authorMartin Polden <mpolden@mpolden.no>2018-03-22 09:45:31 +0100
committerMartin Polden <mpolden@mpolden.no>2018-03-22 09:45:31 +0100
commit74066e996c6befbf32de24300f0d83570fb7660d (patch)
tree54a0f68af11c38c7b07bd25ff7318fd7622ea3e2 /node-repository
parent7637c48bd181e9344f0c682141ef0e0ea1029270 (diff)
Allow proxyhost to access /routing/v1
Diffstat (limited to 'node-repository')
-rw-r--r--node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/Authorizer.java16
-rw-r--r--node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/AuthorizerTest.java12
2 files changed, 19 insertions, 9 deletions
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/Authorizer.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/Authorizer.java
index 9559b2e59e4..3d72c9eaca9 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/Authorizer.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/Authorizer.java
@@ -13,6 +13,7 @@ import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.Principal;
import java.util.ArrayList;
+import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Optional;
@@ -51,12 +52,12 @@ public class Authorizer implements BiPredicate<Principal, URI> {
}
// Individual nodes can only access their own resources
- if (canAccess(hostnamesFrom(uri), principal, this::isSelfOrParent)) {
+ if (canAccessAll(hostnamesFrom(uri), principal, this::isSelfOrParent)) {
return true;
}
- // Nodes of a specific type can access whitelisted resources
- if (canAccess(nodeTypesFor(uri), principal, this::isNodeType)) {
+ // Nodes can access this resource if its type matches any of the valid node types
+ if (canAccessAny(nodeTypesFor(uri), principal, this::isNodeType)) {
return true;
}
@@ -93,10 +94,15 @@ public class Authorizer implements BiPredicate<Principal, URI> {
}
/** Returns whether principal can access all given resources */
- private <T> boolean canAccess(List<T> resources, Principal principal, BiPredicate<T, Principal> predicate) {
+ private <T> boolean canAccessAll(List<T> resources, Principal principal, BiPredicate<T, Principal> predicate) {
return !resources.isEmpty() && resources.stream().allMatch(resource -> predicate.test(resource, principal));
}
+ /** Returns whether principal can access any of the given resources */
+ private <T> boolean canAccessAny(List<T> resources, Principal principal, BiPredicate<T, Principal> predicate) {
+ return !resources.isEmpty() && resources.stream().anyMatch(resource -> predicate.test(resource, principal));
+ }
+
/** Trusted service name for this system */
private String trustedService() {
if (system != SystemName.main) {
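Review bot: The `!resources.isEmpty()` guard in `canAccessAll` is what keeps `allMatch` from returning true on an empty list and authorizing a URI that names no hostnames, but nothing in the method says so. The same guard is copied into `canAccessAny`, where `anyMatch` already returns false for an empty stream. I would add a comment above the return in `canAccessAll`, `// allMatch is vacuously true on an empty stream; the isEmpty check keeps that from granting access`, so the guard is not removed in a later cleanup. In `canAccessAny` the guard can stay for symmetry or be reduced to `return resources.stream().anyMatch(resource -> predicate.test(resource, principal));`. The hunk ends inside `trustedService`, which this point does not concern.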
@@ -153,7 +159,7 @@ public class Authorizer implements BiPredicate<Principal, URI> {
/** Returns node types which can access given URI */
private static List<NodeType> nodeTypesFor(URI uri) {
if (isChildOf("/routing/v1/", uri.getPath())) {
- return Collections.singletonList(NodeType.proxy);
+ return Arrays.asList(NodeType.proxy, NodeType.proxyhost);
}
return Collections.emptyList();
}
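Review bot: `nodeTypesFor` grants by path prefix, and with this change a second node type inherits whatever `isChildOf("/routing/v1/", uri.getPath())` accepts, while nothing visible in this hunk normalizes the path first. `isChildOf` is defined outside the hunk, so this is inferred: if it is a plain prefix comparison, a path containing dot-segments could satisfy the check while resolving to a resource outside `/routing/v1/`. Either confirm that the caller always passes a normalized URI, or match on `uri.normalize().getPath()` here. A comment on the method stating the assumption would help, e.g. `// matching is by path prefix; uri is expected to be normalized by the caller`.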
diff --git a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/AuthorizerTest.java b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/AuthorizerTest.java
index 9aa23436d45..330262e84be 100644
--- a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/AuthorizerTest.java
+++ b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/AuthorizerTest.java
@@ -35,7 +35,7 @@ public class AuthorizerTest {
public void before() {
NodeFlavors flavors = new MockNodeFlavors();
nodeRepository = new MockNodeRepository(new MockCurator(), flavors);
- authorizer = new Authorizer(SystemName.main, nodeRepository, () -> "cfg-host");
+ authorizer = new Authorizer(SystemName.main, nodeRepository, () -> "cfg1");
{ // Populate with nodes used in this test. Note that only nodes requiring node repository lookup are added here
Set<String> ipAddresses = new HashSet<>(Arrays.asList("127.0.0.1", "::1"));
Flavor flavor = flavors.getFlavorOrThrow("default");
@@ -54,6 +54,9 @@ public class AuthorizerTest {
nodes.add(nodeRepository.createNode("proxy1", "proxy1", ipAddresses, Optional.empty(),
flavor, NodeType.proxy));
+
+ nodes.add(nodeRepository.createNode("proxy1-host1", "proxy1-host", ipAddresses,
+ Optional.empty(), flavor, NodeType.proxyhost));
nodeRepository.addNodes(nodes);
}
}
@@ -131,15 +134,16 @@ public class AuthorizerTest {
@Test
public void routing_authorization() {
- // Node of proxy type can access routing resource
+ // Node of proxy or proxyhost type can access routing resource
assertFalse(authorized("node1", "/routing/v1/status"));
assertTrue(authorized("proxy1", "/routing/v1/status"));
+ assertTrue(authorized("proxy1-host", "/routing/v1/status"));
}
@Test
public void host_authorization() {
- assertTrue(authorized("cfg-host", "/"));
- assertTrue(authorized("cfg-host", "/application/v2"));
+ assertTrue(authorized("cfg1", "/"));
+ assertTrue(authorized("cfg1", "/application/v2"));
}
private boolean authorized(String principal, String path) {
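Review bot: `routing_authorization` asserts only the new grant for `proxy1-host`; no assertion pins what that principal must still be denied. Because the node-type check moved from all-match to any-match in this commit, a negative case such as `assertFalse(authorized("proxy1-host", "/application/v2"));` would catch an accidental widening, assuming no other rule is meant to allow that path. The body of the `authorized` helper lies outside the hunk, so how the principal is constructed is not visible here.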