
Example 1 with DynamicConfigBoolean

use of com.yahoo.athenz.common.server.util.config.dynamic.DynamicConfigBoolean in project athenz by yahoo.

From class ZMSImplTest, method testPolicyVersions:

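@Test
public void testPolicyVersions() {
    // End-to-end check of policy versioning: a policy with two inactive versions
    // is created, the active and inactive versions and their assertions are read
    // back, the audit record written for each put is inspected, and finally the
    // error paths (unknown version, admin policy, server in read-only mode) are
    // exercised. The ZMSImpl instance is private to this test, the read-only
    // switch is nevertheless restored so the cleanup at the end is unaffected.
    TestAuditLogger alogger = new TestAuditLogger();
    List<String> aLogMsgs = alogger.getLogMsgList();
    ZMSImpl zmsImpl = zmsTestInitializer.getZmsImpl(alogger);
    String domainName = "PolicyGetDom1";
    String policyName = "Policy1";
    // ZMS lower-cases resource names, so every expectation uses the lower-cased form
    String policyResource = "PolicyGetDom1:policy.Policy1".toLowerCase();
    String adminRoleResource = "PolicyGetDom1:role.Admin".toLowerCase();
    String testResource = domainName.toLowerCase() + ":resourcetest";
    String adminRoleName = ResourceUtils.roleResourceName(domainName.toLowerCase(), "admin");

    TopLevelDomain dom1 = zmsTestInitializer.createTopLevelDomainObject(domainName, "Test Domain1", "testOrg", zmsTestInitializer.getAdminUser());
    when(zmsTestInitializer.getMockDomRsrcCtx().getApiName()).thenReturn("posttopleveldomain").thenReturn("putpolicy");
    zmsImpl.postTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), zmsTestInitializer.getAuditRef(), dom1);
    Policy policy1 = createPolicyWithVersions(zmsImpl, domainName, policyName);

    // version "0" is the active one; New-Version1 and New-Version2 are inactive
    Policy policy = zmsImpl.getPolicy(zmsTestInitializer.getMockDomRsrcCtx(), domainName, policyName);
    assertNotNull(policy);
    assertEquals(policy.getName(), policyResource);
    assertEquals(policy.getVersion(), "0");
    assertTrue(policy.getActive());
    Policy policyVer1 = zmsImpl.getPolicyVersion(zmsTestInitializer.getMockDomRsrcCtx(), domainName, policyName, "New-Version1");
    assertNotNull(policyVer1);
    assertEquals(policyVer1.getName(), policyResource);
    assertEquals(policyVer1.getVersion(), "New-Version1".toLowerCase());
    assertFalse(policyVer1.getActive());
    Policy policyVer2 = zmsImpl.getPolicyVersion(zmsTestInitializer.getMockDomRsrcCtx(), domainName, policyName, "New-Version2");
    assertNotNull(policyVer2);
    assertEquals(policyVer2.getName(), policyResource);
    assertEquals(policyVer2.getVersion(), "New-Version2".toLowerCase());
    assertFalse(policyVer2.getActive());

    // active version: the admin assertion plus the "updatetest" assertion
    List<Assertion> assertList = policy.getAssertions();
    assertNotNull(assertList);
    assertEquals(assertList.size(), 2);
    assertPolicyVersionsAssertion(assertList.get(0), "*", AssertionEffect.ALLOW, "policygetdom1:*", adminRoleResource);
    assertPolicyVersionsAssertion(assertList.get(1), "updatetest", AssertionEffect.ALLOW, testResource, adminRoleName);

    // New-Version1: only the admin assertion
    assertList = policyVer1.getAssertions();
    assertNotNull(assertList);
    assertEquals(assertList.size(), 1);
    assertPolicyVersionsAssertion(assertList.get(0), "*", AssertionEffect.ALLOW, "policygetdom1:*", adminRoleResource);

    // New-Version2: both assertions; the second one is modified further below
    assertList = policyVer2.getAssertions();
    assertNotNull(assertList);
    assertEquals(assertList.size(), 2);
    assertPolicyVersionsAssertion(assertList.get(0), "*", AssertionEffect.ALLOW, "policygetdom1:*", adminRoleResource);
    Assertion obj = assertList.get(1);
    assertPolicyVersionsAssertion(obj, "updatetest", AssertionEffect.ALLOW, testResource, adminRoleName);

    // the initial put must have been audited with the added admin assertion
    assertPolicyVersionsAuditLog(aLogMsgs, "\"added-assertions\": [{\"role\": \"policygetdom1:role.admin\", \"action\": \"*\", \"effect\": \"ALLOW\", \"resource\": \"policygetdom1:*\"}]");

    // modify the assertion: audited as an add of the new assertion (and a delete of the old)
    obj.setAction("layup");
    obj.setEffect(AssertionEffect.DENY);
    List<Assertion> assertions = new ArrayList<>();
    assertions.add(obj);
    policy1.setAssertions(assertions);
    aLogMsgs.clear();
    zmsImpl.putPolicy(zmsTestInitializer.getMockDomRsrcCtx(), domainName, policyName, zmsTestInitializer.getAuditRef(), policy1);
    assertPolicyVersionsAuditLog(aLogMsgs, "\"added-assertions\": [{\"role\": \"policygetdom1:role.admin\", \"action\": \"layup\", \"effect\": \"DENY\", \"resource\": \"policygetdom1:resourcetest\"}]");

    // creating a new version copies the assertions, and the audit record says so
    aLogMsgs.clear();
    zmsImpl.putPolicyVersion(zmsTestInitializer.getMockDomRsrcCtx(), domainName, policyName, new PolicyOptions().setVersion("New-Version3"), zmsTestInitializer.getAuditRef());
    assertPolicyVersionsAuditLog(aLogMsgs, "\"copied-assertions\": [{\"role\": \"policygetdom1:role.admin\", \"action\": \"layup\", \"effect\": \"DENY\", \"resource\": \"policygetdom1:resourcetest\"}]");

    // an unknown version is reported as not found
    try {
        zmsImpl.getPolicyVersion(zmsTestInitializer.getMockDomRsrcCtx(), domainName, policyName, "unknownversion");
        fail();
    } catch (ResourceException ex) {
        assertTrue(ex.getMessage().contains(": Policy not found: 'policygetdom1:policy.policy1' with version: unknownversion\"}"));
    }

    // the admin policy cannot be versioned
    try {
        zmsImpl.putPolicyVersion(zmsTestInitializer.getMockDomRsrcCtx(), domainName, "admin", new PolicyOptions().setVersion("NewVersion"), zmsTestInitializer.getAuditRef());
        fail();
    } catch (ResourceException ex) {
        assertTrue(ex.getMessage().contains(": admin policy cannot be modified\"}"));
    }

    // no writes while the server is in read-only mode; the original switch is
    // put back afterwards so the domain cleanup below goes through
    DynamicConfigBoolean savedReadOnlyMode = zmsImpl.readOnlyMode;
    DynamicConfigBoolean readOnlyMode = Mockito.mock(DynamicConfigBoolean.class);
    when(readOnlyMode.get()).thenReturn(true);
    zmsImpl.readOnlyMode = readOnlyMode;
    try {
        zmsImpl.putPolicyVersion(zmsTestInitializer.getMockDomRsrcCtx(), domainName, policyName, new PolicyOptions().setVersion("New-Version4"), zmsTestInitializer.getAuditRef());
        fail();
    } catch (ResourceException ex) {
        assertEquals(ex.getMessage(), "ResourceException (400): {code: 400, message: \"Server in Maintenance Read-Only mode. Please try your request later\"}");
    } finally {
        zmsImpl.readOnlyMode = savedReadOnlyMode;
    }
    zmsImpl.deleteTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), domainName, zmsTestInitializer.getAuditRef());
}

/**
 * Checks the action, effect, resource and role of one policy assertion.
 *
 * @param obj      assertion returned by the server
 * @param action   expected action
 * @param effect   expected effect
 * @param resource expected (lower-cased) resource name
 * @param role     expected (lower-cased) role resource name
 */
private static void assertPolicyVersionsAssertion(Assertion obj, String action, AssertionEffect effect, String resource, String role) {
    assertEquals(obj.getAction(), action);
    assertEquals(obj.getEffect(), effect);
    assertEquals(obj.getResource(), resource);
    assertEquals(obj.getRole(), role);
}

/**
 * Locates the first putpolicy audit record in {@code logMsgs} and checks that it
 * carries the mock client address, has a WHAT-details section that contains
 * {@code expectedDetails}, and has no ERROR marker. Fails when no such record
 * exists, so a silent audit gap is never mistaken for success.
 *
 * @param logMsgs         audit lines captured by the test logger
 * @param expectedDetails payload fragment that must appear inside WHAT-details
 */
private static void assertPolicyVersionsAuditLog(List<String> logMsgs, String expectedDetails) {
    for (String msg : logMsgs) {
        if (!msg.contains("WHAT-api=(putpolicy)")) {
            continue;
        }
        assertTrue(msg.contains("CLIENT-IP=(" + ZMSTestInitializer.MOCKCLIENTADDR + ")"), msg);
        int detailsIndex = msg.indexOf("WHAT-details=(");
        assertTrue(detailsIndex != -1, msg);
        // indexOf returns -1 when absent, which also fails this comparison
        assertTrue(msg.indexOf(expectedDetails) > detailsIndex, msg);
        assertEquals(msg.indexOf("ERROR"), -1, msg);
        return;
    }
    fail("no putpolicy audit record among " + logMsgs.size() + " log lines");
}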

Example 2 with DynamicConfigBoolean

use of com.yahoo.athenz.common.server.util.config.dynamic.DynamicConfigBoolean in project athenz by yahoo.

From class ZMSImplTest, method testValidateRoleMemberPrincipals:

@Test
public void testValidateRoleMemberPrincipals() {
    // With both validation switches off, every member name is accepted. With the
    // user switch on, only users known to the test authority pass; a group member
    // is rejected when the third argument is true; an UNKNOWN principal type is
    // rejected regardless of the switches.
    DynamicConfigBoolean usersOff = Mockito.mock(DynamicConfigBoolean.class);
    when(usersOff.get()).thenReturn(false);
    zmsTestInitializer.getZms().validateUserRoleMembers = usersOff;
    DynamicConfigBoolean servicesOff = Mockito.mock(DynamicConfigBoolean.class);
    when(servicesOff.get()).thenReturn(false);
    zmsTestInitializer.getZms().validateServiceRoleMembers = servicesOff;

    // both switches off: a mix of valid and invalid names goes through
    List<RoleMember> members = new ArrayList<>();
    members.add(roleMemberPrincipal("user", Principal.Type.SERVICE));
    members.add(roleMemberPrincipal("user.john", Principal.Type.USER));
    members.add(roleMemberPrincipal("user.jane", Principal.Type.USER));
    members.add(roleMemberPrincipal("coretech.api", Principal.Type.SERVICE));
    members.add(roleMemberPrincipal("coretech.backend", Principal.Type.SERVICE));
    Role role = new Role().setRoleMembers(members);
    zmsTestInitializer.getZms().validateRoleMemberPrincipals(role, null, false, "unittest");

    // switch the user-authority check on
    zmsTestInitializer.getZms().userAuthority = new TestUserPrincipalAuthority();
    DynamicConfigBoolean usersOn = Mockito.mock(DynamicConfigBoolean.class);
    when(usersOn.get()).thenReturn(true);
    zmsTestInitializer.getZms().validateUserRoleMembers = usersOn;

    // only principals the test authority knows: accepted
    members = new ArrayList<>();
    members.add(roleMemberPrincipal("user.joe", Principal.Type.USER));
    members.add(roleMemberPrincipal("user.jane", Principal.Type.USER));
    role.setRoleMembers(members);
    zmsTestInitializer.getZms().validateRoleMemberPrincipals(role, null, false, "unittest");

    // one unknown user appended to the same list the role holds: rejected
    members.add(roleMemberPrincipal("user.john", Principal.Type.USER));
    assertRoleMemberPrincipalsRejected(role, false);

    // a group member with the third argument set: rejected
    members = new ArrayList<>();
    members.add(roleMemberPrincipal("user.joe", Principal.Type.USER));
    members.add(roleMemberPrincipal("user.jane", Principal.Type.USER));
    members.add(roleMemberPrincipal("coretech:group.dev-team", Principal.Type.GROUP));
    role.setRoleMembers(members);
    assertRoleMemberPrincipalsRejected(role, true);

    // UNKNOWN principal type: always rejected
    members = new ArrayList<>();
    members.add(roleMemberPrincipal("unknown", Principal.Type.UNKNOWN));
    role.setRoleMembers(members);
    assertRoleMemberPrincipalsRejected(role, false);
}

/** Builds a role member with the given name and principal type. */
private static RoleMember roleMemberPrincipal(String memberName, Principal.Type type) {
    return new RoleMember().setMemberName(memberName).setPrincipalType(type.getValue());
}

/**
 * Asserts that validateRoleMemberPrincipals rejects {@code role} with BAD_REQUEST.
 *
 * @param role       role whose members are validated
 * @param thirdArg   value passed straight through as the third argument
 *                   (true in the "no groups" case of this test)
 */
private void assertRoleMemberPrincipalsRejected(Role role, boolean thirdArg) {
    try {
        zmsTestInitializer.getZms().validateRoleMemberPrincipals(role, null, thirdArg, "unittest");
        fail();
    } catch (ResourceException ex) {
        assertEquals(ex.getCode(), ResourceException.BAD_REQUEST);
    }
}

Example 3 with DynamicConfigBoolean

use of com.yahoo.athenz.common.server.util.config.dynamic.DynamicConfigBoolean in project athenz by yahoo.

From class ZMSImplTest, method testPutMembership:

@Test
public void testPutMembership() {
    // Adds a user and then a service principal to a role, checks that each put is
    // audited with the member details and that the role ends up with four members,
    // then switches user validation on and checks that a user unknown to the test
    // authority is rejected while a known one is accepted.
    TestAuditLogger alogger = new TestAuditLogger();
    ZMSImpl zmsImpl = zmsTestInitializer.getZmsImpl(alogger);
    // the api name is read twice per domain call, hence the repeated values
    when(zmsTestInitializer.getMockDomRsrcCtx().getApiName()).thenReturn(
            "posttopleveldomain", "posttopleveldomain",
            "posttopleveldomain", "posttopleveldomain",
            "postsubdomain", "postsubdomain",
            "putrole", "putmembership");

    TopLevelDomain memberDomain = zmsTestInitializer.createTopLevelDomainObject("MbrAddDom1", "Test Domain1", "testOrg", "user.user1");
    zmsImpl.postTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), zmsTestInitializer.getAuditRef(), memberDomain);
    TopLevelDomain coretech = zmsTestInitializer.createTopLevelDomainObject("coretech", "Test Domain2", "testOrg", zmsTestInitializer.getAdminUser());
    zmsImpl.postTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), zmsTestInitializer.getAuditRef(), coretech);
    SubDomain storage = zmsTestInitializer.createSubDomainObject("storage", "coretech", "Test Domain2", "testOrg", zmsTestInitializer.getAdminUser());
    zmsImpl.postSubDomain(zmsTestInitializer.getMockDomRsrcCtx(), "coretech", zmsTestInitializer.getAuditRef(), storage);

    Role role1 = zmsTestInitializer.createRoleObject("MbrAddDom1", "Role1", null, "user.joe", "user.jane");
    zmsImpl.putRole(zmsTestInitializer.getMockDomRsrcCtx(), "MbrAddDom1", "Role1", zmsTestInitializer.getAuditRef(), role1);

    // first addition: a user principal
    Membership membership = zmsTestInitializer.generateMembership("Role1", "user.doe");
    zmsImpl.putMembership(zmsTestInitializer.getMockDomRsrcCtx(), "MbrAddDom1", "Role1", "user.doe", zmsTestInitializer.getAuditRef(), membership);
    List<String> aLogMsgs = alogger.getLogMsgList();
    System.err.println("testPutMembership: Number of lines: " + aLogMsgs.size());
    assertPutMembershipAudited(aLogMsgs, "{\"member\": \"user.doe\", \"approved\": true, \"system-disabled\": 0}");
    aLogMsgs.clear();

    // second addition: a service principal from the sub-domain
    membership = zmsTestInitializer.generateMembership("Role1", "coretech.storage");
    zmsImpl.putMembership(zmsTestInitializer.getMockDomRsrcCtx(), "MbrAddDom1", "Role1", "coretech.storage", zmsTestInitializer.getAuditRef(), membership);
    Role fetched = zmsImpl.getRole(zmsTestInitializer.getMockDomRsrcCtx(), "MbrAddDom1", "Role1", false, false, false);
    assertNotNull(fetched);
    List<RoleMember> members = fetched.getRoleMembers();
    assertNotNull(members);
    assertEquals(members.size(), 4);
    List<String> expectedMembers = new ArrayList<>();
    expectedMembers.add("user.joe");
    expectedMembers.add("user.jane");
    expectedMembers.add("user.doe");
    expectedMembers.add("coretech.storage");
    zmsTestInitializer.checkRoleMember(expectedMembers, members);
    System.err.println("testPutMembership: now Number of lines: " + aLogMsgs.size());
    assertPutMembershipAudited(aLogMsgs, "{\"member\": \"coretech.storage\", \"approved\": true, \"system-disabled\": 0}");

    // switch the user-authority check on for the rest of the test
    zmsImpl.userAuthority = new TestUserPrincipalAuthority();
    DynamicConfigBoolean validateUsers = Mockito.mock(DynamicConfigBoolean.class);
    when(validateUsers.get()).thenReturn(true);
    zmsImpl.validateUserRoleMembers = validateUsers;

    // a user the authority knows is accepted
    membership = zmsTestInitializer.generateMembership("role1", "user.joe");
    zmsImpl.putMembership(zmsTestInitializer.getMockDomRsrcCtx(), "MbrAddDom1", "role1", "user.joe", zmsTestInitializer.getAuditRef(), membership);

    // a user it does not know is rejected
    membership = zmsTestInitializer.generateMembership("role1", "user.john");
    try {
        zmsImpl.putMembership(zmsTestInitializer.getMockDomRsrcCtx(), "MbrAddDom1", "role1", "user.john", zmsTestInitializer.getAuditRef(), membership);
        fail();
    } catch (ResourceException ex) {
        assertEquals(ex.getCode(), ResourceException.BAD_REQUEST);
    }

    zmsImpl.deleteSubDomain(zmsTestInitializer.getMockDomRsrcCtx(), "coretech", "storage", zmsTestInitializer.getAuditRef());
    zmsImpl.deleteTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), "coretech", zmsTestInitializer.getAuditRef());
    zmsImpl.deleteTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), "MbrAddDom1", zmsTestInitializer.getAuditRef());
}

/**
 * Finds the first putmembership audit record in {@code logMsgs} and checks that
 * its WHAT-details section contains {@code expectedDetails}. Fails when there is
 * no putmembership record at all.
 *
 * @param logMsgs         audit lines captured by the test logger
 * @param expectedDetails member payload that must appear inside WHAT-details
 */
private static void assertPutMembershipAudited(List<String> logMsgs, String expectedDetails) {
    String record = null;
    for (String msg : logMsgs) {
        if (msg.contains("WHAT-api=(putmembership)")) {
            record = msg;
            break;
        }
    }
    assertNotNull(record, "no putmembership audit record found");
    int detailsIndex = record.indexOf("WHAT-details=(");
    assertTrue(detailsIndex != -1, record);
    assertTrue(record.indexOf(expectedDetails) > detailsIndex, record);
}

Example 4 with DynamicConfigBoolean

use of com.yahoo.athenz.common.server.util.config.dynamic.DynamicConfigBoolean in project athenz by yahoo.

From class ZMSImplTest, method testDeleteAssertionCondition:

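@Test
public void testDeleteAssertionCondition() {
    // Adds a condition to the single assertion of a new policy, checks that the
    // signed domain carries it (lower-cased), deletes it and checks that it is
    // gone, then checks the two rejection paths: server in read-only mode and
    // the admin policy. Both signed-domain scans assert that the policy was
    // actually visited, so a missing policy cannot make the test pass vacuously.
    String domainName = "delete-assertion-condition";
    String roleName = "role1";
    String polName = "pol1";
    String policyResource = domainName + ":policy." + polName;

    TopLevelDomain dom1 = zmsTestInitializer.createTopLevelDomainObject(domainName, "Test Domain1", "testOrg", zmsTestInitializer.getAdminUser());
    zmsTestInitializer.getZms().postTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), zmsTestInitializer.getAuditRef(), dom1);
    Role role = zmsTestInitializer.createRoleObject(domainName, roleName, null, "user.john", "user.jane");
    Policy pol = zmsTestInitializer.createPolicyObject(domainName, polName, roleName, "action1", domainName + ":resource1", AssertionEffect.ALLOW);
    zmsTestInitializer.getZms().putRole(zmsTestInitializer.getMockDomRsrcCtx(), domainName, roleName, zmsTestInitializer.getAuditRef(), role);
    zmsTestInitializer.getZms().putPolicy(zmsTestInitializer.getMockDomRsrcCtx(), domainName, polName, zmsTestInitializer.getAuditRef(), pol);
    Policy policyResp = zmsTestInitializer.getZms().getPolicy(zmsTestInitializer.getMockDomRsrcCtx(), domainName, polName);
    Long assertionId = policyResp.getAssertions().get(0).getId();

    AssertionCondition ac1 = createAssertionConditionObject(1, "instances", "HOST1,host2,Host3");
    // the server assigns the id on insert
    ac1.setId(null);
    ac1.getConditionsMap().put("enforcementState", new AssertionConditionData().setValue("ENFORCE").setOperator(AssertionConditionOperator.EQUALS));
    zmsTestInitializer.getZms().putAssertionCondition(zmsTestInitializer.getMockDomRsrcCtx(), domainName, polName, assertionId, zmsTestInitializer.getAuditRef(), ac1);

    // what the signed domain is expected to carry: keys and values lower-cased by ZMS
    AssertionCondition conditionResp = new AssertionCondition().setId(1).setConditionsMap(new HashMap<>());
    conditionResp.getConditionsMap().put("instances", new AssertionConditionData().setOperator(AssertionConditionOperator.EQUALS).setValue("host1,host2,host3"));
    conditionResp.getConditionsMap().put("enforcementstate", new AssertionConditionData().setOperator(AssertionConditionOperator.EQUALS).setValue("enforce"));

    // the condition must be present before the delete
    Response response = zmsTestInitializer.getZms().getSignedDomains(zmsTestInitializer.getMockDomRsrcCtx(), domainName, "false", null, true, true, null);
    SignedDomains sdoms = (SignedDomains) response.getEntity();
    boolean policyChecked = false;
    for (Policy policy : sdoms.getDomains().get(0).getDomain().getPolicies().getContents().getPolicies()) {
        if (!policyResource.equals(policy.getName())) {
            continue;
        }
        AssertionConditions conditionsResp = policy.getAssertions().get(0).getConditions();
        assertNotNull(conditionsResp);
        assertThat(conditionsResp.getConditionsList(), CoreMatchers.hasItems(conditionResp));
        policyChecked = true;
    }
    assertTrue(policyChecked, "policy " + policyResource + " not present in signed domain");

    // delete the condition and confirm it is gone
    zmsTestInitializer.getZms().deleteAssertionCondition(zmsTestInitializer.getMockDomRsrcCtx(), domainName, polName, assertionId, 1, zmsTestInitializer.getAuditRef());
    response = zmsTestInitializer.getZms().getSignedDomains(zmsTestInitializer.getMockDomRsrcCtx(), domainName, "false", null, true, true, null);
    sdoms = (SignedDomains) response.getEntity();
    policyChecked = false;
    for (Policy policy : sdoms.getDomains().get(0).getDomain().getPolicies().getContents().getPolicies()) {
        if (!policyResource.equals(policy.getName())) {
            continue;
        }
        assertNull(policy.getAssertions().get(0).getConditions());
        policyChecked = true;
    }
    assertTrue(policyChecked, "policy " + policyResource + " not present in signed domain after delete");

    // no deletes while the server is in read-only mode; the original switch is
    // restored afterwards because the ZMSImpl instance is shared across tests
    DynamicConfigBoolean savedReadOnlyMode = zmsTestInitializer.getZms().readOnlyMode;
    DynamicConfigBoolean readOnlyMode = Mockito.mock(DynamicConfigBoolean.class);
    when(readOnlyMode.get()).thenReturn(true);
    zmsTestInitializer.getZms().readOnlyMode = readOnlyMode;
    try {
        zmsTestInitializer.getZms().deleteAssertionCondition(zmsTestInitializer.getMockDomRsrcCtx(), domainName, polName, assertionId, 1, zmsTestInitializer.getAuditRef());
        fail();
    } catch (ResourceException re) {
        assertEquals(re.getCode(), ResourceException.BAD_REQUEST);
    } finally {
        zmsTestInitializer.getZms().readOnlyMode = savedReadOnlyMode;
    }

    // the admin policy cannot be modified
    try {
        zmsTestInitializer.getZms().deleteAssertionCondition(zmsTestInitializer.getMockDomRsrcCtx(), domainName, "admin", assertionId, 1, zmsTestInitializer.getAuditRef());
        fail();
    } catch (ResourceException re) {
        assertEquals(re.getCode(), ResourceException.BAD_REQUEST);
    }
    zmsTestInitializer.getZms().deleteTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), domainName, zmsTestInitializer.getAuditRef());
}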

Example 5 with DynamicConfigBoolean

use of com.yahoo.athenz.common.server.util.config.dynamic.DynamicConfigBoolean in project athenz by yahoo.

From class ZMSImplTest, method testPutMembershipDecisionAuditEnabledRoleInvalidUser:

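@Test
public void testPutMembershipDecisionAuditEnabledRoleInvalidUser() {
    // In an audit-enabled domain and role, approving a pending member is subject
    // to the user-authority check (joe passes, bob does not), while rejecting a
    // pending member is not. The validateUserRoleMembers switch is restored at
    // the end because the ZMSImpl instance is shared across tests.
    TopLevelDomain dom1 = zmsTestInitializer.createTopLevelDomainObject("testdomain1", "Approval Test Domain1", "testOrg", "user.user1");
    zmsTestInitializer.getZms().postTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), zmsTestInitializer.getAuditRef(), dom1);
    DomainMeta meta = zmsTestInitializer.createDomainMetaObject("Domain Meta for approval test", "testOrg", true, true, "12345", 1001);
    zmsTestInitializer.getZms().putDomainMeta(zmsTestInitializer.getMockDomRsrcCtx(), "testdomain1", zmsTestInitializer.getAuditRef(), meta);
    zmsTestInitializer.getZms().putDomainSystemMeta(zmsTestInitializer.getMockDomRsrcCtx(), "testdomain1", "auditenabled", zmsTestInitializer.getAuditRef(), meta);

    Role auditedRole = zmsTestInitializer.createRoleObject("testdomain1", "testrole1", null, "user.john", "user.jane");
    zmsTestInitializer.getZms().putRole(zmsTestInitializer.getMockDomRsrcCtx(), "testdomain1", "testrole1", zmsTestInitializer.getAuditRef(), auditedRole);
    RoleSystemMeta rsm = createRoleSystemMetaObject(true);
    zmsTestInitializer.getZms().putRoleSystemMeta(zmsTestInitializer.getMockDomRsrcCtx(), "testdomain1", "testrole1", "auditenabled", zmsTestInitializer.getAuditRef(), rsm);

    // two pending (inactive, unapproved) memberships awaiting a decision
    Membership mbr = new Membership();
    mbr.setMemberName("user.joe");
    mbr.setActive(false);
    mbr.setApproved(false);
    zmsTestInitializer.getZms().putMembership(zmsTestInitializer.getMockDomRsrcCtx(), "testdomain1", "testrole1", "user.joe", zmsTestInitializer.getAuditRef(), mbr);
    mbr = new Membership();
    mbr.setMemberName("user.bob");
    mbr.setActive(false);
    mbr.setApproved(false);
    zmsTestInitializer.getZms().putMembership(zmsTestInitializer.getMockDomRsrcCtx(), "testdomain1", "testrole1", "user.bob", zmsTestInitializer.getAuditRef(), mbr);

    // the decisions are made by user.fury, set up as audit approver for testOrg
    setupPrincipalAuditedRoleApprovalByOrg(zmsTestInitializer.getZms(), "user.fury", "testOrg");
    Authority auditAdminPrincipalAuthority = new com.yahoo.athenz.common.server.debug.DebugPrincipalAuthority();
    String auditAdminUnsignedCreds = "v=U1;d=user;n=fury";
    final Principal rsrcAuditAdminPrince = SimplePrincipal.create("user", "fury", auditAdminUnsignedCreds + ";s=signature", 0, auditAdminPrincipalAuthority);
    assertNotNull(rsrcAuditAdminPrince);
    ((SimplePrincipal) rsrcAuditAdminPrince).setUnsignedCreds(auditAdminUnsignedCreds);
    when(zmsTestInitializer.getMockDomRsrcCtx().principal()).thenReturn(rsrcAuditAdminPrince);

    // enable the user-authority check; joe and jane are the only users the test
    // authority knows about
    zmsTestInitializer.getZms().userAuthority = new TestUserPrincipalAuthority();
    DynamicConfigBoolean savedValidateUserRoleMembers = zmsTestInitializer.getZms().validateUserRoleMembers;
    DynamicConfigBoolean validateUsers = Mockito.mock(DynamicConfigBoolean.class);
    when(validateUsers.get()).thenReturn(true);
    zmsTestInitializer.getZms().validateUserRoleMembers = validateUsers;
    try {
        // approving joe is fine: the authority knows him
        mbr = new Membership();
        mbr.setMemberName("user.joe");
        mbr.setActive(true);
        mbr.setApproved(true);
        zmsTestInitializer.getZms().putMembershipDecision(zmsTestInitializer.getMockDomRsrcCtx(), "testdomain1", "testrole1", "user.joe", zmsTestInitializer.getAuditRef(), mbr);

        // approving bob is rejected: the authority does not know him
        mbr.setMemberName("user.bob");
        try {
            zmsTestInitializer.getZms().putMembershipDecision(zmsTestInitializer.getMockDomRsrcCtx(), "testdomain1", "testrole1", "user.bob", zmsTestInitializer.getAuditRef(), mbr);
            fail();
        } catch (ResourceException ex) {
            assertEquals(ex.getCode(), ResourceException.BAD_REQUEST);
        }

        // rejecting bob works: users are not validated when a pending member is
        // rejected, which simply removes the member
        mbr.setActive(false);
        mbr.setApproved(false);
        zmsTestInitializer.getZms().putMembershipDecision(zmsTestInitializer.getMockDomRsrcCtx(), "testdomain1", "testrole1", "user.bob", zmsTestInitializer.getAuditRef(), mbr);
    } finally {
        zmsTestInitializer.getZms().validateUserRoleMembers = savedValidateUserRoleMembers;
    }

    cleanupPrincipalAuditedRoleApprovalByOrg(zmsTestInitializer.getZms(), "testOrg");
    zmsTestInitializer.getZms().deleteTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), "testdomain1", zmsTestInitializer.getAuditRef());
}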

