package com.yahoo.vespa.hosted.controller.restapi.filter;
import com.google.inject.Inject;
import com.yahoo.config.provision.ApplicationName;
import com.yahoo.config.provision.SystemName;
import com.yahoo.config.provision.TenantName;
import com.yahoo.restapi.Path;
import com.yahoo.vespa.athenz.api.AthenzDomain;
import com.yahoo.vespa.athenz.api.AthenzIdentity;
import com.yahoo.vespa.athenz.api.AthenzPrincipal;
import com.yahoo.vespa.athenz.api.AthenzUser;
import com.yahoo.vespa.athenz.client.zms.ZmsClientException;
import com.yahoo.vespa.hosted.controller.Controller;
import com.yahoo.vespa.hosted.controller.TenantController;
import com.yahoo.vespa.hosted.controller.athenz.ApplicationAction;
import com.yahoo.vespa.hosted.controller.athenz.impl.AthenzFacade;
import com.yahoo.vespa.hosted.controller.role.Role;
import com.yahoo.vespa.hosted.controller.role.RoleMembership;
import com.yahoo.vespa.hosted.controller.tenant.AthenzTenant;
import com.yahoo.vespa.hosted.controller.tenant.Tenant;
import com.yahoo.vespa.hosted.controller.tenant.UserTenant;
import javax.ws.rs.InternalServerErrorException;
import java.security.Principal;
import java.util.Optional;
import static com.yahoo.vespa.hosted.controller.athenz.HostedAthenzIdentities.SCREWDRIVER_DOMAIN;
/**
* Translates Athenz principals to role memberships for use in access control.
*
* @author tokle
* @author mpolden
*/
public class AthenzRoleResolver implements RoleMembership.Resolver {

    // Authorization backend (ZMS) used for every access decision below.
    private final AthenzFacade athenz;
    // Lookup of tenants by name, taken from the controller at construction time.
    private final TenantController tenants;
    // System the resolved memberships are scoped to.
    private final SystemName system;

    @Inject
    public AthenzRoleResolver(AthenzFacade athenz, Controller controller) {
        this.athenz = athenz;
        this.tenants = controller.tenants();
        this.system = controller.system();
    }

    /**
     * Whether {@code identity} administers {@code tenant}.
     *
     * <p>Athenz tenants delegate the decision to ZMS via the tenant's domain. User tenants are
     * administered by the matching Athenz user, or by any Athenz user with hosted-operator
     * access; a non-user identity never administers a user tenant.
     *
     * @throws InternalServerErrorException if the tenant is of a type this resolver does not know
     */
    private boolean isTenantAdmin(AthenzIdentity identity, Tenant tenant) {
        if (tenant instanceof AthenzTenant) {
            // NOTE(review): unlike hasDeployerAccess, a ZmsClientException raised here is not
            // translated and presumably propagates to the caller — confirm that is intended.
            AthenzDomain tenantDomain = ((AthenzTenant) tenant).domain();
            return athenz.hasTenantAdminAccess(identity, tenantDomain);
        }
        if (tenant instanceof UserTenant) {
            if (!(identity instanceof AthenzUser)) {
                return false;
            }
            String userName = ((AthenzUser) identity).getName();
            boolean ownsTenant = ((UserTenant) tenant).is(userName);
            return ownsTenant || isHostedOperator(identity);
        }
        throw new InternalServerErrorException("Unknown tenant type: " + tenant.getClass().getSimpleName());
    }

    /**
     * Whether {@code identity} may deploy {@code application} in {@code tenantDomain}, as
     * decided by ZMS.
     *
     * @throws InternalServerErrorException when the ZMS lookup itself fails, so that a backend
     *         outage surfaces as an error rather than as a silent denial or grant
     */
    private boolean hasDeployerAccess(AthenzIdentity identity, AthenzDomain tenantDomain, ApplicationName application) {
        try {
            return athenz.hasApplicationAccess(identity, ApplicationAction.deploy, tenantDomain, application);
        } catch (ZmsClientException cause) {
            throw new InternalServerErrorException("Failed to authorize operation: (" + cause.getMessage() + ")", cause);
        }
    }

    /** Whether {@code identity} has hosted-operator access according to ZMS. */
    private boolean isHostedOperator(AthenzIdentity identity) {
        return athenz.hasHostedOperatorAccess(identity);
    }

    /**
     * Whether a pipeline identity may act as deployer of {@code application} under {@code tenant}.
     *
     * <p>Only Athenz tenants get a fine-grained ZMS check on the deploy action. For every other
     * tenant type the caller's screwdriver-domain membership alone is sufficient.
     * NOTE(review): this means any identity in the screwdriver domain is a deployer for any
     * non-Athenz tenant's application — confirm this coarse grant is intended.
     */
    private boolean hasPipelineAccess(AthenzIdentity identity, Tenant tenant, ApplicationName application) {
        if (!(tenant instanceof AthenzTenant)) {
            return true;
        }
        AthenzDomain tenantDomain = ((AthenzTenant) tenant).domain();
        return hasDeployerAccess(identity, tenantDomain, application);
    }

    /**
     * Resolves the roles held by {@code principal} for the request at {@code uriPath}.
     *
     * <p>Tenant and application are extracted from the {@code /application/v4/...} path;
     * roles that are limited to a tenant or application are only added when the path names
     * one. The {@code everyone} role is always present in the result.
     *
     * @param principal the authenticated request principal; must be an {@link AthenzPrincipal}
     * @param uriPath   the request path, which this resolver requires
     * @return the memberships held by the principal in this system
     * @throws IllegalStateException    if the principal is not an {@link AthenzPrincipal}
     * @throws IllegalArgumentException if no request path is given
     */
    @Override
    public RoleMembership membership(Principal principal, Optional<String> uriPath) {
        if (!(principal instanceof AthenzPrincipal)) {
            throw new IllegalStateException("Expected an AthenzPrincipal to be set on the request.");
        }
        String requestPath = uriPath.orElseThrow(() -> new IllegalArgumentException("This resolver needs the request path."));
        Path path = new Path(requestPath);

        // Each matches() call populates the named captures read by the following get().
        path.matches("/application/v4/tenant/{tenant}/{*}");
        Optional<Tenant> tenant = Optional.ofNullable(path.get("tenant"))
                                          .map(TenantName::from)
                                          .flatMap(tenants::get);
        path.matches("/application/v4/tenant/{tenant}/application/{application}/{*}");
        Optional<ApplicationName> application = Optional.ofNullable(path.get("application"))
                                                        .map(ApplicationName::from);

        AthenzIdentity identity = ((AthenzPrincipal) principal).getIdentity();
        RoleMembership.Builder memberships = RoleMembership.in(system);

        if (isHostedOperator(identity)) {
            memberships.add(Role.hostedOperator);
        }

        if (tenant.isPresent() && isTenantAdmin(identity, tenant.get())) {
            memberships.add(Role.athenzTenantAdmin).limitedTo(tenant.get().name());
        }

        // Pipeline role is only considered for identities in the screwdriver domain, and only
        // when the request is scoped to a specific tenant and application.
        AthenzDomain principalDomain = identity.getDomain();
        boolean isPipelineRequest = principalDomain.equals(SCREWDRIVER_DOMAIN)
                                    && application.isPresent()
                                    && tenant.isPresent();
        if (isPipelineRequest && hasPipelineAccess(identity, tenant.get(), application.get())) {
            memberships.add(Role.tenantPipeline).limitedTo(tenant.get().name(), application.get());
        }

        memberships.add(Role.everyone);
        return memberships.build();
    }

}