Example 1 with AthenzDomain

Use of com.yahoo.athenz.zms.store.AthenzDomain in the project athenz by yahoo.

From the class ZMSImpl, method isAllowedResourceLookForAllUsers.

boolean isAllowedResourceLookForAllUsers(Principal principal) {
    // the authorization policy resides in the official sys.auth domain
    AthenzDomain domain = getAthenzDomain(SYS_AUTH, true);
    if (domain == null) {
        return false;
    }
    // evaluate the domain's roles and policies to see if access
    // is allowed or not for the given operation and resource.
    // actions are always compared in lowercase, so the literal
    // action passed here must already be lowercase
    String resource = SYS_AUTH + ":resource-lookup-all";
    AccessStatus accessStatus = evaluateAccess(domain, principal.getFullName(), "access", resource, null, null);
    return accessStatus == AccessStatus.ALLOWED;
}
Also used: AthenzDomain (com.yahoo.athenz.zms.store.AthenzDomain)

Example 2 with AthenzDomain

Use of com.yahoo.athenz.zms.store.AthenzDomain in the project athenz by yahoo.

From the class ZMSImpl, method getAccessCheck.

Access getAccessCheck(Principal principal, String action, String resource, String trustDomain, String checkPrincipal) {
    final String caller = "getaccess";
    if (LOG.isDebugEnabled()) {
        LOG.debug("getAccessCheck:(" + action + ", " + resource + ", " + principal + ", " + trustDomain + ", " + checkPrincipal + ")");
    }
    // for consistent handling of all requests, we're going to convert
    // all incoming object values into lower case (e.g. domain, role,
    // policy, service, etc name)
    action = action.toLowerCase();
    resource = resource.toLowerCase();
    if (checkPrincipal != null) {
        checkPrincipal = checkPrincipal.toLowerCase();
    }
    if (trustDomain != null) {
        trustDomain = trustDomain.toLowerCase();
    }
    // retrieve the domain based on our resource and action/trustDomain pair
    String domainName = retrieveResourceDomain(resource, action, trustDomain);
    if (domainName == null) {
        metric.increment(ZMSConsts.HTTP_REQUEST, ZMSConsts.ZMS_INVALID_DOMAIN);
        metric.increment(caller, ZMSConsts.ZMS_INVALID_DOMAIN);
        throw ZMSUtils.notFoundError("getAccessCheck: Unable to extract resource domain", caller);
    }
    AthenzDomain domain = retrieveAccessDomain(domainName, principal);
    if (domain == null) {
        metric.increment(ZMSConsts.HTTP_REQUEST, ZMSConsts.ZMS_UNKNOWN_DOMAIN);
        metric.increment(caller, ZMSConsts.ZMS_UNKNOWN_DOMAIN);
        throw ZMSUtils.notFoundError("getAccessCheck: Resource Domain not found: '" + domainName + "'", caller);
    }
    // use equals() rather than == so that a non-canonical Boolean instance
    // is still recognised as a disabled domain
    if (Boolean.FALSE.equals(domain.getDomain().getEnabled())) {
        throw ZMSUtils.forbiddenError("getAccessCheck: Disabled domain: '" + domainName + "'", caller);
    }
    // start our counter with domain dimension. we're moving the metric here
    // after the domain name has been confirmed as valid since with
    // dimensions we get stuck with persistent indexes so we only want
    // to create them for valid domain names
    metric.increment(ZMSConsts.HTTP_REQUEST, domainName);
    metric.increment(caller, domainName);
    Object timerMetric = metric.startTiming("getaccess_timing", domainName);
    // if a check principal was supplied, the access decision is evaluated
    // for that principal instead of the caller
    if (checkPrincipal != null) {
        principal = createPrincipalForName(checkPrincipal);
        if (principal == null) {
            throw ZMSUtils.unauthorizedError("getAccessCheck: Invalid check principal value specified", caller);
        }
    }
    AccessStatus accessStatus = hasAccess(domain, action, resource, principal, trustDomain);
    boolean accessAllowed = (accessStatus == AccessStatus.ALLOWED);
    Access access = new Access().setGranted(accessAllowed);
    metric.stopTiming(timerMetric);
    return access;
}
Also used: AthenzDomain (com.yahoo.athenz.zms.store.AthenzDomain)

Example 3 with AthenzDomain

Use of com.yahoo.athenz.zms.store.AthenzDomain in the project athenz by yahoo.

From the class DBService, method getAthenzDomain.

AthenzDomain getAthenzDomain(String domainName, boolean masterCopy) {
    // first check to see if our data is already in the cache
    AthenzDomain athenzDomain = getAthenzDomainFromCache(domainName, masterCopy);
    if (athenzDomain != null) {
        return athenzDomain;
    }
    // not cached: read the domain from the object store, asking for the
    // master copy when the caller requires the most recent data
    try (ObjectStoreConnection con = store.getConnection(true, masterCopy)) {
        athenzDomain = con.getAthenzDomain(domainName);
        setMembersInDomain(athenzDomain);
    }
    // cache the domain keyed by its last-modified timestamp so later
    // lookups can detect a stale entry
    if (athenzDomain != null) {
        DataCache dataCache = new DataCache(athenzDomain, athenzDomain.getDomain().getModified().millis());
        cacheStore.put(domainName, dataCache);
    }
    return athenzDomain;
}
Also used: AthenzDomain (com.yahoo.athenz.zms.store.AthenzDomain), ObjectStoreConnection (com.yahoo.athenz.zms.store.ObjectStoreConnection)

Example 4 with AthenzDomain

Use of com.yahoo.athenz.zms.store.AthenzDomain in the project athenz by yahoo.

From the class DBService, method getDelegatedRoleMembers.

List<RoleMember> getDelegatedRoleMembers(String domainName, String trustDomain, String roleName) {
    // a role cannot delegate to its own domain
    if (domainName.equals(trustDomain)) {
        return null;
    }
    // retrieve our trust domain
    AthenzDomain domain = null;
    try {
        domain = getAthenzDomain(trustDomain, false);
    } catch (ResourceException ex) {
        // a trust domain that cannot be read is treated as having no delegated members
    }
    if (domain == null) {
        return null;
    }
    // we key by member name since we might be matching
    // multiple assertions and we want to automatically
    // skip any duplicate members
    Map<String, RoleMember> roleMembers = new HashMap<>();
    // generate our full role name
    String fullRoleName = ZMSUtils.roleResourceName(domainName, roleName);
    for (Policy policy : domain.getPolicies()) {
        List<Assertion> assertions = policy.getAssertions();
        if (assertions == null) {
            continue;
        }
        for (Assertion assertion : assertions) {
            if (!ZMSUtils.assumeRoleResourceMatch(fullRoleName, assertion)) {
                continue;
            }
            String rolePattern = StringUtils.patternFromGlob(assertion.getRole());
            for (Role role : domain.getRoles()) {
                // make sure we have members before trying to match the name
                List<RoleMember> members = role.getRoleMembers();
                if (members == null || members.isEmpty()) {
                    continue;
                }
                if (!role.getName().matches(rolePattern)) {
                    continue;
                }
                for (RoleMember member : members) {
                    String memberName = member.getMemberName();
                    if (!roleMembers.containsKey(memberName)) {
                        roleMembers.put(memberName, member);
                    }
                }
            }
        }
    }
    return new ArrayList<>(roleMembers.values());
}
Also used: AthenzDomain (com.yahoo.athenz.zms.store.AthenzDomain), HashMap (java.util.HashMap), ArrayList (java.util.ArrayList)

Example 5 with AthenzDomain

Use of com.yahoo.athenz.zms.store.AthenzDomain in the project athenz by yahoo.

From the class JDBCConnectionTest, method testSetName.

@Test
public void testSetName() {
    // constructing a domain and re-setting its name must not throw
    AthenzDomain athenzDomain = new AthenzDomain("my-domain");
    try {
        athenzDomain.setName("my-domain");
    } catch (Exception ex) {
        fail();
    }
    assertTrue(true);
}
Also used: AthenzDomain (com.yahoo.athenz.zms.store.AthenzDomain), ResourceException (com.yahoo.athenz.zms.ResourceException), SQLException (java.sql.SQLException), Test (org.testng.annotations.Test)

Aggregations (class, with number of usages in the project)

AthenzDomain (com.yahoo.athenz.zms.store.AthenzDomain): 104
Test (org.testng.annotations.Test): 28
Principal (com.yahoo.athenz.auth.Principal): 14
Authority (com.yahoo.athenz.auth.Authority): 13
MetricNotificationService (com.yahoo.athenz.common.server.notification.impl.MetricNotificationService): 13
ZMSNotificationManagerTest.getNotificationManager (com.yahoo.athenz.zms.notification.ZMSNotificationManagerTest.getNotificationManager): 13
DBService (com.yahoo.athenz.zms.DBService): 6
Role (com.yahoo.athenz.zms.Role): 6
RoleMember (com.yahoo.athenz.zms.RoleMember): 6
ObjectStore (com.yahoo.athenz.zms.store.ObjectStore): 3
ObjectStoreConnection (com.yahoo.athenz.zms.store.ObjectStoreConnection): 3
java.sql (java.sql): 3
SQLException (java.sql.SQLException): 2
AuthzDetailsEntity (com.yahoo.athenz.common.config.AuthzDetailsEntity): 1
DomainRoleMembersFetcher (com.yahoo.athenz.common.server.notification.DomainRoleMembersFetcher): 1
DataCache (com.yahoo.athenz.zms.DBService.DataCache): 1
Domain (com.yahoo.athenz.zms.Domain): 1
ResourceException (com.yahoo.athenz.zms.ResourceException): 1
JDBCConnection (com.yahoo.athenz.zms.store.jdbc.JDBCConnection): 1
Timestamp (com.yahoo.rdl.Timestamp): 1