
Example 11 with Authority

use of com.yahoo.athenz.auth.Authority in project athenz by yahoo.

the class SimplePrincipalTest method testSimplePrincipalAuthorityCreate.

@Test
public void testSimplePrincipalAuthorityCreate() {
    // A mocked Authority is all create() needs here; nothing on it is invoked
    // by the assertions below, only the reference has to be non-null.
    final Authority mockAuthority = Mockito.mock(Authority.class);

    SimplePrincipal principal = (SimplePrincipal) SimplePrincipal.create("user", "jdoe", mockAuthority);
    assertNotNull(principal);

    // Pin the authority's domain to null and exercise the overload that also
    // takes credentials and an issue time; it must still produce a principal.
    Mockito.when(mockAuthority.getDomain()).thenReturn(null);
    principal = (SimplePrincipal) SimplePrincipal.create("user", "jdoe", "hoge", 0, mockAuthority);
    assertNotNull(principal);
}

Example 12 with Authority

use of com.yahoo.athenz.auth.Authority in project athenz by yahoo.

the class SimplePrincipalTest method testFullName.

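@Test
public void testFullName() {
    // With both domain and name present the full name is "<domain>.<name>".
    // (The original asserted this twice in a row; once is enough.)
    Principal p = SimplePrincipal.create("user", "jdoe", fakeCreds, null);
    assertEquals(p.getFullName(), "user.jdoe");

    // A missing domain or a missing name on its own still yields a principal.
    assertNotNull(SimplePrincipal.create(null, "jdoe", fakeCreds));
    assertNotNull(SimplePrincipal.create("user", null, fakeCreds));

    // Principal built from a domain plus a role list: only the domain is
    // known, so the full name collapses to the domain.
    List<String> roles = new ArrayList<>();
    roles.add("role1");
    p = SimplePrincipal.create("user", fakeCreds, roles, null);
    assertNotNull(p);
    assertEquals(p.getFullName(), "user");

    // Single-identifier overload (presumably an application id): the full
    // name is that identifier itself.
    p = SimplePrincipal.create("appid", fakeCreds, (Authority) null);
    assertEquals(p.getFullName(), "appid");

    // Neither domain nor name: no principal can be constructed at all.
    assertNull(SimplePrincipal.create(null, null, (Authority) null));
}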

Example 13 with Authority

use of com.yahoo.athenz.auth.Authority in project athenz by yahoo.

the class ZMSImplTest method testDeletePendingGroupMembershipSelfServeRequest.

@Test
public void testDeletePendingGroupMembershipSelfServeRequest() {
    final String domainName = "delete-pending-self-serve";
    final String groupName = "group1";
    final ResourceContext adminCtx = zmsTestInitializer.getMockDomRsrcCtx();
    final String auditRef = zmsTestInitializer.getAuditRef();

    // Domain administered by user.user1, with the domain meta the approval
    // tests share.
    TopLevelDomain dom1 = zmsTestInitializer.createTopLevelDomainObject(domainName, "delete pending membership", "testOrg", "user.user1");
    zmsTestInitializer.getZms().postTopLevelDomain(adminCtx, auditRef, dom1);
    DomainMeta meta = zmsTestInitializer.createDomainMetaObject("Domain Meta for approval test", "testorg", true, false, "12345", 1001);
    zmsTestInitializer.getZms().putDomainMeta(adminCtx, domainName, auditRef, meta);

    // Group with john and jane as members, then flagged as self-serve so that
    // membership requests can be filed by non-admins and land as "pending".
    Group selfServeGroup = zmsTestInitializer.createGroupObject(domainName, groupName, "user.john", "user.jane");
    zmsTestInitializer.getZms().putGroup(adminCtx, domainName, groupName, auditRef, selfServeGroup);
    GroupMeta selfServeMeta = new GroupMeta().setSelfServe(true);
    zmsTestInitializer.getZms().putGroupMeta(adminCtx, domainName, groupName, auditRef, selfServeMeta);

    // user.joe files the self-serve request to add user.bob. The debug
    // authority is test-only: ";s=signature" is a literal placeholder, not a
    // real signature.
    Authority principalAuthority = new com.yahoo.athenz.common.server.debug.DebugPrincipalAuthority();
    String joeUnsignedCreds = "v=U1;d=user;n=joe";
    Principal joe = SimplePrincipal.create("user", "joe", joeUnsignedCreds + ";s=signature", 0, principalAuthority);
    assertNotNull(joe);
    ((SimplePrincipal) joe).setUnsignedCreds(joeUnsignedCreds);
    ResourceContext ctxJoe = zmsTestInitializer.createResourceContext(joe);

    GroupMembership pendingBob = new GroupMembership();
    pendingBob.setMemberName("user.bob");
    pendingBob.setActive(false);
    pendingBob.setApproved(false);
    zmsTestInitializer.getZms().putGroupMembership(ctxJoe, domainName, groupName, "user.bob", auditRef, pendingBob);

    // Seen through the admin context, exactly one pending entry must exist:
    // user.bob waiting on groupName in domainName.
    DomainGroupMembership pending = zmsTestInitializer.getZms().getPendingDomainGroupMembersList(adminCtx, "user.user1", null);
    assertNotNull(pending);
    assertNotNull(pending.getDomainGroupMembersList());
    assertEquals(pending.getDomainGroupMembersList().size(), 1);
    for (DomainGroupMembers domainEntry : pending.getDomainGroupMembersList()) {
        assertEquals(domainEntry.getDomainName(), domainName);
        assertNotNull(domainEntry.getMembers());
        for (DomainGroupMember member : domainEntry.getMembers()) {
            assertNotNull(member);
            assertEquals(member.getMemberName(), "user.bob");
            for (GroupMember groupEntry : member.getMemberGroups()) {
                assertNotNull(groupEntry);
                assertEquals(groupEntry.getGroupName(), groupName);
            }
        }
    }

    // user.jane is a group member but not the requester and not the domain
    // admin; the test expects her attempt to delete the pending request to be
    // rejected with 403 rather than silently succeeding.
    String janeUnsignedCreds = "v=U1;d=user;n=jane";
    Principal jane = SimplePrincipal.create("user", "jane", janeUnsignedCreds + ";s=signature", 0, principalAuthority);
    assertNotNull(jane);
    ((SimplePrincipal) jane).setUnsignedCreds(janeUnsignedCreds);
    ResourceContext ctxJane = zmsTestInitializer.createResourceContext(jane);
    try {
        zmsTestInitializer.getZms().deletePendingGroupMembership(ctxJane, domainName, groupName, "user.bob", auditRef);
        fail();
    } catch (ResourceException ex) {
        assertEquals(ex.getCode(), 403);
    }

    // The requester (joe) may withdraw his own request; afterwards the admin
    // view of pending requests must be empty.
    zmsTestInitializer.getZms().deletePendingGroupMembership(ctxJoe, domainName, groupName, "user.bob", auditRef);
    pending = zmsTestInitializer.getZms().getPendingDomainGroupMembersList(adminCtx, "user.user1", null);
    assertNotNull(pending);
    assertTrue(pending.getDomainGroupMembersList().isEmpty());

    zmsTestInitializer.getZms().deleteTopLevelDomain(adminCtx, domainName, auditRef);
}

Example 14 with Authority

use of com.yahoo.athenz.auth.Authority in project athenz by yahoo.

the class ZMSImplTest method testGetAccessCrossDomainWildCardResources.

@Test
public void testGetAccessCrossDomainWildCardResources() {
    final ResourceContext adminCtx = zmsTestInitializer.getMockDomRsrcCtx();
    final String auditRef = zmsTestInitializer.getAuditRef();
    final String adminUser = zmsTestInitializer.getAdminUser();

    // netops domain: an empty "users" role, a "superusers" role holding the two
    // siteops users, and a policy allowing netops:role.superusers to
    // ASSUME_ROLE "netops_superusers" in any domain -- the "*:" wildcard on the
    // resource is what this test is about.
    TopLevelDomain netops = zmsTestInitializer.createTopLevelDomainObject("netops", "Test Netops", "testOrg", adminUser);
    zmsTestInitializer.getZms().postTopLevelDomain(adminCtx, auditRef, netops);
    Role netopsUsers = zmsTestInitializer.createRoleObject("netops", "users", null, null, null);
    zmsTestInitializer.getZms().putRole(adminCtx, "netops", "users", auditRef, netopsUsers);
    Role netopsSuperusers = zmsTestInitializer.createRoleObject("netops", "superusers", null, "user.siteops_user_1", "user.siteops_user_2");
    zmsTestInitializer.getZms().putRole(adminCtx, "netops", "superusers", auditRef, netopsSuperusers);
    Policy netopsUsersPolicy = zmsTestInitializer.createPolicyObject("netops", "users", "users", "NODE_USER", "netops:node.", AssertionEffect.ALLOW);
    zmsTestInitializer.getZms().putPolicy(adminCtx, "netops", "users", auditRef, netopsUsersPolicy);
    Policy netopsSudoPolicy = zmsTestInitializer.createPolicyObject("netops", "superusers", "superusers", "NODE_SUDO", "netops:node.", AssertionEffect.ALLOW);
    zmsTestInitializer.getZms().putPolicy(adminCtx, "netops", "superusers", auditRef, netopsSudoPolicy);
    Policy assumeRolePolicy = zmsTestInitializer.createPolicyObject("netops", "netops_superusers", "netops:role.superusers", false, "ASSUME_ROLE", "*:role.netops_superusers", AssertionEffect.ALLOW);
    zmsTestInitializer.getZms().putPolicy(adminCtx, "netops", "netops_superusers", auditRef, assumeRolePolicy);

    // weather domain: its own "superusers" role (weather_admin_user) and a
    // "netops_superusers" role whose third argument is "netops" (presumably the
    // trust domain); both roles get NODE_SUDO on weather:node.*.
    TopLevelDomain weather = zmsTestInitializer.createTopLevelDomainObject("weather", "Test weather", "testOrg", adminUser);
    zmsTestInitializer.getZms().postTopLevelDomain(adminCtx, auditRef, weather);
    Role weatherUsers = zmsTestInitializer.createRoleObject("weather", "users", null, null, null);
    zmsTestInitializer.getZms().putRole(adminCtx, "weather", "users", auditRef, weatherUsers);
    Role weatherSuperusers = zmsTestInitializer.createRoleObject("weather", "superusers", null, "user.weather_admin_user", null);
    zmsTestInitializer.getZms().putRole(adminCtx, "weather", "superusers", auditRef, weatherSuperusers);
    Role delegatedNetops = zmsTestInitializer.createRoleObject("weather", "netops_superusers", "netops");
    zmsTestInitializer.getZms().putRole(adminCtx, "weather", "netops_superusers", auditRef, delegatedNetops);
    Policy weatherUsersPolicy = zmsTestInitializer.createPolicyObject("weather", "users", "users", "NODE_USER", "weather:node.", AssertionEffect.ALLOW);
    zmsTestInitializer.getZms().putPolicy(adminCtx, "weather", "users", auditRef, weatherUsersPolicy);
    Policy weatherSudoPolicy = zmsTestInitializer.createPolicyObject("weather", "superusers", "superusers", "NODE_SUDO", "weather:node.*", AssertionEffect.ALLOW);
    zmsTestInitializer.getZms().putPolicy(adminCtx, "weather", "superusers", auditRef, weatherSudoPolicy);
    Policy delegatedSudoPolicy = zmsTestInitializer.createPolicyObject("weather", "netops_superusers", "netops_superusers", "NODE_SUDO", "weather:node.*", AssertionEffect.ALLOW);
    zmsTestInitializer.getZms().putPolicy(adminCtx, "weather", "netops_superusers", auditRef, delegatedSudoPolicy);

    // Principals are minted by the debug authority (test-only; ";s=signature"
    // is a literal placeholder, not a real signature).
    Authority principalAuthority = new com.yahoo.athenz.common.server.debug.DebugPrincipalAuthority();

    // Direct member of weather's superusers role: granted.
    Principal weatherAdmin = principalAuthority.authenticate("v=U1;d=user;n=weather_admin_user;s=signature", "10.11.12.13", "GET", null);
    ResourceContext weatherAdminCtx = zmsTestInitializer.createResourceContext(weatherAdmin);
    Access access = zmsTestInitializer.getZms().getAccess(weatherAdminCtx, "NODE_SUDO", "weather:node.x", null, null);
    assertTrue(access.getGranted());

    // Member of netops superusers, reaching weather only through the
    // wildcard ASSUME_ROLE policy and the delegated role: granted.
    Principal siteOps = principalAuthority.authenticate("v=U1;d=user;n=siteops_user_1;s=signature", "10.11.12.13", "GET", null);
    ResourceContext siteOpsCtx = zmsTestInitializer.createResourceContext(siteOps);
    access = zmsTestInitializer.getZms().getAccess(siteOpsCtx, "NODE_SUDO", "weather:node.x", null, null);
    assertTrue(access.getGranted());

    // A user in neither role must be denied -- the wildcard must not widen
    // access beyond the delegated role's members.
    Principal randomUser = principalAuthority.authenticate("v=U1;d=user;n=random_user;s=signature", "10.11.12.13", "GET", null);
    ResourceContext randomUserCtx = zmsTestInitializer.createResourceContext(randomUser);
    access = zmsTestInitializer.getZms().getAccess(randomUserCtx, "NODE_SUDO", "weather:node.x", null, null);
    assertFalse(access.getGranted());

    zmsTestInitializer.getZms().deleteTopLevelDomain(adminCtx, "weather", auditRef);
    zmsTestInitializer.getZms().deleteTopLevelDomain(adminCtx, "netops", auditRef);
}

Example 15 with Authority

use of com.yahoo.athenz.auth.Authority in project athenz by yahoo.

the class ZMSImplTest method testPutGroupMembershipDecisionReviewEnabledUnauthorized.

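@Test
public void testPutGroupMembershipDecisionReviewEnabledUnauthorized() {
    final String domainName = "group-review-enabled-domain-forbidden";
    final String groupName = "review-group";
    final String auditRef = zmsTestInitializer.getAuditRef();

    // Domain administered by user.user1 holding a review-enabled group, so
    // new members land in a pending state until someone authorized decides.
    TopLevelDomain dom1 = zmsTestInitializer.createTopLevelDomainObject(domainName, "Approval test Domain1", "testOrg", "user.user1");
    zmsTestInitializer.getZms().postTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), auditRef, dom1);
    Group group1 = zmsTestInitializer.createGroupObject(domainName, groupName, null, null);
    zmsTestInitializer.getZms().putGroup(zmsTestInitializer.getMockDomRsrcCtx(), domainName, groupName, auditRef, group1);
    GroupMeta reviewMeta = new GroupMeta().setReviewEnabled(true);
    zmsTestInitializer.getZms().putGroupMeta(zmsTestInitializer.getMockDomRsrcCtx(), domainName, groupName, auditRef, reviewMeta);

    // Add user.bob; he must show up as the single, unapproved member.
    GroupMembership mbr = new GroupMembership();
    mbr.setMemberName("user.bob");
    mbr.setActive(false);
    mbr.setApproved(false);
    zmsTestInitializer.getZms().putGroupMembership(zmsTestInitializer.getMockDomRsrcCtx(), domainName, groupName, "user.bob", auditRef, mbr);
    Group resgroup = zmsTestInitializer.getZms().getGroup(zmsTestInitializer.getMockDomRsrcCtx(), domainName, groupName, false, true);
    assertEquals(resgroup.getGroupMembers().size(), 1);
    assertEquals(resgroup.getGroupMembers().get(0).getMemberName(), "user.bob");
    assertFalse(resgroup.getGroupMembers().get(0).getApproved());

    // Decision that would approve and activate bob.
    mbr = new GroupMembership();
    mbr.setMemberName("user.bob");
    mbr.setActive(true);
    mbr.setApproved(true);

    // The debug authority is test-only: ";s=signature" is a literal
    // placeholder, not a real signature. user.user2 is not the admin user.user1
    // that created the domain.
    Authority principalAuthority = new com.yahoo.athenz.common.server.debug.DebugPrincipalAuthority();
    String unsignedCreds = "v=U1;d=user;n=user2";
    final Principal rsrcPrince = SimplePrincipal.create("user", "user2", unsignedCreds + ";s=signature", 0, principalAuthority);
    assertNotNull(rsrcPrince);
    ((SimplePrincipal) rsrcPrince).setUnsignedCreds(unsignedCreds);

    // Both shared mock contexts are switched to user.user2 from here on. The
    // admin principal is restored in the finally block so that a failing
    // assertion cannot leak the non-admin identity into later tests that use
    // the same zmsTestInitializer mocks.
    when(zmsTestInitializer.getMockDomRestRsrcCtx().principal()).thenReturn(rsrcPrince);
    when(zmsTestInitializer.getMockDomRsrcCtx().principal()).thenReturn(rsrcPrince);
    try {
        zmsTestInitializer.getZms().putGroupMembershipDecision(zmsTestInitializer.getMockDomRsrcCtx(), domainName, groupName, "user.bob", auditRef, mbr);
        fail("non-admin principal must not be able to approve a pending group member");
    } catch (ResourceException ex) {
        // Check the status as well as the reason: a 403 shows the request was
        // refused by the authorization check, not by input validation.
        assertEquals(ex.getCode(), 403);
        assertTrue(ex.getMessage().contains("not authorized to approve / reject members"));
    } finally {
        // revert back to admin principal before tearing the domain down
        String adminUnsignedCreds = "v=U1;d=user;n=user1";
        final Principal rsrcAdminPrince = SimplePrincipal.create("user", "user1", adminUnsignedCreds + ";s=signature", 0, principalAuthority);
        assertNotNull(rsrcAdminPrince);
        ((SimplePrincipal) rsrcAdminPrince).setUnsignedCreds(adminUnsignedCreds);
        when(zmsTestInitializer.getMockDomRestRsrcCtx().principal()).thenReturn(rsrcAdminPrince);
        when(zmsTestInitializer.getMockDomRsrcCtx().principal()).thenReturn(rsrcAdminPrince);
        zmsTestInitializer.getZms().deleteTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), domainName, auditRef);
    }
}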
