
Example 21 with PrincipalAuthority

use of com.yahoo.athenz.auth.impl.PrincipalAuthority in project athenz by yahoo.

the class ZMSImplTest method testPutProviderResourceGroupRolesWithAuthorizedService.

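@Test
public void testPutProviderResourceGroupRolesWithAuthorizedService() {
    // Scenario: a user principal whose credentials carry an authorized-service
    // claim for the provider (coretech.storage) adds and removes provider
    // resource-group roles. The assertions below pin the expected split:
    //   * with the authorized-service context both the tenant-side provider
    //     roles and the provider-side tenant roles are written and removed;
    //   * with the plain domain-admin context (mockDomRsrcCtx) only the
    //     tenant-side provider roles are removed and the provider domain
    //     keeps its tenant roles.
    String tenantDomain = "providerresourcegrouprolesauthorizedservice";
    String providerService = "storage";
    String providerDomain = "coretech";
    String resourceGroup = "hockey";
    setupTenantDomainProviderService(tenantDomain, providerDomain, providerService, "http://localhost:8090/tableprovider");
    // tenant is setup so let's setup up policy to authorize access to tenants
    // without this role/policy we won't be authorized to add tenant roles
    // to the provider domain even with authorized service details
    Role role = createRoleObject(providerDomain, "self_serve", null, providerDomain + "." + providerService, null);
    zms.putRole(mockDomRsrcCtx, providerDomain, "self_serve", auditRef, role);
    Policy policy = createPolicyObject(providerDomain, "self_serve", "self_serve", "update", providerDomain + ":tenant.*", AssertionEffect.ALLOW);
    zms.putPolicy(mockDomRsrcCtx, providerDomain, "self_serve", auditRef, policy);
    // now we're going to setup our provider role call
    List<TenantRoleAction> roleActions = new ArrayList<>();
    for (Struct.Field f : RESOURCE_PROVIDER_ROLE_ACTIONS) {
        roleActions.add(new TenantRoleAction().setRole(f.name()).setAction((String) f.value()));
    }
    ProviderResourceGroupRoles providerRoles = new ProviderResourceGroupRoles().setDomain(providerDomain).setService(providerService).setTenant(tenantDomain).setRoles(roleActions).setResourceGroup(resourceGroup);
    // we are going to create a principal object with authorized service
    // set to coretech.storage. A debug authority is used, so the literal
    // "signature" value is presumably not validated; the authorized-service
    // claim is what drives the provider-side authorization in this test.
    String userId = "user1";
    Authority principalAuthority = new com.yahoo.athenz.common.server.debug.DebugPrincipalAuthority();
    String unsignedCreds = "v=U1;d=user;n=" + userId;
    Principal principal = SimplePrincipal.create("user", userId, unsignedCreds + ";s=signature", 0, principalAuthority);
    ((SimplePrincipal) principal).setUnsignedCreds(unsignedCreds);
    ((SimplePrincipal) principal).setAuthorizedService("coretech.storage");
    ResourceContext ctx = createResourceContext(principal);
    // after this call we should have roles set for both provider and tenant
    zms.putProviderResourceGroupRoles(ctx, tenantDomain, providerDomain, providerService, resourceGroup, auditRef, providerRoles);
    ProviderResourceGroupRoles pRoles = zms.getProviderResourceGroupRoles(ctx, tenantDomain, providerDomain, providerService, resourceGroup);
    assertNotNull(pRoles);
    assertEquals(providerDomain.toLowerCase(), pRoles.getDomain());
    assertEquals(providerService.toLowerCase(), pRoles.getService());
    assertEquals(tenantDomain.toLowerCase(), pRoles.getTenant());
    assertEquals(resourceGroup.toLowerCase(), pRoles.getResourceGroup());
    assertEquals(RESOURCE_PROVIDER_ROLE_ACTIONS.size(), pRoles.getRoles().size());
    List<String> roles = providerResourceGroupRoleNames(pRoles.getRoles());
    assertTrue(roles.contains("reader"));
    assertTrue(roles.contains("writer"));
    // now get the tenant roles for the provider
    TenantResourceGroupRoles tRoles = zms.getTenantResourceGroupRoles(mockDomRsrcCtx, providerDomain, providerService, tenantDomain, resourceGroup);
    assertNotNull(tRoles);
    assertEquals(tRoles.getDomain(), providerDomain);
    assertEquals(tRoles.getService(), providerService);
    assertEquals(tRoles.getTenant(), tenantDomain);
    assertEquals(tRoles.getResourceGroup(), resourceGroup);
    assertEquals(RESOURCE_PROVIDER_ROLE_ACTIONS.size(), tRoles.getRoles().size());
    // verify the provider-side role names (this previously re-read pRoles,
    // which left the tenant roles stored in the provider domain unchecked)
    roles = providerResourceGroupRoleNames(tRoles.getRoles());
    assertTrue(roles.contains("reader"));
    assertTrue(roles.contains("writer"));
    // now we're going to delete the provider roles using the standard
    // resource object without the authorized service. in this case
    // the provider roles are going to be deleted but not the tenant
    // roles from the provider domain
    zms.deleteProviderResourceGroupRoles(mockDomRsrcCtx, tenantDomain, providerDomain, providerService, resourceGroup, auditRef);
    // so for tenant we're going to 0 provider roles
    pRoles = zms.getProviderResourceGroupRoles(mockDomRsrcCtx, tenantDomain, providerDomain, providerService, resourceGroup);
    assertNotNull(pRoles);
    assertEquals(0, pRoles.getRoles().size());
    // but for provider we're still going to get full set of roles
    tRoles = zms.getTenantResourceGroupRoles(mockDomRsrcCtx, providerDomain, providerService, tenantDomain, resourceGroup);
    assertNotNull(tRoles);
    assertEquals(2, tRoles.getRoles().size());
    // now this time we're going to delete with the principal with the
    // authorized service token
    zms.deleteProviderResourceGroupRoles(ctx, tenantDomain, providerDomain, providerService, resourceGroup, auditRef);
    // so for tenant we're still going to 0 provider roles
    pRoles = zms.getProviderResourceGroupRoles(ctx, tenantDomain, providerDomain, providerService, resourceGroup);
    assertNotNull(pRoles);
    assertEquals(0, pRoles.getRoles().size());
    // and for provider we're now going to get 0 tenant roles as well
    tRoles = zms.getTenantResourceGroupRoles(mockDomRsrcCtx, providerDomain, providerService, tenantDomain, resourceGroup);
    assertNotNull(tRoles);
    assertEquals(0, tRoles.getRoles().size());
    // clean up our domains
    zms.deleteTopLevelDomain(mockDomRsrcCtx, tenantDomain, auditRef);
    zms.deleteTopLevelDomain(mockDomRsrcCtx, providerDomain, auditRef);
}

/**
 * Collects the role names from a list of tenant role actions, in list order.
 *
 * @param actions the role/action pairs returned by the server
 * @return a new mutable list holding {@code getRole()} of every entry
 */
private static List<String> providerResourceGroupRoleNames(List<TenantRoleAction> actions) {
    List<String> names = new ArrayList<>(actions.size());
    for (TenantRoleAction action : actions) {
        names.add(action.getRole());
    }
    return names;
}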

Example 22 with PrincipalAuthority

use of com.yahoo.athenz.auth.impl.PrincipalAuthority in project athenz by yahoo.

the class ZMSImplTest method testGetUserTokenExpiredIssueTime.

@Test
public void testGetUserTokenExpiredIssueTime() {
    // Tokens minted by getUserToken are checked with the real
    // PrincipalAuthority backed by the ZMS key store, so a token whose
    // signature does not validate fails the test instead of being ignored.
    PrincipalAuthority verifier = new com.yahoo.athenz.auth.impl.PrincipalAuthority();
    verifier.setKeyStore(zms);
    // an issue time two hours in the past.
    // NOTE(review): this value is never handed to getUserToken (both optional
    // arguments below are null), so the assertNotEquals further down holds
    // regardless of how the server picks the timestamp; confirm the intent.
    long staleIssueTime = System.currentTimeMillis() / 1000 - 7200;
    Authority userAuthority = new com.yahoo.athenz.common.server.debug.DebugUserAuthority();
    String userId = "george";
    Principal caller = SimplePrincipal.create("user", userId, userId + ":password", 0, userAuthority);
    ((SimplePrincipal) caller).setUnsignedCreds(userId);
    ResourceContext callerCtx = createResourceContext(caller);
    // sign with key id 0
    zms.privateKeyId = "0";
    zms.privateKey = Crypto.loadPrivateKey(Crypto.ybase64DecodeString(privKey));
    UserToken userToken = zms.getUserToken(callerCtx, userId, null, null);
    assertNotNull(userToken);
    // the signature must validate against the key store
    Principal verified = verifier.authenticate(userToken.getToken(), "10.11.12.13", "GET", null);
    assertNotNull(verified);
    // the server must not have used our stale issue time
    PrincipalToken parsed = new PrincipalToken(userToken.getToken());
    assertNotEquals(parsed.getTimestamp(), staleIssueTime);
    // the expiry should be close to the one-hour default (allowing for
    // the time spent in this test)
    long secondsLeft = parsed.getExpiryTime() - System.currentTimeMillis() / 1000;
    assertTrue(secondsLeft > 3500);
}

Example 23 with PrincipalAuthority

use of com.yahoo.athenz.auth.impl.PrincipalAuthority in project athenz by yahoo.

the class ZMSImplTest method testVirtualHomeDomain.

@Test
public void testVirtualHomeDomain() {
    // A virtual home domain for user.user1 must come back with an admin role
    // whose only member is that user, plus a matching admin policy.
    Authority principalAuthority = new com.yahoo.athenz.common.server.debug.DebugPrincipalAuthority();
    Principal user = SimplePrincipal.create("user", "user1", "v=U1;d=user;n=user1;s=signature", 0, principalAuthority);
    AthenzDomain homeDomain = zms.virtualHomeDomain(user, "user.user1");
    assertNotNull(homeDomain);
    List<Role> domainRoles = homeDomain.getRoles();
    assertNotNull(domainRoles);
    // first role named user.user1:role.admin, if any
    Role adminRole = domainRoles.stream()
            .filter(r -> r.getName().equals("user.user1:role.admin"))
            .findFirst()
            .orElse(null);
    assertNotNull(adminRole);
    List<RoleMember> adminMembers = adminRole.getRoleMembers();
    assertEquals(adminMembers.size(), 1);
    assertEquals(adminMembers.get(0).getMemberName(), "user.user1");
    List<Policy> domainPolicies = homeDomain.getPolicies();
    assertNotNull(domainPolicies);
    // first policy named user.user1:policy.admin, if any
    Policy adminPolicy = domainPolicies.stream()
            .filter(p -> p.getName().equals("user.user1:policy.admin"))
            .findFirst()
            .orElse(null);
    assertNotNull(adminPolicy);
}

Example 24 with PrincipalAuthority

use of com.yahoo.athenz.auth.impl.PrincipalAuthority in project athenz by yahoo.

the class ZMSImplTest method testPutTenancyWithAuthorizedService.

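@Test
public void testPutTenancyWithAuthorizedService() {
    // Scenario: a user principal carrying an authorized-service claim for the
    // provider (coretech.storage) registers and then removes tenancy. The
    // test pins the tenancy admin policy written on the tenant side, the
    // tenant admin role written on the provider side, and that deleteTenancy
    // removes both again.
    String tenantDomain = "puttenancyauthorizedservice";
    String providerService = "storage";
    String providerDomain = "coretech";
    String provider = providerDomain + "." + providerService;
    setupTenantDomainProviderService(tenantDomain, providerDomain, providerService, null);
    // tenant is setup so let's setup up policy to authorize access to tenants
    // without this role/policy we won't be authorized to add tenant roles
    // to the provider domain even with authorized service details
    Role role = createRoleObject(providerDomain, "self_serve", null, providerDomain + "." + providerService, null);
    zms.putRole(mockDomRsrcCtx, providerDomain, "self_serve", auditRef, role);
    Policy policy = createPolicyObject(providerDomain, "self_serve", "self_serve", "update", providerDomain + ":tenant.*", AssertionEffect.ALLOW);
    zms.putPolicy(mockDomRsrcCtx, providerDomain, "self_serve", auditRef, policy);
    // we are going to create a principal object with authorized service
    // set to coretech.storage
    Authority principalAuthority = new com.yahoo.athenz.common.server.debug.DebugPrincipalAuthority();
    String userId = "user1";
    // NOTE(review): the sibling tests in this class build the unsigned
    // creds with "n=" for the user name; confirm "u=" is intended here.
    String unsignedCreds = "v=U1;d=user;u=" + userId;
    Principal principal = SimplePrincipal.create("user", userId, unsignedCreds + ";s=signature", 0, principalAuthority);
    ((SimplePrincipal) principal).setUnsignedCreds(unsignedCreds);
    ((SimplePrincipal) principal).setAuthorizedService(provider);
    ResourceContext ctx = createResourceContext(principal);
    // after this call we should have admin roles set for both provider and tenant
    Tenancy tenant = createTenantObject(tenantDomain, provider);
    zms.putTenancy(ctx, tenantDomain, provider, auditRef, tenant);
    // make sure our policy has been created
    policy = zms.getPolicy(mockDomRsrcCtx, tenantDomain, "tenancy." + provider + ".admin");
    assertNotNull(policy);
    String tenantRoleInProviderDomain = providerService + ".tenant." + tenantDomain + ".admin";
    List<Assertion> assertList = policy.getAssertions();
    assertEquals(3, assertList.size());
    // every assertion must be ALLOW, and exactly these three must be present:
    // domain admins may assume the provider-side tenant admin role, the
    // tenancy admin role may assume it too, and the tenancy admin role may
    // update the tenancy resource
    boolean domainAdminRoleCheck = false;
    boolean tenantAdminRoleCheck = false;
    boolean tenantUpdateCheck = false;
    for (Assertion obj : assertList) {
        assertEquals(AssertionEffect.ALLOW, obj.getEffect());
        if (obj.getRole().equals(tenantDomain + ":role.admin")) {
            assertEquals("assume_role", obj.getAction());
            assertEquals("coretech:role.storage.tenant.puttenancyauthorizedservice.admin", obj.getResource());
            domainAdminRoleCheck = true;
        } else if (obj.getRole().equals(tenantDomain + ":role.tenancy." + provider + ".admin")) {
            if (obj.getAction().equals("assume_role")) {
                assertEquals("coretech:role.storage.tenant.puttenancyauthorizedservice.admin", obj.getResource());
                tenantAdminRoleCheck = true;
            } else if (obj.getAction().equals("update")) {
                assertEquals(tenantDomain + ":tenancy." + provider, obj.getResource());
                tenantUpdateCheck = true;
            }
        }
    }
    assertTrue(domainAdminRoleCheck);
    assertTrue(tenantAdminRoleCheck);
    assertTrue(tenantUpdateCheck);
    // now let's verify the provider side by using the get tenant roles call
    TenantRoles tRoles = zms.getTenantRoles(mockDomRsrcCtx, providerDomain, providerService, tenantDomain);
    assertNotNull(tRoles);
    assertEquals(1, tRoles.getRoles().size());
    TenantRoleAction roleAction = tRoles.getRoles().get(0);
    assertEquals("*", roleAction.getAction());
    assertEquals("admin", roleAction.getRole());
    role = zms.getRole(mockDomRsrcCtx, providerDomain, tenantRoleInProviderDomain, false, false);
    assertNotNull(role);
    // now let's call delete tenancy support with the same authorized service token
    zms.deleteTenancy(ctx, tenantDomain, provider, auditRef);
    // the tenancy admin policy must be gone from the tenant domain
    try {
        zms.getPolicy(mockDomRsrcCtx, tenantDomain, "tenancy." + provider + ".admin");
        fail();
    } catch (ResourceException ex) {
        assertEquals(ex.getCode(), 404);
    }
    // the tenant admin role must be gone from the provider domain as well.
    // Without the fail() a role left behind (a stale grant to the tenant's
    // admins) would have passed silently; the empty tenant-roles check below
    // shows the role is expected to be removed.
    try {
        zms.getRole(mockDomRsrcCtx, providerDomain, tenantRoleInProviderDomain, false, false);
        fail();
    } catch (ResourceException ex) {
        assertEquals(ex.getCode(), 404);
    }
    // get tenant roles now returns an empty set
    tRoles = zms.getTenantRoles(mockDomRsrcCtx, providerDomain, providerService, tenantDomain);
    assertNotNull(tRoles);
    assertEquals(0, tRoles.getRoles().size());
    // clean up our domains
    zms.deleteTopLevelDomain(mockDomRsrcCtx, tenantDomain, auditRef);
    zms.deleteTopLevelDomain(mockDomRsrcCtx, providerDomain, auditRef);
}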

Example 25 with PrincipalAuthority

use of com.yahoo.athenz.auth.impl.PrincipalAuthority in project athenz by yahoo.

the class ZMSImplTest method testGetUserToken.

@Test
public void testGetUserToken() {
    // Tokens are checked with the real PrincipalAuthority wired to the ZMS
    // key store, so each minted token must carry a signature that validates
    // against the key matching the key id (k=...) it advertises.
    PrincipalAuthority verifier = new com.yahoo.athenz.auth.impl.PrincipalAuthority();
    verifier.setKeyStore(zms);
    Authority userAuthority = new com.yahoo.athenz.common.server.debug.DebugUserAuthority();
    String userId = "george";
    Principal caller = SimplePrincipal.create("user", userId, userId + ":password", 0, userAuthority);
    ((SimplePrincipal) caller).setUnsignedCreds(userId);
    ResourceContext callerCtx = createResourceContext(caller);
    // key id 0: also check the fixed token fields
    zms.privateKeyId = "0";
    zms.privateKey = Crypto.loadPrivateKey(Crypto.ybase64DecodeString(privKey));
    UserToken userToken = zms.getUserToken(callerCtx, userId, null, null);
    assertNotNull(userToken);
    String tokenValue = userToken.getToken();
    assertTrue(tokenValue.startsWith("v=U1;d=user;n=" + userId + ";"));
    assertTrue(tokenValue.contains(";h=localhost"));
    assertTrue(tokenValue.contains(";i=10.11.12.13"));
    assertTrue(tokenValue.contains(";k=0"));
    assertUserTokenSignatureVerifies(verifier, tokenValue);
    // key id 1
    zms.privateKeyId = "1";
    zms.privateKey = Crypto.loadPrivateKey(Crypto.ybase64DecodeString(privKeyK1));
    userToken = zms.getUserToken(callerCtx, userId, null, false);
    assertNotNull(userToken);
    tokenValue = userToken.getToken();
    assertTrue(tokenValue.contains("k=1"));
    assertUserTokenSignatureVerifies(verifier, tokenValue);
    // key id 2
    zms.privateKeyId = "2";
    zms.privateKey = Crypto.loadPrivateKey(Crypto.ybase64DecodeString(privKeyK2));
    userToken = zms.getUserToken(callerCtx, userId, null, null);
    assertNotNull(userToken);
    tokenValue = userToken.getToken();
    assertTrue(tokenValue.contains("k=2"));
    assertUserTokenSignatureVerifies(verifier, tokenValue);
}

/**
 * Authenticates {@code token} with {@code authority} and asserts that a
 * principal is produced, i.e. the token's signature validated.
 *
 * @param authority the authority (backed by the ZMS key store) doing the check
 * @param token the serialized user token under test
 */
private static void assertUserTokenSignatureVerifies(PrincipalAuthority authority, String token) {
    Principal verified = authority.authenticate(token, "10.11.12.13", "GET", null);
    assertNotNull(verified);
}
