authorMorten Tokle <mortent@verizonmedia.com>2021-05-10 11:55:15 +0200
committerMorten Tokle <mortent@verizonmedia.com>2021-06-01 14:37:48 +0200
commitd601a1cdb46ae3cce38feb431bcb8e44fe322cc8 (patch)
tree54b94f2bcff82853a3b2c7e2aacd61240240549e /controller-api
parent2f67aed1f678d626ed9694a94041437c37e7d688 (diff)
Api to let operators request approval
Diffstat (limited to 'controller-api')
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/ServiceRegistry.java3
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AccessControlService.java12
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java40
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/MockAccessControlService.java33
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java11
5 files changed, 99 insertions, 0 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/ServiceRegistry.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/ServiceRegistry.java
index 98591ba41e2..0b17428296c 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/ServiceRegistry.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/ServiceRegistry.java
@@ -2,6 +2,7 @@
package com.yahoo.vespa.hosted.controller.api.integration;
import com.yahoo.vespa.hosted.controller.api.integration.archive.ArchiveService;
+import com.yahoo.vespa.hosted.controller.api.integration.athenz.AccessControlService;
import com.yahoo.vespa.hosted.controller.api.integration.aws.RoleService;
import com.yahoo.vespa.hosted.controller.api.integration.aws.AwsEventFetcher;
import com.yahoo.vespa.hosted.controller.api.integration.aws.ResourceTagger;
@@ -93,4 +94,6 @@ public interface ServiceRegistry {
ArchiveService archiveService();
ChangeRequestClient changeRequestClient();
+
+ AccessControlService accessControlService();
}
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AccessControlService.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AccessControlService.java
new file mode 100644
index 00000000000..765312b40a3
--- /dev/null
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AccessControlService.java
@@ -0,0 +1,12 @@
+// Copyright Verizon Media. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+
+package com.yahoo.vespa.hosted.controller.api.integration.athenz;
+
+import com.yahoo.vespa.athenz.api.AthenzUser;
+
+import java.util.Collection;
+
+public interface AccessControlService {
+ public boolean approveDataPlaneAccess(AthenzUser user);
+ public Collection<AthenzUser> listMembers();
+}
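Review bot: Neither method of the new `AccessControlService` interface documents its contract, which matters for an API that grants access, and the `public` modifiers on interface methods are redundant. The Athenz implementation in this commit returns `false` only when no request for that user is pending, so the javadoc can state that: `/** Approves the pending data-plane access request for user; returns false if no request is pending. */` on `approveDataPlaneAccess`, and `/** Returns the users currently holding data-plane access. */` on `listMembers`. Dropping the two `public` keywords would also match the interface style used elsewhere in this package.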
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
new file mode 100644
index 00000000000..2882fb1483c
--- /dev/null
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
@@ -0,0 +1,40 @@
+// Copyright Verizon Media. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+
+package com.yahoo.vespa.hosted.controller.api.integration.athenz;
+
+import com.yahoo.vespa.athenz.api.AthenzDomain;
+import com.yahoo.vespa.athenz.api.AthenzRole;
+import com.yahoo.vespa.athenz.api.AthenzUser;
+import com.yahoo.vespa.athenz.client.zms.ZmsClient;
+
+import java.util.Collection;
+import java.util.List;
+
+public class AthenzAccessControlService implements AccessControlService {
+
+ private static final String DATAPLANE_ACCESS_ROLENAME = "operator-data-plane";
+ private final ZmsClient zmsClient;
+ private final AthenzRole dataPlaneAccessRole;
+
+
+ public AthenzAccessControlService(ZmsClient zmsClient, AthenzDomain domain) {
+ this.zmsClient = zmsClient;
+ this.dataPlaneAccessRole = new AthenzRole(domain, DATAPLANE_ACCESS_ROLENAME);
+ }
+
+ @Override
+ public boolean approveDataPlaneAccess(AthenzUser user) {
+ List<AthenzUser> users = zmsClient.listPendingRoleApprovals(dataPlaneAccessRole);
+ if (users.contains(user)) {
+ // TODO (mortent): Handle expiry
+ zmsClient.approvePendingRoleMembership(dataPlaneAccessRole, user, null);
+ return true;
+ }
+ return false;
+ }
+
+ @Override
+ public Collection<AthenzUser> listMembers() {
+ return null;
+ }
+}
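Review bot: `listMembers()` at the end of the hunk returns `null`, so any caller iterating the result of `accessControlService().listMembers()` will throw a NullPointerException, and the mock added in the same commit returns a set instead; until the ZMS lookup exists this should fail loudly, e.g. `throw new UnsupportedOperationException("listMembers is not implemented yet");`, rather than silently read as "nobody has data-plane access". The `approvePendingRoleMembership(dataPlaneAccessRole, user, null)` call passes no expiry; if ZMS treats a null expiry as open-ended (the TODO suggests this is unresolved), a single approval grants operator data-plane access indefinitely, so a bounded expiry should be passed before this is wired to an operator-facing API. Nothing in this class checks who is performing the approval — presumably the calling handler enforces that — and a class comment such as `// The caller is responsible for authorizing the approver; this only completes a pending ZMS request` would make that contract explicit.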
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/MockAccessControlService.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/MockAccessControlService.java
new file mode 100644
index 00000000000..9a6027317c5
--- /dev/null
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/MockAccessControlService.java
@@ -0,0 +1,33 @@
+// Copyright Verizon Media. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+
+package com.yahoo.vespa.hosted.controller.api.integration.athenz;
+
+import com.yahoo.vespa.athenz.api.AthenzUser;
+
+import java.util.Collection;
+import java.util.HashSet;
+import java.util.Set;
+
+public class MockAccessControlService implements AccessControlService {
+
+ private final Set<AthenzUser> pendingMembers = new HashSet<>();
+ private final Set<AthenzUser> members = new HashSet<>();
+
+ @Override
+ public boolean approveDataPlaneAccess(AthenzUser user) {
+ if (pendingMembers.remove(user)) {
+ return members.add(user);
+ } else {
+ return false;
+ }
+ }
+
+ @Override
+ public Collection<AthenzUser> listMembers() {
+ return Set.copyOf(members);
+ }
+
+ public void addPendingMember(AthenzUser user) {
+ pendingMembers.add(user);
+ }
+}
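Review bot: In `approveDataPlaneAccess` the mock returns `members.add(user)`, which is `false` when the user was pending but already a member, whereas `AthenzAccessControlService` in this commit returns `true` whenever a pending request was found; the two implementations of the interface therefore disagree on the return contract in exactly the case a test might set up. Suggest `members.add(user); return true;` in that branch so tests observe the same behaviour as the real service. A one-line class comment, `// Test double: approvals only succeed for users previously added via addPendingMember`, would also help readers of tests that use it.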
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
index 942f0f35f58..6509bd40ebf 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
@@ -5,6 +5,7 @@ import com.yahoo.vespa.athenz.api.AthenzDomain;
import com.yahoo.vespa.athenz.api.AthenzIdentity;
import com.yahoo.vespa.athenz.api.AthenzResourceName;
import com.yahoo.vespa.athenz.api.AthenzRole;
+import com.yahoo.vespa.athenz.api.AthenzUser;
import com.yahoo.vespa.athenz.api.OktaAccessToken;
import com.yahoo.vespa.athenz.api.OktaIdentityToken;
import com.yahoo.vespa.athenz.client.zms.RoleAction;
@@ -12,6 +13,7 @@ import com.yahoo.vespa.athenz.client.zms.ZmsClient;
import com.yahoo.vespa.athenz.client.zms.ZmsClientException;
import com.yahoo.vespa.hosted.controller.api.identifiers.ApplicationId;
+import java.time.Instant;
import java.util.ArrayList;
import java.util.List;
import java.util.Optional;
@@ -145,6 +147,15 @@ public class ZmsClientMock implements ZmsClient {
return false;
}
+ @Override
+ public List<AthenzUser> listPendingRoleApprovals(AthenzRole athenzRole) {
+ return List.of();
+ }
+
+ @Override
+ public void approvePendingRoleMembership(AthenzRole athenzRole, AthenzUser athenzUser, Instant expiry) {
+ }
+
@Override
public void close() {}
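Review bot: The stubbed `listPendingRoleApprovals` always returns `List.of()` and `approvePendingRoleMembership` does nothing, so a test that drives `AthenzAccessControlService` through this mock can only ever reach the "not pending" branch and can never observe an approval or the expiry it was given. Suggest backing both methods with per-role state that tests can seed and inspect, so an approval (and its expiry argument) can be asserted; this needs `Map`/`HashMap` imports in the file if they are not already present. The enclosing `ZmsClientMock` class continues outside the hunk.
```java
private final Map<AthenzRole, List<AthenzUser>> pendingApprovals = new HashMap<>();
private final Map<AthenzRole, List<AthenzUser>> approvedMemberships = new HashMap<>();

// … unchanged: existing mock methods …

@Override
public List<AthenzUser> listPendingRoleApprovals(AthenzRole athenzRole) {
    return List.copyOf(pendingApprovals.getOrDefault(athenzRole, List.of()));
}

@Override
public void approvePendingRoleMembership(AthenzRole athenzRole, AthenzUser athenzUser, Instant expiry) {
    // Mirror ZMS: only a pending request can be approved; record the approval so tests can assert it.
    if (!pendingApprovals.computeIfAbsent(athenzRole, r -> new ArrayList<>()).remove(athenzUser))
        throw new IllegalStateException("No pending membership for " + athenzUser + " in " + athenzRole);
    approvedMemberships.computeIfAbsent(athenzRole, r -> new ArrayList<>()).add(athenzUser);
}

public void addPendingRoleApproval(AthenzRole athenzRole, AthenzUser athenzUser) {
    pendingApprovals.computeIfAbsent(athenzRole, r -> new ArrayList<>()).add(athenzUser);
}

public List<AthenzUser> approvedMembers(AthenzRole athenzRole) {
    return List.copyOf(approvedMemberships.getOrDefault(athenzRole, List.of()));
}
```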