diff options
author | Ola Aunrønning <olaa@verizonmedia.com> | 2020-03-30 14:22:12 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-03-30 14:22:12 +0200 |
commit | c098a56abdf64cb98554dc91592ca1b409e92540 (patch) | |
tree | aa0ef7504a06eb5e82977892da64dd55950fba0e | |
parent | 703918f5b30a14dbba9f46823f632d2357b10dce (diff) | |
parent | 19163175ddec91a8909848ce980e1d046d9f1df2 (diff) |
Merge pull request #12758 from vespa-engine/olaa/payment-callback-role
Add role, policy and path group for payment notification callback
7 files changed, 29 insertions, 6 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java index 0b9161c0bc6..5c11dfc2a55 100644 --- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java +++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java @@ -202,7 +202,11 @@ enum PathGroup { /** Paths used for "dry-running" system-wide feature flags. */ - systemFlagsDryrun(PathPrefix.none, "/system-flags/v1/dryrun"); + systemFlagsDryrun(PathPrefix.none, "/system-flags/v1/dryrun"), + + /** Paths used for receiving payment callbacks */ + paymentProcessor(PathPrefix.none, "/payment/notification"); + final List<String> pathSpecs; final PathPrefix prefix; diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java index 55512b38f95..cfe8d247e54 100644 --- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java +++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java @@ -137,7 +137,12 @@ enum Policy { /** Access to /system-flags/v1/dryrun. */ systemFlagsDryrun(Privilege.grant(Action.update) .on(PathGroup.systemFlagsDryrun) - .in(SystemName.all())); + .in(SystemName.all())), + + /** Access to /payment/notification */ + paymentProcessor(Privilege.grant(Action.create) + .on(PathGroup.paymentProcessor) + .in(SystemName.PublicCd)); private final Set<Privilege> privileges; diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Role.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Role.java index 532088e94aa..d3c5e412215 100644 --- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Role.java +++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Role.java @@ -73,6 +73,9 @@ public abstract class Role { /** Returns the role for system flag dryrun */ public static UnboundRole systemFlagsDryrunner() { return new UnboundRole(RoleDefinition.systemFlagsDryrunner); } + /** Returns the role of the payment processor */ + public static UnboundRole paymentProcessor() { return new UnboundRole(RoleDefinition.paymentProcessor); } + /** Returns the role definition of this bound role. */ public RoleDefinition definition() { return roleDefinition; } diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java index c4ce70a8f1e..c05936ee593 100644 --- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java +++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java @@ -76,7 +76,9 @@ public enum RoleDefinition { systemFlagsDeployer(Policy.systemFlagsDeploy, Policy.systemFlagsDryrun), - systemFlagsDryrunner(Policy.systemFlagsDryrun); + systemFlagsDryrunner(Policy.systemFlagsDryrun), + + paymentProcessor(Policy.paymentProcessor); private final Set<RoleDefinition> parents; private final Set<Policy> policies; diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java index 2b4b251f536..c3a9a8484c9 100644 --- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java +++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java @@ -243,6 +243,10 @@ public class AthenzFacade implements AccessControl { return hasAccess(dryRun ? "dryrun" : "deploy", new AthenzResourceName(service.getDomain(), "system-flags").toResourceNameString(), identity); } + public boolean hasPaymentCallbackAccess(AthenzIdentity identity) { + return hasAccess("callback", new AthenzResourceName(service.getDomain().getName(), "payment-notification-resource").toResourceNameString(), identity); + } + /** * Used when creating tenancies. As there are no tenancy policies at this point, * we cannot use {@link #hasTenantAdminAccess(AthenzIdentity, AthenzDomain)} diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java index 5f51b8f4e43..4d3cfacab14 100644 --- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java +++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java @@ -117,6 +117,11 @@ public class AthenzRoleFilter extends JsonSecurityRequestFilterBase { roleMemberships.add(Role.systemFlagsDeployer()); })); + futures.add(executor.submit(() -> { + if (athenz.hasPaymentCallbackAccess(identity)) + roleMemberships.add(Role.paymentProcessor()); + })); + // Run last request in handler thread to avoid creating extra thread. if (athenz.hasSystemFlagsAccess(identity, /*dryrun*/true)) roleMemberships.add(Role.systemFlagsDryrunner()); diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilterTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilterTest.java index c49f7a90194..5e50e80b7a7 100644 --- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilterTest.java +++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilterTest.java @@ -70,13 +70,13 @@ public class AthenzRoleFilterTest { public void testTranslations() throws Exception { // Hosted operators are always members of the hostedOperator role. - assertEquals(Set.of(Role.hostedOperator(), Role.systemFlagsDeployer(), Role.systemFlagsDryrunner(), Role.hostedSupporter()), + assertEquals(Set.of(Role.hostedOperator(), Role.systemFlagsDeployer(), Role.systemFlagsDryrunner(), Role.paymentProcessor(), Role.hostedSupporter()), filter.roles(HOSTED_OPERATOR, NO_CONTEXT_PATH)); - assertEquals(Set.of(Role.hostedOperator(), Role.systemFlagsDeployer(), Role.systemFlagsDryrunner(), Role.hostedSupporter()), + assertEquals(Set.of(Role.hostedOperator(), Role.systemFlagsDeployer(), Role.systemFlagsDryrunner(), Role.paymentProcessor(), Role.hostedSupporter()), filter.roles(HOSTED_OPERATOR, TENANT_CONTEXT_PATH)); - assertEquals(Set.of(Role.hostedOperator(), Role.systemFlagsDeployer(), Role.systemFlagsDryrunner(), Role.hostedSupporter()), + assertEquals(Set.of(Role.hostedOperator(), Role.systemFlagsDeployer(), Role.systemFlagsDryrunner(), Role.paymentProcessor(), Role.hostedSupporter()), filter.roles(HOSTED_OPERATOR, APPLICATION_CONTEXT_PATH)); // Tenant admins are members of the athenzTenantAdmin role within their tenant subtree. |