use of com.yahoo.athenz.auth.Principal in project athenz by yahoo.
the class ZMSClientTest method createPrincipal.
/**
 * Builds a test principal for {@code userName} in the {@code user} domain.
 * The credential string is a constructed test token; {@code s=signature} is a
 * placeholder, not a real signature, so the result is only meaningful to tests
 * that do not verify signatures.
 *
 * @param userName short user name embedded in the principal and its credentials
 * @return the principal returned by {@code SimplePrincipal.create}
 */
private Principal createPrincipal(String userName) {
    final Authority principalAuthority = new com.yahoo.athenz.auth.impl.PrincipalAuthority();
    final String credentials = "v=U1;d=user;n=" + userName + ";s=signature";
    return SimplePrincipal.create("user", userName, credentials, 0, principalAuthority);
}
use of com.yahoo.athenz.auth.Principal in project athenz by yahoo.
the class ZMSImpl method getTenancy.
/**
 * Returns the tenancy that {@code tenantDomain} holds on the provider service
 * {@code providerService}.
 *
 * <p>The tenant object itself is fetched from the provider: the provider's
 * endpoint is read from the stored service identity and called on behalf of the
 * requesting principal. The resource groups the provider reports are then
 * checked against the local tenant and provider policies; groups that fail the
 * check are dropped from the result (and logged) rather than causing the
 * request to be rejected.
 *
 * @param ctx             request context; the caller's principal is taken from it
 * @param tenantDomain    tenant domain name (normalized to lower case)
 * @param providerService fully qualified provider service name (normalized to lower case)
 * @return the tenancy with the locally verified resource groups
 * @throws ResourceException (via {@code ZMSUtils}) when the tenant domain, provider
 *         domain or provider service cannot be found, when the service has no
 *         provider endpoint, when the provider call fails, or when the provider
 *         reports no such tenant
 */
public Tenancy getTenancy(ResourceContext ctx, String tenantDomain, String providerService) {
    final String caller = "gettenancy";
    metric.increment(ZMSConsts.HTTP_GET);
    logPrincipal(ctx);
    validateRequest(ctx.request(), caller);
    validate(tenantDomain, TYPE_DOMAIN_NAME, caller);
    // providerService must be a fully qualified service name
    validate(providerService, TYPE_SERVICE_NAME, caller);

    // object names (domain, role, policy, service, ...) are handled in
    // lower case throughout the server, so normalize the inputs first
    tenantDomain = tenantDomain.toLowerCase();
    providerService = providerService.toLowerCase();

    metric.increment(ZMSConsts.HTTP_REQUEST, tenantDomain);
    metric.increment(caller, tenantDomain);
    // NOTE(review): the timer is only stopped on the success path below;
    // every throw in this method skips stopTiming
    final Object timer = metric.startTiming("gettenancy_timing", tenantDomain);

    // the tenant domain must exist locally
    if (dbService.getDomain(tenantDomain, false) == null) {
        throw ZMSUtils.notFoundError("getTenancy: No such tenant domain: " + tenantDomain, caller);
    }

    // we cannot tell from the local policies alone whether the provider
    // uses resource groups (policies for tenant subdomains vs. policies for
    // the tenant domain with resource groups), so the provider has to be
    // asked for the tenancy details. Split the provider service into its
    // domain and service parts first.
    final String providerDomainName = providerServiceDomain(providerService);
    final String providerSvcName = providerServiceName(providerService);
    if (dbService.getDomain(providerDomainName, false) == null) {
        throw ZMSUtils.requestError("getTenancy: No such provider domain: " + providerDomainName, caller);
    }

    final ServiceIdentity providerSvc = dbService.getServiceIdentity(providerDomainName, providerSvcName);
    if (providerSvc == null) {
        throw ZMSUtils.requestError("getTenancy: unable to retrieve service=" + providerService, caller);
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("getTenancy: serviceIdentity: provider=" + providerSvc);
    }

    // the endpoint is whatever is stored on the provider's service identity;
    // a service without one is not a provider. No validation of the endpoint
    // value is visible here -- TODO confirm where it is validated on write.
    final String endpoint = providerSvc.getProviderEndpoint();
    if (endpoint == null || endpoint.isEmpty()) {
        throw ZMSUtils.requestError("getTenancy: cannot get tenancy on provider service=" + providerService + " -- not a provider service", caller);
    }

    // the provider is called with the requesting principal, not a server identity
    final Principal requester = ((RsrcCtxWrapper) ctx).principal();
    Tenant providerTenant = null;
    try {
        providerTenant = getProviderClient(endpoint, requester).getTenant(providerSvcName, tenantDomain);
    } catch (com.yahoo.athenz.provider.ResourceException ex) {
        LOG.error("getTenancy: ProviderClient exception code: {} message: {}", ex.getCode(), ex.getMessage());
        throw ZMSUtils.error(ex.getCode(), ex.getMessage(), caller);
    }
    if (providerTenant == null) {
        throw ZMSUtils.notFoundError("getTenancy: Provider reports no such tenant: " + tenantDomain, caller);
    }
    if (LOG.isInfoEnabled()) {
        LOG.info("getTenancy: ---- result of provider.getTenant: " + providerTenant);
    }

    // resource groups reported by the provider are only included in the
    // result when both the tenant and provider domains carry the matching
    // policies; a mismatch is logged, never rejected
    final Tenancy result = new Tenancy();
    result.setDomain(tenantDomain).setService(providerService);

    final List<String> reportedGroups = providerTenant.getResourceGroups();
    if (reportedGroups != null) {
        final List<String> tenantPolicies = dbService.listPolicies(tenantDomain);
        final Set<String> providerPolicies = new HashSet<>(dbService.listPolicies(providerDomainName));
        final List<String> verifiedGroups = new ArrayList<>();
        for (String group : reportedGroups) {
            final boolean policiesOk = verifyTenancyPolicies(tenantDomain, tenantPolicies,
                    providerPolicies, providerDomainName, providerSvcName, group);
            if (policiesOk) {
                verifiedGroups.add(group);
                continue;
            }
            if (LOG.isInfoEnabled()) {
                LOG.info("getTenancy: Invalid Resource Group: " + group + " for tenant: " + tenantDomain);
            }
        }
        result.setResourceGroups(verifiedGroups);
    }

    metric.stopTiming(timer);
    return result;
}
use of com.yahoo.athenz.auth.Principal in project athenz by yahoo.
the class ZMSImpl method putTenancyResourceGroup.
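/**
 * Provisions {@code resourceGroup} for {@code tenantDomain} on the provider
 * service {@code provider}.
 *
 * <p>The provider is contacted at the endpoint stored on its service identity,
 * on behalf of the requesting principal; the roles it returns are then created
 * locally via {@code dbService.executePutProviderRoles}.
 *
 * <p>Fix: a provider that returns a {@code null} resource group (rather than one
 * with an empty role list) previously caused a NullPointerException on
 * {@code getRoles()}; it is now reported with the same "did not return any
 * roles" request error, matching how {@code getTenancy} treats a {@code null}
 * provider response.
 *
 * @param ctx           request context; the caller's principal is taken from it
 * @param tenantDomain  tenant domain name (normalized to lower case)
 * @param provider      fully qualified provider service name (normalized to lower case)
 * @param resourceGroup resource group to provision (normalized to lower case)
 * @param auditRef      audit reference passed through to the provider and the local store
 * @param detail        request body; only lower-cased and logged here
 * @return always {@code null}
 * @throws ResourceException (via {@code ZMSUtils}) in read-only mode, on validation
 *         failure, when the provider service or its endpoint is missing, when the
 *         provider call fails, or when the provider returns no roles
 */
public TenancyResourceGroup putTenancyResourceGroup(ResourceContext ctx, String tenantDomain, String provider, String resourceGroup, String auditRef, TenancyResourceGroup detail) {
    final String caller = "puttenancyresourcegroup";
    metric.increment(ZMSConsts.HTTP_PUT);
    logPrincipal(ctx);
    if (readOnlyMode) {
        throw ZMSUtils.requestError("Server in Maintenance Read-Only mode. Please try your request later", caller);
    }
    validateRequest(ctx.request(), caller);
    validate(tenantDomain, TYPE_DOMAIN_NAME, caller);
    // the fully qualified service name to provision on
    validate(provider, TYPE_SERVICE_NAME, caller);
    validate(resourceGroup, TYPE_COMPOUND_NAME, caller);

    // object names (domain, role, policy, service, ...) are handled in
    // lower case throughout the server, so normalize the inputs first
    tenantDomain = tenantDomain.toLowerCase();
    provider = provider.toLowerCase();
    resourceGroup = resourceGroup.toLowerCase();
    AthenzObject.TENANCY_RESOURCE_GROUP.convertToLowerCase(detail);

    metric.increment(ZMSConsts.HTTP_REQUEST, tenantDomain);
    metric.increment(caller, tenantDomain);
    // NOTE(review): the timer is only stopped on the success path below;
    // every throw in this method skips stopTiming
    Object timerMetric = metric.startTiming("puttenancyresourcegroup_timing", tenantDomain);

    // when the request arrives through an authorized service, that service
    // must be allowed to perform this operation
    verifyAuthorizedServiceOperation(((RsrcCtxWrapper) ctx).principal().getAuthorizedService(), caller);
    if (LOG.isDebugEnabled()) {
        LOG.debug("putTenancyResourceGroup: tenant domain(" + tenantDomain + ") resourceGroup(" + resourceGroup + ")");
    }

    // split the provider service into its domain and service parts
    String provSvcDomain = providerServiceDomain(provider);
    String provSvcName = providerServiceName(provider);
    ServiceIdentity ent = dbService.getServiceIdentity(provSvcDomain, provSvcName);
    if (ent == null) {
        throw ZMSUtils.requestError("Unable to retrieve service=" + provider, caller);
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("serviceIdentity: provider=" + ent);
    }

    // the endpoint is whatever is stored on the provider's service identity;
    // a service without one is not a provider. No validation of the endpoint
    // value is visible here -- TODO confirm where it is validated on write.
    String url = ent.getProviderEndpoint();
    if (url == null || url.isEmpty()) {
        throw ZMSUtils.requestError("Cannot put tenancy resource group on provider service=" + provider + " -- not a provider service", caller);
    }

    // the provider is called with the requesting principal, not a server identity
    Principal tenantAdmin = ((RsrcCtxWrapper) ctx).principal();
    TenantResourceGroup tenantResourceGroup = new TenantResourceGroup();
    tenantResourceGroup.setService(provSvcName).setName(tenantDomain).setResourceGroup(resourceGroup);
    TenantResourceGroup tenantWithRoles = null;
    try {
        ProviderClient prov = getProviderClient(url, tenantAdmin);
        tenantWithRoles = prov.putTenantResourceGroup(provSvcName, tenantDomain, resourceGroup, auditRef, tenantResourceGroup);
    } catch (com.yahoo.athenz.provider.ResourceException ex) {
        throw ZMSUtils.error(ex.getCode(), ex.getMessage(), caller);
    }
    if (LOG.isInfoEnabled()) {
        LOG.info("---- result of provider.putTenantResourceGroup: " + tenantWithRoles);
    }

    // a null response from the provider is treated like an empty role list
    // instead of dereferencing it (previously an NPE -> internal error)
    List<String> providerRoles = (tenantWithRoles == null) ? null : tenantWithRoles.getRoles();
    if (providerRoles == null || providerRoles.isEmpty()) {
        throw ZMSUtils.requestError("Provider Controller did not return any roles to provision", caller);
    }

    // one local role is created per role the provider returned, with the
    // caller added as a member of each
    dbService.executePutProviderRoles(ctx, tenantDomain, provSvcDomain, provSvcName, resourceGroup, providerRoles, auditRef, caller);
    if (LOG.isInfoEnabled()) {
        LOG.info("---- END put Tenant Resource Group -> " + detail);
    }
    metric.stopTiming(timerMetric);
    return null;
}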
use of com.yahoo.athenz.auth.Principal in project athenz by yahoo.
the class ZMSImpl method deleteTenancyResourceGroup.
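/**
 * Removes {@code resourceGroup} of {@code tenantDomain} from the provider
 * service {@code provider} and cleans up the local roles and policies for it.
 *
 * <p>The provider call is best-effort: if the provider service cannot be found,
 * has no endpoint, or the call fails, the local cleanup still runs and the
 * failure is reported afterwards as a request error so an administrator can
 * finish the provider side manually.
 *
 * <p>Fix: an empty provider endpoint is now treated like a missing one, as the
 * sibling put/get tenancy methods already do. Previously an empty string was
 * handed to {@code getProviderClient} and surfaced as a generic call failure.
 *
 * @param ctx           request context; the caller's principal is taken from it
 * @param tenantDomain  tenant domain name (normalized to lower case)
 * @param provider      fully qualified provider service name (normalized to lower case)
 * @param resourceGroup resource group to delete (normalized to lower case)
 * @param auditRef      audit reference passed through to the provider and the local store
 * @return always {@code null}
 * @throws ResourceException (via {@code ZMSUtils}) in read-only mode, on validation
 *         failure, or -- after the local cleanup has completed -- when the
 *         provider could not be contacted successfully
 */
public TenancyResourceGroup deleteTenancyResourceGroup(ResourceContext ctx, String tenantDomain, String provider, String resourceGroup, String auditRef) {
    final String caller = "deletetenancyresourcegroup";
    metric.increment(ZMSConsts.HTTP_DELETE);
    logPrincipal(ctx);
    if (readOnlyMode) {
        throw ZMSUtils.requestError("Server in Maintenance Read-Only mode. Please try your request later", caller);
    }
    validateRequest(ctx.request(), caller);
    validate(tenantDomain, TYPE_DOMAIN_NAME, caller);
    // fully qualified provider's service name
    validate(provider, TYPE_SERVICE_NAME, caller);
    validate(resourceGroup, TYPE_COMPOUND_NAME, caller);

    // object names (domain, role, policy, service, ...) are handled in
    // lower case throughout the server, so normalize the inputs first
    tenantDomain = tenantDomain.toLowerCase();
    provider = provider.toLowerCase();
    resourceGroup = resourceGroup.toLowerCase();

    metric.increment(ZMSConsts.HTTP_REQUEST, tenantDomain);
    metric.increment(caller, tenantDomain);
    Object timerMetric = metric.startTiming("deletetenancyresourcegroup_timing", tenantDomain);

    // when the request arrives through an authorized service, that service
    // must be allowed to perform this operation
    verifyAuthorizedServiceOperation(((RsrcCtxWrapper) ctx).principal().getAuthorizedService(), caller);

    // Provider-side deletion is attempted first but never blocks the local
    // cleanup: any failure is recorded in errorMessage and reported to the
    // caller once the local roles and policies have been removed, so the
    // administrator can contact the provider manually if needed.
    String errorMessage = null;
    String provSvcDomain = providerServiceDomain(provider);
    String provSvcName = providerServiceName(provider);
    ServiceIdentity provSvcId = dbService.getServiceIdentity(provSvcDomain, provSvcName);
    if (provSvcId == null) {
        errorMessage = "service does not exist";
    } else {
        if (LOG.isDebugEnabled()) {
            LOG.debug("provider serviceIdentity(" + provSvcId + ")");
        }
        // an empty endpoint is as unusable as a missing one (consistent with
        // getTenancy / putTenancyResourceGroup)
        String url = provSvcId.getProviderEndpoint();
        if (url == null || url.isEmpty()) {
            errorMessage = "service does not have endpoint configured";
        } else {
            if (LOG.isInfoEnabled()) {
                LOG.info("Tenant will contact provider at endpoint: " + url);
            }
            try {
                // the provider is called with the requesting principal
                Principal tenantAdmin = ((RsrcCtxWrapper) ctx).principal();
                ProviderClient prov = getProviderClient(url, tenantAdmin);
                prov.deleteTenantResourceGroup(provSvcName, tenantDomain, resourceGroup, auditRef);
            } catch (Exception exc) {
                // deliberately broad: the provider call is best-effort. Note that
                // exc.getMessage() ends up in the error returned to the requester,
                // so whatever the provider/client puts in its message is exposed
                // to the caller -- TODO confirm that is acceptable.
                errorMessage = "failed to delete tenant resource group. Error: " + exc.getMessage();
            }
        }
    }

    // local cleanup of the tenant's roles and policies always runs
    dbService.executeDeleteTenancy(ctx, tenantDomain, provSvcDomain, provSvcName, resourceGroup, auditRef, caller);
    metric.stopTiming(timerMetric);

    if (errorMessage != null) {
        final String tenantCleanupMsg = "Tenant cleanup in(" + tenantDomain + "): ";
        throw ZMSUtils.requestError(tenantCleanupMsg + "completed successfully. However, there " + "was an error when contacting the Provider Service: " + provider + ":" + errorMessage + ". Please contact the Provider administrator directly " + "to complete this delete tenancy resource group request", caller);
    }
    return null;
}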
use of com.yahoo.athenz.auth.Principal in project athenz by yahoo.
the class ZTSClientTest method testIsExpiredTokenAtLeastOneLimitIsNotNull.
/**
 * isExpiredToken must report "not expired" when at least one of the two
 * limits is present: a null min, a null max, and a max just above the expiry
 * are each exercised against an expiry of 500.
 */
@Test
public void testIsExpiredTokenAtLeastOneLimitIsNotNull() {
    final Principal testPrincipal = SimplePrincipal.create("user_domain", "user",
            "v=S1;d=user_domain;n=user;s=sig", PRINCIPAL_AUTHORITY);
    final ZTSClient ztsClient = new ZTSClient("http://localhost:4080/", testPrincipal);

    final int expiry = 500;
    assertFalse(ztsClient.isExpiredToken(expiry, null, 600));
    assertFalse(ztsClient.isExpiredToken(expiry, 200, null));
    assertFalse(ztsClient.isExpiredToken(expiry, 200, 501));

    ztsClient.close();
}