From c592b2e93833e713d12cef61e0d9f8e57ee0d9f3 Mon Sep 17 00:00:00 2001
From: Morten Tokle
Date: Mon, 20 Feb 2023 16:17:39 +0100
Subject: Use ZTS getAccess instead of ZMS
---
 .../controller/api/integration/athenz/ZtsClientMock.java | 6 ++++++
 .../vespa/hosted/controller/athenz/impl/AthenzFacade.java | 2 +-
 .../yahoo/vespa/athenz/client/zts/DefaultZtsClient.java | 14 ++++++++++++++
 .../java/com/yahoo/vespa/athenz/client/zts/ZtsClient.java | 12 ++++++++++++
 4 files changed, 33 insertions(+), 1 deletion(-)
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZtsClientMock.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZtsClientMock.java
index d3e74965c4b..b03710ba0b5 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZtsClientMock.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZtsClientMock.java
@@ -5,6 +5,7 @@ import com.yahoo.security.Pkcs10Csr;
 import com.yahoo.vespa.athenz.api.AthenzAccessToken;
 import com.yahoo.vespa.athenz.api.AthenzDomain;
 import com.yahoo.vespa.athenz.api.AthenzIdentity;
+import com.yahoo.vespa.athenz.api.AthenzResourceName;
 import com.yahoo.vespa.athenz.api.AthenzRole;
 import com.yahoo.vespa.athenz.api.AwsRole;
 import com.yahoo.vespa.athenz.api.AwsTemporaryCredentials;
@@ -97,6 +98,11 @@ public class ZtsClientMock implements ZtsClient {
 throw new UnsupportedOperationException();
 }
+ @Override
+ public boolean hasAccess(AthenzResourceName resource, String action, AthenzIdentity identity) {
+ throw new UnsupportedOperationException();
+ }
+
 @Override
 public void close() {
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java
index 6a493f3f5ed..65320a25984 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java
@@ -309,7 +309,7 @@ public class AthenzFacade implements AccessControl {
 }
 private boolean lookupAccess(AccessTuple t) {
- boolean result = zmsClient.hasAccess(AthenzResourceName.fromString(t.resource), t.action, t.identity);
+ boolean result = ztsClient.hasAccess(AthenzResourceName.fromString(t.resource), t.action, t.identity);
 log("getAccess(action=%s, resource=%s, principal=%s) = %b", t.action, t.resource, t.identity, result);
 return result;
 }
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java
index cf46cad57b1..21c8f4ddd31 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java
@@ -13,6 +13,7 @@ import com.yahoo.vespa.athenz.api.NToken;
 import com.yahoo.vespa.athenz.api.ZToken;
 import com.yahoo.vespa.athenz.client.ErrorHandler;
 import com.yahoo.vespa.athenz.client.common.ClientBase;
+import com.yahoo.vespa.athenz.client.zms.bindings.AccessResponseEntity;
 import com.yahoo.vespa.athenz.client.zts.bindings.AccessTokenResponseEntity;
 import com.yahoo.vespa.athenz.client.zts.bindings.AwsTemporaryCredentialsResponseEntity;
 import com.yahoo.vespa.athenz.client.zts.bindings.IdentityRefreshRequestEntity;
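Review bot: The changed line in `lookupAccess` moves the authorization decision from `zmsClient` (the ZMS source of truth) to `ztsClient`, and as far as I know of Athenz, ZTS answers access checks from its locally replicated policy data; a permission revoked in ZMS will therefore keep being granted here until ZTS has refreshed, and nothing in the new code records that. A comment above the call, such as `// Evaluated against ZTS's replicated policies; a revocation in ZMS takes effect here only after ZTS has synced`, would tell the next reader why a denial may lag. If no other method in `AthenzFacade` still uses the `zmsClient` field after this change (not visible here), it should be removed along with its constructor wiring. `lookupAccess` is fully contained in the hunk.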
@@ -221,6 +222,19 @@ public class DefaultZtsClient extends ClientBase implements ZtsClient {
 });
 }
+ @Override
+ public boolean hasAccess(AthenzResourceName resource, String action, AthenzIdentity identity) {
+ URI uri = ztsUrl.resolve(String.format("access/%s/%s?principal=%s",
+ action, resource.toResourceNameString(), identity.getFullName()));
+ HttpUriRequest request = RequestBuilder.get()
+ .setUri(uri)
+ .build();
+ return execute(request, response -> {
+ AccessResponseEntity result = readEntity(response, AccessResponseEntity.class);
+ return result.granted;
+ });
+ }
+
 private InstanceIdentity getInstanceIdentity(HttpResponse response) throws IOException {
 InstanceIdentityCredentials entity = readEntity(response, InstanceIdentityCredentials.class);
 return entity.getServiceToken() != null
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClient.java
index c4be6d8ced7..eade6229123 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClient.java
@@ -5,6 +5,7 @@ import com.yahoo.security.Pkcs10Csr;
 import com.yahoo.vespa.athenz.api.AthenzAccessToken;
 import com.yahoo.vespa.athenz.api.AthenzDomain;
 import com.yahoo.vespa.athenz.api.AthenzIdentity;
+import com.yahoo.vespa.athenz.api.AthenzResourceName;
 import com.yahoo.vespa.athenz.api.AthenzRole;
 import com.yahoo.vespa.athenz.api.AwsRole;
 import com.yahoo.vespa.athenz.api.AwsTemporaryCredentials;
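Review bot: On the `URI uri = ztsUrl.resolve(String.format(...))` lines of the new `hasAccess`, `action`, `resource.toResourceNameString()` and `identity.getFullName()` are interpolated into the request path and query with no URL encoding, so a reserved character in any of them (`/`, `?`, `#`, `&`, `%`) changes which ZTS endpoint or query parameter is addressed instead of being sent as data; whether every caller guarantees clean values is not visible here (`AthenzFacade.lookupAccess` builds them from an `AccessTuple` of unknown origin). Encode each component before formatting, e.g. `URLEncoder.encode(action, StandardCharsets.UTF_8)` and likewise for the resource name and the principal, so the server evaluates exactly the tuple the caller asked about. Separately, the import added in the `@@ -13,6 +13,7 @@` hunk pulls `AccessResponseEntity` from the `zms.bindings` package into the ZTS client; if the two servers really return the same `granted` payload, a comment at the `readEntity` call (`// ZTS /access returns the same entity shape as ZMS`) would make the cross-package dependency look deliberate rather than accidental.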
@@ -187,5 +188,16 @@ public interface ZtsClient extends AutoCloseable {
 */
 AwsTemporaryCredentials getAwsTemporaryCredentials(AthenzDomain athenzDomain, AwsRole awsRole, Duration duration, String externalId);
+ /**
+ * Check access to resource for a given principal
+ *
+ * @param resource The resource to verify access to
+ * @param action Action to verify
+ * @param identity Principal that requests access
+ * @return true if access is allowed, false otherwise
+ */
+ boolean hasAccess(AthenzResourceName resource, String action, AthenzIdentity identity);
+
 void close();
+
 }
--
cgit v1.2.3
From a87a2edd2263c0b4c5503a35b621ca0f68b5578a Mon Sep 17 00:00:00 2001
From: Morten Tokle
Date: Mon, 20 Feb 2023 21:40:05 +0100
Subject: Fix api access tests
---
 .../api/integration/athenz/AthenzClientFactoryMock.java | 2 +-
 .../controller/api/integration/athenz/ZtsClientMock.java | 10 +++++++++-
 2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzClientFactoryMock.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzClientFactoryMock.java
index 54fda58d19c..c4194315922 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzClientFactoryMock.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzClientFactoryMock.java
@@ -39,7 +39,7 @@ public class AthenzClientFactoryMock extends AbstractComponent implements Athenz
 @Override
 public ZtsClient createZtsClient() {
- return new ZtsClientMock(athenz);
+ return new ZtsClientMock(athenz, createZmsClient());
 }
 }
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZtsClientMock.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZtsClientMock.java
index b03710ba0b5..3ca0fdd0f23 100644
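Review bot: The new Javadoc on `hasAccess` documents only the boolean result and says nothing about what a caller gets when the lookup itself fails; for a method that feeds access-control decisions the difference between "denied" and "could not check" matters, and callers should never be left to guess whether an error surfaces as an exception or as `false`. Add a `@throws` line naming the exception type the client raises on transport or server errors, with wording along the lines of `if the lookup could not be completed; an error is never reported as {@code false}`, assuming `DefaultZtsClient.execute` does throw on non-success responses (not visible in this patch). A trailing period on the summary sentence (`Check access to resource for a given principal.`) would match Javadoc convention.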
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZtsClientMock.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZtsClientMock.java
@@ -10,6 +10,7 @@ import com.yahoo.vespa.athenz.api.AthenzRole;
 import com.yahoo.vespa.athenz.api.AwsRole;
 import com.yahoo.vespa.athenz.api.AwsTemporaryCredentials;
 import com.yahoo.vespa.athenz.api.ZToken;
+import com.yahoo.vespa.athenz.client.zms.ZmsClient;
 import com.yahoo.vespa.athenz.client.zts.Identity;
 import com.yahoo.vespa.athenz.client.zts.InstanceIdentity;
 import com.yahoo.vespa.athenz.client.zts.ZtsClient;
@@ -18,6 +19,7 @@ import java.security.KeyPair;
 import java.security.cert.X509Certificate;
 import java.time.Duration;
 import java.util.List;
+import java.util.Optional;
 import java.util.logging.Level;
 import java.util.logging.Logger;
@@ -28,9 +30,14 @@ public class ZtsClientMock implements ZtsClient {
 private static final Logger log = Logger.getLogger(ZtsClientMock.class.getName());
 private final AthenzDbMock athenz;
+ private final Optional zmsClient;
 public ZtsClientMock(AthenzDbMock athenz) {
+ this(athenz, null);
+ }
+ public ZtsClientMock(AthenzDbMock athenz, ZmsClient zmsClient) {
 this.athenz = athenz;
+ this.zmsClient = Optional.ofNullable(zmsClient);
 }
 @Override
@@ -100,7 +107,8 @@ public class ZtsClientMock implements ZtsClient {
 @Override
 public boolean hasAccess(AthenzResourceName resource, String action, AthenzIdentity identity) {
- throw new UnsupportedOperationException();
+ return zmsClient.orElseThrow(UnsupportedOperationException::new)
+ .hasAccess(resource, action, identity);
 }
 @Override
--
cgit v1.2.3
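Review bot: The field added in the `@@ -28,9 +30,14 @@` hunk stores an `Optional`, which is discouraged for fields; a plain nullable `private final ZmsClient zmsClient;` with the check moved into `hasAccess` (`if (zmsClient == null) throw new UnsupportedOperationException();`) is simpler and drops the `java.util.Optional` import. As rendered here the declaration reads `private final Optional zmsClient;` with no type argument; that is most likely `<ZmsClient>` lost in rendering, since a raw `Optional` would not compile against the `.hasAccess(resource, action, identity)` call in the last hunk, but it is worth confirming the committed line is `private final Optional<ZmsClient> zmsClient;`. Note also that the one-argument constructor now silently yields a mock whose `hasAccess` throws, which is fine for a test double as long as the Javadoc-less constructor says so.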