
Example 16 with DynamicConfigBoolean

use of com.yahoo.athenz.common.server.util.config.dynamic.DynamicConfigBoolean in project athenz by yahoo.

From class ZMSImplTest, method testEnablePolicyVersion.

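@Test
public void testEnablePolicyVersion() {
    // Activating a policy version is a privilege-affecting change, so the
    // test verifies three things: the audit record is complete and correctly
    // attributed, the server state matches the record, and the mutation is
    // refused for the admin policy and while the server is read-only.
    TestAuditLogger alogger = new TestAuditLogger();
    List<String> aLogMsgs = alogger.getLogMsgList();
    ZMSImpl zmsImpl = zmsTestInitializer.getZmsImpl(alogger);
    final String domainName = "PolicyGetDom1";
    final String policyName = "Policy1";
    TopLevelDomain dom1 = zmsTestInitializer.createTopLevelDomainObject(domainName, "Test Domain1", "testOrg", zmsTestInitializer.getAdminUser());
    // the api name is consumed in call order: first by the domain creation,
    // then by the version activation whose audit record is inspected below
    when(zmsTestInitializer.getMockDomRsrcCtx().getApiName()).thenReturn("posttopleveldomain").thenReturn("setActivePolicyVersion");
    zmsImpl.postTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), zmsTestInitializer.getAuditRef(), dom1);
    createPolicyWithVersions(zmsImpl, domainName, policyName);

    // enable a different version, looking only at the audit entries
    // produced by that single call
    aLogMsgs.clear();
    zmsImpl.setActivePolicyVersion(zmsTestInitializer.getMockDomRsrcCtx(), domainName, policyName, new PolicyOptions().setVersion("New-Version1"), zmsTestInitializer.getAuditRef());
    boolean foundAuditEntry = false;
    for (String msg : aLogMsgs) {
        if (!msg.contains("WHAT-api=(setActivePolicyVersion)")) {
            continue;
        }
        // the record must be attributed to the calling client address
        assertTrue(msg.contains("CLIENT-IP=(" + ZMSTestInitializer.MOCKCLIENTADDR + ")"), msg);
        // and its details must list the previously active version as
        // deactivated before the newly active one (the server stores names
        // and versions lower-cased, hence the expected casing here)
        int detailsIndex = msg.indexOf("WHAT-details=(");
        assertTrue(detailsIndex != -1, msg);
        int oldVersionIndex = msg.indexOf("set-active-policy\": [{\"name\": \"policygetdom1:policy.policy1\", \"version\": \"0\", \"active\": \"false\", \"modified\": ");
        int newVersionIndex = msg.indexOf("},{\"name\": \"policygetdom1:policy.policy1\", \"version\": \"new-version1\", \"active\": \"true\", \"modified\": ");
        // a -1 from either lookup fails these ordering checks as well
        assertTrue(detailsIndex < oldVersionIndex, msg);
        assertTrue(oldVersionIndex < newVersionIndex, msg);
        // a successful activation must not carry an error marker
        assertEquals(msg.indexOf("ERROR"), -1, msg);
        foundAuditEntry = true;
        break;
    }
    assertTrue(foundAuditEntry, "no audit record found for setActivePolicyVersion");

    // Verify when fetching the policy we get the new active version
    Policy newActivePolicy = zmsImpl.getPolicy(zmsTestInitializer.getMockDomRsrcCtx(), domainName, policyName);
    assertTrue(newActivePolicy.getActive());
    assertEquals(newActivePolicy.getVersion(), "new-version1");
    assertEquals(newActivePolicy.getName(), "policygetdom1:policy.policy1");
    assertEquals(newActivePolicy.getAssertions().size(), 1);
    assertEquals(newActivePolicy.getAssertions().get(0).getResource(), "policygetdom1:*");
    assertEquals(newActivePolicy.getAssertions().get(0).getRole(), "PolicyGetDom1:role.Admin".toLowerCase());

    // Verify fetching other versions show them as non-active
    Policy oldVersion = zmsImpl.getPolicyVersion(zmsTestInitializer.getMockDomRsrcCtx(), domainName, policyName, "0");
    assertFalse(oldVersion.getActive());
    assertEquals(oldVersion.getVersion(), "0");
    assertEquals(oldVersion.getName(), "policygetdom1:policy.policy1");
    oldVersion = zmsImpl.getPolicyVersion(zmsTestInitializer.getMockDomRsrcCtx(), domainName, policyName, "new-version2");
    assertFalse(oldVersion.getActive());
    assertEquals(oldVersion.getVersion(), "new-version2");
    assertEquals(oldVersion.getName(), "policygetdom1:policy.policy1");

    // Verify trying to activate a version of the admin policy is refused
    try {
        zmsImpl.setActivePolicyVersion(zmsTestInitializer.getMockDomRsrcCtx(), domainName, "admin", new PolicyOptions().setVersion("newversion"), zmsTestInitializer.getAuditRef());
        fail();
    } catch (Exception ex) {
        assertEquals(ex.getMessage(), "ResourceException (400): {code: 400, message: \"setActivePolicyVersion: admin policy cannot be modified\"}");
    }

    // Verify setting the active version in read-only mode is refused.
    // An always-true mock is used for the refused call and replaced by an
    // always-false mock afterwards, so the outcome does not depend on how
    // many times the server consults the flag per request.
    DynamicConfigBoolean readOnlyEnabled = Mockito.mock(DynamicConfigBoolean.class);
    when(readOnlyEnabled.get()).thenReturn(true);
    zmsImpl.readOnlyMode = readOnlyEnabled;
    try {
        zmsImpl.setActivePolicyVersion(zmsTestInitializer.getMockDomRsrcCtx(), domainName, policyName, new PolicyOptions().setVersion("New-Version2"), zmsTestInitializer.getAuditRef());
        fail();
    } catch (Exception ex) {
        assertEquals(ex.getMessage(), "ResourceException (400): {code: 400, message: \"Server in Maintenance Read-Only mode. Please try your request later\"}");
    }
    DynamicConfigBoolean readOnlyDisabled = Mockito.mock(DynamicConfigBoolean.class);
    when(readOnlyDisabled.get()).thenReturn(false);
    zmsImpl.readOnlyMode = readOnlyDisabled;
    // the refused request must not have changed which version is active
    Policy unchangedPolicy = zmsImpl.getPolicy(zmsTestInitializer.getMockDomRsrcCtx(), domainName, policyName);
    assertEquals(unchangedPolicy.getVersion(), "new-version1");

    zmsImpl.deleteTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), "PolicyGetDom1", zmsTestInitializer.getAuditRef());
}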

Example 17 with DynamicConfigBoolean

use of com.yahoo.athenz.common.server.util.config.dynamic.DynamicConfigBoolean in project athenz by yahoo.

From class ZMSImplTest, method testPutGroupMembershipDecisionAuditEnabledGroupInvalidUser.

@Test
public void testPutGroupMembershipDecisionAuditEnabledGroupInvalidUser() {
    // Scenario: an audit-enabled group has two pending members. With user
    // validation switched on, an approval for a principal the user authority
    // does not know must be refused, while rejecting that same principal
    // (which only removes the pending entry) must still go through.
    final String domainName = "group-mbr-dec-invalid";
    final String groupName = "testgroup1";
    final ZMSImpl zms = zmsTestInitializer.getZms();

    // audit-enabled domain owned by user.user1
    TopLevelDomain dom1 = zmsTestInitializer.createTopLevelDomainObject(domainName, "Approval Test Domain1", "testOrg", "user.user1");
    zms.postTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), zmsTestInitializer.getAuditRef(), dom1);
    DomainMeta meta = zmsTestInitializer.createDomainMetaObject("Domain Meta for approval test", "testOrg", true, true, "12345", 1001);
    zms.putDomainMeta(zmsTestInitializer.getMockDomRsrcCtx(), domainName, zmsTestInitializer.getAuditRef(), meta);
    zms.putDomainSystemMeta(zmsTestInitializer.getMockDomRsrcCtx(), domainName, "auditenabled", zmsTestInitializer.getAuditRef(), meta);

    // audit-enabled group with two confirmed members
    Group auditedGroup = zmsTestInitializer.createGroupObject(domainName, groupName, "user.john", "user.jane");
    zms.putGroup(zmsTestInitializer.getMockDomRsrcCtx(), domainName, groupName, zmsTestInitializer.getAuditRef(), auditedGroup);
    GroupSystemMeta groupSystemMeta = createGroupSystemMetaObject(true);
    zms.putGroupSystemMeta(zmsTestInitializer.getMockDomRsrcCtx(), domainName, groupName, "auditenabled", zmsTestInitializer.getAuditRef(), groupSystemMeta);

    // two pending (inactive, unapproved) membership requests
    for (String pendingMember : new String[] { "user.joe", "user.bob" }) {
        GroupMembership pending = new GroupMembership();
        pending.setMemberName(pendingMember);
        pending.setActive(false);
        pending.setApproved(false);
        zms.putGroupMembership(zmsTestInitializer.getMockDomRsrcCtx(), domainName, groupName, pendingMember, zmsTestInitializer.getAuditRef(), pending);
    }

    // user.fury is granted audit approval rights for the org and becomes
    // the principal on the request context for the decisions below
    setupPrincipalAuditedRoleApprovalByOrg(zms, "user.fury", "testOrg");
    Authority auditAdminPrincipalAuthority = new com.yahoo.athenz.common.server.debug.DebugPrincipalAuthority();
    final String auditAdminUnsignedCreds = "v=U1;d=user;n=fury";
    final Principal auditAdminPrincipal = SimplePrincipal.create("user", "fury", auditAdminUnsignedCreds + ";s=signature", 0, auditAdminPrincipalAuthority);
    assertNotNull(auditAdminPrincipal);
    ((SimplePrincipal) auditAdminPrincipal).setUnsignedCreds(auditAdminUnsignedCreds);
    when(zmsTestInitializer.getMockDomRsrcCtx().principal()).thenReturn(auditAdminPrincipal);

    // enable user authority check - joe and jane are the only
    // valid users in the system
    zms.userAuthority = new TestUserPrincipalAuthority();
    DynamicConfigBoolean validateUsers = Mockito.mock(DynamicConfigBoolean.class);
    when(validateUsers.get()).thenReturn(true);
    zms.validateUserRoleMembers = validateUsers;

    // approving user.joe succeeds: the test authority knows that user
    GroupMembership decision = new GroupMembership();
    decision.setMemberName("user.joe");
    decision.setActive(true);
    decision.setApproved(true);
    zms.putGroupMembershipDecision(zmsTestInitializer.getMockDomRsrcCtx(), domainName, groupName, "user.joe", zmsTestInitializer.getAuditRef(), decision);

    // approving user.bob is refused: the test authority does not know
    // that user, so validation must block the grant
    decision.setMemberName("user.bob");
    try {
        zms.putGroupMembershipDecision(zmsTestInitializer.getMockDomRsrcCtx(), domainName, groupName, "user.bob", zmsTestInitializer.getAuditRef(), decision);
        fail();
    } catch (ResourceException ex) {
        assertEquals(ex.code, 400);
    }

    // rejecting user.bob still works: a rejection only deletes the pending
    // entry, so the member is not validated on that path
    decision.setActive(false);
    decision.setApproved(false);
    zms.putGroupMembershipDecision(zmsTestInitializer.getMockDomRsrcCtx(), domainName, groupName, "user.bob", zmsTestInitializer.getAuditRef(), decision);

    cleanupPrincipalAuditedRoleApprovalByOrg(zms, "testOrg");
    zms.deleteTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), domainName, zmsTestInitializer.getAuditRef());
}

Example 18 with DynamicConfigBoolean

use of com.yahoo.athenz.common.server.util.config.dynamic.DynamicConfigBoolean in project athenz by yahoo.

From class ZMSImplTest, method testPutAssertionConditions.

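@Test
public void testPutAssertionConditions() {
    // Assertion conditions narrow where an ALLOW assertion applies (here:
    // to specific host instances with an enforcement state). The test checks
    // that stored conditions are visible in the signed domain data consumed
    // by policy enforcers, and that the write is refused in read-only mode
    // and for the admin policy.
    final String domainName = "put-assertion-conditions";
    final String roleName = "role1";
    final String polName = "pol1";
    TopLevelDomain dom1 = zmsTestInitializer.createTopLevelDomainObject(domainName, "Test Domain1", "testOrg", zmsTestInitializer.getAdminUser());
    zmsTestInitializer.getZms().postTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), zmsTestInitializer.getAuditRef(), dom1);
    Role role = zmsTestInitializer.createRoleObject(domainName, roleName, null, "user.john", "user.jane");
    Policy pol = zmsTestInitializer.createPolicyObject(domainName, polName, roleName, "action1", domainName + ":resource1", AssertionEffect.ALLOW);
    zmsTestInitializer.getZms().putRole(zmsTestInitializer.getMockDomRsrcCtx(), domainName, roleName, zmsTestInitializer.getAuditRef(), role);
    zmsTestInitializer.getZms().putPolicy(zmsTestInitializer.getMockDomRsrcCtx(), domainName, polName, zmsTestInitializer.getAuditRef(), pol);
    // re-read the policy to obtain the server-assigned assertion id
    Policy policyResp = zmsTestInitializer.getZms().getPolicy(zmsTestInitializer.getMockDomRsrcCtx(), domainName, polName);

    // two conditions with mixed-case values; the server is expected to
    // lower-case both keys and values on storage
    AssertionConditions acs = new AssertionConditions().setConditionsList(new ArrayList<>());
    AssertionCondition ac1 = createAssertionConditionObject(1, "instances", "HOST1,host2,Host3");
    ac1.getConditionsMap().put("enforcementState", new AssertionConditionData().setValue("ENFORCE").setOperator(AssertionConditionOperator.EQUALS));
    acs.getConditionsList().add(ac1);
    AssertionCondition ac2 = createAssertionConditionObject(2, "instances", "HOST21,host22");
    ac2.getConditionsMap().put("enforcementState", new AssertionConditionData().setValue("REPORT").setOperator(AssertionConditionOperator.EQUALS));
    acs.getConditionsList().add(ac2);
    zmsTestInitializer.getZms().putAssertionConditions(zmsTestInitializer.getMockDomRsrcCtx(), domainName, polName, policyResp.getAssertions().get(0).getId(), zmsTestInitializer.getAuditRef(), acs);

    // the conditions must be present in the signed domain data
    Response response = zmsTestInitializer.getZms().getSignedDomains(zmsTestInitializer.getMockDomRsrcCtx(), domainName, "false", null, true, true, null);
    SignedDomains sdoms = (SignedDomains) response.getEntity();
    AssertionCondition expectedCondition1 = new AssertionCondition().setId(1).setConditionsMap(new HashMap<>());
    expectedCondition1.getConditionsMap().put("instances", new AssertionConditionData().setOperator(AssertionConditionOperator.EQUALS).setValue("host1,host2,host3"));
    expectedCondition1.getConditionsMap().put("enforcementstate", new AssertionConditionData().setOperator(AssertionConditionOperator.EQUALS).setValue("enforce"));
    AssertionCondition expectedCondition2 = new AssertionCondition().setId(2).setConditionsMap(new HashMap<>());
    expectedCondition2.getConditionsMap().put("instances", new AssertionConditionData().setOperator(AssertionConditionOperator.EQUALS).setValue("host21,host22"));
    expectedCondition2.getConditionsMap().put("enforcementstate", new AssertionConditionData().setOperator(AssertionConditionOperator.EQUALS).setValue("report"));
    final String expectedPolicyName = domainName + ":policy." + polName;
    boolean policyFound = false;
    for (Policy policy : sdoms.getDomains().get(0).getDomain().getPolicies().getContents().getPolicies()) {
        if (!expectedPolicyName.equals(policy.getName())) {
            continue;
        }
        policyFound = true;
        AssertionConditions conditionsResp = policy.getAssertions().get(0).getConditions();
        assertNotNull(conditionsResp);
        assertThat(conditionsResp.getConditionsList(), CoreMatchers.hasItems(expectedCondition1, expectedCondition2));
    }
    // without this the loop above would silently pass if the policy were
    // missing from the signed domain altogether
    assertTrue(policyFound, "policy " + expectedPolicyName + " not found in signed domain data");

    // writes are refused while the server is in read-only mode; an
    // always-true mock is used for the refused call and an always-false one
    // afterwards, so the outcome does not depend on how often the server
    // consults the flag
    DynamicConfigBoolean readOnlyEnabled = Mockito.mock(DynamicConfigBoolean.class);
    when(readOnlyEnabled.get()).thenReturn(true);
    zmsTestInitializer.getZms().readOnlyMode = readOnlyEnabled;
    try {
        zmsTestInitializer.getZms().putAssertionConditions(zmsTestInitializer.getMockDomRsrcCtx(), domainName, polName, policyResp.getAssertions().get(0).getId(), zmsTestInitializer.getAuditRef(), acs);
        fail();
    } catch (ResourceException re) {
        assertEquals(re.getCode(), ResourceException.BAD_REQUEST);
    }
    DynamicConfigBoolean readOnlyDisabled = Mockito.mock(DynamicConfigBoolean.class);
    when(readOnlyDisabled.get()).thenReturn(false);
    zmsTestInitializer.getZms().readOnlyMode = readOnlyDisabled;

    // the admin policy may not be modified through this api either
    try {
        zmsTestInitializer.getZms().putAssertionConditions(zmsTestInitializer.getMockDomRsrcCtx(), domainName, "admin", policyResp.getAssertions().get(0).getId(), zmsTestInitializer.getAuditRef(), acs);
        fail();
    } catch (ResourceException re) {
        assertEquals(re.getCode(), ResourceException.BAD_REQUEST);
    }

    zmsTestInitializer.getZms().deleteTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), domainName, zmsTestInitializer.getAuditRef());
}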

Example 19 with DynamicConfigBoolean

use of com.yahoo.athenz.common.server.util.config.dynamic.DynamicConfigBoolean in project athenz by yahoo.

From class ZMSImplTest, method testValidateRoleMemberPrincipalService.

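@Test
public void testValidateRoleMemberPrincipalService() {
    // With service member validation enabled, only services that are
    // registered in ZMS may be added as role members (wildcards excepted),
    // unless the service's domain is on the configured skip list.
    DynamicConfigBoolean dynamicConfigBoolean = Mockito.mock(DynamicConfigBoolean.class);
    when(dynamicConfigBoolean.get()).thenReturn(true);
    zmsTestInitializer.getZms().validateServiceRoleMembers = dynamicConfigBoolean;
    final int serviceType = Principal.Type.SERVICE.getValue();

    // wildcards are always valid with no exception
    zmsTestInitializer.getZms().validateRoleMemberPrincipal("athenz.api*", serviceType, null, null, null, false, "unittest");
    zmsTestInitializer.getZms().validateRoleMemberPrincipal("coretech.*", serviceType, null, null, null, false, "unittest");

    // a service member combined with a user authority filter is rejected
    try {
        zmsTestInitializer.getZms().validateRoleMemberPrincipal("coretech.api", serviceType, "employee", null, null, false, "unittest");
        fail();
    } catch (ResourceException ex) {
        assertEquals(ex.getCode(), ResourceException.BAD_REQUEST);
    }

    // a bare domain name is not a service principal
    try {
        zmsTestInitializer.getZms().validateRoleMemberPrincipal("coretech", serviceType, null, null, null, false, "unittest");
        fail();
    } catch (ResourceException ex) {
        assertEquals(ex.getCode(), ResourceException.BAD_REQUEST);
    }

    TopLevelDomain dom1 = zmsTestInitializer.createTopLevelDomainObject("coretech", "Test Domain1", "testorg", zmsTestInitializer.getAdminUser());
    zmsTestInitializer.getZms().postTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), zmsTestInitializer.getAuditRef(), dom1);
    TopLevelDomain dom2 = zmsTestInitializer.createTopLevelDomainObject("coretech2", "Test Domain2", "testorg", zmsTestInitializer.getAdminUser());
    zmsTestInitializer.getZms().postTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), zmsTestInitializer.getAuditRef(), dom2);
    ServiceIdentity service1 = zmsTestInitializer.createServiceObject("coretech", "api", "http://localhost", "/usr/bin/java", "root", "users", "host1");
    zmsTestInitializer.getZms().putServiceIdentity(zmsTestInitializer.getMockDomRsrcCtx(), "coretech", "api", zmsTestInitializer.getAuditRef(), service1);

    // known service - no exception
    zmsTestInitializer.getZms().validateRoleMemberPrincipal("coretech.api", serviceType, null, null, null, false, "unittest");

    // unknown service in a known domain - rejected
    try {
        zmsTestInitializer.getZms().validateRoleMemberPrincipal("coretech.backend", serviceType, null, null, null, false, "unittest");
        fail();
    } catch (ResourceException ex) {
        assertEquals(ex.getCode(), ResourceException.BAD_REQUEST);
    }

    // include coretech in the skip domain list and try the operation again.
    // The system property is JVM-global, so it is cleared in a finally
    // block: a failing assertion must not leave the skip list in place for
    // the tests that run afterwards.
    System.setProperty(ZMSConsts.ZMS_PROP_VALIDATE_SERVICE_MEMBERS_SKIP_DOMAINS, "unix,coretech");
    try {
        // reloading the settings replaces the validateServiceRoleMembers
        // flag, so the mock has to be installed again
        zmsTestInitializer.getZms().loadConfigurationSettings();
        zmsTestInitializer.getZms().validateServiceRoleMembers = dynamicConfigBoolean;

        // coretech is now accepted without the service existing
        zmsTestInitializer.getZms().validateRoleMemberPrincipal("coretech.backend", serviceType, null, null, null, false, "unittest");

        // coretech2 is not on the skip list and is still validated
        try {
            zmsTestInitializer.getZms().validateRoleMemberPrincipal("coretech2.backend", serviceType, null, null, null, false, "unittest");
            fail();
        } catch (ResourceException ex) {
            assertEquals(ex.getCode(), ResourceException.BAD_REQUEST);
        }

        // user principals by default are accepted
        zmsTestInitializer.getZms().validateRoleMemberPrincipal("user.john", Principal.Type.USER.getValue(), null, null, null, false, "unittest");
    } finally {
        // reset our setting
        System.clearProperty(ZMSConsts.ZMS_PROP_VALIDATE_SERVICE_MEMBERS_SKIP_DOMAINS);
    }

    zmsTestInitializer.getZms().deleteTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), "coretech", zmsTestInitializer.getAuditRef());
    zmsTestInitializer.getZms().deleteTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), "coretech2", zmsTestInitializer.getAuditRef());
}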

Example 20 with DynamicConfigBoolean

use of com.yahoo.athenz.common.server.util.config.dynamic.DynamicConfigBoolean in project athenz by yahoo.

From class ZMSImpl, method loadConfigurationSettings.

/**
 * Reads the server's runtime settings from system properties into the
 * instance fields. Several of these settings are security controls
 * (secure-only requests, read-only mode, member validation, the
 * auth-free URI list and the CORS allow lists), so the notes below call
 * out how each value is parsed and which inputs are not validated here.
 *
 * Numeric settings are parsed with {@code Integer.parseInt} /
 * {@code Long.parseLong}; a malformed value therefore throws a
 * {@code NumberFormatException} and fails initialization rather than
 * falling back to a default. Comma-separated lists are split without
 * trimming, so entries with surrounding whitespace will not match.
 */
void loadConfigurationSettings() {
    // make sure all requests run in secure mode
    // (defaults to true; anything other than the string "true" disables it)
    secureRequestsOnly = Boolean.parseBoolean(System.getProperty(ZMSConsts.ZMS_PROP_SECURE_REQUESTS_ONLY, "true"));
    // retrieve the regular and status ports
    httpPort = ConfigProperties.getPortNumber(ZMSConsts.ZMS_PROP_HTTP_PORT, ZMSConsts.ZMS_HTTP_PORT_DEFAULT);
    httpsPort = ConfigProperties.getPortNumber(ZMSConsts.ZMS_PROP_HTTPS_PORT, ZMSConsts.ZMS_HTTPS_PORT_DEFAULT);
    statusPort = ConfigProperties.getPortNumber(ZMSConsts.ZMS_PROP_STATUS_PORT, 0);
    successServerStatus = new Status().setCode(ResourceException.OK).setMessage("OK");
    // retrieve the user domain we're supposed to use
    userDomain = System.getProperty(ZMSConsts.ZMS_PROP_USER_DOMAIN, ZMSConsts.USER_DOMAIN);
    userDomainPrefix = userDomain + ".";
    userDomainAlias = System.getProperty(ZMSConsts.ZMS_PROP_USER_DOMAIN_ALIAS);
    if (!StringUtil.isEmpty(userDomainAlias)) {
        userDomainAliasPrefix = userDomainAlias + ".";
    }
    // additional domains whose principals are treated as users; note that
    // the set and prefix list are only created when the property is set,
    // so they stay at their previous value (presumably null) otherwise
    final String addlUserCheckDomains = System.getProperty(ZMSConsts.ZMS_PROP_ADDL_USER_CHECK_DOMAINS);
    if (!StringUtil.isEmpty(addlUserCheckDomains)) {
        String[] checkDomains = addlUserCheckDomains.split(",");
        addlUserCheckDomainSet = new HashSet<>();
        addlUserCheckDomainPrefixList = new ArrayList<>();
        for (String checkDomain : checkDomains) {
            addlUserCheckDomainSet.add(checkDomain);
            addlUserCheckDomainPrefixList.add(checkDomain + ".");
        }
    }
    homeDomain = System.getProperty(ZMSConsts.ZMS_PROP_HOME_DOMAIN, userDomain);
    homeDomainPrefix = homeDomain + ".";
    // default token timeout for issued tokens
    // NOTE(review): no range check - a zero or negative value is accepted as-is
    userTokenTimeout = Integer.parseInt(System.getProperty(ZMSConsts.ZMS_PROP_TIMEOUT, "3600"));
    // check if we need to run in maintenance read only mode
    // (dynamic: the value is re-read through CONFIG_MANAGER; the last
    // constructor argument is presumably the default when unset)
    readOnlyMode = new DynamicConfigBoolean(CONFIG_MANAGER, ZMSConsts.ZMS_PROP_READ_ONLY_MODE, false);
    // check to see if we need to validate all user and service members
    // when adding them to roles. All three checks are opt-in: unless the
    // properties are set, members and assertion roles are not verified
    // to exist before they are granted access.
    validateServiceRoleMembers = new DynamicConfigBoolean(CONFIG_MANAGER, ZMSConsts.ZMS_PROP_VALIDATE_SERVICE_MEMBERS, false);
    validateUserRoleMembers = new DynamicConfigBoolean(CONFIG_MANAGER, ZMSConsts.ZMS_PROP_VALIDATE_USER_MEMBERS, false);
    validatePolicyAssertionRoles = new DynamicConfigBoolean(CONFIG_MANAGER, ZMSConsts.ZMS_PROP_VALIDATE_ASSERTION_ROLES, false);
    // there are going to be domains like our ci/cd dynamic project domain
    // where we can't verify the service role members so for those we're
    // going to skip specific domains from validation checks
    // NOTE(review): "".split(",") yields [""], so the set always contains
    // the empty string when the property is unset; harmless unless an
    // empty domain name can ever reach the skip check.
    final String skipDomains = System.getProperty(ZMSConsts.ZMS_PROP_VALIDATE_SERVICE_MEMBERS_SKIP_DOMAINS, "");
    validateServiceMemberSkipDomains = new HashSet<>(Arrays.asList(skipDomains.split(",")));
    // check to see if we need to support product ids as required
    // for top level domains
    productIdSupport = Boolean.parseBoolean(System.getProperty(ZMSConsts.ZMS_PROP_PRODUCT_ID_SUPPORT, "false"));
    // get the list of valid provider endpoints
    final String endPoints = System.getProperty(ZMSConsts.ZMS_PROP_PROVIDER_ENDPOINTS);
    if (!StringUtil.isEmpty(endPoints)) {
        providerEndpoints = Arrays.asList(endPoints.split(","));
    }
    // retrieve virtual domain support and limit. If we're given an invalid negative
    // value for limit, we'll default back to our configured value of 5
    virtualDomainSupport = Boolean.parseBoolean(System.getProperty(ZMSConsts.ZMS_PROP_VIRTUAL_DOMAIN, "true"));
    virtualDomainLimit = Integer.parseInt(System.getProperty(ZMSConsts.ZMS_PROP_VIRTUAL_DOMAIN_LIMIT, "5"));
    if (virtualDomainLimit < 0) {
        virtualDomainLimit = 5;
    }
    // signedPolicyTimeout is in milliseconds but the config setting should be in seconds
    // to be consistent with other configuration properties (Default 7 days)
    signedPolicyTimeout = 1000 * Long.parseLong(System.getProperty(ZMSConsts.ZMS_PROP_SIGNED_POLICY_TIMEOUT, "604800"));
    if (signedPolicyTimeout < 0) {
        signedPolicyTimeout = 1000 * 604800;
    }
    useMasterCopyForSignedDomains = Boolean.parseBoolean(System.getProperty(ZMSConsts.ZMS_PROP_MASTER_COPY_FOR_SIGNED_DOMAINS, "false"));
    // get the maximum length allowed for a top level domain name
    domainNameMaxLen = Integer.parseInt(System.getProperty(ZMSConsts.ZMS_PROP_DOMAIN_NAME_MAX_SIZE, ZMSConsts.ZMS_DOMAIN_NAME_MAX_SIZE_DEFAULT));
    if (domainNameMaxLen < 10) {
        // 10 is arbitrary
        int domNameMaxDefault = Integer.parseInt(ZMSConsts.ZMS_DOMAIN_NAME_MAX_SIZE_DEFAULT);
        LOG.warn("init: Warning: maximum domain name length specified is too small: {} reverting to default: {}", domainNameMaxLen, domNameMaxDefault);
        domainNameMaxLen = domNameMaxDefault;
    }
    LOG.info("init: using maximum domain name length: {}", domainNameMaxLen);
    // get the list of uris that we want to allow un-authenticated access.
    // An entry containing a '+' is treated as a regular expression and
    // compiled here (an invalid pattern throws PatternSyntaxException and
    // fails startup); every other entry is matched as an exact string.
    // NOTE(review): the '+' heuristic means a literal entry may still contain
    // other regex metacharacters that are then matched verbatim, and a
    // pattern without '+' is never compiled - worth keeping in mind when
    // auditing the configured list, since these URIs bypass authentication.
    final String uriList = System.getProperty(ZMSConsts.ZMS_PROP_NOAUTH_URI_LIST);
    if (!StringUtil.isEmpty(uriList)) {
        authFreeUriSet = new HashSet<>();
        authFreeUriList = new ArrayList<>();
        String[] list = uriList.split(",");
        for (String uri : list) {
            if (uri.indexOf('+') != -1) {
                authFreeUriList.add(Pattern.compile(uri));
            } else {
                authFreeUriSet.add(uri);
            }
        }
    }
    // get the list of allowed origin values for cors requests
    // (left untouched when the property is unset)
    final String originList = System.getProperty(ZMSConsts.ZMS_PROP_CORS_ORIGIN_LIST);
    if (!StringUtil.isEmpty(originList)) {
        corsOriginList = new HashSet<>(Arrays.asList(originList.split(",")));
    }
    // get the list of allowed header names for cors requests; the default
    // includes a "*" entry - how that entry is interpreted is decided by
    // the code that consumes corsRequestHeaderList, not here
    // NOTE(review): toLowerCase() without a Locale is locale-sensitive;
    // Locale.ROOT would make header matching independent of the JVM default
    final String headerList = System.getProperty(ZMSConsts.ZMS_PROP_CORS_HEADER_LIST, "*,Accept,Accept-Language,Content-Language,Content-Type,Authorization");
    corsRequestHeaderList = Arrays.stream(headerList.split(",")).map(String::toLowerCase).collect(Collectors.toSet());
    // get the list of service names that may not be registered by users
    final String serviceNames = System.getProperty(ZMSConsts.ZMS_PROP_RESERVED_SERVICE_NAMES, ZMSConsts.ZMS_RESERVED_SERVICE_NAMES_DEFAULT);
    reservedServiceNames = new HashSet<>(Arrays.asList(serviceNames.split(",")));
    // min length for service names
    serviceNameMinLength = Integer.parseInt(System.getProperty(ZMSConsts.ZMS_PROP_SERVICE_NAME_MIN_LENGTH, "3"));
    // setup our reserved system domain names
    // NOTE(review): userDomainAlias and the additional user-check domains
    // are not added here - confirm they are protected elsewhere if a caller
    // could otherwise create a top-level domain with one of those names
    reservedSystemDomains = new HashSet<>();
    reservedSystemDomains.add("sys");
    reservedSystemDomains.add(SYS_AUTH);
    reservedSystemDomains.add("sys.auth.audit");
    reservedSystemDomains.add("sys.auth.audit.org");
    reservedSystemDomains.add("sys.auth.audit.domain");
    reservedSystemDomains.add(userDomain);
    reservedSystemDomains.add(homeDomain);
    // setup our health check file (only the File object is created here;
    // nothing is read or written at this point)
    final String healthCheckPath = System.getProperty(ZMSConsts.ZMS_PROP_HEALTH_CHECK_PATH);
    if (!StringUtil.isEmpty(healthCheckPath)) {
        healthCheckFile = new File(healthCheckPath);
    }
    // get server region
    serverRegion = System.getProperty(ZMSConsts.ZMS_PROP_SERVER_REGION);
}
