author | Morten Tokle <mortent@verizonmedia.com> | 2021-09-08 15:40:59 +0200 |
committer | Morten Tokle <mortent@verizonmedia.com> | 2021-09-08 15:40:59 +0200 |
commit | 05a84f20d0dca3c90772be84a84b60e46b70bd90 (patch) | |
tree | d90be38c0bf3bbe5ff714bfc16bd078275e11134 | |
parent | 9cfe8bd748d1bc813e701cc94ca20da87f9de198 (diff) |
Create roles and policies
4 files changed, 56 insertions, 2 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzDbMock.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzDbMock.java
index 02a6efb280b..c87a01a7f37 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzDbMock.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzDbMock.java
@@ -42,6 +42,7 @@ public class AthenzDbMock {
 public final Set<AthenzIdentity> tenantAdmins = new HashSet<>();
 public final Map<ApplicationId, Application> applications = new HashMap<>();
 public final Map<String, Service> services = new HashMap<>();
+ public final List<Role> roles = new ArrayList<>();
 public final List<Policy> policies = new ArrayList<>();
 public boolean isVespaTenant = false;
@@ -127,4 +128,16 @@ public class AthenzDbMock {
 return this.resource.matcher(resource).matches();
 }
 }
+
+ public static class Role {
+ private final String name;
+
+ public Role(String name) {
+ this.name = name;
+ }
+
+ public String name() {
+ return name;
+ }
+ }
 }
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
index d067b7a5054..bbb8c31919a 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
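Review bot: `Role` in the -127 hunk exposes only `name()` and defines no `equals`/`hashCode`/`toString`, so a test that checks `roles.contains(new AthenzDbMock.Role("x"))` compares by identity and always fails, and a failed assertion prints an object identity rather than the role name. Since the class is an immutable holder of one string, adding `equals`/`hashCode` over `name` (or declaring it a record, if the module's language level allows) would make `roles` checkable the way the existing `services` map is checked by key. `roles` is also a `List`, so the same role name can be recorded twice by repeated `createRole` calls; a `Set<Role>` would avoid that once equality is defined. The enclosing `AthenzDbMock` class starts outside the hunk.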
@@ -18,12 +18,14 @@ import com.yahoo.vespa.hosted.controller.api.identifiers.ApplicationId;
 import java.time.Instant;
 import java.util.ArrayList;
 import java.util.List;
+import java.util.Map;
 import java.util.Optional;
 import java.util.Set;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
+import java.util.stream.Collectors;
 /**
 * @author bjorncs
@@ -145,8 +147,13 @@ public class ZmsClientMock implements ZmsClient {
 }
 @Override
- public void addPolicyRule(AthenzDomain athenzDomain, String athenzPolicy, String action, AthenzResourceName resourceName, AthenzRole athenzRole) {
+ public void createPolicy(AthenzDomain athenzDomain, String athenzPolicy) {
+ // Noop
+ }
+ @Override
+ public void addPolicyRule(AthenzDomain athenzDomain, String athenzPolicy, String action, AthenzResourceName resourceName, AthenzRole athenzRole) {
+ athenz.getOrCreateDomain(athenzDomain).policies.add(new AthenzDbMock.Policy(athenzRole.roleName(), action, resourceName.toResourceNameString()));
 }
 @Override
@@ -170,15 +177,24 @@ public class ZmsClientMock implements ZmsClient {
 @Override
 public List<AthenzService> listServices(AthenzDomain athenzDomain) {
- return List.of();
+ return athenz.getOrCreateDomain(athenzDomain).services.keySet().stream()
+ .map(serviceName -> new AthenzService(athenzDomain, serviceName))
+ .collect(Collectors.toList());
 }
 @Override
 public void createOrUpdateService(AthenzService athenzService) {
+ athenz.getOrCreateDomain(athenzService.getDomain()).services.put(athenzService.getName(), new AthenzDbMock.Service(false));
 }
 @Override
 public void deleteService(AthenzService athenzService) {
+ athenz.getOrCreateDomain(athenzService.getDomain()).services.remove(athenzService.getName());
+ }
+
+ @Override
+ public void createRole(AthenzRole role, Map<String, Object> properties) {
+ athenz.getOrCreateDomain(role.domain()).roles.add(new AthenzDbMock.Role(role.roleName()));
 }
 @Override
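Review bot: `createPolicy` in the -145 hunk is a `// Noop` while `addPolicyRule` directly below it now appends to `policies`, so the mock never records which policies exist and cannot reject an assertion added to a policy that was never created; a caller that forgets `createPolicy` passes every test against this mock but would presumably be rejected by a real ZMS. Recording the created policy name (for example in a `Set<String>` on the domain, next to `roles`) and having `addPolicyRule` check membership would keep the mock as strict as the real backend on call ordering. In the -170 hunk `createRole` silently discards `properties` and `createOrUpdateService` unconditionally replaces any existing entry with `new AthenzDbMock.Service(false)`, so whatever the previous `Service` held is lost on an update; a comment such as `// Role properties are not modelled by the mock` on `createRole` would at least make the gap visible to test authors. The enclosing `ZmsClientMock` class starts and ends outside these hunks.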
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java
index 89b72c249bd..2294a7e850c 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java
@@ -1,6 +1,7 @@
 // Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.vespa.athenz.client.zms;
+import com.fasterxml.jackson.databind.ser.std.MapSerializer;
 import com.yahoo.vespa.athenz.api.AthenzDomain;
 import com.yahoo.vespa.athenz.api.AthenzGroup;
 import com.yahoo.vespa.athenz.api.AthenzIdentity;
@@ -25,15 +26,19 @@ import com.yahoo.vespa.athenz.client.zms.bindings.TenancyRequestEntity;
 import com.yahoo.vespa.athenz.identity.ServiceIdentityProvider;
 import com.yahoo.vespa.athenz.utils.AthenzIdentities;
 import org.apache.http.Header;
+import org.apache.http.HttpEntity;
 import org.apache.http.client.methods.HttpUriRequest;
 import org.apache.http.client.methods.RequestBuilder;
+import org.apache.http.entity.StringEntity;
 import org.apache.http.message.BasicHeader;
+import org.bouncycastle.cert.ocsp.Req;
 import javax.net.ssl.SSLContext;
 import java.net.URI;
 import java.time.Instant;
 import java.util.Collections;
 import java.util.List;
+import java.util.Map;
 import java.util.Optional;
 import java.util.OptionalInt;
 import java.util.Set;
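Review bot: The -25 hunk adds `org.bouncycastle.cert.ocsp.Req`, `org.apache.http.HttpEntity` and `org.apache.http.entity.StringEntity`, and the -1 hunk adds `com.fasterxml.jackson.databind.ser.std.MapSerializer`, but none of these names is used by the `createPolicy`/`createRole` code this commit adds, which builds its request through `toJsonStringEntity` and `RequestBuilder`; they read as IDE auto-imports. `Req` in particular drags an OCSP class from BouncyCastle into a ZMS client for no purpose and will fail any unused-import check. Only `java.util.Map` is needed by the new code, so the other four lines should be dropped. The import block continues outside the shown hunks, so a use elsewhere in the file cannot be ruled out from here, but these lines are introduced by this commit.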
@@ -183,6 +188,13 @@ public class DefaultZmsClient extends ClientBase implements ZmsClient {
 }
 @Override
+ public void createPolicy(AthenzDomain athenzDomain, String athenzPolicy) {
+ URI uri = zmsUrl.resolve(String.format("domain/%s/policy/%s",
+ athenzDomain.getName(), athenzPolicy));
+ execute(RequestBuilder.put(uri).build(), response -> readEntity(response, Void.class));
+ }
+
+ @Override
 public void addPolicyRule(AthenzDomain athenzDomain, String athenzPolicy, String action, AthenzResourceName resourceName, AthenzRole athenzRole) {
 URI uri = zmsUrl.resolve(String.format("domain/%s/policy/%s/assertion",
 athenzDomain.getName(), athenzPolicy));
@@ -289,6 +301,14 @@ public class DefaultZmsClient extends ClientBase implements ZmsClient {
 execute(RequestBuilder.delete(uri).build(), response -> readEntity(response, Void.class));
 }
+ public void createRole(AthenzRole role, Map<String, Object> attributes) {
+ URI uri = zmsUrl.resolve(String.format("domain/%s/role/%s", role.domain().getName(), role.roleName()));
+ var request = RequestBuilder.put(uri)
+ .setEntity(toJsonStringEntity(attributes))
+ .build();
+ execute(request, response -> readEntity(response, Void.class));
+ }
+
 private static Header createCookieHeaderWithOktaTokens(OktaIdentityToken identityToken, OktaAccessToken accessToken) {
 return new BasicHeader("Cookie", String.format("okta_at=%s; okta_it=%s", accessToken.token(), identityToken.token()));
 }
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java
index 2807d20f5c6..ae36fafbb27 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java
@@ -13,6 +13,7 @@ import com.yahoo.vespa.athenz.api.OktaIdentityToken;
 import java.time.Instant;
 import java.util.List;
+import java.util.Map;
 import java.util.Optional;
 import java.util.Set;
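Review bot: `createRole` in the -289 hunk implements the `ZmsClient` method this same commit adds but carries no `@Override`, and it names the map `attributes` where the interface declares `properties`; add `@Override` and align the parameter name so the two declarations cannot drift apart unnoticed. Both new methods interpolate `athenzPolicy`, `role.roleName()` and the domain name into the path via `String.format` and hand the result to `zmsUrl.resolve`, which mirrors the existing `addPolicyRule`, but it means a name containing `/`, `?` or `#` addresses a different resource than intended; if these values can originate from tenant input, encoding each path segment at this point is the right place to do it. `createPolicy` issues a PUT with no entity, so if the ZMS put-policy endpoint requires a policy body the call will be rejected; that is worth confirming against the ZMS API before the controller depends on it. The enclosing `DefaultZmsClient` class starts and ends outside these hunks.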
@@ -45,6 +46,8 @@ public interface ZmsClient extends AutoCloseable {
 boolean hasAccess(AthenzResourceName resource, String action, AthenzIdentity identity);
+ void createPolicy(AthenzDomain athenzDomain, String athenzPolicy);
+
 void addPolicyRule(AthenzDomain athenzDomain, String athenzPolicy, String action, AthenzResourceName resourceName, AthenzRole athenzRole);
 boolean deletePolicyRule(AthenzDomain athenzDomain, String athenzPolicy, String action, AthenzResourceName resourceName, AthenzRole athenzRole);
@@ -61,5 +64,7 @@ public interface ZmsClient extends AutoCloseable {
 void deleteService(AthenzService athenzService);
+ void createRole(AthenzRole role, Map<String, Object> properties);
+
 void close();
 }
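Review bot: The two new interface methods in the -45 and -61 hunks have no Javadoc, and `createRole`'s `Map<String, Object> properties` gives implementors and callers no indication of which keys are accepted or how they reach ZMS. A typed request binding, like the `TenancyRequestEntity` this client already imports, would put the contract in the type; failing that, a Javadoc on `createRole` stating that the map is serialised as the JSON body of the ZMS put-role request and which keys are meaningful, and one on `createPolicy` such as `/** Creates an empty policy in the domain; rules are added with {@link #addPolicyRule}. */`, would state it. Adding abstract methods to a public interface also breaks any implementor outside this repository; if such implementations exist, a `default` body throwing `UnsupportedOperationException` would soften the change. The interface starts outside the first hunk.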