use of com.yahoo.athenz.zms.Policy in project athenz by yahoo.
the class ZTSImplTest method testGetRoleAccessWithDelegatedRolesWithGroups.
void testGetRoleAccessWithDelegatedRolesWithGroups(final String roleName, final String assumeRoleName, boolean wildCardAssumeDomain, boolean multipleUsers) {
final String newsDomainName = "news";
final String sportsDomainName = "sports";
final String weatherDomainName = "weather";
SignedDomain weatherDomain = new SignedDomain();
List<Role> roles = new ArrayList<>();
// create the admin role
Role role = new Role();
role.setName(generateRoleName(weatherDomainName, "admin"));
List<RoleMember> members = new ArrayList<>();
members.add(new RoleMember().setMemberName("user_domain.adminuser"));
role.setRoleMembers(members);
roles.add(role);
// create the trusted role
roles.add(new Role().setName(generateRoleName(weatherDomainName, roleName)).setTrust(sportsDomainName));
// no services
List<ServiceIdentity> services = new ArrayList<>();
// create admin policy
List<com.yahoo.athenz.zms.Policy> policies = new ArrayList<>();
com.yahoo.athenz.zms.Policy policy = new com.yahoo.athenz.zms.Policy();
com.yahoo.athenz.zms.Assertion assertion = new com.yahoo.athenz.zms.Assertion();
assertion.setResource(weatherDomainName + ".*");
assertion.setAction("*");
assertion.setRole(generateRoleName(weatherDomainName, "admin"));
List<com.yahoo.athenz.zms.Assertion> assertions = new ArrayList<>();
assertions.add(assertion);
policy.setAssertions(assertions);
policy.setName(generatePolicyName(weatherDomainName, "admin"));
policies.add(policy);
com.yahoo.athenz.zms.DomainPolicies domainPolicies = new com.yahoo.athenz.zms.DomainPolicies();
domainPolicies.setDomain(weatherDomainName);
domainPolicies.setPolicies(policies);
com.yahoo.athenz.zms.SignedPolicies signedPolicies = new com.yahoo.athenz.zms.SignedPolicies();
signedPolicies.setContents(domainPolicies);
signedPolicies.setSignature(Crypto.sign(SignUtils.asCanonicalString(domainPolicies), privateKey));
signedPolicies.setKeyId("0");
DomainData domain = new DomainData();
domain.setName(weatherDomainName);
domain.setRoles(roles);
domain.setServices(services);
domain.setPolicies(signedPolicies);
domain.setModified(Timestamp.fromCurrentTime());
weatherDomain.setDomain(domain);
weatherDomain.setSignature(Crypto.sign(SignUtils.asCanonicalString(domain), privateKey));
weatherDomain.setKeyId("0");
// now process the domain in ZTS
store.processSignedDomain(weatherDomain, false);
// now create the sports domain that includes the delegated role
SignedDomain sportsDomain = new SignedDomain();
roles = new ArrayList<>();
role = new Role();
role.setName(generateRoleName(sportsDomainName, "admin"));
members = new ArrayList<>();
members.add(new RoleMember().setMemberName("user_domain.adminuser"));
role.setRoleMembers(members);
roles.add(role);
role = new Role();
role.setName(generateRoleName(sportsDomainName, roleName));
members = new ArrayList<>();
members.add(new RoleMember().setMemberName("user_domain.user2"));
members.add(new RoleMember().setMemberName(ResourceUtils.groupResourceName(newsDomainName, "group1")));
role.setRoleMembers(members);
roles.add(role);
policies = new ArrayList<>();
policy = new com.yahoo.athenz.zms.Policy();
assertion = new com.yahoo.athenz.zms.Assertion();
assertion.setResource(sportsDomainName + ".*");
assertion.setAction("*");
assertion.setRole(generateRoleName(sportsDomainName, "admin"));
assertions = new ArrayList<>();
assertions.add(assertion);
policy.setAssertions(assertions);
policy.setName(generatePolicyName(sportsDomainName, "admin"));
policies.add(policy);
policy = new com.yahoo.athenz.zms.Policy();
assertion = new com.yahoo.athenz.zms.Assertion();
final String assumeRoleDomain = wildCardAssumeDomain ? "*" : weatherDomainName;
assertion.setResource(generateRoleName(assumeRoleDomain, assumeRoleName));
assertion.setAction("assume_role");
assertion.setRole(generateRoleName(sportsDomainName, roleName));
assertions = new ArrayList<>();
assertions.add(assertion);
policy.setAssertions(assertions);
policy.setName(generatePolicyName(sportsDomainName, roleName));
policies.add(policy);
domainPolicies = new com.yahoo.athenz.zms.DomainPolicies();
domainPolicies.setDomain(sportsDomainName);
domainPolicies.setPolicies(policies);
signedPolicies = new com.yahoo.athenz.zms.SignedPolicies();
signedPolicies.setContents(domainPolicies);
signedPolicies.setSignature(Crypto.sign(SignUtils.asCanonicalString(domainPolicies), privateKey));
signedPolicies.setKeyId("0");
domain = new DomainData();
domain.setName(sportsDomainName);
domain.setRoles(roles);
domain.setServices(services);
domain.setPolicies(signedPolicies);
domain.setModified(Timestamp.fromCurrentTime());
sportsDomain.setDomain(domain);
sportsDomain.setSignature(Crypto.sign(SignUtils.asCanonicalString(domain), privateKey));
sportsDomain.setKeyId("0");
store.processSignedDomain(sportsDomain, false);
// create and process our new domain in ZTS
SignedDomain newsDomain = createGroupNewsDomain(newsDomainName, weatherDomainName, multipleUsers, null);
store.processSignedDomain(newsDomain, false);
// now let's carry out our checks - we should get role1 for user1
// when asked for both sports and weather domains
Principal principal = SimplePrincipal.create("user_domain", "user", "v=U1;d=user_domain;n=user;s=sig", 0, null);
ResourceContext context = createResourceContext(principal);
RoleAccess roleAccess = zts.getRoleAccess(context, weatherDomainName, "user_domain.user1");
assertEquals(roleAccess.getRoles().size(), 1);
assertTrue(roleAccess.getRoles().contains(roleName));
roleAccess = zts.getRoleAccess(context, sportsDomainName, "user_domain.user1");
assertEquals(roleAccess.getRoles().size(), 1);
assertTrue(roleAccess.getRoles().contains(roleName));
// user2 should have same access as user1
roleAccess = zts.getRoleAccess(context, weatherDomainName, "user_domain.user2");
assertEquals(roleAccess.getRoles().size(), 1);
assertTrue(roleAccess.getRoles().contains(roleName));
roleAccess = zts.getRoleAccess(context, sportsDomainName, "user_domain.user2");
assertEquals(roleAccess.getRoles().size(), 1);
assertTrue(roleAccess.getRoles().contains(roleName));
if (multipleUsers) {
roleAccess = zts.getRoleAccess(context, weatherDomainName, "user_domain.user3");
assertEquals(roleAccess.getRoles().size(), 1);
assertTrue(roleAccess.getRoles().contains(roleName));
roleAccess = zts.getRoleAccess(context, sportsDomainName, "user_domain.user3");
assertEquals(roleAccess.getRoles().size(), 1);
assertTrue(roleAccess.getRoles().contains(roleName));
}
// now we're going to expire our user1 group member
// and process the domain
newsDomain = createGroupNewsDomain(newsDomainName, weatherDomainName, multipleUsers, Timestamp.fromMillis(System.currentTimeMillis() - 60 * 60 * 1000L));
store.processSignedDomain(newsDomain, false);
// now let's verify our role access again. user1
// should not have access in weather domain
roleAccess = zts.getRoleAccess(context, weatherDomainName, "user_domain.user1");
assertEquals(roleAccess.getRoles().size(), 0);
roleAccess = zts.getRoleAccess(context, sportsDomainName, "user_domain.user1");
assertEquals(roleAccess.getRoles().size(), 0);
// user2 should still have access to both roles
roleAccess = zts.getRoleAccess(context, weatherDomainName, "user_domain.user2");
assertEquals(roleAccess.getRoles().size(), 1);
assertTrue(roleAccess.getRoles().contains(roleName));
roleAccess = zts.getRoleAccess(context, sportsDomainName, "user_domain.user2");
assertEquals(roleAccess.getRoles().size(), 1);
assertTrue(roleAccess.getRoles().contains(roleName));
if (multipleUsers) {
roleAccess = zts.getRoleAccess(context, weatherDomainName, "user_domain.user3");
assertEquals(roleAccess.getRoles().size(), 1);
assertTrue(roleAccess.getRoles().contains(roleName));
roleAccess = zts.getRoleAccess(context, sportsDomainName, "user_domain.user3");
assertEquals(roleAccess.getRoles().size(), 1);
assertTrue(roleAccess.getRoles().contains(roleName));
}
// now we're going to reset our expiry for the user into the future
newsDomain = createGroupNewsDomain(newsDomainName, weatherDomainName, multipleUsers, Timestamp.fromMillis(System.currentTimeMillis() + 60 * 60 * 1000L));
store.processSignedDomain(newsDomain, false);
// verify all previous access as expected
roleAccess = zts.getRoleAccess(context, weatherDomainName, "user_domain.user1");
assertEquals(roleAccess.getRoles().size(), 1);
assertTrue(roleAccess.getRoles().contains(roleName));
roleAccess = zts.getRoleAccess(context, sportsDomainName, "user_domain.user1");
assertEquals(roleAccess.getRoles().size(), 1);
assertTrue(roleAccess.getRoles().contains(roleName));
// user2 should have same access as user1
roleAccess = zts.getRoleAccess(context, weatherDomainName, "user_domain.user2");
assertEquals(roleAccess.getRoles().size(), 1);
assertTrue(roleAccess.getRoles().contains(roleName));
roleAccess = zts.getRoleAccess(context, sportsDomainName, "user_domain.user2");
assertEquals(roleAccess.getRoles().size(), 1);
assertTrue(roleAccess.getRoles().contains(roleName));
if (multipleUsers) {
roleAccess = zts.getRoleAccess(context, weatherDomainName, "user_domain.user3");
assertEquals(roleAccess.getRoles().size(), 1);
assertTrue(roleAccess.getRoles().contains(roleName));
roleAccess = zts.getRoleAccess(context, sportsDomainName, "user_domain.user3");
assertEquals(roleAccess.getRoles().size(), 1);
assertTrue(roleAccess.getRoles().contains(roleName));
}
}
use of com.yahoo.athenz.zms.Policy in project athenz by yahoo.
the class ZTSImplTest method signedAuthorizedProviderDomain.
private SignedDomain signedAuthorizedProviderDomain() {
SignedDomain signedDomain = new SignedDomain();
List<Role> roles = new ArrayList<>();
Role role = new Role();
role.setName(generateRoleName("sys.auth", "providers"));
List<RoleMember> members = new ArrayList<>();
members.add(new RoleMember().setMemberName("athenz.provider"));
members.add(new RoleMember().setMemberName("sys.auth.zts"));
role.setRoleMembers(members);
roles.add(role);
List<com.yahoo.athenz.zms.Policy> policies = new ArrayList<>();
com.yahoo.athenz.zms.Policy policy = new com.yahoo.athenz.zms.Policy();
com.yahoo.athenz.zms.Assertion assertion1 = new com.yahoo.athenz.zms.Assertion();
assertion1.setResource("sys.auth:instance");
assertion1.setAction("launch");
assertion1.setRole("sys.auth:role.providers");
com.yahoo.athenz.zms.Assertion assertion2 = new com.yahoo.athenz.zms.Assertion();
assertion2.setResource("sys.auth:dns.ostk.athenz.cloud");
assertion2.setAction("launch");
assertion2.setRole("sys.auth:role.providers");
com.yahoo.athenz.zms.Assertion assertion3 = new com.yahoo.athenz.zms.Assertion();
assertion3.setResource("sys.auth:hostname.athenz.cloud");
assertion3.setAction("launch");
assertion3.setRole("sys.auth:role.providers");
com.yahoo.athenz.zms.Assertion assertion4 = new com.yahoo.athenz.zms.Assertion();
assertion4.setResource("sys.auth:hostname.athenz.info");
assertion4.setAction("launch");
assertion4.setRole("sys.auth:role.providers");
List<com.yahoo.athenz.zms.Assertion> assertions = new ArrayList<>();
assertions.add(assertion1);
assertions.add(assertion2);
assertions.add(assertion3);
assertions.add(assertion4);
policy.setAssertions(assertions);
policy.setName("sys.auth:policy.providers");
policies.add(policy);
com.yahoo.athenz.zms.DomainPolicies domainPolicies = new com.yahoo.athenz.zms.DomainPolicies();
domainPolicies.setDomain("sys.auth");
domainPolicies.setPolicies(policies);
com.yahoo.athenz.zms.SignedPolicies signedPolicies = new com.yahoo.athenz.zms.SignedPolicies();
signedPolicies.setContents(domainPolicies);
signedPolicies.setSignature(Crypto.sign(SignUtils.asCanonicalString(domainPolicies), privateKey));
signedPolicies.setKeyId("0");
DomainData domain = new DomainData();
domain.setName("sys.auth");
domain.setRoles(roles);
domain.setPolicies(signedPolicies);
domain.setModified(Timestamp.fromCurrentTime());
signedDomain.setDomain(domain);
signedDomain.setSignature(Crypto.sign(SignUtils.asCanonicalString(domain), privateKey));
signedDomain.setKeyId("0");
return signedDomain;
}
use of com.yahoo.athenz.zms.Policy in project athenz by yahoo.
the class ZTSImplTest method createSignedDomainWildCard.
private SignedDomain createSignedDomainWildCard(String domainName, String tenantDomain) {
SignedDomain signedDomain = new SignedDomain();
List<Role> roles = new ArrayList<>();
Role role = new Role();
role.setName(generateRoleName(domainName, "superusers"));
List<RoleMember> members = new ArrayList<>();
members.add(new RoleMember().setMemberName("user_domain.admin_user"));
role.setRoleMembers(members);
roles.add(role);
role = new Role();
role.setName(generateRoleName(domainName, "users"));
roles.add(role);
role = new Role();
role.setName(generateRoleName(domainName, "netops_superusers"));
role.setTrust(tenantDomain);
roles.add(role);
List<com.yahoo.athenz.zms.Policy> policies = new ArrayList<>();
com.yahoo.athenz.zms.Policy policy = new com.yahoo.athenz.zms.Policy();
com.yahoo.athenz.zms.Assertion assertion = new com.yahoo.athenz.zms.Assertion();
assertion.setResource(domainName + ":node.*");
assertion.setAction("node_user");
assertion.setRole(generateRoleName(domainName, "users"));
List<com.yahoo.athenz.zms.Assertion> assertions = new ArrayList<>();
assertions.add(assertion);
policy.setAssertions(assertions);
policy.setName(generatePolicyName(domainName, "users"));
policies.add(policy);
policy = new com.yahoo.athenz.zms.Policy();
assertion = new com.yahoo.athenz.zms.Assertion();
assertion.setResource(domainName + ":node.*");
assertion.setAction("node_sudo");
assertion.setRole(generateRoleName(domainName, "netops_superusers"));
assertions = new ArrayList<>();
assertions.add(assertion);
policy.setAssertions(assertions);
policy.setName(generatePolicyName(domainName, "netops_superusers"));
policies.add(policy);
policy = new com.yahoo.athenz.zms.Policy();
assertion = new com.yahoo.athenz.zms.Assertion();
assertion.setResource(domainName + ":node.*");
assertion.setAction("node_user");
assertion.setRole(generateRoleName(domainName, "superusers"));
assertions = new ArrayList<>();
assertions.add(assertion);
policy.setAssertions(assertions);
policy.setName(generatePolicyName(domainName, "superusers"));
policies.add(policy);
com.yahoo.athenz.zms.DomainPolicies domainPolicies = new com.yahoo.athenz.zms.DomainPolicies();
domainPolicies.setDomain(domainName);
domainPolicies.setPolicies(policies);
com.yahoo.athenz.zms.SignedPolicies signedPolicies = new com.yahoo.athenz.zms.SignedPolicies();
signedPolicies.setContents(domainPolicies);
signedPolicies.setSignature(Crypto.sign(SignUtils.asCanonicalString(domainPolicies), privateKey));
signedPolicies.setKeyId("0");
DomainData domain = new DomainData();
domain.setName(domainName);
domain.setRoles(roles);
domain.setPolicies(signedPolicies);
domain.setModified(Timestamp.fromCurrentTime());
signedDomain.setDomain(domain);
signedDomain.setSignature(Crypto.sign(SignUtils.asCanonicalString(domain), privateKey));
signedDomain.setKeyId("0");
return signedDomain;
}
use of com.yahoo.athenz.zms.Policy in project athenz by yahoo.
the class ZTSImplTest method testEvaluateAccessAssertionAllowCaseSensitive.
@Test
public void testEvaluateAccessAssertionAllowCaseSensitive() {
DataCache domain = new DataCache();
DomainData domainData = new DomainData();
domainData.setName("coretech");
domain.setDomainData(domainData);
domainData.setRoles(new ArrayList<>());
Role role = ZTSTestUtils.createRoleObject("coretech", "role1", "user_domain.user1");
domainData.getRoles().add(role);
Policy policy = new Policy().setName("coretech:policy.policy1");
Assertion assertion1 = new Assertion();
assertion1.setAction("ReaD");
assertion1.setEffect(AssertionEffect.ALLOW);
assertion1.setResource("coretech:*");
assertion1.setRole("coretech:role.role1");
Assertion assertion2 = new Assertion();
assertion2.setAction("ReaD");
assertion2.setEffect(AssertionEffect.ALLOW);
assertion2.setResource("coretech:ResourcE1");
assertion2.setRole("coretech:role.role1");
policy.setAssertions(new ArrayList<>());
policy.getAssertions().add(assertion1);
policy.getAssertions().add(assertion2);
domainData.setPolicies(new com.yahoo.athenz.zms.SignedPolicies());
domainData.getPolicies().setContents(new com.yahoo.athenz.zms.DomainPolicies());
domainData.getPolicies().getContents().setPolicies(new ArrayList<>());
domainData.getPolicies().getContents().getPolicies().add(policy);
assertEquals(authorizer.evaluateAccess(domain, "user_domain.user1", "read", "coretech:resource1", null), AccessStatus.ALLOWED);
}
use of com.yahoo.athenz.zms.Policy in project athenz by yahoo.
the class ZTSImplTest method createTenantSignedDomain.
private SignedDomain createTenantSignedDomain(String domainName, String providerDomain, String providerService) {
SignedDomain signedDomain = new SignedDomain();
List<Role> roles = new ArrayList<>();
Role role = new Role();
role.setName(generateRoleName(domainName, "admin"));
List<RoleMember> members = new ArrayList<>();
members.add(new RoleMember().setMemberName("user_domain.user"));
role.setRoleMembers(members);
roles.add(role);
role = new Role();
role.setName(generateRoleName(domainName, "tenancy." + providerDomain + "." + providerService + ".admin"));
members = new ArrayList<>();
members.add(new RoleMember().setMemberName("user_domain.user100"));
members.add(new RoleMember().setMemberName("user_domain.user101"));
role.setRoleMembers(members);
roles.add(role);
role = new Role();
role.setName(generateRoleName(domainName, "readers"));
members = new ArrayList<>();
members.add(new RoleMember().setMemberName("user_domain.user100"));
members.add(new RoleMember().setMemberName("user_domain.user101"));
role.setRoleMembers(members);
roles.add(role);
ServiceIdentity service = new ServiceIdentity();
service.setName(domainName + ".storage");
setServicePublicKey(service, "0", ZTS_Y64_CERT0);
List<String> hosts = new ArrayList<>();
hosts.add("host1");
hosts.add("host2");
service.setHosts(hosts);
List<ServiceIdentity> services = new ArrayList<>();
services.add(service);
List<com.yahoo.athenz.zms.Policy> policies = new ArrayList<>();
com.yahoo.athenz.zms.Policy policy = new com.yahoo.athenz.zms.Policy();
com.yahoo.athenz.zms.Assertion assertion = new com.yahoo.athenz.zms.Assertion();
assertion.setResource(generateRoleName(providerDomain, "tenant.readers"));
assertion.setAction("assume_role");
assertion.setRole(generateRoleName(domainName, "readers"));
List<com.yahoo.athenz.zms.Assertion> assertions = new ArrayList<>();
assertions.add(assertion);
policy.setAssertions(assertions);
policy.setName(generatePolicyName(domainName, "tenancy.readers"));
policies.add(policy);
policy = new com.yahoo.athenz.zms.Policy();
assertion = new com.yahoo.athenz.zms.Assertion();
assertion.setResource(generateRoleName(providerDomain, providerService + ".tenant." + domainName + ".admin"));
assertion.setAction("assume_role");
assertion.setRole(generateRoleName(domainName, "tenancy." + providerDomain + "." + providerService + ".admin"));
assertions = new ArrayList<>();
assertions.add(assertion);
policy.setAssertions(assertions);
policy.setName(generatePolicyName(domainName, "tenancy." + providerDomain + "." + providerService + ".admin"));
policies.add(policy);
com.yahoo.athenz.zms.DomainPolicies domainPolicies = new com.yahoo.athenz.zms.DomainPolicies();
domainPolicies.setDomain(domainName);
domainPolicies.setPolicies(policies);
com.yahoo.athenz.zms.SignedPolicies signedPolicies = new com.yahoo.athenz.zms.SignedPolicies();
signedPolicies.setContents(domainPolicies);
signedPolicies.setSignature(Crypto.sign(SignUtils.asCanonicalString(domainPolicies), privateKey));
signedPolicies.setKeyId("0");
DomainData domain = new DomainData();
domain.setName(domainName);
domain.setRoles(roles);
domain.setServices(services);
domain.setPolicies(signedPolicies);
signedDomain.setDomain(domain);
signedDomain.setSignature(Crypto.sign(SignUtils.asCanonicalString(domain), privateKey));
signedDomain.setKeyId("0");
return signedDomain;
}
Aggregations