Search in sources :

Example 31 with Assertion

use of com.yahoo.athenz.zms.Assertion in project athenz by yahoo.

the class ZTSImplTest method createTenantSignedDomainWildCard.

private SignedDomain createTenantSignedDomainWildCard(String domainName, String providerDomain) {
    SignedDomain signedDomain = new SignedDomain();
    List<Role> roles = new ArrayList<>();
    Role role = new Role();
    role.setName(generateRoleName(domainName, "superusers"));
    List<RoleMember> members = new ArrayList<>();
    members.add(new RoleMember().setMemberName("user_domain.siteops_user_1"));
    role.setRoleMembers(members);
    roles.add(role);
    role = new Role();
    role.setName(generateRoleName(domainName, "users"));
    roles.add(role);
    List<com.yahoo.athenz.zms.Policy> policies = new ArrayList<>();
    com.yahoo.athenz.zms.Policy policy = new com.yahoo.athenz.zms.Policy();
    com.yahoo.athenz.zms.Assertion assertion = new com.yahoo.athenz.zms.Assertion();
    assertion.setResource("*:role.netops_superusers");
    assertion.setAction("assume_role");
    assertion.setRole(generateRoleName(domainName, "superusers"));
    List<com.yahoo.athenz.zms.Assertion> assertions = new ArrayList<>();
    assertions.add(assertion);
    policy.setAssertions(assertions);
    policy.setName(generatePolicyName(domainName, "netops_superusers"));
    policies.add(policy);
    policy = new com.yahoo.athenz.zms.Policy();
    assertion = new com.yahoo.athenz.zms.Assertion();
    assertion.setResource(domainName + "netops:node.*");
    assertion.setAction("node_user");
    assertion.setRole(generateRoleName(domainName, "users"));
    assertions = new ArrayList<>();
    assertions.add(assertion);
    policy.setAssertions(assertions);
    policy.setName(generatePolicyName(domainName, "users"));
    policies.add(policy);
    policy = new com.yahoo.athenz.zms.Policy();
    assertion = new com.yahoo.athenz.zms.Assertion();
    assertion.setResource(domainName + "netops:node.*");
    assertion.setAction("node_sudo");
    assertion.setRole(generateRoleName(domainName, "superusers"));
    assertions = new ArrayList<>();
    assertions.add(assertion);
    policy.setAssertions(assertions);
    policy.setName(generatePolicyName(domainName, "superusers"));
    policies.add(policy);
    com.yahoo.athenz.zms.DomainPolicies domainPolicies = new com.yahoo.athenz.zms.DomainPolicies();
    domainPolicies.setDomain(domainName);
    domainPolicies.setPolicies(policies);
    com.yahoo.athenz.zms.SignedPolicies signedPolicies = new com.yahoo.athenz.zms.SignedPolicies();
    signedPolicies.setContents(domainPolicies);
    signedPolicies.setSignature(Crypto.sign(SignUtils.asCanonicalString(domainPolicies), privateKey));
    signedPolicies.setKeyId("0");
    DomainData domain = new DomainData();
    domain.setName(domainName);
    domain.setRoles(roles);
    domain.setPolicies(signedPolicies);
    signedDomain.setDomain(domain);
    signedDomain.setSignature(Crypto.sign(SignUtils.asCanonicalString(domain), privateKey));
    signedDomain.setKeyId("0");
    return signedDomain;
}
Also used : Policy(com.yahoo.athenz.zms.Policy) Policy(com.yahoo.athenz.zms.Policy) ArrayList(java.util.ArrayList) Assertion(com.yahoo.athenz.zms.Assertion) DomainData(com.yahoo.athenz.zms.DomainData) Assertion(com.yahoo.athenz.zms.Assertion) Role(com.yahoo.athenz.zms.Role) SignedDomain(com.yahoo.athenz.zms.SignedDomain) RoleMember(com.yahoo.athenz.zms.RoleMember)

Example 32 with Assertion

use of com.yahoo.athenz.zms.Assertion in project athenz by yahoo.

the class ZTSImplTest method testMatchDelegatedTrustAssertionValidWithPattern.

@Test
public void testMatchDelegatedTrustAssertionValidWithPattern() {
    Assertion assertion = new Assertion();
    assertion.setAction("ASSUME_ROLE");
    assertion.setEffect(AssertionEffect.ALLOW);
    assertion.setResource("*:role.Role");
    assertion.setRole("weather:role.*");
    Role role = null;
    List<Role> roles = new ArrayList<>();
    role = createRoleObject("weather", "Role1", null, "user_domain.user1", null);
    roles.add(role);
    role = createRoleObject("weather", "Role", null, "user_domain.user2", null);
    roles.add(role);
    assertTrue(authorizer.matchDelegatedTrustAssertion(assertion, "weather:role.Role", "user_domain.user2", roles));
}
Also used : Role(com.yahoo.athenz.zms.Role) Assertion(com.yahoo.athenz.zms.Assertion) ArrayList(java.util.ArrayList) Test(org.testng.annotations.Test)

Example 33 with Assertion

use of com.yahoo.athenz.zms.Assertion in project athenz by yahoo.

the class ZTSImplTest method testMatchDelegatedTrustAssertionValidWithOutPattern.

@Test
public void testMatchDelegatedTrustAssertionValidWithOutPattern() {
    Assertion assertion = new Assertion();
    assertion.setAction("ASSUME_ROLE");
    assertion.setEffect(AssertionEffect.ALLOW);
    assertion.setResource("*:role.Role");
    assertion.setRole("weather:role.Role");
    Role role = null;
    List<Role> roles = new ArrayList<>();
    role = createRoleObject("weather", "Role1", null, "user_domain.user1", null);
    roles.add(role);
    role = createRoleObject("weather", "Role", null, "user_domain.user2", null);
    roles.add(role);
    assertTrue(authorizer.matchDelegatedTrustAssertion(assertion, "weather:role.Role", "user_domain.user2", roles));
}
Also used : Role(com.yahoo.athenz.zms.Role) Assertion(com.yahoo.athenz.zms.Assertion) ArrayList(java.util.ArrayList) Test(org.testng.annotations.Test)

Example 34 with Assertion

use of com.yahoo.athenz.zms.Assertion in project athenz by yahoo.

the class ZTSImplTest method createMultipleSignedDomains.

private SignedDomain createMultipleSignedDomains(String domainName, String tenantDomain1, String tenantDomain2, String serviceName, boolean includeServices) {
    SignedDomain signedDomain = new SignedDomain();
    List<Role> roles = new ArrayList<>();
    Role role = new Role();
    role.setName(generateRoleName(domainName, "admin"));
    List<RoleMember> members = new ArrayList<>();
    members.add(new RoleMember().setMemberName("user_domain.adminuser"));
    role.setRoleMembers(members);
    roles.add(role);
    role = new Role();
    role.setName(generateRoleName(domainName, serviceName + ".tenant." + tenantDomain1 + ".admin"));
    role.setTrust(tenantDomain1);
    roles.add(role);
    role = new Role();
    role.setName(generateRoleName(domainName, serviceName + ".tenant." + tenantDomain2 + ".admin"));
    role.setTrust(tenantDomain2);
    roles.add(role);
    List<ServiceIdentity> services = new ArrayList<>();
    if (includeServices) {
        ServiceIdentity service = new ServiceIdentity();
        service.setName(generateServiceIdentityName(domainName, serviceName));
        setServicePublicKey(service, "0", ZTS_Y64_CERT0);
        List<String> hosts = new ArrayList<>();
        hosts.add("host1");
        hosts.add("host2");
        service.setHosts(hosts);
        services.add(service);
    }
    List<com.yahoo.athenz.zms.Policy> policies = new ArrayList<>();
    // tenant admin domain
    com.yahoo.athenz.zms.Policy policy = new com.yahoo.athenz.zms.Policy();
    com.yahoo.athenz.zms.Assertion assertion = new com.yahoo.athenz.zms.Assertion();
    assertion.setResource(domainName + ":service." + serviceName + ".tenant." + tenantDomain1 + ".*");
    assertion.setAction("read");
    assertion.setRole(generateRoleName(domainName, serviceName + ".tenant." + tenantDomain1 + ".admin"));
    List<com.yahoo.athenz.zms.Assertion> assertions = new ArrayList<>();
    assertions.add(assertion);
    policy.setAssertions(assertions);
    policy.setName(generatePolicyName(domainName, serviceName + ".tenant." + tenantDomain1 + ".admin"));
    policies.add(policy);
    policy = new com.yahoo.athenz.zms.Policy();
    assertion = new com.yahoo.athenz.zms.Assertion();
    assertion.setResource(domainName + ":service." + serviceName + ".tenant." + tenantDomain2 + ".*");
    assertion.setAction("read");
    assertion.setRole(generateRoleName(domainName, serviceName + ".tenant." + tenantDomain2 + ".admin"));
    assertions = new ArrayList<>();
    assertions.add(assertion);
    policy.setAssertions(assertions);
    policy.setName(generatePolicyName(domainName, serviceName + ".tenant." + tenantDomain2 + ".admin"));
    policies.add(policy);
    com.yahoo.athenz.zms.DomainPolicies domainPolicies = new com.yahoo.athenz.zms.DomainPolicies();
    domainPolicies.setDomain(domainName);
    domainPolicies.setPolicies(policies);
    com.yahoo.athenz.zms.SignedPolicies signedPolicies = new com.yahoo.athenz.zms.SignedPolicies();
    signedPolicies.setContents(domainPolicies);
    signedPolicies.setSignature(Crypto.sign(SignUtils.asCanonicalString(domainPolicies), privateKey));
    signedPolicies.setKeyId("0");
    DomainData domain = new DomainData();
    domain.setName(domainName);
    domain.setRoles(roles);
    domain.setServices(services);
    domain.setPolicies(signedPolicies);
    domain.setModified(Timestamp.fromCurrentTime());
    signedDomain.setDomain(domain);
    signedDomain.setSignature(Crypto.sign(SignUtils.asCanonicalString(domain), privateKey));
    signedDomain.setKeyId("0");
    return signedDomain;
}
Also used : Policy(com.yahoo.athenz.zms.Policy) ArrayList(java.util.ArrayList) DomainData(com.yahoo.athenz.zms.DomainData) Assertion(com.yahoo.athenz.zms.Assertion) SignedDomain(com.yahoo.athenz.zms.SignedDomain) Policy(com.yahoo.athenz.zms.Policy) ServiceIdentity(com.yahoo.athenz.zms.ServiceIdentity) Assertion(com.yahoo.athenz.zms.Assertion) Role(com.yahoo.athenz.zms.Role) RoleMember(com.yahoo.athenz.zms.RoleMember)

Example 35 with Assertion

use of com.yahoo.athenz.zms.Assertion in project athenz by yahoo.

the class ZTSImplTest method testEvaluateAccessAssertionAllow.

@Test
public void testEvaluateAccessAssertionAllow() {
    DataCache domain = new DataCache();
    DomainData domainData = new DomainData();
    domainData.setName("coretech");
    domain.setDomainData(domainData);
    domainData.setRoles(new ArrayList<Role>());
    Role role = createRoleObject("coretech", "role1", null, "user_domain.user1", null);
    domainData.getRoles().add(role);
    Policy policy = new Policy().setName("coretech:policy.policy1");
    Assertion assertion1 = new Assertion();
    assertion1.setAction("read");
    assertion1.setEffect(AssertionEffect.ALLOW);
    assertion1.setResource("coretech:*");
    assertion1.setRole("coretech:role.role1");
    Assertion assertion2 = new Assertion();
    assertion2.setAction("read");
    assertion2.setEffect(AssertionEffect.ALLOW);
    assertion2.setResource("coretech:resource1");
    assertion2.setRole("coretech:role.role1");
    policy.setAssertions(new ArrayList<Assertion>());
    policy.getAssertions().add(assertion1);
    policy.getAssertions().add(assertion2);
    domainData.setPolicies(new com.yahoo.athenz.zms.SignedPolicies());
    domainData.getPolicies().setContents(new com.yahoo.athenz.zms.DomainPolicies());
    domainData.getPolicies().getContents().setPolicies(new ArrayList<Policy>());
    domainData.getPolicies().getContents().getPolicies().add(policy);
    assertEquals(authorizer.evaluateAccess(domain, "user_domain.user1", "read", "coretech:resource1", null), AccessStatus.ALLOWED);
}
Also used : Role(com.yahoo.athenz.zms.Role) Policy(com.yahoo.athenz.zms.Policy) DomainData(com.yahoo.athenz.zms.DomainData) Assertion(com.yahoo.athenz.zms.Assertion) DataCache(com.yahoo.athenz.zts.cache.DataCache) Test(org.testng.annotations.Test)

Aggregations

Assertion (com.yahoo.athenz.zms.Assertion)61 Test (org.testng.annotations.Test)38 ArrayList (java.util.ArrayList)29 Policy (com.yahoo.athenz.zms.Policy)23 Role (com.yahoo.athenz.zms.Role)19 JDBCConnection (com.yahoo.athenz.zms.store.jdbc.JDBCConnection)16 RoleMember (com.yahoo.athenz.zms.RoleMember)11 DomainData (com.yahoo.athenz.zms.DomainData)10 HashMap (java.util.HashMap)9 SQLException (java.sql.SQLException)8 SignedDomain (com.yahoo.athenz.zms.SignedDomain)7 DataCache (com.yahoo.athenz.zts.cache.DataCache)7 Domain (com.yahoo.athenz.zms.Domain)5 ResourceAccessList (com.yahoo.athenz.zms.ResourceAccessList)5 ResourceAccess (com.yahoo.athenz.zms.ResourceAccess)4 ResourceException (com.yahoo.athenz.zms.ResourceException)4 PreparedStatement (java.sql.PreparedStatement)4 ResultSet (java.sql.ResultSet)4 DomainModifiedList (com.yahoo.athenz.zms.DomainModifiedList)3 ServiceIdentity (com.yahoo.athenz.zms.ServiceIdentity)3