authorValerij Fredriksen <freva@users.noreply.github.com>2019-11-29 14:36:01 +0100
committerGitHub <noreply@github.com>2019-11-29 14:36:01 +0100
commit24fe0df7de9bb36abf045bea4dfd01a8d46d950f (patch)
tree5333af7138ce484413a1f04bdf7d762a5f41c182
parent451c994637501aed1a135b4f56cbf5d3626906af (diff)
parentaf8f8a269d5b4572d29a310d596905b4e3c8273c (diff)
Merge pull request #11453 from vespa-engine/freva/add-all-accessible-tenants
Add all accessible tenants
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/user/User.java12
-rw-r--r--controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java22
-rw-r--r--controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilterTest.java14
3 files changed, 21 insertions, 27 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/user/User.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/user/User.java
index 35dcd54799b..ac64df7713f 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/user/User.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/user/User.java
@@ -2,19 +2,21 @@ package com.yahoo.vespa.hosted.controller.api.integration.user;
import java.util.Objects;
+/**
+ * @author smorgrav
+ */
public class User {
- private final String name;
+ public static final String ATTRIBUTE_NAME = User.class.getName();
+
private final String email;
+ private final String name;
private final String nickname;
private final String picture;
public User(String email, String name, String nickname, String picture) {
- Objects.requireNonNull(email);
- Objects.requireNonNull(name);
-
+ this.email = Objects.requireNonNull(email);
this.name = name;
- this.email = email;
this.nickname = nickname;
this.picture = picture;
}
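Review bot: The constructor at L39-L40 keeps `requireNonNull` only for `email` and silently drops it for `name`, so `name()` may now return null to callers that previously could rely on it, and nothing in the hunk documents the relaxation. If it is intended (an identity source that supplies only an e-mail, presumably), say so where the field is declared, `private final String name; // may be null: only email is required`, and state in the class Javadoc at L24-L26 — which currently carries only an author tag — that `email` is the mandatory identifying attribute. `ATTRIBUTE_NAME` at L29 looks like a request-attribute key, but where it is set or read is not visible here; a one-line comment such as `// key under which the authenticated User is stored as a request attribute` would save the next reader a search, if that is its use. The accessors of the class lie outside the hunk.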
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
index 56b2de33478..361aad93133 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
@@ -15,14 +15,14 @@ import com.yahoo.vespa.athenz.api.AthenzUser;
import com.yahoo.vespa.athenz.client.zms.ZmsClientException;
import com.yahoo.vespa.hosted.controller.Controller;
import com.yahoo.vespa.hosted.controller.TenantController;
+import com.yahoo.vespa.hosted.controller.api.integration.athenz.ApplicationAction;
import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzClientFactory;
import com.yahoo.vespa.hosted.controller.api.role.Role;
import com.yahoo.vespa.hosted.controller.api.role.SecurityContext;
-import com.yahoo.vespa.hosted.controller.api.integration.athenz.ApplicationAction;
import com.yahoo.vespa.hosted.controller.athenz.impl.AthenzFacade;
+import com.yahoo.vespa.hosted.controller.security.Credentials;
import com.yahoo.vespa.hosted.controller.tenant.AthenzTenant;
import com.yahoo.vespa.hosted.controller.tenant.Tenant;
-import com.yahoo.vespa.hosted.controller.tenant.UserTenant;
import com.yahoo.yolean.Exceptions;
import java.net.URI;
@@ -82,13 +82,13 @@ public class AthenzRoleFilter extends JsonSecurityRequestFilterBase {
AthenzIdentity identity = principal.getIdentity();
+ Set<Role> roleMemberships = new HashSet<>();
if (athenz.hasHostedOperatorAccess(identity))
- return Set.of(Role.hostedOperator());
+ roleMemberships.add(Role.hostedOperator());
- // A principal can be both tenant admin and tenantPipeline
- Set<Role> roleMemberships = new HashSet<>();
- if (tenant.isPresent() && isTenantAdmin(identity, tenant.get()))
- roleMemberships.add(Role.athenzTenantAdmin(tenant.get().name()));
+ // Add all tenants that are accessible for this request
+ athenz.accessibleTenants(tenants.asList(), new Credentials(principal))
+ .forEach(accessibleTenant -> roleMemberships.add(Role.athenzTenantAdmin(accessibleTenant.name())));
if (identity.getDomain().equals(SCREWDRIVER_DOMAIN) && application.isPresent() && tenant.isPresent())
// NOTE: Only fine-grained deploy authorization for Athenz tenants
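Review bot: The tenant-admin roles added at L76-L77 are no longer scoped to the tenant in the request path: `accessibleTenants` is evaluated over `tenants.asList()` on every request, so a request under tenant B now carries `athenzTenantAdmin(A)` for every other tenant the principal administers, and the early `return` for hosted operators at L69 is gone, so operators also fall through and collect these roles. That is only safe if every downstream policy matches the role's tenant against the path rather than merely testing membership in `athenzTenantAdmin`, and the comment at L75 should say so, e.g. `// Tenant admin roles are granted for every accessible tenant, not only the one in the request path; policies must match the role's tenant against the path`. Two behaviours of the deleted `isTenantAdmin` are also worth confirming against `accessibleTenants`: it granted `user`-type tenants to their owning identity, and it performed one ZMS lookup for the single tenant in context, whereas the new call presumably walks every tenant with the principal's credentials per request. Unlike `hasDeployerAccess` below, the new call is not guarded against `ZmsClientException`, so if `accessibleTenants` propagates it a ZMS failure would abort the whole filter instead of merely withholding the role — worth a check and a note either way. The enclosing `roles(...)` method starts and ends outside this hunk.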
@@ -114,14 +114,6 @@ public class AthenzRoleFilter extends JsonSecurityRequestFilterBase {
: Set.copyOf(roleMemberships);
}
- private boolean isTenantAdmin(AthenzIdentity identity, Tenant tenant) {
- switch (tenant.type()) {
- case athenz: return athenz.hasTenantAdminAccess(identity, ((AthenzTenant) tenant).domain());
- case user: return ((UserTenant) tenant).is(identity.getName()) || athenz.hasHostedOperatorAccess(identity);
- default: throw new IllegalArgumentException("Unexpected tenant type '" + tenant.type() + "'.");
- }
- }
-
private boolean hasDeployerAccess(AthenzIdentity identity, AthenzDomain tenantDomain, ApplicationName application) {
try {
return athenz.hasApplicationAccess(identity,
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilterTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilterTest.java
index ee9a7ff78df..0aba88ccc77 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilterTest.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilterTest.java
@@ -10,11 +10,11 @@ import com.yahoo.vespa.athenz.api.AthenzUser;
import com.yahoo.vespa.hosted.controller.ControllerTester;
import com.yahoo.vespa.hosted.controller.api.identifiers.ApplicationId;
import com.yahoo.vespa.hosted.controller.api.identifiers.ScrewdriverId;
-import com.yahoo.vespa.hosted.controller.api.role.Role;
import com.yahoo.vespa.hosted.controller.api.integration.athenz.ApplicationAction;
-import com.yahoo.vespa.hosted.controller.athenz.HostedAthenzIdentities;
import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzClientFactoryMock;
import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzDbMock;
+import com.yahoo.vespa.hosted.controller.api.role.Role;
+import com.yahoo.vespa.hosted.controller.athenz.HostedAthenzIdentities;
import org.junit.Before;
import org.junit.Test;
@@ -72,13 +72,13 @@ public class AthenzRoleFilterTest {
public void testTranslations() {
// Hosted operators are always members of the hostedOperator role.
- assertEquals(Set.of(Role.hostedOperator()),
+ assertEquals(Set.of(Role.hostedOperator(), Role.systemFlagsDeployer(), Role.systemFlagsDryrunner()),
filter.roles(HOSTED_OPERATOR, NO_CONTEXT_PATH));
- assertEquals(Set.of(Role.hostedOperator()),
+ assertEquals(Set.of(Role.hostedOperator(), Role.systemFlagsDeployer(), Role.systemFlagsDryrunner()),
filter.roles(HOSTED_OPERATOR, TENANT_CONTEXT_PATH));
- assertEquals(Set.of(Role.hostedOperator()),
+ assertEquals(Set.of(Role.hostedOperator(), Role.systemFlagsDeployer(), Role.systemFlagsDryrunner()),
filter.roles(HOSTED_OPERATOR, APPLICATION_CONTEXT_PATH));
// Tenant admins are members of the athenzTenantAdmin role within their tenant subtree.
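Review bot: The comments at L113 and L123 no longer describe what the assertions pin. L115-L121 now expect hosted operators to hold `systemFlagsDeployer` and `systemFlagsDryrunner` as well, which follows from the filter no longer returning early for operators, and the following hunk expects a tenant admin to keep `athenzTenantAdmin(TENANT)` on another tenant's path. Reword them to match, e.g. `// Hosted operators hold hostedOperator and, since they no longer short-circuit, every other role the identity qualifies for.` and `// Tenant admins are members of the athenzTenantAdmin role for every tenant they administer, regardless of the request path.` The assertions otherwise read fine as exact `Set.of` comparisons.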
@@ -91,10 +91,10 @@ public class AthenzRoleFilterTest {
assertEquals(Set.of(Role.athenzTenantAdmin(TENANT)),
filter.roles(TENANT_ADMIN, APPLICATION_CONTEXT_PATH));
- assertEquals(Set.of(Role.everyone()),
+ assertEquals(Set.of(Role.athenzTenantAdmin(TENANT)),
filter.roles(TENANT_ADMIN, TENANT2_CONTEXT_PATH));
- assertEquals(Set.of(Role.everyone()),
+ assertEquals(Set.of(Role.athenzTenantAdmin(TENANT)),
filter.roles(TENANT_ADMIN, APPLICATION2_CONTEXT_PATH));
// Build services are members of the tenantPipeline role within their application subtree.