authorOla Aunrønning <olaa@verizonmedia.com>2020-10-21 13:41:52 +0200
committerOla Aunrønning <olaa@verizonmedia.com>2020-10-23 12:36:08 +0200
commit3642b85d61e219809f79689f392f3dc78d18be0d (patch)
treecbe71a0d8506ec2ec199a1314d536acf6c4c9d45 /vespa-athenz
parent8fd4f84b036b55d53324088393bdee8312fbd262 (diff)
Create maintainer tracking host repair status
Extended ZmsClient to add/delete policy rules. Extended controller's node repo client with patchNode function.
Diffstat (limited to 'vespa-athenz')
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java45
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java4
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/bindings/AssertionEntity.java50
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/bindings/PolicyEntity.java31
4 files changed, 130 insertions, 0 deletions
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java
index eaf83238145..9a31ea81715 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java
@@ -9,8 +9,10 @@ import com.yahoo.vespa.athenz.api.OktaAccessToken;
import com.yahoo.vespa.athenz.api.OktaIdentityToken;
import com.yahoo.vespa.athenz.client.common.ClientBase;
import com.yahoo.vespa.athenz.client.zms.bindings.AccessResponseEntity;
+import com.yahoo.vespa.athenz.client.zms.bindings.AssertionEntity;
import com.yahoo.vespa.athenz.client.zms.bindings.DomainListResponseEntity;
import com.yahoo.vespa.athenz.client.zms.bindings.MembershipResponseEntity;
+import com.yahoo.vespa.athenz.client.zms.bindings.PolicyEntity;
import com.yahoo.vespa.athenz.client.zms.bindings.ProviderResourceGroupRolesRequestEntity;
import com.yahoo.vespa.athenz.client.zms.bindings.TenancyRequestEntity;
import com.yahoo.vespa.athenz.identity.ServiceIdentityProvider;
@@ -23,6 +25,8 @@ import javax.net.ssl.SSLContext;
import java.net.URI;
import java.util.Collections;
import java.util.List;
+import java.util.Optional;
+import java.util.OptionalInt;
import java.util.Set;
import java.util.function.Supplier;
@@ -149,6 +153,47 @@ public class DefaultZmsClient extends ClientBase implements ZmsClient {
});
}
+ @Override
+ public void addPolicyRule(AthenzDomain athenzDomain, String athenzPolicy, String action, AthenzResourceName resourceName, AthenzRole athenzRole) {
+ URI uri = zmsUrl.resolve(String.format("domain/%s/policy/%s/assertion",
+ athenzDomain.getName(), athenzPolicy));
+ HttpUriRequest request = RequestBuilder.put()
+ .setUri(uri)
+ .setEntity(toJsonStringEntity(new AssertionEntity(athenzRole.toResourceNameString(), resourceName.toResourceNameString(), action)))
+ .build();
+ execute(request, response -> readEntity(response, Void.class));
+ }
+
+ @Override
+ public boolean deletePolicyRule(AthenzDomain athenzDomain, String athenzPolicy, String action, AthenzResourceName resourceName, AthenzRole athenzRole) {
+ URI uri = zmsUrl.resolve(String.format("domain/%s/policy/%s",
+ athenzDomain.getName(), athenzPolicy));
+ HttpUriRequest request = RequestBuilder.get()
+ .setUri(uri)
+ .build();
+ PolicyEntity policyEntity = execute(request, response -> readEntity(response, PolicyEntity.class));
+
+ OptionalInt assertionId = policyEntity.getAssertions().stream()
+ .filter(assertionEntity -> assertionEntity.getAction().equals(action) &&
+ assertionEntity.getResource().equals(resourceName.toResourceNameString()) &&
+ assertionEntity.getRole().equals(athenzRole.toResourceNameString()))
+ .mapToInt(AssertionEntity::getAssertionId).findFirst();
+
+ if (assertionId.isEmpty()) {
+ return false;
+ }
+
+ uri = zmsUrl.resolve(String.format("domain/%s/policy/%s/assertion/d",
+ athenzDomain.getName(), athenzPolicy, assertionId.getAsInt()));
+
+ request = RequestBuilder.delete()
+ .setUri(uri)
+ .build();
+
+ execute(request, response -> readEntity(response, Void.class));
+ return true;
+ }
+
private static Header createCookieHeaderWithOktaTokens(OktaIdentityToken identityToken, OktaAccessToken accessToken) {
return new BasicHeader("Cookie", String.format("okta_at=%s; okta_it=%s", accessToken.token(), identityToken.token()));
}
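Review bot: The DELETE URI built on the line `"domain/%s/policy/%s/assertion/d"` never contains the assertion id — the format string has only two `%s` placeholders followed by a literal `d`, and `String.format` silently ignores the surplus `assertionId.getAsInt()` argument, so every delete request goes to the path `.../assertion/d` and cannot remove anything. The fix is `String.format("domain/%s/policy/%s/assertion/%d", athenzDomain.getName(), athenzPolicy, assertionId.getAsInt())`. The same method also calls `policyEntity.getAssertions().stream()` without a null check, so a policy response with no `assertions` array would presumably surface as a NullPointerException rather than the documented `false`; either guard here or default the list in PolicyEntity. A unit test that asserts the request path of the DELETE would have caught the first point.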
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java
index 12762534bd4..c7f865a58bb 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java
@@ -38,5 +38,9 @@ public interface ZmsClient extends AutoCloseable {
boolean hasAccess(AthenzResourceName resource, String action, AthenzIdentity identity);
+ void addPolicyRule(AthenzDomain athenzDomain, String athenzPolicy, String action, AthenzResourceName resourceName, AthenzRole athenzRole);
+
+ boolean deletePolicyRule(AthenzDomain athenzDomain, String athenzPolicy, String action, AthenzResourceName resourceName, AthenzRole athenzRole);
+
void close();
}
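Review bot: The two new interface methods carry no Javadoc, and the `boolean` result of `deletePolicyRule` is not self-explanatory — the implementation in this commit returns false when no assertion with the given action, resource and role exists on the policy, and true after the delete request has been issued. Add `/** Removes the assertion matching action, resource and role from the named policy. Returns false if no such assertion exists. */` above `deletePolicyRule`, and a one-line Javadoc on `addPolicyRule` stating that it adds an assertion (role, resource, action) to the named policy in the domain.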
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/bindings/AssertionEntity.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/bindings/AssertionEntity.java
new file mode 100644
index 00000000000..b181bc7a8c7
--- /dev/null
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/bindings/AssertionEntity.java
@@ -0,0 +1,50 @@
+// Copyright Verizon Media. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.athenz.client.zms.bindings;
+
+import com.fasterxml.jackson.annotation.JsonIgnore;
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+/**
+ * @author olaa
+ */
+@JsonInclude(JsonInclude.Include.NON_NULL)
+public class AssertionEntity {
+
+ private final String role;
+ private final String resource;
+ private final String action;
+ private final Integer assertionId;
+
+
+ public AssertionEntity(String role, String resource, String action) {
+ this(role, resource, action, null);
+ }
+
+ public AssertionEntity(@JsonProperty("role") String role,
+ @JsonProperty("resource") String resource,
+ @JsonProperty("action") String action,
+ @JsonProperty("assertionId") Integer assertionId) {
+ this.role = role;
+ this.resource = resource;
+ this.action = action;
+ this.assertionId = assertionId;
+ }
+
+ public String getRole() {
+ return role;
+ }
+
+ public String getResource() {
+ return resource;
+ }
+
+ public String getAction() {
+ return action;
+ }
+
+ @JsonIgnore
+ public int getAssertionId() {
+ return assertionId;
+ }
+}
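Review bot: `getAssertionId()` unboxes the nullable `Integer assertionId` field into `int`, so calling it on an entity built with the three-argument constructor (which passes `null`) throws a NullPointerException that says nothing about why. Make the precondition explicit, e.g. `return Objects.requireNonNull(assertionId, "assertionId is only present on assertions read from ZMS");` with `import java.util.Objects;`, or return `Integer`/`OptionalInt` so callers decide. A class Javadoc saying this is the JSON binding for a ZMS policy assertion (`role`, `resource`, `action`, plus a server-assigned `assertionId` that is not sent on create) would also help; the `@JsonIgnore` on the getter presumably exists for that reason, and a comment stating the intent is worth adding since the annotation's interaction with the `@JsonProperty` creator parameter is easy to misread.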
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/bindings/PolicyEntity.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/bindings/PolicyEntity.java
new file mode 100644
index 00000000000..442f9d12c71
--- /dev/null
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/bindings/PolicyEntity.java
@@ -0,0 +1,31 @@
+// Copyright Verizon Media. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.athenz.client.zms.bindings;
+
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+import java.util.List;
+
+/**
+ * @author olaa
+ */
+public class PolicyEntity {
+
+ @JsonInclude(JsonInclude.Include.NON_EMPTY)
+ private final List<AssertionEntity> assertions;
+ private final String name;
+
+ public PolicyEntity(@JsonProperty("name") String name,
+ @JsonProperty("assertions") List<AssertionEntity> assertions) {
+ this.name = name;
+ this.assertions = assertions;
+ }
+
+ public String getName() {
+ return name;
+ }
+
+ public List<AssertionEntity> getAssertions() {
+ return assertions;
+ }
+}
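Review bot: `assertions` is stored and exposed as-is, so a response that omits the `assertions` array leaves the field null and `getAssertions()` returns null, which the new `deletePolicyRule` in DefaultZmsClient dereferences with `.stream()`; the `@JsonInclude(NON_EMPTY)` on the field only affects serialization and does not help on the read path. Default and snapshot the list in the constructor: `this.assertions = assertions == null ? List.of() : List.copyOf(assertions);`. That also stops callers from mutating the binding's internal list through the getter, and a one-line class Javadoc naming this as the binding for a ZMS policy (`name` plus its assertions) would round it off.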