@Test
public void testPutTenantResourceGroupRolesNull() {
    // Authenticate an ordinary user through the debug authority and build a
    // request context for it; the request body is an empty roles object.
    Authority debugAuthority = new com.yahoo.athenz.common.server.debug.DebugPrincipalAuthority();
    Principal user1 = debugAuthority.authenticate("v=U1;d=user;n=user1;s=signature", "10.11.12.13", "GET", null);
    ResourceContext user1Ctx = zmsTestInitializer.createResourceContext(user1);
    TenantResourceGroupRoles emptyRoles = new TenantResourceGroupRoles();

    // Every path identifier (provider domain/service, tenant domain, resource
    // group, audit ref) is null: the server is expected to reject the call
    // with 400 instead of attempting to process it.
    int statusCode = 0;
    try {
        zmsTestInitializer.getZms().putTenantResourceGroupRoles(user1Ctx, null, null, null, null, null, emptyRoles);
    } catch (ResourceException ex) {
        statusCode = ex.getCode();
    }
    assertEquals(statusCode, 400);
}
@Test
public void testGetAuditLogMsgBuilderTokenWithSig() {
    final String userId = "user1";
    final String signature = "ABRACADABRA";
    final String unsignedCreds = "v=U1;d=user;n=user1";
    final String signedCreds = unsignedCreds + ";s=" + signature;

    // Principal whose full credential string carries a signature, but whose
    // "unsigned" credentials are recorded separately.
    Authority debugAuthority = new com.yahoo.athenz.common.server.debug.DebugPrincipalAuthority();
    Principal principal = SimplePrincipal.create("user", userId, signedCreds, 0, debugAuthority);
    assertNotNull(principal);
    ((SimplePrincipal) principal).setUnsignedCreds(unsignedCreds);
    ResourceContext ctx = zmsTestInitializer.createResourceContext(principal);

    AuditLogMsgBuilder builder = ZMSUtils.getAuditLogMsgBuilder(ctx, zmsTestInitializer.getAuditLogger(),
            "mydomain", zmsTestInitializer.getAuditRef(), "myapi", "PUT");
    assertNotNull(builder);

    // The audit "who" field must identify the caller but must not carry the
    // token signature: the signature is credential material and audit logs
    // are not a safe place for it.
    String who = builder.who();
    assertNotNull(who);
    assertTrue(who.contains(userId));
    assertFalse(who.contains(signature), "Should not contain the signature: " + who);
}
@Test
public void testDeletePendingMembershipAdminRequest() {
    final String domainName = "delete-pending";
    final String roleName = "testrole1";
    final String pendingMember = "user.bob";

    // Create an audit-enabled domain whose org has an approver (user.fury), so
    // that a membership added as unapproved lands in the pending queue.
    TopLevelDomain domain = zmsTestInitializer.createTopLevelDomainObject(domainName,
            "delete pending membership", "testOrg", "user.user1");
    zmsTestInitializer.getZms().postTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(),
            zmsTestInitializer.getAuditRef(), domain);
    // NOTE(review): approval setup uses "testorg" while the domain was created
    // with "testOrg" and the cleanup at the end passes "testOrg"; confirm these
    // helpers treat org names case-insensitively.
    setupPrincipalAuditedRoleApprovalByOrg(zmsTestInitializer.getZms(), "user.fury", "testorg");

    DomainMeta meta = zmsTestInitializer.createDomainMetaObject("Domain Meta for approval test",
            "testorg", true, true, "12345", 1001);
    zmsTestInitializer.getZms().putDomainMeta(zmsTestInitializer.getMockDomRsrcCtx(), domainName,
            zmsTestInitializer.getAuditRef(), meta);
    zmsTestInitializer.getZms().putDomainSystemMeta(zmsTestInitializer.getMockDomRsrcCtx(), domainName,
            "auditenabled", zmsTestInitializer.getAuditRef(), meta);
    zmsTestInitializer.setupPrincipalSystemMetaDelete(zmsTestInitializer.getZms(),
            zmsTestInitializer.getMockDomRsrcCtx().principal().getFullName(), domainName, "org");
    zmsTestInitializer.getZms().putDomainSystemMeta(zmsTestInitializer.getMockDomRsrcCtx(), domainName,
            "org", zmsTestInitializer.getAuditRef(), meta);

    // Audit-enabled role with two existing members.
    Role auditedRole = zmsTestInitializer.createRoleObject(domainName, roleName, null, "user.john", "user.jane");
    zmsTestInitializer.getZms().putRole(zmsTestInitializer.getMockDomRsrcCtx(), domainName, roleName,
            zmsTestInitializer.getAuditRef(), auditedRole);
    RoleSystemMeta roleMeta = createRoleSystemMetaObject(true);
    zmsTestInitializer.getZms().putRoleSystemMeta(zmsTestInitializer.getMockDomRsrcCtx(), domainName, roleName,
            "auditenabled", zmsTestInitializer.getAuditRef(), roleMeta);

    // Add user.bob as an inactive, unapproved member.
    Membership pending = new Membership();
    pending.setMemberName(pendingMember);
    pending.setActive(false);
    pending.setApproved(false);
    zmsTestInitializer.getZms().putMembership(zmsTestInitializer.getMockDomRsrcCtx(), domainName, roleName,
            pendingMember, zmsTestInitializer.getAuditRef(), pending);

    // The approver should now see exactly one pending entry: user.bob in testrole1.
    DomainRoleMembership pendingList = zmsTestInitializer.getZms().getPendingDomainRoleMembersList(
            zmsTestInitializer.getMockDomRsrcCtx(), "user.fury", null);
    assertNotNull(pendingList);
    assertNotNull(pendingList.getDomainRoleMembersList());
    assertEquals(pendingList.getDomainRoleMembersList().size(), 1);
    DomainRoleMembers domainMembers = pendingList.getDomainRoleMembersList().get(0);
    assertEquals(domainMembers.getDomainName(), domainName);
    assertNotNull(domainMembers.getMembers());
    for (DomainRoleMember member : domainMembers.getMembers()) {
        assertNotNull(member);
        assertEquals(member.getMemberName(), pendingMember);
        for (MemberRole memberRole : member.getMemberRoles()) {
            assertNotNull(memberRole);
            assertEquals(memberRole.getRoleName(), roleName);
        }
    }

    // A principal that is not the domain admin context (user.jane) must not be
    // able to delete someone else's pending request: expect 403, not removal.
    Authority debugAuthority = new com.yahoo.athenz.common.server.debug.DebugPrincipalAuthority();
    final String janeUnsignedCreds = "v=U1;d=user;n=jane";
    Principal jane = SimplePrincipal.create("user", "jane", janeUnsignedCreds + ";s=signature", 0, debugAuthority);
    assertNotNull(jane);
    ((SimplePrincipal) jane).setUnsignedCreds(janeUnsignedCreds);
    ResourceContext janeCtx = zmsTestInitializer.createResourceContext(jane);
    expectDeletePendingMembershipFailure(janeCtx, domainName, roleName, pendingMember, 403);

    // The admin context may delete it; afterwards nothing is pending for the approver.
    zmsTestInitializer.getZms().deletePendingMembership(zmsTestInitializer.getMockDomRsrcCtx(), domainName,
            roleName, pendingMember, zmsTestInitializer.getAuditRef());
    pendingList = zmsTestInitializer.getZms().getPendingDomainRoleMembersList(
            zmsTestInitializer.getMockDomRsrcCtx(), "user.fury", null);
    assertNotNull(pendingList);
    assertTrue(pendingList.getDomainRoleMembersList().isEmpty());

    // Unknown member and unknown domain both surface as 404.
    expectDeletePendingMembershipFailure(zmsTestInitializer.getMockDomRsrcCtx(), domainName, roleName,
            "user.bob2", 404);
    expectDeletePendingMembershipFailure(zmsTestInitializer.getMockDomRsrcCtx(), "unkwown-domain", roleName,
            "user.bob2", 404);

    zmsTestInitializer.cleanupPrincipalSystemMetaDelete(zmsTestInitializer.getZms());
    cleanupPrincipalAuditedRoleApprovalByOrg(zmsTestInitializer.getZms(), "testOrg");
    zmsTestInitializer.getZms().deleteTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), domainName,
            zmsTestInitializer.getAuditRef());
}

/**
 * Calls deletePendingMembership with the given context/identifiers and asserts
 * that it is rejected with a ResourceException carrying {@code expectedCode}.
 */
private void expectDeletePendingMembershipFailure(ResourceContext ctx, String domainName, String roleName,
        String memberName, int expectedCode) {
    try {
        zmsTestInitializer.getZms().deletePendingMembership(ctx, domainName, roleName, memberName,
                zmsTestInitializer.getAuditRef());
        fail();
    } catch (ResourceException ex) {
        assertEquals(ex.getCode(), expectedCode);
    }
}
@Test
public void testGetAccessExt() {
    final String domainName = "AccessDomExt1";
    TopLevelDomain domain = zmsTestInitializer.createTopLevelDomainObject(domainName, "Test Domain1",
            "testOrg", zmsTestInitializer.getAdminUser());
    zmsTestInitializer.getZms().postTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(),
            zmsTestInitializer.getAuditRef(), domain);

    // Role1 = {user1, user3}; Role2 = {user2, user3}.
    Role role1 = zmsTestInitializer.createRoleObject(domainName, "Role1", null, "user.user1", "user.user3");
    zmsTestInitializer.getZms().putRole(zmsTestInitializer.getMockDomRsrcCtx(), domainName, "Role1",
            zmsTestInitializer.getAuditRef(), role1);
    Role role2 = zmsTestInitializer.createRoleObject(domainName, "Role2", null, "user.user2", "user.user3");
    zmsTestInitializer.getZms().putRole(zmsTestInitializer.getMockDomRsrcCtx(), domainName, "Role2",
            zmsTestInitializer.getAuditRef(), role2);

    // Five ALLOW policies covering literal, parenthesised, wildcard, bracketed
    // and URL-shaped resource names.
    Policy policy1 = zmsTestInitializer.createPolicyObject(domainName, "Policy1", "Role1", "UPDATE",
            domainName + ":resource1/resource2", AssertionEffect.ALLOW);
    zmsTestInitializer.getZms().putPolicy(zmsTestInitializer.getMockDomRsrcCtx(), domainName, "Policy1",
            zmsTestInitializer.getAuditRef(), policy1);
    Policy policy2 = zmsTestInitializer.createPolicyObject(domainName, "Policy2", "Role2", "CREATE",
            domainName + ":resource2(resource3)", AssertionEffect.ALLOW);
    zmsTestInitializer.getZms().putPolicy(zmsTestInitializer.getMockDomRsrcCtx(), domainName, "Policy2",
            zmsTestInitializer.getAuditRef(), policy2);
    Policy policy3 = zmsTestInitializer.createPolicyObject(domainName, "Policy3", "Role2", "*",
            domainName + ":resource3/*", AssertionEffect.ALLOW);
    zmsTestInitializer.getZms().putPolicy(zmsTestInitializer.getMockDomRsrcCtx(), domainName, "Policy3",
            zmsTestInitializer.getAuditRef(), policy3);
    Policy policy4 = zmsTestInitializer.createPolicyObject(domainName, "Policy4", "Role1", "READ",
            domainName + ":resource4[*]/data1", AssertionEffect.ALLOW);
    zmsTestInitializer.getZms().putPolicy(zmsTestInitializer.getMockDomRsrcCtx(), domainName, "Policy4",
            zmsTestInitializer.getAuditRef(), policy4);
    Policy policy5 = zmsTestInitializer.createPolicyObject(domainName, "Policy5", "Role2", "access",
            domainName + ":https://*.athenz.com/*", AssertionEffect.ALLOW);
    zmsTestInitializer.getZms().putPolicy(zmsTestInitializer.getMockDomRsrcCtx(), domainName, "Policy5",
            zmsTestInitializer.getAuditRef(), policy5);

    // One request context per user, all authenticated through the debug authority.
    Authority debugAuthority = new com.yahoo.athenz.common.server.debug.DebugPrincipalAuthority();
    ResourceContext user1Ctx = zmsTestInitializer.createResourceContext(
            debugAuthority.authenticate("v=U1;d=user;n=user1;s=signature", "10.11.12.13", "GET", null));
    ResourceContext user2Ctx = zmsTestInitializer.createResourceContext(
            debugAuthority.authenticate("v=U1;d=user;n=user2;s=signature", "10.11.12.13", "GET", null));
    ResourceContext user3Ctx = zmsTestInitializer.createResourceContext(
            debugAuthority.authenticate("v=U1;d=user;n=user3;s=signature", "10.11.12.13", "GET", null));

    // Policy1: only Role1 members may UPDATE resource1/resource2, and only that exact resource.
    assertAccessExtDecision(user1Ctx, "UPDATE", domainName + ":resource1/resource2", domainName, true);
    assertAccessExtDecision(user1Ctx, "UPDATE", domainName + ":resource1/resource3", domainName, false);
    assertAccessExtDecision(user2Ctx, "UPDATE", domainName + ":resource1/resource2", domainName, false);
    assertAccessExtDecision(user3Ctx, "UPDATE", domainName + ":resource1/resource2", domainName, true);

    // No policy grants CREATE on resource1/resource2 to anyone.
    assertAccessExtDecision(user1Ctx, "CREATE", domainName + ":resource1/resource2", domainName, false);
    assertAccessExtDecision(user2Ctx, "CREATE", domainName + ":resource1/resource2", domainName, false);
    assertAccessExtDecision(user3Ctx, "CREATE", domainName + ":resource1/resource2", domainName, false);

    // Policy2: Role2 members may CREATE resource2(resource3); parentheses are literal.
    assertAccessExtDecision(user1Ctx, "CREATE", domainName + ":resource2(resource3)", domainName, false);
    assertAccessExtDecision(user2Ctx, "CREATE", domainName + ":resource2(resource3)", domainName, true);
    assertAccessExtDecision(user3Ctx, "CREATE", domainName + ":resource2(resource3)", domainName, true);

    // Policy3: Role2 members get any action on resource3/*; the bare "resource3"
    // (no trailing path) is not covered, and user1 is not in Role2.
    assertAccessExtDecision(user1Ctx, "CREATE", domainName + ":resource3", domainName, false);
    assertAccessExtDecision(user2Ctx, "CREATE", domainName + ":resource3/test1", domainName, true);
    assertAccessExtDecision(user3Ctx, "CREATE", domainName + ":resource3/anothertest", domainName, true);
    assertAccessExtDecision(user1Ctx, "UPDATE", domainName + ":resource3", domainName, false);
    assertAccessExtDecision(user2Ctx, "UPDATE", domainName + ":resource3/(another value)", domainName, true);
    assertAccessExtDecision(user3Ctx, "UPDATE", domainName + ":resource3/a", domainName, true);

    // Policy4: Role1 members may READ resource4[*]/data1; the bracketed segment
    // is a wildcard and the action is matched case-insensitively ("read").
    assertAccessExtDecision(user1Ctx, "read", domainName + ":resource4[test1]/data1", domainName, true);
    assertAccessExtDecision(user2Ctx, "read", domainName + ":resource4[test1]/data1", domainName, false);
    assertAccessExtDecision(user3Ctx, "read", domainName + ":resource4[test another]/data1", domainName, true);

    // Policy5: Role2 members get "access" to https://*.athenz.com/*; a different
    // registrable domain (athenz.org) must not match the wildcard host.
    assertAccessExtDecision(user1Ctx, "access", domainName + ":https://web.athenz.com/data", domainName, false);
    assertAccessExtDecision(user2Ctx, "access", domainName + ":https://web.athenz.com/data", domainName, true);
    assertAccessExtDecision(user2Ctx, "access", domainName + ":https://web.athenz.org/data", domainName, false);
    assertAccessExtDecision(user3Ctx, "access", domainName + ":https://web-store.athenz.com/data/path",
            domainName, true);

    zmsTestInitializer.getZms().deleteTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), domainName,
            zmsTestInitializer.getAuditRef());
}

/**
 * Evaluates getAccessExt for the given principal context, action and resource
 * (no trust domain) and asserts the granted flag equals {@code expectGranted}.
 */
private void assertAccessExtDecision(ResourceContext ctx, String action, String resource,
        String domainName, boolean expectGranted) {
    Access access = zmsTestInitializer.getZms().getAccessExt(ctx, action, resource, domainName, null);
    if (expectGranted) {
        assertTrue(access.getGranted());
    } else {
        assertFalse(access.getGranted());
    }
}
@Test
public void testGetSignedDomainsWithMetaAttrs() {
    // SignedDom1: account 12345 and a product id (987654103).
    TopLevelDomain dom1 = zmsTestInitializer.createTopLevelDomainObject("SignedDom1", "Test Domain1",
            "testOrg", zmsTestInitializer.getAdminUser());
    zmsTestInitializer.getZms().postTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(),
            zmsTestInitializer.getAuditRef(), dom1);
    DomainMeta dom1Meta = zmsTestInitializer.createDomainMetaObject("Tenant Domain1", null, true, false,
            "12345", 0);
    zmsTestInitializer.getZms().putDomainMeta(zmsTestInitializer.getMockDomRsrcCtx(), "signeddom1",
            zmsTestInitializer.getAuditRef(), dom1Meta);
    dom1Meta = zmsTestInitializer.createDomainMetaObject("Tenant Domain1", null, true, false,
            "12345", 987654103);
    zmsTestInitializer.getZms().putDomainSystemMeta(zmsTestInitializer.getMockDomRsrcCtx(), "signeddom1",
            "account", zmsTestInitializer.getAuditRef(), dom1Meta);
    zmsTestInitializer.getZms().putDomainSystemMeta(zmsTestInitializer.getMockDomRsrcCtx(), "signeddom1",
            "productid", zmsTestInitializer.getAuditRef(), dom1Meta);

    // SignedDom2: account 12346 but no product id (explicitly set to null, which
    // requires the system-meta delete permission).
    TopLevelDomain dom2 = zmsTestInitializer.createTopLevelDomainObject("SignedDom2", "Test Domain2",
            "testOrg", zmsTestInitializer.getAdminUser());
    zmsTestInitializer.getZms().postTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(),
            zmsTestInitializer.getAuditRef(), dom2);
    DomainMeta dom2Meta = zmsTestInitializer.createDomainMetaObject("Tenant Domain2", null, true, false,
            "12346", null);
    zmsTestInitializer.getZms().putDomainMeta(zmsTestInitializer.getMockDomRsrcCtx(), "signeddom2",
            zmsTestInitializer.getAuditRef(), dom2Meta);
    dom2Meta = zmsTestInitializer.createDomainMetaObject("Tenant Domain2", null, true, false, "12346", null);
    zmsTestInitializer.getZms().putDomainSystemMeta(zmsTestInitializer.getMockDomRsrcCtx(), "signeddom2",
            "account", zmsTestInitializer.getAuditRef(), dom2Meta);
    zmsTestInitializer.setupPrincipalSystemMetaDelete(zmsTestInitializer.getZms(),
            zmsTestInitializer.getMockDomRsrcCtx().principal().getFullName(), "signeddom2", "productid");
    dom2Meta = zmsTestInitializer.createDomainMetaObject("Tenant Domain2", null, true, false, "12346", null);
    zmsTestInitializer.getZms().putDomainSystemMeta(zmsTestInitializer.getMockDomRsrcCtx(), "signeddom2",
            "productid", zmsTestInitializer.getAuditRef(), dom2Meta);
    zmsTestInitializer.cleanupPrincipalSystemMetaDelete(zmsTestInitializer.getZms());

    DomainList allDomains = zmsTestInitializer.getZms().getDomainList(zmsTestInitializer.getMockDomRsrcCtx(),
            null, null, null, null, null, null, null, null, null, null, null, null, null);
    assertNotNull(allDomains);

    // Install the test signing key, then query as a system principal (sys.zts).
    zmsTestInitializer.getZms().privateKey = new ServerPrivateKey(
            Crypto.loadPrivateKey(Crypto.ybase64DecodeString(zmsTestInitializer.getPrivKey())), "0");
    Authority debugAuthority = new com.yahoo.athenz.common.server.debug.DebugPrincipalAuthority();
    Principal ztsPrincipal = debugAuthority.authenticate("v=U1;d=sys;n=zts;s=signature", "10.11.12.13",
            "GET", null);
    ResourceContext ztsCtx = zmsTestInitializer.createResourceContext(ztsPrincipal);

    // Filtering on the "ypmid" meta attribute: only the domain carrying a
    // product id (signeddom1) should come back; signeddom2 must be excluded.
    List<SignedDomain> signedDomains = fetchSignedDomainsWithYpmId(ztsCtx, null);
    boolean sawDom1 = false;
    boolean sawDom2 = false;
    for (SignedDomain signedDomain : signedDomains) {
        String name = signedDomain.getDomain().getName();
        if (name.equals("signeddom1")) {
            sawDom1 = true;
        } else if (name.equals("signeddom2")) {
            sawDom2 = true;
        }
    }
    assertTrue(sawDom1);
    assertFalse(sawDom2);

    // Same filter but naming the domain explicitly: signeddom1 is returned ...
    signedDomains = fetchSignedDomainsWithYpmId(ztsCtx, "signeddom1");
    assertEquals(signedDomains.size(), 1);
    assertEquals(signedDomains.get(0).getDomain().getName(), "signeddom1");

    // ... and signeddom2 yields an empty result rather than an error.
    signedDomains = fetchSignedDomainsWithYpmId(ztsCtx, "signeddom2");
    assertEquals(signedDomains.size(), 0);

    zmsTestInitializer.getZms().deleteTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), "SignedDom1",
            zmsTestInitializer.getAuditRef());
    zmsTestInitializer.getZms().deleteTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), "SignedDom2",
            zmsTestInitializer.getAuditRef());
}

/**
 * Requests signed domains with metaOnly=true and metaAttr="ypmid" (optionally
 * restricted to {@code domainName}), asserting the response entity and its
 * domain list are non-null, and returns that list.
 */
private List<SignedDomain> fetchSignedDomainsWithYpmId(ResourceContext ctx, String domainName) {
    Response response = zmsTestInitializer.getZms().getSignedDomains(ctx, domainName, "true", "ypmid",
            Boolean.TRUE, false, null);
    SignedDomains signedDomains = (SignedDomains) response.getEntity();
    assertNotNull(signedDomains);
    List<SignedDomain> domains = signedDomains.getDomains();
    assertNotNull(domains);
    return domains;
}