author | Morten Tokle <mortent@verizonmedia.com> | 2021-06-21 08:20:35 +0200 |
committer | Morten Tokle <mortent@verizonmedia.com> | 2021-06-21 08:54:01 +0200 |
commit | 2f5549df2cae55109dbb5a52beeb9c414cb8bd09 (patch) | |
tree | 6fddf76fdeba52ce82b21b7cabbab43e9d445391 /vespa-athenz | |
parent | 04ae3583cb45466bd87e0b23032951740e0ed090 (diff) |
Only approve allowed operators
Diffstat (limited to 'vespa-athenz')
4 files changed, 97 insertions, 11 deletions
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/AthenzGroup.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/AthenzGroup.java
new file mode 100644
index 00000000000..2608af381a2
--- /dev/null
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/AthenzGroup.java
@@ -0,0 +1,41 @@
+// Copyright Verizon Media. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+
+package com.yahoo.vespa.athenz.api;
+
+import java.util.Objects;
+
+public class AthenzGroup {
+    private final AthenzDomain domain;
+    private final String groupName;
+
+    public AthenzGroup(AthenzDomain domain, String groupName) {
+        this.domain = domain;
+        this.groupName = groupName;
+    }
+
+    public AthenzGroup(String domain, String groupName) {
+        this.domain = new AthenzDomain(domain);
+        this.groupName = groupName;
+    }
+
+    public AthenzDomain domain() {
+        return domain;
+    }
+
+    public String groupName() {
+        return groupName;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) return true;
+        if (o == null || getClass() != o.getClass()) return false;
+        AthenzGroup that = (AthenzGroup) o;
+        return Objects.equals(domain, that.domain) && Objects.equals(groupName, that.groupName);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(domain, groupName);
+    }
+}
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java
index f73ac9c3535..5817eb0c8d2 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java
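Review bot: Both constructors of AthenzGroup store `domain` and `groupName` without a null check, so a null slips through until `group.domain().getName()` is evaluated while formatting the ZMS URI in DefaultZmsClient and surfaces as an NPE far from its cause; `this.domain = Objects.requireNonNull(domain, "domain");` and `this.groupName = Objects.requireNonNull(groupName, "groupName");` would fail fast, and Objects is already imported. The class overrides equals/hashCode but not toString, which leaves log lines and failed assertions that mention a group unreadable; a `toString()` returning the domain name and group name would fix that. A one-line class Javadoc such as `/** Identifies an Athenz group by its domain and group name. */` is also missing.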
@@ -2,6 +2,7 @@
 package com.yahoo.vespa.athenz.client.zms;
 
 import com.yahoo.vespa.athenz.api.AthenzDomain;
+import com.yahoo.vespa.athenz.api.AthenzGroup;
 import com.yahoo.vespa.athenz.api.AthenzIdentity;
 import com.yahoo.vespa.athenz.api.AthenzResourceName;
 import com.yahoo.vespa.athenz.api.AthenzRole;
@@ -112,7 +113,7 @@ public class DefaultZmsClient extends ClientBase implements ZmsClient {
     @Override
     public void addRoleMember(AthenzRole role, AthenzIdentity member) {
         URI uri = zmsUrl.resolve(String.format("domain/%s/role/%s/member/%s", role.domain().getName(), role.roleName(), member.getFullName()));
-        MembershipEntity membership = new MembershipEntity(member.getFullName(), true, role.roleName(), null);
+        MembershipEntity membership = new MembershipEntity.RoleMembershipEntity(member.getFullName(), true, role.roleName(), null);
         HttpUriRequest request = RequestBuilder.put(uri)
                 .setEntity(toJsonStringEntity(membership))
                 .build();
@@ -133,6 +134,18 @@ public class DefaultZmsClient extends ClientBase implements ZmsClient {
                 .setUri(uri)
                 .build();
         return execute(request, response -> {
+            MembershipEntity membership = readEntity(response, MembershipEntity.GroupMembershipEntity.class);
+            return membership.isMember;
+        });
+    }
+
+    @Override
+    public boolean getGroupMembership(AthenzGroup group, AthenzIdentity identity) {
+        URI uri = zmsUrl.resolve(String.format("domain/%s/group/%s/member/%s", group.domain().getName(), group.groupName(), identity.getFullName()));
+        HttpUriRequest request = RequestBuilder.get()
+                .setUri(uri)
+                .build();
+        return execute(request, response -> {
             MembershipEntity membership = readEntity(response, MembershipEntity.class);
             return membership.isMember;
         });
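Review bot: The entity types in the third hunk appear swapped: the existing role `getMembership` now deserializes the `/role/.../member/...` response as `MembershipEntity.GroupMembershipEntity.class`, while the new `getGroupMembership` reads the `/group/.../member/...` response as plain `MembershipEntity.class`. Both lambdas only consume `isMember`, so this keeps working only as long as the Jackson setup behind `readEntity` tolerates the unmatched `roleName`/`groupName` properties, and it will mislead the first reader who needs the name field from either response. The role branch should read `MembershipEntity.RoleMembershipEntity.class` and the group branch `MembershipEntity.GroupMembershipEntity.class`, matching the `RoleMembershipEntity` that `addRoleMember` already uses in the second hunk. The enclosing `getMembership` method starts outside the hunk.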
@@ -223,7 +236,7 @@ public class DefaultZmsClient extends ClientBase implements ZmsClient {
     @Override
     public void approvePendingRoleMembership(AthenzRole athenzRole, AthenzUser athenzUser, Instant expiry) {
         URI uri = zmsUrl.resolve(String.format("domain/%s/role/%s/member/%s/decision", athenzRole.domain().getName(), athenzRole.roleName(), athenzUser.getFullName()));
-        MembershipEntity membership = new MembershipEntity(athenzUser.getFullName(), true, athenzRole.roleName(), Long.toString(expiry.getEpochSecond()));
+        MembershipEntity membership = new MembershipEntity.RoleMembershipEntity(athenzUser.getFullName(), true, athenzRole.roleName(), Long.toString(expiry.getEpochSecond()));
         HttpUriRequest request = RequestBuilder.put()
                 .setUri(uri)
                 .setEntity(toJsonStringEntity(membership))
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java
index 15e8ba77850..245078e3679 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java
@@ -2,6 +2,7 @@
 package com.yahoo.vespa.athenz.client.zms;
 
 import com.yahoo.vespa.athenz.api.AthenzDomain;
+import com.yahoo.vespa.athenz.api.AthenzGroup;
 import com.yahoo.vespa.athenz.api.AthenzIdentity;
 import com.yahoo.vespa.athenz.api.AthenzResourceName;
 import com.yahoo.vespa.athenz.api.AthenzRole;
@@ -36,6 +37,8 @@ public interface ZmsClient extends AutoCloseable {
 
     boolean getMembership(AthenzRole role, AthenzIdentity identity);
 
+    boolean getGroupMembership(AthenzGroup group, AthenzIdentity identity);
+
     List<AthenzDomain> getDomainList(String prefix);
 
     boolean hasAccess(AthenzResourceName resource, String action, AthenzIdentity identity);
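Review bot: `getGroupMembership` is added to the `ZmsClient` interface as an abstract method, so every implementation must be updated; this commit only touches `DefaultZmsClient`, and if test doubles or other implementations exist outside vespa-athenz (the diffstat is limited to this module) they will stop compiling. The result feeds an authorization decision, so the method deserves a Javadoc line stating what it answers, e.g. `/** Returns whether ZMS reports the given identity as a member of the group. */`. The neighbouring `getMembership` could get the same treatment while the file is open.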
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/bindings/MembershipEntity.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/bindings/MembershipEntity.java
index d0672473776..33acf0e1c90 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/bindings/MembershipEntity.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/bindings/MembershipEntity.java
@@ -16,17 +16,14 @@ import com.fasterxml.jackson.annotation.JsonProperty;
 public class MembershipEntity {
     public final String memberName;
     public final boolean isMember;
-    public final String roleName;
     public final String expiration;
 
     @JsonCreator
     public MembershipEntity(@JsonProperty("memberName") String memberName,
                             @JsonProperty("isMember") boolean isMember,
-                            @JsonProperty("roleName") String roleName,
                             @JsonProperty("expiration") String expiration) {
         this.memberName = memberName;
         this.isMember = isMember;
-        this.roleName = roleName;
         this.expiration = expiration;
     }
 
@@ -40,13 +37,45 @@ public class MembershipEntity {
         return isMember;
     }
 
-    @JsonGetter("roleName")
-    public String roleName() {
-        return roleName;
-    }
-
     @JsonGetter("expiration")
     public String expiration() {
         return expiration;
     }
-}
+
+    public static class RoleMembershipEntity extends MembershipEntity {
+        public final String roleName;
+
+        @JsonCreator
+        public RoleMembershipEntity(@JsonProperty("memberName") String memberName,
+                                    @JsonProperty("isMember") boolean isMember,
+                                    @JsonProperty("roleName") String roleName,
+                                    @JsonProperty("expiration") String expiration) {
+            super(memberName, isMember, expiration);
+            this.roleName = roleName;
+        }
+
+        @JsonGetter("roleName")
+        public String roleName() {
+            return roleName;
+        }
+
+    }
+
+    public static class GroupMembershipEntity extends MembershipEntity {
+        public final String groupName;
+
+        @JsonCreator
+        public GroupMembershipEntity(@JsonProperty("memberName") String memberName,
+                                     @JsonProperty("isMember") boolean isMember,
+                                     @JsonProperty("groupName") String groupName,
+                                     @JsonProperty("expiration") String expiration) {
+            super(memberName, isMember, expiration);
+            this.groupName = groupName;
+        }
+
+        @JsonGetter("groupName")
+        public String roleName() {
+            return groupName;
+        }
+    }
+}
\ No newline at end of file |
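Review bot: `GroupMembershipEntity` names its accessor `roleName()` although it is annotated `@JsonGetter("groupName")` and returns `groupName`; rename it to `public String groupName() {` so the method, the field and the JSON property agree, otherwise callers reading a group response by name will reach for a method that does not exist. The file now ends without a trailing newline (`\ No newline at end of file`), which the previous version had. The empty line before the closing brace of `RoleMembershipEntity` can also go.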