
the class ZMSImplTest method testPutMembershipDecisionReviewEnabledUnauthorized.

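@Test
public void testPutMembershipDecisionReviewEnabledUnauthorized() {
    // A review-enabled role keeps new members pending until an authorized
    // principal approves them. This test checks that user.user2, who is not the
    // domain admin and holds no approval grant, is refused when trying to
    // approve user.bob, and that the pending state was recorded beforehand.
    final String domainName = "review-enabled-domain-forbidden";
    TopLevelDomain dom1 = zmsTestInitializer.createTopLevelDomainObject(domainName, "Approval test Domain1", "testOrg", "user.user1");
    zmsTestInitializer.getZms().postTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), zmsTestInitializer.getAuditRef(), dom1);
    try {
        final String roleName = "review-role";
        Role role1 = zmsTestInitializer.createRoleObject(domainName, roleName, null, null, null);
        zmsTestInitializer.getZms().putRole(zmsTestInitializer.getMockDomRsrcCtx(), domainName, roleName, zmsTestInitializer.getAuditRef(), role1);
        RoleMeta rm = new RoleMeta().setReviewEnabled(true);
        zmsTestInitializer.getZms().putRoleMeta(zmsTestInitializer.getMockDomRsrcCtx(), domainName, roleName, zmsTestInitializer.getAuditRef(), rm);

        // add a user to the role; with review enabled it must stay pending
        Membership mbr = new Membership();
        mbr.setMemberName("user.bob");
        mbr.setActive(false);
        mbr.setApproved(false);
        zmsTestInitializer.getZms().putMembership(zmsTestInitializer.getMockDomRsrcCtx(), domainName, roleName, "user.bob", zmsTestInitializer.getAuditRef(), mbr);

        // verify the user is added with pending state
        Role resrole = zmsTestInitializer.getZms().getRole(zmsTestInitializer.getMockDomRsrcCtx(), domainName, roleName, false, false, true);
        assertEquals(resrole.getRoleMembers().size(), 1);
        assertEquals(resrole.getRoleMembers().get(0).getMemberName(), "user.bob");
        assertFalse(resrole.getRoleMembers().get(0).getApproved());

        // now try as user.user2 to approve this user; it must be rejected
        // since user.user2 is not authorized to decide on members of this role
        mbr = new Membership();
        mbr.setMemberName("user.bob");
        mbr.setActive(true);
        mbr.setApproved(true);

        // switch the mocked request contexts to the user.user2 principal
        Authority principalAuthority = new com.yahoo.athenz.common.server.debug.DebugPrincipalAuthority();
        String unsignedCreds = "v=U1;d=user;n=user2";
        final Principal rsrcPrince = SimplePrincipal.create("user", "user2", unsignedCreds + ";s=signature", 0, principalAuthority);
        assertNotNull(rsrcPrince);
        ((SimplePrincipal) rsrcPrince).setUnsignedCreds(unsignedCreds);
        when(zmsTestInitializer.getMockDomRestRsrcCtx().principal()).thenReturn(rsrcPrince);
        when(zmsTestInitializer.getMockDomRsrcCtx().principal()).thenReturn(rsrcPrince);
        try {
            zmsTestInitializer.getZms().putMembershipDecision(zmsTestInitializer.getMockDomRsrcCtx(), domainName, roleName, "user.bob", zmsTestInitializer.getAuditRef(), mbr);
            fail();
        } catch (ResourceException ex) {
            assertTrue(ex.getMessage().contains("not authorized to approve / reject members"));
        } finally {
            // revert back to the admin principal even when an assertion above
            // fails; the mocked contexts are shared with every other test
            Authority adminPrincipalAuthority = new com.yahoo.athenz.common.server.debug.DebugPrincipalAuthority();
            String adminUnsignedCreds = "v=U1;d=user;n=user1";
            final Principal rsrcAdminPrince = SimplePrincipal.create("user", "user1", adminUnsignedCreds + ";s=signature", 0, adminPrincipalAuthority);
            assertNotNull(rsrcAdminPrince);
            ((SimplePrincipal) rsrcAdminPrince).setUnsignedCreds(adminUnsignedCreds);
            when(zmsTestInitializer.getMockDomRestRsrcCtx().principal()).thenReturn(rsrcAdminPrince);
            when(zmsTestInitializer.getMockDomRsrcCtx().principal()).thenReturn(rsrcAdminPrince);
        }
    } finally {
        // the domain exists from this point on, so always remove it; the admin
        // principal has already been restored by the inner finally
        zmsTestInitializer.getZms().deleteTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), domainName, zmsTestInitializer.getAuditRef());
    }
}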

the class ZMSImplTest method testUpdateGroupMemberUserAuthorityExpiry.

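@Test
public void testUpdateGroupMemberUserAuthorityExpiry() {
    // updateGroupMemberUserAuthorityExpiry stamps each user member of a group with
    // the date the user authority reports for the group's userAuthorityExpiration
    // attribute. Covered here: no authority configured (nothing changes), a user
    // lacking the attribute (request rejected), a service member (left untouched)
    // and users that all carry the attribute (all stamped).
    Group group = new Group().setUserAuthorityExpiration("elevated-clearance");
    List<GroupMember> members = new ArrayList<>();
    members.add(new GroupMember().setMemberName("user.john"));
    members.add(new GroupMember().setMemberName("user.joe"));
    group.setGroupMembers(members);

    // userAuthority is shared server state: restore it in finally so a failing
    // assertion cannot leave the mock installed for the remaining tests
    Authority savedAuthority = zmsTestInitializer.getZms().userAuthority;
    try {
        zmsTestInitializer.getZms().userAuthority = null;
        // with authority null we always get no changes
        zmsTestInitializer.getZms().updateGroupMemberUserAuthorityExpiry(group, "unit-test");
        assertNull(group.getGroupMembers().get(0).getExpiration());
        assertNull(group.getGroupMembers().get(1).getExpiration());

        Authority authority = Mockito.mock(Authority.class);
        when(authority.getDateAttribute("user.john", "elevated-clearance")).thenReturn(new Date());
        when(authority.getDateAttribute("user.jane", "elevated-clearance")).thenReturn(new Date());
        when(authority.getDateAttribute("user.joe", "elevated-clearance")).thenReturn(null);
        zmsTestInitializer.getZms().userAuthority = authority;

        // user.joe has no "elevated-clearance" date, so the update is rejected
        try {
            zmsTestInitializer.getZms().updateGroupMemberUserAuthorityExpiry(group, "unit-test");
            fail();
        } catch (ResourceException ex) {
            assertTrue(ex.getMessage().contains("Invalid member: user.joe"));
        }

        // let's have one valid user and one service
        members = new ArrayList<>();
        members.add(new GroupMember().setMemberName("user.john"));
        members.add(new GroupMember().setMemberName("sports.api"));
        group.setGroupMembers(members);
        // the user will have an expiration while the service is skipped
        zmsTestInitializer.getZms().updateGroupMemberUserAuthorityExpiry(group, "unit-test");
        assertNotNull(group.getGroupMembers().get(0).getExpiration());
        assertNull(group.getGroupMembers().get(1).getExpiration());

        // now let's have only user members, both with the attribute
        members = new ArrayList<>();
        members.add(new GroupMember().setMemberName("user.john"));
        members.add(new GroupMember().setMemberName("user.jane"));
        group.setGroupMembers(members);
        zmsTestInitializer.getZms().updateGroupMemberUserAuthorityExpiry(group, "unit-test");
        assertNotNull(group.getGroupMembers().get(0).getExpiration());
        assertNotNull(group.getGroupMembers().get(1).getExpiration());
    } finally {
        zmsTestInitializer.getZms().userAuthority = savedAuthority;
    }
}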

the class ZMSImplTest method testManageMembershipWithUpdateMembersAction.

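@Test
public void testManageMembershipWithUpdateMembersAction() {
    // Membership management on a role can be delegated through a policy that
    // grants the "update_members" action on the role resource. user.user1, a
    // member of role1 which policy1 grants that action, may add and remove
    // members; user.user4, who holds no such grant, must get 403 for both.
    final String domainName = "update-member-domain1";
    final String roleName = "role1";
    final String policyName = "policy1";

    // install a permissive mock user authority; the real one is restored in
    // finally so a failed assertion cannot leak the mock into later tests
    Authority savedAuthority = zmsTestInitializer.getZms().userAuthority;
    Authority authority = Mockito.mock(Authority.class);
    when(authority.isValidUser(anyString())).thenReturn(true);
    when(authority.getDateAttribute(anyString(), anyString())).thenReturn(null);
    Set<String> attrs = new HashSet<>();
    attrs.add("elevated-clearance");
    when(authority.dateAttributesSupported()).thenReturn(attrs);
    zmsTestInitializer.getZms().userAuthority = authority;
    try {
        TopLevelDomain dom1 = zmsTestInitializer.createTopLevelDomainObject(domainName, "Test Domain1", "testOrg", zmsTestInitializer.getAdminUser());
        zmsTestInitializer.getZms().postTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), zmsTestInitializer.getAuditRef(), dom1);
        try {
            // role1 is created with user.user1 and user.user2 as members
            Role role1 = zmsTestInitializer.createRoleObject(domainName, roleName, null, "user.user1", "user.user2");
            zmsTestInitializer.getZms().putRole(zmsTestInitializer.getMockDomRsrcCtx(), domainName, roleName, zmsTestInitializer.getAuditRef(), role1);
            // policy1 grants role1 the update_members action on the role1 resource
            Policy policy1 = zmsTestInitializer.createPolicyObject(domainName, policyName, roleName, "update_members", domainName + ":role.role1", AssertionEffect.ALLOW);
            zmsTestInitializer.getZms().putPolicy(zmsTestInitializer.getMockDomRsrcCtx(), domainName, policyName, zmsTestInitializer.getAuditRef(), policy1);

            // user1 has access to add members to role1
            Authority principalAuthority = new com.yahoo.athenz.common.server.debug.DebugPrincipalAuthority();
            Principal principal1 = principalAuthority.authenticate("v=U1;d=user;n=user1;s=signature", "10.11.12.13", "GET", null);
            ResourceContext rsrcCtx1 = zmsTestInitializer.createResourceContext(principal1);
            Membership mbr = new Membership().setMemberName("user.user3");
            zmsTestInitializer.getZms().putMembership(rsrcCtx1, domainName, roleName, "user.user3", zmsTestInitializer.getAuditRef(), mbr);
            Membership mbrResponse = zmsTestInitializer.getZms().getMembership(zmsTestInitializer.getMockDomRsrcCtx(), domainName, roleName, "user.user3", null);
            assertNotNull(mbrResponse);
            assertTrue(mbrResponse.getIsMember());
            assertTrue(mbrResponse.getApproved());

            // now delete the member
            zmsTestInitializer.getZms().deleteMembership(rsrcCtx1, domainName, roleName, "user.user3", zmsTestInitializer.getAuditRef());
            mbrResponse = zmsTestInitializer.getZms().getMembership(zmsTestInitializer.getMockDomRsrcCtx(), domainName, roleName, "user.user3", null);
            assertNotNull(mbrResponse);
            assertFalse(mbrResponse.getIsMember());

            // a different user without the grant is refused on both operations
            Principal principal4 = principalAuthority.authenticate("v=U1;d=user;n=user4;s=signature", "10.11.12.13", "GET", null);
            ResourceContext rsrcCtx4 = zmsTestInitializer.createResourceContext(principal4);
            try {
                zmsTestInitializer.getZms().putMembership(rsrcCtx4, domainName, roleName, "user.user3", zmsTestInitializer.getAuditRef(), mbr);
                fail();
            } catch (ResourceException ex) {
                assertEquals(ex.getCode(), 403);
            }
            try {
                zmsTestInitializer.getZms().deleteMembership(rsrcCtx4, domainName, roleName, "user.user1", zmsTestInitializer.getAuditRef());
                fail();
            } catch (ResourceException ex) {
                assertEquals(ex.getCode(), 403);
            }
        } finally {
            // the domain exists from here on, so always remove it
            zmsTestInitializer.getZms().deleteTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), domainName, zmsTestInitializer.getAuditRef());
        }
    } finally {
        zmsTestInitializer.getZms().userAuthority = savedAuthority;
    }
}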

the class ZMSImplTest method testIsAllowedDeletePendingGroupMembership.

@Test
public void testIsAllowedDeletePendingGroupMembership() {
    // Checks the authorization behind removing a pending group member: the
    // domain admin behind the mock context is allowed, user.jane is allowed
    // through testrole1 (Policy1 grants it UPDATE on "<domain>:group.*"), and
    // user.john, who holds no such grant, is refused.
    final String domainName = "allowed-del-pending-mbr";
    final String groupName = "group1";
    final String roleName = "testrole1";
    final String policyName = "Policy1";
    final String auditRef = zmsTestInitializer.getAuditRef();
    final ResourceContext adminCtx = zmsTestInitializer.getMockDomRsrcCtx();

    TopLevelDomain domain = zmsTestInitializer.createTopLevelDomainObject(domainName, "Group Test Domain1", "testOrg", "user.user1");
    zmsTestInitializer.getZms().postTopLevelDomain(adminCtx, auditRef, domain);

    Group group = zmsTestInitializer.createGroupObject(domainName, groupName, "user.user1", "user.jane");
    zmsTestInitializer.getZms().putGroup(adminCtx, domainName, groupName, auditRef, group);

    Role role = zmsTestInitializer.createRoleObject(domainName, roleName, null, "user.user1", "user.jane");
    zmsTestInitializer.getZms().putRole(adminCtx, domainName, roleName, auditRef, role);

    Policy policy = zmsTestInitializer.createPolicyObject(domainName, policyName, roleName, "UPDATE", domainName + ":group.*", AssertionEffect.ALLOW);
    zmsTestInitializer.getZms().putPolicy(adminCtx, domainName, policyName, auditRef, policy);

    // the principal of the admin context (user.user1 is the domain admin) is allowed
    assertTrue(zmsTestInitializer.getZms().isAllowedDeletePendingGroupMembership(adminCtx.principal(), domainName, groupName, "user.pending"));

    Authority debugAuthority = new com.yahoo.athenz.common.server.debug.DebugPrincipalAuthority();

    // user.jane is a member of testrole1 and therefore covered by Policy1
    final String janeCreds = "v=U1;d=user;n=jane";
    Principal jane = SimplePrincipal.create("user", "jane", janeCreds + ";s=signature", 0, debugAuthority);
    assertNotNull(jane);
    ((SimplePrincipal) jane).setUnsignedCreds(janeCreds);
    assertTrue(zmsTestInitializer.getZms().isAllowedDeletePendingGroupMembership(jane, domainName, groupName, "user.pending"));

    // user.john holds no role in the domain, so the check must fail
    final String johnCreds = "v=U1;d=user;n=john";
    Principal john = SimplePrincipal.create("user", "john", johnCreds + ";s=signature", 0, debugAuthority);
    assertNotNull(john);
    ((SimplePrincipal) john).setUnsignedCreds(johnCreds);
    assertFalse(zmsTestInitializer.getZms().isAllowedDeletePendingGroupMembership(john, domainName, groupName, "user.pending"));

    zmsTestInitializer.getZms().deleteTopLevelDomain(adminCtx, domainName, auditRef);
}

the class NotificationToEmailConverterCommonTest method testGetFullyQualifiedEmailAddressesUserAuthority.

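@Test
public void testGetFullyQualifiedEmailAddressesUserAuthority() {
    // Recipients inside the configured user domain ("entuser") get the address
    // the user authority (NotificationAuthorityForTest) reports for them, while a
    // recipient outside that domain falls back to the
    // athenz.notification_email_domain_to domain.
    System.setProperty("athenz.user_domain", "entuser");
    System.setProperty("athenz.notification_email_domain_from", "from.example.com");
    System.setProperty("athenz.notification_email_domain_to", "example.com");
    try {
        Set<String> recipients = new HashSet<>(Arrays.asList("entuser.user1", "entuser.user2", "entuser.user3", "unknown.user"));
        Authority notificationAuthorityForTest = new NotificationAuthorityForTest();
        NotificationToEmailConverterCommon notificationToEmailConverterCommon = new NotificationToEmailConverterCommon(notificationAuthorityForTest);
        Set<String> recipientsResp = notificationToEmailConverterCommon.getFullyQualifiedEmailAddresses(recipients);
        assertNotNull(recipientsResp);
        assertEquals(recipientsResp.size(), 4);
        assertTrue(recipientsResp.contains("entuser.user1@mail.from.authority.com"));
        assertTrue(recipientsResp.contains("entuser.user2@mail.from.authority.com"));
        assertTrue(recipientsResp.contains("entuser.user3@mail.from.authority.com"));
        assertTrue(recipientsResp.contains("unknown.user@example.com"));
    } finally {
        // system properties are process-wide: clear them even when an assertion
        // fails, otherwise "entuser" stays the user domain for later tests
        System.clearProperty("athenz.notification_email_domain_from");
        System.clearProperty("athenz.notification_email_domain_to");
        System.clearProperty("athenz.user_domain");
    }
}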