
Example 21 with RoleMember

Use of com.yahoo.athenz.zms.RoleMember in the project athenz by yahoo.

From the class SignUtils, method asStruct.

/**
 * Converts a {@link Role} into the {@link Struct} form used for signing.
 * <p>
 * Attributes are appended in canonical (attribute-name) order so that the
 * serialized form, and anything computed over it, is stable. The
 * {@code roleMembers} attribute is omitted entirely when the role has no
 * roleMembers list, rather than being emitted as an empty array.
 *
 * @param role the role to convert
 * @return the canonical struct representation of the role
 */
private static Struct asStruct(Role role) {
    final Struct out = new Struct();
    // canonical order: members, modified, name, roleMembers, trust
    appendList(out, ATTR_MEMBERS, role.getMembers());
    appendObject(out, ATTR_MODIFIED, role.getModified());
    appendObject(out, ATTR_NAME, role.getName());
    final List<RoleMember> members = role.getRoleMembers();
    if (members != null) {
        final Array memberArray = new Array();
        for (RoleMember rm : members) {
            // each member is itself a struct with its own canonical order
            final Struct entry = new Struct();
            appendObject(entry, ATTR_EXPIRATION, rm.getExpiration());
            appendObject(entry, ATTR_MEMBER_NAME, rm.getMemberName());
            memberArray.add(entry);
        }
        appendArray(out, ATTR_ROLE_MEMBERS, memberArray);
    }
    appendObject(out, ATTR_TRUST, role.getTrust());
    return out;
}

Example 22 with RoleMember

Use of com.yahoo.athenz.zms.RoleMember in the project athenz by yahoo.

From the class DataCache, method processRoleMembers.

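/**
 * Update {@code memberRoleCache} (and the {@code *} / prefix caches) with
 * the members of a role.
 * <p>
 * Members whose expiration is already in the past are not added. Every
 * other member is recorded together with its expiration (0 when the member
 * never expires) so that expiry can be re-evaluated at lookup time rather
 * than only at load time.
 *
 * @param roleName the new/updated role
 * @param members the list of members of that role; {@code null} is a no-op
 */
void processRoleMembers(String roleName, List<RoleMember> members) {
    if (members == null) {
        return;
    }
    // memberRoleCache: add members
    final long currentTime = System.currentTimeMillis();
    for (RoleMember member : members) {
        // if the role member is already expired then there
        // is no point to add it to the cache; 0 means "never expires"
        final long expiration = member.getExpiration() == null ? 0 : member.getExpiration().millis();
        if (expiration != 0 && expiration < currentTime) {
            continue;
        }
        final String memberName = member.getMemberName();
        if (memberName == null) {
            // a member without a name can never match a principal; skip it
            // instead of throwing an NPE part-way through the role
            continue;
        }
        final MemberRole memberRole = new MemberRole(roleName, expiration);
        // we're going to process 3 types of members
        // * - all members have access to these roles
        // <prefix>* - members with the key name prefix
        // <member> - regular members
        if (memberName.equals("*")) {
            memberAllRoleCache.add(memberRole);
        } else if (memberName.endsWith("*")) {
            // strip the trailing wildcard; the remainder is the prefix key
            final String keyName = memberName.substring(0, memberName.length() - 1);
            memberPrefixRoleCache.computeIfAbsent(keyName, k -> new HashSet<>()).add(memberRole);
        } else {
            memberRoleCache.computeIfAbsent(memberName, k -> new HashSet<>()).add(memberRole);
        }
    }
}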

Example 23 with RoleMember

Use of com.yahoo.athenz.zms.RoleMember in the project athenz by yahoo.

From the class DataCacheTest, method testPolicyWithInvalidAssertionRole.

/**
 * A policy whose assume_role assertion names a role that is not part of
 * the domain must not grant anything: the member caches reflect only the
 * three roles that were processed directly.
 */
@Test
public void testPolicyWithInvalidAssertionRole() {
    Domain domain = new Domain();
    domain.setName("testDomain");

    List<RoleMember> role1Members = new ArrayList<>();
    role1Members.add(new RoleMember().setMemberName("user_domain.user1"));
    role1Members.add(new RoleMember().setMemberName("user_domain.user2"));
    Role role1 = new Role();
    role1.setName("testDomain.role.role1");
    role1.setRoleMembers(role1Members);

    List<RoleMember> role2Members = new ArrayList<>();
    role2Members.add(new RoleMember().setMemberName("user_domain.user2"));
    Role role2 = new Role();
    role2.setName("testDomain.role.role2");
    role2.setRoleMembers(role2Members);

    List<RoleMember> role3Members = new ArrayList<>();
    role3Members.add(new RoleMember().setMemberName("user_domain.user3"));
    Role role3 = new Role();
    role3.setName("testDomain.role.role3");
    role3.setRoleMembers(role3Members);

    // the assertion refers to a role that does not exist in the domain
    Assertion invalidRoleAssertion = new Assertion();
    invalidRoleAssertion.setAction("assume_role");
    invalidRoleAssertion.setEffect(AssertionEffect.ALLOW);
    invalidRoleAssertion.setResource("testDomain.role");
    invalidRoleAssertion.setRole("testDomain.role.Invalid");
    List<Assertion> assertions = new ArrayList<>();
    assertions.add(invalidRoleAssertion);
    Policy policy = new Policy();
    policy.setName("testDomain.policy.policy1");
    policy.setAssertions(assertions);

    DataCache cache = new DataCache();
    HashMap<String, Role> rolesByName = new HashMap<>();
    for (Role role : new Role[] { role1, role2, role3 }) {
        rolesByName.put(role.getName(), role);
        cache.processRole(role);
    }
    cache.processPolicy(domain.getName(), policy, rolesByName);

    // user1: role1 only
    Set<MemberRole> user1Roles = cache.getMemberRoleSet("user_domain.user1");
    assertNotNull(user1Roles);
    assertEquals(user1Roles.size(), 1);
    assertTrue(user1Roles.contains(new MemberRole("testDomain.role.role1", 0)));

    // user2: role1 and role2
    Set<MemberRole> user2Roles = cache.getMemberRoleSet("user_domain.user2");
    assertNotNull(user2Roles);
    assertEquals(user2Roles.size(), 2);
    assertTrue(user2Roles.contains(new MemberRole("testDomain.role.role1", 0)));
    assertTrue(user2Roles.contains(new MemberRole("testDomain.role.role2", 0)));

    // user3: role3 only
    Set<MemberRole> user3Roles = cache.getMemberRoleSet("user_domain.user3");
    assertNotNull(user3Roles);
    assertEquals(user3Roles.size(), 1);
    assertTrue(user3Roles.contains(new MemberRole("testDomain.role.role3", 0)));
}

Example 24 with RoleMember

Use of com.yahoo.athenz.zms.RoleMember in the project athenz by yahoo.

From the class DataCacheTest, method testPolicyWithAssertionRoleNoMember.

/**
 * role1 carries no member list at all. A policy granting assume_role on
 * role1 therefore has nobody to expand, and the caches must show only the
 * direct memberships of role2 and role3.
 */
@Test
public void testPolicyWithAssertionRoleNoMember() {
    Domain domain = new Domain();
    domain.setName("testDomain");

    // deliberately no setRoleMembers() on role1
    Role role1 = new Role();
    role1.setName("testDomain.role.role1");

    List<RoleMember> role2Members = new ArrayList<>();
    role2Members.add(new RoleMember().setMemberName("user_domain.user2"));
    Role role2 = new Role();
    role2.setName("testDomain.role.role2");
    role2.setRoleMembers(role2Members);

    List<RoleMember> role3Members = new ArrayList<>();
    role3Members.add(new RoleMember().setMemberName("user_domain.user3"));
    Role role3 = new Role();
    role3.setName("testDomain.role.role3");
    role3.setRoleMembers(role3Members);

    Assertion assumeRole1 = new Assertion();
    assumeRole1.setAction("assume_role");
    assumeRole1.setEffect(AssertionEffect.ALLOW);
    assumeRole1.setResource("testDomain.roleA");
    assumeRole1.setRole("testDomain.role.role1");
    List<Assertion> assertions = new ArrayList<>();
    assertions.add(assumeRole1);
    Policy policy = new Policy();
    policy.setName("testDomain.policy.policy1");
    policy.setAssertions(assertions);

    DataCache cache = new DataCache();
    HashMap<String, Role> rolesByName = new HashMap<>();
    for (Role role : new Role[] { role1, role2, role3 }) {
        rolesByName.put(role.getName(), role);
        cache.processRole(role);
    }
    cache.processPolicy(domain.getName(), policy, rolesByName);

    // nobody was ever a member of role1, so user1 has no entry at all
    assertNull(cache.getMemberRoleSet("user_domain.user1"));

    Set<MemberRole> user2Roles = cache.getMemberRoleSet("user_domain.user2");
    assertNotNull(user2Roles);
    assertEquals(user2Roles.size(), 1);
    assertTrue(user2Roles.contains(new MemberRole("testDomain.role.role2", 0)));

    Set<MemberRole> user3Roles = cache.getMemberRoleSet("user_domain.user3");
    assertNotNull(user3Roles);
    assertEquals(user3Roles.size(), 1);
    assertTrue(user3Roles.contains(new MemberRole("testDomain.role.role3", 0)));
}

Example 25 with RoleMember

Use of com.yahoo.athenz.zms.RoleMember in the project athenz by yahoo.

From the class DataCacheTest, method testPolicyNoRoleProcessed.

/**
 * The policy is processed without any preceding processRole() call, so the
 * role map handed to processPolicy is the only source of members. The
 * expected cache entry for user1 is the assertion's resource role
 * ({@code testDomain.roleA}), not the role the user is listed in.
 */
@Test
public void testPolicyNoRoleProcessed() {
    Domain domain = new Domain();
    domain.setName("testDomain");

    List<RoleMember> role1Members = new ArrayList<>();
    role1Members.add(new RoleMember().setMemberName("user_domain.user1"));
    Role role1 = new Role();
    role1.setName("testDomain.role.role1");
    role1.setRoleMembers(role1Members);

    Assertion assumeRole1 = new Assertion();
    assumeRole1.setAction("assume_role");
    assumeRole1.setEffect(AssertionEffect.ALLOW);
    assumeRole1.setResource("testDomain.roleA");
    assumeRole1.setRole("testDomain.role.role1");
    List<Assertion> assertions = new ArrayList<>();
    assertions.add(assumeRole1);
    Policy policy = new Policy();
    policy.setName("testDomain.policy.policy1");
    policy.setAssertions(assertions);

    HashMap<String, Role> rolesByName = new HashMap<>();
    rolesByName.put(role1.getName(), role1);

    // note: no cache.processRole(role1) here on purpose
    DataCache cache = new DataCache();
    cache.processPolicy(domain.getName(), policy, rolesByName);

    Set<MemberRole> user1Roles = cache.getMemberRoleSet("user_domain.user1");
    assertNotNull(user1Roles);
    assertEquals(user1Roles.size(), 1);
    assertTrue(user1Roles.contains(new MemberRole("testDomain.roleA", 0)));

    // user2 never appears anywhere
    assertNull(cache.getMemberRoleSet("user_domain.user2"));
}
