author | Martin Polden <mpolden@mpolden.no> | 2018-03-22 09:45:31 +0100 |
---|---|---|
committer | Martin Polden <mpolden@mpolden.no> | 2018-03-22 09:45:31 +0100 |
commit | 74066e996c6befbf32de24300f0d83570fb7660d (patch) | |
tree | 54a0f68af11c38c7b07bd25ff7318fd7622ea3e2 /node-repository | |
parent | 7637c48bd181e9344f0c682141ef0e0ea1029270 (diff) |
Allow proxyhost to access /routing/v1
Diffstat (limited to 'node-repository')
2 files changed, 19 insertions, 9 deletions
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/Authorizer.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/Authorizer.java
index 9559b2e59e4..3d72c9eaca9 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/Authorizer.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/Authorizer.java
@@ -13,6 +13,7 @@ import java.net.URI;
 import java.nio.charset.StandardCharsets;
 import java.security.Principal;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Collections;
 import java.util.List;
 import java.util.Optional;
@@ -51,12 +52,12 @@ public class Authorizer implements BiPredicate<Principal, URI> {
 }
 // Individual nodes can only access their own resources
- if (canAccess(hostnamesFrom(uri), principal, this::isSelfOrParent)) {
+ if (canAccessAll(hostnamesFrom(uri), principal, this::isSelfOrParent)) {
 return true;
 }
- // Nodes of a specific type can access whitelisted resources
- if (canAccess(nodeTypesFor(uri), principal, this::isNodeType)) {
+ // Nodes can access this resource if its type matches any of the valid node types
+ if (canAccessAny(nodeTypesFor(uri), principal, this::isNodeType)) {
 return true;
 }
@@ -93,10 +94,15 @@ public class Authorizer implements BiPredicate<Principal, URI> {
 }
 /** Returns whether principal can access all given resources */
- private <T> boolean canAccess(List<T> resources, Principal principal, BiPredicate<T, Principal> predicate) {
+ private <T> boolean canAccessAll(List<T> resources, Principal principal, BiPredicate<T, Principal> predicate) {
 return !resources.isEmpty() && resources.stream().allMatch(resource -> predicate.test(resource, principal));
 }
+ /** Returns whether principal can access any of the given resources */
+ private <T> boolean canAccessAny(List<T> resources, Principal principal, BiPredicate<T, Principal> predicate) {
+ return !resources.isEmpty() && resources.stream().anyMatch(resource -> predicate.test(resource, principal));
+ }
+
 /** Trusted service name for this system */
 private String trustedService() {
 if (system != SystemName.main) {
@@ -153,7 +159,7 @@ public class Authorizer implements BiPredicate<Principal, URI> {
 /** Returns node types which can access given URI */
 private static List<NodeType> nodeTypesFor(URI uri) {
 if (isChildOf("/routing/v1/", uri.getPath())) {
- return Collections.singletonList(NodeType.proxy);
+ return Arrays.asList(NodeType.proxy, NodeType.proxyhost);
 }
 return Collections.emptyList();
 }
diff --git a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/AuthorizerTest.java b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/AuthorizerTest.java
index 9aa23436d45..330262e84be 100644
--- a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/AuthorizerTest.java
+++ b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/AuthorizerTest.java
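Review bot: The Javadoc on the new canAccessAny (and the renamed canAccessAll) leaves the empty-list case implicit, although both helpers deliberately deny when `resources` is empty — that guard is what keeps a URI with no permitted node types fail-closed, since nodeTypesFor returns an empty list for everything outside the routing prefix. Spell it out so a later edit does not "simplify" the guard away: `/** Returns whether principal can access any of the given resources; an empty list never grants access */`, with the same sentence on canAccessAll. The parameter is also called `resources` although the node-type caller passes the list of permitted NodeTypes, so the Javadoc could say the list holds whatever the predicate is evaluated against rather than resources in the URI sense.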
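Review bot: nodeTypesFor now hands the routing whitelist to two node types, but neither the code nor the commit message says why proxyhost needs `/routing/v1/`, and that reason is what a future reader needs when deciding whether a third type belongs on this line. Add a one-line comment above the return, e.g. `// proxyhost is granted the same routing access as proxy (reason: <fill in>)`. Note that `isChildOf` grants every path below `/routing/v1/` to both types; if the host only needs specific endpoints, this is the place to narrow it rather than in the callers.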
@@ -35,7 +35,7 @@ public class AuthorizerTest {
 public void before() {
 NodeFlavors flavors = new MockNodeFlavors();
 nodeRepository = new MockNodeRepository(new MockCurator(), flavors);
- authorizer = new Authorizer(SystemName.main, nodeRepository, () -> "cfg-host");
+ authorizer = new Authorizer(SystemName.main, nodeRepository, () -> "cfg1");
 { // Populate with nodes used in this test. Note that only nodes requiring node repository lookup are added here
 Set<String> ipAddresses = new HashSet<>(Arrays.asList("127.0.0.1", "::1"));
 Flavor flavor = flavors.getFlavorOrThrow("default");
@@ -54,6 +54,9 @@ public class AuthorizerTest {
 nodes.add(nodeRepository.createNode("proxy1", "proxy1", ipAddresses,
 Optional.empty(), flavor, NodeType.proxy));
+
+ nodes.add(nodeRepository.createNode("proxy1-host1", "proxy1-host", ipAddresses,
+ Optional.empty(), flavor, NodeType.proxyhost));
 nodeRepository.addNodes(nodes);
 }
 }
@@ -131,15 +134,16 @@ public class AuthorizerTest {
 @Test
 public void routing_authorization() {
- // Node of proxy type can access routing resource
+ // Node of proxy or proxyhost type can access routing resource
 assertFalse(authorized("node1", "/routing/v1/status"));
 assertTrue(authorized("proxy1", "/routing/v1/status"));
+ assertTrue(authorized("proxy1-host", "/routing/v1/status"));
 }
 @Test
 public void host_authorization() {
- assertTrue(authorized("cfg-host", "/"));
- assertTrue(authorized("cfg-host", "/application/v2"));
+ assertTrue(authorized("cfg1", "/"));
+ assertTrue(authorized("cfg1", "/application/v2"));
 }
 private boolean authorized(String principal, String path) {
|
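Review bot: The new proxyhost fixture is created with two different identifiers, `"proxy1-host1"` and `"proxy1-host"`, while the sibling proxy node on the line above passes the same string for both arguments; createNode's signature is outside the hunk, but the later assertion authorizes `"proxy1-host"`, so the second argument appears to be the hostname and the first looks like a typo. Use `"proxy1-host", "proxy1-host"` unless the mismatch is intentional, in which case a short comment saying so would stop the next reader from "fixing" it.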
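Review bot: routing_authorization only asserts the positive case for the new proxyhost node; the single negative assertion (`node1`) predates the change, so nothing pins that the widened whitelist is still limited to the two listed types or that a proxyhost stays confined to `/routing/v1/`. Add e.g. `assertFalse(authorized("proxy1-host", "/application/v2"));` — unless another rule outside this hunk, such as the parent-host check, legitimately grants it — and a denied assertion for a non-proxy host type if the fixture has one. The helper `authorized` begins on the hunk's last line and its body is outside the hunk.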