use of com.yahoo.athenz.zms.store.AthenzDomain in project athenz by yahoo.
the class ZMSImpl method isAllowedResourceLookForAllUsers.
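/**
 * Decides whether the given principal may look up resources across all users.
 *
 * The decision is delegated to policy evaluation in the sys.auth domain for the
 * {@code access} action on the {@code <sys.auth>:resource-lookup-all} resource.
 * The method fails closed: a missing sys.auth domain, or any evaluation result
 * other than {@link AccessStatus#ALLOWED}, yields {@code false}.
 *
 * @param principal the caller; its full name is what the policies are evaluated against
 * @return {@code true} only when policy evaluation explicitly allows the lookup
 */
boolean isAllowedResourceLookForAllUsers(Principal principal) {
    // the authorization policy resides in the official sys.auth domain; if that
    // domain cannot be loaded there is no policy that could grant the lookup
    AthenzDomain domain = getAthenzDomain(SYS_AUTH, true);
    if (domain == null) {
        return false;
    }
    // evaluate the domain's roles and policies to see if access is allowed for
    // the given operation and resource. actions are always lowercase, so the
    // literal "access" matches what incoming requests are normalized to
    String resource = SYS_AUTH + ":resource-lookup-all";
    AccessStatus accessStatus = evaluateAccess(domain, principal.getFullName(),
            "access", resource, null, null);
    // only an explicit ALLOWED grants the lookup; every other status is a denial
    return accessStatus == AccessStatus.ALLOWED;
}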
use of com.yahoo.athenz.zms.store.AthenzDomain in project athenz by yahoo.
the class ZMSImpl method getAccessCheck.
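/**
 * Evaluates whether a principal may perform {@code action} on {@code resource}.
 *
 * Inputs are lower-cased for consistent matching, the owning domain is derived
 * from the resource (and the optional trust domain), and the decision is then
 * computed by {@code hasAccess}. When {@code checkPrincipal} is supplied the
 * decision is evaluated for that principal instead of the caller.
 *
 * @param principal      the authenticated caller
 * @param action         the action being checked; lower-cased before use
 * @param resource       the resource being checked; lower-cased before use
 * @param trustDomain    optional trust domain used when resolving the resource domain, may be null
 * @param checkPrincipal optional principal name to evaluate instead of the caller, may be null
 * @return an {@link Access} whose granted flag is true only for an explicit ALLOWED decision
 * @throws ResourceException not-found when the resource domain cannot be derived or loaded,
 *                           forbidden when the domain is disabled, and unauthorized when
 *                           {@code checkPrincipal} does not resolve to a principal
 */
Access getAccessCheck(Principal principal, String action, String resource, String trustDomain, String checkPrincipal) {
    final String caller = "getaccess";
    if (LOG.isDebugEnabled()) {
        LOG.debug("getAccessCheck:(" + action + ", " + resource + ", " + principal + ", " + trustDomain + ", " + checkPrincipal + ")");
    }
    // for consistent handling of all requests, we're going to convert
    // all incoming object values into lower case (e.g. domain, role,
    // policy, service, etc name)
    action = action.toLowerCase();
    resource = resource.toLowerCase();
    if (checkPrincipal != null) {
        checkPrincipal = checkPrincipal.toLowerCase();
    }
    if (trustDomain != null) {
        trustDomain = trustDomain.toLowerCase();
    }
    // retrieve the domain based on our resource and action/trustDomain pair
    String domainName = retrieveResourceDomain(resource, action, trustDomain);
    if (domainName == null) {
        metric.increment(ZMSConsts.HTTP_REQUEST, ZMSConsts.ZMS_INVALID_DOMAIN);
        metric.increment(caller, ZMSConsts.ZMS_INVALID_DOMAIN);
        throw ZMSUtils.notFoundError("getAccessCheck: Unable to extract resource domain", caller);
    }
    AthenzDomain domain = retrieveAccessDomain(domainName, principal);
    if (domain == null) {
        metric.increment(ZMSConsts.HTTP_REQUEST, ZMSConsts.ZMS_UNKNOWN_DOMAIN);
        metric.increment(caller, ZMSConsts.ZMS_UNKNOWN_DOMAIN);
        throw ZMSUtils.notFoundError("getAccessCheck: Resource Domain not found: '" + domainName + "'", caller);
    }
    // a disabled domain grants nothing. equals() rather than == so that a
    // non-canonical Boolean instance cannot slip past the check; a null
    // enabled flag is still treated as enabled, as before
    if (Boolean.FALSE.equals(domain.getDomain().getEnabled())) {
        throw ZMSUtils.forbiddenError("getAccessCheck: Disabled domain: '" + domainName + "'", caller);
    }
    // start our counter with domain dimension. we're moving the metric here
    // after the domain name has been confirmed as valid since with
    // dimensions we get stuck with persistent indexes so we only want
    // to create them for valid domain names
    metric.increment(ZMSConsts.HTTP_REQUEST, domainName);
    metric.increment(caller, domainName);
    // the timer is stopped in finally so that an exception raised while
    // resolving the check principal or evaluating access cannot leave it running
    Object timerMetric = metric.startTiming("getaccess_timing", domainName);
    try {
        if (checkPrincipal != null) {
            // evaluate the decision for the requested principal rather than the caller
            principal = createPrincipalForName(checkPrincipal);
            if (principal == null) {
                throw ZMSUtils.unauthorizedError("getAccessCheck: Invalid check principal value specified", caller);
            }
        }
        AccessStatus accessStatus = hasAccess(domain, action, resource, principal, trustDomain);
        // only an explicit ALLOWED is reported as granted; any other status is not
        return new Access().setGranted(accessStatus == AccessStatus.ALLOWED);
    } finally {
        metric.stopTiming(timerMetric);
    }
}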
use of com.yahoo.athenz.zms.store.AthenzDomain in project athenz by yahoo.
the class DBService method getAthenzDomain.
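/**
 * Loads the AthenzDomain named {@code domainName}, serving it from the cache
 * when present and otherwise reading it from the object store and caching the
 * freshly loaded copy.
 *
 * @param domainName name of the domain to load
 * @param masterCopy passed to both the cache lookup and the store connection;
 *                   when true the store connection is opened against the master copy
 * @return the domain, or {@code null} when the store does not have it
 */
AthenzDomain getAthenzDomain(String domainName, boolean masterCopy) {
    // first check to see if our data is in the cache
    AthenzDomain athenzDomain = getAthenzDomainFromCache(domainName, masterCopy);
    if (athenzDomain != null) {
        return athenzDomain;
    }
    // try-with-resources releases the store connection on every exit path
    try (ObjectStoreConnection con = store.getConnection(true, masterCopy)) {
        athenzDomain = con.getAthenzDomain(domainName);
        // the store reports an unknown domain as null; only populate
        // members on a domain that actually exists
        if (athenzDomain != null) {
            setMembersInDomain(athenzDomain);
        }
    }
    if (athenzDomain == null) {
        return null;
    }
    // the cache entry is keyed by domain name and records the domain's
    // modification time in milliseconds
    DataCache dataCache = new DataCache(athenzDomain, athenzDomain.getDomain().getModified().millis());
    cacheStore.put(domainName, dataCache);
    return athenzDomain;
}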
use of com.yahoo.athenz.zms.store.AthenzDomain in project athenz by yahoo.
the class DBService method getDelegatedRoleMembers.
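/**
 * Resolves the members of a delegated (trust) role.
 *
 * Every assume_role assertion in the trust domain whose resource matches
 * {@code domainName:role.roleName} contributes the members of each trust-domain
 * role whose name matches the assertion's role glob. Members are de-duplicated
 * by member name.
 *
 * @param domainName  the domain that owns the delegating role
 * @param trustDomain the domain the role is delegated to
 * @param roleName    the delegating role's short name
 * @return the de-duplicated members, or {@code null} when the domain delegates
 *         to itself or the trust domain cannot be loaded
 */
List<RoleMember> getDelegatedRoleMembers(String domainName, String trustDomain, String roleName) {
    if (domainName.equals(trustDomain)) {
        return null;
    }
    // retrieve our trust domain. a failure to load it is handled the same way
    // as a missing domain: the null check below returns null to the caller
    AthenzDomain domain = null;
    try {
        domain = getAthenzDomain(trustDomain, false);
    } catch (ResourceException ignored) {
        // deliberate: treat a load failure as "no such trust domain"
    }
    if (domain == null) {
        return null;
    }
    // keyed by member name so that members matched by several
    // assertions are automatically de-duplicated
    Map<String, RoleMember> roleMembers = new HashMap<>();
    // generate our full role name
    String fullRoleName = ZMSUtils.roleResourceName(domainName, roleName);
    for (Policy policy : domain.getPolicies()) {
        List<Assertion> assertions = policy.getAssertions();
        if (assertions == null) {
            continue;
        }
        for (Assertion assertion : assertions) {
            if (!ZMSUtils.assumeRoleResourceMatch(fullRoleName, assertion)) {
                continue;
            }
            // compile the glob-derived regex once per assertion instead of
            // once per role (String.matches recompiles on every call);
            // matcher().matches() keeps String.matches' whole-string semantics
            java.util.regex.Pattern rolePattern =
                    java.util.regex.Pattern.compile(StringUtils.patternFromGlob(assertion.getRole()));
            for (Role role : domain.getRoles()) {
                // make sure we have members before trying to match the name
                List<RoleMember> members = role.getRoleMembers();
                if (members == null || members.isEmpty()) {
                    continue;
                }
                if (!rolePattern.matcher(role.getName()).matches()) {
                    continue;
                }
                for (RoleMember member : members) {
                    // first occurrence of a member name wins
                    roleMembers.putIfAbsent(member.getMemberName(), member);
                }
            }
        }
    }
    return new ArrayList<>(roleMembers.values());
}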
use of com.yahoo.athenz.zms.store.AthenzDomain in project athenz by yahoo.
the class JDBCConnectionTest method testSetName.
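/**
 * setName must accept a name and the domain must report that name back.
 * The assertion checks the observable effect instead of a tautology;
 * an exception from setName fails the test on its own.
 */
@Test
public void testSetName() {
    AthenzDomain athenzDomain = new AthenzDomain("my-domain");
    athenzDomain.setName("my-domain");
    assertTrue("my-domain".equals(athenzDomain.getName()));
}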