Example 36 with Assertion
use of com.yahoo.athenz.zms.Assertion in project athenz by yahoo.
the class ZTSImplTest method createSignedDomainWildCard.
private SignedDomain createSignedDomainWildCard(String domainName, String tenantDomain) {
SignedDomain signedDomain = new SignedDomain();
List<Role> roles = new ArrayList<>();
Role role = new Role();
role.setName(generateRoleName(domainName, "superusers"));
List<RoleMember> members = new ArrayList<>();
members.add(new RoleMember().setMemberName("user_domain.admin_user"));
role.setRoleMembers(members);
roles.add(role);
role = new Role();
role.setName(generateRoleName(domainName, "users"));
roles.add(role);
role = new Role();
role.setName(generateRoleName(domainName, "netops_superusers"));
role.setTrust(tenantDomain);
roles.add(role);
List<com.yahoo.athenz.zms.Policy> policies = new ArrayList<>();
com.yahoo.athenz.zms.Policy policy = new com.yahoo.athenz.zms.Policy();
com.yahoo.athenz.zms.Assertion assertion = new com.yahoo.athenz.zms.Assertion();
assertion.setResource(domainName + ":node.*");
assertion.setAction("node_user");
assertion.setRole(generateRoleName(domainName, "users"));
List<com.yahoo.athenz.zms.Assertion> assertions = new ArrayList<>();
assertions.add(assertion);
policy.setAssertions(assertions);
policy.setName(generatePolicyName(domainName, "users"));
policies.add(policy);
policy = new com.yahoo.athenz.zms.Policy();
assertion = new com.yahoo.athenz.zms.Assertion();
assertion.setResource(domainName + ":node.*");
assertion.setAction("node_sudo");
assertion.setRole(generateRoleName(domainName, "netops_superusers"));
assertions = new ArrayList<>();
assertions.add(assertion);
policy.setAssertions(assertions);
policy.setName(generatePolicyName(domainName, "netops_superusers"));
policies.add(policy);
policy = new com.yahoo.athenz.zms.Policy();
assertion = new com.yahoo.athenz.zms.Assertion();
assertion.setResource(domainName + ":node.*");
assertion.setAction("node_user");
assertion.setRole(generateRoleName(domainName, "superusers"));
assertions = new ArrayList<>();
assertions.add(assertion);
policy.setAssertions(assertions);
policy.setName(generatePolicyName(domainName, "superusers"));
policies.add(policy);
com.yahoo.athenz.zms.DomainPolicies domainPolicies = new com.yahoo.athenz.zms.DomainPolicies();
domainPolicies.setDomain(domainName);
domainPolicies.setPolicies(policies);
com.yahoo.athenz.zms.SignedPolicies signedPolicies = new com.yahoo.athenz.zms.SignedPolicies();
signedPolicies.setContents(domainPolicies);
signedPolicies.setSignature(Crypto.sign(SignUtils.asCanonicalString(domainPolicies), privateKey));
signedPolicies.setKeyId("0");
DomainData domain = new DomainData();
domain.setName(domainName);
domain.setRoles(roles);
domain.setPolicies(signedPolicies);
domain.setModified(Timestamp.fromCurrentTime());
signedDomain.setDomain(domain);
signedDomain.setSignature(Crypto.sign(SignUtils.asCanonicalString(domain), privateKey));
signedDomain.setKeyId("0");
return signedDomain;
}
Also used :
Policy(com.yahoo.athenz.zms.Policy)
Policy(com.yahoo.athenz.zms.Policy)
ArrayList(java.util.ArrayList)
Assertion(com.yahoo.athenz.zms.Assertion)
DomainData(com.yahoo.athenz.zms.DomainData)
Assertion(com.yahoo.athenz.zms.Assertion)
Role(com.yahoo.athenz.zms.Role)
SignedDomain(com.yahoo.athenz.zms.SignedDomain)
RoleMember(com.yahoo.athenz.zms.RoleMember)
Example 37 with Assertion
use of com.yahoo.athenz.zms.Assertion in project athenz by yahoo.
the class ZTSImplTest method createSignedDomain.
private SignedDomain createSignedDomain(String domainName, String tenantDomain, String serviceName, List<RoleMember> writers, List<RoleMember> readers, boolean includeServices) {
SignedDomain signedDomain = new SignedDomain();
List<Role> roles = new ArrayList<>();
Role role = new Role();
role.setName(generateRoleName(domainName, "admin"));
List<RoleMember> members = new ArrayList<>();
members.add(new RoleMember().setMemberName("user_domain.adminuser"));
role.setRoleMembers(members);
roles.add(role);
role = new Role();
role.setName(generateRoleName(domainName, "writers"));
role.setRoleMembers(writers);
roles.add(role);
role = new Role();
role.setName(generateRoleName(domainName, "readers"));
role.setRoleMembers(readers);
roles.add(role);
role = new Role();
role.setName(generateRoleName(domainName, "tenant.readers"));
role.setTrust(tenantDomain);
roles.add(role);
role = new Role();
role.setName(generateRoleName(domainName, serviceName + ".tenant." + tenantDomain + ".admin"));
role.setTrust(tenantDomain);
roles.add(role);
List<ServiceIdentity> services = new ArrayList<>();
if (includeServices) {
ServiceIdentity service = new ServiceIdentity();
service.setName(generateServiceIdentityName(domainName, serviceName));
setServicePublicKey(service, "0", ZTS_Y64_CERT0);
List<String> hosts = new ArrayList<>();
hosts.add("host1");
hosts.add("host2");
service.setHosts(hosts);
services.add(service);
service = new ServiceIdentity();
service.setName(generateServiceIdentityName(domainName, "backup"));
setServicePublicKey(service, "0", ZTS_Y64_CERT0);
hosts = new ArrayList<>();
hosts.add("host2");
hosts.add("host3");
service.setHosts(hosts);
services.add(service);
}
List<com.yahoo.athenz.zms.Policy> policies = new ArrayList<>();
com.yahoo.athenz.zms.Policy policy = new com.yahoo.athenz.zms.Policy();
com.yahoo.athenz.zms.Assertion assertion = new com.yahoo.athenz.zms.Assertion();
assertion.setResource(domainName + ":tenant." + tenantDomain + ".*");
assertion.setAction("read");
assertion.setRole(generateRoleName(domainName, "tenant.readers"));
List<com.yahoo.athenz.zms.Assertion> assertions = new ArrayList<>();
assertions.add(assertion);
policy.setAssertions(assertions);
policy.setName(generatePolicyName(domainName, "tenant.reader"));
policies.add(policy);
// tenant admin domain
policy = new com.yahoo.athenz.zms.Policy();
assertion = new com.yahoo.athenz.zms.Assertion();
assertion.setResource(domainName + ":service." + serviceName + ".tenant." + tenantDomain + ".*");
assertion.setAction("read");
assertion.setRole(generateRoleName(domainName, serviceName + ".tenant." + tenantDomain + ".admin"));
assertions = new ArrayList<>();
assertions.add(assertion);
policy.setAssertions(assertions);
policy.setName(generatePolicyName(domainName, serviceName + ".tenant." + tenantDomain + ".admin"));
policies.add(policy);
com.yahoo.athenz.zms.DomainPolicies domainPolicies = new com.yahoo.athenz.zms.DomainPolicies();
domainPolicies.setDomain(domainName);
domainPolicies.setPolicies(policies);
com.yahoo.athenz.zms.SignedPolicies signedPolicies = new com.yahoo.athenz.zms.SignedPolicies();
signedPolicies.setContents(domainPolicies);
signedPolicies.setSignature(Crypto.sign(SignUtils.asCanonicalString(domainPolicies), privateKey));
signedPolicies.setKeyId("0");
DomainData domain = new DomainData();
domain.setName(domainName);
domain.setRoles(roles);
domain.setServices(services);
domain.setPolicies(signedPolicies);
domain.setModified(Timestamp.fromCurrentTime());
signedDomain.setDomain(domain);
signedDomain.setSignature(Crypto.sign(SignUtils.asCanonicalString(domain), privateKey));
signedDomain.setKeyId("0");
return signedDomain;
}
Also used :
Policy(com.yahoo.athenz.zms.Policy)
ArrayList(java.util.ArrayList)
DomainData(com.yahoo.athenz.zms.DomainData)
Assertion(com.yahoo.athenz.zms.Assertion)
SignedDomain(com.yahoo.athenz.zms.SignedDomain)
Policy(com.yahoo.athenz.zms.Policy)
ServiceIdentity(com.yahoo.athenz.zms.ServiceIdentity)
Assertion(com.yahoo.athenz.zms.Assertion)
Role(com.yahoo.athenz.zms.Role)
RoleMember(com.yahoo.athenz.zms.RoleMember)
Example 38 with Assertion
use of com.yahoo.athenz.zms.Assertion in project athenz by yahoo.
the class ZTSImplTest method testMatchDelegatedTrustAssertionNoResPatternMatchWithPattern.
@Test
public void testMatchDelegatedTrustAssertionNoResPatternMatchWithPattern() {
Assertion assertion = new Assertion();
assertion.setAction("ASSUME_ROLE");
assertion.setEffect(AssertionEffect.ALLOW);
assertion.setResource("*:role.Role");
assertion.setRole("domain:role.Role");
assertFalse(authorizer.matchDelegatedTrustAssertion(assertion, "domain:role.Role2", null, null));
assertFalse(authorizer.matchDelegatedTrustAssertion(assertion, "coretech:role.Role2", null, null));
}Example 39 with Assertion
use of com.yahoo.athenz.zms.Assertion in project athenz by yahoo.
the class DataCacheTest method testPolicyWithAssertions.
@Test
public void testPolicyWithAssertions() {
Domain domain = new Domain();
domain.setName("testDomain");
Role role1 = new Role();
role1.setName("testDomain.role.role1");
List<RoleMember> members1 = new ArrayList<>();
members1.add(new RoleMember().setMemberName("user_domain.user1"));
members1.add(new RoleMember().setMemberName("user_domain.user2"));
role1.setRoleMembers(members1);
Role role2 = new Role();
role2.setName("testDomain.role.role2");
List<RoleMember> members2 = new ArrayList<>();
members2.add(new RoleMember().setMemberName("user_domain.user2"));
role2.setRoleMembers(members2);
Role role3 = new Role();
role3.setName("testDomain.role.role3");
List<RoleMember> members3 = new ArrayList<>();
members3.add(new RoleMember().setMemberName("user_domain.user3"));
role3.setRoleMembers(members3);
Policy policy = new Policy();
policy.setName("testDomain.policy.policy1");
Assertion assertion1 = new Assertion();
assertion1.setAction("assume_role");
assertion1.setEffect(AssertionEffect.ALLOW);
assertion1.setResource("testDomain.roleA");
assertion1.setRole("testDomain.role.role1");
Assertion assertion2 = new Assertion();
assertion2.setAction("read");
assertion2.setEffect(AssertionEffect.ALLOW);
assertion2.setResource("testDomain.data:*");
assertion2.setRole("testDomain.role.role1");
List<Assertion> assertList = new ArrayList<Assertion>();
assertList.add(assertion1);
assertList.add(assertion2);
policy.setAssertions(assertList);
DataCache cache = new DataCache();
cache.processRole(role1);
cache.processRole(role2);
cache.processRole(role3);
HashMap<String, Role> roleList = new HashMap<>();
roleList.put(role1.getName(), role1);
roleList.put(role2.getName(), role2);
roleList.put(role3.getName(), role3);
cache.processPolicy(domain.getName(), policy, roleList);
Set<MemberRole> set1 = cache.getMemberRoleSet("user_domain.user1");
assertNotNull(set1);
assertTrue(set1.contains(new MemberRole("testDomain.role.role1", 0)));
assertTrue(set1.contains(new MemberRole("testDomain.roleA", 0)));
assertEquals(set1.size(), 2);
Set<MemberRole> set2 = cache.getMemberRoleSet("user_domain.user2");
assertNotNull(set2);
assertTrue(set2.contains(new MemberRole("testDomain.role.role1", 0)));
assertTrue(set2.contains(new MemberRole("testDomain.role.role2", 0)));
assertTrue(set2.contains(new MemberRole("testDomain.roleA", 0)));
assertEquals(set2.size(), 3);
Set<MemberRole> set3 = cache.getMemberRoleSet("user_domain.user3");
assertNotNull(set3);
assertTrue(set3.contains(new MemberRole("testDomain.role.role3", 0)));
assertEquals(set3.size(), 1);
}
Also used :
Policy(com.yahoo.athenz.zms.Policy)
HashMap(java.util.HashMap)
ArrayList(java.util.ArrayList)
Assertion(com.yahoo.athenz.zms.Assertion)
DataCache(com.yahoo.athenz.zts.cache.DataCache)
Role(com.yahoo.athenz.zms.Role)
Domain(com.yahoo.athenz.zms.Domain)
RoleMember(com.yahoo.athenz.zms.RoleMember)
Test(org.testng.annotations.Test)
Example 40 with Assertion
use of com.yahoo.athenz.zms.Assertion in project athenz by yahoo.
the class DataCache method processPolicy.
public void processPolicy(String domainName, Policy policy, Map<String, Role> roles) {
String policyName = policy.getName();
if (LOGGER.isDebugEnabled()) {
LOGGER.debug("Processing policy: " + policyName);
}
List<Assertion> assertions = policy.getAssertions();
if (assertions == null || assertions.isEmpty()) {
if (LOGGER.isDebugEnabled()) {
LOGGER.debug("Policy: {} does not have any assertions, skipping.", policyName);
}
return;
}
for (Assertion assertion : assertions) {
switch(assertion.getAction()) {
case ACTION_ASSUME_AWS_ROLE:
processAWSAssumeRoleAssertion(assertion);
break;
case ACTION_ASSUME_ROLE:
processAssumeRoleAssertion(assertion, roles);
break;
}
}
}
Also used :
Assertion(com.yahoo.athenz.zms.Assertion)
Aggregations
Assertion (com.yahoo.athenz.zms.Assertion)61
Test (org.testng.annotations.Test)38
ArrayList (java.util.ArrayList)29
Policy (com.yahoo.athenz.zms.Policy)23
Role (com.yahoo.athenz.zms.Role)19
JDBCConnection (com.yahoo.athenz.zms.store.jdbc.JDBCConnection)16
RoleMember (com.yahoo.athenz.zms.RoleMember)11
DomainData (com.yahoo.athenz.zms.DomainData)10
HashMap (java.util.HashMap)9
SQLException (java.sql.SQLException)8
SignedDomain (com.yahoo.athenz.zms.SignedDomain)7
DataCache (com.yahoo.athenz.zts.cache.DataCache)7
Domain (com.yahoo.athenz.zms.Domain)5
ResourceAccessList (com.yahoo.athenz.zms.ResourceAccessList)5
ResourceAccess (com.yahoo.athenz.zms.ResourceAccess)4
ResourceException (com.yahoo.athenz.zms.ResourceException)4
PreparedStatement (java.sql.PreparedStatement)4
ResultSet (java.sql.ResultSet)4
DomainModifiedList (com.yahoo.athenz.zms.DomainModifiedList)3
ServiceIdentity (com.yahoo.athenz.zms.ServiceIdentity)3
