Infer managed access through assertion existence

3 files changed, 27 insertions, 6 deletions

diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AccessControlService.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AccessControlService.java
index 1dd6eb543ef..f7876f9cddd 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AccessControlService.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AccessControlService.java
@@ -21,5 +21,6 @@ public interface AccessControlService {
     boolean requestSshAccess(TenantName tenantName);
     AthenzRoleInformation getAccessRoleInformation(TenantName tenantName);
     void setPreapprovedAccess(TenantName tenantName, boolean preapproved);
+    boolean getPreapprovedAccess(TenantName tenantName);
     Collection<AthenzUser> listMembers();
 }
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
index 11cace3b10e..3a42c0c6535 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
@@ -3,6 +3,7 @@
 package com.yahoo.vespa.hosted.controller.api.integration.athenz;
 
 import com.yahoo.config.provision.TenantName;
+import com.yahoo.vespa.athenz.api.AthenzAssertion;
 import com.yahoo.vespa.athenz.api.AthenzDomain;
 import com.yahoo.vespa.athenz.api.AthenzGroup;
 import com.yahoo.vespa.athenz.api.AthenzIdentity;
@@ -23,6 +24,7 @@ public class AthenzAccessControlService implements AccessControlService {
     private static final String ALLOWED_OPERATOR_GROUPNAME = "vespa-team";
     private static final String DATAPLANE_ACCESS_ROLENAME = "operator-data-plane";
     private final String TENANT_DOMAIN_PREFIX = "vespa.tenant";
+    private final String ACCESS_APPROVAL_POLICY = "vespa-access-requester";
     private final ZmsClient zmsClient;
     private final AthenzRole dataPlaneAccessRole;
     private final AthenzGroup vespaTeam;
@@ -129,18 +131,26 @@ public class AthenzAccessControlService implements AccessControlService {
         vespaZmsClient.ifPresentOrElse(
                 zms -> {
                     var role = sshRole(tenantName);
-
-                    var policyName = "vespa-access-requester";
-                    var action = "update_members";
-                    var approverRole = new AthenzRole(role.domain(), "vespa-access-approver");
+                    var assertion = getApprovalAssertion(role);
                     if (preapprovedAccess) {
-                        zms.addPolicyRule(role.domain(), policyName, action, role.toResourceName(), approverRole);
+                        zms.addPolicyRule(role.domain(), ACCESS_APPROVAL_POLICY, assertion.action(), assertion.resource(), assertion.role());
                     } else {
-                        zms.deletePolicyRule(role.domain(), policyName, action, role.toResourceName(), approverRole);
+                        zms.deletePolicyRule(role.domain(), ACCESS_APPROVAL_POLICY, assertion.action(), assertion.resource(), assertion.role());
                     }
                 },() -> { throw new UnsupportedOperationException("Only allowed in systems running Vespa Athenz instance"); });
     }
 
+    public boolean getPreapprovedAccess(TenantName tenantName) {
+        return vespaZmsClient.map(
+                zms -> {
+                    var role = sshRole(tenantName);
+                    var approvalAssertion = getApprovalAssertion(role);
+                    return zms.getPolicy(role.domain(), ACCESS_APPROVAL_POLICY)
+                            .map(policy -> policy.assertions().stream().anyMatch(assertion -> assertion.satisfies(approvalAssertion)))
+                            .orElse(false);
+                }).orElseThrow(() -> new UnsupportedOperationException("Only allowed in systems running Vespa Athenz instance") );
+    }
+
     private AthenzRole sshRole(TenantName tenantName) {
         return new AthenzRole(getTenantDomain(tenantName), "ssh_access");
     }
@@ -152,4 +162,9 @@ public class AthenzAccessControlService implements AccessControlService {
     public boolean isVespaTeamMember(AthenzUser user) {
         return zmsClient.getGroupMembership(vespaTeam, user);
     }
+
+    private AthenzAssertion getApprovalAssertion(AthenzRole accessRole) {
+        var approverRole = new AthenzRole(accessRole.domain(), "vespa-access-approver");
+        return AthenzAssertion.newBuilder(approverRole, accessRole.toResourceName(), "update_members").build();
+    }
 }
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/MockAccessControlService.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/MockAccessControlService.java
index c14ca2bdc80..95ebe3380d4 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/MockAccessControlService.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/MockAccessControlService.java
@@ -54,6 +54,11 @@ public class MockAccessControlService implements AccessControlService {
 
     }
 
+    @Override
+    public boolean getPreapprovedAccess(TenantName tenant) {
+        return false;
+    }
+
     public void addPendingMember(AthenzUser user) {
         pendingMembers.add(user);
     }