
Example 11 with Principal

use of com.yahoo.athenz.auth.Principal in project athenz by yahoo.

Class ZMSAuthorizerTest, method testAuthorizer.

@Test
public void testAuthorizer() {
    // Exercises ZMSAuthorizer.access() for three callers, each presented in
    // three forms: a Principal object, a principal-token string and a
    // role-token string. The enclosing test class header is outside this view.
    ZMSClient client = getClient(systemAdminUser);
    String domain = "authorizerdom1";
    ZMSAuthorizer authorizer = new ZMSAuthorizer(zmsUrl, domain);
    assertNotNull(authorizer);
    // create 3 user client objects
    Principal p1 = createPrincipal("user1");
    Principal p2 = createPrincipal("user2");
    Principal p3 = createPrincipal("user3");
    // the RDL client behind the real ZMSClient is mocked so that the
    // domain setup/teardown below never talks to a server
    ZMSRDLGeneratedClient zmsRdlClient = Mockito.mock(ZMSRDLGeneratedClient.class);
    client.setZMSRDLGeneratedClient(zmsRdlClient);
    Domain domainMock = Mockito.mock(Domain.class);
    Mockito.when(zmsRdlClient.postTopLevelDomain(Mockito.<String>any(), Mockito.any(TopLevelDomain.class))).thenReturn(domainMock);
    setupAccess(client, domain);
    // only user1 and user3 have access to UPDATE/resource1
    // Every grant/deny outcome below is dictated by this mocked client, not
    // by ZMS and not by the tokens' "s=signature" placeholder signatures --
    // nothing in this test verifies a signature.
    ZMSClient mockZMSClient = Mockito.mock(ZMSClient.class);
    authorizer.setZMSClient(mockZMSClient);
    Access accessMock = Mockito.mock(Access.class);
    // domain-scoped lookups (Principal / principal token) and the
    // domain-less lookup used for role tokens both return the same Access
    Mockito.when(mockZMSClient.getAccess("UPDATE", "authorizerdom1:resource1", "authorizerdom1")).thenReturn(accessMock);
    Mockito.when(mockZMSClient.getAccess("UPDATE", "authorizerdom1:resource1", null)).thenReturn(accessMock);
    // Scripted answers, consumed one per getGranted() call. The eight values
    // line up one-for-one with the eight access() calls below (user1 x3 ->
    // true, user2 x3 -> false, user3 x2 -> true), so the assertions assume
    // exactly one getGranted() call per access() and depend on call order.
    Mockito.when(accessMock.getGranted()).thenReturn(true, true, true, false, false, false, true, true);
    // NOTE(review): the authorizer was pointed at mockZMSClient above, so this
    // stub on the RDL client appears not to be on the decision path.
    Mockito.when(zmsRdlClient.getAccess("UPDATE", "authorizerdom1:resource1", "authorizerdom1", null)).thenReturn(accessMock);
    boolean access = authorizer.access("UPDATE", "resource1", p1, domain);
    assertTrue(access);
    // we're going to use a principal token as well to test this access
    String principalToken1 = "v=U1;d=user;n=user1;s=signature";
    access = authorizer.access("UPDATE", "resource1", principalToken1, domain);
    assertTrue(access);
    // finally testing with role token as well
    // (role tokens carry their own domain, hence the null domain argument)
    String roleToken1 = "v=Z1;d=authorizerdom1;r=role1;s=signature";
    access = authorizer.access("UPDATE", "resource1", roleToken1, null);
    assertTrue(access);
    // now try with other users
    access = authorizer.access("UPDATE", "resource1", p2, domain);
    assertFalse(access);
    String principalToken2 = "v=U1;d=user;n=user2;s=signature";
    access = authorizer.access("UPDATE", "resource1", principalToken2, domain);
    assertFalse(access);
    String roleToken2 = "v=Z1;d=authorizerdom1;r=role2;s=signature";
    access = authorizer.access("UPDATE", "resource1", roleToken2, null);
    assertFalse(access);
    access = authorizer.access("UPDATE", "resource1", p3, domain);
    assertTrue(access);
    String principalToken3 = "v=U1;d=user;n=user3;s=signature";
    access = authorizer.access("UPDATE", "resource1", principalToken3, domain);
    assertTrue(access);
    // we should get exception with no principal
    // NOTE(review): catch (Exception) accepts any failure, so these two blocks
    // only prove "something was thrown", not that a missing principal is
    // rejected deliberately; narrowing the caught type would pin that down.
    try {
        authorizer.access("UPDATE", "resource2", (Principal) null, domain);
        fail();
    } catch (Exception ex) {
        assertTrue(true);
    }
    try {
        authorizer.access("UPDATE", "resource2", (String) null, domain);
        fail();
    } catch (Exception ex) {
        assertTrue(true);
    }
    // teardown: the delete goes through the mocked RDL client as well
    TopLevelDomain topLevelDomainMock = Mockito.mock(TopLevelDomain.class);
    Mockito.when(zmsRdlClient.deleteTopLevelDomain(domain, AUDIT_REF)).thenReturn(topLevelDomainMock);
    cleanUpAccess(domain);
}
Also used : ZMSAuthorizer(com.yahoo.athenz.zms.ZMSAuthorizer) Principal(com.yahoo.athenz.auth.Principal) SimplePrincipal(com.yahoo.athenz.auth.impl.SimplePrincipal) Test(org.testng.annotations.Test)

Example 12 with Principal

use of com.yahoo.athenz.auth.Principal in project athenz by yahoo.

Class ZMSClientTest, method createPrincipal.

private Principal createPrincipal(String userName) {
    // Test helper: builds a user principal in the "user" domain whose
    // credential string has the shape of a U1 principal token
    // ("v=U1;d=user;n=<user>;s=signature"). The signature field is a
    // literal placeholder, not a real signature, so this principal is only
    // usable where nothing verifies it (e.g. against mocked clients).
    final String placeholderToken = String.join(";", "v=U1", "d=user", "n=" + userName, "s=signature");
    return SimplePrincipal.create("user", userName, placeholderToken, 0, new com.yahoo.athenz.auth.impl.PrincipalAuthority());
}
Also used : Authority(com.yahoo.athenz.auth.Authority) SimplePrincipal(com.yahoo.athenz.auth.impl.SimplePrincipal) Principal(com.yahoo.athenz.auth.Principal)

Example 13 with Principal

use of com.yahoo.athenz.auth.Principal in project athenz by yahoo.

Class ZMSImpl, method getServicePrincipal.

public ServicePrincipal getServicePrincipal(ResourceContext ctx) {
    // Returns the authenticated caller's identity as a ServicePrincipal.
    // If the authority that authenticated the caller does not itself allow
    // authorization, the caller's credentials are re-issued as an "S1"
    // token signed by ZMS (same issue time, expiry window and IP as the
    // incoming token, so re-signing never extends its lifetime); otherwise
    // the caller's own credentials are handed back unchanged.
    // The enclosing class (ZMSImpl) header is outside this view.
    final String caller = "getserviceprincipal";
    metric.increment(ZMSConsts.HTTP_GET);
    logPrincipal(ctx);
    validateRequest(ctx.request(), caller);
    final Principal requester = ((RsrcCtxWrapper) ctx).principal();
    final String requesterDomain = requester.getDomain();
    metric.increment(ZMSConsts.HTTP_REQUEST, requesterDomain);
    metric.increment(caller, requesterDomain);
    final Object timer = metric.startTiming("getserviceprincipal_timing", requesterDomain);
    final ServicePrincipal result = new ServicePrincipal();
    result.setDomain(requesterDomain);
    result.setService(requester.getName());
    final String token = requester.getAuthority().allowAuthorization()
            ? requester.getCredentials()
            : reissueAsZmsToken(requester.getCredentials());
    result.setToken(token);
    metric.stopTiming(timer);
    return result;
}

// Re-signs an incoming principal-token credential as an "S1" token under the
// ZMS private key, preserving the original issue time, expiry and IP.
// Assumes the credential string parses as a PrincipalToken; for an authority
// whose credentials are not in that format this constructor would presumably
// fail -- confirm which authorities report allowAuthorization() == false.
private String reissueAsZmsToken(String credentials) {
    final PrincipalToken incoming = new PrincipalToken(credentials);
    final long issuedAt = incoming.getTimestamp();
    final PrincipalToken reissued = new PrincipalToken.Builder("S1", incoming.getDomain(), incoming.getName())
            .issueTime(issuedAt)
            // remaining lifetime of the original token, not a fresh window
            .expirationWindow(incoming.getExpiryTime() - issuedAt)
            .ip(incoming.getIP())
            .keyId(privateKeyId)
            .host(serverHostName)
            .keyService(ZMSConsts.ZMS_SERVICE)
            .build();
    reissued.sign(privateKey);
    return reissued.getSignedToken();
}
Also used : Authority(com.yahoo.athenz.auth.Authority) PrincipalToken(com.yahoo.athenz.auth.token.PrincipalToken) SimplePrincipal(com.yahoo.athenz.auth.impl.SimplePrincipal) Principal(com.yahoo.athenz.auth.Principal)

Example 14 with Principal

use of com.yahoo.athenz.auth.Principal in project athenz by yahoo.

Class ZMSImpl, method getTenancy.

public Tenancy getTenancy(ResourceContext ctx, String tenantDomain, String providerService) {
    // Reports which resource groups of tenantDomain are provisioned on
    // providerService. The list is obtained from the provider itself (over
    // its registered endpoint) and then filtered against the policies ZMS
    // holds for the tenant and provider domains.
    // The enclosing class (ZMSImpl) header is outside this view.
    final String caller = "gettenancy";
    metric.increment(ZMSConsts.HTTP_GET);
    logPrincipal(ctx);
    // syntactic validation of the request and of both path parameters
    // happens before anything is looked up or contacted
    validateRequest(ctx.request(), caller);
    validate(tenantDomain, TYPE_DOMAIN_NAME, caller);
    // fully qualified provider's service name
    validate(providerService, TYPE_SERVICE_NAME, caller);
    // for consistent handling of all requests, we're going to convert
    // all incoming object values into lower case (e.g. domain, role,
    // policy, service, etc name)
    tenantDomain = tenantDomain.toLowerCase();
    providerService = providerService.toLowerCase();
    metric.increment(ZMSConsts.HTTP_REQUEST, tenantDomain);
    metric.increment(caller, tenantDomain);
    Object timerMetric = metric.startTiming("gettenancy_timing", tenantDomain);
    // first verify that we have a valid tenant domain with policies
    // (unknown tenant -> 404; unknown provider domain/service -> 400 below)
    Domain domain = dbService.getDomain(tenantDomain, false);
    if (domain == null) {
        throw ZMSUtils.notFoundError("getTenancy: No such tenant domain: " + tenantDomain, caller);
    }
    // we need to contact the provider to retrieve tenancy details
    // since we don't know if the provider supports resource groups
    // and as such the policies we have are for tenant's subdomains
    // or for tenant's domain with resource groups.
    String provSvcDomain = providerServiceDomain(providerService);
    String provSvcName = providerServiceName(providerService);
    Domain providerDomain = dbService.getDomain(provSvcDomain, false);
    if (providerDomain == null) {
        throw ZMSUtils.requestError("getTenancy: No such provider domain: " + provSvcDomain, caller);
    }
    // now retrieve our provider service object
    ServiceIdentity service = dbService.getServiceIdentity(provSvcDomain, provSvcName);
    if (service == null) {
        throw ZMSUtils.requestError("getTenancy: unable to retrieve service=" + providerService, caller);
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("getTenancy: serviceIdentity: provider=" + service);
    }
    // contact the provider and get the tenant object
    // The endpoint is whatever was stored on the provider's service identity
    // and is used as-is for the outbound request below; any validation of
    // that URL would have to happen where the endpoint is registered, which
    // is not visible here.
    String url = service.getProviderEndpoint();
    if (url == null || url.isEmpty()) {
        throw ZMSUtils.requestError("getTenancy: cannot get tenancy on provider service=" + providerService + " -- not a provider service", caller);
    }
    // the provider is contacted on behalf of the authenticated caller; what
    // getProviderClient does with the principal (e.g. forwarding its
    // credentials to the provider) is not visible here
    Principal tenantAdmin = ((RsrcCtxWrapper) ctx).principal();
    Tenant tenant = null;
    try {
        ProviderClient prov = getProviderClient(url, tenantAdmin);
        tenant = prov.getTenant(provSvcName, tenantDomain);
    } catch (com.yahoo.athenz.provider.ResourceException ex) {
        // the provider's own status code and message are surfaced to the
        // caller unchanged
        LOG.error("getTenancy: ProviderClient exception code: {} message: {}", ex.getCode(), ex.getMessage());
        throw ZMSUtils.error(ex.getCode(), ex.getMessage(), caller);
    }
    if (tenant == null) {
        throw ZMSUtils.notFoundError("getTenancy: Provider reports no such tenant: " + tenantDomain, caller);
    }
    if (LOG.isInfoEnabled()) {
        // logs the full tenant object as returned by the provider
        LOG.info("getTenancy: ---- result of provider.getTenant: " + tenant);
    }
    // now we are going to verify to make sure that both tenant
    // and provider domains have the appropriate policies. however we
    // are not going to reject any requests because of missing policies
    // and instead for resource group support we'll just not report
    // the resource group as a valid provisioned one.
    // NOTE(review): no explicit authorization check is visible in this
    // method beyond the request validation above; access to tenancy data is
    // presumably gated elsewhere (filter/wrapper) -- confirm.
    Tenancy tenancy = new Tenancy();
    tenancy.setDomain(tenantDomain).setService(providerService);
    List<String> resourceGroups = tenant.getResourceGroups();
    if (resourceGroups != null) {
        List<String> tenantPolicies = dbService.listPolicies(tenantDomain);
        Set<String> providerPolicies = new HashSet<>(dbService.listPolicies(provSvcDomain));
        List<String> tenancyResouceGroups = new ArrayList<>();
        for (String resourceGroup : resourceGroups) {
            // a group the provider reports but for which the expected
            // policies are missing is silently dropped from the answer
            if (!verifyTenancyPolicies(tenantDomain, tenantPolicies, providerPolicies, provSvcDomain, provSvcName, resourceGroup)) {
                if (LOG.isInfoEnabled()) {
                    LOG.info("getTenancy: Invalid Resource Group: " + resourceGroup + " for tenant: " + tenantDomain);
                }
            } else {
                tenancyResouceGroups.add(resourceGroup);
            }
        }
        tenancy.setResourceGroups(tenancyResouceGroups);
    }
    // a null resourceGroups from the provider leaves tenancy.resourceGroups unset
    metric.stopTiming(timerMetric);
    return tenancy;
}
Also used : ArrayList(java.util.ArrayList) Tenant(com.yahoo.athenz.provider.Tenant) ProviderClient(com.yahoo.athenz.provider.ProviderClient) AthenzDomain(com.yahoo.athenz.zms.store.AthenzDomain) SimplePrincipal(com.yahoo.athenz.auth.impl.SimplePrincipal) Principal(com.yahoo.athenz.auth.Principal) HashSet(java.util.HashSet)

Example 15 with Principal

use of com.yahoo.athenz.auth.Principal in project athenz by yahoo.

Class ZMSImpl, method getUserToken.

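@Override
public UserToken getUserToken(ResourceContext ctx, String userName, String authorizedServices, Boolean header) {
    // Mints a ZMS-signed "U1" user token for the authenticated caller.
    // userName must match the caller's principal; authorizedServices is an
    // optional comma-separated list that must be a subset of the server's
    // configured allow-list; header=true additionally returns the HTTP
    // header name the principal authority expects the token in.
    // Throws an unauthorized error on a principal/userName mismatch or an
    // unknown service name. The enclosing class header is outside this view.
    final String caller = "getusertoken";
    metric.increment(ZMSConsts.HTTP_GET);
    metric.increment(ZMSConsts.HTTP_REQUEST);
    metric.increment(caller);
    Object timerMetric = metric.startTiming("getusertoken_timing", null);
    logPrincipal(ctx);
    validateRequest(ctx.request(), caller);
    // for consistent handling of all requests, we're going to convert
    // all incoming object values into lower case (e.g. domain, role,
    // policy, service, etc name). Default-locale toLowerCase(), matching
    // the rest of this class.
    userName = userName.toLowerCase();
    Principal principal = ((RsrcCtxWrapper) ctx).principal();
    // the token is minted for the authenticated principal (see the builder
    // below), so the request is presumably rejected unless the caller has
    // user credentials naming that same user -- see the error text
    if (!isValidUserTokenRequest(principal, userName)) {
        throw ZMSUtils.unauthorizedError("getUserToken: Invalid request - missing User credentials or userName mismatch", caller);
    }
    // if the user is requesting authorized services we need to verify that
    // all the service names are valid: every element must be in the
    // server's allow-list or the whole request is rejected. Elements are
    // taken verbatim (no trimming), so " svc" or an empty element from
    // "a,,b" is checked like any other name.
    List<String> services = null;
    if (authorizedServices != null && !authorizedServices.isEmpty()) {
        services = Arrays.asList(authorizedServices.split(","));
        for (String service : services) {
            if (!serverAuthorizedServices.contains(service)) {
                throw ZMSUtils.unauthorizedError("getUserToken: Service " + service + " is not authorized in ZMS", caller);
            }
        }
    }
    // identity comes from the authenticated principal, never from the path;
    // lifetime is the server-configured userTokenTimeout; the client IP is
    // recorded in the token
    PrincipalToken token = new PrincipalToken.Builder("U1", userDomain, principal.getName())
            .expirationWindow(userTokenTimeout)
            .keyId(privateKeyId)
            .host(serverHostName)
            .ip(ServletRequestUtil.getRemoteAddress(ctx.request()))
            .authorizedServices(services)
            .build();
    token.sign(privateKey);
    UserToken userToken = new UserToken().setToken(token.getSignedToken());
    // Boolean.TRUE.equals(header) is null-safe and compares by value; the
    // previous `header == Boolean.TRUE` relied on reference identity of the
    // boxed value and would miss a Boolean not obtained via Boolean.valueOf.
    if (Boolean.TRUE.equals(header) && principalAuthority != null) {
        userToken.setHeader(principalAuthority.getHeader());
    }
    // CORS headers are only emitted when authorized services were requested
    if (services != null) {
        setStandardCORSHeaders(ctx);
    }
    metric.stopTiming(timerMetric);
    return userToken;
}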
Also used : PrincipalToken(com.yahoo.athenz.auth.token.PrincipalToken) SimplePrincipal(com.yahoo.athenz.auth.impl.SimplePrincipal) Principal(com.yahoo.athenz.auth.Principal)
