diff options
author | andreer <andreer@verizonmedia.com> | 2021-09-20 12:56:14 +0200 |
---|---|---|
committer | andreer <andreer@verizonmedia.com> | 2021-09-20 12:56:14 +0200 |
commit | e91e96934ebaca0742c3858a63b83906d9f640bf (patch) | |
tree | f333796158b62d29d25b2e91e239be26faa60465 | |
parent | 304fc2ea70fd82957565416554bfed190353d643 (diff) |
pass audit ref back to athenz when approving ssh
4 files changed, 14 insertions, 8 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java index 3391965dc67..617e87c55a9 100644 --- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java +++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java @@ -12,6 +12,7 @@ import java.time.Instant; import java.util.Collection; import java.util.List; import java.util.Map; +import java.util.Optional; import java.util.stream.Collectors; public class AthenzAccessControlService implements AccessControlService { @@ -37,7 +38,7 @@ public class AthenzAccessControlService implements AccessControlService { } Map<AthenzUser, String> users = zmsClient.listPendingRoleApprovals(dataPlaneAccessRole); if (users.containsKey(user)) { - zmsClient.approvePendingRoleMembership(dataPlaneAccessRole, user, expiry); + zmsClient.approvePendingRoleMembership(dataPlaneAccessRole, user, expiry, Optional.empty()); return true; } return false; diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java index 77a49c6cbff..f02ba85c9bf 100644 --- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java +++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java @@ -172,7 +172,7 @@ public class ZmsClientMock implements ZmsClient { } @Override - public void approvePendingRoleMembership(AthenzRole athenzRole, AthenzUser athenzUser, Instant expiry) { + public void approvePendingRoleMembership(AthenzRole athenzRole, AthenzUser athenzUser, Instant expiry, Optional<String> reason) { } @Override diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java index 54f2b2fd9e3..297852e9584 100644 --- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java +++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java @@ -259,14 +259,19 @@ public class DefaultZmsClient extends ClientBase implements ZmsClient { } @Override - public void approvePendingRoleMembership(AthenzRole athenzRole, AthenzUser athenzUser, Instant expiry) { + public void approvePendingRoleMembership(AthenzRole athenzRole, AthenzUser athenzUser, Instant expiry, Optional<String> reason) { URI uri = zmsUrl.resolve(String.format("domain/%s/role/%s/member/%s/decision", athenzRole.domain().getName(), athenzRole.roleName(), athenzUser.getFullName())); MembershipEntity membership = new MembershipEntity.RoleMembershipEntity(athenzUser.getFullName(), true, athenzRole.roleName(), Long.toString(expiry.getEpochSecond())); - HttpUriRequest request = RequestBuilder.put() + + var requestBuilder = RequestBuilder.put() .setUri(uri) - .setEntity(toJsonStringEntity(membership)) - .build(); - execute(request, response -> readEntity(response, Void.class)); + .setEntity(toJsonStringEntity(membership)); + + if (reason.filter(s -> !s.isBlank()).isPresent()) { + requestBuilder.addHeader("Y-Audit-Ref", reason.get()); + } + + execute(requestBuilder.build(), response -> readEntity(response, Void.class)); } @Override diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java index 2fd1cea0e50..7dd0585bfd4 100644 --- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java +++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java @@ -54,7 +54,7 @@ public interface ZmsClient extends AutoCloseable { Map<AthenzUser, String> listPendingRoleApprovals(AthenzRole athenzRole); - void approvePendingRoleMembership(AthenzRole athenzRole, AthenzUser athenzUser, Instant expiry); + void approvePendingRoleMembership(AthenzRole athenzRole, AthenzUser athenzUser, Instant expiry, Optional<String> reason); List<AthenzIdentity> listMembers(AthenzRole athenzRole); |