Merge pull request #12758 from vespa-engine/olaa/payment-callback-role

Add role, policy and path group for payment notification callback

7 files changed, 29 insertions, 6 deletions

diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java
index 0b9161c0bc6..5c11dfc2a55 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java
@@ -202,7 +202,11 @@ enum PathGroup {
 
 
     /** Paths used for "dry-running" system-wide feature flags. */
-    systemFlagsDryrun(PathPrefix.none, "/system-flags/v1/dryrun");
+    systemFlagsDryrun(PathPrefix.none, "/system-flags/v1/dryrun"),
+
+    /** Paths used for receiving payment callbacks */
+    paymentProcessor(PathPrefix.none, "/payment/notification");
+
 
     final List<String> pathSpecs;
     final PathPrefix prefix;
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java
index 55512b38f95..cfe8d247e54 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java
@@ -137,7 +137,12 @@ enum Policy {
     /** Access to /system-flags/v1/dryrun. */
     systemFlagsDryrun(Privilege.grant(Action.update)
                                   .on(PathGroup.systemFlagsDryrun)
-                                  .in(SystemName.all()));
+                                  .in(SystemName.all())),
+
+    /** Access to /payment/notification */
+    paymentProcessor(Privilege.grant(Action.create)
+                                .on(PathGroup.paymentProcessor)
+                                .in(SystemName.PublicCd));
 
     private final Set<Privilege> privileges;
 
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Role.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Role.java
index 532088e94aa..d3c5e412215 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Role.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Role.java
@@ -73,6 +73,9 @@ public abstract class Role {
     /** Returns the role for system flag dryrun */
     public static UnboundRole systemFlagsDryrunner() { return new UnboundRole(RoleDefinition.systemFlagsDryrunner); }
 
+    /** Returns the role of the payment processor */
+    public static UnboundRole paymentProcessor() { return new UnboundRole(RoleDefinition.paymentProcessor); }
+
     /** Returns the role definition of this bound role. */
     public RoleDefinition definition() { return roleDefinition; }
 
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java
index c4ce70a8f1e..c05936ee593 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java
@@ -76,7 +76,9 @@ public enum RoleDefinition {
 
     systemFlagsDeployer(Policy.systemFlagsDeploy, Policy.systemFlagsDryrun),
 
-    systemFlagsDryrunner(Policy.systemFlagsDryrun);
+    systemFlagsDryrunner(Policy.systemFlagsDryrun),
+
+    paymentProcessor(Policy.paymentProcessor);
 
     private final Set<RoleDefinition> parents;
     private final Set<Policy> policies;
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java
index 2b4b251f536..c3a9a8484c9 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java
@@ -243,6 +243,10 @@ public class AthenzFacade implements AccessControl {
         return hasAccess(dryRun ? "dryrun" : "deploy", new AthenzResourceName(service.getDomain(), "system-flags").toResourceNameString(), identity);
     }
 
+    public boolean hasPaymentCallbackAccess(AthenzIdentity identity) {
+        return hasAccess("callback", new AthenzResourceName(service.getDomain().getName(), "payment-notification-resource").toResourceNameString(), identity);
+    }
+
     /**
      * Used when creating tenancies. As there are no tenancy policies at this point,
      * we cannot use {@link #hasTenantAdminAccess(AthenzIdentity, AthenzDomain)}
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
index 5f51b8f4e43..4d3cfacab14 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
@@ -117,6 +117,11 @@ public class AthenzRoleFilter extends JsonSecurityRequestFilterBase {
                 roleMemberships.add(Role.systemFlagsDeployer());
         }));
 
+        futures.add(executor.submit(() -> {
+            if (athenz.hasPaymentCallbackAccess(identity))
+                roleMemberships.add(Role.paymentProcessor());
+        }));
+
         // Run last request in handler thread to avoid creating extra thread.
         if (athenz.hasSystemFlagsAccess(identity, /*dryrun*/true))
             roleMemberships.add(Role.systemFlagsDryrunner());
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilterTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilterTest.java
index c49f7a90194..5e50e80b7a7 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilterTest.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilterTest.java
@@ -70,13 +70,13 @@ public class AthenzRoleFilterTest {
     public void testTranslations() throws Exception {
 
         // Hosted operators are always members of the hostedOperator role.
-        assertEquals(Set.of(Role.hostedOperator(), Role.systemFlagsDeployer(), Role.systemFlagsDryrunner(), Role.hostedSupporter()),
+        assertEquals(Set.of(Role.hostedOperator(), Role.systemFlagsDeployer(), Role.systemFlagsDryrunner(), Role.paymentProcessor(), Role.hostedSupporter()),
                      filter.roles(HOSTED_OPERATOR, NO_CONTEXT_PATH));
 
-        assertEquals(Set.of(Role.hostedOperator(), Role.systemFlagsDeployer(), Role.systemFlagsDryrunner(), Role.hostedSupporter()),
+        assertEquals(Set.of(Role.hostedOperator(), Role.systemFlagsDeployer(), Role.systemFlagsDryrunner(), Role.paymentProcessor(), Role.hostedSupporter()),
                      filter.roles(HOSTED_OPERATOR, TENANT_CONTEXT_PATH));
 
-        assertEquals(Set.of(Role.hostedOperator(), Role.systemFlagsDeployer(), Role.systemFlagsDryrunner(), Role.hostedSupporter()),
+        assertEquals(Set.of(Role.hostedOperator(), Role.systemFlagsDeployer(), Role.systemFlagsDryrunner(), Role.paymentProcessor(), Role.hostedSupporter()),
                      filter.roles(HOSTED_OPERATOR, APPLICATION_CONTEXT_PATH));
 
         // Tenant admins are members of the athenzTenantAdmin role within their tenant subtree.