Use of com.yahoo.athenz.auth.Authority in project athenz by yahoo.
Class ZMSImplTest, method testUpdateRoleMemberUserAuthorityExpiry.
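@Test
public void testUpdateRoleMemberUserAuthorityExpiry() {
    // Exercises ZMSImpl.updateRoleMemberUserAuthorityExpiry for a role whose
    // user-authority expiration attribute is "elevated-clearance":
    //   - no user authority configured: members are left untouched
    //   - a user member lacking the attribute: the request is rejected
    //   - a service member: skipped, only user members get an expiration
    //   - user members carrying the attribute: expiration is populated
    ZMSImpl zms = zmsTestInitializer.getZms();
    Authority savedAuthority = zms.userAuthority;
    try {
        Role role = new Role().setUserAuthorityExpiration("elevated-clearance");
        List<RoleMember> members = new ArrayList<>();
        members.add(new RoleMember().setMemberName("user.john").setPrincipalType(Principal.Type.USER.getValue()));
        members.add(new RoleMember().setMemberName("user.joe").setPrincipalType(Principal.Type.USER.getValue()));
        role.setRoleMembers(members);

        // with no user authority configured the call is a no-op: no
        // expiration is derived and the attribute requirement is not enforced
        zms.userAuthority = null;
        zms.updateRoleMemberUserAuthorityExpiry(role, "unit-test");
        assertNull(role.getRoleMembers().get(0).getExpiration());
        assertNull(role.getRoleMembers().get(1).getExpiration());

        // mocked authority: john and jane carry the attribute, joe does not
        Authority authority = Mockito.mock(Authority.class);
        when(authority.getDateAttribute("user.john", "elevated-clearance")).thenReturn(new Date());
        when(authority.getDateAttribute("user.jane", "elevated-clearance")).thenReturn(new Date());
        when(authority.getDateAttribute("user.joe", "elevated-clearance")).thenReturn(null);
        zms.userAuthority = authority;

        // a user member without the attribute must be rejected
        try {
            zms.updateRoleMemberUserAuthorityExpiry(role, "unit-test");
            fail();
        } catch (ResourceException ex) {
            assertTrue(ex.getMessage().contains("Invalid member: user.joe"));
        }

        // one valid user and one service: the user gets an expiration
        // while the service member is skipped
        members = new ArrayList<>();
        members.add(new RoleMember().setMemberName("user.john").setPrincipalType(Principal.Type.USER.getValue()));
        members.add(new RoleMember().setMemberName("sports.api").setPrincipalType(Principal.Type.SERVICE.getValue()));
        role.setRoleMembers(members);
        zms.updateRoleMemberUserAuthorityExpiry(role, "unit-test");
        assertNotNull(role.getRoleMembers().get(0).getExpiration());
        assertNull(role.getRoleMembers().get(1).getExpiration());

        // only user members, both carrying the attribute
        members = new ArrayList<>();
        members.add(new RoleMember().setMemberName("user.john").setPrincipalType(Principal.Type.USER.getValue()));
        members.add(new RoleMember().setMemberName("user.jane").setPrincipalType(Principal.Type.USER.getValue()));
        role.setRoleMembers(members);
        zms.updateRoleMemberUserAuthorityExpiry(role, "unit-test");
        assertNotNull(role.getRoleMembers().get(0).getExpiration());
        assertNotNull(role.getRoleMembers().get(1).getExpiration());
    } finally {
        // restore the shared ZMSImpl even when an assertion fails so the
        // mocked (or null) authority cannot leak into later tests
        zms.userAuthority = savedAuthority;
    }
}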
Use of com.yahoo.athenz.auth.Authority in project athenz by yahoo.
Class ZMSImplTest, method testGetAccessHomeDomainDisabled.
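@Test
public void testGetAccessHomeDomainDisabled() {
    // With virtual (home) domains disabled, an access check against a
    // resource in user.jane's home domain must fail with 404 for every
    // action: the domain is not created on demand, so it simply does not exist.
    System.setProperty(ZMSConsts.ZMS_PROP_VIRTUAL_DOMAIN, "false");
    try {
        // the property is consumed during initialization, so build a fresh instance
        ZMSImpl zmsTest = zmsTestInitializer.zmsInit();
        // debug authority from the ...server.debug package; presumably accepts the
        // unverified "s=signature" placeholder, which is why it is test-only -- confirm
        Authority principalAuthority = new com.yahoo.athenz.common.server.debug.DebugPrincipalAuthority();
        Principal pJane = principalAuthority.authenticate("v=U1;d=user;n=jane;s=signature", "10.11.12.13", "GET", null);
        ResourceContext rsrcCtxJane = zmsTestInitializer.createResourceContext(pJane);

        // the same outcome is expected for each action, so loop instead of
        // repeating the try/catch three times
        for (String action : new String[] {"READ", "WRITE", "UPDATE"}) {
            try {
                zmsTest.getAccess(rsrcCtxJane, action, "user.jane:Resource1", null, null);
                fail("getAccess " + action + " should have failed with 404");
            } catch (ResourceException ex) {
                assertEquals(404, ex.getCode());
            }
        }
    } finally {
        // clear the system property even on failure so later tests are not
        // run with virtual domains unexpectedly disabled
        System.clearProperty(ZMSConsts.ZMS_PROP_VIRTUAL_DOMAIN);
    }
}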
Use of com.yahoo.athenz.auth.Authority in project athenz by yahoo.
Class ZMSImplTest, method testDeletePendingMembershipSelfServeRequest.
@Test
public void testDeletePendingMembershipSelfServeRequest() {
    // A pending self-serve membership request may only be withdrawn by the
    // principal that submitted it: jane (not the requester) is rejected with
    // 403, while joe (the requester) succeeds and the pending list empties.
    final String domainName = "delete-pending-self-serve";
    final String roleName = "testrole1";
    final ZMSImpl zms = zmsTestInitializer.getZms();
    final ResourceContext adminCtx = zmsTestInitializer.getMockDomRsrcCtx();
    final String auditRef = zmsTestInitializer.getAuditRef();

    // audit-enabled domain whose approvals are handled by user.fury for the org
    TopLevelDomain dom1 = zmsTestInitializer.createTopLevelDomainObject(domainName, "delete pending membership", "testOrg", "user.user1");
    zms.postTopLevelDomain(adminCtx, auditRef, dom1);
    setupPrincipalAuditedRoleApprovalByOrg(zms, "user.fury", "testorg");

    DomainMeta meta = zmsTestInitializer.createDomainMetaObject("Domain Meta for approval test", "testorg", true, true, "12345", 1001);
    zms.putDomainMeta(adminCtx, domainName, auditRef, meta);
    zms.putDomainSystemMeta(adminCtx, domainName, "auditenabled", auditRef, meta);
    zmsTestInitializer.setupPrincipalSystemMetaDelete(zms, adminCtx.principal().getFullName(), domainName, "org");
    zms.putDomainSystemMeta(adminCtx, domainName, "org", auditRef, meta);

    // audit-enabled, self-serve role
    Role auditedRole = zmsTestInitializer.createRoleObject(domainName, roleName, null, "user.john", "user.jane");
    zms.putRole(adminCtx, domainName, roleName, auditRef, auditedRole);
    RoleSystemMeta rsm = createRoleSystemMetaObject(true);
    zms.putRoleSystemMeta(adminCtx, domainName, roleName, "auditenabled", auditRef, rsm);
    RoleMeta rm = new RoleMeta().setSelfServe(true);
    zms.putRoleMeta(adminCtx, domainName, roleName, auditRef, rm);

    // joe requests membership for bob in the self-serve role; it stays pending
    Authority principalAuthority = new com.yahoo.athenz.common.server.debug.DebugPrincipalAuthority();
    ResourceContext ctxJoe = zmsTestInitializer.createResourceContext(newDebugUserPrincipal("joe", principalAuthority));
    Membership mbr = new Membership();
    mbr.setMemberName("user.bob");
    mbr.setActive(false);
    mbr.setApproved(false);
    zms.putMembership(ctxJoe, domainName, roleName, "user.bob", auditRef, mbr);

    // the admin principal sees exactly one pending request: bob -> testrole1
    DomainRoleMembership pending = zms.getPendingDomainRoleMembersList(adminCtx, "user.fury", null);
    assertNotNull(pending);
    assertNotNull(pending.getDomainRoleMembersList());
    assertEquals(pending.getDomainRoleMembersList().size(), 1);
    for (DomainRoleMembers drm : pending.getDomainRoleMembersList()) {
        assertEquals(drm.getDomainName(), domainName);
        assertNotNull(drm.getMembers());
        for (DomainRoleMember mem : drm.getMembers()) {
            assertNotNull(mem);
            assertEquals(mem.getMemberName(), "user.bob");
            for (MemberRole mr : mem.getMemberRoles()) {
                assertNotNull(mr);
                assertEquals(mr.getRoleName(), roleName);
            }
        }
    }

    // jane did not submit the request, so she is not authorized to withdraw it
    ResourceContext ctxJane = zmsTestInitializer.createResourceContext(newDebugUserPrincipal("jane", principalAuthority));
    try {
        zms.deletePendingMembership(ctxJane, domainName, roleName, "user.bob", auditRef);
        fail();
    } catch (ResourceException ex) {
        assertEquals(ex.getCode(), 403);
    }

    // the requester may withdraw; afterwards nothing is pending
    zms.deletePendingMembership(ctxJoe, domainName, roleName, "user.bob", auditRef);
    pending = zms.getPendingDomainRoleMembersList(adminCtx, "user.fury", null);
    assertNotNull(pending);
    assertTrue(pending.getDomainRoleMembersList().isEmpty());

    // NOTE(review): cleanup is not in a finally block, so a failed assertion
    // above leaves the domain and the approval setup behind for later tests
    zmsTestInitializer.cleanupPrincipalSystemMetaDelete(zms);
    cleanupPrincipalAuditedRoleApprovalByOrg(zms, "testOrg");
    zms.deleteTopLevelDomain(adminCtx, domainName, auditRef);
}

/**
 * Builds a {@code user.<userName>} principal from the debug credential
 * format, with the unsigned credential string attached as the tests expect.
 */
private Principal newDebugUserPrincipal(String userName, Authority principalAuthority) {
    final String unsignedCreds = "v=U1;d=user;n=" + userName;
    Principal principal = SimplePrincipal.create("user", userName, unsignedCreds + ";s=signature", 0, principalAuthority);
    assertNotNull(principal);
    ((SimplePrincipal) principal).setUnsignedCreds(unsignedCreds);
    return principal;
}
Use of com.yahoo.athenz.auth.Authority in project athenz by yahoo.
Class ZMSImplTest, method testGroupUserAuthorityExpiryRemoveRejection2.
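@Test
public void testGroupUserAuthorityExpiryRemoveRejection2() {
    // Removing the user-authority expiration attribute from a group must be
    // rejected while a role that contains the group still requires that
    // attribute; once the role drops the requirement the group update succeeds.
    final String domainName = "reject-group-expiry-remove";
    final String groupName = "group1";
    final String roleName = "role1";
    final ZMSImpl zms = zmsTestInitializer.getZms();
    final ResourceContext adminCtx = zmsTestInitializer.getMockDomRsrcCtx();
    final String auditRef = zmsTestInitializer.getAuditRef();

    // mocked authority: every user is valid and john/jane carry the
    // "elevated-clearance" attribute, which is advertised as both a
    // boolean and a date attribute
    Authority savedAuthority = zms.userAuthority;
    Authority authority = Mockito.mock(Authority.class);
    when(authority.isValidUser(anyString())).thenReturn(true);
    when(authority.getDateAttribute("user.john", "elevated-clearance")).thenReturn(new Date());
    when(authority.getDateAttribute("user.jane", "elevated-clearance")).thenReturn(new Date());
    Set<String> attrs = new HashSet<>();
    attrs.add("elevated-clearance");
    when(authority.booleanAttributesSupported()).thenReturn(attrs);
    when(authority.dateAttributesSupported()).thenReturn(attrs);
    zms.userAuthority = authority;
    zms.dbService.zmsConfig.setUserAuthority(authority);

    boolean domainCreated = false;
    try {
        TopLevelDomain dom1 = zmsTestInitializer.createTopLevelDomainObject(domainName, "Test Domain1", "testOrg", "user.user1");
        dom1.setAuditEnabled(true);
        zms.postTopLevelDomain(adminCtx, auditRef, dom1);
        domainCreated = true;

        // group with the expiration attribute set
        Group group = zmsTestInitializer.createGroupObject(domainName, groupName, "user.john", "user.jane");
        zms.putGroup(adminCtx, domainName, groupName, auditRef, group);
        GroupMeta gm = new GroupMeta().setUserAuthorityExpiration("elevated-clearance");
        zms.putGroupMeta(adminCtx, domainName, groupName, auditRef, gm);

        // role that contains the group and requires the same attribute
        Role role = zmsTestInitializer.createRoleObject(domainName, roleName, null, "user.john", ResourceUtils.groupResourceName(domainName, groupName));
        role.setUserAuthorityExpiration("elevated-clearance");
        zms.putRole(adminCtx, domainName, roleName, auditRef, role);

        // clearing the attribute on the group must be rejected while the
        // role still requires it from the group
        gm = new GroupMeta().setUserAuthorityExpiration("");
        try {
            zms.putGroupMeta(adminCtx, domainName, groupName, auditRef, gm);
            fail();
        } catch (ResourceException ex) {
            assertTrue(ex.getMessage().contains("role expiration requirements"));
        }

        // drop the requirement from the role, after which the group update succeeds
        RoleMeta rm = new RoleMeta().setUserAuthorityExpiration("");
        zms.putRoleMeta(adminCtx, domainName, roleName, auditRef, rm);
        zms.putGroupMeta(adminCtx, domainName, groupName, auditRef, gm);
    } finally {
        // restore the shared authority first (same order as before), then
        // drop the domain only if it was actually created, so a failing
        // assertion leaks neither the mock nor the domain into later tests
        zms.dbService.zmsConfig.setUserAuthority(savedAuthority);
        zms.userAuthority = savedAuthority;
        if (domainCreated) {
            zms.deleteTopLevelDomain(adminCtx, domainName, auditRef);
        }
    }
}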
Use of com.yahoo.athenz.auth.Authority in project athenz by yahoo.
Class ZMSImplTest, method testEnforcedUserAuthorityFilter.
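@Test
public void testEnforcedUserAuthorityFilter() {
    // enforcedUserAuthorityFilter combines the two filter inputs: it yields
    // null when no user authority is configured or when both inputs are
    // null/empty; otherwise it returns the non-empty input, or both joined
    // with a comma (an identical pair is not collapsed).
    ZMSImpl zms = zmsTestInitializer.getZms();
    Authority savedAuthority = zms.userAuthority;
    try {
        // without a user authority no filter is enforced, whatever the inputs
        zms.userAuthority = null;
        assertNull(zms.enforcedUserAuthorityFilter("validFilter", null));
        assertNull(zms.enforcedUserAuthorityFilter(null, "validFilter"));
        assertNull(zms.enforcedUserAuthorityFilter("validFilter", "validFilter"));
        assertNull(zms.enforcedUserAuthorityFilter(null, null));

        // with an authority configured, null/empty inputs still yield no filter
        zms.userAuthority = Mockito.mock(Authority.class);
        assertNull(zms.enforcedUserAuthorityFilter(null, null));
        assertNull(zms.enforcedUserAuthorityFilter("", null));
        assertNull(zms.enforcedUserAuthorityFilter(null, ""));

        // a non-empty input is returned as-is; two non-empty inputs are joined
        assertEquals("validFilter", zms.enforcedUserAuthorityFilter("validFilter", null));
        assertEquals("validFilter", zms.enforcedUserAuthorityFilter(null, "validFilter"));
        assertEquals("validFilter", zms.enforcedUserAuthorityFilter("validFilter", ""));
        assertEquals("validFilter", zms.enforcedUserAuthorityFilter("", "validFilter"));
        assertEquals("validFilter1,validFilter2", zms.enforcedUserAuthorityFilter("validFilter1", "validFilter2"));
        assertEquals("validFilter,validFilter", zms.enforcedUserAuthorityFilter("validFilter", "validFilter"));
    } finally {
        // restore the shared ZMSImpl even when an assertion fails so the
        // mock authority cannot leak into later tests
        zms.userAuthority = savedAuthority;
    }
}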