use of com.yahoo.athenz.zms.RoleMember in project athenz by yahoo.
the class SignUtils method asStruct.
private static Struct asStruct(Role role) {
// all of our fields are in canonical order based
// on their attribute name
Struct struct = new Struct();
appendList(struct, ATTR_MEMBERS, role.getMembers());
appendObject(struct, ATTR_MODIFIED, role.getModified());
appendObject(struct, ATTR_NAME, role.getName());
List<RoleMember> roleMembers = role.getRoleMembers();
if (roleMembers != null) {
Array roleMembersArray = new Array();
for (RoleMember roleMember : roleMembers) {
Struct structRoleMember = new Struct();
appendObject(structRoleMember, ATTR_EXPIRATION, roleMember.getExpiration());
appendObject(structRoleMember, ATTR_MEMBER_NAME, roleMember.getMemberName());
roleMembersArray.add(structRoleMember);
}
appendArray(struct, ATTR_ROLE_MEMBERS, roleMembersArray);
}
appendObject(struct, ATTR_TRUST, role.getTrust());
return struct;
}
use of com.yahoo.athenz.zms.RoleMember in project athenz by yahoo.
the class DataCache method processRoleMembers.
/**
* Update {@code memberRoleCache}
* @param roleName the new/updated role
* @param members the list of members of that role
*/
void processRoleMembers(String roleName, List<RoleMember> members) {
if (members == null) {
return;
}
// memberRoleCache: add members
long currentTime = System.currentTimeMillis();
for (RoleMember member : members) {
// if the role member is already expired then there
// is no point to add it to the cache
long expiration = member.getExpiration() == null ? 0 : member.getExpiration().millis();
if (expiration != 0 && expiration < currentTime) {
continue;
}
// we're going to process 3 types of members
// * - all members have access to these roles
// <prefix>* - members with the key name prefix
// <member> - regular members
final String memberName = member.getMemberName();
if (memberName.equals("*")) {
memberAllRoleCache.add(new MemberRole(roleName, expiration));
} else if (memberName.endsWith("*")) {
final String keyName = memberName.substring(0, memberName.length() - 1);
if (!memberPrefixRoleCache.containsKey(keyName)) {
memberPrefixRoleCache.put(keyName, new HashSet<>());
}
final Set<MemberRole> rolesForMember = memberPrefixRoleCache.get(keyName);
rolesForMember.add(new MemberRole(roleName, expiration));
} else {
if (!memberRoleCache.containsKey(memberName)) {
memberRoleCache.put(memberName, new HashSet<>());
}
final Set<MemberRole> rolesForMember = memberRoleCache.get(memberName);
rolesForMember.add(new MemberRole(roleName, expiration));
}
}
}
use of com.yahoo.athenz.zms.RoleMember in project athenz by yahoo.
the class DataCacheTest method testPolicyWithInvalidAssertionRole.
@Test
public void testPolicyWithInvalidAssertionRole() {
Domain domain = new Domain();
domain.setName("testDomain");
Role role1 = new Role();
role1.setName("testDomain.role.role1");
List<RoleMember> members1 = new ArrayList<>();
members1.add(new RoleMember().setMemberName("user_domain.user1"));
members1.add(new RoleMember().setMemberName("user_domain.user2"));
role1.setRoleMembers(members1);
Role role2 = new Role();
role2.setName("testDomain.role.role2");
List<RoleMember> members2 = new ArrayList<>();
members2.add(new RoleMember().setMemberName("user_domain.user2"));
role2.setRoleMembers(members2);
Role role3 = new Role();
role3.setName("testDomain.role.role3");
List<RoleMember> members3 = new ArrayList<>();
members3.add(new RoleMember().setMemberName("user_domain.user3"));
role3.setRoleMembers(members3);
Policy policy = new Policy();
policy.setName("testDomain.policy.policy1");
Assertion assertion = new Assertion();
assertion.setAction("assume_role");
assertion.setEffect(AssertionEffect.ALLOW);
assertion.setResource("testDomain.role");
assertion.setRole("testDomain.role.Invalid");
List<Assertion> assertList = new ArrayList<Assertion>();
assertList.add(assertion);
policy.setAssertions(assertList);
HashMap<String, Role> roleList = new HashMap<>();
roleList.put(role1.getName(), role1);
roleList.put(role2.getName(), role2);
roleList.put(role3.getName(), role3);
DataCache cache = new DataCache();
cache.processRole(role1);
cache.processRole(role2);
cache.processRole(role3);
cache.processPolicy(domain.getName(), policy, roleList);
Set<MemberRole> set1 = cache.getMemberRoleSet("user_domain.user1");
assertNotNull(set1);
assertTrue(set1.contains(new MemberRole("testDomain.role.role1", 0)));
assertEquals(set1.size(), 1);
Set<MemberRole> set2 = cache.getMemberRoleSet("user_domain.user2");
assertNotNull(set2);
assertTrue(set2.contains(new MemberRole("testDomain.role.role1", 0)));
assertTrue(set2.contains(new MemberRole("testDomain.role.role2", 0)));
assertEquals(set2.size(), 2);
Set<MemberRole> set3 = cache.getMemberRoleSet("user_domain.user3");
assertNotNull(set3);
assertTrue(set3.contains(new MemberRole("testDomain.role.role3", 0)));
assertEquals(set3.size(), 1);
}
use of com.yahoo.athenz.zms.RoleMember in project athenz by yahoo.
the class DataCacheTest method testPolicyWithAssertionRoleNoMember.
@Test
public void testPolicyWithAssertionRoleNoMember() {
Domain domain = new Domain();
domain.setName("testDomain");
Role role1 = new Role();
role1.setName("testDomain.role.role1");
Role role2 = new Role();
role2.setName("testDomain.role.role2");
List<RoleMember> members2 = new ArrayList<>();
members2.add(new RoleMember().setMemberName("user_domain.user2"));
role2.setRoleMembers(members2);
Role role3 = new Role();
role3.setName("testDomain.role.role3");
List<RoleMember> members3 = new ArrayList<>();
members3.add(new RoleMember().setMemberName("user_domain.user3"));
role3.setRoleMembers(members3);
Policy policy = new Policy();
policy.setName("testDomain.policy.policy1");
Assertion assertion = new Assertion();
assertion.setAction("assume_role");
assertion.setEffect(AssertionEffect.ALLOW);
assertion.setResource("testDomain.roleA");
assertion.setRole("testDomain.role.role1");
List<Assertion> assertList = new ArrayList<Assertion>();
assertList.add(assertion);
policy.setAssertions(assertList);
HashMap<String, Role> roleList = new HashMap<>();
roleList.put(role1.getName(), role1);
roleList.put(role2.getName(), role2);
roleList.put(role3.getName(), role3);
DataCache cache = new DataCache();
cache.processRole(role1);
cache.processRole(role2);
cache.processRole(role3);
cache.processPolicy(domain.getName(), policy, roleList);
Set<MemberRole> set1 = cache.getMemberRoleSet("user_domain.user1");
assertNull(set1);
Set<MemberRole> set2 = cache.getMemberRoleSet("user_domain.user2");
assertNotNull(set2);
assertTrue(set2.contains(new MemberRole("testDomain.role.role2", 0)));
assertEquals(set2.size(), 1);
Set<MemberRole> set3 = cache.getMemberRoleSet("user_domain.user3");
assertNotNull(set3);
assertTrue(set3.contains(new MemberRole("testDomain.role.role3", 0)));
assertEquals(set3.size(), 1);
}
use of com.yahoo.athenz.zms.RoleMember in project athenz by yahoo.
the class DataCacheTest method testPolicyNoRoleProcessed.
@Test
public void testPolicyNoRoleProcessed() {
Domain domain = new Domain();
domain.setName("testDomain");
Role role1 = new Role();
role1.setName("testDomain.role.role1");
List<RoleMember> members1 = new ArrayList<>();
members1.add(new RoleMember().setMemberName("user_domain.user1"));
role1.setRoleMembers(members1);
Policy policy = new Policy();
policy.setName("testDomain.policy.policy1");
Assertion assertion1 = new Assertion();
assertion1.setAction("assume_role");
assertion1.setEffect(AssertionEffect.ALLOW);
assertion1.setResource("testDomain.roleA");
assertion1.setRole("testDomain.role.role1");
List<Assertion> assertList = new ArrayList<Assertion>();
assertList.add(assertion1);
policy.setAssertions(assertList);
DataCache cache = new DataCache();
HashMap<String, Role> roleList = new HashMap<>();
roleList.put(role1.getName(), role1);
cache.processPolicy(domain.getName(), policy, roleList);
Set<MemberRole> set1 = cache.getMemberRoleSet("user_domain.user1");
assertNotNull(set1);
assertTrue(set1.contains(new MemberRole("testDomain.roleA", 0)));
assertEquals(set1.size(), 1);
Set<MemberRole> set2 = cache.getMemberRoleSet("user_domain.user2");
assertNull(set2);
}
Aggregations