authorMartin Polden <mpolden@mpolden.no>2018-03-26 09:39:39 +0200
committerMartin Polden <mpolden@mpolden.no>2018-03-26 09:44:44 +0200
commit2577fa84358c2be3a4984d7b5f84e1389ec09253 (patch)
treef81453e33eb61276246e0b81a3adb7630b8b671c /node-repository
parent182feefa361e6c939aa72d896af6270f8dd64038 (diff)
Enforce config server authorization in main
Diffstat (limited to 'node-repository')
-rw-r--r--node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilter.java17
-rw-r--r--node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/LocalhostFilter.java2
-rw-r--r--node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilterTest.java10
-rw-r--r--node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/FilterTester.java3
-rw-r--r--node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/LocalhostFilterTest.java2
5 files changed, 6 insertions, 28 deletions
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilter.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilter.java
index 12de9aeef30..fcefe73a8b9 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilter.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilter.java
@@ -2,7 +2,6 @@
package com.yahoo.vespa.hosted.provision.restapi.v2.filter;
import com.google.inject.Inject;
-import com.yahoo.config.provision.SystemName;
import com.yahoo.config.provision.Zone;
import com.yahoo.jdisc.handler.ResponseHandler;
import com.yahoo.jdisc.http.filter.DiscFilterRequest;
@@ -34,7 +33,7 @@ public class AuthorizationFilter implements SecurityRequestFilter {
@Inject
public AuthorizationFilter(Zone zone, NodeRepository nodeRepository) {
- this(new Authorizer(zone.system(), nodeRepository), rejectActionIn(zone.system()));
+ this(new Authorizer(zone.system(), nodeRepository), AuthorizationFilter::logAndReject);
}
AuthorizationFilter(BiPredicate<Principal, URI> authorizer,
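Review bot: With `AuthorizationFilter::logAndReject` now passed unconditionally in the injected constructor, every rejection is recorded only by `log.warning(response.message())` in logAndReject (visible in the next hunk), which drops the status code that the removed dry-run line included. A denied request is the event operators will search for once enforcement is on everywhere, so the line should be at least as informative as the one it replaces, e.g. `log.warning("Rejecting request: " + response.getStatus() + " - " + response.message());`. Whether the message already names the principal and the requested URI is not visible here; if it does not, that is worth adding where the ErrorResponse is built. The second constructor's signature continues outside the hunk.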
@@ -63,17 +62,6 @@ public class AuthorizationFilter implements SecurityRequestFilter {
}
}
- private static BiConsumer<ErrorResponse, ResponseHandler> rejectActionIn(SystemName system) {
- if (system == SystemName.cd) {
- return AuthorizationFilter::logAndReject;
- }
- return AuthorizationFilter::log;
- }
-
- private static void log(ErrorResponse response, @SuppressWarnings("unused") ResponseHandler handler) {
- log.warning("Would reject request: " + response.getStatus() + " - " + response.message());
- }
-
private static void logAndReject(ErrorResponse response, ResponseHandler handler) {
log.warning(response.message());
FilterUtils.write(response, handler);
@@ -81,8 +69,7 @@ public class AuthorizationFilter implements SecurityRequestFilter {
/** Read common name (CN) from certificate */
private static Optional<String> commonName(X509Certificate certificate) {
- return X509CertificateUtils.getCommonNames(certificate).stream()
- .findFirst();
+ return X509CertificateUtils.getCommonNames(certificate).stream().findFirst();
}
}
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/LocalhostFilter.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/LocalhostFilter.java
index 368b464afff..f9900f9b0ec 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/LocalhostFilter.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/LocalhostFilter.java
@@ -10,7 +10,7 @@ import com.yahoo.vespa.hosted.provision.restapi.v2.ErrorResponse;
import java.net.InetAddress;
/**
- * A security filter that only allows local requests.
+ * A security filter that only allows self-originating requests.
*
* @author mpolden
*/
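Review bot: "Self-originating" in the new class Javadoc does not say what the filter actually compares, and for a security filter the exact rule is the documentation. Judging by LocalhostFilterTest, it accepts loopback addresses and requests whose remote address equals the local address; if that is the rule, state it, e.g. `A security filter that only allows requests from a loopback address or from the host's own address.` The class body is outside the hunk, so the wording should be confirmed against the actual check.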
diff --git a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilterTest.java b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilterTest.java
index 1d59ed52b67..c6203c76347 100644
--- a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilterTest.java
+++ b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilterTest.java
@@ -22,7 +22,7 @@ public class AuthorizationFilterTest {
@Before
public void before() {
- tester = filterTester(SystemName.cd);
+ tester = filterTester(SystemName.main);
}
@Test
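Review bot: Switching `before()` to `filterTester(SystemName.main)` appears to leave the cd system without coverage in this class, although the filter still passes `zone.system()` to the Authorizer. If the authorizer's decisions can depend on the system, the rejection cases should run for both systems, for instance by also building a tester with `filterTester(SystemName.cd)` in the tests that assert a denied request. Tests outside this hunk may already do so; the class body is only partly visible here.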
@@ -43,14 +43,6 @@ public class AuthorizationFilterTest {
tester.assertSuccess(new Request(Method.GET, "/nodes/v2/node/foo").commonName("foo"));
}
- // TODO: Remove once filter applies to all systems
- @Test
- public void filter_does_nothing_in_main_system() {
- FilterTester tester = filterTester(SystemName.main);
- tester.assertSuccess(new Request(Method.GET, "/").commonName("foo"));
- tester.assertSuccess(new Request(Method.GET, "/nodes/v2/node/bar").commonName("foo"));
- }
-
private static FilterTester filterTester(SystemName system) {
Zone zone = new Zone(system, Environment.prod, RegionName.defaultName());
return new FilterTester(new AuthorizationFilter(zone, new MockNodeRepository(new MockCurator(),
diff --git a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/FilterTester.java b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/FilterTester.java
index 5cd01755c26..3fdff46933c 100644
--- a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/FilterTester.java
+++ b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/FilterTester.java
@@ -87,8 +87,7 @@ public class FilterTester {
Instant now = Instant.now();
X500Principal subject = new X500Principal("CN=" + commonName);
return X509CertificateBuilder
- .fromKeypair(
- keyPair, subject, now, now.plus(Duration.ofDays(30)), SHA256_WITH_RSA, now.toEpochMilli())
+ .fromKeypair(keyPair, subject, now, now.plus(Duration.ofDays(30)), SHA256_WITH_RSA, now.toEpochMilli())
.setBasicConstraints(true, true)
.build();
}
diff --git a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/LocalhostFilterTest.java b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/LocalhostFilterTest.java
index b4e446f6818..cb1ac2ade72 100644
--- a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/LocalhostFilterTest.java
+++ b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/LocalhostFilterTest.java
@@ -30,7 +30,7 @@ public class LocalhostFilterTest {
tester.assertSuccess(new Request(Method.GET, "/").remoteAddr("127.127.0.1"));
tester.assertSuccess(new Request(Method.GET, "/").remoteAddr("0:0:0:0:0:0:0:1"));
- // Allow requests originating from same host
+ // Allow requests originating from self
tester.assertSuccess(new Request(Method.GET, "/").localAddr("1.3.3.7").remoteAddr("1.3.3.7"));
}