use of com.yahoo.athenz.zms.Assertion in project athenz by yahoo.
the class ZTSImplTest method createTenantSignedDomainWildCard.
private SignedDomain createTenantSignedDomainWildCard(String domainName, String providerDomain) {
SignedDomain signedDomain = new SignedDomain();
List<Role> roles = new ArrayList<>();
Role role = new Role();
role.setName(generateRoleName(domainName, "superusers"));
List<RoleMember> members = new ArrayList<>();
members.add(new RoleMember().setMemberName("user_domain.siteops_user_1"));
role.setRoleMembers(members);
roles.add(role);
role = new Role();
role.setName(generateRoleName(domainName, "users"));
roles.add(role);
List<com.yahoo.athenz.zms.Policy> policies = new ArrayList<>();
com.yahoo.athenz.zms.Policy policy = new com.yahoo.athenz.zms.Policy();
com.yahoo.athenz.zms.Assertion assertion = new com.yahoo.athenz.zms.Assertion();
assertion.setResource("*:role.netops_superusers");
assertion.setAction("assume_role");
assertion.setRole(generateRoleName(domainName, "superusers"));
List<com.yahoo.athenz.zms.Assertion> assertions = new ArrayList<>();
assertions.add(assertion);
policy.setAssertions(assertions);
policy.setName(generatePolicyName(domainName, "netops_superusers"));
policies.add(policy);
policy = new com.yahoo.athenz.zms.Policy();
assertion = new com.yahoo.athenz.zms.Assertion();
assertion.setResource(domainName + "netops:node.*");
assertion.setAction("node_user");
assertion.setRole(generateRoleName(domainName, "users"));
assertions = new ArrayList<>();
assertions.add(assertion);
policy.setAssertions(assertions);
policy.setName(generatePolicyName(domainName, "users"));
policies.add(policy);
policy = new com.yahoo.athenz.zms.Policy();
assertion = new com.yahoo.athenz.zms.Assertion();
assertion.setResource(domainName + "netops:node.*");
assertion.setAction("node_sudo");
assertion.setRole(generateRoleName(domainName, "superusers"));
assertions = new ArrayList<>();
assertions.add(assertion);
policy.setAssertions(assertions);
policy.setName(generatePolicyName(domainName, "superusers"));
policies.add(policy);
com.yahoo.athenz.zms.DomainPolicies domainPolicies = new com.yahoo.athenz.zms.DomainPolicies();
domainPolicies.setDomain(domainName);
domainPolicies.setPolicies(policies);
com.yahoo.athenz.zms.SignedPolicies signedPolicies = new com.yahoo.athenz.zms.SignedPolicies();
signedPolicies.setContents(domainPolicies);
signedPolicies.setSignature(Crypto.sign(SignUtils.asCanonicalString(domainPolicies), privateKey));
signedPolicies.setKeyId("0");
DomainData domain = new DomainData();
domain.setName(domainName);
domain.setRoles(roles);
domain.setPolicies(signedPolicies);
signedDomain.setDomain(domain);
signedDomain.setSignature(Crypto.sign(SignUtils.asCanonicalString(domain), privateKey));
signedDomain.setKeyId("0");
return signedDomain;
}
use of com.yahoo.athenz.zms.Assertion in project athenz by yahoo.
the class ZTSImplTest method testMatchDelegatedTrustAssertionValidWithPattern.
@Test
public void testMatchDelegatedTrustAssertionValidWithPattern() {
Assertion assertion = new Assertion();
assertion.setAction("ASSUME_ROLE");
assertion.setEffect(AssertionEffect.ALLOW);
assertion.setResource("*:role.Role");
assertion.setRole("weather:role.*");
Role role = null;
List<Role> roles = new ArrayList<>();
role = createRoleObject("weather", "Role1", null, "user_domain.user1", null);
roles.add(role);
role = createRoleObject("weather", "Role", null, "user_domain.user2", null);
roles.add(role);
assertTrue(authorizer.matchDelegatedTrustAssertion(assertion, "weather:role.Role", "user_domain.user2", roles));
}
use of com.yahoo.athenz.zms.Assertion in project athenz by yahoo.
the class ZTSImplTest method testMatchDelegatedTrustAssertionValidWithOutPattern.
@Test
public void testMatchDelegatedTrustAssertionValidWithOutPattern() {
Assertion assertion = new Assertion();
assertion.setAction("ASSUME_ROLE");
assertion.setEffect(AssertionEffect.ALLOW);
assertion.setResource("*:role.Role");
assertion.setRole("weather:role.Role");
Role role = null;
List<Role> roles = new ArrayList<>();
role = createRoleObject("weather", "Role1", null, "user_domain.user1", null);
roles.add(role);
role = createRoleObject("weather", "Role", null, "user_domain.user2", null);
roles.add(role);
assertTrue(authorizer.matchDelegatedTrustAssertion(assertion, "weather:role.Role", "user_domain.user2", roles));
}
use of com.yahoo.athenz.zms.Assertion in project athenz by yahoo.
the class ZTSImplTest method createMultipleSignedDomains.
private SignedDomain createMultipleSignedDomains(String domainName, String tenantDomain1, String tenantDomain2, String serviceName, boolean includeServices) {
SignedDomain signedDomain = new SignedDomain();
List<Role> roles = new ArrayList<>();
Role role = new Role();
role.setName(generateRoleName(domainName, "admin"));
List<RoleMember> members = new ArrayList<>();
members.add(new RoleMember().setMemberName("user_domain.adminuser"));
role.setRoleMembers(members);
roles.add(role);
role = new Role();
role.setName(generateRoleName(domainName, serviceName + ".tenant." + tenantDomain1 + ".admin"));
role.setTrust(tenantDomain1);
roles.add(role);
role = new Role();
role.setName(generateRoleName(domainName, serviceName + ".tenant." + tenantDomain2 + ".admin"));
role.setTrust(tenantDomain2);
roles.add(role);
List<ServiceIdentity> services = new ArrayList<>();
if (includeServices) {
ServiceIdentity service = new ServiceIdentity();
service.setName(generateServiceIdentityName(domainName, serviceName));
setServicePublicKey(service, "0", ZTS_Y64_CERT0);
List<String> hosts = new ArrayList<>();
hosts.add("host1");
hosts.add("host2");
service.setHosts(hosts);
services.add(service);
}
List<com.yahoo.athenz.zms.Policy> policies = new ArrayList<>();
// tenant admin domain
com.yahoo.athenz.zms.Policy policy = new com.yahoo.athenz.zms.Policy();
com.yahoo.athenz.zms.Assertion assertion = new com.yahoo.athenz.zms.Assertion();
assertion.setResource(domainName + ":service." + serviceName + ".tenant." + tenantDomain1 + ".*");
assertion.setAction("read");
assertion.setRole(generateRoleName(domainName, serviceName + ".tenant." + tenantDomain1 + ".admin"));
List<com.yahoo.athenz.zms.Assertion> assertions = new ArrayList<>();
assertions.add(assertion);
policy.setAssertions(assertions);
policy.setName(generatePolicyName(domainName, serviceName + ".tenant." + tenantDomain1 + ".admin"));
policies.add(policy);
policy = new com.yahoo.athenz.zms.Policy();
assertion = new com.yahoo.athenz.zms.Assertion();
assertion.setResource(domainName + ":service." + serviceName + ".tenant." + tenantDomain2 + ".*");
assertion.setAction("read");
assertion.setRole(generateRoleName(domainName, serviceName + ".tenant." + tenantDomain2 + ".admin"));
assertions = new ArrayList<>();
assertions.add(assertion);
policy.setAssertions(assertions);
policy.setName(generatePolicyName(domainName, serviceName + ".tenant." + tenantDomain2 + ".admin"));
policies.add(policy);
com.yahoo.athenz.zms.DomainPolicies domainPolicies = new com.yahoo.athenz.zms.DomainPolicies();
domainPolicies.setDomain(domainName);
domainPolicies.setPolicies(policies);
com.yahoo.athenz.zms.SignedPolicies signedPolicies = new com.yahoo.athenz.zms.SignedPolicies();
signedPolicies.setContents(domainPolicies);
signedPolicies.setSignature(Crypto.sign(SignUtils.asCanonicalString(domainPolicies), privateKey));
signedPolicies.setKeyId("0");
DomainData domain = new DomainData();
domain.setName(domainName);
domain.setRoles(roles);
domain.setServices(services);
domain.setPolicies(signedPolicies);
domain.setModified(Timestamp.fromCurrentTime());
signedDomain.setDomain(domain);
signedDomain.setSignature(Crypto.sign(SignUtils.asCanonicalString(domain), privateKey));
signedDomain.setKeyId("0");
return signedDomain;
}
use of com.yahoo.athenz.zms.Assertion in project athenz by yahoo.
the class ZTSImplTest method testEvaluateAccessAssertionAllow.
@Test
public void testEvaluateAccessAssertionAllow() {
DataCache domain = new DataCache();
DomainData domainData = new DomainData();
domainData.setName("coretech");
domain.setDomainData(domainData);
domainData.setRoles(new ArrayList<Role>());
Role role = createRoleObject("coretech", "role1", null, "user_domain.user1", null);
domainData.getRoles().add(role);
Policy policy = new Policy().setName("coretech:policy.policy1");
Assertion assertion1 = new Assertion();
assertion1.setAction("read");
assertion1.setEffect(AssertionEffect.ALLOW);
assertion1.setResource("coretech:*");
assertion1.setRole("coretech:role.role1");
Assertion assertion2 = new Assertion();
assertion2.setAction("read");
assertion2.setEffect(AssertionEffect.ALLOW);
assertion2.setResource("coretech:resource1");
assertion2.setRole("coretech:role.role1");
policy.setAssertions(new ArrayList<Assertion>());
policy.getAssertions().add(assertion1);
policy.getAssertions().add(assertion2);
domainData.setPolicies(new com.yahoo.athenz.zms.SignedPolicies());
domainData.getPolicies().setContents(new com.yahoo.athenz.zms.DomainPolicies());
domainData.getPolicies().getContents().setPolicies(new ArrayList<Policy>());
domainData.getPolicies().getContents().getPolicies().add(policy);
assertEquals(authorizer.evaluateAccess(domain, "user_domain.user1", "read", "coretech:resource1", null), AccessStatus.ALLOWED);
}
Aggregations