-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java16
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java27
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java17
-rw-r--r--controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/role/RoleTest.java45
4 files changed, 99 insertions, 6 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java
index 5c11dfc2a55..ced3d201f6f 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java
@@ -58,13 +58,25 @@ enum PathGroup {
"/application/v4/tenant/{tenant}/application/",
"/application/v4/tenant/{tenant}/cost",
"/application/v4/tenant/{tenant}/cost/{date}",
- "/routing/v1/status/tenant/{tenant}/{*}",
- "/billing/v1/tenant/{tenant}/{*}"),
+ "/routing/v1/status/tenant/{tenant}/{*}"),
tenantKeys(Matcher.tenant,
PathPrefix.api,
"/application/v4/tenant/{tenant}/key/"),
+
+ billingToken(Matcher.tenant,
+ PathPrefix.api,
+ "/billing/v1/tenant/{tenant}/token"),
+
+ billingInstrument(Matcher.tenant,
+ PathPrefix.api,
+ "/billing/v1/tenant/{tenant}/instrument/{*}"),
+
+ billingList(Matcher.tenant,
+ PathPrefix.api,
+ "/billing/v1/tenant/{tenant}/billing/{*}"),
+
applicationKeys(Matcher.tenant,
Matcher.application,
PathPrefix.api,
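Review bot: Dropping the catch-all `"/billing/v1/tenant/{tenant}/{*}"` from the group above (its name and the `{tenant}` matcher start outside this hunk) leaves every billing path that is not `token`, `instrument/{*}` or `billing/{*}` — the `/billing/v1/tenant/{tenant}/` root, for one — in no group at all. If the enforcer denies unmatched paths that is the safe direction, but neither this hunk nor the new tests say so, and the three new groups carry no comment explaining why the split is needed. A one-line comment above `billingToken` would record the intent: `// Billing is split per endpoint so that token, instrument and bill access can be granted per action and per role; billing paths outside these groups are deliberately unmatched.` The `{*}` on `billingInstrument` and `billingList` presumably also matches the bare collection path (RoleTest asserts an update on `/instrument` with no id), which is worth stating in that comment since a future sub-path inherits the same actions.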
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java
index cfe8d247e54..0afa0668a00 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java
@@ -142,7 +142,32 @@ enum Policy {
/** Access to /payment/notification */
paymentProcessor(Privilege.grant(Action.create)
.on(PathGroup.paymentProcessor)
- .in(SystemName.PublicCd));
+ .in(SystemName.PublicCd)),
+
+ /** Read your own instrument information */
+ paymentInstrumentRead(Privilege.grant(Action.read)
+ .on(PathGroup.billingInstrument)
+ .in(SystemName.PublicCd)),
+
+ /** Ability to update tenant payment instrument */
+ paymentInstrumentUpdate(Privilege.grant(Action.update)
+ .on(PathGroup.billingInstrument)
+ .in(SystemName.PublicCd)),
+
+ /** Ability to remove your own payment instrument */
+ paymentInstrumentDelete(Privilege.grant(Action.delete)
+ .on(PathGroup.billingInstrument)
+ .in(SystemName.PublicCd)),
+
+ /** Get the token to view instrument form */
+ paymentInstrumentCreate(Privilege.grant(Action.read)
+ .on(PathGroup.billingToken)
+ .in(SystemName.PublicCd)),
+
+ /** Read the generated bills */
+ billingInformationRead(Privilege.grant(Action.read)
+ .on(PathGroup.billingList)
+ .in(SystemName.PublicCd));
private final Set<Privilege> privileges;
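Review bot: `paymentInstrumentCreate` grants `Action.read` on `PathGroup.billingToken`, so its name promises a write the policy never authorises; a reader of RoleDefinition will assume it allows `Action.create` on the instrument path. Either rename it to something like `paymentInstrumentTokenRead` (which also touches the administrator entry in RoleDefinition) or make the Javadoc explicit: `/** Read the one-time token used to render the instrument form; does not itself create or change an instrument */`. The other five names match their action and path, and all six are correctly fenced to `SystemName.PublicCd` like `paymentProcessor` above them.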
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java
index c05936ee593..438e79bcc4f 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java
@@ -43,7 +43,10 @@ public enum RoleDefinition {
reader(Policy.tenantRead,
Policy.applicationRead,
Policy.deploymentRead,
- Policy.publicRead),
+ Policy.publicRead,
+ Policy.paymentInstrumentRead,
+ Policy.paymentInstrumentDelete,
+ Policy.billingInformationRead),
/** User — the dev.ops. role for normal Vespa tenant users */
developer(Policy.applicationCreate,
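Review bot: `reader` now receives `Policy.paymentInstrumentDelete`, a destructive privilege, which is hard to square with a role whose every other policy is a read (`tenantRead`, `applicationRead`, `deploymentRead`, `publicRead`); the second hunk in this file does the same for `developer`, which gets delete but not `paymentInstrumentUpdate`. RoleTest asserts this exact behaviour, so it looks intentional, but the reason is not recorded anywhere and the next person tightening `reader` will have to guess. If removing one's own instrument is meant to be a self-service escape hatch rather than an administrative act, say so next to the grant: `Policy.paymentInstrumentDelete, // any tenant member may remove the payment instrument; only administrators may set one`. Otherwise consider restricting delete to `administrator` in both hunks.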
@@ -52,12 +55,20 @@ public enum RoleDefinition {
Policy.applicationOperations,
Policy.developmentDeployment,
Policy.keyManagement,
- Policy.submission),
+ Policy.submission,
+ Policy.paymentInstrumentRead,
+ Policy.paymentInstrumentDelete,
+ Policy.billingInformationRead),
/** Admin — the administrative function for user management etc. */
administrator(Policy.tenantUpdate,
Policy.tenantManager,
- Policy.applicationManager),
+ Policy.applicationManager,
+ Policy.paymentInstrumentRead,
+ Policy.paymentInstrumentUpdate,
+ Policy.paymentInstrumentDelete,
+ Policy.paymentInstrumentCreate,
+ Policy.billingInformationRead),
/** Headless — the application specific role identified by deployment keys for production */
headless(Policy.submission),
diff --git a/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/role/RoleTest.java b/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/role/RoleTest.java
index 57b4af9d16c..2da93c5ceca 100644
--- a/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/role/RoleTest.java
+++ b/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/role/RoleTest.java
@@ -6,8 +6,10 @@ import com.yahoo.config.provision.SystemName;
import com.yahoo.config.provision.TenantName;
import org.junit.Test;
+import java.awt.event.AdjustmentEvent;
import java.net.URI;
import java.util.List;
+import java.util.stream.Stream;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
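Review bot: `import java.awt.event.AdjustmentEvent;` is unused by the new tests and looks like an IDE auto-import; it also drags the `java.desktop` module into a controller-api test for no reason. Remove the line. `java.util.stream.Stream` is used in `billing()` and can stay.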
@@ -19,6 +21,7 @@ public class RoleTest {
private static final Enforcer mainEnforcer = new Enforcer(SystemName.main);
private static final Enforcer publicEnforcer = new Enforcer(SystemName.Public);
+ private static final Enforcer publicCdEnforcer = new Enforcer(SystemName.PublicCd);
@Test
public void operator_membership() {
@@ -143,4 +146,46 @@ public class RoleTest {
}
}
+ @Test
+ public void payment_instrument() {
+ URI paymentInstrumentUri = URI.create("/billing/v1/tenant/t1/instrument/foobar");
+ URI tenantPaymentInstrumentUri = URI.create("/billing/v1/tenant/t1/instrument");
+ URI tokenUri = URI.create("/billing/v1/tenant/t1/token");
+
+ Role user = Role.reader(TenantName.from("t1"));
+ assertTrue(publicCdEnforcer.allows(user, Action.read, paymentInstrumentUri));
+ assertTrue(publicCdEnforcer.allows(user, Action.delete, paymentInstrumentUri));
+ assertFalse(publicCdEnforcer.allows(user, Action.update, tenantPaymentInstrumentUri));
+ assertFalse(publicCdEnforcer.allows(user, Action.read, tokenUri));
+
+ Role developer = Role.developer(TenantName.from("t1"));
+ assertTrue(publicCdEnforcer.allows(developer, Action.read, paymentInstrumentUri));
+ assertTrue(publicCdEnforcer.allows(developer, Action.delete, paymentInstrumentUri));
+ assertFalse(publicCdEnforcer.allows(developer, Action.update, tenantPaymentInstrumentUri));
+ assertFalse(publicCdEnforcer.allows(developer, Action.read, tokenUri));
+
+ Role admin = Role.administrator(TenantName.from("t1"));
+ assertTrue(publicCdEnforcer.allows(admin, Action.read, paymentInstrumentUri));
+ assertTrue(publicCdEnforcer.allows(admin, Action.delete, paymentInstrumentUri));
+ assertTrue(publicCdEnforcer.allows(admin, Action.update, tenantPaymentInstrumentUri));
+ assertTrue(publicCdEnforcer.allows(admin, Action.read, tokenUri));
+ }
+
+ @Test
+ public void billing() {
+ URI billing = URI.create("/billing/v1/tenant/t1/billing");
+
+ Role user = Role.reader(TenantName.from("t1"));
+ Role developer = Role.developer(TenantName.from("t1"));
+ Role admin = Role.administrator(TenantName.from("t1"));
+
+ Stream.of(user, developer, admin).forEach(role -> {
+ assertTrue(publicCdEnforcer.allows(role, Action.read, billing));
+ assertFalse(publicCdEnforcer.allows(role, Action.update, billing));
+ assertFalse(publicCdEnforcer.allows(role, Action.delete, billing));
+ assertFalse(publicCdEnforcer.allows(role, Action.create, billing));
+ });
+
+ }
+
}
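Review bot: Neither `payment_instrument()` nor `billing()` checks the two boundaries that actually protect billing data: tenant isolation and system scoping. Every URI is under `t1` and every role is `TenantName.from("t1")`, so a regression in `Matcher.tenant` that let a `t1` reader see `/billing/v1/tenant/t2/instrument/foobar` would pass, and every assertion uses `publicCdEnforcer` although the policies are granted only in `SystemName.PublicCd`, so a policy accidentally widened to all systems would pass too. Adding `assertFalse(publicCdEnforcer.allows(user, Action.read, URI.create("/billing/v1/tenant/t2/instrument/foobar")));` and `assertFalse(publicEnforcer.allows(admin, Action.read, paymentInstrumentUri));` would pin both. The update assertions also use `tenantPaymentInstrumentUri` (no id) while read and delete use `paymentInstrumentUri` (with id), so neither path is exercised for the full action set; presumably `{*}` matches both, but one cross-check such as `assertFalse(publicCdEnforcer.allows(user, Action.update, paymentInstrumentUri));` would confirm it. The stray blank line before the closing brace of `billing()` can go.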