
Example 1 with ProviderClient

use of com.yahoo.athenz.provider.ProviderClient in project athenz by yahoo.

the class ZMSImpl method getProviderClient.

/**
 * Builds the client ZMS uses to call a tenancy provider at {@code url}.
 *
 * With no custom {@code providerClass} configured, a plain ProviderClient is
 * returned with the caller's own credential attached as a request header; that
 * credential is therefore sent to whatever endpoint the provider service has
 * registered. Otherwise {@code providerClass} is instantiated reflectively via
 * its {@code (String, Principal)} constructor and is responsible for its own
 * credential handling.
 *
 * @param url         provider endpoint taken from the provider's service identity
 * @param tenantAdmin principal making the tenancy request
 * @return a client bound to {@code url}
 * Errors: 400 when {@code providerClass} cannot be constructed with
 *         {@code (String, Principal)}.
 */
ProviderClient getProviderClient(String url, Principal tenantAdmin) {
    final String caller = "getproviderclient";
    if (providerClass == null) {
        // Default client: forward the requester's credential to the provider.
        // NOTE(review): nothing here checks the scheme or host of url; that
        // check has to live where the provider endpoint is stored -- confirm.
        ProviderClient client = new ProviderClient(url);
        client.addCredentials(tenantAdmin.getAuthority().getHeader(), tenantAdmin.getCredentials());
        return client;
    }
    try {
        return providerClass.getConstructor(String.class, Principal.class).newInstance(url, tenantAdmin);
    } catch (Exception e) {
        // NOTE(review): the reflective failure itself is not logged; only this
        // generic message reaches the caller
        throw ZMSUtils.requestError("getProviderClient: Provider Class does not have the appropriate constructor", caller);
    }
}

Example 2 with ProviderClient

use of com.yahoo.athenz.provider.ProviderClient in project athenz by yahoo.

the class ZMSImpl method getTenancy.

/**
 * Looks up the tenancy of {@code tenantDomain} on the provider service
 * {@code providerService} (a fully qualified "domain.service" name).
 *
 * ZMS cannot tell from its own policies alone whether the provider uses
 * resource groups, so it asks the provider over its registered endpoint and
 * then filters the resource groups the provider reports against the policies
 * ZMS holds for the tenant and provider domains.
 *
 * @param ctx             request context; its principal is passed to the provider client
 * @param tenantDomain    tenant domain name (lower-cased before use)
 * @param providerService fully qualified provider service name (lower-cased before use)
 * @return a Tenancy for the pair; resourceGroups is set only when the provider
 *         returned a (possibly empty) list, and then holds only the groups whose
 *         tenant/provider policies exist in ZMS
 * Errors: 404 if the tenant domain does not exist or the provider reports no
 *         such tenant; 400 if the provider domain or service is missing or the
 *         service has no provider endpoint; an error raised by the provider is
 *         relayed with the provider's own status code and message.
 */
public Tenancy getTenancy(ResourceContext ctx, String tenantDomain, String providerService) {
    final String caller = "gettenancy";
    metric.increment(ZMSConsts.HTTP_GET);
    logPrincipal(ctx);
    validateRequest(ctx.request(), caller);
    validate(tenantDomain, TYPE_DOMAIN_NAME, caller);
    // fully qualified provider's service name
    validate(providerService, TYPE_SERVICE_NAME, caller);
    // for consistent handling of all requests, we're going to convert
    // all incoming object values into lower case (e.g. domain, role,
    // policy, service, etc name)
    tenantDomain = tenantDomain.toLowerCase();
    providerService = providerService.toLowerCase();
    metric.increment(ZMSConsts.HTTP_REQUEST, tenantDomain);
    metric.increment(caller, tenantDomain);
    Object timerMetric = metric.startTiming("gettenancy_timing", tenantDomain);
    // first verify that we have a valid tenant domain with policies
    Domain domain = dbService.getDomain(tenantDomain, false);
    if (domain == null) {
        throw ZMSUtils.notFoundError("getTenancy: No such tenant domain: " + tenantDomain, caller);
    }
    // we need to contact the provider to retrieve tenancy details
    // since we don't know if the provider supports resource groups
    // and as such the policies we have are for tenant's subdomains
    // or for tenant's domain with resource groups.
    String provSvcDomain = providerServiceDomain(providerService);
    String provSvcName = providerServiceName(providerService);
    Domain providerDomain = dbService.getDomain(provSvcDomain, false);
    if (providerDomain == null) {
        throw ZMSUtils.requestError("getTenancy: No such provider domain: " + provSvcDomain, caller);
    }
    // now retrieve our provider service object
    ServiceIdentity service = dbService.getServiceIdentity(provSvcDomain, provSvcName);
    if (service == null) {
        throw ZMSUtils.requestError("getTenancy: unable to retrieve service=" + providerService, caller);
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("getTenancy: serviceIdentity: provider=" + service);
    }
    // contact the provider and get the tenant object
    // NOTE(review): the endpoint is whatever the provider domain registered on
    // its service identity; nothing here checks its scheme or host, so that
    // check must happen where the endpoint is stored -- confirm.
    String url = service.getProviderEndpoint();
    if (url == null || url.isEmpty()) {
        throw ZMSUtils.requestError("getTenancy: cannot get tenancy on provider service=" + providerService + " -- not a provider service", caller);
    }
    // NOTE(review): unlike putTenancyResourceGroup / deleteTenancy(ResourceGroup)
    // there is no verifyAuthorizedServiceOperation call on this read path;
    // confirm authorization is enforced by the layer that dispatches here.
    Principal tenantAdmin = ((RsrcCtxWrapper) ctx).principal();
    Tenant tenant = null;
    try {
        // with the default client this principal's credential is attached to
        // the request sent to the provider endpoint (see getProviderClient)
        ProviderClient prov = getProviderClient(url, tenantAdmin);
        tenant = prov.getTenant(provSvcName, tenantDomain);
    } catch (com.yahoo.athenz.provider.ResourceException ex) {
        // the provider's status code and message are relayed verbatim to the caller
        LOG.error("getTenancy: ProviderClient exception code: {} message: {}", ex.getCode(), ex.getMessage());
        throw ZMSUtils.error(ex.getCode(), ex.getMessage(), caller);
    }
    if (tenant == null) {
        throw ZMSUtils.notFoundError("getTenancy: Provider reports no such tenant: " + tenantDomain, caller);
    }
    if (LOG.isInfoEnabled()) {
        // NOTE(review): the whole provider response is logged at INFO; make sure
        // Tenant's toString carries nothing that should stay out of the logs
        LOG.info("getTenancy: ---- result of provider.getTenant: " + tenant);
    }
    // now we are going to verify to make sure that both tenant
    // and provider domains have the appropriate policies. however we
    // are not going to reject any requests because of missing policies
    // and instead for resource group support we'll just not report
    // the resource group as a valid provisioned one.
    Tenancy tenancy = new Tenancy();
    tenancy.setDomain(tenantDomain).setService(providerService);
    // resource group names come from the provider; a group is reported back
    // only once verifyTenancyPolicies finds its policies on both sides, so the
    // provider cannot make ZMS advertise a group that was never provisioned here
    List<String> resourceGroups = tenant.getResourceGroups();
    if (resourceGroups != null) {
        List<String> tenantPolicies = dbService.listPolicies(tenantDomain);
        Set<String> providerPolicies = new HashSet<>(dbService.listPolicies(provSvcDomain));
        List<String> tenancyResouceGroups = new ArrayList<>();
        for (String resourceGroup : resourceGroups) {
            if (!verifyTenancyPolicies(tenantDomain, tenantPolicies, providerPolicies, provSvcDomain, provSvcName, resourceGroup)) {
                if (LOG.isInfoEnabled()) {
                    LOG.info("getTenancy: Invalid Resource Group: " + resourceGroup + " for tenant: " + tenantDomain);
                }
            } else {
                tenancyResouceGroups.add(resourceGroup);
            }
        }
        tenancy.setResourceGroups(tenancyResouceGroups);
    }
    // the timer is only stopped on the success path; every error above returns
    // without reaching this line
    metric.stopTiming(timerMetric);
    return tenancy;
}

Example 3 with ProviderClient

use of com.yahoo.athenz.provider.ProviderClient in project athenz by yahoo.

the class ZMSImpl method putTenancyResourceGroup.

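/**
 * Provisions {@code resourceGroup} for {@code tenantDomain} on the provider service
 * {@code provider} (a fully qualified "domain.service" name).
 *
 * The provider is asked, over its registered endpoint, to create the resource group
 * and to report the roles it expects; ZMS then creates a role for each reported role
 * in the tenant domain via executePutProviderRoles. The {@code detail} body is
 * lower-cased and logged but is not sent to the provider: the provider request is
 * built from the path parameters only.
 *
 * @param ctx           request context; its principal must belong to a service that
 *                      is authorized for this operation
 * @param tenantDomain  tenant domain name (lower-cased before use)
 * @param provider      fully qualified provider service name (lower-cased before use)
 * @param resourceGroup resource group to provision (lower-cased before use)
 * @param auditRef      audit reference passed to the provider and to the local role updates
 * @param detail        request body; only lower-cased and logged here
 * @return always {@code null}; the declared type matches the generated handler interface
 * Errors: 400 when the server is read-only, the provider service is missing or has
 *         no endpoint, or the provider returns no resource group / no roles; a failure
 *         raised by the provider is relayed with the provider's own status and message.
 */
public TenancyResourceGroup putTenancyResourceGroup(ResourceContext ctx, String tenantDomain, String provider, String resourceGroup, String auditRef, TenancyResourceGroup detail) {
    final String caller = "puttenancyresourcegroup";
    metric.increment(ZMSConsts.HTTP_PUT);
    logPrincipal(ctx);
    if (readOnlyMode) {
        throw ZMSUtils.requestError("Server in Maintenance Read-Only mode. Please try your request later", caller);
    }
    validateRequest(ctx.request(), caller);
    validate(tenantDomain, TYPE_DOMAIN_NAME, caller);
    // the fully qualified service name to provision on
    validate(provider, TYPE_SERVICE_NAME, caller);
    validate(resourceGroup, TYPE_COMPOUND_NAME, caller);
    // for consistent handling of all requests, we're going to convert
    // all incoming object values into lower case (e.g. domain, role,
    // policy, service, etc name)
    tenantDomain = tenantDomain.toLowerCase();
    provider = provider.toLowerCase();
    resourceGroup = resourceGroup.toLowerCase();
    AthenzObject.TENANCY_RESOURCE_GROUP.convertToLowerCase(detail);
    metric.increment(ZMSConsts.HTTP_REQUEST, tenantDomain);
    metric.increment(caller, tenantDomain);
    Object timerMetric = metric.startTiming("puttenancyresourcegroup_timing", tenantDomain);
    // verify that request is properly authenticated for this request
    verifyAuthorizedServiceOperation(((RsrcCtxWrapper) ctx).principal().getAuthorizedService(), caller);
    if (LOG.isDebugEnabled()) {
        LOG.debug("putTenancyResourceGroup: tenant domain(" + tenantDomain + ") resourceGroup(" + resourceGroup + ")");
    }
    // provider service domain
    String provSvcDomain = providerServiceDomain(provider);
    // provider service name
    String provSvcName = providerServiceName(provider);
    ServiceIdentity ent = dbService.getServiceIdentity(provSvcDomain, provSvcName);
    if (ent == null) {
        throw ZMSUtils.requestError("Unable to retrieve service=" + provider, caller);
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("serviceIdentity: provider=" + ent);
    }
    // NOTE(review): the endpoint is whatever the provider domain registered on
    // its service identity; nothing here checks its scheme or host -- confirm
    // that is validated where the endpoint is stored.
    String url = ent.getProviderEndpoint();
    if (url == null || url.isEmpty()) {
        throw ZMSUtils.requestError("Cannot put tenancy resource group on provider service=" + provider + " -- not a provider service", caller);
    }
    Principal tenantAdmin = ((RsrcCtxWrapper) ctx).principal();
    // the provider request carries only path-derived values, never the detail body
    TenantResourceGroup tenantResourceGroup = new TenantResourceGroup();
    tenantResourceGroup.setService(provSvcName).setName(tenantDomain).setResourceGroup(resourceGroup);
    TenantResourceGroup tenantWithRoles = null;
    try {
        // with the default client the caller's credential is attached to the
        // request sent to the provider endpoint (see getProviderClient)
        ProviderClient prov = getProviderClient(url, tenantAdmin);
        tenantWithRoles = prov.putTenantResourceGroup(provSvcName, tenantDomain, resourceGroup, auditRef, tenantResourceGroup);
    } catch (com.yahoo.athenz.provider.ResourceException ex) {
        // the provider's status code and message are relayed verbatim to the caller
        throw ZMSUtils.error(ex.getCode(), ex.getMessage(), caller);
    }
    if (LOG.isInfoEnabled()) {
        LOG.info("---- result of provider.putTenantResourceGroup: " + tenantWithRoles);
    }
    // a provider that answers with no body previously hit a NullPointerException
    // on getRoles() (a 500 to the caller); getTenancy already guards its provider
    // result the same way, so treat a missing body like an empty role list
    List<String> providerRoles = (tenantWithRoles == null) ? null : tenantWithRoles.getRoles();
    if (providerRoles == null || providerRoles.isEmpty()) {
        throw ZMSUtils.requestError("Provider Controller did not return any roles to provision", caller);
    }
    // we're going to create a separate role for each one of tenant roles returned
    // based on its action and set the caller as a member in each role
    // NOTE(review): these role names are chosen by the provider; presumably
    // executePutProviderRoles validates them before creating anything -- confirm.
    dbService.executePutProviderRoles(ctx, tenantDomain, provSvcDomain, provSvcName, resourceGroup, providerRoles, auditRef, caller);
    if (LOG.isInfoEnabled()) {
        LOG.info("---- END put Tenant Resource Group -> " + detail);
    }
    // the timer is only stopped on the success path
    metric.stopTiming(timerMetric);
    return null;
}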

Example 4 with ProviderClient

use of com.yahoo.athenz.provider.ProviderClient in project athenz by yahoo.

the class ZMSImpl method deleteTenancyResourceGroup.

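/**
 * Removes {@code resourceGroup} of {@code tenantDomain} from the provider service
 * {@code provider} and cleans up the matching local roles and policies.
 *
 * The provider is contacted first over its registered endpoint. A failure on that
 * side (missing service, no endpoint, call error) does NOT abort the request: the
 * local cleanup via executeDeleteTenancy always runs, and the failure is reported
 * afterwards as a 400 so the administrator can finish the provider side by hand.
 *
 * @param ctx           request context; its principal must belong to a service that
 *                      is authorized for this operation
 * @param tenantDomain  tenant domain name (lower-cased before use)
 * @param provider      fully qualified provider service name (lower-cased before use)
 * @param resourceGroup resource group to remove (lower-cased before use)
 * @param auditRef      audit reference passed to the provider and to the local cleanup
 * @return always {@code null}; the declared type matches the generated handler interface
 * Errors: 400 when the server is read-only, or -- after the local cleanup has already
 *         completed -- when the provider could not be contacted or rejected the delete.
 */
public TenancyResourceGroup deleteTenancyResourceGroup(ResourceContext ctx, String tenantDomain, String provider, String resourceGroup, String auditRef) {
    final String caller = "deletetenancyresourcegroup";
    metric.increment(ZMSConsts.HTTP_DELETE);
    logPrincipal(ctx);
    if (readOnlyMode) {
        throw ZMSUtils.requestError("Server in Maintenance Read-Only mode. Please try your request later", caller);
    }
    validateRequest(ctx.request(), caller);
    validate(tenantDomain, TYPE_DOMAIN_NAME, caller);
    // fully qualified provider's service name
    validate(provider, TYPE_SERVICE_NAME, caller);
    validate(resourceGroup, TYPE_COMPOUND_NAME, caller);
    // for consistent handling of all requests, we're going to convert
    // all incoming object values into lower case (e.g. domain, role,
    // policy, service, etc name)
    tenantDomain = tenantDomain.toLowerCase();
    provider = provider.toLowerCase();
    resourceGroup = resourceGroup.toLowerCase();
    metric.increment(ZMSConsts.HTTP_REQUEST, tenantDomain);
    metric.increment(caller, tenantDomain);
    Object timerMetric = metric.startTiming("deletetenancyresourcegroup_timing", tenantDomain);
    // verify that request is properly authenticated for this request
    verifyAuthorizedServiceOperation(((RsrcCtxWrapper) ctx).principal().getAuthorizedService(), caller);
    // for delete tenant resource group operation we're going to go through
    // the steps of lookup up provider's service object and make sure it has
    // an endpoint configured and we can talk to it and request the tenant
    // resource group to be deleted. if any of these operations fail, we're not
    // going to reject the request but rather continue on and do the local cleanup.
    // However, at the end we're going to return an exception with an error message
    // stating exactly what failed so the administrator can go ahead and contact
    // the provider manually, if necessary, to complete the delete tenancy
    // resource group process
    String errorMessage = null;
    // before local clean-up, we're going to contact the provider at their
    // configured endpoint and request the tenant resource group to be deleted.
    String provSvcDomain = providerServiceDomain(provider);
    String provSvcName = providerServiceName(provider);
    ServiceIdentity provSvcId = dbService.getServiceIdentity(provSvcDomain, provSvcName);
    if (provSvcId == null) {
        errorMessage = "service does not exist";
    } else {
        if (LOG.isDebugEnabled()) {
            LOG.debug("provider serviceIdentity(" + provSvcId + ")");
        }
        String url = provSvcId.getProviderEndpoint();
        // an empty endpoint is as unusable as a missing one and is reported the same
        // way; getTenancy, putTenancyResourceGroup and deleteTenancy already check
        // both, whereas this method previously let "" fall through to the client
        if (url == null || url.isEmpty()) {
            errorMessage = "service does not have endpoint configured";
        } else {
            if (LOG.isInfoEnabled()) {
                LOG.info("Tenant will contact provider at endpoint: " + url);
            }
            try {
                // with the default client the caller's credential is attached to
                // the request sent to the provider endpoint (see getProviderClient)
                Principal tenantAdmin = ((RsrcCtxWrapper) ctx).principal();
                ProviderClient prov = getProviderClient(url, tenantAdmin);
                prov.deleteTenantResourceGroup(provSvcName, tenantDomain, resourceGroup, auditRef);
            } catch (Exception exc) {
                // keep the stack trace in the server log; previously only the
                // message survived, which made provider failures hard to diagnose
                LOG.error("deleteTenancyResourceGroup: provider {} failed to delete resource group {} for tenant {}", provider, resourceGroup, tenantDomain, exc);
                // NOTE(review): exc.getMessage() is returned to the ZMS caller in the
                // 400 below; it may carry the endpoint URL or connection details
                errorMessage = "failed to delete tenant resource group. Error: " + exc.getMessage();
            }
        }
    }
    // now clean-up local domain roles and policies for this tenant
    dbService.executeDeleteTenancy(ctx, tenantDomain, provSvcDomain, provSvcName, resourceGroup, auditRef, caller);
    metric.stopTiming(timerMetric);
    if (errorMessage != null) {
        final String tenantCleanupMsg = "Tenant cleanup in(" + tenantDomain + "): ";
        throw ZMSUtils.requestError(tenantCleanupMsg + "completed successfully. However, there " + "was an error when contacting the Provider Service: " + provider + ":" + errorMessage + ". Please contact the Provider administrator directly " + "to complete this delete tenancy resource group request", caller);
    }
    return null;
}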

Example 5 with ProviderClient

use of com.yahoo.athenz.provider.ProviderClient in project athenz by yahoo.

the class ZMSImpl method deleteTenancy.

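/**
 * Removes the tenancy of {@code tenantDomain} on the provider service
 * {@code provider} and cleans up the matching local roles and policies.
 *
 * Two paths exist. If the calling authorized service is itself the provider for
 * this tenant (isAuthorizedProviderService), the provider-side tenant roles are
 * deleted directly and no endpoint is contacted. Otherwise the provider is asked
 * over its registered endpoint to drop the tenant; this has to happen before the
 * local cleanup because the provider's own authorization checks that the domain is
 * still a tenant. A failure on the provider side does NOT abort the request: the
 * local cleanup via executeDeleteTenancy always runs, and the failure is reported
 * afterwards as a 400 so the administrator can finish the provider side by hand.
 *
 * @param ctx          request context; its principal must belong to a service that
 *                     is authorized for this operation
 * @param tenantDomain tenant domain name (lower-cased before use)
 * @param provider     fully qualified provider service name (lower-cased before use)
 * @param auditRef     audit reference passed to the provider and to the local cleanup
 * @return always {@code null}; the declared type matches the generated handler interface
 * Errors: 400 when the server is read-only, or -- after the local cleanup has already
 *         completed -- when the provider could not be contacted or rejected the delete.
 */
public Tenancy deleteTenancy(ResourceContext ctx, String tenantDomain, String provider, String auditRef) {
    final String caller = "deletetenancy";
    metric.increment(ZMSConsts.HTTP_DELETE);
    logPrincipal(ctx);
    if (readOnlyMode) {
        throw ZMSUtils.requestError("Server in Maintenance Read-Only mode. Please try your request later", caller);
    }
    validateRequest(ctx.request(), caller);
    validate(tenantDomain, TYPE_DOMAIN_NAME, caller);
    // fully qualified provider's service name
    validate(provider, TYPE_SERVICE_NAME, caller);
    // for consistent handling of all requests, we're going to convert
    // all incoming object values into lower case (e.g. domain, role,
    // policy, service, etc name)
    tenantDomain = tenantDomain.toLowerCase();
    provider = provider.toLowerCase();
    metric.increment(ZMSConsts.HTTP_REQUEST, tenantDomain);
    metric.increment(caller, tenantDomain);
    Object timerMetric = metric.startTiming("deletetenancy_timing", tenantDomain);
    // verify that request is properly authenticated for this request
    String authorizedService = ((RsrcCtxWrapper) ctx).principal().getAuthorizedService();
    verifyAuthorizedServiceOperation(authorizedService, caller);
    // for delete tenant operation we're going to go through the steps of
    // lookup up provider's service object and make sure it has an endpoint
    // configured and we can talk to it and request the tenant to be deleted
    // if any of these operations fail, we're not going to reject the request
    // but rather continue on and do the local cleanup. However, at the end
    // we're going to return an exception with an error message stating exactly
    // what failed so the administrator can go ahead and contact the provider
    // manually, if necessary, to complete the delete tenancy process
    String errorMessage = null;
    // before local clean-up, we're going to contact the provider at their
    // configured endpoint and request the tenant to be deleted. We need
    // to do this before the local cleanup in ZMS because provider rdl
    // has an authorize statement to validate that the specified domain
    // is a valid tenant for the given provider.
    String provSvcDomain = providerServiceDomain(provider);
    String provSvcName = providerServiceName(provider);
    // we are going to allow the authorize service token owner to call
    // delete tenancy on its own service without configuring a controller
    // end point
    // NOTE(review): this path trusts isAuthorizedProviderService to bind the
    // authorized service to (provSvcDomain, provSvcName) for this tenant;
    // that check is not visible here -- confirm it compares the full service name.
    boolean authzServiceTokenOperation = isAuthorizedProviderService(authorizedService, provSvcDomain, provSvcName, tenantDomain, auditRef);
    if (authzServiceTokenOperation) {
        dbService.executeDeleteTenantRoles(ctx, provSvcDomain, provSvcName, tenantDomain, null, auditRef, caller);
    } else {
        ServiceIdentity provSvcId = dbService.getServiceIdentity(provSvcDomain, provSvcName);
        if (provSvcId == null) {
            errorMessage = "service does not exist";
        } else {
            if (LOG.isDebugEnabled()) {
                LOG.debug("provider serviceIdentity(" + provSvcId + ")");
            }
            String url = provSvcId.getProviderEndpoint();
            if (url == null || url.isEmpty()) {
                errorMessage = "service does not have endpoint configured";
            } else {
                if (LOG.isInfoEnabled()) {
                    LOG.info("Tenant will contact provider at endpoint: " + url);
                }
                try {
                    // with the default client the caller's credential is attached to
                    // the request sent to the provider endpoint (see getProviderClient)
                    Principal tenantAdmin = ((RsrcCtxWrapper) ctx).principal();
                    ProviderClient prov = getProviderClient(url, tenantAdmin);
                    prov.deleteTenant(provSvcName, tenantDomain, auditRef);
                } catch (Exception exc) {
                    // keep the stack trace in the server log; previously only the
                    // message survived, which made provider failures hard to diagnose
                    LOG.error("deleteTenancy: provider {} failed to delete tenant {}", provider, tenantDomain, exc);
                    // NOTE(review): exc.getMessage() is returned to the ZMS caller in
                    // the 400 below; it may carry the endpoint URL or connection details
                    errorMessage = "failed to delete tenant. Error: " + exc.getMessage();
                }
            }
        }
    }
    // now clean-up local domain roles and policies for this tenant
    dbService.executeDeleteTenancy(ctx, tenantDomain, provSvcDomain, provSvcName, null, auditRef, caller);
    metric.stopTiming(timerMetric);
    if (errorMessage != null) {
        final String tenantCleanupMsg = "deleteTenancy: Tenant cleanup in(" + tenantDomain + "): ";
        throw ZMSUtils.requestError(tenantCleanupMsg + "completed successfully. However, there " + "was an error when contacting the Provider Service: " + provider + ":" + errorMessage + ". Please contact the Provider administrator directly " + "to complete this delete tenancy request", caller);
    }
    return null;
}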
