use of com.yahoo.athenz.zms.ResourceAccess in project athenz by yahoo.
From the class JDBCConnectionTest, method testListResourceAccess.
@Test
public void testListResourceAccess() throws SQLException {
    JDBCConnection jdbcConn = new JDBCConnection(mockConn, true);

    // Drive the shared result-set cursor through the queries listResourceAccess
    // issues in order: three role-principal rows, three role-assertion rows and
    // no trusted-role rows. Each query's run of rows ends with a false.
    Mockito.when(mockResultSet.next()).thenReturn(
            true, true, true, false,   // role principals
            true, true, true, false,   // role assertions
            false);                    // trusted roles: none

    // NAME column serves the principal query first, then the assertion query (domain names)
    Mockito.when(mockResultSet.getString(ZMSConsts.DB_COLUMN_NAME)).thenReturn(
            "user.user1", "user.user2", "user.user3",
            "dom1", "dom1", "dom2");
    Mockito.when(mockResultSet.getString(ZMSConsts.DB_COLUMN_DOMAIN_ID)).thenReturn(
            "101", "101", "102",
            "101", "101", "102");
    Mockito.when(mockResultSet.getString(ZMSConsts.DB_COLUMN_ROLE_NAME))
            .thenReturn("role1", "role1", "role3");
    Mockito.when(mockResultSet.getString(ZMSConsts.DB_COLUMN_ROLE))
            .thenReturn("role1", "role1", "role3");
    Mockito.when(mockResultSet.getString(ZMSConsts.DB_COLUMN_RESOURCE))
            .thenReturn("resource1", "resource2", "resource3");
    Mockito.when(mockResultSet.getString(ZMSConsts.DB_COLUMN_ACTION)).thenReturn("update");
    Mockito.when(mockResultSet.getString(ZMSConsts.DB_COLUMN_EFFECT)).thenReturn("ALLOW");

    // no principal filter: every principal with at least one assertion is listed
    ResourceAccessList resourceAccessList = jdbcConn.listResourceAccess(null, "update", "user");
    List<ResourceAccess> resources = resourceAccessList.getResources();
    assertEquals(3, resources.size());

    // user1 and user2 share role1 (two assertions); user3 is in role3 (one assertion).
    // -1 marks a principal that never showed up in the response.
    int user1Count = -1;
    int user2Count = -1;
    int user3Count = -1;
    for (ResourceAccess access : resources) {
        final String name = access.getPrincipal();
        final int count = access.getAssertions().size();
        if ("user.user1".equals(name)) {
            user1Count = count;
        } else if ("user.user2".equals(name)) {
            user2Count = count;
        } else if ("user.user3".equals(name)) {
            user3Count = count;
        }
    }
    assertEquals(2, user1Count);
    assertEquals(2, user2Count);
    assertEquals(1, user3Count);

    jdbcConn.close();
}
use of com.yahoo.athenz.zms.ResourceAccess in project athenz by yahoo.
From the class JDBCConnection, method getResourceAccessObject.
/**
 * Builds the per-principal entry of a ResourceAccessList.
 *
 * @param principal  principal name to report
 * @param assertions assertions granting the principal access; may be null
 * @return a ResourceAccess whose assertion list is never null. The given list
 *         is stored by reference, not copied; a null argument becomes an
 *         empty list so callers can always iterate the result safely.
 */
ResourceAccess getResourceAccessObject(String principal, List<Assertion> assertions) {
    ResourceAccess access = new ResourceAccess();
    access.setPrincipal(principal);
    if (assertions == null) {
        // a principal with no matching assertions is reported with an empty list
        access.setAssertions(new ArrayList<>());
    } else {
        access.setAssertions(assertions);
    }
    return access;
}
use of com.yahoo.athenz.zms.ResourceAccess in project athenz by yahoo.
From the class JDBCConnectionTest, method testListResourceAccessAws.
@Test
public void testListResourceAccessAws() throws SQLException {
    JDBCConnection jdbcConn = new JDBCConnection(mockConn, true);

    // Cursor runs for each query issued by an assume_aws_role listing, in order:
    // role principals, role assertions, standard trusted roles, wildcard trusted
    // roles (none) and finally the domains that have an AWS account configured.
    Mockito.when(mockResultSet.next()).thenReturn(
            true, true, true, false,   // role principals
            true, true, true, false,   // role assertions
            true, true, true, false,   // standard trusted roles
            false,                     // wildcard trusted roles: none
            true, true, false);        // aws domains

    // NAME column: principals, then assertion domains, then trusted roles, then aws domains
    Mockito.when(mockResultSet.getString(ZMSConsts.DB_COLUMN_NAME)).thenReturn(
            "user.user1", "user.user2", "user.user3.service",
            "dom1", "dom2", "dom3",
            "trole1", "trole2", "trole3",
            "dom1", "dom2");
    Mockito.when(mockResultSet.getString(ZMSConsts.DB_COLUMN_DOMAIN_ID)).thenReturn(
            "101", "102", "103",
            "101", "102", "103",
            "101", "102", "103");
    Mockito.when(mockResultSet.getString(ZMSConsts.DB_COLUMN_ROLE_NAME))
            .thenReturn("role1", "role2", "role3");
    Mockito.when(mockResultSet.getString(ZMSConsts.DB_COLUMN_ROLE)).thenReturn(
            "role1", "role2", "role3",     // role assertions
            "role1", "role2", "role3");    // trusted roles
    Mockito.when(mockResultSet.getString(ZMSConsts.DB_COLUMN_RESOURCE))
            .thenReturn("dom1:role1", "dom2:role2", "resource3");
    Mockito.when(mockResultSet.getString(ZMSConsts.DB_COLUMN_ACTION)).thenReturn("assume_aws_role");
    Mockito.when(mockResultSet.getString(ZMSConsts.DB_COLUMN_EFFECT)).thenReturn("ALLOW");
    // only dom1 and dom2 carry an AWS account; dom3 has none
    Mockito.when(mockResultSet.getString(ZMSConsts.DB_COLUMN_ACCOUNT)).thenReturn("12345", "12346");
    Mockito.when(mockResultSet.getString(ZMSConsts.DB_COLUMN_ASSERT_DOMAIN_ID))
            .thenReturn("101", "102", "103");

    ResourceAccessList resourceAccessList = jdbcConn.listResourceAccess(null, "assume_aws_role", "user");
    List<ResourceAccess> resources = resourceAccessList.getResources();
    // user.user3.service is dropped: an aws-role listing with no principal only reports users
    assertEquals(2, resources.size());

    String user1Resource = null;
    String user2Resource = null;
    boolean serviceListed = false;
    for (ResourceAccess access : resources) {
        final String name = access.getPrincipal();
        if ("user.user1".equals(name)) {
            assertEquals(1, access.getAssertions().size());
            user1Resource = access.getAssertions().get(0).getResource();
        } else if ("user.user2".equals(name)) {
            assertEquals(1, access.getAssertions().size());
            user2Resource = access.getAssertions().get(0).getResource();
        } else if ("user.user3.service".equals(name)) {
            serviceListed = true;
        }
    }
    // the "dom:role" resource is rewritten into the AWS role ARN of the domain's account
    assertEquals("arn:aws:iam::12345:role/role1", user1Resource);
    assertEquals("arn:aws:iam::12346:role/role2", user2Resource);
    assertFalse(serviceListed);

    jdbcConn.close();
}
use of com.yahoo.athenz.zms.ResourceAccess in project athenz by yahoo.
From the class JDBCConnectionTest, method testListResourceAccessEmptyRoleAssertions.
@Test
public void testListResourceAccessEmptyRoleAssertions() throws SQLException {
    JDBCConnection jdbcConn = new JDBCConnection(mockConn, true);

    // three role-principal rows, then an empty role-assertion result
    Mockito.when(mockResultSet.next()).thenReturn(
            true, true, true, false,   // role principals
            false);                    // role assertions: none
    Mockito.when(mockResultSet.getString(ZMSConsts.DB_COLUMN_NAME))
            .thenReturn("user.user1", "user.user2", "user.user3");
    Mockito.when(mockResultSet.getString(ZMSConsts.DB_COLUMN_DOMAIN_ID))
            .thenReturn("101", "101", "102");
    Mockito.when(mockResultSet.getString(ZMSConsts.DB_COLUMN_ROLE_NAME))
            .thenReturn("role1", "role1", "role3");

    // a single-principal query must still report the principal, with no assertions,
    // rather than an empty list of resources
    ResourceAccessList resourceAccessList = jdbcConn.listResourceAccess("user.user1", "update", "user");
    List<ResourceAccess> resources = resourceAccessList.getResources();
    assertEquals(1, resources.size());

    ResourceAccess onlyEntry = resources.get(0);
    assertEquals("user.user1", onlyEntry.getPrincipal());
    List<Assertion> assertions = onlyEntry.getAssertions();
    assertTrue(assertions.isEmpty());

    jdbcConn.close();
}
use of com.yahoo.athenz.zms.ResourceAccess in project athenz by yahoo.
From the class JDBCConnection, method listResourceAccess.
/**
 * Reports which principals may perform {@code action}, and on which resources.
 *
 * The result is assembled from three lookups: role membership (role -> principals),
 * the assertions that grant {@code action} (role -> assertions) and the trusted-role
 * map, through which assertions on a trusting role are also attributed to members of
 * the role it trusts. Nothing in this method restricts who may ask; any access control
 * on the caller is presumably enforced higher up.
 *
 * @param principal  when non-empty, limits the answer to this principal, which is then
 *                   always reported (with an empty assertion list if it has no access);
 *                   when null/empty, every principal with at least one assertion is listed
 * @param action     action to report on. {@code assume_aws_role} is a special case: only
 *                   domains with an AWS account are considered and assertions are rewritten
 *                   to AWS role resources by addRoleAssertions
 * @param userDomain domain that identifies user principals; consulted by skipAwsUserQuery
 * @return the list, never null; its resource list is empty when nothing matches
 * @throws ResourceException (via notFoundError) for a single-principal query on a principal
 *                           that does not exist at all, as opposed to one with no roles
 */
@Override
public ResourceAccessList listResourceAccess(String principal, String action, String userDomain) {
    final String caller = "listResourceAccess";
    final ResourceAccessList rsrcAccessList = new ResourceAccessList();
    final List<ResourceAccess> resources = new ArrayList<>();
    rsrcAccessList.setResources(resources);

    // assume_aws_role is handled as a special case throughout
    final boolean awsQuery = action != null && action.equals(ZMSConsts.ACTION_ASSUME_AWS_ROLE);
    // scoped to one principal, or an enumeration of every principal
    final boolean singlePrincipalQuery = principal != null && !principal.isEmpty();

    // role membership first: with no matching principals there is nothing to report
    final Map<String, List<String>> rolePrincipals = getRolePrincipals(principal, awsQuery, userDomain, caller);
    if (rolePrincipals.isEmpty()) {
        if (singlePrincipalQuery) {
            // distinguish "unknown principal" (not found) from "known principal, no roles"
            if (getPrincipalId(principal) == 0) {
                throw notFoundError(caller, ZMSConsts.OBJECT_PRINCIPAL, principal);
            }
            resources.add(getResourceAccessObject(principal, null));
        }
        return rsrcAccessList;
    }

    // assertions that grant the requested action, keyed by role
    final Map<String, List<Assertion>> roleAssertions = getRoleAssertions(action, caller);
    if (roleAssertions.isEmpty()) {
        if (singlePrincipalQuery) {
            resources.add(getResourceAccessObject(principal, null));
        }
        return rsrcAccessList;
    }

    // delegated access: assertions on roles that trust a role apply to that role's members
    final Map<String, List<String>> trustedRoles = getTrustedRoles(caller);

    // for aws queries restrict to domains with an aws account; addRoleAssertions
    // uses the map to rewrite resources into aws role resources
    final Map<String, String> awsDomains = awsQuery ? getAwsDomains(caller) : null;

    // principal -> assertions accumulated over every role it is a member of
    final Map<String, List<Assertion>> principalAssertions = new HashMap<>();
    for (Map.Entry<String, List<String>> roleEntry : rolePrincipals.entrySet()) {
        final String roleIndex = roleEntry.getKey();
        if (LOG.isDebugEnabled()) {
            LOG.debug(caller + ": processing role: " + roleIndex);
        }
        for (String rPrincipal : roleEntry.getValue()) {
            if (LOG.isDebugEnabled()) {
                LOG.debug(caller + ": processing role principal: " + rPrincipal);
            }
            // an aws-role query with no principal reports actual users only
            if (skipAwsUserQuery(awsDomains, principal, rPrincipal, userDomain)) {
                if (LOG.isDebugEnabled()) {
                    LOG.debug(caller + ": skipping non-user: " + rPrincipal);
                }
                continue;
            }
            if (!principalAssertions.containsKey(rPrincipal)) {
                principalAssertions.put(rPrincipal, new ArrayList<Assertion>());
            }
            final List<Assertion> assertions = principalAssertions.get(rPrincipal);

            // direct assertions on this role
            addRoleAssertions(assertions, roleAssertions.get(roleIndex), awsDomains);

            // plus assertions on every role that trusts this one
            final List<String> mappedTrustedRoles = trustedRoles.get(roleIndex);
            if (mappedTrustedRoles == null) {
                continue;
            }
            for (String mappedTrustedRole : mappedTrustedRoles) {
                if (LOG.isDebugEnabled()) {
                    LOG.debug(caller + ": processing trusted role: " + mappedTrustedRole);
                }
                addRoleAssertions(assertions, roleAssertions.get(mappedTrustedRole), awsDomains);
            }
        }
    }

    for (Map.Entry<String, List<Assertion>> entry : principalAssertions.entrySet()) {
        final List<Assertion> assertions = entry.getValue();
        // an enumeration omits principals that ended up with no assertions;
        // a single-principal query always reports the principal, even with none
        final boolean omit = !singlePrincipalQuery && (assertions == null || assertions.isEmpty());
        if (!omit) {
            resources.add(getResourceAccessObject(entry.getKey(), assertions));
        }
    }
    return rsrcAccessList;
}