author | Øyvind Grønnesby <oyving@verizonmedia.com> | 2020-04-27 15:37:20 +0200 |
committer | GitHub <noreply@github.com> | 2020-04-27 15:37:20 +0200 |
commit | 6fc1a23906112ef1bed4877d01cdb4c746ff01b9 (patch) | |
tree | e0853a65d59485d094a00d2471d819ef76ddbe06 /controller-api | |
parent | e2356a51c4c64745d232c02ed142afd42efe5a93 (diff) | |
parent | dfc3ea8a384311135580fc856fde3808640ffeae (diff) |
Merge pull request #13079 from vespa-engine/ogronnesby/billing-policies
Create policies for billing API resources
Diffstat (limited to 'controller-api')
4 files changed, 99 insertions, 6 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java
index 5c11dfc2a55..ced3d201f6f 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java
@@ -58,13 +58,25 @@ enum PathGroup {
 "/application/v4/tenant/{tenant}/application/",
 "/application/v4/tenant/{tenant}/cost",
 "/application/v4/tenant/{tenant}/cost/{date}",
- "/routing/v1/status/tenant/{tenant}/{*}",
- "/billing/v1/tenant/{tenant}/{*}"),
+ "/routing/v1/status/tenant/{tenant}/{*}"),
 tenantKeys(Matcher.tenant,
 PathPrefix.api,
 "/application/v4/tenant/{tenant}/key/"),
+
+ billingToken(Matcher.tenant,
+ PathPrefix.api,
+ "/billing/v1/tenant/{tenant}/token"),
+
+ billingInstrument(Matcher.tenant,
+ PathPrefix.api,
+ "/billing/v1/tenant/{tenant}/instrument/{*}"),
+
+ billingList(Matcher.tenant,
+ PathPrefix.api,
+ "/billing/v1/tenant/{tenant}/billing/{*}"),
+
 applicationKeys(Matcher.tenant,
 Matcher.application,
 PathPrefix.api,
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java
index cfe8d247e54..0afa0668a00 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java
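Review bot: The three new billing groups carry no Javadoc, and the part a later reader most needs explained is the removal of `"/billing/v1/tenant/{tenant}/{*}"` from the catch-all `tenant` group: after this hunk a billing endpoint that is not listed under `billingToken`, `billingInstrument` or `billingList` matches no group at all, so it gets no policy. A comment above `billingToken` such as `/** Billing paths are kept out of the tenant group on purpose, so tenant-wide policies never grant payment access; a new billing endpoint needs its own group and its own Policy. */` would record that intent. The `{*}` suffix on `billingInstrument` and `billingList` is also relied on by the new tests to match `/billing/v1/tenant/t1/instrument` with nothing after the last segment, so it is worth confirming that the matcher treats `{*}` as zero-or-more segments rather than one-or-more. The `PathGroup` enum starts and ends outside this hunk.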
@@ -142,7 +142,32 @@ enum Policy {
 /** Access to /payment/notification */
 paymentProcessor(Privilege.grant(Action.create)
 .on(PathGroup.paymentProcessor)
- .in(SystemName.PublicCd));
+ .in(SystemName.PublicCd)),
+
+ /** Read your own instrument information */
+ paymentInstrumentRead(Privilege.grant(Action.read)
+ .on(PathGroup.billingInstrument)
+ .in(SystemName.PublicCd)),
+
+ /** Ability to update tenant payment instrument */
+ paymentInstrumentUpdate(Privilege.grant(Action.update)
+ .on(PathGroup.billingInstrument)
+ .in(SystemName.PublicCd)),
+
+ /** Ability to remove your own payment instrument */
+ paymentInstrumentDelete(Privilege.grant(Action.delete)
+ .on(PathGroup.billingInstrument)
+ .in(SystemName.PublicCd)),
+
+ /** Get the token to view instrument form */
+ paymentInstrumentCreate(Privilege.grant(Action.read)
+ .on(PathGroup.billingToken)
+ .in(SystemName.PublicCd)),
+
+ /** Read the generated bills */
+ billingInformationRead(Privilege.grant(Action.read)
+ .on(PathGroup.billingList)
+ .in(SystemName.PublicCd));
 private final Set<Privilege> privileges;
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java
index c05936ee593..438e79bcc4f 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java
@@ -43,7 +43,10 @@ public enum RoleDefinition {
 reader(Policy.tenantRead,
 Policy.applicationRead,
 Policy.deploymentRead,
- Policy.publicRead),
+ Policy.publicRead,
+ Policy.paymentInstrumentRead,
+ Policy.paymentInstrumentDelete,
+ Policy.billingInformationRead),
 /** User — the dev.ops. role for normal Vespa tenant users */
 developer(Policy.applicationCreate,
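Review bot: The Javadoc on `paymentInstrumentRead` and `paymentInstrumentDelete` promises "your own" instrument, but the privilege is scoped by `PathGroup.billingInstrument`, which is a tenant-level group, so at this layer the grant covers every instrument under the tenant; whether a caller may only touch instruments they created can only be decided by the handler, which is outside this diff. Either the comments should say what the policy actually grants, e.g. `/** Read any payment instrument of the tenant (ownership, if any, is checked by the handler) */`, or the handler-side check should be referenced so nobody reads the policy as the ownership control. Separately, `paymentInstrumentCreate` grants `Action.read` on `billingToken`; the name says create while the action is read, so a name such as `paymentInstrumentTokenRead`, or a Javadoc line explaining that the token is the first step of creating an instrument, would avoid the mismatch. The `Policy` enum starts and ends outside this hunk.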
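Review bot: `reader` gains `Policy.paymentInstrumentDelete`, a destructive action on payment data, in a role whose other policies (`tenantRead`, `applicationRead`, `deploymentRead`, `publicRead`) are all read-only; the same grant is added to `developer` in the next hunk. The new `payment_instrument` test pins this, so it looks deliberate, but the reason is not visible anywhere in the code. If it is intended, a short comment on the `reader` constant such as `// readers may remove, but never add or change, payment instruments` would stop the next reviewer from treating it as a privilege-escalation bug; if not, `Policy.paymentInstrumentDelete` should be dropped from `reader` and `developer` and kept on `administrator` only. The `RoleDefinition` enum starts and ends outside this hunk.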
@@ -52,12 +55,20 @@ public enum RoleDefinition {
 Policy.applicationOperations,
 Policy.developmentDeployment,
 Policy.keyManagement,
- Policy.submission),
+ Policy.submission,
+ Policy.paymentInstrumentRead,
+ Policy.paymentInstrumentDelete,
+ Policy.billingInformationRead),
 /** Admin — the administrative function for user management etc. */
 administrator(Policy.tenantUpdate,
 Policy.tenantManager,
- Policy.applicationManager),
+ Policy.applicationManager,
+ Policy.paymentInstrumentRead,
+ Policy.paymentInstrumentUpdate,
+ Policy.paymentInstrumentDelete,
+ Policy.paymentInstrumentCreate,
+ Policy.billingInformationRead),
 /** Headless — the application specific role identified by deployment keys for production */
 headless(Policy.submission),
diff --git a/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/role/RoleTest.java b/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/role/RoleTest.java
index 57b4af9d16c..2da93c5ceca 100644
--- a/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/role/RoleTest.java
+++ b/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/role/RoleTest.java
@@ -6,8 +6,10 @@ import com.yahoo.config.provision.SystemName;
 import com.yahoo.config.provision.TenantName;
 import org.junit.Test;
+import java.awt.event.AdjustmentEvent;
 import java.net.URI;
 import java.util.List;
+import java.util.stream.Stream;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertTrue;
@@ -19,6 +21,7 @@ public class RoleTest {
 private static final Enforcer mainEnforcer = new Enforcer(SystemName.main);
 private static final Enforcer publicEnforcer = new Enforcer(SystemName.Public);
+ private static final Enforcer publicCdEnforcer = new Enforcer(SystemName.PublicCd);
 @Test
 public void operator_membership() {
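Review bot: `import java.awt.event.AdjustmentEvent;` is unused by the new tests, which only need `Stream`, and it pulls the AWT `java.desktop` module into a controller-api test for no reason; it reads like an IDE auto-import accident. Delete the line `import java.awt.event.AdjustmentEvent;` and keep `import java.util.stream.Stream;`.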
@@ -143,4 +146,46 @@ public class RoleTest {
 }
 }
+ @Test
+ public void payment_instrument() {
+ URI paymentInstrumentUri = URI.create("/billing/v1/tenant/t1/instrument/foobar");
+ URI tenantPaymentInstrumentUri = URI.create("/billing/v1/tenant/t1/instrument");
+ URI tokenUri = URI.create("/billing/v1/tenant/t1/token");
+
+ Role user = Role.reader(TenantName.from("t1"));
+ assertTrue(publicCdEnforcer.allows(user, Action.read, paymentInstrumentUri));
+ assertTrue(publicCdEnforcer.allows(user, Action.delete, paymentInstrumentUri));
+ assertFalse(publicCdEnforcer.allows(user, Action.update, tenantPaymentInstrumentUri));
+ assertFalse(publicCdEnforcer.allows(user, Action.read, tokenUri));
+
+ Role developer = Role.developer(TenantName.from("t1"));
+ assertTrue(publicCdEnforcer.allows(developer, Action.read, paymentInstrumentUri));
+ assertTrue(publicCdEnforcer.allows(developer, Action.delete, paymentInstrumentUri));
+ assertFalse(publicCdEnforcer.allows(developer, Action.update, tenantPaymentInstrumentUri));
+ assertFalse(publicCdEnforcer.allows(developer, Action.read, tokenUri));
+
+ Role admin = Role.administrator(TenantName.from("t1"));
+ assertTrue(publicCdEnforcer.allows(admin, Action.read, paymentInstrumentUri));
+ assertTrue(publicCdEnforcer.allows(admin, Action.delete, paymentInstrumentUri));
+ assertTrue(publicCdEnforcer.allows(admin, Action.update, tenantPaymentInstrumentUri));
+ assertTrue(publicCdEnforcer.allows(admin, Action.read, tokenUri));
+ }
+
+ @Test
+ public void billing() {
+ URI billing = URI.create("/billing/v1/tenant/t1/billing");
+
+ Role user = Role.reader(TenantName.from("t1"));
+ Role developer = Role.developer(TenantName.from("t1"));
+ Role admin = Role.administrator(TenantName.from("t1"));
+
+ Stream.of(user, developer, admin).forEach(role -> {
+ assertTrue(publicCdEnforcer.allows(role, Action.read, billing));
+ assertFalse(publicCdEnforcer.allows(role, Action.update, billing));
+ assertFalse(publicCdEnforcer.allows(role, Action.delete, billing));
+ assertFalse(publicCdEnforcer.allows(role, Action.create, billing));
+ });
+
+ }
+ }
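Review bot: Neither new test has a cross-tenant negative case: every role is built for `t1` and every URI is under `/billing/v1/tenant/t1/`, so a regression in `Matcher.tenant` that let a `t2` role through on `t1` billing paths would pass both tests. In `payment_instrument` add `Role otherTenantAdmin = Role.administrator(TenantName.from("t2"));` followed by `assertFalse(publicCdEnforcer.allows(otherTenantAdmin, Action.read, paymentInstrumentUri));`, and since all five new policies are restricted to `SystemName.PublicCd`, also pin `assertFalse(publicEnforcer.allows(admin, Action.read, paymentInstrumentUri));` so the system restriction is tested rather than assumed. `Action.create` on `paymentInstrumentUri` is likewise never asserted for any role, which `billing()` does cover for its own URI. Both test methods are fully inside the hunk; the enclosing class ends with the last line shown.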