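@Test
public void testValidateGroupPrincipalFailures() {
    // Exercises the checks validateGroupPrincipal applies before a group may be used
    // as a principal: the group's user-authority filter and expiration attribute must
    // match the values passed in exactly, and when the caller passes auditEnabled=true
    // the group itself must be audit enabled. Every rejection must surface as a
    // ResourceException with a message naming the failed check.
    final String domainName = "val-group-principal";
    final String groupName = "group1";
    final String groupResource = ResourceUtils.groupResourceName(domainName, groupName);

    // Mock user authority: every user is valid, and both members carry the
    // OnShore-US boolean attribute and an elevated-clearance date attribute.
    Authority authority = Mockito.mock(Authority.class);
    when(authority.isValidUser(anyString())).thenReturn(true);
    when(authority.getDateAttribute("user.john", "elevated-clearance")).thenReturn(new Date());
    when(authority.isAttributeSet("user.john", "OnShore-US")).thenReturn(true);
    when(authority.getDateAttribute("user.jane", "elevated-clearance")).thenReturn(new Date());
    when(authority.isAttributeSet("user.jane", "OnShore-US")).thenReturn(true);
    Set<String> attrs = new HashSet<>();
    attrs.add("OnShore-US");
    attrs.add("elevated-clearance");
    when(authority.booleanAttributesSupported()).thenReturn(attrs);
    when(authority.dateAttributesSupported()).thenReturn(attrs);

    // The user authority is shared server state. Swap the mock in and restore the
    // original in a finally block so a failing assertion cannot leak the permissive
    // mock into the tests that run after this one.
    Authority savedAuthority = zmsTestInitializer.getZms().userAuthority;
    zmsTestInitializer.getZms().userAuthority = authority;
    zmsTestInitializer.getZms().dbService.zmsConfig.setUserAuthority(authority);
    try {
        TopLevelDomain dom1 = zmsTestInitializer.createTopLevelDomainObject(domainName, "Test Domain1", "testOrg", zmsTestInitializer.getAdminUser());
        dom1.setAuditEnabled(true);
        zmsTestInitializer.getZms().postTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), zmsTestInitializer.getAuditRef(), dom1);
        try {
            Group group = zmsTestInitializer.createGroupObject(domainName, groupName, "user.john", "user.jane");
            zmsTestInitializer.getZms().putGroup(zmsTestInitializer.getMockDomRsrcCtx(), domainName, groupName, zmsTestInitializer.getAuditRef(), group);

            // No filter, no expiration, no audit requirement: accepted.
            zmsTestInitializer.getZms().validateGroupPrincipal(groupResource, null, null, null, "unittest");
            // A filter is required but the group carries none yet.
            assertGroupPrincipalRejected(groupResource, "OnShore-US", null, null, "does not have same user authority filter");

            GroupMeta gm = new GroupMeta().setUserAuthorityFilter("OnShore-US");
            zmsTestInitializer.getZms().putGroupMeta(zmsTestInitializer.getMockDomRsrcCtx(), domainName, groupName, zmsTestInitializer.getAuditRef(), gm);
            // Filter now matches and no expiration is required: accepted.
            zmsTestInitializer.getZms().validateGroupPrincipal(groupResource, "OnShore-US", null, null, "unittest");
            // An expiration attribute is required but the group carries none yet.
            assertGroupPrincipalRejected(groupResource, "OnShore-US", "elevated-clearance", null, "does not have same user authority expiration");

            gm = new GroupMeta().setUserAuthorityFilter("OnShore-US").setUserAuthorityExpiration("elevated-clearance");
            zmsTestInitializer.getZms().putGroupMeta(zmsTestInitializer.getMockDomRsrcCtx(), domainName, groupName, zmsTestInitializer.getAuditRef(), gm);
            // Both filter and expiration match: accepted.
            zmsTestInitializer.getZms().validateGroupPrincipal(groupResource, "OnShore-US", "elevated-clearance", null, "unittest");
            // The comparison is an exact match: a different filter or a different
            // expiration attribute is rejected even though the group has one set.
            assertGroupPrincipalRejected(groupResource, "OnShore-UK", null, null, "does not have same user authority filter");
            assertGroupPrincipalRejected(groupResource, "OnShore-US", "elevated-l2-clearance", null, "does not have same user authority expiration");

            // auditEnabled=true requires the group to be audit enabled; it is not yet.
            assertGroupPrincipalRejected(groupResource, null, null, true, "must be audit enabled");
            // auditEnabled=false imposes no such requirement.
            zmsTestInitializer.getZms().validateGroupPrincipal(groupResource, null, null, false, "unittest");
            // Once the group is marked audit enabled the check passes.
            GroupSystemMeta gsm = new GroupSystemMeta().setAuditEnabled(true);
            zmsTestInitializer.getZms().putGroupSystemMeta(zmsTestInitializer.getMockDomRsrcCtx(), domainName, groupName, "auditenabled", zmsTestInitializer.getAuditRef(), gsm);
            zmsTestInitializer.getZms().validateGroupPrincipal(groupResource, null, null, true, "unittest");
        } finally {
            // Domain cleanup runs even when an assertion above fails.
            zmsTestInitializer.getZms().deleteTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), domainName, zmsTestInitializer.getAuditRef());
        }
    } finally {
        zmsTestInitializer.getZms().dbService.zmsConfig.setUserAuthority(savedAuthority);
        zmsTestInitializer.getZms().userAuthority = savedAuthority;
    }
}

/**
 * Asserts that validateGroupPrincipal rejects the given combination with a
 * ResourceException whose message contains {@code expectedMessage}.
 *
 * @param groupResource fully qualified group resource name under test
 * @param userAuthorityFilter filter value passed to validateGroupPrincipal, may be null
 * @param userAuthorityExpiration expiration attribute passed to validateGroupPrincipal, may be null
 * @param auditEnabled audit flag passed to validateGroupPrincipal, may be null
 * @param expectedMessage fragment the rejection message must contain
 */
private void assertGroupPrincipalRejected(String groupResource, String userAuthorityFilter,
        String userAuthorityExpiration, Boolean auditEnabled, String expectedMessage) {
    try {
        zmsTestInitializer.getZms().validateGroupPrincipal(groupResource, userAuthorityFilter, userAuthorityExpiration, auditEnabled, "unittest");
        fail("expected validateGroupPrincipal to reject " + groupResource + " with: " + expectedMessage);
    } catch (ResourceException ex) {
        // Include the actual message so a mismatch is diagnosable from the report.
        assertTrue(ex.getMessage().contains(expectedMessage), ex.getMessage());
    }
}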
@Test
public void testIsSysAdminUserInvalidDomain() {
    // A principal whose domain is "sports" (service "nhl") rather than the user
    // domain must not be recognised as a system administrator.
    Authority debugAuthority = new com.yahoo.athenz.common.server.debug.DebugPrincipalAuthority();
    Principal sportsPrincipal = SimplePrincipal.create("sports", "nhl", "v=S1;d=sports;n=nhl;s=signature", 0, debugAuthority);
    assertNotNull(sportsPrincipal);
    boolean isSysAdmin = zmsTestInitializer.getZms().isSysAdminUser(sportsPrincipal);
    assertFalse(isSysAdmin);
}
@Test
public void testGetUserTokenMismatchName() {
    // The authenticated principal is user1; each of the three getUserToken requests
    // below names a different user ("user2", "_self", "self") and must be refused
    // with HTTP 401 rather than issuing a token for the wrong identity.
    final int unauthorized = 401;
    final String userId = "user1";
    Authority debugUserAuthority = new com.yahoo.athenz.common.server.debug.DebugUserAuthority();
    Principal principal = SimplePrincipal.create("user", userId, userId + ":password", 0, debugUserAuthority);
    assertNotNull(principal);
    ((SimplePrincipal) principal).setUnsignedCreds(userId);
    ResourceContext ctx = zmsTestInitializer.createResourceContext(principal);

    assertUserTokenRejected(ctx, "user2", null, unauthorized);
    assertUserTokenRejected(ctx, "_self", false, unauthorized);
    assertUserTokenRejected(ctx, "self", false, unauthorized);
}

/**
 * Calls getUserToken for {@code userName} on behalf of {@code ctx} and asserts the
 * request is rejected with a ResourceException carrying {@code expectedCode}.
 *
 * @param ctx resource context of the authenticated principal
 * @param userName user name requested in the token
 * @param flag value forwarded as the last getUserToken argument, may be null
 * @param expectedCode status code the rejection must carry
 */
private void assertUserTokenRejected(ResourceContext ctx, String userName, Boolean flag, int expectedCode) {
    try {
        zmsTestInitializer.getZms().getUserToken(ctx, userName, null, flag);
        fail("unauthorizederror not thrown.");
    } catch (ResourceException ex) {
        assertEquals(ex.getCode(), expectedCode);
    }
}
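@Test
public void testReceiveSignedDomainDataAuditExpiryFields() {
    // Verifies that the audit, expiry and user-authority-filter settings of a domain
    // round-trip unchanged into the signed domain data returned by
    // retrieveSignedDomainData, so consumers of the signed copy see the same
    // constraints that were configured on the domain.
    final String domainName = "signed-dom-fields";
    TopLevelDomain dom1 = zmsTestInitializer.createTopLevelDomainObject(domainName, "Test Domain1", "testOrg", zmsTestInitializer.getAdminUser());
    dom1.setAuditEnabled(true);
    dom1.setTokenExpiryMins(10);
    dom1.setRoleCertExpiryMins(20);
    dom1.setServiceCertExpiryMins(30);
    dom1.setDescription("test description");
    dom1.setCertDnsDomain("test dns domain");
    dom1.setOrg("org");
    dom1.setUserAuthorityFilter("OnShore-US");
    dom1.setMemberExpiryDays(40);
    dom1.setGroupExpiryDays(50);
    dom1.setServiceExpiryDays(60);

    // The domain carries a user-authority filter, so the admin user must satisfy it
    // for the domain to be created; mock an authority that reports it as set.
    Authority authority = Mockito.mock(Authority.class);
    when(authority.getDateAttribute("user.testadminuser", "elevated-clearance")).thenReturn(new Date());
    when(authority.isAttributeSet("user.testadminuser", "OnShore-US")).thenReturn(true);
    Set<String> attrs = new HashSet<>();
    attrs.add("OnShore-US");
    attrs.add("elevated-clearance");
    when(authority.booleanAttributesSupported()).thenReturn(attrs);
    when(authority.dateAttributesSupported()).thenReturn(attrs);

    // The user authority is shared server state; restore it in a finally block so a
    // failing assertion cannot leave the mock in place for later tests.
    Authority savedAuthority = zmsTestInitializer.getZms().userAuthority;
    zmsTestInitializer.getZms().userAuthority = authority;
    zmsTestInitializer.getZms().dbService.zmsConfig.setUserAuthority(authority);
    try {
        zmsTestInitializer.getZms().postTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), zmsTestInitializer.getAuditRef(), dom1);
        try {
            // A modified timestamp of 0 asks for the domain regardless of freshness;
            // the comment on the original test says this is served from cache.
            Domain dom = new Domain().setName(domainName).setModified(Timestamp.fromMillis(0));
            SignedDomain signedDomain = zmsTestInitializer.getZms().retrieveSignedDomainData(dom, false, false);
            DomainData signed = signedDomain.getDomain();
            assertTrue(signed.getAuditEnabled());
            // TestNG assertEquals takes (actual, expected); kept consistent with the
            // rest of this file.
            assertEquals(signed.getTokenExpiryMins(), Integer.valueOf(10));
            assertEquals(signed.getRoleCertExpiryMins(), Integer.valueOf(20));
            assertEquals(signed.getServiceCertExpiryMins(), Integer.valueOf(30));
            assertEquals(signed.getDescription(), "test description");
            assertEquals(signed.getCertDnsDomain(), "test dns domain");
            assertEquals(signed.getOrg(), "org");
            assertEquals(signed.getUserAuthorityFilter(), "OnShore-US");
            assertEquals(signed.getMemberExpiryDays(), Integer.valueOf(40));
            assertEquals(signed.getGroupExpiryDays(), Integer.valueOf(50));
            assertEquals(signed.getServiceExpiryDays(), Integer.valueOf(60));
        } finally {
            // Domain cleanup runs even when an assertion above fails.
            zmsTestInitializer.getZms().deleteTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), domainName, zmsTestInitializer.getAuditRef());
        }
    } finally {
        zmsTestInitializer.getZms().userAuthority = savedAuthority;
        zmsTestInitializer.getZms().dbService.zmsConfig.setUserAuthority(savedAuthority);
    }
}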
@Test
public void testVirtualHomeDomainDifferentUserHome() {
    // A virtual home domain whose name ("home.john-smith") differs from the user's
    // own name must still be owned solely by the requesting user: its admin role
    // holds exactly that one member, and an admin policy is present.
    Authority debugAuthority = new com.yahoo.athenz.common.server.debug.DebugPrincipalAuthority();
    Principal johnSmith = SimplePrincipal.create("user", "john.smith", "v=U1;d=user;n=john.smith;s=signature", 0, debugAuthority);
    AthenzDomain homeDomain = zmsTestInitializer.getZms().virtualHomeDomain(johnSmith, "home.john-smith");
    assertNotNull(homeDomain);

    List<Role> roles = homeDomain.getRoles();
    assertNotNull(roles);
    Role adminRole = roles.stream()
            .filter(role -> role.getName().equals("home.john-smith:role.admin"))
            .findFirst()
            .orElse(null);
    assertNotNull(adminRole);
    List<RoleMember> members = adminRole.getRoleMembers();
    assertEquals(members.size(), 1);
    assertEquals(members.get(0).getMemberName(), "user.john.smith");

    List<Policy> policies = homeDomain.getPolicies();
    assertNotNull(policies);
    Policy adminPolicy = policies.stream()
            .filter(policy -> policy.getName().equals("home.john-smith:policy.admin"))
            .findFirst()
            .orElse(null);
    assertNotNull(adminPolicy);
}