
Example 26 with Assertion

use of com.yahoo.athenz.zms.Assertion in project athenz by yahoo.

the class DataCacheTest method testPolicyNoRoleProcessed.

@Test
public void testPolicyNoRoleProcessed() {
    // One role with a single member, referenced by an assume_role assertion
    // whose resource ("testDomain.roleA") is not itself in the role map.
    Domain domain = new Domain().setName("testDomain");

    List<RoleMember> role1Members = new ArrayList<>();
    role1Members.add(new RoleMember().setMemberName("user_domain.user1"));
    Role role1 = new Role()
            .setName("testDomain.role.role1")
            .setRoleMembers(role1Members);

    Assertion assumeRole = new Assertion()
            .setAction("assume_role")
            .setEffect(AssertionEffect.ALLOW)
            .setResource("testDomain.roleA")
            .setRole("testDomain.role.role1");
    List<Assertion> policyAssertions = new ArrayList<Assertion>();
    policyAssertions.add(assumeRole);
    Policy policy = new Policy()
            .setName("testDomain.policy.policy1")
            .setAssertions(policyAssertions);

    HashMap<String, Role> rolesByName = new HashMap<>();
    rolesByName.put(role1.getName(), role1);

    DataCache cache = new DataCache();
    cache.processPolicy(domain.getName(), policy, rolesByName);

    // user1 is a member of role1, so it ends up with exactly one member-role
    // entry, the assertion's resource role
    Set<MemberRole> user1Roles = cache.getMemberRoleSet("user_domain.user1");
    assertNotNull(user1Roles);
    assertTrue(user1Roles.contains(new MemberRole("testDomain.roleA", 0)));
    assertEquals(user1Roles.size(), 1);

    // a principal that is not a member of any role has no entry at all
    Set<MemberRole> user2Roles = cache.getMemberRoleSet("user_domain.user2");
    assertNull(user2Roles);
}

Example 27 with Assertion

use of com.yahoo.athenz.zms.Assertion in project athenz by yahoo.

the class JDBCConnection method listResourceAccess.

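/**
 * Builds the resource access list for the given principal, or for every
 * principal when {@code principal} is null or empty, limited to assertions
 * for the given action. Role memberships are expanded through the trusted
 * role map, and an {@code assume_aws_role} query is treated specially:
 * only domains with an AWS account configured are considered and the
 * assertion resources are rewritten as AWS role resources.
 *
 * @param principal  principal to query; null or empty means all principals
 * @param action     action the assertions must match (may be null)
 * @param userDomain user domain, used by {@code skipAwsUserQuery} to decide
 *                   which principals are users
 * @return the access list, never null; its resource list is empty when
 *         nothing matches. For a single-principal query with a known
 *         principal the list always contains that principal, possibly with
 *         no assertions.
 *
 * A single-principal query for a principal that does not exist throws the
 * error built by {@code notFoundError}; this is what distinguishes an
 * unknown principal from a known principal with no role membership.
 */
@Override
public ResourceAccessList listResourceAccess(String principal, String action, String userDomain) {
    final String caller = "listResourceAccess";
    ResourceAccessList rsrcAccessList = new ResourceAccessList();
    List<ResourceAccess> resources = new ArrayList<>();
    rsrcAccessList.setResources(resources);

    // an assume_aws_role query asks for role access in AWS and is handled
    // specially below (aws domains only; user principals only when no
    // principal is given)
    final boolean awsQuery = ZMSConsts.ACTION_ASSUME_AWS_ROLE.equals(action);
    final boolean singlePrincipalQuery = (principal != null && !principal.isEmpty());

    // principals per role for the requested principal(s). With no matches
    // there is nothing to expand, but a single principal must still be
    // reported: as not found if it does not exist, otherwise with no
    // assertions.
    Map<String, List<String>> rolePrincipals = getRolePrincipals(principal, awsQuery, userDomain, caller);
    if (rolePrincipals.isEmpty()) {
        if (singlePrincipalQuery) {
            if (getPrincipalId(principal) == 0) {
                throw notFoundError(caller, ZMSConsts.OBJECT_PRINCIPAL, principal);
            }
            resources.add(getResourceAccessObject(principal, null));
        }
        return rsrcAccessList;
    }

    // assertions per role for the requested action; again nothing to
    // expand without matches
    Map<String, List<Assertion>> roleAssertions = getRoleAssertions(action, caller);
    if (roleAssertions.isEmpty()) {
        if (singlePrincipalQuery) {
            resources.add(getResourceAccessObject(principal, null));
        }
        return rsrcAccessList;
    }

    // role -> roles that trust it; a principal in a role also receives the
    // assertions of every role mapped to it here
    Map<String, List<String>> trustedRoles = getTrustedRoles(caller);

    // for aws queries only domains with an aws account are relevant; the
    // helpers below take a null map to mean "not an aws query"
    Map<String, String> awsDomains = awsQuery ? getAwsDomains(caller) : null;

    // combine: for every principal of every role, collect the role's own
    // assertions plus those of any trusted roles mapped to it
    Map<String, List<Assertion>> principalAssertions = new HashMap<>();
    for (Map.Entry<String, List<String>> entry : rolePrincipals.entrySet()) {
        final String roleIndex = entry.getKey();
        if (LOG.isDebugEnabled()) {
            LOG.debug(caller + ": processing role: " + roleIndex);
        }
        // both lookups depend only on the role, so do them once per role
        // rather than once per principal
        final List<Assertion> roleAssertionList = roleAssertions.get(roleIndex);
        final List<String> mappedTrustedRoles = trustedRoles.get(roleIndex);

        for (String rPrincipal : entry.getValue()) {
            if (LOG.isDebugEnabled()) {
                LOG.debug(caller + ": processing role principal: " + rPrincipal);
            }
            // aws queries without a principal only report user principals
            if (skipAwsUserQuery(awsDomains, principal, rPrincipal, userDomain)) {
                if (LOG.isDebugEnabled()) {
                    LOG.debug(caller + ": skipping non-user: " + rPrincipal);
                }
                continue;
            }
            List<Assertion> assertions = principalAssertions.get(rPrincipal);
            if (assertions == null) {
                assertions = new ArrayList<>();
                principalAssertions.put(rPrincipal, assertions);
            }
            addRoleAssertions(assertions, roleAssertionList, awsDomains);

            // a role may be trusted by several roles, and the principal
            // inherits the assertions of each of them
            if (mappedTrustedRoles != null) {
                for (String mappedTrustedRole : mappedTrustedRoles) {
                    if (LOG.isDebugEnabled()) {
                        LOG.debug(caller + ": processing trusted role: " + mappedTrustedRole);
                    }
                    addRoleAssertions(assertions, roleAssertions.get(mappedTrustedRole), awsDomains);
                }
            }
        }
    }

    // an all-principals query omits principals that ended up with no
    // assertions; a single-principal query always reports the principal.
    // Every value in principalAssertions was created above, so it is
    // never null.
    for (Map.Entry<String, List<Assertion>> entry : principalAssertions.entrySet()) {
        List<Assertion> assertions = entry.getValue();
        if (!singlePrincipalQuery && assertions.isEmpty()) {
            continue;
        }
        resources.add(getResourceAccessObject(entry.getKey(), assertions));
    }
    return rsrcAccessList;
}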

Example 28 with Assertion

use of com.yahoo.athenz.zms.Assertion in project athenz by yahoo.

the class ZTSImplTest method testMatchDelegatedTrustAssertionNoRoleMatchWithPattern.

@Test
public void testMatchDelegatedTrustAssertionNoRoleMatchWithPattern() {
    // trust assertion whose role pattern is scoped to the weather domain
    Assertion trustAssertion = new Assertion()
            .setAction("ASSUME_ROLE")
            .setEffect(AssertionEffect.ALLOW)
            .setResource("*:role.Role")
            .setRole("weather:role.*");

    // every candidate role is created under "coretech", so none of them
    // can match the weather:role.* pattern
    List<Role> candidateRoles = new ArrayList<>();
    for (String roleName : new String[] { "readers", "writers", "updaters" }) {
        candidateRoles.add(createRoleObject("coretech", roleName, null));
    }

    assertFalse(authorizer.matchDelegatedTrustAssertion(trustAssertion, "coretech:role.Role", null, candidateRoles));
}

Example 29 with Assertion

use of com.yahoo.athenz.zms.Assertion in project athenz by yahoo.

the class ZTSImplTest method testMatchDelegatedTrustAssertionInvalidAction.

@Test
public void testMatchDelegatedTrustAssertionInvalidAction() {
    // an assertion whose action is READ, not ASSUME_ROLE, must never be
    // treated as a delegated trust assertion, whatever the other fields say
    Assertion readAssertion = new Assertion()
            .setAction("READ")
            .setEffect(AssertionEffect.ALLOW)
            .setResource("domain:*")
            .setRole("domain:role.Role");

    assertFalse(authorizer.matchDelegatedTrustAssertion(readAssertion, null, null, null));
}

Example 30 with Assertion

use of com.yahoo.athenz.zms.Assertion in project athenz by yahoo.

the class ZTSImplTest method testMatchDelegatedTrustAssertionNoResPatternMatchWithOutPattern.

@Test
public void testMatchDelegatedTrustAssertionNoResPatternMatchWithOutPattern() {
    // a literal (wildcard-free) resource only matches the exact same
    // resource string
    Assertion trustAssertion = new Assertion()
            .setAction("ASSUME_ROLE")
            .setEffect(AssertionEffect.ALLOW)
            .setResource("domain:role.Role")
            .setRole("domain:role.Role");

    // differs in the role name
    assertFalse(authorizer.matchDelegatedTrustAssertion(trustAssertion, "domain:role.Role2", null, null));
    // differs in the domain
    assertFalse(authorizer.matchDelegatedTrustAssertion(trustAssertion, "coretech:role.Role", null, null));
}
