author | Andreas Eriksen <andreer@verizonmedia.com> | 2021-09-10 09:12:40 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-09-10 09:12:40 +0200 |
commit | 01513fb2bef0d0b3021ede9857604b3d8b19cf31 (patch) | |
tree | cff84b55f21dc620a03e3df379b4f6d8ba31d40b | |
parent | 0e6866b490b1af138df94b7cab3b8244710704bf (diff) |
return audit refs when listing pending approvals (#19045)
5 files changed, 19 insertions, 12 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
index 0be32165916..3391965dc67 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
@@ -11,6 +11,7 @@ import com.yahoo.vespa.athenz.client.zms.ZmsClient;
 import java.time.Instant;
 import java.util.Collection;
 import java.util.List;
+import java.util.Map;
 import java.util.stream.Collectors;
 
 public class AthenzAccessControlService implements AccessControlService {
@@ -34,8 +35,8 @@ public class AthenzAccessControlService implements AccessControlService {
 if(!isVespaTeamMember(user)) {
 throw new IllegalArgumentException(String.format("User %s requires manual approval, please contact Vespa team", user.getName()));
 }
- List<AthenzUser> users = zmsClient.listPendingRoleApprovals(dataPlaneAccessRole);
- if (users.contains(user)) {
+ Map<AthenzUser, String> users = zmsClient.listPendingRoleApprovals(dataPlaneAccessRole);
+ if (users.containsKey(user)) {
 zmsClient.approvePendingRoleMembership(dataPlaneAccessRole, user, expiry);
 return true;
 }
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
index 45018787f02..63a2729baf4 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
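Review bot: The local in the second hunk is still called `users` although it now holds the pending-approval map keyed by user, and the audit reference it carries is never read here; a name that says what the map is avoids the next reader assuming it is a plain user list. I would write `Map<AthenzUser, String> pendingApprovals = zmsClient.listPendingRoleApprovals(dataPlaneAccessRole);` and `if (pendingApprovals.containsKey(user)) {`. The enclosing method starts and ends outside the hunk, so whether the audit reference should be logged or checked before approval cannot be judged from here.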
@@ -162,8 +162,8 @@ public class ZmsClientMock implements ZmsClient {
 }
 
 @Override
- public List<AthenzUser> listPendingRoleApprovals(AthenzRole athenzRole) {
- return List.of();
+ public Map<AthenzUser,String> listPendingRoleApprovals(AthenzRole athenzRole) {
+ return Map.of();
 }
 
 @Override
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java
index 8b9f642f9e0..d1bc7a954ec 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java
@@ -238,19 +238,19 @@ public class DefaultZmsClient extends ClientBase implements ZmsClient {
 }
 
 @Override
- public List<AthenzUser> listPendingRoleApprovals(AthenzRole athenzRole) {
+ public Map<AthenzUser, String> listPendingRoleApprovals(AthenzRole athenzRole) {
 URI uri = zmsUrl.resolve(String.format("domain/%s/role/%s?pending=true", athenzRole.domain().getName(), athenzRole.roleName()));
 HttpUriRequest request = RequestBuilder.get()
 .setUri(uri)
 .build();
 RoleEntity roleEntity = execute(request, response -> readEntity(response, RoleEntity.class));
+
 return roleEntity.roleMembers().stream()
 .filter(RoleEntity.Member::pendingApproval)
- .map(RoleEntity.Member::memberName)
- .map(AthenzIdentities::from)
- .filter(identity -> AthenzIdentities.USER_PRINCIPAL_DOMAIN.equals(identity.getDomain()))
- .map(AthenzUser.class::cast)
- .collect(Collectors.toList());
+ .filter(re -> AthenzIdentities.USER_PRINCIPAL_DOMAIN.equals(AthenzIdentities.from(re.memberName()).getDomain()))
+ .collect(Collectors.toUnmodifiableMap( m -> (AthenzUser) AthenzIdentities.from(m.memberName()), RoleEntity.Member::auditRef));
 }
 
 @Override
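Review bot: The override's return type is spelled `Map<AthenzUser,String>` while the interface it implements and DefaultZmsClient both write `Map<AthenzUser, String>`; keeping one spelling makes grepping for the signature reliable. I would write `public Map<AthenzUser, String> listPendingRoleApprovals(AthenzRole athenzRole) {`. Nothing else to raise for a stub that returns `Map.of()`.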
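Review bot: `Collectors.toUnmodifiableMap` in the new `.collect(...)` rejects null values and duplicate keys, so a pending member whose ZMS record carries no `auditRef` (the new `Member` constructor in this commit accepts null there) turns `listPendingRoleApprovals` into a NullPointerException, and a user listed twice into an IllegalStateException; the old `toList()` pipeline had neither failure mode, and the caller in AthenzAccessControlService only needs `containsKey`. I would default a missing audit reference to the empty string and keep the first entry on a duplicate, which also keeps the `Map<AthenzUser, String>` interface unchanged. Whether ZMS can in fact omit `auditRef` for a pending member is not visible in this diff; the guard is cheap either way.
```java
        return roleEntity.roleMembers().stream()
                .filter(RoleEntity.Member::pendingApproval)
                .filter(re -> AthenzIdentities.USER_PRINCIPAL_DOMAIN.equals(AthenzIdentities.from(re.memberName()).getDomain()))
                .collect(Collectors.toUnmodifiableMap(
                        m -> (AthenzUser) AthenzIdentities.from(m.memberName()),
                        m -> m.auditRef() == null ? "" : m.auditRef(), // toUnmodifiableMap rejects null values
                        (first, second) -> first));                     // tolerate a member listed twice
```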
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java
index ae36fafbb27..53d7cb6e652 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java
@@ -52,7 +52,7 @@ public interface ZmsClient extends AutoCloseable {
 boolean deletePolicyRule(AthenzDomain athenzDomain, String athenzPolicy, String action, AthenzResourceName resourceName, AthenzRole athenzRole);
 
- List<AthenzUser> listPendingRoleApprovals(AthenzRole athenzRole);
+ Map<AthenzUser, String> listPendingRoleApprovals(AthenzRole athenzRole);
 
 void approvePendingRoleMembership(AthenzRole athenzRole, AthenzUser athenzUser, Instant expiry);
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/bindings/RoleEntity.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/bindings/RoleEntity.java
index 5babe292138..537fa1fe50a 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/bindings/RoleEntity.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/bindings/RoleEntity.java
@@ -35,12 +35,14 @@ public class RoleEntity {
 private final String memberName;
 private final boolean active;
 private final boolean approved;
+ private final String auditRef;
 
 @JsonCreator
- public Member(@JsonProperty("memberName") String memberName, @JsonProperty("active") boolean active, @JsonProperty("approved") boolean approved) {
+ public Member(@JsonProperty("memberName") String memberName, @JsonProperty("active") boolean active, @JsonProperty("approved") boolean approved, @JsonProperty("auditRef") String auditRef) {
 this.memberName = memberName;
 this.active = active;
 this.approved = approved;
+ this.auditRef = auditRef;
 }
 
 public String memberName() {
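Review bot: The interface method's new `Map<AthenzUser, String>` return carries no documentation of what the String value is, so an implementer has to read DefaultZmsClient to learn it is the ZMS audit reference; the contract belongs on the interface. I would add a Javadoc above the declaration along the lines of: pending (not yet approved) user-principal members of the role, keyed by user, each mapped to the audit reference ZMS reports for that membership request. Whether the value can be empty or absent depends on what ZMS returns and is not visible in this diff, so the comment should say how an implementation represents "no audit reference" once that is settled.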
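Review bot: The new `auditRef` field in `Member` is bound with a plain `@JsonProperty("auditRef")` and is therefore null whenever the ZMS payload omits it, which nothing in this hunk documents and which the `Map` collector in DefaultZmsClient does not tolerate. I would mark the field with `private final String auditRef; // null when ZMS sends no auditRef for this member` so readers of `auditRef()` know to guard it. The `Member` class continues past the end of the hunk.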
@@ -50,5 +52,9 @@ public class RoleEntity {
 public boolean pendingApproval() {
 return !approved;
 }
+
+ public String auditRef() {
+ return auditRef;
+ }
 }
 }