
Example 46 with AthenzDomain

use of com.yahoo.athenz.zms.store.AthenzDomain in project athenz by yahoo.

In class ZMSImpl, method isAllowedDeletePendingMembership:

/**
 * Decides whether {@code principal} may delete the pending membership of
 * {@code memberName} in role {@code roleName} of domain {@code domainName}.
 *
 * <p>Two paths grant access: the principal has put-membership access on the
 * role resource, or the principal is the one recorded as the requestor of the
 * pending entry. When the domain does not exist the not-found error produced
 * by {@code ZMSUtils.notFoundError} is thrown.
 *
 * @param principal  caller whose access is being evaluated
 * @param domainName domain that owns the role
 * @param roleName   role holding the pending membership
 * @param memberName member whose pending entry would be removed
 * @return {@code true} when deletion is permitted
 */
boolean isAllowedDeletePendingMembership(Principal principal, final String domainName, final String roleName, final String memberName) {
    AthenzDomain domain = getAthenzDomain(domainName, false);
    if (domain == null) {
        throw ZMSUtils.notFoundError("Domain not found: " + domainName, "deletePendingMembership");
    }
    // role-level update access short-circuits the ownership check below
    final String roleResource = ResourceUtils.roleResourceName(domainName, roleName);
    final boolean hasUpdateAccess = isAllowedPutMembershipAccess(principal, domain, roleResource);
    if (hasUpdateAccess) {
        return true;
    }
    // otherwise only the requestor of the pending entry may withdraw it
    Membership pending = dbService.getMembership(domainName, roleName, memberName, 0, true);
    if (pending == null) {
        return false;
    }
    return principal.getFullName().equals(pending.getRequestPrincipal());
}
Also used : AthenzDomain(com.yahoo.athenz.zms.store.AthenzDomain)

Example 47 with AthenzDomain

use of com.yahoo.athenz.zms.store.AthenzDomain in project athenz by yahoo.

In class ZMSImplTest, method testSetupPolicyListWithAssertions:

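/**
 * Verifies that {@code setupPolicyList} returns every policy of a domain,
 * including the admin policy created with the domain, and that the two
 * explicitly created policies each carry their single assertion.
 *
 * <p>The domain is deleted in a {@code finally} block so that a failing
 * assertion does not leave the test domain behind for later tests.
 */
@Test
public void testSetupPolicyListWithAssertions() {
    final String domainName = "setup-policy-with-assert";
    TopLevelDomain dom1 = createTopLevelDomainObject(domainName, "Test Domain1", "testOrg", adminUser);
    zms.postTopLevelDomain(mockDomRsrcCtx, auditRef, dom1);
    try {
        Policy policy1 = createPolicyObject(domainName, "policy1");
        zms.putPolicy(mockDomRsrcCtx, domainName, "policy1", auditRef, policy1);
        Policy policy2 = createPolicyObject(domainName, "policy2");
        zms.putPolicy(mockDomRsrcCtx, domainName, "policy2", auditRef, policy2);
        AthenzDomain domain = zms.getAthenzDomain(domainName, false);
        List<Policy> policies = zms.setupPolicyList(domain, Boolean.TRUE);
        // two created policies plus the admin policy that comes with the domain
        // (TestNG argument order is actual, expected)
        assertEquals(policies.size(), 3);
        boolean policy1Check = false;
        boolean policy2Check = false;
        for (Policy policy : policies) {
            switch (policy.getName()) {
                case "setup-policy-with-assert:policy.policy1":
                    assertEquals(policy.getAssertions().size(), 1);
                    policy1Check = true;
                    break;
                case "setup-policy-with-assert:policy.policy2":
                    assertEquals(policy.getAssertions().size(), 1);
                    policy2Check = true;
                    break;
                default:
                    // the admin policy is expected here; nothing to check on it
                    break;
            }
        }
        assertTrue(policy1Check);
        assertTrue(policy2Check);
    } finally {
        zms.deleteTopLevelDomain(mockDomRsrcCtx, domainName, auditRef);
    }
}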
Also used : AthenzDomain(com.yahoo.athenz.zms.store.AthenzDomain)

Example 48 with AthenzDomain

use of com.yahoo.athenz.zms.store.AthenzDomain in project athenz by yahoo.

In class ZMSImpl, method retrieveSignedDomain:

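/**
 * Builds the {@link SignedDomain} representation of {@code domainName}.
 *
 * <p>When only metadata is requested the result carries just the domain name
 * and modification time and is not signed. Otherwise the full domain (roles,
 * services, policies and selected attributes) is loaded, the policy set is
 * signed first with the server private key, and then the whole domain data
 * (which now embeds the policy signature) is signed.
 *
 * @param domainName      domain to retrieve
 * @param modifiedTime    modification timestamp (millis) to record on the result
 * @param setMetaDataOnly when {@code true} only name and modification time are
 *                        filled in; {@code null} is treated as {@code false}
 *                        instead of failing on auto-unboxing
 * @return the signed domain, or {@code null} when the domain cannot be loaded
 */
SignedDomain retrieveSignedDomain(String domainName, long modifiedTime, Boolean setMetaDataOnly) {
    // generate our signed domain object
    SignedDomain signedDomain = new SignedDomain();
    DomainData domainData = new DomainData().setName(domainName);
    signedDomain.setDomain(domainData);
    domainData.setModified(Timestamp.fromMillis(modifiedTime));
    // null-safe check: the parameter is a boxed Boolean and a plain
    // if (setMetaDataOnly) would throw NullPointerException on null
    if (Boolean.TRUE.equals(setMetaDataOnly)) {
        return signedDomain;
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("retrieveSignedDomain: retrieving domain " + domainName);
    }
    AthenzDomain athenzDomain = getAthenzDomain(domainName, true, true);
    if (athenzDomain == null) {
        return null;
    }
    // compare by value: a Boolean produced by boxing or deserialization is not
    // guaranteed to be the canonical Boolean.FALSE instance, so == could miss it
    Boolean enabled = athenzDomain.getDomain().getEnabled();
    if (Boolean.FALSE.equals(enabled)) {
        domainData.setEnabled(enabled);
    }
    domainData.setAccount(athenzDomain.getDomain().getAccount());
    domainData.setYpmId(athenzDomain.getDomain().getYpmId());
    domainData.setRoles(athenzDomain.getRoles());
    domainData.setServices(athenzDomain.getServices());
    domainData.setApplicationId(athenzDomain.getDomain().getApplicationId());
    // generate the domain policy object that includes the domain
    // name and all policies. Then we'll sign this struct using
    // server's private key to get signed policy object
    DomainPolicies domainPolicies = new DomainPolicies().setDomain(domainName);
    domainPolicies.setPolicies(getPolicyListWithoutAssertionId(athenzDomain.getPolicies()));
    SignedPolicies signedPolicies = new SignedPolicies();
    signedPolicies.setContents(domainPolicies);
    domainData.setPolicies(signedPolicies);
    String signature = Crypto.sign(SignUtils.asCanonicalString(signedDomain.getDomain().getPolicies().getContents()), privateKey);
    signedDomain.getDomain().getPolicies().setSignature(signature).setKeyId(privateKeyId);
    // the policy signature set above is part of the canonical form signed here,
    // so the order of the two sign calls must not be swapped
    signature = Crypto.sign(SignUtils.asCanonicalString(signedDomain.getDomain()), privateKey);
    signedDomain.setSignature(signature).setKeyId(privateKeyId);
    return signedDomain;
}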
Also used : AthenzDomain(com.yahoo.athenz.zms.store.AthenzDomain)

Example 49 with AthenzDomain

use of com.yahoo.athenz.zms.store.AthenzDomain in project athenz by yahoo.

In class ZMSImpl, method isAuthorizedProviderService:

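/**
 * Checks whether {@code authorizedService} is the provider service
 * {@code provSvcDomain.provSvcName} and that this service is allowed, by the
 * provider domain's own roles and policies, to provision {@code tenantDomain}.
 *
 * <p>The authorize statement for the putTenantRole command is defined in the
 * RDL as {@code authorize ("UPDATE", "{domain}:tenant.{tenantDomain}")}; the
 * same action and resource are evaluated here.
 *
 * @param authorizedService fully qualified service name of the caller, may be {@code null}
 * @param provSvcDomain     domain of the provider service
 * @param provSvcName       name of the provider service
 * @param tenantDomain      tenant domain being provisioned
 * @param auditRef          audit reference (not used by this check)
 * @return {@code true} only when the names match and access evaluates to ALLOWED
 */
boolean isAuthorizedProviderService(String authorizedService, String provSvcDomain, String provSvcName, String tenantDomain, String auditRef) {
    if (authorizedService == null) {
        return false;
    }
    if (!authorizedService.equals(provSvcDomain + "." + provSvcName)) {
        return false;
    }
    // verify that provider service does indeed have access to provision
    // its own tenants; a missing provider domain means no access
    AthenzDomain domain = getAthenzDomain(provSvcDomain, true);
    if (domain == null) {
        return false;
    }
    // evaluate our domain's roles and policies to see if access
    // is allowed or not for the given operation and resource
    String resource = provSvcDomain + ":tenant." + tenantDomain;
    AccessStatus accessStatus = evaluateAccess(domain, authorizedService, "update", resource, null, null);
    // only an explicit ALLOWED grants access; every other status is denied
    return accessStatus == AccessStatus.ALLOWED;
}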
Also used : AthenzDomain(com.yahoo.athenz.zms.store.AthenzDomain)

Example 50 with AthenzDomain

use of com.yahoo.athenz.zms.store.AthenzDomain in project athenz by yahoo.

In class ZMSImpl, method isSysAdminUser:

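/**
 * Reports whether {@code principal} is a system administrator.
 *
 * <p>Only principals from the configured user domain qualify; for those the
 * {@code SYS_AUTH} domain's roles and policies are evaluated for the
 * {@code create} action on the {@code SYS_AUTH:domain} resource.
 *
 * @param principal caller to check
 * @return {@code true} only when access evaluates to ALLOWED
 */
boolean isSysAdminUser(Principal principal) {
    // sys-admin rights are limited to principals of the user domain
    if (!principal.getDomain().equals(userDomain)) {
        return false;
    }
    AthenzDomain domain = getAthenzDomain(SYS_AUTH, true);
    if (domain == null) {
        return false;
    }
    // evaluate our domain's roles and policies to see if access
    // is allowed or not for the given operation and resource
    // our action are always converted to lowercase
    String resource = SYS_AUTH + ":domain";
    AccessStatus accessStatus = evaluateAccess(domain, principal.getFullName(), "create", resource, null, null);
    // only an explicit ALLOWED grants access; every other status is denied
    return accessStatus == AccessStatus.ALLOWED;
}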
Also used : AthenzDomain(com.yahoo.athenz.zms.store.AthenzDomain)

Aggregations

AthenzDomain (com.yahoo.athenz.zms.store.AthenzDomain)104 Test (org.testng.annotations.Test)28 Principal (com.yahoo.athenz.auth.Principal)14 Authority (com.yahoo.athenz.auth.Authority)13 MetricNotificationService (com.yahoo.athenz.common.server.notification.impl.MetricNotificationService)13 ZMSNotificationManagerTest.getNotificationManager (com.yahoo.athenz.zms.notification.ZMSNotificationManagerTest.getNotificationManager)13 DBService (com.yahoo.athenz.zms.DBService)6 Role (com.yahoo.athenz.zms.Role)6 RoleMember (com.yahoo.athenz.zms.RoleMember)6 ObjectStore (com.yahoo.athenz.zms.store.ObjectStore)3 ObjectStoreConnection (com.yahoo.athenz.zms.store.ObjectStoreConnection)3 java.sql (java.sql)3 SQLException (java.sql.SQLException)2 AuthzDetailsEntity (com.yahoo.athenz.common.config.AuthzDetailsEntity)1 DomainRoleMembersFetcher (com.yahoo.athenz.common.server.notification.DomainRoleMembersFetcher)1 DataCache (com.yahoo.athenz.zms.DBService.DataCache)1 Domain (com.yahoo.athenz.zms.Domain)1 ResourceException (com.yahoo.athenz.zms.ResourceException)1 JDBCConnection (com.yahoo.athenz.zms.store.jdbc.JDBCConnection)1 Timestamp (com.yahoo.rdl.Timestamp)1