
Example 56 with Policy

use of com.yahoo.athenz.zms.Policy in project athenz by yahoo.

the class ZTSImplTest method testGetPolicyListEmptyValues.

@Test
public void testGetPolicyListEmptyValues() {
    // Signed policies with no contents: nothing to convert
    DomainData data = new DomainData();
    SignedPolicies signed = new SignedPolicies();
    data.setPolicies(signed);
    List<com.yahoo.athenz.zts.Policy> result = zts.getPolicyList(data, null);
    assertTrue(result.isEmpty());

    // Contents present, but the policy list itself is still unset
    DomainPolicies contents = new DomainPolicies();
    signed.setContents(contents);
    result = zts.getPolicyList(data, null);
    assertTrue(result.isEmpty());

    // A single ZMS policy with a name and no assertions is returned as one
    // ZTS policy whose assertion list is left null rather than emptied
    Policy zmsPolicy = new Policy().setName("policy1");
    List<Policy> zmsPolicyList = new ArrayList<>();
    zmsPolicyList.add(zmsPolicy);
    contents.setPolicies(zmsPolicyList);
    result = zts.getPolicyList(data, null);
    assertEquals(1, result.size());
    assertNull(result.get(0).getAssertions());
}

Example 57 with Policy

use of com.yahoo.athenz.zms.Policy in project athenz by yahoo.

the class ZTSImplTest method testAccess.

@Test
public void testAccess() {
    final String domainName = "coretechtrust";
    final String tableOne = "coretechtrust:table1";

    // Domain with two roles: user1 is the only member of role1, user2 of role2
    DomainData domainData = new DomainData();
    domainData.setName(domainName);
    List<Role> roles = new ArrayList<>();
    roles.add(ZTSTestUtils.createRoleObject(domainName, "role1", "user_domain.user1"));
    roles.add(ZTSTestUtils.createRoleObject(domainName, "role2", "user_domain.user2"));
    domainData.setRoles(roles);

    // One ALLOW policy: role1 may "update" coretechtrust:table1 and nothing else
    List<Policy> policies = new ArrayList<>();
    policies.add(ZTSTestUtils.createPolicyObject(domainName, "access", "coretechtrust:role.role1", false, "update", tableOne, AssertionEffect.ALLOW));
    com.yahoo.athenz.zms.DomainPolicies domainPolicies = new com.yahoo.athenz.zms.DomainPolicies();
    domainPolicies.setPolicies(policies);
    com.yahoo.athenz.zms.SignedPolicies signedPolicies = new com.yahoo.athenz.zms.SignedPolicies();
    signedPolicies.setContents(domainPolicies);
    domainData.setPolicies(signedPolicies);

    // Register the domain in the store's cache under its name
    DataCache domain = new DataCache();
    domain.setDomainData(domainData);
    store.getCacheStore().put(domainName, domain);

    // role1 member: allowed only for the exact action/resource pair in the policy
    Principal user1 = SimplePrincipal.create("user_domain", "user1", "v=U1;d=user_domain;n=user1;s=signature", 0, null);
    assertTrue(authorizer.access("update", tableOne, user1, null));
    // same action, a resource the policy does not cover
    assertFalse(authorizer.access("update", "coretechtrust:table2", user1, null));
    // same resource, an action the policy does not grant
    assertFalse(authorizer.access("delete", tableOne, user1, null));

    // role2 member: no policy references role2, so nothing is granted
    Principal user2 = SimplePrincipal.create("user_domain", "user2", "v=U1;d=user_domain;n=user2;s=signature", 0, null);
    assertFalse(authorizer.access("update", tableOne, user2, null));

    // principal that is a member of no role in the domain
    Principal user3 = SimplePrincipal.create("user_domain", "user3", "v=U1;d=user_domain;n=user3;s=signature", 0, null);
    assertFalse(authorizer.access("update", tableOne, user3, null));

    // drop the fixture from the cache again
    store.getCacheStore().invalidate(domainName);
}

Example 58 with Policy

use of com.yahoo.athenz.zms.Policy in project athenz by yahoo.

the class ZTSImplTest method testEvaluateAccessAssertionAllow.

@Test
public void testEvaluateAccessAssertionAllow() {
    final String domainName = "coretech";
    final String roleOne = "coretech:role.role1";

    // Domain with a single role whose only member is user1
    DomainData domainData = new DomainData();
    domainData.setName(domainName);
    List<Role> roles = new ArrayList<>();
    roles.add(ZTSTestUtils.createRoleObject(domainName, "role1", "user_domain.user1"));
    domainData.setRoles(roles);

    // Two ALLOW "read" assertions for role1: a domain-wide wildcard and an exact resource
    Assertion wildcardAssertion = new Assertion()
            .setAction("read")
            .setEffect(AssertionEffect.ALLOW)
            .setResource("coretech:*")
            .setRole(roleOne);
    Assertion exactAssertion = new Assertion()
            .setAction("read")
            .setEffect(AssertionEffect.ALLOW)
            .setResource("coretech:resource1")
            .setRole(roleOne);
    List<Assertion> assertions = new ArrayList<>();
    assertions.add(wildcardAssertion);
    assertions.add(exactAssertion);
    Policy policy = new Policy().setName("coretech:policy.policy1").setAssertions(assertions);

    List<Policy> policies = new ArrayList<>();
    policies.add(policy);
    com.yahoo.athenz.zms.DomainPolicies domainPolicies = new com.yahoo.athenz.zms.DomainPolicies();
    domainPolicies.setPolicies(policies);
    com.yahoo.athenz.zms.SignedPolicies signedPolicies = new com.yahoo.athenz.zms.SignedPolicies();
    signedPolicies.setContents(domainPolicies);
    domainData.setPolicies(signedPolicies);

    DataCache domain = new DataCache();
    domain.setDomainData(domainData);

    assertEquals(authorizer.evaluateAccess(domain, "user_domain.user1", "read", "coretech:resource1", null), AccessStatus.ALLOWED);

    // Once the policy is marked inactive the identical request must be denied
    policy.setActive(false);
    assertEquals(authorizer.evaluateAccess(domain, "user_domain.user1", "read", "coretech:resource1", null), AccessStatus.DENIED);
}

Example 59 with Policy

use of com.yahoo.athenz.zms.Policy in project athenz by yahoo.

the class ZTSImplTest method createMultipleSignedDomains.

/**
 * Builds a signed domain that acts as provider for two tenant domains.
 *
 * The domain contains an admin role (member user_domain.adminuser), one trust role per
 * tenant domain pointing at that tenant, optionally one service identity with a public
 * key and two hosts, and one "read" policy per tenant domain granting the tenant's
 * admin role access to {@code <domain>:service.<service>.tenant.<tenant>.*}. Both the
 * policies and the domain are signed with the test {@code privateKey} under key id "0".
 *
 * @param domainName      name of the provider domain
 * @param tenantDomain1   first tenant domain
 * @param tenantDomain2   second tenant domain
 * @param serviceName     provider service name used in role, policy and resource names
 * @param includeServices whether to add the service identity to the domain
 * @return the fully populated and signed domain
 */
private SignedDomain createMultipleSignedDomains(String domainName, String tenantDomain1, String tenantDomain2, String serviceName, boolean includeServices) {
    final String[] tenantDomains = {tenantDomain1, tenantDomain2};

    // Roles: domain admin first, then one trust role per tenant domain
    List<Role> roles = new ArrayList<>();
    List<RoleMember> adminMembers = new ArrayList<>();
    adminMembers.add(new RoleMember().setMemberName("user_domain.adminuser"));
    roles.add(new Role().setName(generateRoleName(domainName, "admin")).setRoleMembers(adminMembers));
    for (String tenantDomain : tenantDomains) {
        final String tenantAdminRole = generateRoleName(domainName, serviceName + ".tenant." + tenantDomain + ".admin");
        roles.add(new Role().setName(tenantAdminRole).setTrust(tenantDomain));
    }

    // Services: a single optional service identity with key "0" and two hosts
    List<ServiceIdentity> services = new ArrayList<>();
    if (includeServices) {
        ServiceIdentity service = new ServiceIdentity();
        service.setName(generateServiceIdentityName(domainName, serviceName));
        setServicePublicKey(service, "0", ZTS_Y64_CERT0);
        List<String> hosts = new ArrayList<>();
        hosts.add("host1");
        hosts.add("host2");
        service.setHosts(hosts);
        services.add(service);
    }

    // Policies: one read assertion per tenant domain, in the same order as the roles
    List<com.yahoo.athenz.zms.Policy> policies = new ArrayList<>();
    for (String tenantDomain : tenantDomains) {
        final String tenantSuffix = serviceName + ".tenant." + tenantDomain;
        com.yahoo.athenz.zms.Assertion assertion = new com.yahoo.athenz.zms.Assertion()
                .setResource(domainName + ":service." + tenantSuffix + ".*")
                .setAction("read")
                .setRole(generateRoleName(domainName, tenantSuffix + ".admin"));
        List<com.yahoo.athenz.zms.Assertion> assertions = new ArrayList<>();
        assertions.add(assertion);
        policies.add(new com.yahoo.athenz.zms.Policy()
                .setAssertions(assertions)
                .setName(generatePolicyName(domainName, tenantSuffix + ".admin")));
    }

    // Sign the canonical form of the policy set
    com.yahoo.athenz.zms.DomainPolicies domainPolicies = new com.yahoo.athenz.zms.DomainPolicies();
    domainPolicies.setDomain(domainName);
    domainPolicies.setPolicies(policies);
    com.yahoo.athenz.zms.SignedPolicies signedPolicies = new com.yahoo.athenz.zms.SignedPolicies();
    signedPolicies.setContents(domainPolicies);
    signedPolicies.setSignature(Crypto.sign(SignUtils.asCanonicalString(domainPolicies), privateKey));
    signedPolicies.setKeyId("0");

    // Assemble the domain and sign its canonical form as well
    DomainData domain = new DomainData();
    domain.setName(domainName);
    domain.setRoles(roles);
    domain.setServices(services);
    domain.setPolicies(signedPolicies);
    domain.setModified(Timestamp.fromCurrentTime());

    SignedDomain signedDomain = new SignedDomain();
    signedDomain.setDomain(domain);
    signedDomain.setSignature(Crypto.sign(SignUtils.asCanonicalString(domain), privateKey));
    signedDomain.setKeyId("0");
    return signedDomain;
}

Example 60 with Policy

use of com.yahoo.athenz.zms.Policy in project athenz by yahoo.

the class ZTSTestUtils method setupDomainsWithGroups.

/**
 * Builds three signed domains ({@code domainName + "1"}, {@code "2"} and {@code "3"})
 * whose roles reference groups across domains, and hands each one to
 * {@code store.processSignedDomain(signedDomain, false)}.
 *
 * Domain 1 holds group1 and roles role1..role4 with policy1..policy4; domain 2 holds
 * group2 and group4 plus an admin role and policy; domain 3 holds group3, group5 and
 * group6 plus an admin role, role5 and an admin policy. Several memberships carry an
 * expiration one second in the past or future, or are system-disabled, so callers can
 * exercise how expired and disabled members are treated.
 *
 * @param store       store that receives the three signed domains, in order 1, 2, 3
 * @param privateKey  key passed to {@code createSignedDomain} to sign each domain
 * @param domainName  prefix from which the three domain names are derived
 * @param skipGroups  group resource names (as built by
 *                    {@code ResourceUtils.groupResourceName}) that must not be created;
 *                    every role membership referring to a skipped group is omitted too
 */
public static void setupDomainsWithGroups(DataStore store, PrivateKey privateKey, final String domainName, List<String> skipGroups) {
    final String domainName1 = domainName + "1";
    final String domainName2 = domainName + "2";
    final String domainName3 = domainName + "3";
    final String groupName1 = "group1";
    final String groupName2 = "group2";
    final String groupName3 = "group3";
    final String groupName4 = "group4";
    final String groupName5 = "group5";
    final String groupName6 = "group6";
    final String roleName1 = "role1";
    final String roleName2 = "role2";
    final String roleName3 = "role3";
    final String roleName4 = "role4";
    final String roleName5 = "role5";
    final String policyName1 = "policy1";
    final String policyName2 = "policy2";
    final String policyName3 = "policy3";
    final String policyName4 = "policy4";
    // group 1 in domain 1 with user1 and user2
    Group group1 = null;
    if (!skipGroups.contains(ResourceUtils.groupResourceName(domainName1, groupName1))) {
        group1 = createGroupObject(domainName1, groupName1, "user.user1", "user.user2");
    }
    // group 2 in domain 2 with user2 and user7
    Group group2 = null;
    if (!skipGroups.contains(ResourceUtils.groupResourceName(domainName2, groupName2))) {
        group2 = createGroupObject(domainName2, groupName2, "user.user2", "user.user7");
    }
    // group 3 in domain 3 with user4, plus user1 and user2 added as explicit members
    // NOTE(review): the original comment here read "set elevated clearance so both users
    // become expired", but no expiration is set on these two members — confirm intent.
    Group group3 = null;
    if (!skipGroups.contains(ResourceUtils.groupResourceName(domainName3, groupName3))) {
        group3 = createGroupObject(domainName3, groupName3, "user.user4");
        group3.getGroupMembers().add(new GroupMember().setMemberName("user.user1").setGroupName(ResourceUtils.groupResourceName(domainName3, groupName3)));
        group3.getGroupMembers().add(new GroupMember().setMemberName("user.user2").setGroupName(ResourceUtils.groupResourceName(domainName3, groupName3)));
    }
    // group 4 in domain 2 with no members
    Group group4 = null;
    if (!skipGroups.contains(ResourceUtils.groupResourceName(domainName2, groupName4))) {
        group4 = new Group().setName(ResourceUtils.groupResourceName(domainName2, groupName4));
    }
    // group 5 in domain 3: user4, a system-disabled user5, and user6 expiring in one second
    Group group5 = null;
    if (!skipGroups.contains(ResourceUtils.groupResourceName(domainName3, groupName5))) {
        group5 = createGroupObject(domainName3, groupName5, "user.user4");
        group5.getGroupMembers().add(new GroupMember().setMemberName("user.user5").setGroupName(ResourceUtils.groupResourceName(domainName3, groupName5)).setSystemDisabled(1));
        group5.getGroupMembers().add(new GroupMember().setMemberName("user.user6").setGroupName(ResourceUtils.groupResourceName(domainName3, groupName5)).setExpiration(Timestamp.fromMillis(System.currentTimeMillis() + 1000)));
    }
    // group 6 in domain 3 with users 6 and 3
    Group group6 = null;
    if (!skipGroups.contains(ResourceUtils.groupResourceName(domainName3, groupName6))) {
        group6 = createGroupObject(domainName3, groupName6, "user.user6", "user.user3");
    }
    // role1 (domain 1): user2 and user3 directly, user1 only through group1; group2 as well
    List<Role> roles = new ArrayList<>();
    Role role1 = createRoleObject(domainName1, roleName1, "user.user2", "user.user3");
    if (group2 != null) {
        role1.getRoleMembers().add(new RoleMember().setMemberName(ResourceUtils.groupResourceName(domainName2, groupName2)));
    }
    if (group1 != null) {
        role1.getRoleMembers().add(new RoleMember().setMemberName(ResourceUtils.groupResourceName(domainName1, groupName1)));
    }
    roles.add(role1);
    // role2: user1 as a direct member that expired one second ago, but still valid via group1
    Role role2 = createRoleObject(domainName1, roleName2, "user.user2", "user.user3");
    role2.getRoleMembers().add(new RoleMember().setMemberName("user.user1").setExpiration(Timestamp.fromMillis(System.currentTimeMillis() - 1000)));
    if (group2 != null) {
        role2.getRoleMembers().add(new RoleMember().setMemberName(ResourceUtils.groupResourceName(domainName2, groupName2)));
    }
    if (group1 != null) {
        role2.getRoleMembers().add(new RoleMember().setMemberName(ResourceUtils.groupResourceName(domainName1, groupName1)));
    }
    roles.add(role2);
    // role3: user1 expired directly and the group1 membership expired as well
    Role role3 = createRoleObject(domainName1, roleName3, "user.user2", "user.user3");
    role3.getRoleMembers().add(new RoleMember().setMemberName("user.user1").setExpiration(Timestamp.fromMillis(System.currentTimeMillis() - 1000)));
    if (group1 != null) {
        role3.getRoleMembers().add(new RoleMember().setMemberName(ResourceUtils.groupResourceName(domainName1, groupName1)).setExpiration(Timestamp.fromMillis(System.currentTimeMillis() - 1000)));
    }
    roles.add(role3);
    // role4: no user1 at all; members are user2, group2, the empty group4 and group6 (domain 3)
    Role role4 = createRoleObject(domainName1, roleName4, "user.user2");
    if (group2 != null) {
        role4.getRoleMembers().add(new RoleMember().setMemberName(ResourceUtils.groupResourceName(domainName2, groupName2)));
    }
    if (group4 != null) {
        role4.getRoleMembers().add(new RoleMember().setMemberName(ResourceUtils.groupResourceName(domainName2, groupName4)));
    }
    if (group6 != null) {
        role4.getRoleMembers().add(new RoleMember().setMemberName(ResourceUtils.groupResourceName(domainName3, groupName6)));
    }
    roles.add(role4);
    // one ALLOW "update" policy per role, each on its own resource in domain 1
    List<Policy> policies = new ArrayList<>();
    Policy policy1 = createPolicyObject(domainName1, policyName1, roleName1, true, "update", domainName1 + ":resource1", com.yahoo.athenz.zms.AssertionEffect.ALLOW);
    policies.add(policy1);
    Policy policy2 = createPolicyObject(domainName1, policyName2, roleName2, true, "update", domainName1 + ":resource2", com.yahoo.athenz.zms.AssertionEffect.ALLOW);
    policies.add(policy2);
    Policy policy3 = createPolicyObject(domainName1, policyName3, roleName3, true, "update", domainName1 + ":resource3", com.yahoo.athenz.zms.AssertionEffect.ALLOW);
    policies.add(policy3);
    Policy policy4 = createPolicyObject(domainName1, policyName4, roleName4, true, "update", domainName1 + ":resource4", com.yahoo.athenz.zms.AssertionEffect.ALLOW);
    policies.add(policy4);
    // domain 1: roles, policies and group1 (each group lives in the domain that defines it)
    List<Group> groups = new ArrayList<>();
    if (group1 != null) {
        groups.add(group1);
    }
    SignedDomain signedDomain = ZTSTestUtils.createSignedDomain(domainName1, roles, policies, null, groups, privateKey);
    store.processSignedDomain(signedDomain, false);
    // domain 2: group2 and group4
    groups = new ArrayList<>();
    if (group2 != null) {
        groups.add(group2);
    }
    if (group4 != null) {
        groups.add(group4);
    }
    // just an admin role and a wildcard admin policy for domain 2
    Role adminRole = createRoleObject(domainName2, "admin", "user.admin1", "user.admin2");
    roles = new ArrayList<>();
    roles.add(adminRole);
    Policy adminPolicy = createPolicyObject(domainName2, "admin", "admin", true, "*", domainName2 + ":*", com.yahoo.athenz.zms.AssertionEffect.ALLOW);
    policies = new ArrayList<>();
    policies.add(adminPolicy);
    signedDomain = ZTSTestUtils.createSignedDomain(domainName2, roles, policies, null, groups, privateKey);
    store.processSignedDomain(signedDomain, false);
    // domain 3: group3, group5 and group6
    groups = new ArrayList<>();
    if (group3 != null) {
        groups.add(group3);
    }
    if (group5 != null) {
        groups.add(group5);
    }
    if (group6 != null) {
        groups.add(group6);
    }
    // role5 in domain 3: user.admin plus group5, and group6 expiring in one second
    Role role5 = createRoleObject(domainName3, roleName5, "user.admin");
    if (group5 != null) {
        role5.getRoleMembers().add(new RoleMember().setMemberName(domainName3 + ":group." + groupName5));
    }
    if (group6 != null) {
        role5.getRoleMembers().add(new RoleMember().setMemberName(domainName3 + ":group." + groupName6).setExpiration(Timestamp.fromMillis(System.currentTimeMillis() + 1000)));
    }
    // admin role and wildcard admin policy for domain 3, alongside role5
    adminRole = createRoleObject(domainName3, "admin", "user.admin1", "user.admin2");
    roles = new ArrayList<>();
    roles.add(adminRole);
    roles.add(role5);
    adminPolicy = createPolicyObject(domainName3, "admin", "admin", true, "*", domainName3 + ":*", AssertionEffect.ALLOW);
    policies = new ArrayList<>();
    policies.add(adminPolicy);
    signedDomain = ZTSTestUtils.createSignedDomain(domainName3, roles, policies, null, groups, privateKey);
    store.processSignedDomain(signedDomain, false);
}
