authorBjørn Christian Seime <bjorncs@oath.com>2018-06-12 12:27:52 +0200
committerBjørn Christian Seime <bjorncs@oath.com>2018-06-12 12:34:58 +0200
commita3a9d6ae29cec4fe4f55c3c7b93986547a267a0f (patch)
tree1bcf0019eb34572232208bc239dc7598c0f48fca /node-repository
parenta78e1ec449e493fe8ff4f7131a0fb84bae0eda1d (diff)
Add access control for identity document api + identity provider api
Diffstat (limited to 'node-repository')
-rw-r--r--node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/Authorizer.java16
-rw-r--r--node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizerTest.java8
2 files changed, 22 insertions, 2 deletions
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/Authorizer.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/Authorizer.java
index da8f5be142f..ad078e09c45 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/Authorizer.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/Authorizer.java
@@ -7,7 +7,6 @@ import com.yahoo.vespa.athenz.api.AthenzIdentity;
import com.yahoo.vespa.athenz.api.AthenzService;
import com.yahoo.vespa.hosted.provision.Node;
import com.yahoo.vespa.hosted.provision.NodeRepository;
-import com.yahoo.vespa.hosted.provision.restapi.v2.filter.NodePrincipal;
import org.apache.http.NameValuePair;
import org.apache.http.client.utils.URLEncodedUtils;
@@ -52,6 +51,11 @@ public class Authorizer implements BiPredicate<NodePrincipal, URI> {
return true;
}
if (principal.getHostname().isPresent()) {
+ String hostname = principal.getHostname().get();
+ if (isAthenzProviderApi(uri)) {
+ return hostname.equals(NodeIdentifier.ZTS_AWS_IDENTITY) || hostname.equals(NodeIdentifier.ZTS_ON_PREM_IDENTITY);
+ }
+
// Individual nodes can only access their own resources
if (canAccessAll(hostnamesFrom(uri), principal, this::isSelfOrParent)) {
return true;
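Review bot: The early `return` in the new `isAthenzProviderApi` branch silently changes the meaning of the whitelist check further down: a principal that is not one of the two ZTS identities — including a hostname in `whitelistedHostnames`, which previously could reach any path — is now denied on the instance/refresh endpoints, while trusted services that already returned `true` above are unaffected. Whether locking whitelisted hosts out of these two endpoints is intended cannot be seen from the hunk; if it is, a comment should say so, e.g. `// Only ZTS may call the instance/refresh provider endpoints; node and whitelist rules below are deliberately bypassed`. It also reads oddly that a ZTS service identity is compared against `principal.getHostname()`; a short note on why the ZTS identity arrives in the hostname field would help the next reader. The enclosing method starts before and ends after this hunk.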
@@ -63,13 +67,18 @@ public class Authorizer implements BiPredicate<NodePrincipal, URI> {
}
// The host itself can access all resources
- if (whitelistedHostnames.contains(principal.getHostname().get())) {
+ if (whitelistedHostnames.contains(hostname)) {
return true;
}
}
return false;
}
+ private static boolean isAthenzProviderApi(URI uri) {
+ return "/athenz/v1/provider/instance".equals(uri.getPath()) ||
+ "/athenz/v1/provider/refresh".equals(uri.getPath());
+ }
+
/** Returns whether principal is the node itself or the parent of the node */
private boolean isSelfOrParent(String hostname, NodePrincipal principal) {
// Node can always access itself
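Review bot: `isAthenzProviderApi` has no doc comment and compares the decoded `uri.getPath()` byte-for-byte, so `/athenz/v1/provider/instance/` (trailing slash) or a percent-encoded spelling does not match and falls through to the node rules, under which the ZTS principal is denied. That is fail-closed only as long as the request router uses the same exact-path matching; if the router is more lenient, ZTS requests it dispatches to the provider handler would be rejected here, so the two should be kept in step. Suggest `/** Returns whether uri is the ZTS-facing instance or refresh endpoint of the Athenz provider API; matched on the exact decoded path. */` above the method, and ideally sharing the path constants with the handler rather than repeating the literals.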
@@ -153,6 +162,9 @@ public class Authorizer implements BiPredicate<NodePrincipal, URI> {
"/nodes/v2/node/".equals(uri.getPath())) {
return hostnamesFromQuery(uri);
}
+ if (isChildOf("/athenz/v1/provider/identity-document", uri.getPath())) {
+ return Collections.singletonList(lastChildOf(uri.getPath()));
+ }
return Collections.emptyList();
}
diff --git a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizerTest.java b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizerTest.java
index 9dc57507b8c..38128e66861 100644
--- a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizerTest.java
+++ b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizerTest.java
@@ -101,6 +101,8 @@ public class AuthorizerTest {
assertTrue(authorizedTenantHostNode("host1", "/nodes/v2/node/host1"));
assertTrue(authorizedTenantHostNode("host1", "/nodes/v2/node/child1-1"));
assertTrue(authorizedTenantHostNode("host1", "/nodes/v2/command/reboot?hostname=child1-1"));
+ assertTrue(authorizedTenantHostNode("host1", "/athenz/v1/provider/identity-document/tenant/host1"));
+ assertTrue(authorizedTenantHostNode("host1", "/athenz/v1/provider/identity-document/node/child1-1"));
// Trusted services can access everything in their own system
assertFalse(authorizedController("vespa.vespa.cd.hosting", "/")); // Wrong system
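Review bot: The two new identity-document assertions only cover the allowed cases (the host itself and its own child); there is no assertion that `host1` is denied a document for a node it does not parent, which is the property the access control is meant to enforce. Add a negative case alongside them using another host or child the fixture defines, e.g. `assertFalse(authorizedTenantHostNode("host1", "/athenz/v1/provider/identity-document/node/<other-host's-child>"));`, and one for a malformed path such as `/athenz/v1/provider/identity-document/tenant` so the fall-through behaviour is pinned. The enclosing test method starts before and ends after this hunk.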
@@ -151,6 +153,12 @@ public class AuthorizerTest {
assertTrue(authorizedLegacyNode("cfghost1", "/application/v2"));
}
+ @Test
+ public void zts_allowed_for_athenz_provider_api() {
+ assertTrue(authorizedLegacyNode(NodeIdentifier.ZTS_AWS_IDENTITY, "/athenz/v1/provider/refresh"));
+ assertTrue(authorizedLegacyNode(NodeIdentifier.ZTS_ON_PREM_IDENTITY, "/athenz/v1/provider/instance"));
+ }
+
private boolean authorizedTenantNode(String hostname, String path) {
return authorized(NodePrincipal.withAthenzIdentity("vespa.vespa.tenant", hostname, emptyList()), path);
}