return audit refs when listing pending approvals (#19045)

author: Andreas Eriksen <andreer@verizonmedia.com> 2021-09-10 09:12:40 +0200
committer: GitHub <noreply@github.com> 2021-09-10 09:12:40 +0200
commit: 01513fb2bef0d0b3021ede9857604b3d8b19cf31 (patch)
tree: cff84b55f21dc620a03e3df379b4f6d8ba31d40b
parent: 0e6866b490b1af138df94b7cab3b8244710704bf (diff)
5 files changed, 19 insertions, 12 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
index 0be32165916..3391965dc67 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
@@ -11,6 +11,7 @@ import com.yahoo.vespa.athenz.client.zms.ZmsClient;
 import java.time.Instant;
 import java.util.Collection;
 import java.util.List;
+import java.util.Map;
 import java.util.stream.Collectors;
 
 public class AthenzAccessControlService implements AccessControlService {
@@ -34,8 +35,8 @@ public class AthenzAccessControlService implements AccessControlService {
         if(!isVespaTeamMember(user)) {
             throw new IllegalArgumentException(String.format("User %s requires manual approval, please contact Vespa team", user.getName()));
         }
-        List<AthenzUser> users = zmsClient.listPendingRoleApprovals(dataPlaneAccessRole);
-        if (users.contains(user)) {
+        Map<AthenzUser, String> users = zmsClient.listPendingRoleApprovals(dataPlaneAccessRole);
+        if (users.containsKey(user)) {
             zmsClient.approvePendingRoleMembership(dataPlaneAccessRole, user, expiry);
             return true;
         }
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
index 45018787f02..63a2729baf4 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
@@ -162,8 +162,8 @@ public class ZmsClientMock implements ZmsClient {
     }
 
     @Override
-    public List<AthenzUser> listPendingRoleApprovals(AthenzRole athenzRole) {
-        return List.of();
+    public Map<AthenzUser,String> listPendingRoleApprovals(AthenzRole athenzRole) {
+        return Map.of();
     }
 
     @Override
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java
index 8b9f642f9e0..d1bc7a954ec 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java
@@ -238,19 +238,19 @@ public class DefaultZmsClient extends ClientBase implements ZmsClient {
     }
 
     @Override
-    public List<AthenzUser> listPendingRoleApprovals(AthenzRole athenzRole) {
+    public Map<AthenzUser, String> listPendingRoleApprovals(AthenzRole athenzRole) {
         URI uri = zmsUrl.resolve(String.format("domain/%s/role/%s?pending=true", athenzRole.domain().getName(), athenzRole.roleName()));
         HttpUriRequest request = RequestBuilder.get()
                 .setUri(uri)
                 .build();
         RoleEntity roleEntity =  execute(request, response -> readEntity(response, RoleEntity.class));
+
         return roleEntity.roleMembers().stream()
                 .filter(RoleEntity.Member::pendingApproval)
-                .map(RoleEntity.Member::memberName)
-                .map(AthenzIdentities::from)
-                .filter(identity -> AthenzIdentities.USER_PRINCIPAL_DOMAIN.equals(identity.getDomain()))
-                .map(AthenzUser.class::cast)
-                .collect(Collectors.toList());
+                .filter(re -> AthenzIdentities.USER_PRINCIPAL_DOMAIN.equals(AthenzIdentities.from(re.memberName()).getDomain()))
+                .collect(Collectors.toUnmodifiableMap(
+                        m -> (AthenzUser) AthenzIdentities.from(m.memberName()),
+                        RoleEntity.Member::auditRef));
     }
 
     @Override
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java
index ae36fafbb27..53d7cb6e652 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java
@@ -52,7 +52,7 @@ public interface ZmsClient extends AutoCloseable {
 
     boolean deletePolicyRule(AthenzDomain athenzDomain, String athenzPolicy, String action, AthenzResourceName resourceName, AthenzRole athenzRole);
 
-    List<AthenzUser> listPendingRoleApprovals(AthenzRole athenzRole);
+    Map<AthenzUser, String> listPendingRoleApprovals(AthenzRole athenzRole);
 
     void approvePendingRoleMembership(AthenzRole athenzRole, AthenzUser athenzUser, Instant expiry);
 
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/bindings/RoleEntity.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/bindings/RoleEntity.java
index 5babe292138..537fa1fe50a 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/bindings/RoleEntity.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/bindings/RoleEntity.java
@@ -35,12 +35,14 @@ public class RoleEntity {
         private final String memberName;
         private final boolean active;
         private final boolean approved;
+        private final String auditRef;
 
         @JsonCreator
-        public Member(@JsonProperty("memberName") String memberName, @JsonProperty("active") boolean active, @JsonProperty("approved") boolean approved) {
+        public Member(@JsonProperty("memberName") String memberName, @JsonProperty("active") boolean active, @JsonProperty("approved") boolean approved, @JsonProperty("auditRef") String auditRef) {
             this.memberName = memberName;
             this.active = active;
             this.approved = approved;
+            this.auditRef = auditRef;
         }
 
         public String memberName() {
@@ -50,5 +52,9 @@ public class RoleEntity {
         public boolean pendingApproval() {
             return !approved;
         }
+
+        public String auditRef() {
+            return auditRef;
+        }
     }
 }
author	Andreas Eriksen <andreer@verizonmedia.com>	2021-09-10 09:12:40 +0200
committer	GitHub <noreply@github.com>	2021-09-10 09:12:40 +0200
commit	01513fb2bef0d0b3021ede9857604b3d8b19cf31 (patch)
tree	cff84b55f21dc620a03e3df379b4f6d8ba31d40b
parent	0e6866b490b1af138df94b7cab3b8244710704bf (diff)