
Example 1 with ResourceAccess

use of com.yahoo.athenz.zms.ResourceAccess in project athenz by yahoo.

Class JDBCConnectionTest, method testListResourceAccess.

@Test
public void testListResourceAccess() throws SQLException {
    JDBCConnection jdbcConn = new JDBCConnection(mockConn, true);

    // The single mocked ResultSet is consumed by three successive queries
    // issued by listResourceAccess, so the next() sequence is segmented:
    //   role principals : 3 rows, then exhausted
    //   role assertions : 3 rows, then exhausted
    //   trusted roles   : no rows
    Mockito.when(mockResultSet.next()).thenReturn(
            true, true, true, false,
            true, true, true, false,
            false);

    // Column values are handed out in the same order the rows are read.
    Mockito.when(mockResultSet.getString(ZMSConsts.DB_COLUMN_NAME)).thenReturn(
            "user.user1", "user.user2", "user.user3",   // role principal rows
            "dom1", "dom1", "dom2");                     // role assertion rows
    Mockito.when(mockResultSet.getString(ZMSConsts.DB_COLUMN_DOMAIN_ID)).thenReturn(
            "101", "101", "102",                         // role principal rows
            "101", "101", "102");                        // role assertion rows
    Mockito.when(mockResultSet.getString(ZMSConsts.DB_COLUMN_ROLE_NAME)).thenReturn("role1", "role1", "role3");
    Mockito.when(mockResultSet.getString(ZMSConsts.DB_COLUMN_ROLE)).thenReturn("role1", "role1", "role3");
    Mockito.when(mockResultSet.getString(ZMSConsts.DB_COLUMN_RESOURCE)).thenReturn("resource1", "resource2", "resource3");
    Mockito.when(mockResultSet.getString(ZMSConsts.DB_COLUMN_ACTION)).thenReturn("update");
    Mockito.when(mockResultSet.getString(ZMSConsts.DB_COLUMN_EFFECT)).thenReturn("ALLOW");

    // No principal filter: every principal that ends up with at least one
    // assertion for "update" must be reported.
    ResourceAccessList resourceAccessList = jdbcConn.listResourceAccess(null, "update", "user");
    List<ResourceAccess> resources = resourceAccessList.getResources();
    assertEquals(3, resources.size());

    boolean sawUser1 = false;
    boolean sawUser2 = false;
    boolean sawUser3 = false;
    for (ResourceAccess access : resources) {
        String who = access.getPrincipal();
        if ("user.user1".equals(who)) {
            // member of role1 (domain 101): both role1 assertions apply
            sawUser1 = true;
            assertEquals(2, access.getAssertions().size());
        } else if ("user.user2".equals(who)) {
            // also in role1 (domain 101): same two assertions
            sawUser2 = true;
            assertEquals(2, access.getAssertions().size());
        } else if ("user.user3".equals(who)) {
            // member of role3 (domain 102): a single assertion
            sawUser3 = true;
            assertEquals(1, access.getAssertions().size());
        }
    }
    assertTrue(sawUser1);
    assertTrue(sawUser2);
    assertTrue(sawUser3);
    jdbcConn.close();
}

Example 2 with ResourceAccess

use of com.yahoo.athenz.zms.ResourceAccess in project athenz by yahoo.

Class JDBCConnection, method getResourceAccessObject.

/**
 * Builds the {@link ResourceAccess} entry returned for one principal.
 *
 * @param principal  the principal the entry describes
 * @param assertions the assertions that grant the principal access; a
 *                   {@code null} value is replaced by a fresh, empty list so
 *                   callers never observe a null assertion list. A non-null
 *                   list is stored as-is (not copied).
 * @return the populated entry
 */
ResourceAccess getResourceAccessObject(String principal, List<Assertion> assertions) {
    List<Assertion> effective = assertions;
    if (effective == null) {
        effective = new ArrayList<Assertion>();
    }
    ResourceAccess access = new ResourceAccess();
    access.setPrincipal(principal);
    access.setAssertions(effective);
    return access;
}

Example 3 with ResourceAccess

use of com.yahoo.athenz.zms.ResourceAccess in project athenz by yahoo.

Class JDBCConnectionTest, method testListResourceAccessAws.

@Test
public void testListResourceAccessAws() throws SQLException {
    JDBCConnection jdbcConn = new JDBCConnection(mockConn, true);

    // For an assume_aws_role query listResourceAccess runs five queries
    // against the same mocked ResultSet, so next() is segmented as:
    //   role principals        : 3 rows, then exhausted
    //   role assertions        : 3 rows, then exhausted
    //   standard trusted roles : 3 rows, then exhausted
    //   wildcard trusted roles : no rows
    //   aws domains            : 2 rows, then exhausted
    Mockito.when(mockResultSet.next()).thenReturn(
            true, true, true, false,
            true, true, true, false,
            true, true, true, false,
            false,
            true, true, false);

    // Column values are handed out in the same order the rows are read.
    Mockito.when(mockResultSet.getString(ZMSConsts.DB_COLUMN_NAME)).thenReturn(
            "user.user1", "user.user2", "user.user3.service",   // role principal rows
            "dom1", "dom2", "dom3",                              // role assertion rows
            "trole1", "trole2", "trole3",                        // trusted role rows
            "dom1", "dom2");                                     // aws domain rows
    Mockito.when(mockResultSet.getString(ZMSConsts.DB_COLUMN_DOMAIN_ID)).thenReturn(
            "101", "102", "103",                                 // role principal rows
            "101", "102", "103",                                 // role assertion rows
            "101", "102", "103");                                // trusted role rows
    Mockito.when(mockResultSet.getString(ZMSConsts.DB_COLUMN_ROLE_NAME)).thenReturn("role1", "role2", "role3");
    Mockito.when(mockResultSet.getString(ZMSConsts.DB_COLUMN_ROLE)).thenReturn(
            "role1", "role2", "role3",                           // role assertion rows
            "role1", "role2", "role3");                          // trusted role rows
    Mockito.when(mockResultSet.getString(ZMSConsts.DB_COLUMN_RESOURCE)).thenReturn("dom1:role1", "dom2:role2", "resource3");
    Mockito.when(mockResultSet.getString(ZMSConsts.DB_COLUMN_ACTION)).thenReturn("assume_aws_role");
    Mockito.when(mockResultSet.getString(ZMSConsts.DB_COLUMN_EFFECT)).thenReturn("ALLOW");
    Mockito.when(mockResultSet.getString(ZMSConsts.DB_COLUMN_ACCOUNT)).thenReturn("12345", "12346");
    Mockito.when(mockResultSet.getString(ZMSConsts.DB_COLUMN_ASSERT_DOMAIN_ID)).thenReturn("101", "102", "103");

    // assume_aws_role with no principal filter: only the two principals
    // backed by an aws-enabled domain survive; the service principal is dropped.
    ResourceAccessList resourceAccessList = jdbcConn.listResourceAccess(null, "assume_aws_role", "user");
    List<ResourceAccess> resources = resourceAccessList.getResources();
    assertEquals(2, resources.size());

    boolean sawUser1 = false;
    boolean sawUser2 = false;
    boolean sawServicePrincipal = false;   // expected to remain false
    for (ResourceAccess access : resources) {
        String who = access.getPrincipal();
        if ("user.user1".equals(who)) {
            sawUser1 = true;
            List<Assertion> granted = access.getAssertions();
            assertEquals(1, granted.size());
            // resource is rewritten into the AWS role ARN for account 12345
            assertEquals("arn:aws:iam::12345:role/role1", granted.get(0).getResource());
        } else if ("user.user2".equals(who)) {
            sawUser2 = true;
            List<Assertion> granted = access.getAssertions();
            assertEquals(1, granted.size());
            assertEquals("arn:aws:iam::12346:role/role2", granted.get(0).getResource());
        } else if ("user.user3.service".equals(who)) {
            sawServicePrincipal = true;
        }
    }
    assertTrue(sawUser1);
    assertTrue(sawUser2);
    assertFalse(sawServicePrincipal);
    jdbcConn.close();
}

Example 4 with ResourceAccess

use of com.yahoo.athenz.zms.ResourceAccess in project athenz by yahoo.

Class JDBCConnectionTest, method testListResourceAccessEmptyRoleAssertions.

@Test
public void testListResourceAccessEmptyRoleAssertions() throws SQLException {
    JDBCConnection jdbcConn = new JDBCConnection(mockConn, true);

    // next() sequence: three role-principal rows, then an assertion query
    // that yields nothing at all.
    Mockito.when(mockResultSet.next()).thenReturn(true, true, true, false, false);
    Mockito.when(mockResultSet.getString(ZMSConsts.DB_COLUMN_NAME)).thenReturn("user.user1", "user.user2", "user.user3");
    Mockito.when(mockResultSet.getString(ZMSConsts.DB_COLUMN_DOMAIN_ID)).thenReturn("101", "101", "102");
    Mockito.when(mockResultSet.getString(ZMSConsts.DB_COLUMN_ROLE_NAME)).thenReturn("role1", "role1", "role3");

    // Single-principal query with no matching assertions: the method must
    // still report the requested principal, with an empty assertion list
    // rather than omitting it or returning null.
    ResourceAccessList resourceAccessList = jdbcConn.listResourceAccess("user.user1", "update", "user");
    List<ResourceAccess> resources = resourceAccessList.getResources();
    assertEquals(1, resources.size());

    ResourceAccess only = resources.get(0);
    assertEquals("user.user1", only.getPrincipal());
    List<Assertion> granted = only.getAssertions();
    assertTrue(granted.isEmpty());
    jdbcConn.close();
}

Example 5 with ResourceAccess

use of com.yahoo.athenz.zms.ResourceAccess in project athenz by yahoo.

Class JDBCConnection, method listResourceAccess.

/**
 * Lists, per principal, the assertions that grant the given action.
 *
 * The result is assembled from three (optionally four) store queries:
 * role membership, role assertions filtered by {@code action}, the
 * trusted-role mapping, and - only when {@code action} is
 * {@code ZMSConsts.ACTION_ASSUME_AWS_ROLE} - the set of domains with an
 * AWS account. Assertions of a role are attributed to every member of that
 * role, and assertions of any role the member's role is trusted for are
 * added as well.
 *
 * @param principal  restrict the result to this principal; {@code null} or
 *                   empty means "all principals"
 * @param action     the action the returned assertions must grant
 * @param userDomain the user domain, forwarded to the membership query and
 *                   to the aws user filter
 * @return a list with one {@link ResourceAccess} per principal. In the
 *         all-principals case, principals that end up with no assertions are
 *         omitted; in the single-principal case the principal is always
 *         reported, with an empty assertion list if nothing matched.
 * @throws RuntimeException the not-found error built by
 *         {@code notFoundError} when a single principal is requested, has no
 *         role membership, and does not exist in the store
 *
 * NOTE(review): this method performs no authorization of its own - it
 * reports the effective access of arbitrary principals to whoever calls it.
 * Presumably the API layer decides who may ask; confirm there. Likewise the
 * not-found error distinguishes "principal unknown" from "principal has no
 * access", which is fine internally but worth keeping in mind if the error
 * is ever surfaced to unprivileged clients.
 */
@Override
public ResourceAccessList listResourceAccess(String principal, String action, String userDomain) {
    final String caller = "listResourceAccess";

    List<ResourceAccess> resources = new ArrayList<>();
    ResourceAccessList result = new ResourceAccessList();
    result.setResources(resources);

    // assume_aws_role is special-cased: resources are rewritten into AWS
    // role ARNs and, without a principal filter, only real users are kept.
    final boolean awsQuery = ZMSConsts.ACTION_ASSUME_AWS_ROLE.equals(action);
    final boolean singlePrincipal = (principal != null && !principal.isEmpty());

    // Step 1: who is a member of which role. Nothing to report if no one is.
    Map<String, List<String>> rolePrincipals = getRolePrincipals(principal, awsQuery, userDomain, caller);
    if (rolePrincipals.isEmpty()) {
        if (singlePrincipal) {
            // distinguish "no access" from "no such principal"
            if (getPrincipalId(principal) == 0) {
                throw notFoundError(caller, ZMSConsts.OBJECT_PRINCIPAL, principal);
            }
            resources.add(getResourceAccessObject(principal, null));
        }
        return result;
    }

    // Step 2: which roles carry an assertion for this action.
    Map<String, List<Assertion>> roleAssertions = getRoleAssertions(action, caller);
    if (roleAssertions.isEmpty()) {
        if (singlePrincipal) {
            resources.add(getResourceAccessObject(principal, null));
        }
        return result;
    }

    // Step 3: trusted-role mapping, plus the aws domains for the aws case.
    Map<String, List<String>> trustedRoles = getTrustedRoles(caller);
    Map<String, String> awsDomains = awsQuery ? getAwsDomains(caller) : null;

    // Step 4: fan role assertions out to the role's members, following any
    // trusted-role mappings so delegated access is counted too.
    Map<String, List<Assertion>> assertionsByPrincipal = new HashMap<>();
    for (Map.Entry<String, List<String>> roleEntry : rolePrincipals.entrySet()) {
        final String roleIndex = roleEntry.getKey();
        if (LOG.isDebugEnabled()) {
            LOG.debug(caller + ": processing role: " + roleIndex);
        }
        for (String member : roleEntry.getValue()) {
            if (LOG.isDebugEnabled()) {
                LOG.debug(caller + ": processing role principal: " + member);
            }
            if (skipAwsUserQuery(awsDomains, principal, member, userDomain)) {
                if (LOG.isDebugEnabled()) {
                    LOG.debug(caller + ": skipping non-user: " + member);
                }
                continue;
            }
            List<Assertion> collected = assertionsByPrincipal.get(member);
            if (collected == null) {
                collected = new ArrayList<>();
                assertionsByPrincipal.put(member, collected);
            }
            addRoleAssertions(collected, roleAssertions.get(roleIndex), awsDomains);

            // A role may be trusted for several other roles; pull in all of them.
            List<String> delegatedRoles = trustedRoles.get(roleIndex);
            if (delegatedRoles == null) {
                continue;
            }
            for (String delegatedRole : delegatedRoles) {
                if (LOG.isDebugEnabled()) {
                    LOG.debug(caller + ": processing trusted role: " + delegatedRole);
                }
                addRoleAssertions(collected, roleAssertions.get(delegatedRole), awsDomains);
            }
        }
    }

    // Step 5: emit one entry per principal. For a global query, principals
    // without any assertion are dropped; for a single principal it is kept.
    for (Map.Entry<String, List<Assertion>> entry : assertionsByPrincipal.entrySet()) {
        List<Assertion> granted = entry.getValue();
        boolean nothingGranted = (granted == null || granted.isEmpty());
        if (nothingGranted && !singlePrincipal) {
            continue;
        }
        resources.add(getResourceAccessObject(entry.getKey(), granted));
    }
    return result;
}
