authorMorten Tokle <mortent@verizonmedia.com>2020-01-10 15:24:12 +0100
committerMorten Tokle <mortent@verizonmedia.com>2020-01-10 15:24:12 +0100
commitd505f288aa5d127a6c1b453eeae782671fe90234 (patch)
treecc85e137e3b29962f15d28592203c8f1d643b5a9 /controller-api
parentf77006746634b570aac00847c2ebe426c5e40808 (diff)
Check launch privilege when launching athenz service
Diffstat (limited to 'controller-api')
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzDbMock.java40
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java10
2 files changed, 43 insertions, 7 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzDbMock.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzDbMock.java
index 8e21d8cbf20..976f1f08f1a 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzDbMock.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzDbMock.java
@@ -11,6 +11,7 @@ import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
+import java.util.regex.Pattern;
/**
* @author bjorncs
@@ -41,6 +42,7 @@ public class AthenzDbMock {
public final Set<AthenzIdentity> tenantAdmins = new HashSet<>();
public final Map<ApplicationId, Application> applications = new HashMap<>();
public final Map<String, Service> services = new HashMap<>();
+ public final List<Policy> policies = new ArrayList<>();
public boolean isVespaTenant = false;
public Domain(AthenzDomain name) {
@@ -49,6 +51,7 @@ public class AthenzDbMock {
public Domain admin(AthenzIdentity identity) {
admins.add(identity);
+ policies.add(new Policy(identity.getFullName(), ".*", ".*"));
return this;
}
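Review bot: The policy added in `admin` uses `identity.getFullName()` as a regular expression, so every `.` in the identity name matches any character and the admin policy also accepts principals whose names differ from the admin's at those positions (and any regex metacharacter in a name would change the match further or fail to compile). Since `java.util.regex.Pattern` is imported by this commit, the literal name should be quoted: `policies.add(new Policy(Pattern.quote(identity.getFullName()), ".*", ".*"));`. The `withPolicy` method in the next hunk is documented as taking a regex, so this is the only call site that passes a literal name.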
@@ -62,6 +65,19 @@ public class AthenzDbMock {
return this;
}
+ public Domain withPolicy(String principalRegex, String operation, String resource) {
+ policies.add(new Policy(principalRegex, operation, resource));
+ return this;
+ }
+
+ public boolean allows(AthenzIdentity identity, String action, String resource) {
+ return policies.stream()
+ .anyMatch(policy ->
+ policy.principalMatches(identity) &&
+ policy.actionMatches(action) &&
+ policy.resourceMatches(resource));
+ }
+
/**
* Simulates establishing Vespa tenancy in Athens.
*/
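Review bot: `withPolicy` and `allows` leave the matching contract undocumented: all three strings are compiled as regular expressions and checked with `matches()` (a full match), yet only the first parameter is named as a regex, and `allows` grants access on the first policy whose three patterns all match. A Javadoc on `withPolicy` such as `/** Adds a policy; each argument is a regular expression that must fully match the principal's full name, the action and the resource respectively. */` and on `allows` such as `/** Returns true if at least one policy in this domain fully matches the identity, action and resource. */` would make this clear. The same point applies to the `Policy` class introduced in the last hunk of this file, whose constructor compiles the raw strings and will throw `PatternSyntaxException` on malformed input.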
@@ -95,4 +111,28 @@ public class AthenzDbMock {
this.allowLaunch = allowLaunch;
}
}
+
+ public static class Policy {
+ private final Pattern principal;
+ private final Pattern action;
+ private final Pattern resource;
+
+ public Policy(String principal, String action, String resource) {
+ this.principal = Pattern.compile(principal);
+ this.action = Pattern.compile(action);
+ this.resource = Pattern.compile(resource);
+ }
+
+ public boolean principalMatches(AthenzIdentity athenzIdentity) {
+ return this.principal.matcher(athenzIdentity.getFullName()).matches();
+ }
+
+ public boolean actionMatches(String operation) {
+ return this.action.matcher(operation).matches();
+ }
+
+ public boolean resourceMatches(String resource) {
+ return this.resource.matcher(resource).matches();
+ }
+ }
}
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
index 096a1af2824..0eda5146fb4 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
@@ -111,7 +111,7 @@ public class ZmsClientMock implements ZmsClient {
if (resource.getEntityName().startsWith("service.hosting.tenant.")) {
AthenzDomain tenantDomainName = getTenantDomain(resource);
AthenzDbMock.Domain tenantDomain = getDomainOrThrow(tenantDomainName, true);
- if (tenantDomain.admins.contains(identity)) {
+ if (tenantDomain.admins.contains(identity) || tenantDomain.tenantAdmins.contains(identity)) {
return true;
}
if (resource.getEntityName().contains(".res_group.")) {
@@ -125,14 +125,10 @@ public class ZmsClientMock implements ZmsClient {
return false;
}
return false;
- } else if ("launch".equals(action)){
+ } else {
AthenzDbMock.Domain domain = getDomainOrThrow(resource.getDomain(), false);
- String serviceName = resource.getEntityName().replace("service.","");
- if(!domain.services.containsKey(serviceName)) return false;
- AthenzDbMock.Service service = domain.services.get(serviceName);
- return service.allowLaunch;
+ return domain.allows(identity, action, resource.getEntityName());
}
- return false;
}
@Override
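Review bot: The new `else` branch passes `resource.getEntityName()` unchanged to `domain.allows`, whereas the removed code stripped the `service.` prefix and consulted `Service.allowLaunch`; the `Service` constructor in the other file still sets `allowLaunch`, but nothing in this hunk reads it, so tests that set it presumably no longer affect the decision, and policies must be written against the prefixed name. Actions other than `launch` also now reach policy evaluation instead of the former `return false`. A comment such as `// Any non-tenant action is decided solely by the domain's policies, matched against the full entity name (e.g. "service.<name>"); Service.allowLaunch is not consulted.` would record this behaviour change. The enclosing method starts before this hunk.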