Diffstat (limited to 'node-repository')
5 files changed, 6 insertions, 28 deletions
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilter.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilter.java
index 12de9aeef30..fcefe73a8b9 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilter.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilter.java
@@ -2,7 +2,6 @@
 package com.yahoo.vespa.hosted.provision.restapi.v2.filter;
 import com.google.inject.Inject;
-import com.yahoo.config.provision.SystemName;
 import com.yahoo.config.provision.Zone;
 import com.yahoo.jdisc.handler.ResponseHandler;
 import com.yahoo.jdisc.http.filter.DiscFilterRequest;
@@ -34,7 +33,7 @@ public class AuthorizationFilter implements SecurityRequestFilter {
 @Inject
 public AuthorizationFilter(Zone zone, NodeRepository nodeRepository) {
- this(new Authorizer(zone.system(), nodeRepository), rejectActionIn(zone.system()));
+ this(new Authorizer(zone.system(), nodeRepository), AuthorizationFilter::logAndReject);
 }
 AuthorizationFilter(BiPredicate<Principal, URI> authorizer,
@@ -63,17 +62,6 @@ public class AuthorizationFilter implements SecurityRequestFilter {
 }
 }
- private static BiConsumer<ErrorResponse, ResponseHandler> rejectActionIn(SystemName system) {
- if (system == SystemName.cd) {
- return AuthorizationFilter::logAndReject;
- }
- return AuthorizationFilter::log;
- }
-
- private static void log(ErrorResponse response, @SuppressWarnings("unused") ResponseHandler handler) {
- log.warning("Would reject request: " + response.getStatus() + " - " + response.message());
- }
-
 private static void logAndReject(ErrorResponse response, ResponseHandler handler) {
 log.warning(response.message());
 FilterUtils.write(response, handler);
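Review bot: Now that the injected constructor always wires `AuthorizationFilter::logAndReject`, a denied request is recorded only by `log.warning(response.message())` in logAndReject (visible as context in the third hunk of this file), which omits the status code that the removed log-only variant printed. I would keep that field so denials can be triaged from the log, e.g. `log.warning("Rejected request: " + response.getStatus() + " - " + response.message());`. Because `main` goes from observe-only to enforcing in one step with no switch to fall back on, it is worth confirming that the earlier "Would reject request" warnings from that system have been reviewed before this ships. logAndReject's body continues past the end of that hunk.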
@@ -81,8 +69,7 @@ public class AuthorizationFilter implements SecurityRequestFilter {
 /** Read common name (CN) from certificate */
 private static Optional<String> commonName(X509Certificate certificate) {
- return X509CertificateUtils.getCommonNames(certificate).stream()
- .findFirst();
+ return X509CertificateUtils.getCommonNames(certificate).stream().findFirst();
 }
 }
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/LocalhostFilter.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/LocalhostFilter.java
index 368b464afff..f9900f9b0ec 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/LocalhostFilter.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/LocalhostFilter.java
@@ -10,7 +10,7 @@ import com.yahoo.vespa.hosted.provision.restapi.v2.ErrorResponse;
 import java.net.InetAddress;
 /**
- * A security filter that only allows local requests.
+ * A security filter that only allows self-originating requests.
 *
 * @author mpolden
 */
diff --git a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilterTest.java b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilterTest.java
index 1d59ed52b67..c6203c76347 100644
--- a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilterTest.java
+++ b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilterTest.java
@@ -22,7 +22,7 @@ public class AuthorizationFilterTest {
 @Before
 public void before() {
- tester = filterTester(SystemName.cd);
+ tester = filterTester(SystemName.main);
 }
 @Test
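Review bot: Switching `before()` to `SystemName.main` leaves no test that runs the filter in `cd`, the system this suite covered before the commit, even though the production constructor still builds `new Authorizer(zone.system(), nodeRepository)`. If Authorizer's decisions vary by system (not visible here), a regression in `cd` would pass unnoticed. Consider keeping one rejection and one success assertion against `filterTester(SystemName.cd)`, or dropping the `system` parameter from `filterTester` if it no longer influences the outcome. The helper and the remaining tests lie outside this hunk.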
@@ -43,14 +43,6 @@ public class AuthorizationFilterTest {
 tester.assertSuccess(new Request(Method.GET, "/nodes/v2/node/foo").commonName("foo"));
 }
- // TODO: Remove once filter applies to all systems
- @Test
- public void filter_does_nothing_in_main_system() {
- FilterTester tester = filterTester(SystemName.main);
- tester.assertSuccess(new Request(Method.GET, "/").commonName("foo"));
- tester.assertSuccess(new Request(Method.GET, "/nodes/v2/node/bar").commonName("foo"));
- }
-
 private static FilterTester filterTester(SystemName system) {
 Zone zone = new Zone(system, Environment.prod, RegionName.defaultName());
 return new FilterTester(new AuthorizationFilter(zone, new MockNodeRepository(new MockCurator(),
diff --git a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/FilterTester.java b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/FilterTester.java
index 5cd01755c26..3fdff46933c 100644
--- a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/FilterTester.java
+++ b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/FilterTester.java
@@ -87,8 +87,7 @@ public class FilterTester {
 Instant now = Instant.now();
 X500Principal subject = new X500Principal("CN=" + commonName);
 return X509CertificateBuilder
- .fromKeypair(
- keyPair, subject, now, now.plus(Duration.ofDays(30)), SHA256_WITH_RSA, now.toEpochMilli())
+ .fromKeypair(keyPair, subject, now, now.plus(Duration.ofDays(30)), SHA256_WITH_RSA, now.toEpochMilli())
 .setBasicConstraints(true, true)
 .build();
 }
diff --git a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/LocalhostFilterTest.java b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/LocalhostFilterTest.java
index b4e446f6818..cb1ac2ade72 100644
--- a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/LocalhostFilterTest.java
+++ b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/LocalhostFilterTest.java
@@ -30,7 +30,7 @@ public class LocalhostFilterTest {
 tester.assertSuccess(new Request(Method.GET, "/").remoteAddr("127.127.0.1"));
 tester.assertSuccess(new Request(Method.GET, "/").remoteAddr("0:0:0:0:0:0:0:1"));
- // Allow requests originating from same host
+ // Allow requests originating from self
 tester.assertSuccess(new Request(Method.GET, "/").localAddr("1.3.3.7").remoteAddr("1.3.3.7"));
 } |