use of com.yahoo.athenz.zms.store.AthenzDomain in project athenz by yahoo.
the class ZMSImpl method isAllowedDeletePendingMembership.
boolean isAllowedDeletePendingMembership(Principal principal, final String domainName, final String roleName, final String memberName) {
// first lets check if the principal has update access on the role
AthenzDomain domain = getAthenzDomain(domainName, false);
if (domain == null) {
throw ZMSUtils.notFoundError("Domain not found: " + domainName, "deletePendingMembership");
}
if (isAllowedPutMembershipAccess(principal, domain, ResourceUtils.roleResourceName(domainName, roleName))) {
return true;
}
// check of the requestor of the pending request is the principal
Membership pendingMember = dbService.getMembership(domainName, roleName, memberName, 0, true);
return pendingMember != null && principal.getFullName().equals(pendingMember.getRequestPrincipal());
}
use of com.yahoo.athenz.zms.store.AthenzDomain in project athenz by yahoo.
the class ZMSImplTest method testSetupPolicyListWithAssertions.
@Test
public void testSetupPolicyListWithAssertions() {
final String domainName = "setup-policy-with-assert";
TopLevelDomain dom1 = createTopLevelDomainObject(domainName, "Test Domain1", "testOrg", adminUser);
zms.postTopLevelDomain(mockDomRsrcCtx, auditRef, dom1);
Policy policy1 = createPolicyObject(domainName, "policy1");
zms.putPolicy(mockDomRsrcCtx, domainName, "policy1", auditRef, policy1);
Policy policy2 = createPolicyObject(domainName, "policy2");
zms.putPolicy(mockDomRsrcCtx, domainName, "policy2", auditRef, policy2);
AthenzDomain domain = zms.getAthenzDomain(domainName, false);
List<Policy> policies = zms.setupPolicyList(domain, Boolean.valueOf(true));
// need to account for admin policy
assertEquals(3, policies.size());
boolean policy1Check = false;
boolean policy2Check = false;
List<Assertion> testAssertions = null;
for (Policy policy : policies) {
switch(policy.getName()) {
case "setup-policy-with-assert:policy.policy1":
testAssertions = policy.getAssertions();
assertEquals(testAssertions.size(), 1);
policy1Check = true;
break;
case "setup-policy-with-assert:policy.policy2":
testAssertions = policy.getAssertions();
assertEquals(testAssertions.size(), 1);
policy2Check = true;
break;
}
}
assertTrue(policy1Check);
assertTrue(policy2Check);
zms.deleteTopLevelDomain(mockDomRsrcCtx, domainName, auditRef);
}
use of com.yahoo.athenz.zms.store.AthenzDomain in project athenz by yahoo.
the class ZMSImpl method retrieveSignedDomain.
SignedDomain retrieveSignedDomain(String domainName, long modifiedTime, Boolean setMetaDataOnly) {
// generate our signed domain object
SignedDomain signedDomain = new SignedDomain();
DomainData domainData = new DomainData().setName(domainName);
signedDomain.setDomain(domainData);
domainData.setModified(Timestamp.fromMillis(modifiedTime));
if (setMetaDataOnly) {
return signedDomain;
}
if (LOG.isDebugEnabled()) {
LOG.debug("retrieveSignedDomain: retrieving domain " + domainName);
}
AthenzDomain athenzDomain = getAthenzDomain(domainName, true, true);
if (athenzDomain == null) {
return null;
}
if (athenzDomain.getDomain().getEnabled() == Boolean.FALSE) {
domainData.setEnabled(athenzDomain.getDomain().getEnabled());
}
domainData.setAccount(athenzDomain.getDomain().getAccount());
domainData.setYpmId(athenzDomain.getDomain().getYpmId());
domainData.setRoles(athenzDomain.getRoles());
domainData.setServices(athenzDomain.getServices());
domainData.setApplicationId(athenzDomain.getDomain().getApplicationId());
// generate the domain policy object that includes the domain
// name and all policies. Then we'll sign this struct using
// server's private key to get signed policy object
DomainPolicies domainPolicies = new DomainPolicies().setDomain(domainName);
domainPolicies.setPolicies(getPolicyListWithoutAssertionId(athenzDomain.getPolicies()));
SignedPolicies signedPolicies = new SignedPolicies();
signedPolicies.setContents(domainPolicies);
domainData.setPolicies(signedPolicies);
String signature = Crypto.sign(SignUtils.asCanonicalString(signedDomain.getDomain().getPolicies().getContents()), privateKey);
signedDomain.getDomain().getPolicies().setSignature(signature).setKeyId(privateKeyId);
// then sign the data and set the data and signature in a SignedDomain
signature = Crypto.sign(SignUtils.asCanonicalString(signedDomain.getDomain()), privateKey);
signedDomain.setSignature(signature).setKeyId(privateKeyId);
return signedDomain;
}
use of com.yahoo.athenz.zms.store.AthenzDomain in project athenz by yahoo.
the class ZMSImpl method isAuthorizedProviderService.
boolean isAuthorizedProviderService(String authorizedService, String provSvcDomain, String provSvcName, String tenantDomain, String auditRef) {
if (authorizedService == null) {
return false;
}
if (!authorizedService.equals(provSvcDomain + "." + provSvcName)) {
return false;
}
// verify that provider service does indeed have access to provision
// its own tenants. the authorize statement for the putTenantRole
// command is defined in the RDL as:
// authorize ("UPDATE", "{domain}:tenant.{tenantDomain}");
AthenzDomain domain = getAthenzDomain(provSvcDomain, true);
if (domain == null) {
return false;
}
// evaluate our domain's roles and policies to see if access
// is allowed or not for the given operation and resource
String resource = provSvcDomain + ":tenant." + tenantDomain;
AccessStatus accessStatus = evaluateAccess(domain, authorizedService, "update", resource, null, null);
if (accessStatus == AccessStatus.ALLOWED) {
return true;
} else {
return false;
}
}
use of com.yahoo.athenz.zms.store.AthenzDomain in project athenz by yahoo.
the class ZMSImpl method isSysAdminUser.
boolean isSysAdminUser(Principal principal) {
if (!principal.getDomain().equals(userDomain)) {
return false;
}
AthenzDomain domain = getAthenzDomain(SYS_AUTH, true);
if (domain == null) {
return false;
}
// evaluate our domain's roles and policies to see if access
// is allowed or not for the given operation and resource
// our action are always converted to lowercase
String resource = SYS_AUTH + ":domain";
AccessStatus accessStatus = evaluateAccess(domain, principal.getFullName(), "create", resource, null, null);
if (accessStatus == AccessStatus.ALLOWED) {
return true;
} else {
return false;
}
}
Aggregations