16 +30,23 @@ import java.util.stream.Collectors;
 */
 public class Authorizer implements BiPredicate<NodePrincipal, URI> {
 private final NodeRepository nodeRepository;
- private final AthenzIdentity controllerIdentity;
+ private final String athenzProviderHostname;
+ private final AthenzIdentity controllerHostIdentity;
 private final Set<AthenzIdentity> trustedIdentities;
 private final Set<AthenzIdentity> hostAdminIdentities;
 
- Authorizer(NodeRepository nodeRepository, AthenzIdentity controllerIdentity, AthenzIdentity configServerIdentity,
- AthenzIdentity proxyIdentity, AthenzIdentity tenantIdentity) {
+ Authorizer(NodeRepository nodeRepository, ConfigServerFilterConfig filterConfig) {
+ AthenzIdentity configServerHostIdentity = AthenzIdentities.from(filterConfig.configServerHostIdentity());
+
 this.nodeRepository = nodeRepository;
- this.controllerIdentity = controllerIdentity;
- this.trustedIdentities = Set.of(controllerIdentity, configServerIdentity);
- this.hostAdminIdentities = Set.of(controllerIdentity, configServerIdentity, proxyIdentity, tenantIdentity);
+ this.athenzProviderHostname = filterConfig.athenzProviderHostname();
+ this.controllerHostIdentity = AthenzIdentities.from(filterConfig.controllerHostIdentity());
+ this.trustedIdentities = Set.of(controllerHostIdentity, configServerHostIdentity);
+ this.hostAdminIdentities = Set.of(
+ controllerHostIdentity,
+ configServerHostIdentity,
+ AthenzIdentities.from(filterConfig.tenantHostIdentity()),
+ AthenzIdentities.from(filterConfig.proxyHostIdentity()));
 }
 
 /** Returns whether principal is authorized to access given URI */
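Review bot: The two `Set.of(...)` calls at the end of the new constructor throw `IllegalArgumentException` on duplicate elements, so a `ConfigServerFilterConfig` in which two of the four identities resolve to the same Athenz identity makes the filter fail at construction time instead of at the first request; this was already true of the old constructor, but the values are now read from config rather than passed explicitly, so the uniqueness constraint is less visible to whoever writes that config. Either build the sets with a duplicate-tolerant collector (the class already imports `java.util.stream.Collectors`) or document the requirement on the constructor, e.g. `// the four configured identities must be pairwise distinct: Set.of rejects duplicates`. A one-line comment above the assignments, `// trustedIdentities are granted every path ("Trusted services can access everything" below); hostAdminIdentities is the wider set that also admits tenant and proxy hosts`, would make the trust ordering explicit at the point where it is defined. The class body, and the paths these two sets gate, continue outside the hunk.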
@@ -51,7 +60,7 @@ public class Authorizer implements BiPredicate<NodePrincipal, URI> {
 
 // Only controller can access everything else in flags
 if (uri.getPath().startsWith("/flags/v1/")) {
- return principal.getAthenzIdentityName().get().equals(controllerIdentity);
+ return principal.getAthenzIdentityName().get().equals(controllerHostIdentity);
 }
 
 // Trusted services can access everything
@@ -63,7 +72,7 @@ public class Authorizer implements BiPredicate<NodePrincipal, URI> {
 if (principal.getHostname().isPresent()) {
 String hostname = principal.getHostname().get();
 if (isAthenzProviderApi(uri)) {
- return hostname.equals(NodeIdentifier.ZTS_AWS_IDENTITY) || hostname.equals(NodeIdentifier.ZTS_ON_PREM_IDENTITY);
+ return athenzProviderHostname.equals(hostname);
 }
 
 // Individual nodes can only access their own resources
diff --git a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilterTest.java b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilterTest.java
index 2f1755dd106..62ebc62f564 100644
--- a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilterTest.java
+++ b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilterTest.java
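Review bot: In the `/flags/v1/` branch the new line `return principal.getAthenzIdentityName().get().equals(controllerHostIdentity);` still dereferences the `Optional` without a presence check, so a principal that carries no Athenz identity (the hostname-only case the second hunk handles via `principal.getHostname().isPresent()`) would reach that `get()` and fail with an exception rather than a deny, unless a check earlier in the method already rules that out; the start of the method is not in the hunk. Since this is the authorization decision, a missing identity should read as an explicit denial: `return principal.getAthenzIdentityName().map(controllerHostIdentity::equals).orElse(false);`. The second hunk's `athenzProviderHostname.equals(hostname)` is fine as written; a short comment there, `// only the configured Athenz provider host may call the provider API`, would record why one configured hostname replaced the two constants. The enclosing method starts before the first hunk and ends after the second.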
@@ -2,23 +2,20 @@
 package com.yahoo.vespa.hosted.provision.restapi.v2.filter;
 
 import com.yahoo.application.container.handler.Request.Method;
-import com.yahoo.container.FilterConfigProvider;
 import com.yahoo.vespa.curator.mock.MockCurator;
 import com.yahoo.vespa.hosted.provision.restapi.v2.filter.FilterTester.Request;
 import com.yahoo.vespa.hosted.provision.testutils.MockNodeFlavors;
 import com.yahoo.vespa.hosted.provision.testutils.MockNodeRepository;
 import org.junit.Test;
 
-import java.util.Map;
-import java.util.stream.Collectors;
-import java.util.stream.Stream;
-
 /**
 * @author mpolden
 */
 public class AuthorizationFilterTest {
 
- private final FilterTester tester = filterTester();
+ private final FilterTester tester = new FilterTester(new AuthorizationFilter(
+ new MockNodeRepository(new MockCurator(), new MockNodeFlavors()),
+ NodeIdentifierTest.FILTER_CONFIG));
 
 @Test
 public void filter() {
@@ -38,12 +35,4 @@ public class AuthorizationFilterTest {
 tester.assertSuccess(new Request(Method.GET, "/nodes/v2/node/foo").commonName("foo"));
 }
 
- private static FilterTester filterTester() {
- Map<String, String> params = Stream.of("controller", "configserver", "proxy", "tenant-host")
- .collect(Collectors.toMap(e -> e + ".identity", e -> "vespa." + e));
- return new FilterTester(new AuthorizationFilter(
- new MockNodeRepository(new MockCurator(), new MockNodeFlavors()),
- FilterConfigProvider.from("my-filter", AuthorizationFilter.class.getName(), params).get()));
- }
-
 }
diff --git a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizerTest.java b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizerTest.java
index b539420a55a..241b37f8a63 100644
--- a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizerTest.java
+++ b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizerTest.java
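Review bot: `AuthorizationFilterTest` now takes its fixture from another test class (`NodeIdentifierTest.FILTER_CONFIG` in the first hunk), which couples the two tests: a change made to `NodeIdentifierTest` for its own purposes silently changes what this filter is constructed with. A small shared fixture class holding the config and identity constants, used by all three tests, would keep that dependency explicit. The old helper used four distinct `vespa.<role>` identities; whether `FILTER_CONFIG` keeps them pairwise distinct is not visible here and matters because `Authorizer` builds `Set.of` from them. The test class continues outside the hunk.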
@@ -4,7 +4,6 @@ package com.yahoo.vespa.hosted.provision.restapi.v2.filter;
 import com.yahoo.config.provision.Flavor;
 import com.yahoo.config.provision.NodeFlavors;
 import com.yahoo.config.provision.NodeType;
-import com.yahoo.vespa.athenz.utils.AthenzIdentities;
 import com.yahoo.vespa.curator.mock.MockCurator;
 import com.yahoo.vespa.hosted.provision.Node;
 import com.yahoo.vespa.hosted.provision.testutils.MockNodeFlavors;
@@ -17,6 +16,11 @@ import java.util.List;
 import java.util.Optional;
 import java.util.Set;
 
+import static com.yahoo.vespa.hosted.provision.restapi.v2.filter.NodeIdentifierTest.ATHENZ_PROVIDER_HOSTNAME;
+import static com.yahoo.vespa.hosted.provision.restapi.v2.filter.NodeIdentifierTest.CONFIG_SERVER_IDENTITY;
+import static com.yahoo.vespa.hosted.provision.restapi.v2.filter.NodeIdentifierTest.CONTROLLER_IDENTITY;
+import static com.yahoo.vespa.hosted.provision.restapi.v2.filter.NodeIdentifierTest.FILTER_CONFIG;
+import static com.yahoo.vespa.hosted.provision.restapi.v2.filter.NodeIdentifierTest.TENANT_HOST_IDENTITY;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertTrue;
 
@@ -25,22 +29,13 @@ import static org.junit.Assert.assertTrue;
 */
 public class AuthorizerTest {
 
- private static final String CONTROLLER_IDENTITY = "vespa.controller";
- private static final String CONFIG_SERVER_IDENTITY = "vespa.configserver";
- private static final String PROXY_IDENTITY = "vespa.proxy";
- private static final String TENANT_HOST_IDENTITY = "vespa.tenant-host";
-
 private Authorizer authorizer;
 
 @Before
 public void before() {
 NodeFlavors flavors = new MockNodeFlavors();
 MockNodeRepository nodeRepository = new MockNodeRepository(new MockCurator(), flavors);
- authorizer = new Authorizer(nodeRepository,
- AthenzIdentities.from(CONTROLLER_IDENTITY),
- AthenzIdentities.from(CONFIG_SERVER_IDENTITY),
- AthenzIdentities.from(PROXY_IDENTITY),
- AthenzIdentities.from(TENANT_HOST_IDENTITY));
+ authorizer = new Authorizer(nodeRepository, FILTER_CONFIG);
 Set<String> ipAddresses = Set.of("127.0.0.1", "::1");
 Flavor flavor = flavors.getFlavorOrThrow("default");
 
@@ -170,8 +165,8 @@ public class AuthorizerTest {
 
 @Test
 public void zts_allowed_for_athenz_provider_api() {
- assertTrue(authorizedLegacyNode(NodeIdentifier.ZTS_AWS_IDENTITY, "/athenz/v1/provider/refresh"));
- assertTrue(authorizedLegacyNode(NodeIdentifier.ZTS_ON_PREM_IDENTITY, "/athenz/v1/provider/instance"));
+ assertTrue(authorizedLegacyNode(ATHENZ_PROVIDER_HOSTNAME, "/athenz/v1/provider/refresh"));
+ assertTrue(authorizedLegacyNode(ATHENZ_PROVIDER_HOSTNAME, "/athenz/v1/provider/instance"));
 }
 
 private boolean authorizedTenantNode(String hostname, String path) { |
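Review bot: `zts_allowed_for_athenz_provider_api` (second hunk) now asserts the same configured hostname twice, so it no longer demonstrates that the provider API is closed to any other hostname, which is the property the new `athenzProviderHostname.equals(hostname)` check in `Authorizer` exists to enforce. Add a denial case next to the two positive ones, e.g. `assertFalse(authorizedLegacyNode("some-other-host.example", "/athenz/v1/provider/refresh"));` (constructed hostname), unless another test in the class already covers it; `assertFalse` is already statically imported. The test class continues outside the hunk.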