// Copyright 2019 Oath Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.vespa.hosted.controller.api.role;

import com.yahoo.config.provision.ApplicationName;
import com.yahoo.config.provision.InstanceName;
import com.yahoo.config.provision.TenantName;

import java.util.Objects;

/**
 * A role is a combination of a {@link RoleDefinition} and a {@link Context}, which allows evaluation
 * of access control for a given action on a resource.
 *
 * @author jonmv
 */
public abstract class Role {

    /** The set of permissions this role carries; compared by identity in {@link #equals(Object)}. */
    private final RoleDefinition roleDefinition;

    /** The scope (system/tenant/application, possibly instance) the definition is bound to. Package-visible for the bound subclasses. */
    final Context context;

    /**
     * Creates a role from a definition and the context it applies to.
     *
     * @throws NullPointerException if either argument is {@code null}
     */
    Role(RoleDefinition roleDefinition, Context context) {
        this.roleDefinition = Objects.requireNonNull(roleDefinition);
        this.context = Objects.requireNonNull(context);
    }

    // ---- Roles bound only to the current system ----

    /** Returns a {@link RoleDefinition#hostedOperator} for the current system. */
    public static UnboundRole hostedOperator() { return new UnboundRole(RoleDefinition.hostedOperator); }

    /** Returns a {@link RoleDefinition#everyone} for the current system. */
    public static UnboundRole everyone() { return new UnboundRole(RoleDefinition.everyone); }

    /** Returns the role for system flag deployer */
    public static UnboundRole systemFlagsDeployer() { return new UnboundRole(RoleDefinition.systemFlagsDeployer); }

    // ---- Roles bound to a tenant ----

    /** Returns a {@link RoleDefinition#athenzTenantAdmin} for the current system and given tenant. */
    public static TenantRole athenzTenantAdmin(TenantName tenant) { return new TenantRole(RoleDefinition.athenzTenantAdmin, tenant); }

    /** Returns a {@link RoleDefinition#tenantOwner} for the current system and given tenant. */
    public static TenantRole tenantOwner(TenantName tenant) { return new TenantRole(RoleDefinition.tenantOwner, tenant); }

    /** Returns a {@link RoleDefinition#tenantAdmin} for the current system and given tenant. */
    public static TenantRole tenantAdmin(TenantName tenant) { return new TenantRole(RoleDefinition.tenantAdmin, tenant); }

    /** Returns a {@link RoleDefinition#tenantOperator} for the current system and given tenant. */
    public static TenantRole tenantOperator(TenantName tenant) { return new TenantRole(RoleDefinition.tenantOperator, tenant); }

    /** Returns a {@link RoleDefinition#reader} for the current system and given tenant. */
    public static TenantRole reader(TenantName tenant) { return new TenantRole(RoleDefinition.reader, tenant); }

    /** Returns a {@link RoleDefinition#developer} for the current system and given tenant. */
    public static TenantRole developer(TenantName tenant) { return new TenantRole(RoleDefinition.developer, tenant); }

    /** Returns a {@link RoleDefinition#administrator} for the current system and given tenant. */
    public static TenantRole administrator(TenantName tenant) { return new TenantRole(RoleDefinition.administrator, tenant); }

    // ---- Roles bound to a tenant and an application ----

    /** Returns a {@link RoleDefinition#tenantPipeline} for the current system and given tenant and application. */
    public static ApplicationRole tenantPipeline(TenantName tenant, ApplicationName application) {
        return new ApplicationRole(RoleDefinition.tenantPipeline, tenant, application);
    }

    /** Returns a {@link RoleDefinition#headless} for the current system, given tenant, and application. */
    public static ApplicationRole headless(TenantName tenant, ApplicationName application) {
        return new ApplicationRole(RoleDefinition.headless, tenant, application);
    }

    /** Returns a {@link RoleDefinition#applicationAdmin} for the current system and given tenant and application. */
    public static ApplicationRole applicationAdmin(TenantName tenant, ApplicationName application) {
        return new ApplicationRole(RoleDefinition.applicationAdmin, tenant, application);
    }

    /** Returns a {@link RoleDefinition#applicationOperator} for the current system and given tenant and application. */
    public static ApplicationRole applicationOperator(TenantName tenant, ApplicationName application) {
        return new ApplicationRole(RoleDefinition.applicationOperator, tenant, application);
    }

    /** Returns a {@link RoleDefinition#applicationDeveloper} for the current system and given tenant and application. */
    public static ApplicationRole applicationDeveloper(TenantName tenant, ApplicationName application) {
        return new ApplicationRole(RoleDefinition.applicationDeveloper, tenant, application);
    }

    /** Returns a {@link RoleDefinition#applicationReader} for the current system and given tenant and application. */
    public static ApplicationRole applicationReader(TenantName tenant, ApplicationName application) {
        return new ApplicationRole(RoleDefinition.applicationReader, tenant, application);
    }

    /** Returns a {@link RoleDefinition#buildService} for the current system and given tenant and application. */
    public static ApplicationRole buildService(TenantName tenant, ApplicationName application) {
        return new ApplicationRole(RoleDefinition.buildService, tenant, application);
    }

    // ---- Roles bound to a tenant, an application and an instance ----

    /** Returns a {@link RoleDefinition#athenzUser} for the current system and given tenant, application and instance. */
    public static InstanceRole athenzUser(TenantName tenant, ApplicationName application, InstanceName instance) {
        return new InstanceRole(RoleDefinition.athenzUser, tenant, application, instance);
    }

    /** Returns the role definition of this bound role. */
    public RoleDefinition definition() { return roleDefinition; }

    /**
     * Returns whether this role implies the given one: this role's definition must inherit the other's
     * definition, and this role's context must cover the other's. An unset tenant or application on this
     * role's context is treated as a wildcard and covers any value on the other role; a set value must be
     * equal to the other's.
     * <p>
     * NOTE(review): only tenant and application are compared here. If {@link Context} also carries an
     * instance (as {@link InstanceRole} suggests), an instance-scoped role implies roles for every
     * instance of the same application — confirm that this is the intended authorization behaviour.
     *
     * @param other the role to test against; must not be {@code null}
     * @throws NullPointerException if {@code other} is {@code null}
     */
    public boolean implies(Role other) {
        // A bound tenant must match exactly; an unbound one matches anything.
        if ( ! context.tenant().isEmpty() && ! context.tenant().equals(other.context.tenant()))
            return false;
        // Same rule for the application scope.
        if ( ! context.application().isEmpty() && ! context.application().equals(other.context.application()))
            return false;
        // Scopes are compatible; the decision rests on the definition hierarchy.
        return roleDefinition.inherited().contains(other.roleDefinition);
    }

    /** Two roles are equal when they are of the same concrete class with the same definition and context. */
    @Override
    public boolean equals(Object o) {
        if (o == this) return true;
        if (o == null) return false;
        // Exact class match: a TenantRole never equals an ApplicationRole, even with equal fields.
        if (o.getClass() != getClass()) return false;
        Role that = (Role) o;
        return this.roleDefinition == that.roleDefinition
            && Objects.equals(this.context, that.context);
    }

    @Override
    public int hashCode() {
        return Objects.hash(roleDefinition, context);
    }

}