
Example 21 with Policy

use of com.yahoo.athenz.zms.Policy in project athenz by yahoo.

the class ZTSImplTest method testAccess.

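/**
 * Verifies that {@code authorizer.access()} grants only what an explicit ALLOW assertion
 * covers and denies everything else.
 *
 * <p>Fixture: domain {@code coretechtrust} with {@code role1} (built around
 * {@code user_domain.user1}) and {@code role2} (built around {@code user_domain.user2}),
 * plus one policy that allows {@code role1} the {@code update} action on
 * {@code coretechtrust:table1}.
 *
 * <p>Expectations: user1 is granted exactly that action/resource pair and is denied both a
 * different resource ({@code table2}) and a different action ({@code delete}); user2, whose
 * role has no matching policy, and user3, who appears in no role, are denied. The fixture is
 * evicted from the cache store in {@code finally} so a failing assertion cannot leak this
 * domain into later tests that share {@code store}.
 */
@Test
public void testAccess() {
    final String domainName = "coretechtrust";

    DataCache domain = new DataCache();
    DomainData domainData = new DomainData();
    domainData.setName(domainName);
    domain.setDomainData(domainData);

    // role1 -> user1, role2 -> user2; user3 is deliberately in neither
    List<Role> roles = new ArrayList<>();
    roles.add(createRoleObject(domainName, "role1", null, "user_domain.user1", null));
    roles.add(createRoleObject(domainName, "role2", null, "user_domain.user2", null));
    domainData.setRoles(roles);

    // the only ALLOW in the domain: role1 may "update" coretechtrust:table1
    List<Policy> policies = new ArrayList<>();
    policies.add(createPolicyObject(domainName, "access", domainName + ":role.role1", false,
            "update", domainName + ":table1", AssertionEffect.ALLOW));
    com.yahoo.athenz.zms.DomainPolicies domainPolicies = new com.yahoo.athenz.zms.DomainPolicies();
    domainPolicies.setPolicies(policies);
    com.yahoo.athenz.zms.SignedPolicies signedPolicies = new com.yahoo.athenz.zms.SignedPolicies();
    signedPolicies.setContents(domainPolicies);
    domainData.setPolicies(signedPolicies);

    store.getCacheStore().put(domainName, domain);
    try {
        Principal principal1 = SimplePrincipal.create("user_domain", "user1",
                "v=U1;d=user_domain;n=user1;s=signature", 0, null);
        assertTrue(authorizer.access("update", domainName + ":table1", principal1, null));
        // a different resource and a different action must both be denied
        assertFalse(authorizer.access("update", domainName + ":table2", principal1, null));
        assertFalse(authorizer.access("delete", domainName + ":table1", principal1, null));

        // member of a role that has no policy granting this action
        Principal principal2 = SimplePrincipal.create("user_domain", "user2",
                "v=U1;d=user_domain;n=user2;s=signature", 0, null);
        assertFalse(authorizer.access("update", domainName + ":table1", principal2, null));

        // principal that is not in any role of the domain
        Principal principal3 = SimplePrincipal.create("user_domain", "user3",
                "v=U1;d=user_domain;n=user3;s=signature", 0, null);
        assertFalse(authorizer.access("update", domainName + ":table1", principal3, null));
    } finally {
        // always evict the fixture so a failed assertion cannot pollute subsequent tests
        store.getCacheStore().invalidate(domainName);
    }
}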

Example 22 with Policy

use of com.yahoo.athenz.zms.Policy in project athenz by yahoo.

the class ZTSImplTest method signedAuthorizedProviderDomain.

/**
 * Builds a signed {@code sys.auth} domain fixture that authorizes a provider.
 *
 * <p>The domain holds one role, {@code providers}, whose only member is
 * {@code athenz.provider}, and one policy, {@code sys.auth:policy.providers}, whose two
 * assertions allow {@code sys.auth:role.providers} the {@code launch} action on
 * {@code sys.auth:instance} and {@code sys.auth:dns.ostk.athenz.cloud}. Both the policy set
 * and the whole domain are signed with the test {@code privateKey} under key id {@code "0"},
 * and the domain's modified timestamp is set to the current time.
 *
 * @return the signed provider domain fixture
 */
private SignedDomain signedAuthorizedProviderDomain() {
    final String domainName = "sys.auth";
    final String providersRoleName = "sys.auth:role.providers";

    // single role "providers" with the single member athenz.provider
    Role providersRole = new Role();
    providersRole.setName(generateRoleName(domainName, "providers"));
    List<RoleMember> providerMembers = new ArrayList<>();
    providerMembers.add(new RoleMember().setMemberName("athenz.provider"));
    providersRole.setRoleMembers(providerMembers);
    List<Role> roles = new ArrayList<>();
    roles.add(providersRole);

    // one "launch" assertion per provider resource, in the order listed here
    List<com.yahoo.athenz.zms.Assertion> launchAssertions = new ArrayList<>();
    for (String resource : new String[] {"sys.auth:instance", "sys.auth:dns.ostk.athenz.cloud"}) {
        com.yahoo.athenz.zms.Assertion launch = new com.yahoo.athenz.zms.Assertion();
        launch.setResource(resource);
        launch.setAction("launch");
        launch.setRole(providersRoleName);
        launchAssertions.add(launch);
    }
    com.yahoo.athenz.zms.Policy providersPolicy = new com.yahoo.athenz.zms.Policy();
    providersPolicy.setAssertions(launchAssertions);
    providersPolicy.setName("sys.auth:policy.providers");
    List<com.yahoo.athenz.zms.Policy> policies = new ArrayList<>();
    policies.add(providersPolicy);

    // sign the policy set on its own before embedding it in the domain
    com.yahoo.athenz.zms.DomainPolicies domainPolicies = new com.yahoo.athenz.zms.DomainPolicies();
    domainPolicies.setDomain(domainName);
    domainPolicies.setPolicies(policies);
    com.yahoo.athenz.zms.SignedPolicies signedPolicies = new com.yahoo.athenz.zms.SignedPolicies();
    signedPolicies.setContents(domainPolicies);
    signedPolicies.setSignature(Crypto.sign(SignUtils.asCanonicalString(domainPolicies), privateKey));
    signedPolicies.setKeyId("0");

    DomainData domainData = new DomainData();
    domainData.setName(domainName);
    domainData.setRoles(roles);
    domainData.setPolicies(signedPolicies);
    domainData.setModified(Timestamp.fromCurrentTime());

    // then sign the complete domain with the same key
    SignedDomain signedDomain = new SignedDomain();
    signedDomain.setDomain(domainData);
    signedDomain.setSignature(Crypto.sign(SignUtils.asCanonicalString(domainData), privateKey));
    signedDomain.setKeyId("0");
    return signedDomain;
}

Example 23 with Policy

use of com.yahoo.athenz.zms.Policy in project athenz by yahoo.

the class ZTSImplTest method testResourceAccess.

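/**
 * Verifies {@code zts.getResourceAccess()} and {@code zts.getResourceAccessExt()} against a
 * single-policy domain, including the check-on-behalf-of-principal form.
 *
 * <p>Fixture: domain {@code coretechaccess} with {@code role1} (built around
 * {@code user.user1} and {@code user.user3}) and {@code role2} (built around
 * {@code user.user2}), plus one policy allowing {@code role1} the {@code update} action on
 * {@code coretechaccess:table1}. The caller is {@code user.user1} authenticated through
 * {@code DebugPrincipalAuthority}.
 *
 * <p>Expectations: both endpoints grant user1 exactly {@code update} on {@code table1} and
 * deny a different resource ({@code table2}) and a different action ({@code delete}). With a
 * principal name passed as the last argument, {@code user.user2} (role2) is denied and
 * {@code user.user3} (role1) is granted on {@code table1} but denied on {@code table2}. The
 * fourth argument is {@code null} in every call. The fixture is evicted from the cache store
 * in {@code finally} so a failing assertion cannot leak it into later tests.
 */
@Test
public void testResourceAccess() {
    final String domainName = "coretechaccess";

    DataCache domain = new DataCache();
    DomainData domainData = new DomainData();
    domainData.setName(domainName);
    domain.setDomainData(domainData);

    // role1 -> user1, user3; role2 -> user2
    List<Role> roles = new ArrayList<>();
    roles.add(createRoleObject(domainName, "role1", null, "user.user1", "user.user3"));
    roles.add(createRoleObject(domainName, "role2", null, "user.user2", null));
    domainData.setRoles(roles);

    // the only ALLOW in the domain: role1 may "update" coretechaccess:table1
    List<Policy> policies = new ArrayList<>();
    policies.add(createPolicyObject(domainName, "access", domainName + ":role.role1", false,
            "update", domainName + ":table1", AssertionEffect.ALLOW));
    com.yahoo.athenz.zms.DomainPolicies domainPolicies = new com.yahoo.athenz.zms.DomainPolicies();
    domainPolicies.setPolicies(policies);
    com.yahoo.athenz.zms.SignedPolicies signedPolicies = new com.yahoo.athenz.zms.SignedPolicies();
    signedPolicies.setContents(domainPolicies);
    domainData.setPolicies(signedPolicies);

    store.getCacheStore().put(domainName, domain);
    try {
        Authority principalAuthority = new com.yahoo.athenz.common.server.debug.DebugPrincipalAuthority();
        Principal principal = SimplePrincipal.create("user", "user1",
                "v=U1;d=user;n=user1;s=signature", 0, principalAuthority);
        ResourceContext ctx = createResourceContext(principal, null);

        final String table1 = domainName + ":table1";
        final String table2 = domainName + ":table2";

        // caller's own access: granted only for the exact action/resource in the policy
        ResourceAccess access = zts.getResourceAccess(ctx, "update", table1, null, null);
        assertTrue(access.getGranted());
        access = zts.getResourceAccessExt(ctx, "update", table1, null, null);
        assertTrue(access.getGranted());
        access = zts.getResourceAccess(ctx, "update", table2, null, null);
        assertFalse(access.getGranted());
        access = zts.getResourceAccessExt(ctx, "update", table2, null, null);
        assertFalse(access.getGranted());
        access = zts.getResourceAccess(ctx, "delete", table1, null, null);
        assertFalse(access.getGranted());
        access = zts.getResourceAccessExt(ctx, "delete", table1, null, null);
        assertFalse(access.getGranted());

        // check on behalf of another principal: role membership of that principal decides
        access = zts.getResourceAccess(ctx, "update", table1, null, "user.user2");
        assertFalse(access.getGranted());
        access = zts.getResourceAccess(ctx, "update", table1, null, "user.user3");
        assertTrue(access.getGranted());
        access = zts.getResourceAccess(ctx, "update", table2, null, "user.user3");
        assertFalse(access.getGranted());
    } finally {
        // always evict the fixture so a failed assertion cannot pollute subsequent tests
        store.getCacheStore().invalidate(domainName);
    }
}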

Example 24 with Policy

use of com.yahoo.athenz.zms.Policy in project athenz by yahoo.

the class ZTSImplTest method createTenantSignedDomainWildCard.

/**
 * Builds a signed tenant domain fixture whose policies use wildcard resources.
 *
 * <p>Roles: {@code superusers} with the single member {@code user_domain.siteops_user_1},
 * and {@code users} with no members set. Policies, in order:
 * <ul>
 *   <li>{@code netops_superusers}: {@code superusers} may {@code assume_role} on
 *       {@code *:role.netops_superusers}</li>
 *   <li>{@code users}: {@code users} may {@code node_user} on
 *       {@code <domainName>netops:node.*}</li>
 *   <li>{@code superusers}: {@code superusers} may {@code node_sudo} on
 *       {@code <domainName>netops:node.*}</li>
 * </ul>
 * The policy set and the domain are each signed with the test {@code privateKey} under key
 * id {@code "0"}. No modified timestamp is set on the domain.
 *
 * @param domainName     name of the tenant domain to build
 * @param providerDomain not referenced by this method
 * @return the signed tenant domain fixture
 */
private SignedDomain createTenantSignedDomainWildCard(String domainName, String providerDomain) {
    // superusers -> siteops_user_1; users -> (no members set)
    Role superusersRole = new Role();
    superusersRole.setName(generateRoleName(domainName, "superusers"));
    List<RoleMember> superusers = new ArrayList<>();
    superusers.add(new RoleMember().setMemberName("user_domain.siteops_user_1"));
    superusersRole.setRoleMembers(superusers);
    Role usersRole = new Role();
    usersRole.setName(generateRoleName(domainName, "users"));
    List<Role> roles = new ArrayList<>();
    roles.add(superusersRole);
    roles.add(usersRole);

    // NOTE(review): the node resources concatenate domainName and "netops" with no separator;
    // kept verbatim — confirm this is the intended wildcard resource for the tenant tests.
    final String nodeResource = domainName + "netops:node.*";

    // {resource, action, role suffix, policy suffix}, one single-assertion policy each
    String[][] policySpecs = {
        {"*:role.netops_superusers", "assume_role", "superusers", "netops_superusers"},
        {nodeResource, "node_user", "users", "users"},
        {nodeResource, "node_sudo", "superusers", "superusers"},
    };
    List<com.yahoo.athenz.zms.Policy> policies = new ArrayList<>();
    for (String[] spec : policySpecs) {
        com.yahoo.athenz.zms.Assertion assertion = new com.yahoo.athenz.zms.Assertion();
        assertion.setResource(spec[0]);
        assertion.setAction(spec[1]);
        assertion.setRole(generateRoleName(domainName, spec[2]));
        List<com.yahoo.athenz.zms.Assertion> assertions = new ArrayList<>();
        assertions.add(assertion);
        com.yahoo.athenz.zms.Policy policy = new com.yahoo.athenz.zms.Policy();
        policy.setAssertions(assertions);
        policy.setName(generatePolicyName(domainName, spec[3]));
        policies.add(policy);
    }

    // sign the policy set on its own before embedding it in the domain
    com.yahoo.athenz.zms.DomainPolicies domainPolicies = new com.yahoo.athenz.zms.DomainPolicies();
    domainPolicies.setDomain(domainName);
    domainPolicies.setPolicies(policies);
    com.yahoo.athenz.zms.SignedPolicies signedPolicies = new com.yahoo.athenz.zms.SignedPolicies();
    signedPolicies.setContents(domainPolicies);
    signedPolicies.setSignature(Crypto.sign(SignUtils.asCanonicalString(domainPolicies), privateKey));
    signedPolicies.setKeyId("0");

    DomainData domainData = new DomainData();
    domainData.setName(domainName);
    domainData.setRoles(roles);
    domainData.setPolicies(signedPolicies);

    // then sign the complete domain with the same key
    SignedDomain signedDomain = new SignedDomain();
    signedDomain.setDomain(domainData);
    signedDomain.setSignature(Crypto.sign(SignUtils.asCanonicalString(domainData), privateKey));
    signedDomain.setKeyId("0");
    return signedDomain;
}

Example 25 with Policy

use of com.yahoo.athenz.zms.Policy in project athenz by yahoo.

the class ZTSImplTest method testAccessDelegatedTrust.

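/**
 * Verifies that {@code authorizer.access()} honours delegated (cross-domain) trust and that
 * trust is only effective when both domains declare it.
 *
 * <p>Fixture: domain {@code coretechtrust} with {@code role1} (built around
 * {@code user_domain.user1}) and {@code role2} (built around {@code user_domain.user2}), and a
 * policy {@code trust} allowing {@code coretechtrust:role.role1} the {@code ASSUME_ROLE}
 * action on {@code weather:role.role1}. Domain {@code weather} has a {@code role1} created
 * with {@code "coretechtrust"} as its third {@code createRoleObject} argument and a policy
 * allowing {@code weather:role.role1} the {@code update} action on {@code weather:table1}.
 *
 * <p>Expectations: user1 is granted {@code update} on {@code weather:table1} both with no
 * trust domain and with {@code "coretechtrust"}, and is denied with the undeclared trust
 * domain {@code "unknowntrust"}, on another resource ({@code table2}), and for another action
 * ({@code delete}). user2 (role2, no ASSUME_ROLE grant) and user3 (no role) are denied. Both
 * domains are evicted from the cache store in {@code finally} so a failing assertion cannot
 * leak them into later tests.
 */
@Test
public void testAccessDelegatedTrust() {
    final String trustDomainName = "coretechtrust";
    final String tenantDomainName = "weather";

    // trusted domain: role1 -> user1, role2 -> user2, and role1 may ASSUME_ROLE weather:role.role1
    DataCache trustDomain = new DataCache();
    DomainData trustDomainData = new DomainData();
    trustDomainData.setName(trustDomainName);
    trustDomain.setDomainData(trustDomainData);
    List<Role> trustRoles = new ArrayList<>();
    trustRoles.add(createRoleObject(trustDomainName, "role1", null, "user_domain.user1", null));
    trustRoles.add(createRoleObject(trustDomainName, "role2", null, "user_domain.user2", null));
    trustDomainData.setRoles(trustRoles);
    List<Policy> trustPolicies = new ArrayList<>();
    trustPolicies.add(createPolicyObject(trustDomainName, "trust", trustDomainName + ":role.role1",
            false, "ASSUME_ROLE", tenantDomainName + ":role.role1", AssertionEffect.ALLOW));
    com.yahoo.athenz.zms.DomainPolicies trustDomainPolicies = new com.yahoo.athenz.zms.DomainPolicies();
    trustDomainPolicies.setPolicies(trustPolicies);
    com.yahoo.athenz.zms.SignedPolicies trustSignedPolicies = new com.yahoo.athenz.zms.SignedPolicies();
    trustSignedPolicies.setContents(trustDomainPolicies);
    trustDomainData.setPolicies(trustSignedPolicies);

    // tenant domain: role1 delegates to coretechtrust and may "update" weather:table1
    DataCache tenantDomain = new DataCache();
    DomainData tenantDomainData = new DomainData();
    tenantDomainData.setName(tenantDomainName);
    tenantDomain.setDomainData(tenantDomainData);
    List<Role> tenantRoles = new ArrayList<>();
    tenantRoles.add(createRoleObject(tenantDomainName, "role1", trustDomainName));
    tenantDomainData.setRoles(tenantRoles);
    List<Policy> tenantPolicies = new ArrayList<>();
    tenantPolicies.add(createPolicyObject(tenantDomainName, "access", tenantDomainName + ":role.role1",
            false, "update", tenantDomainName + ":table1", AssertionEffect.ALLOW));
    com.yahoo.athenz.zms.DomainPolicies tenantDomainPolicies = new com.yahoo.athenz.zms.DomainPolicies();
    tenantDomainPolicies.setPolicies(tenantPolicies);
    com.yahoo.athenz.zms.SignedPolicies tenantSignedPolicies = new com.yahoo.athenz.zms.SignedPolicies();
    tenantSignedPolicies.setContents(tenantDomainPolicies);
    tenantDomainData.setPolicies(tenantSignedPolicies);

    store.getCacheStore().put(trustDomainName, trustDomain);
    store.getCacheStore().put(tenantDomainName, tenantDomain);
    try {
        final String table1 = tenantDomainName + ":table1";
        final String table2 = tenantDomainName + ":table2";

        Principal principal1 = SimplePrincipal.create("user_domain", "user1",
                "v=U1;d=user_domain;n=user1;s=signature", 0, null);
        // granted via delegated trust, with and without naming the trust domain
        assertTrue(authorizer.access("update", table1, principal1, null));
        assertTrue(authorizer.access("update", table1, principal1, trustDomainName));
        // a trust domain the tenant role does not declare must not grant access
        assertFalse(authorizer.access("update", table1, principal1, "unknowntrust"));
        // different resource and different action are denied as usual
        assertFalse(authorizer.access("update", table2, principal1, null));
        assertFalse(authorizer.access("delete", table1, principal1, null));

        // member of a trusted-domain role that has no ASSUME_ROLE grant
        Principal principal2 = SimplePrincipal.create("user_domain", "user2",
                "v=U1;d=user_domain;n=user2;s=signature", 0, null);
        assertFalse(authorizer.access("update", table1, principal2, null));

        // principal in no role of either domain
        Principal principal3 = SimplePrincipal.create("user_domain", "user3",
                "v=U1;d=user_domain;n=user3;s=signature", 0, null);
        assertFalse(authorizer.access("update", table1, principal3, null));
    } finally {
        // always evict both fixtures so a failed assertion cannot pollute subsequent tests
        store.getCacheStore().invalidate(trustDomainName);
        store.getCacheStore().invalidate(tenantDomainName);
    }
}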
