use of com.yahoo.athenz.zms.store.AthenzDomain in project athenz by yahoo.
the class ZMSImplTest method testEvaluateAccessAssertionAllowCaseSensitive.
@Test
public void testEvaluateAccessAssertionAllowCaseSensitive() {
    // Build an in-memory domain with one role (user.user1 is a member) and one
    // policy holding a single ALLOW assertion. The assertion's action is written
    // in mixed case ("ReaD") while the access check below asks for "read"; the
    // expected ALLOWED result shows that the action comparison ignores case.
    final AthenzDomain domain = new AthenzDomain("coretech");
    final Role role1 = zmsTestInitializer.createRoleObject("coretech", "role1", null, "user.user1", null);
    domain.getRoles().add(role1);

    final Assertion allowRead = new Assertion();
    allowRead.setAction("ReaD");
    allowRead.setEffect(AssertionEffect.ALLOW);
    allowRead.setResource("coretech:*");
    allowRead.setRole("coretech:role.role1");

    // a mutable list is used on purpose, matching what the service hands out
    final List<Assertion> assertions = new ArrayList<>();
    assertions.add(allowRead);
    final Policy policy1 = new Policy().setName("coretech:policy.policy1");
    policy1.setAssertions(assertions);
    domain.getPolicies().add(policy1);

    final AccessStatus status = zmsTestInitializer.getZms().evaluateAccess(domain, "user.user1", "read",
            "coretech:resource1", null, null, zmsTestInitializer.getMockDomRestRsrcCtx().principal());
    assertEquals(status, AccessStatus.ALLOWED);
}
use of com.yahoo.athenz.zms.store.AthenzDomain in project athenz by yahoo.
the class ZMSImplTest method testIsAllowedPutMembership.
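@Test
public void testIsAllowedPutMembership() {
    // Exercises isAllowedPutMembership() for three role configurations:
    //  - a plain role: only the domain admin may add members, approved immediately;
    //  - a self-serve role: a non-admin may add himself or others, left unapproved;
    //  - an audit-enabled domain/role: the admin's addition is pending approval and
    //    the non-admin is denied outright.
    // The domain is created up front and removed in a finally block so that a
    // failed assertion does not leave "testdomain1" behind for other tests.
    final ZMSImpl zms = zmsTestInitializer.getZms();
    final String auditRef = zmsTestInitializer.getAuditRef();
    final String domainName = "testdomain1";

    TopLevelDomain dom1 = zmsTestInitializer.createTopLevelDomainObject(domainName, "Role Test Domain1", "testOrg", "user.user1");
    zms.postTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), auditRef, dom1);
    try {
        // plain role, no self-serve, no audit
        Role role1 = zmsTestInitializer.createRoleObject(domainName, "testrole1", null, "user.john", "user.jane");
        zms.putRole(zmsTestInitializer.getMockDomRsrcCtx(), domainName, "testrole1", auditRef, role1);

        AthenzDomain domain = zms.getAthenzDomain(domainName, false);
        Role role = zms.getRoleFromDomain("testrole1", domain);
        RoleMember roleMember = new RoleMember().setMemberName("user.user1");

        // the admin principal may add a member, and the membership is approved at once
        final Principal adminPrincipal = zmsTestInitializer.getMockDomRestRsrcCtx().principal();
        assertTrue(zms.isAllowedPutMembership(adminPrincipal, domain, role, roleMember));
        assertTrue(roleMember.getApproved());

        // a non-admin principal "user.bob", built with the debug authority used by these tests
        Authority principalAuthority = new com.yahoo.athenz.common.server.debug.DebugPrincipalAuthority();
        String unsignedCreds = "v=U1;d=user;n=bob";
        final Principal bob = SimplePrincipal.create("user", "bob", unsignedCreds + ";s=signature", 0, principalAuthority);
        assertNotNull(bob);
        ((SimplePrincipal) bob).setUnsignedCreds(unsignedCreds);

        // without self-serve bob may neither add himself nor another user
        roleMember = new RoleMember().setMemberName("user.bob");
        assertFalse(zms.isAllowedPutMembership(bob, domain, role, roleMember));
        roleMember = new RoleMember().setMemberName("user.dave");
        assertFalse(zms.isAllowedPutMembership(bob, domain, role, roleMember));

        // self-serve role: bob may add himself and dave, but the membership stays unapproved
        Role selfServeRole = zmsTestInitializer.createRoleObject(domainName, "testrole2", null, "user.john", "user.jane");
        zms.putRole(zmsTestInitializer.getMockDomRsrcCtx(), domainName, "testrole2", auditRef, selfServeRole);
        RoleMeta selfServeMeta = createRoleMetaObject(true);
        zms.putRoleMeta(zmsTestInitializer.getMockDomRsrcCtx(), domainName, "testrole2", auditRef, selfServeMeta);

        // re-read the domain so the role meta change is visible
        domain = zms.getAthenzDomain(domainName, false);
        role = zms.getRoleFromDomain("testrole2", domain);
        roleMember = new RoleMember().setMemberName("user.bob");
        assertTrue(zms.isAllowedPutMembership(bob, domain, role, roleMember));
        assertFalse(roleMember.getApproved());
        roleMember.setMemberName("user.dave");
        assertTrue(zms.isAllowedPutMembership(bob, domain, role, roleMember));
        assertFalse(roleMember.getApproved());

        // audit-enabled domain and audit-enabled role
        DomainMeta meta = zmsTestInitializer.createDomainMetaObject("Domain Meta for Role Meta test", "testOrg", true, true, "12345", 1001);
        zms.putDomainMeta(zmsTestInitializer.getMockDomRsrcCtx(), domainName, auditRef, meta);
        zms.putDomainSystemMeta(zmsTestInitializer.getMockDomRsrcCtx(), domainName, "auditenabled", auditRef, meta);
        Role auditedRole = zmsTestInitializer.createRoleObject(domainName, "testrole3", null, "user.john", "user.jane");
        zms.putRole(zmsTestInitializer.getMockDomRsrcCtx(), domainName, "testrole3", auditRef, auditedRole);
        RoleSystemMeta auditMeta = createRoleSystemMetaObject(true);
        zms.putRoleSystemMeta(zmsTestInitializer.getMockDomRsrcCtx(), domainName, "testrole3", "auditenabled", auditRef, auditMeta);

        domain = zms.getAthenzDomain(domainName, false);
        role = zms.getRoleFromDomain("testrole3", domain);

        // the admin may still add, but the membership now awaits approval
        roleMember = new RoleMember().setMemberName("user.user1");
        assertTrue(zms.isAllowedPutMembership(adminPrincipal, domain, role, roleMember));
        assertFalse(roleMember.getApproved());

        // bob is denied both for himself and for dave
        roleMember = new RoleMember().setMemberName("user.bob");
        assertFalse(zms.isAllowedPutMembership(bob, domain, role, roleMember));
        roleMember = new RoleMember().setMemberName("user.dave");
        assertFalse(zms.isAllowedPutMembership(bob, domain, role, roleMember));
    } finally {
        // cleanup runs even when an assertion above fails
        zms.deleteTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), domainName, auditRef);
    }
}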
use of com.yahoo.athenz.zms.store.AthenzDomain in project athenz by yahoo.
the class DBServiceTest method testUpdateDomainMembersExpirationObjectStoreFailure.
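@Test
public void testUpdateDomainMembersExpirationObjectStoreFailure() {
    // Drives updateDomainMembersExpiration() against a mocked store connection
    // whose insertRoleMember() reports failure. The test has no explicit assert:
    // it passes when no exception propagates, and it fails if the service goes on
    // to call updateDomainModTimestamp(), which the mock makes throw.
    // The swapped-in user authority and the created domain are restored/removed
    // in a finally block so a failure here cannot leak into other tests.
    final String domainName = "domain-meta-expiry";
    List<String> admins = new ArrayList<>();
    admins.add(adminUser);
    zms.dbService.makeDomain(mockDomRsrcCtx, ZMSTestUtils.makeDomainObject(domainName, "test desc", "org", false, "", 1999, "", 0), admins, null, auditRef);

    Domain domain = new Domain().setName(domainName).setMemberExpiryDays(100).setModified(Timestamp.fromCurrentTime());
    Domain updateDomain = new Domain().setName(domainName).setMemberExpiryDays(50);

    ObjectStoreConnection mockConn = Mockito.mock(ObjectStoreConnection.class);
    AthenzDomain athenzDomain = new AthenzDomain(domainName);
    athenzDomain.setDomain(domain);
    Mockito.when(mockConn.getAthenzDomain(domainName)).thenReturn(athenzDomain);
    // the store rejects every member update
    Mockito.when(mockConn.insertRoleMember(Mockito.anyString(), Mockito.anyString(), Mockito.any(), Mockito.any(), Mockito.anyString())).thenReturn(false);
    // must never be reached after a failed member update, so make it blow up
    Mockito.when(mockConn.updateDomainModTimestamp(domainName)).thenThrow(new ResourceException(400));

    Authority savedAuthority = zms.dbService.zmsConfig.getUserAuthority();
    zms.dbService.zmsConfig.setUserAuthority(Mockito.mock(Authority.class));
    try {
        zms.dbService.updateDomainMembersExpiration(mockDomRsrcCtx, mockConn, domain, updateDomain, auditRef, "testUpdateDomainMembersExpirationFailure");
    } finally {
        zms.dbService.zmsConfig.setUserAuthority(savedAuthority);
        zms.dbService.executeDeleteDomain(mockDomRsrcCtx, domainName, auditRef, "deletedomain");
    }
}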
use of com.yahoo.athenz.zms.store.AthenzDomain in project athenz by yahoo.
the class ZMSImplTest method testEvaluateAccessNoAssertions.
@Test
public void testEvaluateAccessNoAssertions() {
    // A domain whose only policy carries no assertions at all: with nothing
    // granting access, evaluateAccess() must fall through to DENIED.
    final AthenzDomain domain = new AthenzDomain("coretech");
    domain.getRoles().add(new Role().setName("coretech:role.role1"));
    domain.getPolicies().add(new Policy().setName("coretech:policy.policy1"));

    final AccessStatus status = zmsTestInitializer.getZms().evaluateAccess(domain, null, null, null, null, null,
            zmsTestInitializer.getMockDomRestRsrcCtx().principal());
    assertEquals(status, AccessStatus.DENIED);
}
use of com.yahoo.athenz.zms.store.AthenzDomain in project athenz by yahoo.
the class ZMSImplTest method testRetrieveAccessDomainMismatch.
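@Test
public void testRetrieveAccessDomainMismatch() {
    // With virtual domains enabled, a principal "user.user2" asks for the access
    // domain of a different user ("user.user1"); the lookup is expected to yield
    // null rather than another user's domain. The system property is cleared in
    // a finally block so a failing assertion cannot leave it set for later tests.
    System.setProperty(ZMSConsts.ZMS_PROP_VIRTUAL_DOMAIN, "true");
    try {
        ZMSImpl zmsTest = zmsTestInitializer.zmsInit();
        Authority principalAuthority = new com.yahoo.athenz.common.server.debug.DebugPrincipalAuthority();
        Principal principal = SimplePrincipal.create("user", "user2", "v=U1;d=user;n=user2;s=signature", 0, principalAuthority);
        AthenzDomain athenzDomain = zmsTest.retrieveAccessDomain("user.user1", principal);
        assertNull(athenzDomain);
    } finally {
        System.clearProperty(ZMSConsts.ZMS_PROP_VIRTUAL_DOMAIN);
    }
}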