Diffstat (limited to 'controller-api')
5 files changed, 99 insertions, 0 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/ServiceRegistry.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/ServiceRegistry.java
index 98591ba41e2..0b17428296c 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/ServiceRegistry.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/ServiceRegistry.java
@@ -2,6 +2,7 @@ package com.yahoo.vespa.hosted.controller.api.integration;
 import com.yahoo.vespa.hosted.controller.api.integration.archive.ArchiveService;
+import com.yahoo.vespa.hosted.controller.api.integration.athenz.AccessControlService;
 import com.yahoo.vespa.hosted.controller.api.integration.aws.RoleService;
 import com.yahoo.vespa.hosted.controller.api.integration.aws.AwsEventFetcher;
 import com.yahoo.vespa.hosted.controller.api.integration.aws.ResourceTagger;
@@ -93,4 +94,6 @@ public interface ServiceRegistry {
 ArchiveService archiveService();
 ChangeRequestClient changeRequestClient();
+
+ AccessControlService accessControlService();
 }
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AccessControlService.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AccessControlService.java
new file mode 100644
index 00000000000..765312b40a3
--- /dev/null
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AccessControlService.java
@@ -0,0 +1,12 @@
+// Copyright Verizon Media. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+
+package com.yahoo.vespa.hosted.controller.api.integration.athenz;
+
+import com.yahoo.vespa.athenz.api.AthenzUser;
+
+import java.util.Collection;
+
+public interface AccessControlService {
+    public boolean approveDataPlaneAccess(AthenzUser user);
+    public Collection<AthenzUser> listMembers();
+}
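Review bot: The new `AccessControlService` interface carries no documentation of its contract, although it is the seam through which data-plane access is granted: whether `approveDataPlaneAccess` may only succeed for a user with a pending request, what its boolean return signals to the caller, and whether `listMembers` lists current or pending members. A Javadoc on each method stating that, plus a class-level note on who is expected to call it and that authorization of the caller happens elsewhere, would keep the Athenz and mock implementations from drifting apart. The `public` modifier on interface methods is redundant in Java and `ServiceRegistry` in the hunk above omits it; `boolean approveDataPlaneAccess(AthenzUser user);` and `Collection<AthenzUser> listMembers();` read cleaner.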
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
new file mode 100644
index 00000000000..2882fb1483c
--- /dev/null
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
@@ -0,0 +1,40 @@
+// Copyright Verizon Media. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+
+package com.yahoo.vespa.hosted.controller.api.integration.athenz;
+
+import com.yahoo.vespa.athenz.api.AthenzDomain;
+import com.yahoo.vespa.athenz.api.AthenzRole;
+import com.yahoo.vespa.athenz.api.AthenzUser;
+import com.yahoo.vespa.athenz.client.zms.ZmsClient;
+
+import java.util.Collection;
+import java.util.List;
+
+public class AthenzAccessControlService implements AccessControlService {
+
+    private static final String DATAPLANE_ACCESS_ROLENAME = "operator-data-plane";
+    private final ZmsClient zmsClient;
+    private final AthenzRole dataPlaneAccessRole;
+
+
+    public AthenzAccessControlService(ZmsClient zmsClient, AthenzDomain domain) {
+        this.zmsClient = zmsClient;
+        this.dataPlaneAccessRole = new AthenzRole(domain, DATAPLANE_ACCESS_ROLENAME);
+    }
+
+    @Override
+    public boolean approveDataPlaneAccess(AthenzUser user) {
+        List<AthenzUser> users = zmsClient.listPendingRoleApprovals(dataPlaneAccessRole);
+        if (users.contains(user)) {
+            // TODO (mortent): Handle expiry
+            zmsClient.approvePendingRoleMembership(dataPlaneAccessRole, user, null);
+            return true;
+        }
+        return false;
+    }
+
+    @Override
+    public Collection<AthenzUser> listMembers() {
+        return null;
+    }
+}
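Review bot: `approveDataPlaneAccess` passes `null` as the expiry to `zmsClient.approvePendingRoleMembership`, so a grant of operator data-plane access made here is open-ended unless ZMS applies a role-level limit that is not visible in this hunk; the TODO acknowledges it, but this access should be time-bounded before the path is used, for example by taking a `Duration` and a `Clock` in the constructor and passing `clock.instant().plus(accessDuration)` instead of `null`. `listMembers()` returns `null`, which will NPE any caller that iterates the result and, for an access-control listing, is easy to misread as "nobody has access"; until it is backed by a ZMS query it should fail loudly, `throw new UnsupportedOperationException("listMembers is not implemented for Athenz yet");`. The approval also leaves no record of which user was granted the role; a log line at the approval site would give the grant an audit trail (who is allowed to trigger the approval is presumably enforced by the caller, since nothing in this class checks it). The double blank line before the constructor is a minor style nit.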
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/MockAccessControlService.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/MockAccessControlService.java
new file mode 100644
index 00000000000..9a6027317c5
--- /dev/null
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/MockAccessControlService.java
@@ -0,0 +1,33 @@
+// Copyright Verizon Media. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+
+package com.yahoo.vespa.hosted.controller.api.integration.athenz;
+
+import com.yahoo.vespa.athenz.api.AthenzUser;
+
+import java.util.Collection;
+import java.util.HashSet;
+import java.util.Set;
+
+public class MockAccessControlService implements AccessControlService {
+
+    private final Set<AthenzUser> pendingMembers = new HashSet<>();
+    private final Set<AthenzUser> members = new HashSet<>();
+
+    @Override
+    public boolean approveDataPlaneAccess(AthenzUser user) {
+        if (pendingMembers.remove(user)) {
+            return members.add(user);
+        } else {
+            return false;
+        }
+    }
+
+    @Override
+    public Collection<AthenzUser> listMembers() {
+        return Set.copyOf(members);
+    }
+
+    public void addPendingMember(AthenzUser user) {
+        pendingMembers.add(user);
+    }
+}
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
index 942f0f35f58..6509bd40ebf 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
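Review bot: `approveDataPlaneAccess` in the mock returns `members.add(user)`, which is `false` when a pending user is already in `members`, whereas the Athenz implementation in this commit returns `true` whenever the user was pending; a test driven through the mock can therefore see a "denied" result the real service would report as granted, and the pending entry is consumed either way. Make the mock report the same outcome as the real path: `if (!pendingMembers.remove(user)) return false;` then `members.add(user);` and `return true;`. A one-line comment on the class saying it is a test double whose state is seeded through `addPendingMember` would also help readers of `ServiceRegistry` implementations.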
@@ -5,6 +5,7 @@ import com.yahoo.vespa.athenz.api.AthenzDomain;
 import com.yahoo.vespa.athenz.api.AthenzIdentity;
 import com.yahoo.vespa.athenz.api.AthenzResourceName;
 import com.yahoo.vespa.athenz.api.AthenzRole;
+import com.yahoo.vespa.athenz.api.AthenzUser;
 import com.yahoo.vespa.athenz.api.OktaAccessToken;
 import com.yahoo.vespa.athenz.api.OktaIdentityToken;
 import com.yahoo.vespa.athenz.client.zms.RoleAction;
@@ -12,6 +13,7 @@ import com.yahoo.vespa.athenz.client.zms.ZmsClient;
 import com.yahoo.vespa.athenz.client.zms.ZmsClientException;
 import com.yahoo.vespa.hosted.controller.api.identifiers.ApplicationId;
+import java.time.Instant;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Optional;
@@ -145,6 +147,15 @@ public class ZmsClientMock implements ZmsClient {
 return false;
 }
+ @Override
+ public List<AthenzUser> listPendingRoleApprovals(AthenzRole athenzRole) {
+ return List.of();
+ }
+
+ @Override
+ public void approvePendingRoleMembership(AthenzRole athenzRole, AthenzUser athenzUser, Instant expiry) {
+ }
+ @Override public void close() {} |