
Example 16 with Assertion

Use of com.yahoo.athenz.zms.Assertion in the project athenz by yahoo.

From the class ZTSImplTest, method signedBootstrapTenantDomain.

/**
 * Builds a signed {@link SignedDomain} fixture for a bootstrap tenant domain.
 *
 * <p>The domain carries one {@code providers} role whose only member is
 * {@code provider}, and one {@code providers} policy with a single assertion
 * granting that role the {@code launch} action on
 * {@code <domainName>:service.<serviceName>}. The policy set and the domain
 * data are each signed with the test {@code privateKey} under key id
 * {@code "0"}; both signatures are computed over
 * {@link SignUtils#asCanonicalString}, so the objects are fully populated
 * before they are signed.
 *
 * @param provider    member name placed in the providers role
 * @param domainName  name of the tenant domain being bootstrapped
 * @param serviceName service named in the launch assertion's resource
 * @param awsAccount  AWS account id stored on the domain data
 * @return the signed domain fixture
 */
private SignedDomain signedBootstrapTenantDomain(String provider, String domainName, String serviceName, String awsAccount) {
    // The same role name is used both for the role itself and as the
    // assertion's role reference.
    String providersRoleName = generateRoleName(domainName, "providers");

    // Role: <domain>:role.providers with the provider as its only member.
    List<RoleMember> providerMembers = new ArrayList<>();
    providerMembers.add(new RoleMember().setMemberName(provider));
    Role providersRole = new Role()
            .setName(providersRoleName)
            .setRoleMembers(providerMembers);
    List<Role> roles = new ArrayList<>();
    roles.add(providersRole);

    // Policy: one assertion letting the providers role launch the service.
    com.yahoo.athenz.zms.Assertion launchAssertion = new com.yahoo.athenz.zms.Assertion()
            .setResource(domainName + ":service." + serviceName)
            .setAction("launch")
            .setRole(providersRoleName);
    List<com.yahoo.athenz.zms.Assertion> assertions = new ArrayList<>();
    assertions.add(launchAssertion);
    com.yahoo.athenz.zms.Policy providersPolicy = new com.yahoo.athenz.zms.Policy()
            .setAssertions(assertions)
            .setName(generatePolicyName(domainName, "providers"));
    List<com.yahoo.athenz.zms.Policy> policies = new ArrayList<>();
    policies.add(providersPolicy);

    com.yahoo.athenz.zms.DomainPolicies domainPolicies = new com.yahoo.athenz.zms.DomainPolicies()
            .setDomain(domainName)
            .setPolicies(policies);

    // Sign the policy set first; the signed policies are embedded in the
    // domain data and therefore covered by the outer signature as well.
    com.yahoo.athenz.zms.SignedPolicies signedPolicies = new com.yahoo.athenz.zms.SignedPolicies()
            .setContents(domainPolicies)
            .setSignature(Crypto.sign(SignUtils.asCanonicalString(domainPolicies), privateKey))
            .setKeyId("0");

    DomainData domainData = new DomainData()
            .setName(domainName)
            .setRoles(roles)
            .setAccount(awsAccount)
            .setPolicies(signedPolicies)
            .setModified(Timestamp.fromCurrentTime());

    // Outer signature over the complete domain data.
    return new SignedDomain()
            .setDomain(domainData)
            .setSignature(Crypto.sign(SignUtils.asCanonicalString(domainData), privateKey))
            .setKeyId("0");
}

Example 17 with Assertion

Use of com.yahoo.athenz.zms.Assertion in the project athenz by yahoo.

From the class ZTSImplTest, method testEvaluateAccessAssertionDeny.

/**
 * An explicit {@code DENY} assertion must be honoured: user1 is a member of
 * {@code coretech:role.role1}, and the only policy denies that role
 * {@code read} on {@code coretech:*}, so evaluating a read on
 * {@code coretech:resource1} yields {@code DENIED}.
 */
@Test
public void testEvaluateAccessAssertionDeny() {
    // Domain "coretech" wrapped in a DataCache, as the authorizer expects.
    DataCache domain = new DataCache();
    DomainData domainData = new DomainData().setName("coretech");
    domain.setDomainData(domainData);

    // One role, role1, whose sole member is user1.
    List<Role> roles = new ArrayList<>();
    roles.add(createRoleObject("coretech", "role1", null, "user_domain.user1", null));
    domainData.setRoles(roles);

    // policy1: DENY read on every coretech resource for role1.
    Assertion denyRead = new Assertion()
            .setAction("read")
            .setEffect(AssertionEffect.DENY)
            .setResource("coretech:*")
            .setRole("coretech:role.role1");
    List<Assertion> assertions = new ArrayList<>();
    assertions.add(denyRead);
    Policy policy = new Policy()
            .setName("coretech:policy.policy1")
            .setAssertions(assertions);

    List<Policy> policies = new ArrayList<>();
    policies.add(policy);
    com.yahoo.athenz.zms.DomainPolicies contents = new com.yahoo.athenz.zms.DomainPolicies()
            .setPolicies(policies);
    domainData.setPolicies(new com.yahoo.athenz.zms.SignedPolicies().setContents(contents));

    assertEquals(authorizer.evaluateAccess(domain, "user_domain.user1", "read", "coretech:resource1", null), AccessStatus.DENIED);
}

Example 18 with Assertion

Use of com.yahoo.athenz.zms.Assertion in the project athenz by yahoo.

From the class DataCacheTest, method testPolicyWithInvalidDomainNoRoles.

/**
 * Processing a policy against a domain with no roles must not produce any
 * member-role entries: the {@code assume_role} assertion points at
 * {@code testDomain.role.role1}, which is absent from the empty role map,
 * so no member-role set exists for user1 afterwards.
 */
@Test
public void testPolicyWithInvalidDomainNoRoles() {
    Domain domain = new Domain().setName("testDomain");

    // policy1 with a single ALLOW assume_role assertion on role1.
    Assertion assumeRole = new Assertion()
            .setAction("assume_role")
            .setEffect(AssertionEffect.ALLOW)
            .setResource("testDomain.role")
            .setRole("testDomain.role.role1");
    List<Assertion> assertions = new ArrayList<>();
    assertions.add(assumeRole);
    Policy policy = new Policy()
            .setName("testDomain.policy.policy1")
            .setAssertions(assertions);

    // The domain is processed with no roles known at all.
    HashMap<String, Role> knownRoles = new HashMap<>();
    DataCache cache = new DataCache();
    cache.processPolicy(domain.getName(), policy, knownRoles);

    Set<MemberRole> memberRoles = cache.getMemberRoleSet("user_domain.user1");
    assertNull(memberRoles);
}

Example 19 with Assertion

Use of com.yahoo.athenz.zms.Assertion in the project athenz by yahoo.

From the class ZTSImplTest, method testMatchDelegatedTrustAssertionNoMemberMatch.

/**
 * A delegated-trust assertion must not match a principal who is not a member
 * of the role the assertion names: user1 is only in {@code weather:role.Role1},
 * while the assertion's role {@code weather:role.Role} contains just user2,
 * so the match is rejected.
 */
@Test
public void testMatchDelegatedTrustAssertionNoMemberMatch() {
    Assertion assumeRole = new Assertion()
            .setAction("ASSUME_ROLE")
            .setEffect(AssertionEffect.ALLOW)
            .setResource("*:role.Role")
            .setRole("weather:role.Role");

    // Two roles: user1 is in Role1, user2 is in Role (the one the assertion names).
    List<Role> roles = new ArrayList<>();
    roles.add(createRoleObject("weather", "Role1", null, "user_domain.user1", null));
    roles.add(createRoleObject("weather", "Role", null, "user_domain.user2", null));

    assertFalse(authorizer.matchDelegatedTrustAssertion(assumeRole, "weather:role.Role", "user_domain.user1", roles));
}

Example 20 with Assertion

Use of com.yahoo.athenz.zms.Assertion in the project athenz by yahoo.

From the class SignUtils, method asStruct.

/**
 * Converts a {@link Policy} into the {@link Struct} form from which its
 * canonical string is produced for signing and verification.
 *
 * <p>Attributes are appended in canonical order by attribute name:
 * {@code assertions} (each assertion as action, effect, resource, role),
 * then {@code modified}, then {@code name}. Because this order is what gets
 * signed, it must stay fixed; changing it would invalidate existing
 * signatures. A {@code null} or empty assertion list contributes no
 * {@code assertions} attribute at all.
 *
 * @param policy the policy to convert
 * @return the struct holding the policy's signable attributes
 */
private static Struct asStruct(Policy policy) {
    Struct policyStruct = new Struct();

    List<Assertion> assertions = policy.getAssertions();
    boolean hasAssertions = assertions != null && !assertions.isEmpty();
    if (hasAssertions) {
        Array assertionArray = new Array();
        for (Assertion entry : assertions) {
            // Per-assertion attributes, also in canonical (name) order.
            Struct entryStruct = new Struct();
            appendObject(entryStruct, ATTR_ACTION, entry.getAction());
            appendObject(entryStruct, ATTR_EFFECT, entry.getEffect());
            appendObject(entryStruct, ATTR_RESOURCE, entry.getResource());
            appendObject(entryStruct, ATTR_ROLE, entry.getRole());
            assertionArray.add(entryStruct);
        }
        appendArray(policyStruct, ATTR_ASSERTIONS, assertionArray);
    }

    appendObject(policyStruct, ATTR_MODIFIED, policy.getModified());
    appendObject(policyStruct, ATTR_NAME, policy.getName());
    return policyStruct;
}
