authorMorten Tokle <mortent@verizonmedia.com>2021-09-08 15:40:59 +0200
committerMorten Tokle <mortent@verizonmedia.com>2021-09-08 15:40:59 +0200
commit05a84f20d0dca3c90772be84a84b60e46b70bd90 (patch)
treed90be38c0bf3bbe5ff714bfc16bd078275e11134
parent9cfe8bd748d1bc813e701cc94ca20da87f9de198 (diff)
Create roles and policies
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzDbMock.java13
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java20
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java20
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java5
4 files changed, 56 insertions, 2 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzDbMock.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzDbMock.java
index 02a6efb280b..c87a01a7f37 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzDbMock.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzDbMock.java
@@ -42,6 +42,7 @@ public class AthenzDbMock {
public final Set<AthenzIdentity> tenantAdmins = new HashSet<>();
public final Map<ApplicationId, Application> applications = new HashMap<>();
public final Map<String, Service> services = new HashMap<>();
+ public final List<Role> roles = new ArrayList<>();
public final List<Policy> policies = new ArrayList<>();
public boolean isVespaTenant = false;
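Review bot: `roles` is declared as a `List<Role>`, so two `createRole` calls for the same role name (see ZmsClientMock.createRole in this commit) record two entries, whereas `services` on the line above is a `Map` keyed by name and stays idempotent on repeated puts. If the mock is meant to mirror the put semantics of the real client, a `Map<String, Role>` keyed by `Role.name()` (the class added in the next hunk) would match the services model; otherwise a comment such as `// Insertion-ordered; repeated createRole calls add duplicates` would make the choice explicit. The `Role` class in the following hunk carries only a name, so whichever container is chosen, nothing else about a role is recorded.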
@@ -127,4 +128,16 @@ public class AthenzDbMock {
return this.resource.matcher(resource).matches();
}
}
+
+ public static class Role {
+ private final String name;
+
+ public Role(String name) {
+ this.name = name;
+ }
+
+ public String name() {
+ return name;
+ }
+ }
}
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
index d067b7a5054..bbb8c31919a 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
@@ -18,12 +18,14 @@ import com.yahoo.vespa.hosted.controller.api.identifiers.ApplicationId;
import java.time.Instant;
import java.util.ArrayList;
import java.util.List;
+import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
+import java.util.stream.Collectors;
/**
* @author bjorncs
@@ -145,8 +147,13 @@ public class ZmsClientMock implements ZmsClient {
}
@Override
- public void addPolicyRule(AthenzDomain athenzDomain, String athenzPolicy, String action, AthenzResourceName resourceName, AthenzRole athenzRole) {
+ public void createPolicy(AthenzDomain athenzDomain, String athenzPolicy) {
+ // Noop
+ }
+ @Override
+ public void addPolicyRule(AthenzDomain athenzDomain, String athenzPolicy, String action, AthenzResourceName resourceName, AthenzRole athenzRole) {
+ athenz.getOrCreateDomain(athenzDomain).policies.add(new AthenzDbMock.Policy(athenzRole.roleName(), action, resourceName.toResourceNameString()));
}
@Override
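Review bot: `addPolicyRule` at its new body never uses the `athenzPolicy` parameter, and `createPolicy` just above it is a no-op, so the mock records every rule in one flat per-domain list regardless of policy and cannot notice a rule being added to a policy that was never created. That is a reasonable simplification for a test double, but it should be stated rather than left as `// Noop`, e.g. `// Policies are not modelled by the mock; addPolicyRule records rules per domain and ignores the policy name`. A caller that expects a missing policy to be an error would pass against this mock and presumably behave differently against DefaultZmsClient.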
@@ -170,15 +177,24 @@ public class ZmsClientMock implements ZmsClient {
@Override
public List<AthenzService> listServices(AthenzDomain athenzDomain) {
- return List.of();
+ return athenz.getOrCreateDomain(athenzDomain).services.keySet().stream()
+ .map(serviceName -> new AthenzService(athenzDomain, serviceName))
+ .collect(Collectors.toList());
}
@Override
public void createOrUpdateService(AthenzService athenzService) {
+ athenz.getOrCreateDomain(athenzService.getDomain()).services.put(athenzService.getName(), new AthenzDbMock.Service(false));
}
@Override
public void deleteService(AthenzService athenzService) {
+ athenz.getOrCreateDomain(athenzService.getDomain()).services.remove(athenzService.getName());
+ }
+
+ @Override
+ public void createRole(AthenzRole role, Map<String, Object> properties) {
+ athenz.getOrCreateDomain(role.domain()).roles.add(new AthenzDbMock.Role(role.roleName()));
}
@Override
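Review bot: `createRole` discards its `properties` argument, so a test using this mock cannot verify which role attributes a caller sent to ZMS; either extend `AthenzDbMock.Role` to keep them or say so on the method, e.g. `// properties are not recorded by the mock`. `createOrUpdateService` always stores a fresh `new AthenzDbMock.Service(false)`, which replaces whatever state an existing entry held — presumably acceptable for current tests, but worth confirming that the "update" half is intended to reset the service rather than preserve it. `listServices` now reads from the same map, so the two stay consistent, which is good.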
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java
index 89b72c249bd..2294a7e850c 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java
@@ -1,6 +1,7 @@
// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.vespa.athenz.client.zms;
+import com.fasterxml.jackson.databind.ser.std.MapSerializer;
import com.yahoo.vespa.athenz.api.AthenzDomain;
import com.yahoo.vespa.athenz.api.AthenzGroup;
import com.yahoo.vespa.athenz.api.AthenzIdentity;
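Review bot: `import com.fasterxml.jackson.databind.ser.std.MapSerializer;` is not referenced by any code this commit adds to DefaultZmsClient and looks like an IDE auto-import; the same applies to `HttpEntity`, `StringEntity` and especially `org.bouncycastle.cert.ocsp.Req` in the next hunk of this file. Unused imports from unrelated libraries create a spurious compile-time dependency on those artifacts and mislead the next reader about what the client actually relies on; drop those four lines and keep only `java.util.Map`, which `createRole` does use.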
@@ -25,15 +26,19 @@ import com.yahoo.vespa.athenz.client.zms.bindings.TenancyRequestEntity;
import com.yahoo.vespa.athenz.identity.ServiceIdentityProvider;
import com.yahoo.vespa.athenz.utils.AthenzIdentities;
import org.apache.http.Header;
+import org.apache.http.HttpEntity;
import org.apache.http.client.methods.HttpUriRequest;
import org.apache.http.client.methods.RequestBuilder;
+import org.apache.http.entity.StringEntity;
import org.apache.http.message.BasicHeader;
+import org.bouncycastle.cert.ocsp.Req;
import javax.net.ssl.SSLContext;
import java.net.URI;
import java.time.Instant;
import java.util.Collections;
import java.util.List;
+import java.util.Map;
import java.util.Optional;
import java.util.OptionalInt;
import java.util.Set;
@@ -183,6 +188,13 @@ public class DefaultZmsClient extends ClientBase implements ZmsClient {
}
@Override
+ public void createPolicy(AthenzDomain athenzDomain, String athenzPolicy) {
+ URI uri = zmsUrl.resolve(String.format("domain/%s/policy/%s",
+ athenzDomain.getName(), athenzPolicy));
+ execute(RequestBuilder.put(uri).build(), response -> readEntity(response, Void.class));
+ }
+
+ @Override
public void addPolicyRule(AthenzDomain athenzDomain, String athenzPolicy, String action, AthenzResourceName resourceName, AthenzRole athenzRole) {
URI uri = zmsUrl.resolve(String.format("domain/%s/policy/%s/assertion",
athenzDomain.getName(), athenzPolicy));
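Review bot: `createPolicy` issues a PUT with no request entity, while `createRole` later in this commit sends its attributes as a JSON body; the ZMS put-policy endpoint takes a policy object in the body, so an empty PUT may be rejected — worth confirming against the ZMS API before other code depends on this. `athenzPolicy` is also interpolated into the path via `String.format` without any encoding, which matches the existing `addPolicyRule` below it; if policy names can be supplied by tenants, a shared helper that validates the name against the characters ZMS allows would serve both methods. `addPolicyRule`'s body continues outside this hunk.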
@@ -289,6 +301,14 @@ public class DefaultZmsClient extends ClientBase implements ZmsClient {
execute(RequestBuilder.delete(uri).build(), response -> readEntity(response, Void.class));
}
+ public void createRole(AthenzRole role, Map<String, Object> attributes) {
+ URI uri = zmsUrl.resolve(String.format("domain/%s/role/%s", role.domain().getName(), role.roleName()));
+ var request = RequestBuilder.put(uri)
+ .setEntity(toJsonStringEntity(attributes))
+ .build();
+ execute(request, response -> readEntity(response, Void.class));
+ }
+
private static Header createCookieHeaderWithOktaTokens(OktaIdentityToken identityToken, OktaAccessToken accessToken) {
return new BasicHeader("Cookie", String.format("okta_at=%s; okta_it=%s", accessToken.token(), identityToken.token()));
}
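Review bot: `createRole` here is missing `@Override` even though it implements the interface method added to ZmsClient in this commit, and its parameter is named `attributes` where the interface and ZmsClientMock use `properties`; add `@Override` and rename to `properties` so the three declarations agree and the compiler catches any future signature drift. The method also says nothing about what the map is expected to contain; a one-line comment such as `// properties is serialised as-is as the ZMS role body` would make the wire contract visible at the call site.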
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java
index 2807d20f5c6..ae36fafbb27 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java
@@ -13,6 +13,7 @@ import com.yahoo.vespa.athenz.api.OktaIdentityToken;
import java.time.Instant;
import java.util.List;
+import java.util.Map;
import java.util.Optional;
import java.util.Set;
@@ -45,6 +46,8 @@ public interface ZmsClient extends AutoCloseable {
boolean hasAccess(AthenzResourceName resource, String action, AthenzIdentity identity);
+ void createPolicy(AthenzDomain athenzDomain, String athenzPolicy);
+
void addPolicyRule(AthenzDomain athenzDomain, String athenzPolicy, String action, AthenzResourceName resourceName, AthenzRole athenzRole);
boolean deletePolicyRule(AthenzDomain athenzDomain, String athenzPolicy, String action, AthenzResourceName resourceName, AthenzRole athenzRole);
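Review bot: The new interface methods `createPolicy` here and `createRole` in the next hunk have no Javadoc, and the raw `Map<String, Object> properties` on `createRole` gives callers no hint which keys ZMS accepts or whether the map may be empty. Since the two implementations in this commit diverge (DefaultZmsClient serialises the map as the PUT body, ZmsClientMock drops it), the interface is the place to pin the contract, e.g. `/** Creates the named policy in the domain. */` on `createPolicy` and a Javadoc on `createRole` describing that `properties` are sent as the ZMS role body and naming the accepted keys. A small typed request object instead of `Map<String, Object>` would be safer still, but that can be a follow-up.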
@@ -61,5 +64,7 @@ public interface ZmsClient extends AutoCloseable {
void deleteService(AthenzService athenzService);
+ void createRole(AthenzRole role, Map<String, Object> properties);
+
void close();
}