Use of com.yahoo.athenz.auth.Authority in project athenz by yahoo.
The class SimplePrincipalTest, method testSimplePrincipalAuthorityCreate.
@Test
public void testSimplePrincipalAuthorityCreate() {
    // A mocked Authority keeps this test free of any real authentication backend.
    final Authority mockAuthority = Mockito.mock(Authority.class);

    // Domain + name + authority overload.
    SimplePrincipal principal = (SimplePrincipal) SimplePrincipal.create("user", "jdoe", mockAuthority);
    assertNotNull(principal);

    // Credentials + issue-time overload, with the authority now reporting no domain.
    Mockito.when(mockAuthority.getDomain()).thenReturn(null);
    principal = (SimplePrincipal) SimplePrincipal.create("user", "jdoe", "hoge", 0, mockAuthority);
    assertNotNull(principal);
}
Use of com.yahoo.athenz.auth.Authority in project athenz by yahoo.
The class SimplePrincipalTest, method testFullName.
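@Test
public void testFullName() {
    // Domain and name present: full name is "<domain>.<name>".
    // (The original asserted this twice on consecutive lines; once is enough.)
    Principal p = SimplePrincipal.create("user", "jdoe", fakeCreds, null);
    assertEquals(p.getFullName(), "user.jdoe");

    // A missing domain or a missing name still yields a principal object.
    assertNotNull(SimplePrincipal.create(null, "jdoe", fakeCreds));
    assertNotNull(SimplePrincipal.create("user", null, fakeCreds));

    // Domain + roles overload: full name is just the domain.
    List<String> roles = new ArrayList<>();
    roles.add("role1");
    p = SimplePrincipal.create("user", fakeCreds, roles, null);
    assertNotNull(p);
    assertEquals(p.getFullName(), "user");

    // Application-id overload without an authority: full name is the app id.
    p = SimplePrincipal.create("appid", fakeCreds, (Authority) null);
    assertEquals(p.getFullName(), "appid");

    // No identity at all: no principal is created.
    assertNull(SimplePrincipal.create(null, null, (Authority) null));
}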
Use of com.yahoo.athenz.auth.Authority in project athenz by yahoo.
The class ZMSImplTest, method testDeletePendingGroupMembershipSelfServeRequest.
@Test
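@Test
public void testDeletePendingGroupMembershipSelfServeRequest() {
    final String domainName = "delete-pending-self-serve";
    final String groupName = "group1";
    final String memberName = "user.bob";
    final ResourceContext adminCtx = zmsTestInitializer.getMockDomRsrcCtx();
    final String auditRef = zmsTestInitializer.getAuditRef();

    TopLevelDomain dom1 = zmsTestInitializer.createTopLevelDomainObject(domainName,
            "delete pending membership", "testOrg", "user.user1");
    zmsTestInitializer.getZms().postTopLevelDomain(adminCtx, auditRef, dom1);

    // Everything after domain creation runs under try/finally so the domain is
    // removed even when an assertion fails; a leftover domain would otherwise
    // break later tests that create the same name.
    try {
        DomainMeta meta = zmsTestInitializer.createDomainMetaObject("Domain Meta for approval test",
                "testorg", true, false, "12345", 1001);
        zmsTestInitializer.getZms().putDomainMeta(adminCtx, domainName, auditRef, meta);

        Group auditedGroup = zmsTestInitializer.createGroupObject(domainName, groupName, "user.john", "user.jane");
        zmsTestInitializer.getZms().putGroup(adminCtx, domainName, groupName, auditRef, auditedGroup);

        GroupMeta groupMeta = new GroupMeta().setSelfServe(true);
        zmsTestInitializer.getZms().putGroupMeta(adminCtx, domainName, groupName, auditRef, groupMeta);

        // user.joe (not the domain admin) asks for user.bob to be added to the self-serve group.
        Authority principalAuthority = new com.yahoo.athenz.common.server.debug.DebugPrincipalAuthority();
        String joeUnsignedCreds = "v=U1;d=user;n=joe";
        Principal joe = SimplePrincipal.create("user", "joe", joeUnsignedCreds + ";s=signature", 0, principalAuthority);
        assertNotNull(joe);
        ((SimplePrincipal) joe).setUnsignedCreds(joeUnsignedCreds);
        ResourceContext ctxJoe = zmsTestInitializer.createResourceContext(joe);

        GroupMembership mbr = new GroupMembership();
        mbr.setMemberName(memberName);
        mbr.setActive(false);
        mbr.setApproved(false);
        zmsTestInitializer.getZms().putGroupMembership(ctxJoe, domainName, groupName, memberName, auditRef, mbr);

        // The domain admin sees exactly one pending request: user.bob for group1.
        DomainGroupMembership pending = zmsTestInitializer.getZms()
                .getPendingDomainGroupMembersList(adminCtx, "user.user1", null);
        assertNotNull(pending);
        assertNotNull(pending.getDomainGroupMembersList());
        assertEquals(pending.getDomainGroupMembersList().size(), 1);
        for (DomainGroupMembers domainMembers : pending.getDomainGroupMembersList()) {
            assertEquals(domainMembers.getDomainName(), domainName);
            assertNotNull(domainMembers.getMembers());
            for (DomainGroupMember member : domainMembers.getMembers()) {
                assertNotNull(member);
                assertEquals(member.getMemberName(), memberName);
                for (GroupMember groupMember : member.getMemberGroups()) {
                    assertNotNull(groupMember);
                    assertEquals(groupMember.getGroupName(), groupName);
                }
            }
        }

        // Negative authorization check: user.jane neither created the request nor
        // administers the domain, so withdrawing it must be refused with 403.
        String janeUnsignedCreds = "v=U1;d=user;n=jane";
        Principal jane = SimplePrincipal.create("user", "jane", janeUnsignedCreds + ";s=signature", 0, principalAuthority);
        assertNotNull(jane);
        ((SimplePrincipal) jane).setUnsignedCreds(janeUnsignedCreds);
        ResourceContext ctxJane = zmsTestInitializer.createResourceContext(jane);
        try {
            zmsTestInitializer.getZms().deletePendingGroupMembership(ctxJane, domainName, groupName, memberName, auditRef);
            fail("deletePendingGroupMembership must be rejected for user.jane");
        } catch (ResourceException ex) {
            assertEquals(ex.getCode(), 403);
        }

        // The requester (user.joe) is allowed to withdraw its own pending request.
        zmsTestInitializer.getZms().deletePendingGroupMembership(ctxJoe, domainName, groupName, memberName, auditRef);

        // Nothing pending remains for the domain admin.
        pending = zmsTestInitializer.getZms().getPendingDomainGroupMembersList(adminCtx, "user.user1", null);
        assertNotNull(pending);
        assertTrue(pending.getDomainGroupMembersList().isEmpty());
    } finally {
        zmsTestInitializer.getZms().deleteTopLevelDomain(adminCtx, domainName, auditRef);
    }
}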
Use of com.yahoo.athenz.auth.Authority in project athenz by yahoo.
The class ZMSImplTest, method testGetAccessCrossDomainWildCardResources.
@Test
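@Test
public void testGetAccessCrossDomainWildCardResources() {
    final String netopsDomain = "netops";
    final String weatherDomain = "weather";
    final String clientIp = "10.11.12.13";
    final ResourceContext adminCtx = zmsTestInitializer.getMockDomRsrcCtx();
    final String auditRef = zmsTestInitializer.getAuditRef();
    final String adminUser = zmsTestInitializer.getAdminUser();

    // netops domain: an empty "users" role, a "superusers" role holding two
    // site-ops users, and an ASSUME_ROLE policy on "*:role.netops_superusers"
    // for netops:role.superusers (the cross-domain part of this test).
    TopLevelDomain dom = zmsTestInitializer.createTopLevelDomainObject(netopsDomain, "Test Netops", "testOrg", adminUser);
    zmsTestInitializer.getZms().postTopLevelDomain(adminCtx, auditRef, dom);
    // Both domains are deleted in finally blocks so a failed assertion cannot
    // leave "netops"/"weather" behind for later tests that recreate them.
    try {
        Role role = zmsTestInitializer.createRoleObject(netopsDomain, "users", null, null, null);
        zmsTestInitializer.getZms().putRole(adminCtx, netopsDomain, "users", auditRef, role);
        role = zmsTestInitializer.createRoleObject(netopsDomain, "superusers", null,
                "user.siteops_user_1", "user.siteops_user_2");
        zmsTestInitializer.getZms().putRole(adminCtx, netopsDomain, "superusers", auditRef, role);

        Policy policy = zmsTestInitializer.createPolicyObject(netopsDomain, "users", "users",
                "NODE_USER", "netops:node.", AssertionEffect.ALLOW);
        zmsTestInitializer.getZms().putPolicy(adminCtx, netopsDomain, "users", auditRef, policy);
        policy = zmsTestInitializer.createPolicyObject(netopsDomain, "superusers", "superusers",
                "NODE_SUDO", "netops:node.", AssertionEffect.ALLOW);
        zmsTestInitializer.getZms().putPolicy(adminCtx, netopsDomain, "superusers", auditRef, policy);
        policy = zmsTestInitializer.createPolicyObject(netopsDomain, "netops_superusers", "netops:role.superusers",
                false, "ASSUME_ROLE", "*:role.netops_superusers", AssertionEffect.ALLOW);
        zmsTestInitializer.getZms().putPolicy(adminCtx, netopsDomain, "netops_superusers", auditRef, policy);

        // weather domain: its own users/superusers roles plus a "netops_superusers"
        // role created with "netops" as its third argument (presumably the trusted
        // domain), with NODE_SUDO on "weather:node.*" for both superuser roles.
        dom = zmsTestInitializer.createTopLevelDomainObject(weatherDomain, "Test weather", "testOrg", adminUser);
        zmsTestInitializer.getZms().postTopLevelDomain(adminCtx, auditRef, dom);
        try {
            role = zmsTestInitializer.createRoleObject(weatherDomain, "users", null, null, null);
            zmsTestInitializer.getZms().putRole(adminCtx, weatherDomain, "users", auditRef, role);
            role = zmsTestInitializer.createRoleObject(weatherDomain, "superusers", null, "user.weather_admin_user", null);
            zmsTestInitializer.getZms().putRole(adminCtx, weatherDomain, "superusers", auditRef, role);
            role = zmsTestInitializer.createRoleObject(weatherDomain, "netops_superusers", netopsDomain);
            zmsTestInitializer.getZms().putRole(adminCtx, weatherDomain, "netops_superusers", auditRef, role);

            policy = zmsTestInitializer.createPolicyObject(weatherDomain, "users", "users",
                    "NODE_USER", "weather:node.", AssertionEffect.ALLOW);
            zmsTestInitializer.getZms().putPolicy(adminCtx, weatherDomain, "users", auditRef, policy);
            policy = zmsTestInitializer.createPolicyObject(weatherDomain, "superusers", "superusers",
                    "NODE_SUDO", "weather:node.*", AssertionEffect.ALLOW);
            zmsTestInitializer.getZms().putPolicy(adminCtx, weatherDomain, "superusers", auditRef, policy);
            policy = zmsTestInitializer.createPolicyObject(weatherDomain, "netops_superusers", "netops_superusers",
                    "NODE_SUDO", "weather:node.*", AssertionEffect.ALLOW);
            zmsTestInitializer.getZms().putPolicy(adminCtx, weatherDomain, "netops_superusers", auditRef, policy);

            Authority principalAuthority = new com.yahoo.athenz.common.server.debug.DebugPrincipalAuthority();

            // Direct member of weather:role.superusers -> granted.
            // assertNotNull before use: a rejected credential string would otherwise
            // surface later as a NullPointerException instead of a clear failure.
            Principal pWeather = principalAuthority.authenticate(
                    "v=U1;d=user;n=weather_admin_user;s=signature", clientIp, "GET", null);
            assertNotNull(pWeather);
            ResourceContext rsrcCtxWeather = zmsTestInitializer.createResourceContext(pWeather);
            Access access = zmsTestInitializer.getZms().getAccess(rsrcCtxWeather, "NODE_SUDO", "weather:node.x", null, null);
            assertTrue(access.getGranted());

            // netops superuser reaching weather through the cross-domain role -> granted.
            Principal pSiteOps = principalAuthority.authenticate(
                    "v=U1;d=user;n=siteops_user_1;s=signature", clientIp, "GET", null);
            assertNotNull(pSiteOps);
            ResourceContext rsrcCtxSiteOps = zmsTestInitializer.createResourceContext(pSiteOps);
            access = zmsTestInitializer.getZms().getAccess(rsrcCtxSiteOps, "NODE_SUDO", "weather:node.x", null, null);
            assertTrue(access.getGranted());

            // User with no role in either domain -> denied. This negative case shows
            // the wildcard ASSUME_ROLE policy does not open the resource to everyone.
            Principal pRandom = principalAuthority.authenticate(
                    "v=U1;d=user;n=random_user;s=signature", clientIp, "GET", null);
            assertNotNull(pRandom);
            ResourceContext rsrcCtxRandom = zmsTestInitializer.createResourceContext(pRandom);
            access = zmsTestInitializer.getZms().getAccess(rsrcCtxRandom, "NODE_SUDO", "weather:node.x", null, null);
            assertFalse(access.getGranted());
        } finally {
            zmsTestInitializer.getZms().deleteTopLevelDomain(adminCtx, weatherDomain, auditRef);
        }
    } finally {
        zmsTestInitializer.getZms().deleteTopLevelDomain(adminCtx, netopsDomain, auditRef);
    }
}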
Use of com.yahoo.athenz.auth.Authority in project athenz by yahoo.
The class ZMSImplTest, method testPutGroupMembershipDecisionReviewEnabledUnauthorized.
@Test
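@Test
public void testPutGroupMembershipDecisionReviewEnabledUnauthorized() {
    final String domainName = "group-review-enabled-domain-forbidden";
    final String groupName = "review-group";
    final String memberName = "user.bob";
    // Shared mock context from the initializer; its principal() is re-stubbed below.
    final ResourceContext mockCtx = zmsTestInitializer.getMockDomRsrcCtx();
    final String auditRef = zmsTestInitializer.getAuditRef();

    TopLevelDomain dom1 = zmsTestInitializer.createTopLevelDomainObject(domainName,
            "Approval test Domain1", "testOrg", "user.user1");
    zmsTestInitializer.getZms().postTopLevelDomain(mockCtx, auditRef, dom1);

    // The shared mock contexts are re-pointed at user.user2 below. The finally
    // block restores the admin principal and deletes the domain even if an
    // assertion fails, so a failure here cannot leave later tests running as
    // the wrong principal.
    try {
        Group group1 = zmsTestInitializer.createGroupObject(domainName, groupName, null, null);
        zmsTestInitializer.getZms().putGroup(mockCtx, domainName, groupName, auditRef, group1);

        GroupMeta groupMeta = new GroupMeta().setReviewEnabled(true);
        zmsTestInitializer.getZms().putGroupMeta(mockCtx, domainName, groupName, auditRef, groupMeta);

        // Review-enabled group: the new member is stored as pending (not approved).
        GroupMembership mbr = new GroupMembership();
        mbr.setMemberName(memberName);
        mbr.setActive(false);
        mbr.setApproved(false);
        zmsTestInitializer.getZms().putGroupMembership(mockCtx, domainName, groupName, memberName, auditRef, mbr);

        Group resgroup = zmsTestInitializer.getZms().getGroup(mockCtx, domainName, groupName, false, true);
        assertEquals(resgroup.getGroupMembers().size(), 1);
        assertEquals(resgroup.getGroupMembers().get(0).getMemberName(), memberName);
        assertFalse(resgroup.getGroupMembers().get(0).getApproved());

        // user.user2 is not authorized to approve/reject members of this group;
        // its approval decision must be rejected.
        GroupMembership decision = new GroupMembership();
        decision.setMemberName(memberName);
        decision.setActive(true);
        decision.setApproved(true);

        Authority principalAuthority = new com.yahoo.athenz.common.server.debug.DebugPrincipalAuthority();
        String user2UnsignedCreds = "v=U1;d=user;n=user2";
        final Principal user2 = SimplePrincipal.create("user", "user2",
                user2UnsignedCreds + ";s=signature", 0, principalAuthority);
        assertNotNull(user2);
        ((SimplePrincipal) user2).setUnsignedCreds(user2UnsignedCreds);
        when(zmsTestInitializer.getMockDomRestRsrcCtx().principal()).thenReturn(user2);
        when(zmsTestInitializer.getMockDomRsrcCtx().principal()).thenReturn(user2);

        try {
            zmsTestInitializer.getZms().putGroupMembershipDecision(mockCtx, domainName, groupName,
                    memberName, auditRef, decision);
            fail("putGroupMembershipDecision must be rejected for user.user2");
        } catch (ResourceException ex) {
            assertTrue(ex.getMessage().contains("not authorized to approve / reject members"));
        }
    } finally {
        // Restore the admin principal (user.user1) on the shared mocks before cleanup.
        Authority adminPrincipalAuthority = new com.yahoo.athenz.common.server.debug.DebugPrincipalAuthority();
        String adminUnsignedCreds = "v=U1;d=user;n=user1";
        final Principal admin = SimplePrincipal.create("user", "user1",
                adminUnsignedCreds + ";s=signature", 0, adminPrincipalAuthority);
        assertNotNull(admin);
        ((SimplePrincipal) admin).setUnsignedCreds(adminUnsignedCreds);
        when(zmsTestInitializer.getMockDomRestRsrcCtx().principal()).thenReturn(admin);
        when(zmsTestInitializer.getMockDomRsrcCtx().principal()).thenReturn(admin);

        zmsTestInitializer.getZms().deleteTopLevelDomain(mockCtx, domainName, auditRef);
    }
}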