
Example 71 with AthenzDomain

use of com.yahoo.athenz.zms.store.AthenzDomain in project athenz by yahoo.

From class ZMSImpl, method putRoleMeta.

/**
 * Replaces the metadata of an existing role.
 *
 * <p>Processing order: read-only gate, request/argument validation,
 * lower-casing of names and of the meta object, user-authority attribute
 * checks, authorized-service verification, domain/role lookup, access
 * check, group-member authority check, and finally the store update via
 * {@code dbService}. The order decides which error a caller sees first, so
 * the statements must not be reshuffled.
 *
 * <p>NOTE(review): the "not found" response for a missing role is produced
 * before the access check, so the response code alone tells an unauthorized
 * caller whether the role exists; whether that is acceptable depends on the
 * project's disclosure policy.
 *
 * @param ctx        request context; cast to {@code RsrcCtxWrapper} to obtain the principal
 * @param domainName domain that owns the role (lower-cased before use)
 * @param roleName   role whose metadata is replaced (lower-cased before use)
 * @param auditRef   audit reference recorded with the change
 * @param meta       new role metadata; its values are lower-cased in place
 */
@Override
public void putRoleMeta(ResourceContext ctx, String domainName, String roleName, String auditRef, RoleMeta meta) {
    final String apiName = ctx.getApiName();
    logPrincipal(ctx);

    // writes are refused outright while the server is in read-only mode
    if (readOnlyMode.get()) {
        throw ZMSUtils.requestError(SERVER_READ_ONLY_MESSAGE, apiName);
    }

    // request-level and argument-level validation: the schema validator
    // enforces the declared patterns, validateRoleMetaValues covers the
    // integer/string checks the schema cannot express (e.g. no negatives)
    validateRequest(ctx.request(), apiName);
    validate(domainName, TYPE_DOMAIN_NAME, apiName);
    validate(roleName, TYPE_ENTITY_NAME, apiName);
    validate(meta, TYPE_ROLE_META, apiName);
    validateRoleMetaValues(meta);

    // object names are normalized to lower case so every request is handled
    // consistently regardless of how the caller spelled them
    // NOTE(review): toLowerCase() uses the default locale; the rest of the
    // project does the same, so any change must be made consistently
    domainName = domainName.toLowerCase();
    setRequestDomain(ctx, domainName);
    roleName = roleName.toLowerCase();
    AthenzObject.ROLE_META.convertToLowerCase(meta);

    // optional user-authority filter/expiration settings
    validateUserAuthorityAttributes(meta.getUserAuthorityFilter(), meta.getUserAuthorityExpiration(), apiName);

    // the request must originate from a service authorized for this API
    final Principal requester = ((RsrcCtxWrapper) ctx).principal();
    verifyAuthorizedServiceOperation(requester.getAuthorizedService(), apiName);

    // resolve the target domain and role
    final AthenzDomain athenzDomain = getAthenzDomain(domainName, false);
    final Role targetRole = getRoleFromDomain(roleName, athenzDomain);
    if (targetRole == null) {
        throw ZMSUtils.notFoundError("Invalid domain/role name specified", apiName);
    }
    if (!isAllowedPutRoleMetaAccess(requester, athenzDomain, targetRole.getName())) {
        throw ZMSUtils.forbiddenError("putRoleMeta: principal is not authorized to update metadata", apiName);
    }

    // when the role contains groups, the group members must carry the same
    // user-authority filters, otherwise the filter cannot be applied
    validateGroupMemberAuthorityAttributes(targetRole, meta.getUserAuthorityFilter(), meta.getUserAuthorityExpiration(), apiName);

    if (LOG.isDebugEnabled()) {
        LOG.debug("putRoleMeta: name={}, role={} meta={}", domainName, roleName, meta);
    }
    dbService.executePutRoleMeta(ctx, domainName, roleName, targetRole, meta, auditRef, apiName);
}

Example 72 with AthenzDomain

use of com.yahoo.athenz.zms.store.AthenzDomain in project athenz by yahoo.

From class ZMSImpl, method postSubDomain.

/**
 * Creates a sub-domain underneath an existing parent domain.
 *
 * <p>Processing order: read-only gate, request/argument validation,
 * lower-casing of the parent name and of {@code detail}, underscore
 * restriction (only system administrators may use '_' in the name),
 * authorized-service verification, parent-name consistency check, virtual
 * sub-domain quota check, template validation, parent lookup, inheritance of
 * parent settings, admin-user normalization, value validation and finally
 * the create. The order decides which error a caller sees first.
 *
 * <p>The sub-domain's {@code auditEnabled}, {@code org} and
 * {@code userAuthorityFilter} are taken from the parent domain; whatever the
 * request carried for those three fields is overwritten.
 *
 * @param ctx      request context; cast to {@code RsrcCtxWrapper} to obtain the principal
 * @param parent   name of the parent domain (lower-cased before use)
 * @param auditRef audit reference recorded with the change
 * @param detail   sub-domain description; values are lower-cased and some fields overwritten in place
 * @return the created domain as returned by {@code createSubDomain}
 */
public Domain postSubDomain(ResourceContext ctx, String parent, String auditRef, SubDomain detail) {
    final String apiName = ctx.getApiName();
    logPrincipal(ctx);

    // writes are refused outright while the server is in read-only mode
    if (readOnlyMode.get()) {
        throw ZMSUtils.requestError(SERVER_READ_ONLY_MESSAGE, apiName);
    }

    validateRequest(ctx.request(), apiName);
    validate(detail, TYPE_SUB_DOMAIN, apiName);
    validate(parent, TYPE_DOMAIN_NAME, apiName);
    validate(detail.getName(), TYPE_SIMPLE_NAME, apiName);

    // object names are normalized to lower case so every request is handled
    // consistently regardless of how the caller spelled them
    parent = parent.toLowerCase();
    setRequestDomain(ctx, parent);
    AthenzObject.SUB_DOMAIN.convertToLowerCase(detail);

    // underscores in the new name are reserved for system administrators
    final boolean hasUnderscore = detail.getName().indexOf('_') != -1;
    if (hasUnderscore && !isSysAdminUser(((RsrcCtxWrapper) ctx).principal())) {
        throw ZMSUtils.requestError("Domain name cannot contain underscores", apiName);
    }

    // the request must originate from a service authorized for this API
    verifyAuthorizedServiceOperation(((RsrcCtxWrapper) ctx).principal().getAuthorizedService(), apiName);

    // the parent named in the URL must agree with the parent in the body
    // (a null body parent also fails this check)
    if (!parent.equals(detail.getParent())) {
        throw ZMSUtils.forbiddenError("postSubDomain: Request and detail parent domains do not match", apiName);
    }

    // virtual domains are capped at a configured number of sub-domains; 0 disables the cap
    if (virtualDomainLimit != 0 && isVirtualDomain(parent) && hasExceededVirtualSubDomainLimit(parent)) {
        throw ZMSUtils.forbiddenError("postSubDomain: Exceeding the configured number of virtual subdomains", apiName);
    }

    // solution templates are optional; when present they are validated up front
    List<String> templateNames = null;
    final DomainTemplateList templateList = detail.getTemplates();
    if (templateList != null) {
        templateNames = templateList.getTemplateNames();
        validateSolutionTemplates(templateNames, apiName);
    }

    // the parent domain must exist
    final AthenzDomain parentAthenzDomain = getAthenzDomain(parent, false);
    if (parentAthenzDomain == null || parentAthenzDomain.getDomain() == null) {
        throw ZMSUtils.notFoundError("Invalid parent domain: " + parent, apiName);
    }
    final Domain parentSettings = parentAthenzDomain.getDomain();

    // audit_enabled, organization and user-authority filter are inherited
    // from the parent, overriding anything supplied in the request
    detail.setAuditEnabled(parentSettings.getAuditEnabled());
    detail.setOrg(parentSettings.getOrg());
    detail.setUserAuthorityFilter(parentSettings.getUserAuthorityFilter());

    // generate and verify the admin users for the new domain
    final List<String> adminMembers = normalizedAdminUsers(detail.getAdminUsers(), detail.getUserAuthorityFilter(), apiName);

    final Domain newDomain = new Domain()
            .setName(detail.getParent() + "." + detail.getName())
            .setAuditEnabled(detail.getAuditEnabled())
            .setDescription(detail.getDescription())
            .setOrg(detail.getOrg())
            .setId(UUID.fromCurrentTime())
            .setModified(Timestamp.fromCurrentTime())
            .setApplicationId(detail.getApplicationId())
            .setMemberExpiryDays(detail.getMemberExpiryDays())
            .setServiceExpiryDays(detail.getServiceExpiryDays())
            .setGroupExpiryDays(detail.getGroupExpiryDays())
            .setTokenExpiryMins(detail.getTokenExpiryMins())
            .setServiceCertExpiryMins(detail.getServiceCertExpiryMins())
            .setRoleCertExpiryMins(detail.getRoleCertExpiryMins())
            .setSignAlgorithm(detail.getSignAlgorithm())
            .setTags(detail.getTags())
            .setBusinessService(detail.getBusinessService());

    // validate the assembled domain before it is persisted
    validateDomainValues(newDomain);
    return createSubDomain(ctx, newDomain, adminMembers, templateNames, auditRef, apiName);
}

Example 73 with AthenzDomain

use of com.yahoo.athenz.zms.store.AthenzDomain in project athenz by yahoo.

From class ZMSImpl, method virtualHomeDomain.

/**
 * Builds an in-memory home domain for the given principal without touching
 * the store.
 *
 * <p>The returned domain is enabled, has one admin role whose sole member is
 * {@code principal.getFullName()}, and one admin policy for that role, both
 * produced by {@link ZMSUtils}.
 *
 * @param principal principal that becomes the only admin of the domain
 * @param domainName name of the home domain to synthesize
 * @return the synthesized domain with its admin role and policy attached
 */
AthenzDomain virtualHomeDomain(Principal principal, String domainName) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("homeDomain: home domain detected. Create on the fly.");
    }
    final AthenzDomain homeDomain = new AthenzDomain(domainName);
    homeDomain.setDomain(new Domain().setName(domainName).setEnabled(Boolean.TRUE));

    // a mutable list is used on purpose: makeAdminRole receives it directly
    final List<String> admins = new ArrayList<>();
    admins.add(principal.getFullName());

    final Role adminRole = ZMSUtils.makeAdminRole(domainName, admins);
    homeDomain.getRoles().add(adminRole);
    homeDomain.getPolicies().add(ZMSUtils.makeAdminPolicy(domainName, adminRole));
    return homeDomain;
}

Example 74 with AthenzDomain

use of com.yahoo.athenz.zms.store.AthenzDomain in project athenz by yahoo.

From class ZMSImpl, method isAllowedDeletePendingGroupMembership.

/**
 * Decides whether {@code principal} may delete a pending group membership.
 *
 * <p>Access is granted when the principal has put-membership access on the
 * group resource, or, failing that, when the principal is the one who
 * originally requested the pending membership.
 *
 * @param principal  principal performing the delete
 * @param domainName domain that owns the group
 * @param groupName  group the pending membership belongs to
 * @param memberName member whose pending membership is being deleted
 * @return {@code true} when the delete is allowed
 */
boolean isAllowedDeletePendingGroupMembership(Principal principal, final String domainName, final String groupName, final String memberName) {
    final AthenzDomain athenzDomain = getAthenzDomain(domainName, false);
    if (athenzDomain == null) {
        throw ZMSUtils.notFoundError("Domain not found: " + domainName, "deletePendingGroupMembership");
    }

    // update access on the group is sufficient on its own
    final String groupResource = ResourceUtils.groupResourceName(domainName, groupName);
    if (isAllowedPutMembershipAccess(principal, athenzDomain, groupResource)) {
        return true;
    }

    // otherwise the requestor of the pending entry may withdraw it
    // (the trailing 0/true arguments select the pending record — confirm against dbService)
    final GroupMembership pending = dbService.getGroupMembership(domainName, groupName, memberName, 0, true);
    if (pending == null) {
        return false;
    }
    return principal.getFullName().equals(pending.getRequestPrincipal());
}

Example 75 with AthenzDomain

use of com.yahoo.athenz.zms.store.AthenzDomain in project athenz by yahoo.

From class JDBCConnection, method getAthenzDomain.

/**
 * Loads a complete domain (settings, roles, groups, policies, services and
 * entities) from the database.
 *
 * <p>The domain row is fetched with a parameterized statement so the name is
 * bound, never concatenated into SQL. A missing row is reported as a
 * not-found error; JDBC failures are wrapped by {@code sqlError}.
 *
 * @param domainName name of the domain to load
 * @return the populated {@link AthenzDomain}
 */
@Override
public AthenzDomain getAthenzDomain(String domainName) {
    final String caller = "getAthenzDomain";
    int domainId = 0;
    final AthenzDomain result = new AthenzDomain(domainName);

    try (PreparedStatement stmt = con.prepareStatement(SQL_GET_DOMAIN)) {
        stmt.setString(1, domainName);
        try (ResultSet row = executeQuery(stmt, caller)) {
            if (row.next()) {
                result.setDomain(saveDomainSettings(domainName, row, true));
                domainId = row.getInt(ZMSConsts.DB_COLUMN_DOMAIN_ID);
            }
        }
    } catch (SQLException ex) {
        throw sqlError(ex, caller);
    }

    // an id of 0 means no row matched
    if (domainId == 0) {
        throw notFoundError(caller, ZMSConsts.OBJECT_DOMAIN, domainName);
    }

    // child collections are filled in place on the result object
    getAthenzDomainRoles(domainName, domainId, result);
    getAthenzDomainGroups(domainName, domainId, result);
    getAthenzDomainPolicies(domainName, domainId, result);
    getAthenzDomainServices(domainName, domainId, result);
    getAthenzDomainEntities(domainName, domainId, result);
    return result;
}
