authorOla Aunrønning <olaa@verizonmedia.com>2022-03-03 11:06:14 +0100
committerOla Aunrønning <olaa@verizonmedia.com>2022-03-03 11:06:14 +0100
commitff570e8ff3f6e08f7851289efe292b4aa1acedfc (patch)
tree40538e6072e1e867261d2f61c831d701771d3a41 /controller-api
parente31e567d8e14a5e260416742168dd48c0b091bfe (diff)
Add API for toggling self-served access role
Diffstat (limited to 'controller-api')
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AccessControlService.java2
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java19
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/MockAccessControlService.java10
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java5
4 files changed, 36 insertions, 0 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AccessControlService.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AccessControlService.java
index a08319055ff..b270c27092f 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AccessControlService.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AccessControlService.java
@@ -19,5 +19,7 @@ public interface AccessControlService {
boolean approveSshAccess(TenantName tenantName, Instant expiry, OAuthCredentials oAuthCredentials);
boolean requestSshAccess(TenantName tenantName);
boolean hasPendingAccessRequests(TenantName tenantName);
+ boolean hasPreapprovedAccess(TenantName tenantName);
+ void setPreapprovedAccess(TenantName tenantName, boolean preapproved);
Collection<AthenzUser> listMembers();
}
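Review bot: The two new interface methods `hasPreapprovedAccess` and `setPreapprovedAccess` carry no Javadoc, and the name inverts the ZMS attribute the implementation in this commit appears to map it to (`preapproved` is `!selfServe`, and also clears `reviewEnabled`), so a caller cannot tell from the interface what "preapproved" grants. Add above `hasPreapprovedAccess`: `/** Returns whether members of the tenant's ssh access role are granted access without a self-serve review step; implementations may treat a tenant with no such role as preapproved. */` and above `setPreapprovedAccess`: `/** Enables (true) or disables (false) preapproved ssh access for the tenant, toggling self-serve review on its ssh access role. */`. Wording about the missing-role default is inferred from AthenzAccessControlService in this same commit and should be confirmed against the other implementations.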
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
index a3f789149cf..6b91f49af8e 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
@@ -110,6 +110,25 @@ public class AthenzAccessControlService implements AccessControlService {
return true;
}
+ public boolean hasPreapprovedAccess(TenantName tenantName) {
+ var role = sshRole(tenantName);
+
+ if (!vespaZmsClient.listRoles(role.domain()).contains(role))
+ return true; // true by default
+
+ return !vespaZmsClient.isSelfServeRole(role);
+ }
+
+ public void setPreapprovedAccess(TenantName tenantName, boolean preapprovedAccess) {
+ var role = sshRole(tenantName);
+
+ var attributes = Map.<String, Object>of(
+ "selfServe", !preapprovedAccess,
+ "reviewEnabled", !preapprovedAccess
+ );
+ vespaZmsClient.createRole(role, attributes);
+ }
+
private AthenzRole sshRole(TenantName tenantName) {
return new AthenzRole(getOrCreateTenantDomain(tenantName), "ssh_access");
}
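Review bot: `hasPreapprovedAccess` fails open — when `vespaZmsClient.listRoles(role.domain())` does not contain the `ssh_access` role it returns `true`, so a tenant whose role has never been created (or a lookup that comes back empty) reads as preapproved and, if callers gate SSH approval on this, bypasses the review path. If that default is intended, state why rather than leaving the trailing `// true by default`, e.g. `// No ssh_access role means the tenant never opted into self-serve review; treat as preapproved (confirm this is the intended default)`; if not, return `false` there. Both methods implement the interface but lack `@Override`, unlike `MockAccessControlService` in this commit — add `@Override` above each. `setPreapprovedAccess` also relies on `vespaZmsClient.createRole(role, attributes)` to change the attributes of an already existing role; if that call is create-only rather than a put/upsert, toggling an existing role will not take effect, which is worth confirming against the `ZmsClient` implementation.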
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/MockAccessControlService.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/MockAccessControlService.java
index b8106450705..505ee97bdf5 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/MockAccessControlService.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/MockAccessControlService.java
@@ -45,6 +45,16 @@ public class MockAccessControlService implements AccessControlService {
return false;
}
+ @Override
+ public boolean hasPreapprovedAccess(TenantName tenantName) {
+ return false;
+ }
+
+ @Override
+ public void setPreapprovedAccess(TenantName tenantName, boolean preapproved) {
+
+ }
+
public void addPendingMember(AthenzUser user) {
pendingMembers.add(user);
}
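Review bot: The mock's `hasPreapprovedAccess` always returns `false` and `setPreapprovedAccess` drops its argument, so a test that toggles the flag through `AccessControlService` and reads it back cannot observe the change. It also disagrees with `AthenzAccessControlService` in this commit, which reports `true` for a tenant with no role, so tests written against the mock will not exercise the real default. Backing the mock with a set of tenants that have been switched to self-serve mirrors the real mapping (`preapproved == !selfServe`) and keeps the default at `true`; if existing tests depend on the current `false` default, invert the membership check instead. A `Set`/`HashSet` import is needed if the file does not already have one.
```java
    private final Set<TenantName> selfServeTenants = new HashSet<>();

    @Override
    public boolean hasPreapprovedAccess(TenantName tenantName) {
        return !selfServeTenants.contains(tenantName);
    }

    @Override
    public void setPreapprovedAccess(TenantName tenantName, boolean preapproved) {
        if (preapproved) selfServeTenants.remove(tenantName);
        else selfServeTenants.add(tenantName);
    }
```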
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
index 38b2a36a348..62a999bb7a6 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
@@ -256,6 +256,11 @@ public class ZmsClientMock implements ZmsClient {
public void createSubdomain(AthenzDomain parent, String name) {}
@Override
+ public boolean isSelfServeRole(AthenzRole role) {
+ return false;
+ }
+
+ @Override
public void close() {}
private static AthenzDomain getTenantDomain(AthenzResourceName resource) {