Diffstat (limited to 'controller-api')
3 files changed, 40 insertions, 10 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
index 0be32165916..3391965dc67 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
@@ -11,6 +11,7 @@ import com.yahoo.vespa.athenz.client.zms.ZmsClient;
 import java.time.Instant;
 import java.util.Collection;
 import java.util.List;
+import java.util.Map;
 import java.util.stream.Collectors;
 
 public class AthenzAccessControlService implements AccessControlService {
@@ -34,8 +35,8 @@ public class AthenzAccessControlService implements AccessControlService {
         if(!isVespaTeamMember(user)) {
             throw new IllegalArgumentException(String.format("User %s requires manual approval, please contact Vespa team", user.getName()));
         }
-        List<AthenzUser> users = zmsClient.listPendingRoleApprovals(dataPlaneAccessRole);
-        if (users.contains(user)) {
+        Map<AthenzUser, String> users = zmsClient.listPendingRoleApprovals(dataPlaneAccessRole);
+        if (users.containsKey(user)) {
             zmsClient.approvePendingRoleMembership(dataPlaneAccessRole, user, expiry);
             return true;
         }
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzDbMock.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzDbMock.java
index c87a01a7f37..899e3174df9 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzDbMock.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzDbMock.java
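Review bot: In the second hunk the local is still named `users` although it now holds a `Map<AthenzUser, String>`, and the `String` value is never read, so a reader cannot tell what it carries or whether ignoring it is safe. Rename it to say what it is, `Map<AthenzUser, String> pendingApprovals = zmsClient.listPendingRoleApprovals(dataPlaneAccessRole);`, and state the meaning of the value in the `ZmsClient.listPendingRoleApprovals` Javadoc, since that interface change is outside this diffstat and nothing here documents it. The enclosing method starts and ends outside the hunk.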
@@ -52,7 +52,7 @@ public class AthenzDbMock {
 
     public Domain admin(AthenzIdentity identity) {
         admins.add(identity);
-        policies.add(new Policy(identity.getFullName(), ".*", ".*"));
+        policies.add(new Policy("admin", identity.getFullName(), ".*", ".*"));
         return this;
     }
 
@@ -67,7 +67,7 @@ public class AthenzDbMock {
     }
 
     public Domain withPolicy(String principalRegex, String operation, String resource) {
-        policies.add(new Policy(principalRegex, operation, resource));
+        policies.add(new Policy("admin", principalRegex, operation, resource));
         return this;
     }
 
@@ -106,16 +106,22 @@ public class AthenzDbMock {
     }
 
     public static class Policy {
+        private final String name;
         private final Pattern principal;
         private final Pattern action;
         private final Pattern resource;
 
-        public Policy(String principal, String action, String resource) {
+        public Policy(String name, String principal, String action, String resource) {
+            this.name = name;
             this.principal = Pattern.compile(principal);
             this.action = Pattern.compile(action);
             this.resource = Pattern.compile(resource);
         }
 
+        public String name() {
+            return name;
+        }
+
         public boolean principalMatches(AthenzIdentity athenzIdentity) {
             return this.principal.matcher(athenzIdentity.getFullName()).matches();
         }
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
index 45018787f02..77a49c6cbff 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
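Review bot: `withPolicy` in the second hunk hardcodes the policy name `"admin"` for every policy added through the builder, which is not an admin policy at all, so a domain with several `withPolicy` calls ends up with several distinct policies sharing one name. In the same commit `ZmsClientMock.createPolicy` rejects a name that already exists and `listPolicies` collects names into a `Set`, so on such a domain `createPolicy(domain, "admin")` throws and the listing collapses to a single entry regardless of how many policies were added. Keep the existing signature for callers but add an overload that takes the name, `public Domain withPolicy(String name, String principalRegex, String operation, String resource) { policies.add(new Policy(name, principalRegex, operation, resource)); return this; }`, and have the three-argument form delegate with a name derived from its arguments rather than `"admin"`. In the third hunk the new constructor also accepts a null `name`, which `p.name().equals(...)` in the mock would then dereference; `this.name = Objects.requireNonNull(name, "name");` closes that, if `java.util.Objects` is in scope.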
@@ -148,12 +148,17 @@ public class ZmsClientMock implements ZmsClient {
 
     @Override
     public void createPolicy(AthenzDomain athenzDomain, String athenzPolicy) {
-        // Noop
+        List<AthenzDbMock.Policy> policies = athenz.getOrCreateDomain(athenzDomain).policies;
+        if (policies.stream().anyMatch(p -> p.name().equals(athenzPolicy))) {
+            throw new IllegalArgumentException("Policy already exists");
+        }
+
+        // Policy will be created in the mock when an assertion is added
     }
 
     @Override
     public void addPolicyRule(AthenzDomain athenzDomain, String athenzPolicy, String action, AthenzResourceName resourceName, AthenzRole athenzRole) {
-        athenz.getOrCreateDomain(athenzDomain).policies.add(new AthenzDbMock.Policy(athenzRole.roleName(), action, resourceName.toResourceNameString()));
+        athenz.getOrCreateDomain(athenzDomain).policies.add(new AthenzDbMock.Policy(athenzPolicy, athenzRole.roleName(), action, resourceName.toResourceNameString()));
     }
 
     @Override
@@ -162,8 +167,8 @@ public class ZmsClientMock implements ZmsClient {
     }
 
     @Override
-    public List<AthenzUser> listPendingRoleApprovals(AthenzRole athenzRole) {
-        return List.of();
+    public Map<AthenzUser,String> listPendingRoleApprovals(AthenzRole athenzRole) {
+        return Map.of();
     }
 
     @Override
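Review bot: The duplicate check in `createPolicy` only sees policies that already have a rule, because the method records nothing itself; two consecutive `createPolicy` calls with the same name both succeed, and `addPolicyRule` on the second hunk's lines accepts a policy name that was never created, so the mock's "already exists" behaviour differs from what the check suggests. Either keep a per-domain set of created names and check it here and in `addPolicyRule`, or make the gap explicit in the existing comment, for example `// Not recorded until a rule is added: a second createPolicy for the same name is not rejected here, and addPolicyRule does not require createPolicy first`. The `anyMatch` predicate would also throw on a policy whose `name()` is null, which the new constructor does not prevent; `athenzPolicy.equals(p.name())` is the safer orientation if `athenzPolicy` is known non-null at this point.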
@@ -194,7 +199,25 @@ public class ZmsClientMock implements ZmsClient {
 
     @Override
     public void createRole(AthenzRole role, Map<String, Object> properties) {
-        athenz.getOrCreateDomain(role.domain()).roles.add(new AthenzDbMock.Role(role.roleName()));
+        List<AthenzDbMock.Role> roles = athenz.getOrCreateDomain(role.domain()).roles;
+        if (roles.stream().anyMatch(r -> r.name().equals(role.roleName()))) {
+            throw new IllegalArgumentException("Role already exists");
+        }
+        roles.add(new AthenzDbMock.Role(role.roleName()));
+    }
+
+    @Override
+    public Set<AthenzRole> listRoles(AthenzDomain domain) {
+        return athenz.getOrCreateDomain(domain).roles.stream()
+                .map(role -> new AthenzRole(domain, role.name()))
+                .collect(Collectors.toSet());
+    }
+
+    @Override
+    public Set<String> listPolicies(AthenzDomain domain) {
+        return athenz.getOrCreateDomain(domain).policies.stream()
+                .map(AthenzDbMock.Policy::name)
+                .collect(Collectors.toSet());
     }
 
     @Override
 |
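Review bot: `listRoles` and `listPolicies` are queries but both go through `athenz.getOrCreateDomain(domain)`, so listing a domain that does not exist silently creates it in the mock and returns an empty set instead of signalling the miss; a test that checks for a non-existent domain after such a call will see it present. If `AthenzDbMock` exposes a non-creating lookup, use it here and return `Set.of()` (or throw, whichever the real `ZmsClient` contract specifies) when the domain is absent; if it does not, a comment on both methods stating the create-on-read side effect would at least make it visible. The diff shows no import hunk for this file while the new methods use `Set` and `Collectors`, so those are presumably already imported — worth confirming before merge.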