aboutsummaryrefslogtreecommitdiffstats
path: root/controller-server/src/test/java/com/yahoo
diff options
context:
space:
mode:
Diffstat (limited to 'controller-server/src/test/java/com/yahoo')
-rw-r--r--controller-server/src/test/java/com/yahoo/vespa/hosted/controller/notification/NotificationsDbTest.java3
-rw-r--r--controller-server/src/test/java/com/yahoo/vespa/hosted/controller/notification/NotifierTest.java3
-rw-r--r--controller-server/src/test/java/com/yahoo/vespa/hosted/controller/persistence/TenantSerializerTest.java13
-rw-r--r--controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/SignatureFilterTest.java6
-rw-r--r--controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/user/UserApiTest.java23
-rw-r--r--controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/user/responses/application-roles.json19
-rw-r--r--controller-server/src/test/java/com/yahoo/vespa/hosted/controller/security/CloudUserSessionManagerTest.java64
7 files changed, 82 insertions, 49 deletions
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/notification/NotificationsDbTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/notification/NotificationsDbTest.java
index 1a171341ee0..4c1344650f8 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/notification/NotificationsDbTest.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/notification/NotificationsDbTest.java
@@ -61,7 +61,8 @@ public class NotificationsDbTest {
List.of(TenantContacts.Audience.NOTIFICATIONS),
email)))),
List.of(),
- new ArchiveAccess());
+ new ArchiveAccess(),
+ Optional.empty());
private static final List<Notification> notifications = List.of(
notification(1001, Type.deployment, Level.error, NotificationSource.from(tenant), "tenant msg"),
notification(1101, Type.applicationPackage, Level.warning, NotificationSource.from(TenantAndApplicationId.from(tenant.value(), "app1")), "app msg"),
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/notification/NotifierTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/notification/NotifierTest.java
index 00d8c100ced..7c07192d633 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/notification/NotifierTest.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/notification/NotifierTest.java
@@ -41,7 +41,8 @@ public class NotifierTest {
List.of(TenantContacts.Audience.NOTIFICATIONS),
email)))),
List.of(),
- new ArchiveAccess());
+ new ArchiveAccess(),
+ Optional.empty());
MockCuratorDb curatorDb = new MockCuratorDb(SystemName.Public);
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/persistence/TenantSerializerTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/persistence/TenantSerializerTest.java
index e29d4afabff..636620acf07 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/persistence/TenantSerializerTest.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/persistence/TenantSerializerTest.java
@@ -103,8 +103,8 @@ public class TenantSerializerTest {
otherPublicKey, new SimplePrincipal("jane")),
TenantInfo.empty(),
List.of(),
- new ArchiveAccess()
- );
+ new ArchiveAccess(),
+ Optional.empty());
CloudTenant serialized = (CloudTenant) serializer.tenantFrom(serializer.toSlime(tenant));
assertEquals(tenant.name(), serialized.name());
assertEquals(tenant.creator(), serialized.creator());
@@ -125,11 +125,12 @@ public class TenantSerializerTest {
new TenantSecretStore("ss1", "123", "role1"),
new TenantSecretStore("ss2", "124", "role2")
),
- new ArchiveAccess().withAWSRole("arn:aws:iam::123456789012:role/my-role")
- );
+ new ArchiveAccess().withAWSRole("arn:aws:iam::123456789012:role/my-role"),
+ Optional.of(Instant.ofEpochMilli(1234567)));
CloudTenant serialized = (CloudTenant) serializer.tenantFrom(serializer.toSlime(tenant));
assertEquals(tenant.info(), serialized.info());
assertEquals(tenant.tenantSecretStores(), serialized.tenantSecretStores());
+ assertEquals(tenant.invalidateUserSessionsBefore(), serialized.invalidateUserSessionsBefore());
}
@Test
@@ -174,8 +175,8 @@ public class TenantSerializerTest {
otherPublicKey, new SimplePrincipal("jane")),
TenantInfo.empty(),
List.of(),
- new ArchiveAccess().withAWSRole("arn:aws:iam::123456789012:role/my-role").withGCPMember("user:foo@example.com")
- );
+ new ArchiveAccess().withAWSRole("arn:aws:iam::123456789012:role/my-role").withGCPMember("user:foo@example.com"),
+ Optional.empty());
CloudTenant serialized = (CloudTenant) serializer.tenantFrom(serializer.toSlime(tenant));
assertEquals(serialized.archiveAccess().awsRole().get(), "arn:aws:iam::123456789012:role/my-role");
assertEquals(serialized.archiveAccess().gcpMember().get(), "user:foo@example.com");
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/SignatureFilterTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/SignatureFilterTest.java
index 9ff79213983..ec9be1f04c3 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/SignatureFilterTest.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/SignatureFilterTest.java
@@ -77,7 +77,8 @@ public class SignatureFilterTest {
ImmutableBiMap.of(),
TenantInfo.empty(),
List.of(),
- new ArchiveAccess()));
+ new ArchiveAccess(),
+ Optional.empty()));
tester.curator().writeApplication(new Application(appId, tester.clock().instant()));
}
@@ -123,7 +124,8 @@ public class SignatureFilterTest {
ImmutableBiMap.of(publicKey, () -> "user"),
TenantInfo.empty(),
List.of(),
- new ArchiveAccess()));
+ new ArchiveAccess(),
+ Optional.empty()));
verifySecurityContext(requestOf(signer.signed(request.copy(), Method.POST, () -> new ByteArrayInputStream(hiBytes)), hiBytes),
new SecurityContext(new SimplePrincipal("user"),
Set.of(Role.reader(id.tenant()),
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/user/UserApiTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/user/UserApiTest.java
index 3e9f6256134..1344b106bbe 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/user/UserApiTest.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/user/UserApiTest.java
@@ -84,7 +84,7 @@ public class UserApiTest extends ControllerContainerCloudTest {
// POST a hosted operator role is not allowed.
tester.assertResponse(request("/user/v1/tenant/my-tenant", POST)
.roles(Set.of(Role.administrator(id.tenant())))
- .data("{\"user\":\"evil@evil\",\"roleName\":\"hostedOperator\"}"),
+ .data("{\"user\":\"evil@evil\",\"roles\":[\"hostedOperator\"]}"),
"{\"error-code\":\"BAD_REQUEST\",\"message\":\"Malformed or illegal role name 'hostedOperator'.\"}", 400);
// POST a tenant developer is available to the tenant owner.
@@ -96,15 +96,9 @@ public class UserApiTest extends ControllerContainerCloudTest {
// POST a tenant admin is not available to a tenant developer.
tester.assertResponse(request("/user/v1/tenant/my-tenant", POST)
.roles(Set.of(Role.developer(id.tenant())))
- .data("{\"user\":\"developer@tenant\",\"roleName\":\"administrator\"}"),
+ .data("{\"user\":\"developer@tenant\",\"roles\":[\"administrator\"]}"),
accessDenied, 403);
- // POST a headless for a non-existent application fails.
- tester.assertResponse(request("/user/v1/tenant/my-tenant/application/my-app", POST)
- .roles(Set.of(Role.administrator(TenantName.from("my-tenant"))))
- .data("{\"user\":\"headless@app\",\"roleName\":\"headless\"}"),
- "{\"error-code\":\"BAD_REQUEST\",\"message\":\"role 'headless' of 'my-app' owned by 'my-tenant' not found\"}", 400);
-
// POST an application is allowed for a tenant developer.
tester.assertResponse(request("/application/v4/tenant/my-tenant/application/my-app", POST)
.principal("developer@tenant")
@@ -116,22 +110,11 @@ public class UserApiTest extends ControllerContainerCloudTest {
.roles(Set.of(Role.administrator(id.tenant()))),
accessDenied, 403);
- // POST a tenant role is not allowed to an application.
- tester.assertResponse(request("/user/v1/tenant/my-tenant/application/my-app", POST)
- .roles(Set.of(Role.hostedOperator()))
- .data("{\"user\":\"developer@app\",\"roleName\":\"developer\"}"),
- "{\"error-code\":\"BAD_REQUEST\",\"message\":\"Malformed or illegal role name 'developer'.\"}", 400);
-
// GET tenant role information is available to readers.
tester.assertResponse(request("/user/v1/tenant/my-tenant")
.roles(Set.of(Role.reader(id.tenant()))),
new File("tenant-roles.json"));
- // GET application role information is available to tenant administrators.
- tester.assertResponse(request("/user/v1/tenant/my-tenant/application/my-app")
- .roles(Set.of(Role.administrator(id.tenant()))),
- new File("application-roles.json"));
-
// POST a pem deploy key
tester.assertResponse(request("/application/v4/tenant/my-tenant/application/my-app/key", POST)
.roles(Set.of(Role.developer(id.tenant())))
@@ -200,7 +183,7 @@ public class UserApiTest extends ControllerContainerCloudTest {
// DELETE the last tenant owner is not allowed.
tester.assertResponse(request("/user/v1/tenant/my-tenant", DELETE)
.roles(operator)
- .data("{\"user\":\"administrator@tenant\",\"roleName\":\"administrator\"}"),
+ .data("{\"user\":\"administrator@tenant\",\"roles\":[\"administrator\"]}"),
"{\"error-code\":\"BAD_REQUEST\",\"message\":\"Can't remove the last administrator of a tenant.\"}", 400);
// DELETE the tenant is not allowed
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/user/responses/application-roles.json b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/user/responses/application-roles.json
deleted file mode 100644
index 8497358fe40..00000000000
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/user/responses/application-roles.json
+++ /dev/null
@@ -1,19 +0,0 @@
-{
- "tenant": "my-tenant",
- "application": "my-app",
- "roleNames": [ ],
- "users": [
- {
- "name": "administrator@tenant",
- "email": "administrator@tenant",
- "verified": false,
- "roles": { }
- },
- {
- "name": "developer@tenant",
- "email": "developer@tenant",
- "verified": false,
- "roles": { }
- }
- ]
-}
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/security/CloudUserSessionManagerTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/security/CloudUserSessionManagerTest.java
new file mode 100644
index 00000000000..710e75fb235
--- /dev/null
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/security/CloudUserSessionManagerTest.java
@@ -0,0 +1,64 @@
+// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.hosted.controller.security;
+
+import com.yahoo.config.provision.SystemName;
+import com.yahoo.config.provision.TenantName;
+import com.yahoo.vespa.flags.InMemoryFlagSource;
+import com.yahoo.vespa.flags.PermanentFlags;
+import com.yahoo.vespa.hosted.controller.ControllerTester;
+import com.yahoo.vespa.hosted.controller.LockedTenant;
+import com.yahoo.vespa.hosted.controller.api.role.Role;
+import com.yahoo.vespa.hosted.controller.api.role.SecurityContext;
+import com.yahoo.vespa.hosted.controller.api.role.SimplePrincipal;
+import com.yahoo.vespa.hosted.controller.api.role.TenantRole;
+import org.junit.jupiter.api.Test;
+
+import java.time.Instant;
+import java.util.Optional;
+import java.util.Set;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+/**
+ * @author freva
+ */
+class CloudUserSessionManagerTest {
+
+ private final ControllerTester tester = new ControllerTester(SystemName.Public);
+ private final CloudUserSessionManager userSessionManager = new CloudUserSessionManager(tester.controller());
+
+ @Test
+ void test() {
+ createTenant("tenant1", null);
+ createTenant("tenant2", 1234);
+ createTenant("tenant3", 1543);
+ createTenant("tenant4", 2313);
+
+ assertShouldExpire(false, 123);
+ assertShouldExpire(false, 123, "tenant1");
+ assertShouldExpire(true, 123, "tenant2");
+ assertShouldExpire(false, 2123, "tenant2");
+ assertShouldExpire(true, 123, "tenant1", "tenant2");
+
+ ((InMemoryFlagSource) tester.controller().flagSource()).withLongFlag(PermanentFlags.INVALIDATE_CONSOLE_SESSIONS.id(), 150);
+ assertShouldExpire(true, 123);
+ assertShouldExpire(true, 123, "tenant1");
+ }
+
+ private void assertShouldExpire(boolean expected, long issuedAtSeconds, String... tenantNames) {
+ Set<Role> roles = Stream.of(tenantNames).map(name -> TenantRole.developer(TenantName.from(name))).collect(Collectors.toSet());
+ SecurityContext context = new SecurityContext(new SimplePrincipal("dev"), roles, Instant.ofEpochSecond(issuedAtSeconds));
+ assertEquals(expected, userSessionManager.shouldExpireSessionFor(context));
+ }
+
+ private void createTenant(String tenantName, Integer invalidateAfterSeconds) {
+ tester.createTenant(tenantName);
+ Optional.ofNullable(invalidateAfterSeconds)
+ .map(Instant::ofEpochSecond)
+ .ifPresent(instant ->
+ tester.controller().tenants().lockOrThrow(TenantName.from(tenantName), LockedTenant.Cloud.class, tenant ->
+ tester.controller().tenants().store(tenant.withInvalidateUserSessionsBefore(instant))));
+ }
+}