Merge pull request #18950 from vespa-engine/olaa/auth0-role-maintainer

Create UserManagementMaintainer
author: Ola Aunrønning <olaa@verizonmedia.com> 2021-09-02 14:55:54 +0200
committer: GitHub <noreply@github.com> 2021-09-02 14:55:54 +0200
commit: 2487f854a2d7c3a7dc5a0c008c56c98d81ef5008 (patch)
tree: f0dcae4806cf44b8a02d6d26e8c817167f3ae42d
parent: 5c0039ac6a573cb0299c63cc4e39a2a7d5a834a0 (diff)
parent: e5cc08ddc51e399c91bf39ec7f2fd8380d86cd0a (diff)
6 files changed, 125 insertions, 1 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/stubs/MockUserManagement.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/stubs/MockUserManagement.java
index dfdd273b6f5..5313139ff7d 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/stubs/MockUserManagement.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/stubs/MockUserManagement.java
@@ -6,6 +6,7 @@ import com.yahoo.vespa.hosted.controller.api.integration.user.UserId;
 import com.yahoo.vespa.hosted.controller.api.integration.user.UserManagement;
 import com.yahoo.vespa.hosted.controller.api.role.Role;
 
+import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.HashMap;
@@ -79,4 +80,9 @@ public class MockUserManagement implements UserManagement {
     public List<Role> listRoles(UserId userId) {
         return List.of();
     }
+
+    @Override
+    public List<Role> listRoles() {
+        return new ArrayList<>(memberships.keySet());
+    }
 }
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/user/UserManagement.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/user/UserManagement.java
index bfb617a75b6..722acc065d9 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/user/UserManagement.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/user/UserManagement.java
@@ -36,4 +36,7 @@ public interface UserManagement {
 
     /** Returns all roles of which the given user is part, or throws if the user does not exist */
     List<Role> listRoles(UserId user);
+
+    /** Returns all roles */
+    List<Role> listRoles();
 }
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/maintenance/ControllerMaintenance.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/maintenance/ControllerMaintenance.java
index 924116e04c0..3b7cf313b37 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/maintenance/ControllerMaintenance.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/maintenance/ControllerMaintenance.java
@@ -8,6 +8,7 @@ import com.yahoo.config.provision.SystemName;
 import com.yahoo.config.provision.zone.ZoneApi;
 import com.yahoo.jdisc.Metric;
 import com.yahoo.vespa.hosted.controller.Controller;
+import com.yahoo.vespa.hosted.controller.api.integration.user.UserManagement;
 
 import java.time.Duration;
 import java.time.temporal.TemporalUnit;
@@ -35,7 +36,7 @@ public class ControllerMaintenance extends AbstractComponent {
 
     @Inject
     @SuppressWarnings("unused") // instantiated by Dependency Injection
-    public ControllerMaintenance(Controller controller, Metric metric) {
+    public ControllerMaintenance(Controller controller, Metric metric, UserManagement userManagement) {
         Intervals intervals = new Intervals(controller.system());
         upgrader = new Upgrader(controller, intervals.defaultInterval);
         maintainers.add(upgrader);
@@ -73,6 +74,7 @@ public class ControllerMaintenance extends AbstractComponent {
         maintainers.add(new VcmrMaintainer(controller, intervals.vcmrMaintainer));
         maintainers.add(new CloudTrialExpirer(controller, intervals.defaultInterval));
         maintainers.add(new RetriggerMaintainer(controller, intervals.retriggerMaintainer));
+        maintainers.add(new UserManagementMaintainer(controller, intervals.userManagementMaintainer, userManagement));
     }
 
     public Upgrader upgrader() { return upgrader; }
@@ -129,6 +131,7 @@ public class ControllerMaintenance extends AbstractComponent {
         private final Duration changeRequestMaintainer;
         private final Duration vcmrMaintainer;
         private final Duration retriggerMaintainer;
+        private final Duration userManagementMaintainer;
 
         public Intervals(SystemName system) {
             this.system = Objects.requireNonNull(system);
@@ -162,6 +165,7 @@ public class ControllerMaintenance extends AbstractComponent {
             this.changeRequestMaintainer = duration(1, HOURS);
             this.vcmrMaintainer = duration(1, HOURS);
             this.retriggerMaintainer = duration(1, MINUTES);
+            this.userManagementMaintainer = duration(12, HOURS);
         }
 
         private Duration duration(long amount, TemporalUnit unit) {
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/maintenance/UserManagementMaintainer.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/maintenance/UserManagementMaintainer.java
new file mode 100644
index 00000000000..6b509e82dba
--- /dev/null
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/maintenance/UserManagementMaintainer.java
@@ -0,0 +1,64 @@
+// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.hosted.controller.maintenance;
+
+import com.yahoo.config.provision.SystemName;
+import com.yahoo.vespa.hosted.controller.Application;
+import com.yahoo.vespa.hosted.controller.Controller;
+import com.yahoo.vespa.hosted.controller.api.integration.user.Roles;
+import com.yahoo.vespa.hosted.controller.api.integration.user.UserManagement;
+import com.yahoo.vespa.hosted.controller.api.role.Role;
+
+import java.time.Duration;
+import java.util.List;
+import java.util.logging.Logger;
+import java.util.stream.Collectors;
+
+/**
+ * Maintains user management resources.
+ * For now, ensures there's no discrepnacy between expected tenant/application roles and Auth0 roles
+ *
+ * @author olaa
+ */
+public class UserManagementMaintainer extends ControllerMaintainer {
+
+    private final UserManagement userManagement;
+
+    private static final Logger logger = Logger.getLogger(UserManagementMaintainer.class.getName());
+
+    public UserManagementMaintainer(Controller controller, Duration interval, UserManagement userManagement) {
+        super(controller, interval, UserManagementMaintainer.class.getSimpleName(), SystemName.allOf(SystemName::isPublic));
+        this.userManagement = userManagement;
+
+    }
+
+    @Override
+    protected double maintain() {
+        findLeftoverRoles().forEach(role -> {
+            /*
+                Log discrepancy now
+                TODO: userManagement.deleteRole(role);
+             */
+            logger.warning(String.format("Found unexpected role %s - Please investigate", role.toString()));
+        });
+        return 1.0;
+    }
+
+    // protected for testing
+    protected List<Role> findLeftoverRoles() {
+        var tenantRoles = controller().tenants().asList()
+                .stream()
+                .flatMap(tenant -> Roles.tenantRoles(tenant.name()).stream())
+                .collect(Collectors.toList());
+
+        var applicationRoles = controller().applications().asList()
+                .stream()
+                .map(Application::id)
+                .flatMap(applicationId -> Roles.applicationRoles(applicationId.tenant(), applicationId.application()).stream())
+                .collect(Collectors.toList());
+
+        return userManagement.listRoles().stream()
+                .filter(role -> !tenantRoles.contains(role) && !applicationRoles.contains(role))
+                .collect(Collectors.toList());
+    }
+
+}
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/maintenance/UserManagementMaintainerTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/maintenance/UserManagementMaintainerTest.java
new file mode 100644
index 00000000000..08be2266b2e
--- /dev/null
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/maintenance/UserManagementMaintainerTest.java
@@ -0,0 +1,44 @@
+package com.yahoo.vespa.hosted.controller.maintenance;
+
+import com.yahoo.config.provision.ApplicationName;
+import com.yahoo.config.provision.TenantName;
+import com.yahoo.vespa.hosted.controller.ControllerTester;
+import com.yahoo.vespa.hosted.controller.api.integration.stubs.MockUserManagement;
+import com.yahoo.vespa.hosted.controller.api.integration.user.Roles;
+import com.yahoo.vespa.hosted.controller.api.integration.user.UserManagement;
+import org.junit.Test;
+
+import java.time.Duration;
+
+import static org.junit.Assert.*;
+
+/**
+ * @author olaa
+ */
+public class UserManagementMaintainerTest {
+
+    private final ControllerTester tester = new ControllerTester();
+    private final UserManagement userManagement = new MockUserManagement();
+    private final UserManagementMaintainer userManagementMaintainer = new UserManagementMaintainer(tester.controller(), Duration.ofMinutes(1), userManagement);
+
+    private final TenantName tenant = TenantName.from("tenant1");
+    private final ApplicationName app = ApplicationName.from("app1");
+    private final TenantName deletedTenant = TenantName.from("deleted-tenant");
+
+    @Test
+    public void finds_superfluous_roles() {
+        tester.createTenant(tenant.value());
+        tester.createApplication(tenant.value(), app.value());
+
+        Roles.tenantRoles(tenant).forEach(userManagement::createRole);
+        Roles.applicationRoles(tenant, app).forEach(userManagement::createRole);
+        Roles.tenantRoles(deletedTenant).forEach(userManagement::createRole);
+
+        var expectedRoles = Roles.tenantRoles(deletedTenant);
+        var actualRoles = userManagementMaintainer.findLeftoverRoles();
+
+        assertEquals(expectedRoles.size(), actualRoles.size());
+        assertTrue(expectedRoles.containsAll(actualRoles) && actualRoles.containsAll(expectedRoles));
+    }
+
+}
+\ No newline at end of file
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/controller/responses/maintenance.json b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/controller/responses/maintenance.json
index be51312186b..2edf1867fd3 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/controller/responses/maintenance.json
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/controller/responses/maintenance.json
@@ -100,6 +100,9 @@
       "name": "Upgrader"
     },
     {
+      "name": "UserManagementMaintainer"
+    },
+    {
       "name": "VcmrMaintainer"
     },
     {
author	Ola Aunrønning <olaa@verizonmedia.com>	2021-09-02 14:55:54 +0200
committer	GitHub <noreply@github.com>	2021-09-02 14:55:54 +0200
commit	2487f854a2d7c3a7dc5a0c008c56c98d81ef5008 (patch)
tree	f0dcae4806cf44b8a02d6d26e8c817167f3ae42d
parent	5c0039ac6a573cb0299c63cc4e39a2a7d5a834a0 (diff)
parent	e5cc08ddc51e399c91bf39ec7f2fd8380d86cd0a (diff)