
Example 11 with DynamicConfigBoolean

Use of com.yahoo.athenz.common.server.util.config.dynamic.DynamicConfigBoolean in the project athenz by yahoo.

Class ZMSImplTest, method testDeletePolicyVersion.

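@Test
public void testDeletePolicyVersion() {
    // capture the audit log so the deletepolicyversion entry can be inspected
    TestAuditLogger alogger = new TestAuditLogger();
    List<String> aLogMsgs = alogger.getLogMsgList();
    ZMSImpl zmsImpl = zmsTestInitializer.getZmsImpl(alogger);
    final String domainName = "PolicyGetDom1";
    final String policyName = "Policy1";
    TopLevelDomain dom1 = zmsTestInitializer.createTopLevelDomainObject(domainName, "Test Domain1", "testOrg", zmsTestInitializer.getAdminUser());
    // one api name is consumed per request, so the stubs must follow the order of the calls below
    when(zmsTestInitializer.getMockDomRsrcCtx().getApiName()).thenReturn("posttopleveldomain").thenReturn("putpolicy").thenReturn("putpolicyversion").thenReturn("putassertion").thenReturn("putpolicyversion").thenReturn("deletepolicyversion");
    zmsImpl.postTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), zmsTestInitializer.getAuditRef(), dom1);
    createPolicyWithVersions(zmsImpl, domainName, policyName);

    // delete the non-active policy version and verify the audit entry written for it
    aLogMsgs.clear();
    zmsImpl.deletePolicyVersion(zmsTestInitializer.getMockDomRsrcCtx(), domainName, policyName, "New-Version1", zmsTestInitializer.getAuditRef());
    verifyDeletePolicyVersionAuditLog(aLogMsgs);

    // fetching the policy must still return the active version "0" with both assertions intact
    Policy newActivePolicy = zmsImpl.getPolicy(zmsTestInitializer.getMockDomRsrcCtx(), domainName, policyName);
    assertTrue(newActivePolicy.getActive());
    assertEquals(newActivePolicy.getVersion(), "0");
    assertEquals(newActivePolicy.getName(), "policygetdom1:policy.policy1");
    List<Assertion> assertList = newActivePolicy.getAssertions();
    assertNotNull(assertList);
    assertEquals(assertList.size(), 2);
    Assertion obj = assertList.get(0);
    assertEquals(obj.getAction(), "*");
    assertEquals(obj.getEffect(), AssertionEffect.ALLOW);
    assertEquals(obj.getResource(), "policygetdom1:*");
    assertEquals(obj.getRole(), "PolicyGetDom1:role.Admin".toLowerCase());
    obj = assertList.get(1);
    assertEquals(obj.getAction(), "updatetest");
    assertEquals(obj.getEffect(), AssertionEffect.ALLOW);
    assertEquals(obj.getResource(), domainName.toLowerCase() + ":resourcetest");
    assertEquals(obj.getRole(), ResourceUtils.roleResourceName(domainName.toLowerCase(), "admin"));

    // the deleted version can no longer be made the active one
    try {
        zmsImpl.setActivePolicyVersion(zmsTestInitializer.getMockDomRsrcCtx(), domainName, policyName, new PolicyOptions().setVersion("New-Version1"), zmsTestInitializer.getAuditRef());
        fail();
    } catch (ResourceException ex) {
        assertEquals(ex.getMessage(), "ResourceException (404): {code: 404, message: \"unknown policy version: new-version1\"}");
    }
    // deleting the same version a second time is reported as not found
    try {
        zmsImpl.deletePolicyVersion(zmsTestInitializer.getMockDomRsrcCtx(), domainName, policyName, "New-Version1", zmsTestInitializer.getAuditRef());
        fail();
    } catch (ResourceException ex) {
        assertEquals(ex.getMessage(), "ResourceException (404): {code: 404, message: \"deletepolicyversion: unable to read policy: policy1, version: new-version1\"}");
    }
    // the active version is protected and must be rejected with a 400
    try {
        zmsImpl.deletePolicyVersion(zmsTestInitializer.getMockDomRsrcCtx(), domainName, policyName, "0", zmsTestInitializer.getAuditRef());
        fail();
    } catch (ResourceException ex) {
        assertEquals(ex.getMessage(), "ResourceException (400): {code: 400, message: \"deletepolicyversion: unable to delete active policy version. Policy: policy1, version: 0\"}");
    }
    // none of the rejected requests may have changed the active version
    newActivePolicy = zmsImpl.getPolicy(zmsTestInitializer.getMockDomRsrcCtx(), domainName, policyName);
    assertTrue(newActivePolicy.getActive());
    assertEquals(newActivePolicy.getVersion(), "0");
    assertEquals(newActivePolicy.getName(), "policygetdom1:policy.policy1");

    // writes are refused while the server is in read-only mode. The mock reports
    // read-only for the first check only and false afterwards, so just this one
    // delete is rejected and the remaining calls in this test go through.
    // zmsImpl is obtained per test via getZmsImpl(alogger), so no restore is done here.
    DynamicConfigBoolean dynamicConfigBoolean = Mockito.mock(DynamicConfigBoolean.class);
    when(dynamicConfigBoolean.get()).thenReturn(true).thenReturn(false);
    zmsImpl.readOnlyMode = dynamicConfigBoolean;
    try {
        zmsImpl.deletePolicyVersion(zmsTestInitializer.getMockDomRsrcCtx(), domainName, policyName, "New-Version2", zmsTestInitializer.getAuditRef());
        fail();
    } catch (ResourceException ex) {
        assertEquals(ex.getMessage(), "ResourceException (400): {code: 400, message: \"Server in Maintenance Read-Only mode. Please try your request later\"}");
    }
    // versions of the domain's admin policy can never be deleted
    try {
        zmsImpl.deletePolicyVersion(zmsTestInitializer.getMockDomRsrcCtx(), domainName, "admin", "0", zmsTestInitializer.getAuditRef());
        fail();
    } catch (ResourceException ex) {
        assertEquals(ex.getMessage(), "ResourceException (400): {code: 400, message: \"deletepolicyversion: admin policy version cannot be deleted\"}");
    }

    // deleting the policy itself removes every version, including the already deleted one
    zmsImpl.deletePolicy(zmsTestInitializer.getMockDomRsrcCtx(), domainName, policyName, zmsTestInitializer.getAuditRef());
    for (String version : Arrays.asList("0", "New-Version1", "New-Version2")) {
        try {
            zmsImpl.getPolicyVersion(zmsTestInitializer.getMockDomRsrcCtx(), domainName, policyName, version);
            fail();
        } catch (ResourceException ex) {
            assertTrue(ex.getMessage().contains("Policy not found: 'policygetdom1:policy.policy1' with version: " + version.toLowerCase() + "\"}"));
        }
    }
    try {
        zmsImpl.getPolicy(zmsTestInitializer.getMockDomRsrcCtx(), domainName, policyName);
        fail();
    } catch (ResourceException ex) {
        assertTrue(ex.getMessage().contains(": Policy not found: 'policygetdom1:policy.policy1'\"}"));
    }
    zmsImpl.deleteTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), domainName, zmsTestInitializer.getAuditRef());
}

// Asserts that the captured audit log holds a deletepolicyversion entry that records the
// client IP and whose WHAT-details lists the deleted version followed by the deleted
// assertions, with no ERROR marker. Only the first matching entry is examined.
private void verifyDeletePolicyVersionAuditLog(List<String> aLogMsgs) {
    boolean foundAuditEntry = false;
    for (String msg : aLogMsgs) {
        if (!msg.contains("WHAT-api=(deletepolicyversion)")) {
            continue;
        }
        assertTrue(msg.contains("CLIENT-IP=(" + ZMSTestInitializer.MOCKCLIENTADDR + ")"), msg);
        int detailsIndex = msg.indexOf("WHAT-details=(");
        assertTrue(detailsIndex != -1, msg);
        // both markers must be present and appear in order inside the details block;
        // a missing marker yields -1 and fails the ordering checks
        int versionIndex = msg.indexOf("{\"name\": \"policygetdom1:policy.policy1\", \"version\": \"new-version1\", \"active\": \"false\", \"modified\": ");
        int assertionsIndex = msg.indexOf(", \"deleted-assertions\": [{\"role\": \"policygetdom1:role.admin\", \"action\": \"*\", \"effect\": \"ALLOW\", \"resource\": \"policygetdom1:*\"}]");
        assertTrue(detailsIndex < versionIndex, msg);
        assertTrue(versionIndex < assertionsIndex, msg);
        assertEquals(msg.indexOf("ERROR"), -1, msg);
        foundAuditEntry = true;
        break;
    }
    assertTrue(foundAuditEntry, "no deletepolicyversion audit entry found");
}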

Example 12 with DynamicConfigBoolean

Use of com.yahoo.athenz.common.server.util.config.dynamic.DynamicConfigBoolean in the project athenz by yahoo.

Class ZMSImplTest, method testValidatePolicyAssertionRoleNames.

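@Test
public void testValidatePolicyAssertionRoleNames() {
    final String domainName = "validate-policy-assertion-role";
    final String roleName = "dev-role";
    ZMSImpl zms = zmsTestInitializer.getZms();
    TopLevelDomain dom1 = zmsTestInitializer.createTopLevelDomainObject(domainName, "Test Domain1", "testOrg", zmsTestInitializer.getAdminUser());
    zms.postTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), zmsTestInitializer.getAuditRef(), dom1);

    // the assertion references a role that was never created in the domain
    Assertion assertion = new Assertion();
    assertion.setAction("update");
    assertion.setEffect(AssertionEffect.ALLOW);
    assertion.setResource("domain1:resource1");
    assertion.setRole(ResourceUtils.roleResourceName(domainName, roleName));

    // the feature flag lives on the ZMSImpl instance returned by getZms(), which is
    // reused across tests: restore it in finally so a failing assertion cannot leak
    // the modified flag into other tests
    DynamicConfigBoolean currentValue = zms.validatePolicyAssertionRoles;
    try {
        // with feature enabled the request is rejected because there is no role
        zms.validatePolicyAssertionRoles = new DynamicConfigBoolean(true);
        try {
            zms.validatePolicyAssertion(assertion, domainName, new HashSet<>(), "unitTest");
            fail();
        } catch (ResourceException ex) {
            assertEquals(ex.getCode(), 400);
        }
        // now disable the feature and we should be able to process the assertion
        zms.validatePolicyAssertionRoles = new DynamicConfigBoolean(false);
        try {
            zms.validatePolicyAssertion(assertion, domainName, new HashSet<>(), "unitTest");
        } catch (ResourceException ex) {
            fail(ex.getMessage());
        }
    } finally {
        zms.validatePolicyAssertionRoles = currentValue;
    }
    zms.deleteTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), domainName, zmsTestInitializer.getAuditRef());
}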

Example 13 with DynamicConfigBoolean

Use of com.yahoo.athenz.common.server.util.config.dynamic.DynamicConfigBoolean in the project athenz by yahoo.

Class ZMSImplTest, method testDeleteAssertionConditions.

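@Test
public void testDeleteAssertionConditions() {
    final String domainName = "delete-assertion-conditions";
    final String roleName = "role1";
    final String polName = "pol1";
    final String policyFullName = domainName + ":policy." + polName;
    ZMSImpl zms = zmsTestInitializer.getZms();
    TopLevelDomain dom1 = zmsTestInitializer.createTopLevelDomainObject(domainName, "Test Domain1", "testOrg", zmsTestInitializer.getAdminUser());
    zms.postTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), zmsTestInitializer.getAuditRef(), dom1);
    Role role = zmsTestInitializer.createRoleObject(domainName, roleName, null, "user.john", "user.jane");
    Policy pol = zmsTestInitializer.createPolicyObject(domainName, polName, roleName, "action1", domainName + ":resource1", AssertionEffect.ALLOW);
    zms.putRole(zmsTestInitializer.getMockDomRsrcCtx(), domainName, roleName, zmsTestInitializer.getAuditRef(), role);
    zms.putPolicy(zmsTestInitializer.getMockDomRsrcCtx(), domainName, polName, zmsTestInitializer.getAuditRef(), pol);
    Policy policyResp = zms.getPolicy(zmsTestInitializer.getMockDomRsrcCtx(), domainName, polName);

    // attach two conditions to the policy's only assertion; keys and values use mixed
    // case on purpose because zms lowercases them on the way in
    AssertionConditions acs = new AssertionConditions().setConditionsList(new ArrayList<>());
    AssertionCondition ac1 = createAssertionConditionObject(1, "instances", "HOST1,host2,Host3");
    ac1.getConditionsMap().put("enforcementState", new AssertionConditionData().setValue("ENFORCE").setOperator(AssertionConditionOperator.EQUALS));
    acs.getConditionsList().add(ac1);
    AssertionCondition ac2 = createAssertionConditionObject(2, "instances", "HOST21,host22");
    ac2.getConditionsMap().put("enforcementState", new AssertionConditionData().setValue("REPORT").setOperator(AssertionConditionOperator.EQUALS));
    acs.getConditionsList().add(ac2);
    zms.putAssertionConditions(zmsTestInitializer.getMockDomRsrcCtx(), domainName, polName, policyResp.getAssertions().get(0).getId(), zmsTestInitializer.getAuditRef(), acs);

    // expected shape of the first condition once zms has lowercased it
    AssertionCondition conditionResp = new AssertionCondition().setId(1).setConditionsMap(new HashMap<>());
    conditionResp.getConditionsMap().put("instances", new AssertionConditionData().setOperator(AssertionConditionOperator.EQUALS).setValue("host1,host2,host3"));
    conditionResp.getConditionsMap().put("enforcementstate", new AssertionConditionData().setOperator(AssertionConditionOperator.EQUALS).setValue("enforce"));

    // make sure assertion conditions are present first; fail if the policy itself
    // is missing from the signed domain instead of silently skipping the checks
    Response response = zms.getSignedDomains(zmsTestInitializer.getMockDomRsrcCtx(), domainName, "false", null, true, true, null);
    SignedDomains sdoms = (SignedDomains) response.getEntity();
    Policy signedPolicy = null;
    for (Policy policy : sdoms.getDomains().get(0).getDomain().getPolicies().getContents().getPolicies()) {
        if (policyFullName.equals(policy.getName())) {
            signedPolicy = policy;
        }
    }
    assertNotNull(signedPolicy, "policy " + policyFullName + " not found in signed domain");
    AssertionConditions conditionsResp = signedPolicy.getAssertions().get(0).getConditions();
    assertNotNull(conditionsResp);
    assertThat(conditionsResp.getConditionsList(), CoreMatchers.hasItems(conditionResp));

    // now delete all conditions and verify the signed domain no longer carries any
    zms.deleteAssertionConditions(zmsTestInitializer.getMockDomRsrcCtx(), domainName, polName, policyResp.getAssertions().get(0).getId(), zmsTestInitializer.getAuditRef());
    response = zms.getSignedDomains(zmsTestInitializer.getMockDomRsrcCtx(), domainName, "false", null, true, true, null);
    sdoms = (SignedDomains) response.getEntity();
    signedPolicy = null;
    for (Policy policy : sdoms.getDomains().get(0).getDomain().getPolicies().getContents().getPolicies()) {
        if (policyFullName.equals(policy.getName())) {
            signedPolicy = policy;
        }
    }
    assertNotNull(signedPolicy, "policy " + policyFullName + " not found in signed domain");
    assertNull(signedPolicy.getAssertions().get(0).getConditions());

    // the delete is refused while the server reports read-only mode; the mock returns
    // true for the first check only, so the admin-policy call below is not affected by it.
    // The ZMSImpl from getZms() is reused across tests, so the real setting is restored in finally.
    DynamicConfigBoolean savedReadOnlyMode = zms.readOnlyMode;
    DynamicConfigBoolean dynamicConfigBoolean = Mockito.mock(DynamicConfigBoolean.class);
    when(dynamicConfigBoolean.get()).thenReturn(true).thenReturn(false);
    zms.readOnlyMode = dynamicConfigBoolean;
    try {
        try {
            zms.deleteAssertionConditions(zmsTestInitializer.getMockDomRsrcCtx(), domainName, polName, policyResp.getAssertions().get(0).getId(), zmsTestInitializer.getAuditRef());
            fail();
        } catch (ResourceException re) {
            assertEquals(re.getCode(), ResourceException.BAD_REQUEST);
        }
        // conditions on the domain's admin policy cannot be deleted
        try {
            zms.deleteAssertionConditions(zmsTestInitializer.getMockDomRsrcCtx(), domainName, "admin", policyResp.getAssertions().get(0).getId(), zmsTestInitializer.getAuditRef());
            fail();
        } catch (ResourceException re) {
            assertEquals(re.getCode(), ResourceException.BAD_REQUEST);
        }
    } finally {
        zms.readOnlyMode = savedReadOnlyMode;
    }
    zms.deleteTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), domainName, zmsTestInitializer.getAuditRef());
}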

Example 14 with DynamicConfigBoolean

Use of com.yahoo.athenz.common.server.util.config.dynamic.DynamicConfigBoolean in the project athenz by yahoo.

Class ZTSImpl, method loadConfigurationSettings.

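// Loads every ZTS server setting from system properties into the corresponding
// fields. The settings are read in groups of related values; each group only
// reads System properties (plus CONFIG_MANAGER for the dynamic values) and
// assigns fields, so the groups do not depend on each other.
void loadConfigurationSettings() {
    loadServerPortSettings();
    loadTokenTimeoutSettings();
    loadUserDomainSettings();
    loadAuthFreeUriSettings();
    loadCertRequestSettings();
    loadIssuerAndMiscSettings();
}

// Transport security, listener ports, status endpoint and request-handling flags.
private void loadServerPortSettings() {
    // make sure all requests run in secure mode (on unless explicitly disabled)
    secureRequestsOnly = Boolean.parseBoolean(System.getProperty(ZTSConsts.ZTS_PROP_SECURE_REQUESTS_ONLY, "true"));
    // retrieve the regular and status ports; the status port defaults to 0
    httpPort = ConfigProperties.getPortNumber(ZTSConsts.ZTS_PROP_HTTP_PORT, ZTSConsts.ZTS_HTTP_PORT_DEFAULT);
    httpsPort = ConfigProperties.getPortNumber(ZTSConsts.ZTS_PROP_HTTPS_PORT, ZTSConsts.ZTS_HTTPS_PORT_DEFAULT);
    statusPort = ConfigProperties.getPortNumber(ZTSConsts.ZTS_PROP_STATUS_PORT, 0);
    successServerStatus = new Status().setCode(ResourceException.OK).setMessage("OK");
    statusCertSigner = Boolean.parseBoolean(System.getProperty(ZTSConsts.ZTS_PROP_STATUS_CERT_SIGNER, "false"));
    // check to see if we want to disable allowing clients to ask for role
    // tokens without role name thus violating the least privilege principle
    // (off by default)
    leastPrivilegePrincipal = Boolean.parseBoolean(System.getProperty(ZTSConsts.ZTS_PROP_LEAST_PRIVILEGE_PRINCIPLE, "false"));
    // check to see if we need to include the complete role token flag
    includeRoleCompleteFlag = Boolean.parseBoolean(System.getProperty(ZTSConsts.ZTS_PROP_ROLE_COMPLETE_FLAG, "true"));
    // check if we need to run in maintenance read only mode; read through
    // CONFIG_MANAGER as a dynamic value, off by default
    readOnlyMode = new DynamicConfigBoolean(CONFIG_MANAGER, ZTSConsts.ZTS_PROP_READ_ONLY_MODE, false);
}

// Token lifetimes. Every property is given in seconds; signedPolicyTimeout is
// converted to milliseconds because that is the unit the field holds.
private void loadTokenTimeoutSettings() {
    // Default Role Token timeout is 2 hours. If the client asks for role tokens
    // with a min expiry time of 1 hour, the setting of 2 hours allows the client
    // to at least cache the tokens for 1 hour. We're going to set the ZTS client's
    // min default value to 15 mins so that we can by default cache tokens for
    // an hour and 45 minutes.
    roleTokenDefaultTimeout = Integer.parseInt(System.getProperty(ZTSConsts.ZTS_PROP_ROLE_TOKEN_DEFAULT_TIMEOUT, Long.toString(TimeUnit.HOURS.toSeconds(2))));
    // Max Timeout - 30 days
    roleTokenMaxTimeout = Integer.parseInt(System.getProperty(ZTSConsts.ZTS_PROP_ROLE_TOKEN_MAX_TIMEOUT, Long.toString(TimeUnit.DAYS.toSeconds(30))));
    // default (1hr) and max (12hrs) id token timeouts
    idTokenMaxTimeout = Integer.parseInt(System.getProperty(ZTSConsts.ZTS_PROP_ID_TOKEN_MAX_TIMEOUT, Long.toString(TimeUnit.HOURS.toSeconds(12))));
    idTokenDefaultTimeout = Integer.parseInt(System.getProperty(ZTSConsts.ZTS_PROP_ID_TOKEN_DEFAULT_TIMEOUT, Long.toString(TimeUnit.HOURS.toSeconds(1))));
    // signedPolicyTimeout is in milliseconds but the config setting should be in seconds
    // to be consistent with other configuration properties (default 7 days)
    signedPolicyTimeout = 1000 * Long.parseLong(System.getProperty(ZTSConsts.ZTS_PROP_SIGNED_POLICY_TIMEOUT, Long.toString(TimeUnit.DAYS.toSeconds(7))));
    // default token timeout for issued service tokens (default 1 day)
    svcTokenTimeout = Integer.parseInt(System.getProperty(ZTSConsts.ZTS_PROP_INSTANCE_NTOKEN_TIMEOUT, Long.toString(TimeUnit.DAYS.toSeconds(1))));
}

// User domain naming and the principals that are allowed to act as proxies.
private void loadUserDomainSettings() {
    // retrieve the list of our authorized proxy users (comma separated, entries are not trimmed)
    final String authorizedProxyUserList = System.getProperty(ZTSConsts.ZTS_PROP_AUTHORIZED_PROXY_USERS);
    if (authorizedProxyUserList != null) {
        authorizedProxyUsers = new HashSet<>(Arrays.asList(authorizedProxyUserList.split(",")));
    }
    userDomain = System.getProperty(PROP_USER_DOMAIN, ZTSConsts.ATHENZ_USER_DOMAIN);
    userDomainPrefix = userDomain + ".";
    // the alias prefix is only derived when an alias is configured
    userDomainAlias = System.getProperty(ZTSConsts.ZTS_PROP_USER_DOMAIN_ALIAS);
    if (userDomainAlias != null) {
        userDomainAliasPrefix = userDomainAlias + ".";
    }
}

// URIs that may be accessed without authentication. An entry containing '+'
// is compiled as a regular expression; any other entry is an exact match.
private void loadAuthFreeUriSettings() {
    final String uriList = System.getProperty(ZTSConsts.ZTS_PROP_NOAUTH_URI_LIST);
    if (uriList == null) {
        return;
    }
    authFreeUriSet = new HashSet<>();
    authFreeUriList = new ArrayList<>();
    for (String uri : uriList.split(",")) {
        if (uri.indexOf('+') != -1) {
            authFreeUriList.add(Pattern.compile(uri));
        } else {
            authFreeUriSet.add(uri);
        }
    }
}

// Validation settings applied to incoming certificate requests.
private void loadCertRequestSettings() {
    // configure if we should verify the IP address that's included
    // in the certificate request (off by default)
    verifyCertRequestIP = Boolean.parseBoolean(System.getProperty(ZTSConsts.ZTS_PROP_CERT_REQUEST_VERIFY_IP, "false"));
    // configure if we should validate subject ou fields to match
    // provider names (off by default)
    verifyCertSubjectOU = Boolean.parseBoolean(System.getProperty(ZTSConsts.ZTS_PROP_CERT_REQUEST_VERIFY_SUBJECT_OU, "false"));
    // x509 certificate issue reset time if configured
    x509CertRefreshResetTime = new DynamicConfigLong(CONFIG_MANAGER, ZTSConsts.ZTS_PROP_CERT_REFRESH_RESET_TIME, 0L);
    // list of valid O and OU values for any certificate request; unlike the other
    // list properties these are '|' separated
    final String validCertSubjectOrgValueList = System.getProperty(ZTSConsts.ZTS_PROP_CERT_ALLOWED_O_VALUES);
    if (validCertSubjectOrgValueList != null) {
        validCertSubjectOrgValues = new HashSet<>(Arrays.asList(validCertSubjectOrgValueList.split("\\|")));
    }
    final String validCertSubjectOrgUnitValueList = System.getProperty(ZTSConsts.ZTS_PROP_CERT_ALLOWED_OU_VALUES);
    if (validCertSubjectOrgUnitValueList != null) {
        validCertSubjectOrgUnitValues = new HashSet<>(Arrays.asList(validCertSubjectOrgUnitValueList.split("\\|")));
    }
}

// Issuer identity, health check, region and instance/service validation settings.
private void loadIssuerAndMiscSettings() {
    // retrieve our oauth settings: the openid issuer falls back to the oauth
    // issuer, which in turn falls back to this server's host name
    ztsOAuthIssuer = System.getProperty(ZTSConsts.ZTS_PROP_OAUTH_ISSUER, serverHostName);
    ztsOpenIDIssuer = System.getProperty(ZTSConsts.ZTS_PROP_OPENID_ISSUER, ztsOAuthIssuer);
    // set up our health check file
    final String healthCheckPath = System.getProperty(ZTSConsts.ZTS_PROP_HEALTH_CHECK_PATH);
    if (!StringUtil.isEmpty(healthCheckPath)) {
        healthCheckFile = new File(healthCheckPath);
    }
    // get server region
    serverRegion = System.getProperty(ZTSConsts.ZTS_PROP_SERVER_REGION);
    // list of domains to be skipped when validating services for instance
    // register/refresh operations since the services in these domains are
    // dynamic - e.g. screwdriver projects
    final String skipDomains = System.getProperty(ZTSConsts.ZTS_PROP_VALIDATE_SERVICE_SKIP_DOMAINS, "");
    validateServiceSkipDomains = new HashSet<>(Arrays.asList(skipDomains.split(",")));
    validateInstanceServiceIdentity = new DynamicConfigBoolean(CONFIG_MANAGER, ZTSConsts.ZTS_PROP_VALIDATE_SERVICE_IDENTITY, true);
    // configured max length for authz details claims
    maxAuthzDetailsLength = Integer.parseInt(System.getProperty(ZTSConsts.ZTS_PROP_MAX_AUTHZ_DETAILS_LENGTH, "1024"));
    // if workloads store should be populated based on IPs from CSR
    enableWorkloadStore = Boolean.parseBoolean(System.getProperty(ZTSConsts.ZTS_PROP_WORKLOAD_ENABLE_STORE_FEATURE, "false"));
}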

Example 15 with DynamicConfigBoolean

Use of com.yahoo.athenz.common.server.util.config.dynamic.DynamicConfigBoolean in the project athenz by yahoo.

Class ZMSImplTest, method testPutAssertionCondition.

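@Test
public void testPutAssertionCondition() {
    final String domainName = "put-assertion-condition";
    final String roleName = "role1";
    final String polName = "pol1";
    final String policyFullName = domainName + ":policy." + polName;
    ZMSImpl zms = zmsTestInitializer.getZms();
    TopLevelDomain dom1 = zmsTestInitializer.createTopLevelDomainObject(domainName, "Test Domain1", "testOrg", zmsTestInitializer.getAdminUser());
    zms.postTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), zmsTestInitializer.getAuditRef(), dom1);
    Role role = zmsTestInitializer.createRoleObject(domainName, roleName, null, "user.john", "user.jane");
    Policy pol = zmsTestInitializer.createPolicyObject(domainName, polName, roleName, "action1", domainName + ":resource1", AssertionEffect.ALLOW);
    zms.putRole(zmsTestInitializer.getMockDomRsrcCtx(), domainName, roleName, zmsTestInitializer.getAuditRef(), role);
    zms.putPolicy(zmsTestInitializer.getMockDomRsrcCtx(), domainName, polName, zmsTestInitializer.getAuditRef(), pol);
    Policy policyResp = zms.getPolicy(zmsTestInitializer.getMockDomRsrcCtx(), domainName, polName);

    // insert a new condition; the id is assigned by the server so none is sent.
    // keys and values use mixed case on purpose because zms lowercases them
    AssertionCondition ac1 = createAssertionConditionObject(1, "instances", "HOST1,host2,Host3");
    ac1.setId(null);
    ac1.getConditionsMap().put("enforcementState", new AssertionConditionData().setValue("ENFORCE").setOperator(AssertionConditionOperator.EQUALS));
    zms.putAssertionCondition(zmsTestInitializer.getMockDomRsrcCtx(), domainName, polName, policyResp.getAssertions().get(0).getId(), zmsTestInitializer.getAuditRef(), ac1);

    // expected shape of the stored condition once zms has lowercased it
    AssertionCondition conditionResp = new AssertionCondition().setId(1).setConditionsMap(new HashMap<>());
    conditionResp.getConditionsMap().put("instances", new AssertionConditionData().setOperator(AssertionConditionOperator.EQUALS).setValue("host1,host2,host3"));
    conditionResp.getConditionsMap().put("enforcementstate", new AssertionConditionData().setOperator(AssertionConditionOperator.EQUALS).setValue("enforce"));

    // the signed domain must carry the condition; fail if the policy itself is
    // missing instead of silently skipping the checks
    Response response = zms.getSignedDomains(zmsTestInitializer.getMockDomRsrcCtx(), domainName, "false", null, true, true, null);
    SignedDomains sdoms = (SignedDomains) response.getEntity();
    Policy signedPolicy = null;
    for (Policy policy : sdoms.getDomains().get(0).getDomain().getPolicies().getContents().getPolicies()) {
        if (policyFullName.equals(policy.getName())) {
            signedPolicy = policy;
        }
    }
    assertNotNull(signedPolicy, "policy " + policyFullName + " not found in signed domain");
    AssertionConditions conditionsResp = signedPolicy.getAssertions().get(0).getConditions();
    assertNotNull(conditionsResp);
    assertThat(conditionsResp.getConditionsList(), CoreMatchers.hasItems(conditionResp));

    // update condition 1 with a replacement key set and verify the old keys are gone
    ac1.setId(1).setConditionsMap(new HashMap<>());
    ac1.getConditionsMap().put("newkey", new AssertionConditionData().setOperator(AssertionConditionOperator.EQUALS).setValue("MYVAL"));
    ac1.getConditionsMap().put("enforcementState", new AssertionConditionData().setOperator(AssertionConditionOperator.EQUALS).setValue("report"));
    zms.putAssertionCondition(zmsTestInitializer.getMockDomRsrcCtx(), domainName, polName, policyResp.getAssertions().get(0).getId(), zmsTestInitializer.getAuditRef(), ac1);
    response = zms.getSignedDomains(zmsTestInitializer.getMockDomRsrcCtx(), domainName, "false", null, true, true, null);
    sdoms = (SignedDomains) response.getEntity();
    conditionResp = new AssertionCondition().setId(1).setConditionsMap(new HashMap<>());
    // zms is going to lowercase data
    conditionResp.getConditionsMap().put("enforcementstate", new AssertionConditionData().setOperator(AssertionConditionOperator.EQUALS).setValue("report"));
    conditionResp.getConditionsMap().put("newkey", new AssertionConditionData().setOperator(AssertionConditionOperator.EQUALS).setValue("myval"));
    signedPolicy = null;
    for (Policy policy : sdoms.getDomains().get(0).getDomain().getPolicies().getContents().getPolicies()) {
        if (policyFullName.equals(policy.getName())) {
            signedPolicy = policy;
        }
    }
    assertNotNull(signedPolicy, "policy " + policyFullName + " not found in signed domain");
    conditionsResp = signedPolicy.getAssertions().get(0).getConditions();
    assertNotNull(conditionsResp);
    assertThat(conditionsResp.getConditionsList(), CoreMatchers.hasItems(conditionResp));

    // the write is refused while the server reports read-only mode; the mock returns
    // true for the first check only, so the admin-policy call below is not affected by it.
    // The ZMSImpl from getZms() is reused across tests, so the real setting is restored in finally.
    DynamicConfigBoolean savedReadOnlyMode = zms.readOnlyMode;
    DynamicConfigBoolean dynamicConfigBoolean = Mockito.mock(DynamicConfigBoolean.class);
    when(dynamicConfigBoolean.get()).thenReturn(true).thenReturn(false);
    zms.readOnlyMode = dynamicConfigBoolean;
    try {
        try {
            zms.putAssertionCondition(zmsTestInitializer.getMockDomRsrcCtx(), domainName, polName, policyResp.getAssertions().get(0).getId(), zmsTestInitializer.getAuditRef(), ac1);
            fail();
        } catch (ResourceException re) {
            assertEquals(re.getCode(), ResourceException.BAD_REQUEST);
        }
        // conditions cannot be added to the domain's admin policy
        try {
            zms.putAssertionCondition(zmsTestInitializer.getMockDomRsrcCtx(), domainName, "admin", policyResp.getAssertions().get(0).getId(), zmsTestInitializer.getAuditRef(), ac1);
            fail();
        } catch (ResourceException re) {
            assertEquals(re.getCode(), ResourceException.BAD_REQUEST);
        }
    } finally {
        zms.readOnlyMode = savedReadOnlyMode;
    }
    zms.deleteTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), domainName, zmsTestInitializer.getAuditRef());
}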
