-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/stubs/MockUserManagement.java4
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/user/UserManagement.java2
-rw-r--r--controller-server/src/main/java/com/yahoo/vespa/hosted/controller/security/Auth0Credentials.java2
-rw-r--r--controller-server/src/main/java/com/yahoo/vespa/hosted/controller/security/CloudAccessControl.java5
4 files changed, 10 insertions, 3 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/stubs/MockUserManagement.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/stubs/MockUserManagement.java
index 295f8e8fd98..dfdd273b6f5 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/stubs/MockUserManagement.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/stubs/MockUserManagement.java
@@ -75,4 +75,8 @@ public class MockUserManagement implements UserManagement {
return List.copyOf(get(role));
}
+ @Override
+ public List<Role> listRoles(UserId userId) {
+ return List.of();
+ }
}
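Review bot: The stub's `listRoles` returns `List.of()` for every user, whereas the `UserManagement` contract added in this commit documents the method as throwing when the user does not exist, so tests that drive `CloudAccessControl.administeredTenants` through this mock will always count zero tenants and never exercise the throw path. If the mock already keeps a role-to-users mapping (the `get(role)` call a few lines up suggests it does), deriving the result from that mapping would let tests cover the real counting logic. At minimum a comment such as `// Stub: does not model unknown users and never reports any role membership.` would make the divergence from the interface explicit.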
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/user/UserManagement.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/user/UserManagement.java
index 8a549b505c7..bfb617a75b6 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/user/UserManagement.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/user/UserManagement.java
@@ -34,4 +34,6 @@ public interface UserManagement {
/** Returns all users in the given role, or throws if the role does not exist. */
List<User> listUsers(Role role);
+ /** Returns all roles of which the given user is part, or throws if the user does not exist */
+ List<Role> listRoles(UserId user);
}
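Review bot: The new Javadoc is missing its terminating period, unlike the `listUsers` comment directly above it, and the parameter is named `user` here while the `MockUserManagement` implementation names it `userId`. Suggest `/** Returns all roles of which the given user is part, or throws if the user does not exist. */` and `List<Role> listRoles(UserId userId);` so the declaration and the stub agree.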
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/security/Auth0Credentials.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/security/Auth0Credentials.java
index 787f0f27d40..a908b341039 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/security/Auth0Credentials.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/security/Auth0Credentials.java
@@ -23,7 +23,7 @@ public class Auth0Credentials extends Credentials {
}
/** The set of roles set in the auth0 cookie, extracted by CloudAccessControlRequests. */
- public Set<Role> getRoles() {
+ public Set<Role> getRolesFromCookie() {
return roles;
}
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/security/CloudAccessControl.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/security/CloudAccessControl.java
index af55da630c7..dc3dbabcc07 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/security/CloudAccessControl.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/security/CloudAccessControl.java
@@ -73,7 +73,7 @@ public class CloudAccessControl implements AccessControl {
}
private boolean allowedByPrivilegedRole(Auth0Credentials auth0Credentials) {
- return auth0Credentials.getRoles().stream()
+ return auth0Credentials.getRolesFromCookie().stream()
.map(Role::definition)
.anyMatch(rd -> rd == hostedOperator || rd == hostedSupporter);
}
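Review bot: `allowedByPrivilegedRole` still grants operator/supporter access from `getRolesFromCookie()`, so the stale-cookie concern this commit fixes for `administeredTenants` remains for the more sensitive check: a user whose hosted-operator or hosted-supporter role has been revoked keeps that privilege until the cookie expires, assuming (as the new comment in the next hunk implies) the cookie's roles are not re-verified per request. Either read these roles through `userManagement.listRoles(new UserId(auth0Credentials.user().getName()))` as well, or add a comment stating why the cookie contents are an acceptable source for this decision.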
@@ -83,7 +83,8 @@ public class CloudAccessControl implements AccessControl {
}
private long administeredTenants(Auth0Credentials auth0Credentials) {
- return auth0Credentials.getRoles().stream()
+ // We have to verify the roles with auth0 to ensure the user is not using an "old" cookie to make too many tenants.
+ return userManagement.listRoles(new UserId(auth0Credentials.user().getName())).stream()
.map(Role::definition)
.filter(rd -> rd == administrator)
.count();
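Review bot: `listRoles` is documented to throw when the user does not exist, and it is now a remote lookup on every call, so `administeredTenants` will propagate both that exception and any lookup failure into the access-control decision without saying whether that is the intended fail-closed behaviour; a short comment recording that, or an explicit catch that denies, would make the policy clear. The new comment could also be more precise about the threat: `// Roles must come from auth0 rather than the cookie: a stale cookie could otherwise let a user create more tenants than currently permitted.` The closing brace of `administeredTenants` lies outside this hunk.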