authorandreer <andreer@verizonmedia.com>2021-09-20 12:56:14 +0200
committerandreer <andreer@verizonmedia.com>2021-09-20 12:56:14 +0200
commite91e96934ebaca0742c3858a63b83906d9f640bf (patch)
treef333796158b62d29d25b2e91e239be26faa60465
parent304fc2ea70fd82957565416554bfed190353d643 (diff)
pass audit ref back to athenz when approving ssh
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java3
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java2
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java15
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java2
4 files changed, 14 insertions, 8 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
index 3391965dc67..617e87c55a9 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
@@ -12,6 +12,7 @@ import java.time.Instant;
import java.util.Collection;
import java.util.List;
import java.util.Map;
+import java.util.Optional;
import java.util.stream.Collectors;
public class AthenzAccessControlService implements AccessControlService {
@@ -37,7 +38,7 @@ public class AthenzAccessControlService implements AccessControlService {
}
Map<AthenzUser, String> users = zmsClient.listPendingRoleApprovals(dataPlaneAccessRole);
if (users.containsKey(user)) {
- zmsClient.approvePendingRoleMembership(dataPlaneAccessRole, user, expiry);
+ zmsClient.approvePendingRoleMembership(dataPlaneAccessRole, user, expiry, Optional.empty());
return true;
}
return false;
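Review bot: The controller call site passes `Optional.empty()` as the new reason argument, so on this path no audit reference reaches Athenz even though the commit's stated purpose is to forward one. `users` is the `Map<AthenzUser, String>` returned by `listPendingRoleApprovals`; if that String value is the requester's justification (not visible here), forwarding it with `zmsClient.approvePendingRoleMembership(dataPlaneAccessRole, user, expiry, Optional.ofNullable(users.get(user)));` would make the approval carry the request's own reason. The enclosing method starts outside the hunk.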
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
index 77a49c6cbff..f02ba85c9bf 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
@@ -172,7 +172,7 @@ public class ZmsClientMock implements ZmsClient {
}
@Override
- public void approvePendingRoleMembership(AthenzRole athenzRole, AthenzUser athenzUser, Instant expiry) {
+ public void approvePendingRoleMembership(AthenzRole athenzRole, AthenzUser athenzUser, Instant expiry, Optional<String> reason) {
}
@Override
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java
index 54f2b2fd9e3..297852e9584 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java
@@ -259,14 +259,19 @@ public class DefaultZmsClient extends ClientBase implements ZmsClient {
}
@Override
- public void approvePendingRoleMembership(AthenzRole athenzRole, AthenzUser athenzUser, Instant expiry) {
+ public void approvePendingRoleMembership(AthenzRole athenzRole, AthenzUser athenzUser, Instant expiry, Optional<String> reason) {
URI uri = zmsUrl.resolve(String.format("domain/%s/role/%s/member/%s/decision", athenzRole.domain().getName(), athenzRole.roleName(), athenzUser.getFullName()));
MembershipEntity membership = new MembershipEntity.RoleMembershipEntity(athenzUser.getFullName(), true, athenzRole.roleName(), Long.toString(expiry.getEpochSecond()));
- HttpUriRequest request = RequestBuilder.put()
+
+ var requestBuilder = RequestBuilder.put()
.setUri(uri)
- .setEntity(toJsonStringEntity(membership))
- .build();
- execute(request, response -> readEntity(response, Void.class));
+ .setEntity(toJsonStringEntity(membership));
+
+ if (reason.filter(s -> !s.isBlank()).isPresent()) {
+ requestBuilder.addHeader("Y-Audit-Ref", reason.get());
+ }
+
+ execute(requestBuilder.build(), response -> readEntity(response, Void.class));
}
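Review bot: The `reason` string is written into the `Y-Audit-Ref` header after only a blank check, so any CR/LF or other control characters it carries would reach the header line; if the value can originate from an end user's request, it should be validated here rather than relying on the HTTP client to refuse it, e.g. `reason.filter(s -> !s.isBlank() && s.chars().noneMatch(Character::isISOControl))`. Separately, `filter(...).isPresent()` followed by an unchecked `reason.get()` reads better as `reason.filter(s -> !s.isBlank()).ifPresent(r -> requestBuilder.addHeader("Y-Audit-Ref", r));`. The class continues outside the hunk.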
@Override
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java
index 2fd1cea0e50..7dd0585bfd4 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java
@@ -54,7 +54,7 @@ public interface ZmsClient extends AutoCloseable {
Map<AthenzUser, String> listPendingRoleApprovals(AthenzRole athenzRole);
- void approvePendingRoleMembership(AthenzRole athenzRole, AthenzUser athenzUser, Instant expiry);
+ void approvePendingRoleMembership(AthenzRole athenzRole, AthenzUser athenzUser, Instant expiry, Optional<String> reason);
List<AthenzIdentity> listMembers(AthenzRole athenzRole);
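Review bot: The new `reason` parameter on the interface is undocumented, so implementers cannot tell whether it is optional metadata or a required value, nor what a blank string means. A Javadoc on `approvePendingRoleMembership` should state that a present, non-blank `reason` is sent to Athenz as an audit reference and that an empty or blank value sends none, e.g. `@param reason audit reference recorded with the approval; empty or blank means no audit reference is sent`. The interface declaration continues outside the hunk.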