authorHarald Musum <musum@verizonmedia.com>2023-02-20 22:10:14 +0100
committerGitHub <noreply@github.com>2023-02-20 22:10:14 +0100
commit1a02fe7f8b0402f0190c39404f28faaaac8c42b0 (patch)
tree3229427b057262b3f55241e97ea959562265820a
parent6e7fc3521d9a096691cca57fd1e70c71dc7fa0d7 (diff)
parenta87a2edd2263c0b4c5503a35b621ca0f68b5578a (diff)
Merge pull request #26117 from vespa-engine/mortent/zts-checkaccessv8.128.22
Use ZTS getAccess instead of ZMS
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzClientFactoryMock.java2
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZtsClientMock.java14
-rw-r--r--controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java2
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java14
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClient.java12
5 files changed, 42 insertions, 2 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzClientFactoryMock.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzClientFactoryMock.java
index 54fda58d19c..c4194315922 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzClientFactoryMock.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzClientFactoryMock.java
@@ -39,7 +39,7 @@ public class AthenzClientFactoryMock extends AbstractComponent implements Athenz
@Override
public ZtsClient createZtsClient() {
- return new ZtsClientMock(athenz);
+ return new ZtsClientMock(athenz, createZmsClient());
}
}
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZtsClientMock.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZtsClientMock.java
index d3e74965c4b..3ca0fdd0f23 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZtsClientMock.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZtsClientMock.java
@@ -5,10 +5,12 @@ import com.yahoo.security.Pkcs10Csr;
import com.yahoo.vespa.athenz.api.AthenzAccessToken;
import com.yahoo.vespa.athenz.api.AthenzDomain;
import com.yahoo.vespa.athenz.api.AthenzIdentity;
+import com.yahoo.vespa.athenz.api.AthenzResourceName;
import com.yahoo.vespa.athenz.api.AthenzRole;
import com.yahoo.vespa.athenz.api.AwsRole;
import com.yahoo.vespa.athenz.api.AwsTemporaryCredentials;
import com.yahoo.vespa.athenz.api.ZToken;
+import com.yahoo.vespa.athenz.client.zms.ZmsClient;
import com.yahoo.vespa.athenz.client.zts.Identity;
import com.yahoo.vespa.athenz.client.zts.InstanceIdentity;
import com.yahoo.vespa.athenz.client.zts.ZtsClient;
@@ -17,6 +19,7 @@ import java.security.KeyPair;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.util.List;
+import java.util.Optional;
import java.util.logging.Level;
import java.util.logging.Logger;
@@ -27,9 +30,14 @@ public class ZtsClientMock implements ZtsClient {
private static final Logger log = Logger.getLogger(ZtsClientMock.class.getName());
private final AthenzDbMock athenz;
+ private final Optional<ZmsClient> zmsClient;
public ZtsClientMock(AthenzDbMock athenz) {
+ this(athenz, null);
+ }
+ public ZtsClientMock(AthenzDbMock athenz, ZmsClient zmsClient) {
this.athenz = athenz;
+ this.zmsClient = Optional.ofNullable(zmsClient);
}
@Override
@@ -98,6 +106,12 @@ public class ZtsClientMock implements ZtsClient {
}
@Override
+ public boolean hasAccess(AthenzResourceName resource, String action, AthenzIdentity identity) {
+ return zmsClient.orElseThrow(UnsupportedOperationException::new)
+ .hasAccess(resource, action, identity);
+ }
+
+ @Override
public void close() {
}
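Review bot: The new hasAccess override throws a bare UnsupportedOperationException with no message when the mock was built through the single-argument constructor, so a test that hits the authorization path only sees a stack trace with no hint that the two-argument constructor is required. Suggest `return zmsClient.orElseThrow(() -> new UnsupportedOperationException("ZtsClientMock was created without a ZmsClient; use ZtsClientMock(athenz, zmsClient)")).hasAccess(resource, action, identity);`. The rest of the ZtsClientMock class lies outside this hunk.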
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java
index 6a493f3f5ed..65320a25984 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java
@@ -309,7 +309,7 @@ public class AthenzFacade implements AccessControl {
}
private boolean lookupAccess(AccessTuple t) {
- boolean result = zmsClient.hasAccess(AthenzResourceName.fromString(t.resource), t.action, t.identity);
+ boolean result = ztsClient.hasAccess(AthenzResourceName.fromString(t.resource), t.action, t.identity);
log("getAccess(action=%s, resource=%s, principal=%s) = %b", t.action, t.resource, t.identity, result);
return result;
}
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java
index cf46cad57b1..21c8f4ddd31 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java
@@ -13,6 +13,7 @@ import com.yahoo.vespa.athenz.api.NToken;
import com.yahoo.vespa.athenz.api.ZToken;
import com.yahoo.vespa.athenz.client.ErrorHandler;
import com.yahoo.vespa.athenz.client.common.ClientBase;
+import com.yahoo.vespa.athenz.client.zms.bindings.AccessResponseEntity;
import com.yahoo.vespa.athenz.client.zts.bindings.AccessTokenResponseEntity;
import com.yahoo.vespa.athenz.client.zts.bindings.AwsTemporaryCredentialsResponseEntity;
import com.yahoo.vespa.athenz.client.zts.bindings.IdentityRefreshRequestEntity;
@@ -221,6 +222,19 @@ public class DefaultZtsClient extends ClientBase implements ZtsClient {
});
}
+ @Override
+ public boolean hasAccess(AthenzResourceName resource, String action, AthenzIdentity identity) {
+ URI uri = ztsUrl.resolve(String.format("access/%s/%s?principal=%s",
+ action, resource.toResourceNameString(), identity.getFullName()));
+ HttpUriRequest request = RequestBuilder.get()
+ .setUri(uri)
+ .build();
+ return execute(request, response -> {
+ AccessResponseEntity result = readEntity(response, AccessResponseEntity.class);
+ return result.granted;
+ });
+ }
+
private InstanceIdentity getInstanceIdentity(HttpResponse response) throws IOException {
InstanceIdentityCredentials entity = readEntity(response, InstanceIdentityCredentials.class);
return entity.getServiceToken() != null
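Review bot: The request URI in the new hasAccess is built with String.format from the raw action, resource name and principal, with no percent-encoding of any component. If any of these values can carry a `/`, `?`, `&` or `#`, it changes the path or query that ZTS sees rather than being queried as data, which is not what an authorization lookup should allow; the values presumably come from trusted configuration here, but the method is on a public client interface. Suggest encoding each component before formatting, e.g. `URLEncoder.encode(action, StandardCharsets.UTF_8)` and likewise for `resource.toResourceNameString()` and `identity.getFullName()`, with the two java.net/java.nio.charset imports added; confirm ZTS accepts a percent-encoded `:` in the resource segment. The relative `resolve("access/...")` also assumes ztsUrl ends with a trailing slash, as the other requests in this class presumably already rely on.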
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClient.java
index c4be6d8ced7..eade6229123 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClient.java
@@ -5,6 +5,7 @@ import com.yahoo.security.Pkcs10Csr;
import com.yahoo.vespa.athenz.api.AthenzAccessToken;
import com.yahoo.vespa.athenz.api.AthenzDomain;
import com.yahoo.vespa.athenz.api.AthenzIdentity;
+import com.yahoo.vespa.athenz.api.AthenzResourceName;
import com.yahoo.vespa.athenz.api.AthenzRole;
import com.yahoo.vespa.athenz.api.AwsRole;
import com.yahoo.vespa.athenz.api.AwsTemporaryCredentials;
@@ -187,5 +188,16 @@ public interface ZtsClient extends AutoCloseable {
*/
AwsTemporaryCredentials getAwsTemporaryCredentials(AthenzDomain athenzDomain, AwsRole awsRole, Duration duration, String externalId);
+ /**
+ * Check access to resource for a given principal
+ *
+ * @param resource The resource to verify access to
+ * @param action Action to verify
+ * @param identity Principal that requests access
+ * @return <code>true</code> if access is allowed, <code>false</code> otherwise
+ */
+ boolean hasAccess(AthenzResourceName resource, String action, AthenzIdentity identity);
+
void close();
+
}
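Review bot: The Javadoc on the new hasAccess method does not say what happens when the lookup itself fails (ZTS unreachable, non-2xx response, malformed body), and AthenzFacade.lookupAccess uses the return value directly as the authorization decision, so callers need to know whether such failures surface as an exception or as `false`. Suggest adding a sentence to the description along the lines of "Failures to perform the check (transport or server errors) are reported by exception, never as a {@code false} result" if that is the contract DefaultZtsClient.execute implements, together with a matching `@throws` tag naming the client's exception type. The summary sentence would also read better as a verb phrase, e.g. `Checks whether the given principal may perform the action on the resource`.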