
Example 16 with Principal

use of com.yahoo.athenz.auth.Principal in project athenz by yahoo.

the class ZMSImpl method putTenancyResourceGroup.

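/**
 * Provisions a tenant resource group on a provider service.
 *
 * The request is validated and normalised to lower case, the caller's
 * authorized-service restriction is checked, the provider's service identity
 * is looked up for its configured endpoint, and the provider is asked to
 * create the tenant resource group. The roles the provider returns are then
 * provisioned locally for the tenant via dbService.executePutProviderRoles.
 *
 * Any failure (read-only mode, validation, missing provider service or
 * endpoint, provider error, empty or missing role list) is raised as the
 * error built by ZMSUtils.requestError / ZMSUtils.error.
 *
 * @param ctx request context; expected to be a RsrcCtxWrapper carrying the authenticated principal
 * @param tenantDomain name of the tenant domain
 * @param provider fully qualified provider service name
 * @param resourceGroup name of the resource group to provision
 * @param auditRef audit reference recorded with the change
 * @param detail request body; lower-cased in place and otherwise only logged here
 * @return always null; the response body is not populated
 */
public TenancyResourceGroup putTenancyResourceGroup(ResourceContext ctx, String tenantDomain, String provider, String resourceGroup, String auditRef, TenancyResourceGroup detail) {
    final String caller = "puttenancyresourcegroup";
    metric.increment(ZMSConsts.HTTP_PUT);
    logPrincipal(ctx);
    if (readOnlyMode) {
        throw ZMSUtils.requestError("Server in Maintenance Read-Only mode. Please try your request later", caller);
    }
    validateRequest(ctx.request(), caller);
    validate(tenantDomain, TYPE_DOMAIN_NAME, caller);
    // the fully qualified service name to provision on
    validate(provider, TYPE_SERVICE_NAME, caller);
    validate(resourceGroup, TYPE_COMPOUND_NAME, caller);
    // for consistent handling of all requests, we're going to convert
    // all incoming object values into lower case (e.g. domain, role,
    // policy, service, etc name)
    tenantDomain = tenantDomain.toLowerCase();
    provider = provider.toLowerCase();
    resourceGroup = resourceGroup.toLowerCase();
    AthenzObject.TENANCY_RESOURCE_GROUP.convertToLowerCase(detail);
    metric.increment(ZMSConsts.HTTP_REQUEST, tenantDomain);
    metric.increment(caller, tenantDomain);
    Object timerMetric = metric.startTiming("puttenancyresourcegroup_timing", tenantDomain);
    // verify that request is properly authenticated for this request:
    // a principal acting through an authorized service may only invoke
    // the operations that service is allowed to perform
    verifyAuthorizedServiceOperation(((RsrcCtxWrapper) ctx).principal().getAuthorizedService(), caller);
    if (LOG.isDebugEnabled()) {
        LOG.debug("putTenancyResourceGroup: tenant domain(" + tenantDomain + ") resourceGroup(" + resourceGroup + ")");
    }
    // provider service domain
    String provSvcDomain = providerServiceDomain(provider);
    // provider service name
    String provSvcName = providerServiceName(provider);
    ServiceIdentity ent = dbService.getServiceIdentity(provSvcDomain, provSvcName);
    if (ent == null) {
        throw ZMSUtils.requestError("Unable to retrieve service=" + provider, caller);
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("serviceIdentity: provider=" + ent);
    }
    // only services with a configured provider endpoint can be provisioned on
    String url = ent.getProviderEndpoint();
    if (url == null || url.isEmpty()) {
        throw ZMSUtils.requestError("Cannot put tenancy resource group on provider service=" + provider + " -- not a provider service", caller);
    }
    Principal tenantAdmin = ((RsrcCtxWrapper) ctx).principal();
    TenantResourceGroup tenantResourceGroup = new TenantResourceGroup();
    tenantResourceGroup.setService(provSvcName).setName(tenantDomain).setResourceGroup(resourceGroup);
    TenantResourceGroup tenantWithRoles = null;
    try {
        // the provider is contacted on behalf of the requesting principal
        ProviderClient prov = getProviderClient(url, tenantAdmin);
        tenantWithRoles = prov.putTenantResourceGroup(provSvcName, tenantDomain, resourceGroup, auditRef, tenantResourceGroup);
    } catch (com.yahoo.athenz.provider.ResourceException ex) {
        // surface the provider's status code and message to the caller
        throw ZMSUtils.error(ex.getCode(), ex.getMessage(), caller);
    }
    if (LOG.isInfoEnabled()) {
        LOG.info("---- result of provider.putTenantResourceGroup: " + tenantWithRoles);
    }
    // a provider that answers without a body would otherwise NPE below and
    // turn into an internal error; report it like an empty role list instead
    if (tenantWithRoles == null) {
        throw ZMSUtils.requestError("Provider Controller did not return a tenant resource group", caller);
    }
    List<String> providerRoles = tenantWithRoles.getRoles();
    if (providerRoles == null || providerRoles.isEmpty()) {
        throw ZMSUtils.requestError("Provider Controller did not return any roles to provision", caller);
    }
    // we're going to create a separate role for each one of tenant roles returned
    // based on its action and set the caller as a member in each role
    dbService.executePutProviderRoles(ctx, tenantDomain, provSvcDomain, provSvcName, resourceGroup, providerRoles, auditRef, caller);
    if (LOG.isInfoEnabled()) {
        LOG.info("---- END put Tenant Resource Group -> " + detail);
    }
    metric.stopTiming(timerMetric);
    return null;
}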

Example 17 with Principal

use of com.yahoo.athenz.auth.Principal in project athenz by yahoo.

the class ZMSImpl method postUserDomain.

/**
 * Creates a user's personal domain as a sub-domain of the configured home
 * domain, with the requesting principal as its only administrator.
 *
 * The request is validated and normalised to lower case, the caller's
 * authorized-service restriction is checked, the path name and the body name
 * must agree, and any requested solution templates are validated before the
 * domain is created through createSubDomain.
 *
 * @param ctx request context; expected to be a RsrcCtxWrapper carrying the authenticated principal
 * @param name simple name of the user domain being created
 * @param auditRef audit reference recorded with the change
 * @param detail request body describing the domain; lower-cased in place
 * @return the newly created domain
 */
public Domain postUserDomain(ResourceContext ctx, String name, String auditRef, UserDomain detail) {
    final String caller = "postuserdomain";
    metric.increment(ZMSConsts.HTTP_POST);
    logPrincipal(ctx);
    if (readOnlyMode) {
        throw ZMSUtils.requestError("Server in Maintenance Read-Only mode. Please try your request later", caller);
    }
    validateRequest(ctx.request(), caller);
    validate(detail, TYPE_USER_DOMAIN, caller);
    validate(name, TYPE_SIMPLE_NAME, caller);
    // every incoming object name is lower-cased so that all lookups agree
    name = name.toLowerCase();
    AthenzObject.USER_DOMAIN.convertToLowerCase(detail);
    metric.increment(ZMSConsts.HTTP_REQUEST, name);
    metric.increment(caller, name);
    Object timer = metric.startTiming("postuserdomain_timing", name);
    final Principal requester = ((RsrcCtxWrapper) ctx).principal();
    final String requestedName = detail.getName();
    // an underscore in the domain name is only accepted from a system administrator
    if (requestedName.contains("_") && !isSysAdminUser(requester)) {
        throw ZMSUtils.requestError("Domain name cannot contain underscores", caller);
    }
    // a principal acting through an authorized service may only invoke
    // the operations that service is allowed to perform
    verifyAuthorizedServiceOperation(requester.getAuthorizedService(), caller);
    if (!name.equals(requestedName)) {
        throw ZMSUtils.forbiddenError("postUserDomain: Request and detail domain names do not match", caller);
    }
    // this is the user's top level domain, so its parent is the home domain
    // and the requesting user becomes its administrator
    List<String> domainAdmins = new ArrayList<>();
    domainAdmins.add(userDomainPrefix + requester.getName());
    DomainTemplateList templateList = detail.getTemplates();
    List<String> templateNames = null;
    if (templateList != null) {
        templateNames = templateList.getTemplateNames();
        validateSolutionTemplates(templateNames, caller);
    }
    Domain created = createSubDomain(ctx, homeDomain, getUserDomainName(requestedName), detail.getDescription(), detail.getOrg(), detail.getAuditEnabled(), domainAdmins, detail.getAccount(), 0, detail.getApplicationId(), templateNames, auditRef, caller);
    metric.stopTiming(timer);
    return created;
}

Example 18 with Principal

use of com.yahoo.athenz.auth.Principal in project athenz by yahoo.

the class ZMSImpl method deleteTenancyResourceGroup.

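/**
 * Removes a tenant resource group from a provider service and cleans up the
 * tenant's local roles and policies for it.
 *
 * The provider is contacted first (service lookup, endpoint check, delete
 * call). Failures on that path do not abort the request: the local cleanup
 * via dbService.executeDeleteTenancy always runs, and the provider-side
 * failure is reported afterwards through ZMSUtils.requestError so an
 * administrator can finish the removal with the provider manually.
 *
 * @param ctx request context; expected to be a RsrcCtxWrapper carrying the authenticated principal
 * @param tenantDomain name of the tenant domain
 * @param provider fully qualified provider service name
 * @param resourceGroup name of the resource group to remove
 * @param auditRef audit reference recorded with the change
 * @return always null; the response body is not populated
 */
public TenancyResourceGroup deleteTenancyResourceGroup(ResourceContext ctx, String tenantDomain, String provider, String resourceGroup, String auditRef) {
    final String caller = "deletetenancyresourcegroup";
    metric.increment(ZMSConsts.HTTP_DELETE);
    logPrincipal(ctx);
    if (readOnlyMode) {
        throw ZMSUtils.requestError("Server in Maintenance Read-Only mode. Please try your request later", caller);
    }
    validateRequest(ctx.request(), caller);
    validate(tenantDomain, TYPE_DOMAIN_NAME, caller);
    // fully qualified provider's service name
    validate(provider, TYPE_SERVICE_NAME, caller);
    validate(resourceGroup, TYPE_COMPOUND_NAME, caller);
    // for consistent handling of all requests, we're going to convert
    // all incoming object values into lower case (e.g. domain, role,
    // policy, service, etc name)
    tenantDomain = tenantDomain.toLowerCase();
    provider = provider.toLowerCase();
    resourceGroup = resourceGroup.toLowerCase();
    metric.increment(ZMSConsts.HTTP_REQUEST, tenantDomain);
    metric.increment(caller, tenantDomain);
    Object timerMetric = metric.startTiming("deletetenancyresourcegroup_timing", tenantDomain);
    // verify that request is properly authenticated for this request:
    // a principal acting through an authorized service may only invoke
    // the operations that service is allowed to perform
    verifyAuthorizedServiceOperation(((RsrcCtxWrapper) ctx).principal().getAuthorizedService(), caller);
    // for delete tenant resource group operation we're going to go through
    // the steps of lookup up provider's service object and make sure it has
    // an endpoint configured and we can talk to it and request the tenant
    // resource group to be deleted. if any of these operations fail, we're not
    // going to reject the request but rather continue on and do the local cleanup.
    // However, at the end we're going to return an exception with an error message
    // stating exactly what failed so the administrator can go ahead and contact
    // the provider manually, if necessary, to complete the delete tenancy
    // resource group process
    String errorMessage = null;
    // before local clean-up, we're going to contact the provider at their
    // configured endpoint and request the tenant resource group to be deleted.
    String provSvcDomain = providerServiceDomain(provider);
    String provSvcName = providerServiceName(provider);
    ServiceIdentity provSvcId = dbService.getServiceIdentity(provSvcDomain, provSvcName);
    if (provSvcId == null) {
        errorMessage = "service does not exist";
    } else {
        if (LOG.isDebugEnabled()) {
            LOG.debug("provider serviceIdentity(" + provSvcId + ")");
        }
        // an empty endpoint is as unusable as a missing one; treat both the
        // same way putTenancyResourceGroup does instead of handing an empty
        // URL to the provider client
        String url = provSvcId.getProviderEndpoint();
        if (url == null || url.isEmpty()) {
            errorMessage = "service does not have endpoint configured";
        } else {
            if (LOG.isInfoEnabled()) {
                LOG.info("Tenant will contact provider at endpoint: " + url);
            }
            try {
                Principal tenantAdmin = ((RsrcCtxWrapper) ctx).principal();
                ProviderClient prov = getProviderClient(url, tenantAdmin);
                prov.deleteTenantResourceGroup(provSvcName, tenantDomain, resourceGroup, auditRef);
            } catch (Exception exc) {
                // keep the full failure (with stack) server-side; the message
                // is still relayed to the caller so the provider can be chased
                LOG.error("deleteTenancyResourceGroup: provider " + provider + " delete failed for tenant domain " + tenantDomain + " resourceGroup " + resourceGroup, exc);
                errorMessage = "failed to delete tenant resource group. Error: " + exc.getMessage();
            }
        }
    }
    // now clean-up local domain roles and policies for this tenant
    dbService.executeDeleteTenancy(ctx, tenantDomain, provSvcDomain, provSvcName, resourceGroup, auditRef, caller);
    metric.stopTiming(timerMetric);
    if (errorMessage != null) {
        final String tenantCleanupMsg = "Tenant cleanup in(" + tenantDomain + "): ";
        throw ZMSUtils.requestError(tenantCleanupMsg + "completed successfully. However, there " + "was an error when contacting the Provider Service: " + provider + ":" + errorMessage + ". Please contact the Provider administrator directly " + "to complete this delete tenancy resource group request", caller);
    }
    return null;
}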

Example 19 with Principal

use of com.yahoo.athenz.auth.Principal in project athenz by yahoo.

the class HttpTest method testAuthorizedForbidden.

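/**
 * Http.authorize must reject a principal that the authorizer does not allow
 * with a ResourceException carrying status 403.
 *
 * The authorizer is an unstubbed mock, so it is expected to deny the
 * "action" on "resource" and the call must throw. The original form of this
 * test passed silently when nothing was thrown; the AssertionError inside the
 * try block closes that gap (it is not a ResourceException, so the catch
 * does not swallow it).
 */
@Test
public void testAuthorizedForbidden() throws Exception {
    Authorizer authorizer = Mockito.mock(Authorizer.class);
    Principal principal = Mockito.mock(Principal.class);
    try {
        Http.authorize(authorizer, principal, "action", "resource", null);
        // reaching this line means the denial was not enforced
        throw new AssertionError("expected Http.authorize to throw a 403 ResourceException");
    } catch (ResourceException expected) {
        assertEquals(expected.getCode(), 403);
    }
}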

Example 20 with Principal

use of com.yahoo.athenz.auth.Principal in project athenz by yahoo.

the class ZTSClientTest method testIsExpiredTokenAtLeastOneLimitIsNotNull.

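/**
 * isExpiredToken must not report expiry 500 as expired for the three limit
 * combinations below, where one or both of the second and third arguments
 * is null. The principal token string is a constructed sample value.
 *
 * The client is closed in a finally block so that a failing assertion does
 * not leak it (the original only closed it on the success path).
 */
@Test
public void testIsExpiredTokenAtLeastOneLimitIsNotNull() {
    Principal principal = SimplePrincipal.create("user_domain", "user", "v=S1;d=user_domain;n=user;s=sig", PRINCIPAL_AUTHORITY);
    ZTSClient client = new ZTSClient("http://localhost:4080/", principal);
    try {
        assertFalse(client.isExpiredToken(500, null, 600));
        assertFalse(client.isExpiredToken(500, 200, null));
        assertFalse(client.isExpiredToken(500, 200, 501));
    } finally {
        // release the client whether or not the assertions above passed
        client.close();
    }
}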
