
Example 26 with Authority

use of com.yahoo.athenz.auth.Authority in project athenz by yahoo.

the class ZMSImplTest method testUpdateRoleMemberUserAuthorityExpiry.

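@Test
public void testUpdateRoleMemberUserAuthorityExpiry() {
    // Exercises updateRoleMemberUserAuthorityExpiry on a role whose
    // user-authority expiration attribute is "elevated-clearance":
    //  - no user authority configured -> member expirations stay untouched
    //  - a USER member lacking the date attribute -> ResourceException naming it
    //  - SERVICE members are skipped; USER members with the attribute get a date
    Role role = new Role().setUserAuthorityExpiration("elevated-clearance");
    List<RoleMember> members = new ArrayList<>();
    members.add(new RoleMember().setMemberName("user.john").setPrincipalType(Principal.Type.USER.getValue()));
    members.add(new RoleMember().setMemberName("user.joe").setPrincipalType(Principal.Type.USER.getValue()));
    role.setRoleMembers(members);
    Authority savedAuthority = zmsTestInitializer.getZms().userAuthority;
    // the shared server instance's user authority is replaced below; it is
    // restored in finally so a failing assertion cannot leak null or the mock
    // into whichever test runs next
    try {
        zmsTestInitializer.getZms().userAuthority = null;
        // with authority null we always get no changes
        zmsTestInitializer.getZms().updateRoleMemberUserAuthorityExpiry(role, "unit-test");
        assertNull(role.getRoleMembers().get(0).getExpiration());
        assertNull(role.getRoleMembers().get(1).getExpiration());
        Authority authority = Mockito.mock(Authority.class);
        when(authority.getDateAttribute("user.john", "elevated-clearance")).thenReturn(new Date());
        when(authority.getDateAttribute("user.jane", "elevated-clearance")).thenReturn(new Date());
        // user.joe has no clearance date, so a role containing it must be rejected
        when(authority.getDateAttribute("user.joe", "elevated-clearance")).thenReturn(null);
        zmsTestInitializer.getZms().userAuthority = authority;
        try {
            zmsTestInitializer.getZms().updateRoleMemberUserAuthorityExpiry(role, "unit-test");
            fail();
        } catch (ResourceException ex) {
            assertTrue(ex.getMessage().contains("Invalid member: user.joe"));
        }
        // let's have one valid user and one service
        members = new ArrayList<>();
        members.add(new RoleMember().setMemberName("user.john").setPrincipalType(Principal.Type.USER.getValue()));
        members.add(new RoleMember().setMemberName("sports.api").setPrincipalType(Principal.Type.SERVICE.getValue()));
        role.setRoleMembers(members);
        // the user will have an expiration while service is skipped
        zmsTestInitializer.getZms().updateRoleMemberUserAuthorityExpiry(role, "unit-test");
        assertNotNull(role.getRoleMembers().get(0).getExpiration());
        assertNull(role.getRoleMembers().get(1).getExpiration());
        // now let's have only user members
        members = new ArrayList<>();
        members.add(new RoleMember().setMemberName("user.john").setPrincipalType(Principal.Type.USER.getValue()));
        members.add(new RoleMember().setMemberName("user.jane").setPrincipalType(Principal.Type.USER.getValue()));
        role.setRoleMembers(members);
        zmsTestInitializer.getZms().updateRoleMemberUserAuthorityExpiry(role, "unit-test");
        assertNotNull(role.getRoleMembers().get(0).getExpiration());
        assertNotNull(role.getRoleMembers().get(1).getExpiration());
    } finally {
        zmsTestInitializer.getZms().userAuthority = savedAuthority;
    }
}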

Example 27 with Authority

use of com.yahoo.athenz.auth.Authority in project athenz by yahoo.

the class ZMSImplTest method testGetAccessHomeDomainDisabled.

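@Test
public void testGetAccessHomeDomainDisabled() {
    // With virtual (home) domains disabled, an access check against the
    // user's own home domain must fail with 404 for every action, not just
    // for READ.
    System.setProperty(ZMSConsts.ZMS_PROP_VIRTUAL_DOMAIN, "false");
    // the property is process-wide; clear it in finally so a failing
    // assertion does not leave virtual domains disabled for later tests
    try {
        ZMSImpl zmsTest = zmsTestInitializer.zmsInit();
        Authority principalAuthority = new com.yahoo.athenz.common.server.debug.DebugPrincipalAuthority();
        Principal pJane = principalAuthority.authenticate("v=U1;d=user;n=jane;s=signature", "10.11.12.13", "GET", null);
        ResourceContext rsrcCtxJane = zmsTestInitializer.createResourceContext(pJane);
        for (String action : new String[] {"READ", "WRITE", "UPDATE"}) {
            try {
                zmsTest.getAccess(rsrcCtxJane, action, "user.jane:Resource1", null, null);
                fail("expected 404 for action " + action);
            } catch (ResourceException ex) {
                assertEquals(ex.getCode(), 404, "unexpected code for action " + action);
            }
        }
    } finally {
        System.clearProperty(ZMSConsts.ZMS_PROP_VIRTUAL_DOMAIN);
    }
}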

Example 28 with Authority

use of com.yahoo.athenz.auth.Authority in project athenz by yahoo.

the class ZMSImplTest method testDeletePendingMembershipSelfServeRequest.

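@Test
public void testDeletePendingMembershipSelfServeRequest() {
    // A pending self-serve membership request may be withdrawn by the
    // principal that filed it (user.joe) but not by another principal
    // (user.jane, expected 403). After the withdrawal the pending list
    // for the approver must be empty.
    final String domainName = "delete-pending-self-serve";
    TopLevelDomain dom1 = zmsTestInitializer.createTopLevelDomainObject(domainName, "delete pending membership", "testOrg", "user.user1");
    zmsTestInitializer.getZms().postTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), zmsTestInitializer.getAuditRef(), dom1);
    // everything after domain creation runs under try/finally so the domain
    // and the principal setup are torn down even when an assertion fails;
    // a leftover domain breaks any later test that creates the same name
    try {
        setupPrincipalAuditedRoleApprovalByOrg(zmsTestInitializer.getZms(), "user.fury", "testorg");
        DomainMeta meta = zmsTestInitializer.createDomainMetaObject("Domain Meta for approval test", "testorg", true, true, "12345", 1001);
        zmsTestInitializer.getZms().putDomainMeta(zmsTestInitializer.getMockDomRsrcCtx(), domainName, zmsTestInitializer.getAuditRef(), meta);
        zmsTestInitializer.getZms().putDomainSystemMeta(zmsTestInitializer.getMockDomRsrcCtx(), domainName, "auditenabled", zmsTestInitializer.getAuditRef(), meta);
        zmsTestInitializer.setupPrincipalSystemMetaDelete(zmsTestInitializer.getZms(), zmsTestInitializer.getMockDomRsrcCtx().principal().getFullName(), domainName, "org");
        zmsTestInitializer.getZms().putDomainSystemMeta(zmsTestInitializer.getMockDomRsrcCtx(), domainName, "org", zmsTestInitializer.getAuditRef(), meta);
        Role auditedRole = zmsTestInitializer.createRoleObject(domainName, "testrole1", null, "user.john", "user.jane");
        zmsTestInitializer.getZms().putRole(zmsTestInitializer.getMockDomRsrcCtx(), domainName, "testrole1", zmsTestInitializer.getAuditRef(), auditedRole);
        RoleSystemMeta rsm = createRoleSystemMetaObject(true);
        zmsTestInitializer.getZms().putRoleSystemMeta(zmsTestInitializer.getMockDomRsrcCtx(), domainName, "testrole1", "auditenabled", zmsTestInitializer.getAuditRef(), rsm);
        RoleMeta rm = new RoleMeta().setSelfServe(true);
        zmsTestInitializer.getZms().putRoleMeta(zmsTestInitializer.getMockDomRsrcCtx(), domainName, "testrole1", zmsTestInitializer.getAuditRef(), rm);
        // user.joe is going to add user.bob in the self serve role
        Authority principalAuthority = new com.yahoo.athenz.common.server.debug.DebugPrincipalAuthority();
        String unsignedCreds = "v=U1;d=user;n=joe";
        Principal rsrcPrince = SimplePrincipal.create("user", "joe", unsignedCreds + ";s=signature", 0, principalAuthority);
        assertNotNull(rsrcPrince);
        ((SimplePrincipal) rsrcPrince).setUnsignedCreds(unsignedCreds);
        ResourceContext ctxJoe = zmsTestInitializer.createResourceContext(rsrcPrince);
        Membership mbr = new Membership();
        mbr.setMemberName("user.bob");
        mbr.setActive(false);
        mbr.setApproved(false);
        zmsTestInitializer.getZms().putMembership(ctxJoe, domainName, "testrole1", "user.bob", zmsTestInitializer.getAuditRef(), mbr);
        // first request using admin principal
        DomainRoleMembership domainRoleMembership = zmsTestInitializer.getZms().getPendingDomainRoleMembersList(zmsTestInitializer.getMockDomRsrcCtx(), "user.fury", null);
        assertNotNull(domainRoleMembership);
        assertNotNull(domainRoleMembership.getDomainRoleMembersList());
        assertEquals(domainRoleMembership.getDomainRoleMembersList().size(), 1);
        for (DomainRoleMembers drm : domainRoleMembership.getDomainRoleMembersList()) {
            assertEquals(drm.getDomainName(), domainName);
            assertNotNull(drm.getMembers());
            for (DomainRoleMember mem : drm.getMembers()) {
                assertNotNull(mem);
                assertEquals(mem.getMemberName(), "user.bob");
                for (MemberRole mr : mem.getMemberRoles()) {
                    assertNotNull(mr);
                    assertEquals(mr.getRoleName(), "testrole1");
                }
            }
        }
        // first try to delete the pending request without proper authorization
        unsignedCreds = "v=U1;d=user;n=jane";
        rsrcPrince = SimplePrincipal.create("user", "jane", unsignedCreds + ";s=signature", 0, principalAuthority);
        assertNotNull(rsrcPrince);
        ((SimplePrincipal) rsrcPrince).setUnsignedCreds(unsignedCreds);
        ResourceContext ctxJane = zmsTestInitializer.createResourceContext(rsrcPrince);
        try {
            zmsTestInitializer.getZms().deletePendingMembership(ctxJane, domainName, "testrole1", "user.bob", zmsTestInitializer.getAuditRef());
            fail();
        } catch (ResourceException ex) {
            assertEquals(ex.getCode(), 403);
        }
        // repeat the request using joe principal
        zmsTestInitializer.getZms().deletePendingMembership(ctxJoe, domainName, "testrole1", "user.bob", zmsTestInitializer.getAuditRef());
        // check the list to see there are no pending requests
        domainRoleMembership = zmsTestInitializer.getZms().getPendingDomainRoleMembersList(zmsTestInitializer.getMockDomRsrcCtx(), "user.fury", null);
        assertNotNull(domainRoleMembership);
        assertTrue(domainRoleMembership.getDomainRoleMembersList().isEmpty());
    } finally {
        zmsTestInitializer.cleanupPrincipalSystemMetaDelete(zmsTestInitializer.getZms());
        // NOTE(review): setup above passes "testorg" while cleanup passes "testOrg";
        // confirm the helper treats the org name case-insensitively or align them
        cleanupPrincipalAuditedRoleApprovalByOrg(zmsTestInitializer.getZms(), "testOrg");
        zmsTestInitializer.getZms().deleteTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), domainName, zmsTestInitializer.getAuditRef());
    }
}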

Example 29 with Authority

use of com.yahoo.athenz.auth.Authority in project athenz by yahoo.

the class ZMSImplTest method testGroupUserAuthorityExpiryRemoveRejection2.

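@Test
public void testGroupUserAuthorityExpiryRemoveRejection2() {
    // Removing the user-authority expiration from a group must be rejected
    // while a role that lists the group still requires that expiration;
    // once the role drops the requirement the same group update succeeds.
    final String domainName = "reject-group-expiry-remove";
    final String groupName = "group1";
    final String roleName = "role1";
    Authority savedAuthority = zmsTestInitializer.getZms().userAuthority;
    Authority authority = Mockito.mock(Authority.class);
    when(authority.isValidUser(anyString())).thenReturn(true);
    when(authority.getDateAttribute("user.john", "elevated-clearance")).thenReturn(new Date());
    when(authority.getDateAttribute("user.jane", "elevated-clearance")).thenReturn(new Date());
    Set<String> attrs = new HashSet<>();
    attrs.add("elevated-clearance");
    when(authority.booleanAttributesSupported()).thenReturn(attrs);
    when(authority.dateAttributesSupported()).thenReturn(attrs);
    // the mock is installed in both places the server consults; both are
    // put back in finally so an assertion failure cannot leave the mock
    // (or the test domain) behind for later tests
    zmsTestInitializer.getZms().userAuthority = authority;
    zmsTestInitializer.getZms().dbService.zmsConfig.setUserAuthority(authority);
    try {
        TopLevelDomain dom1 = zmsTestInitializer.createTopLevelDomainObject(domainName, "Test Domain1", "testOrg", "user.user1");
        dom1.setAuditEnabled(true);
        zmsTestInitializer.getZms().postTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), zmsTestInitializer.getAuditRef(), dom1);
        Group group = zmsTestInitializer.createGroupObject(domainName, groupName, "user.john", "user.jane");
        zmsTestInitializer.getZms().putGroup(zmsTestInitializer.getMockDomRsrcCtx(), domainName, groupName, zmsTestInitializer.getAuditRef(), group);
        GroupMeta gm = new GroupMeta().setUserAuthorityExpiration("elevated-clearance");
        zmsTestInitializer.getZms().putGroupMeta(zmsTestInitializer.getMockDomRsrcCtx(), domainName, groupName, zmsTestInitializer.getAuditRef(), gm);
        Role role = zmsTestInitializer.createRoleObject(domainName, roleName, null, "user.john", ResourceUtils.groupResourceName(domainName, groupName));
        role.setUserAuthorityExpiration("elevated-clearance");
        zmsTestInitializer.getZms().putRole(zmsTestInitializer.getMockDomRsrcCtx(), domainName, roleName, zmsTestInitializer.getAuditRef(), role);
        // now we're going to try to remove the user authority expiration
        // from the group and it should be rejected since the role
        // has the expiration set on the group
        gm = new GroupMeta().setUserAuthorityExpiration("");
        try {
            zmsTestInitializer.getZms().putGroupMeta(zmsTestInitializer.getMockDomRsrcCtx(), domainName, groupName, zmsTestInitializer.getAuditRef(), gm);
            fail();
        } catch (ResourceException ex) {
            assertTrue(ex.getMessage().contains("role expiration requirements"));
        }
        // now let's remove the expiration from the role
        RoleMeta rm = new RoleMeta().setUserAuthorityExpiration("");
        zmsTestInitializer.getZms().putRoleMeta(zmsTestInitializer.getMockDomRsrcCtx(), domainName, roleName, zmsTestInitializer.getAuditRef(), rm);
        // now our group meta should work
        zmsTestInitializer.getZms().putGroupMeta(zmsTestInitializer.getMockDomRsrcCtx(), domainName, groupName, zmsTestInitializer.getAuditRef(), gm);
    } finally {
        zmsTestInitializer.getZms().dbService.zmsConfig.setUserAuthority(savedAuthority);
        zmsTestInitializer.getZms().userAuthority = savedAuthority;
        zmsTestInitializer.getZms().deleteTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), domainName, zmsTestInitializer.getAuditRef());
    }
}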

Example 30 with Authority

use of com.yahoo.athenz.auth.Authority in project athenz by yahoo.

the class ZMSImplTest method testEnforcedUserAuthorityFilter.

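@Test
public void testEnforcedUserAuthorityFilter() {
    // enforcedUserAuthorityFilter merges two filter values: the result is
    // null when no user authority is configured or both inputs are
    // null/empty; otherwise the non-empty inputs are joined with a comma
    // (duplicates are kept, not collapsed).
    Authority savedAuthority = zmsTestInitializer.getZms().userAuthority;
    // the shared server's user authority is swapped below; restore it in
    // finally so a failing assertion cannot leak null or the mock into
    // later tests
    try {
        // null authority, filter or empty filter
        zmsTestInitializer.getZms().userAuthority = null;
        assertNull(zmsTestInitializer.getZms().enforcedUserAuthorityFilter("validFilter", null));
        assertNull(zmsTestInitializer.getZms().enforcedUserAuthorityFilter(null, "validFilter"));
        assertNull(zmsTestInitializer.getZms().enforcedUserAuthorityFilter("validFilter", "validFilter"));
        assertNull(zmsTestInitializer.getZms().enforcedUserAuthorityFilter(null, null));
        zmsTestInitializer.getZms().userAuthority = Mockito.mock(Authority.class);
        assertNull(zmsTestInitializer.getZms().enforcedUserAuthorityFilter(null, null));
        assertNull(zmsTestInitializer.getZms().enforcedUserAuthorityFilter("", null));
        assertNull(zmsTestInitializer.getZms().enforcedUserAuthorityFilter(null, ""));
        // valid filter
        assertEquals("validFilter", zmsTestInitializer.getZms().enforcedUserAuthorityFilter("validFilter", null));
        assertEquals("validFilter", zmsTestInitializer.getZms().enforcedUserAuthorityFilter(null, "validFilter"));
        assertEquals("validFilter", zmsTestInitializer.getZms().enforcedUserAuthorityFilter("validFilter", ""));
        assertEquals("validFilter", zmsTestInitializer.getZms().enforcedUserAuthorityFilter("", "validFilter"));
        assertEquals("validFilter1,validFilter2", zmsTestInitializer.getZms().enforcedUserAuthorityFilter("validFilter1", "validFilter2"));
        assertEquals("validFilter,validFilter", zmsTestInitializer.getZms().enforcedUserAuthorityFilter("validFilter", "validFilter"));
    } finally {
        zmsTestInitializer.getZms().userAuthority = savedAuthority;
    }
}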
