From ff570e8ff3f6e08f7851289efe292b4aa1acedfc Mon Sep 17 00:00:00 2001
From: Ola Aunrønning
Date: Thu, 3 Mar 2022 11:06:14 +0100
Subject: Add API for toggling self-served access role
---
 .../api/integration/athenz/AccessControlService.java | 2 ++
 .../athenz/AthenzAccessControlService.java | 19 +++++++++++++++++++
 .../integration/athenz/MockAccessControlService.java | 10 ++++++++++
 .../api/integration/athenz/ZmsClientMock.java | 5 +++++
 4 files changed, 36 insertions(+)
(limited to 'controller-api')
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AccessControlService.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AccessControlService.java
index a08319055ff..b270c27092f 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AccessControlService.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AccessControlService.java
@@ -19,5 +19,7 @@ public interface AccessControlService {
 boolean approveSshAccess(TenantName tenantName, Instant expiry, OAuthCredentials oAuthCredentials);
 boolean requestSshAccess(TenantName tenantName);
 boolean hasPendingAccessRequests(TenantName tenantName);
+ boolean hasPreapprovedAccess(TenantName tenantName);
+ void setPreapprovedAccess(TenantName tenantName, boolean preapproved);
 Collection listMembers();
 }
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
index a3f789149cf..6b91f49af8e 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
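Review bot: The two interface methods added here, `hasPreapprovedAccess` and `setPreapprovedAccess`, carry no Javadoc, so an implementer cannot tell what `preapproved` means nor what the getter must report for a tenant whose access role has not been created yet — the Athenz implementation in this commit answers that with `true`, the mock with `false`. Since this predicate presumably decides whether SSH access is granted without a review step, the contract belongs on the interface rather than in each implementation. I would add `/** Whether members are admitted to this tenant's SSH access role without review; implementations must define what is reported when the role does not yet exist. */` above `hasPreapprovedAccess` and `/** Enables (true) or disables (false) review-free membership of the tenant's SSH access role. */` above `setPreapprovedAccess`.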
@@ -110,6 +110,25 @@ public class AthenzAccessControlService implements AccessControlService {
 return true;
 }
 
+ public boolean hasPreapprovedAccess(TenantName tenantName) {
+ var role = sshRole(tenantName);
+
+ if (!vespaZmsClient.listRoles(role.domain()).contains(role))
+ return true; // true by default
+
+ return !vespaZmsClient.isSelfServeRole(role);
+ }
+
+ public void setPreapprovedAccess(TenantName tenantName, boolean preapprovedAccess) {
+ var role = sshRole(tenantName);
+
+ var attributes = Map.of(
+ "selfServe", !preapprovedAccess,
+ "reviewEnabled", !preapprovedAccess
+ );
+ vespaZmsClient.createRole(role, attributes);
+ }
+
 private AthenzRole sshRole(TenantName tenantName) {
 return new AthenzRole(getOrCreateTenantDomain(tenantName), "ssh_access");
 }
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/MockAccessControlService.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/MockAccessControlService.java
index b8106450705..505ee97bdf5 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/MockAccessControlService.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/MockAccessControlService.java
@@ -45,6 +45,16 @@ public class MockAccessControlService implements AccessControlService {
 return false;
 }
 
+ @Override
+ public boolean hasPreapprovedAccess(TenantName tenantName) {
+ return false;
+ }
+
+ @Override
+ public void setPreapprovedAccess(TenantName tenantName, boolean preapproved) {
+
+ }
+
 public void addPendingMember(AthenzUser user) {
 pendingMembers.add(user);
 }
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
index 38b2a36a348..62a999bb7a6 100644
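Review bot: `hasPreapprovedAccess` fails open: when `ssh_access` is not among `listRoles(role.domain())` it returns `true`, i.e. it reports that membership needs no review, which is the most permissive answer for a tenant that has never been configured. Unless callers outside this hunk handle a missing role separately, I would invert that default, `return false; // no role yet: require review until explicitly relaxed`, or at least expand the `// true by default` comment to say why absence is safe. The getter also consults only `isSelfServeRole`, while `setPreapprovedAccess` writes both `selfServe` and `reviewEnabled`, so a role whose `reviewEnabled` was set independently in ZMS still reads as preapproved; if the client exposes the review flag it should be folded into the check, otherwise document that the two attributes are assumed to move together. Note as well that `sshRole` goes through `getOrCreateTenantDomain`, so this read-only query can create a domain as a side effect, and that `createRole` on an already existing role should be confirmed to preserve its current members rather than replace the role wholesale.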
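Review bot: `MockAccessControlService.hasPreapprovedAccess` hard-codes `false` and `setPreapprovedAccess` has an empty body, so the mock can never reflect a toggle and reports the opposite default from the Athenz implementation in this commit, which returns `true` when the role does not exist; tests built on this mock will exercise neither path. Back it with a field: `private boolean preapprovedAccess;`, `return preapprovedAccess;` in the getter and `this.preapprovedAccess = preapproved;` in the setter.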
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
@@ -255,6 +255,11 @@ public class ZmsClientMock implements ZmsClient {
 @Override
 public void createSubdomain(AthenzDomain parent, String name) {}
 
+ @Override
+ public boolean isSelfServeRole(AthenzRole role) {
+ return false;
+ }
+
 @Override
 public void close() {}
-- cgit v1.2.3