Example 91 with AthenzDomain
use of com.yahoo.athenz.zms.store.AthenzDomain in project athenz by yahoo.
the class ZMSImpl method getRoles.
public Roles getRoles(ResourceContext ctx, String domainName, Boolean members, String tagKey, String tagValue) {
final String caller = ctx.getApiName();
logPrincipal(ctx);
validateRequest(ctx.request(), caller);
validate(domainName, TYPE_DOMAIN_NAME, caller);
// for consistent handling of all requests, we're going to convert
// all incoming object values into lower case (e.g. domain, role,
// policy, service, etc name)
domainName = domainName.toLowerCase();
setRequestDomain(ctx, domainName);
Roles result = new Roles();
AthenzDomain domain = getAthenzDomain(domainName, false);
if (domain == null) {
throw ZMSUtils.notFoundError("getRoles: Domain not found: '" + domainName + "'", caller);
}
result.setList(setupRoleList(domain, members, tagKey, tagValue));
return result;
}
Also used :
AthenzDomain(com.yahoo.athenz.zms.store.AthenzDomain)
Example 92 with AthenzDomain
use of com.yahoo.athenz.zms.store.AthenzDomain in project athenz by yahoo.
the class ZMSImpl method retrieveSignedDomainData.
SignedDomain retrieveSignedDomainData(Domain domain, boolean masterCopy, boolean includeConditions) {
// generate our signed domain object
final String domainName = domain.getName();
SignedDomain signedDomain = createSignedDomain(domainName, domain.getModified().millis(), domain.getEnabled());
if (LOG.isDebugEnabled()) {
LOG.debug("retrieveSignedDomain: retrieving domain {}", domainName);
}
AthenzDomain athenzDomain = getAthenzDomain(domainName, true, masterCopy);
if (athenzDomain == null) {
return null;
}
// set domain attributes - for enabled flag only set it
// if it set to false
DomainData domainData = signedDomain.getDomain();
if (athenzDomain.getDomain().getEnabled() == Boolean.FALSE) {
domainData.setEnabled(false);
}
if (athenzDomain.getDomain().getAuditEnabled() == Boolean.TRUE) {
domainData.setAuditEnabled(true);
}
domainData.setAccount(athenzDomain.getDomain().getAccount());
domainData.setAzureSubscription(athenzDomain.getDomain().getAzureSubscription());
domainData.setYpmId(athenzDomain.getDomain().getYpmId());
domainData.setApplicationId(athenzDomain.getDomain().getApplicationId());
domainData.setSignAlgorithm(athenzDomain.getDomain().getSignAlgorithm());
domainData.setBusinessService(athenzDomain.getDomain().getBusinessService());
domainData.setDescription(athenzDomain.getDomain().getDescription());
domainData.setCertDnsDomain(athenzDomain.getDomain().getCertDnsDomain());
domainData.setOrg(athenzDomain.getDomain().getOrg());
domainData.setUserAuthorityFilter(athenzDomain.getDomain().getUserAuthorityFilter());
if (athenzDomain.getDomain().getServiceCertExpiryMins() != null) {
domainData.setServiceCertExpiryMins(athenzDomain.getDomain().getServiceCertExpiryMins());
}
if (athenzDomain.getDomain().getRoleCertExpiryMins() != null) {
domainData.setRoleCertExpiryMins(athenzDomain.getDomain().getRoleCertExpiryMins());
}
if (athenzDomain.getDomain().getTokenExpiryMins() != null) {
domainData.setTokenExpiryMins(athenzDomain.getDomain().getTokenExpiryMins());
}
if (athenzDomain.getDomain().getMemberExpiryDays() != null) {
domainData.setMemberExpiryDays(athenzDomain.getDomain().getMemberExpiryDays());
}
if (athenzDomain.getDomain().getGroupExpiryDays() != null) {
domainData.setGroupExpiryDays(athenzDomain.getDomain().getGroupExpiryDays());
}
if (athenzDomain.getDomain().getServiceExpiryDays() != null) {
domainData.setServiceExpiryDays(athenzDomain.getDomain().getServiceExpiryDays());
}
// set the domain tags
domainData.setTags(athenzDomain.getDomain().getTags());
// set the roles, services, groups and entities
domainData.setRoles(athenzDomain.getRoles());
domainData.setServices(athenzDomain.getServices());
domainData.setGroups(athenzDomain.getGroups());
domainData.setEntities(athenzDomain.getEntities());
// generate the domain policy object that includes the domain
// name and all policies. Then we'll sign this struct using
// server's private key to get signed policy object
DomainPolicies domainPolicies = new DomainPolicies().setDomain(domainName);
domainPolicies.setPolicies(getDomainPolicyList(athenzDomain.getPolicies(), includeConditions));
SignedPolicies signedPolicies = new SignedPolicies();
signedPolicies.setContents(domainPolicies);
domainData.setPolicies(signedPolicies);
String signature = Crypto.sign(SignUtils.asCanonicalString(signedPolicies.getContents()), privateKey.getKey());
signedPolicies.setSignature(signature).setKeyId(privateKey.getId());
// then sign the data and set the data and signature in a SignedDomain
signature = Crypto.sign(SignUtils.asCanonicalString(domainData), privateKey.getKey());
signedDomain.setSignature(signature).setKeyId(privateKey.getId());
return signedDomain;
}
Also used :
AthenzDomain(com.yahoo.athenz.zms.store.AthenzDomain)
Example 93 with AthenzDomain
use of com.yahoo.athenz.zms.store.AthenzDomain in project athenz by yahoo.
the class ZMSImpl method getPolicies.
@Override
public Policies getPolicies(ResourceContext ctx, String domainName, Boolean assertions, Boolean includeNonActive) {
final String caller = ctx.getApiName();
logPrincipal(ctx);
validateRequest(ctx.request(), caller);
validate(domainName, TYPE_DOMAIN_NAME, caller);
// for consistent handling of all requests, we're going to convert
// all incoming object values into lower case (e.g. domain, role,
// policy, service, etc name)
domainName = domainName.toLowerCase();
setRequestDomain(ctx, domainName);
Policies result = new Policies();
AthenzDomain domain = getAthenzDomain(domainName, false);
if (domain == null) {
throw ZMSUtils.notFoundError(caller + ": Domain not found: '" + domainName + "'", caller);
}
result.setList(setupPolicyList(domain, assertions, includeNonActive));
return result;
}
Also used :
AthenzDomain(com.yahoo.athenz.zms.store.AthenzDomain)
Example 94 with AthenzDomain
use of com.yahoo.athenz.zms.store.AthenzDomain in project athenz by yahoo.
the class ZMSImpl method putMembership.
@Override
public void putMembership(ResourceContext ctx, String domainName, String roleName, String memberName, String auditRef, Membership membership) {
final String caller = ctx.getApiName();
logPrincipal(ctx);
if (readOnlyMode.get()) {
throw ZMSUtils.requestError(SERVER_READ_ONLY_MESSAGE, caller);
}
validateRequest(ctx.request(), caller);
validate(domainName, TYPE_DOMAIN_NAME, caller);
setRequestDomain(ctx, domainName);
validate(roleName, TYPE_ENTITY_NAME, caller);
validate(memberName, TYPE_MEMBER_NAME, caller);
validate(membership, TYPE_MEMBERSHIP, caller);
// for consistent handling of all requests, we're going to convert
// all incoming object values into lower case (e.g. domain, role,
// policy, service, etc name)
domainName = domainName.toLowerCase();
roleName = roleName.toLowerCase();
memberName = memberName.toLowerCase();
AthenzObject.MEMBERSHIP.convertToLowerCase(membership);
final Principal principal = ((RsrcCtxWrapper) ctx).principal();
// verify that request is properly authenticated for this request
verifyAuthorizedServiceRoleOperation(principal.getAuthorizedService(), caller, roleName);
if (!memberName.equals(membership.getMemberName())) {
throw ZMSUtils.requestError("putMembership: Member name in URI and Membership object do not match", caller);
}
if (membership.getRoleName() != null && !roleName.equals(membership.getRoleName())) {
throw ZMSUtils.requestError("putMembership: Role name in URI and Membership object do not match", caller);
}
// extract our role object to get its attributes
AthenzDomain domain = getAthenzDomain(domainName, false);
Role role = getRoleFromDomain(roleName, domain);
if (role == null) {
throw ZMSUtils.requestError("Invalid role name specified", caller);
}
// create and normalize the role member object
RoleMember roleMember = new RoleMember();
roleMember.setMemberName(normalizeDomainAliasUser(memberName));
roleMember.setPrincipalType(principalType(roleMember.getMemberName()));
setRoleMemberExpiration(domain, role, roleMember, membership, caller);
setRoleMemberReview(role, roleMember, membership);
// check to see if we need to validate the principal
final String userAuthorityFilter = enforcedUserAuthorityFilter(role.getUserAuthorityFilter(), domain.getDomain().getUserAuthorityFilter());
boolean disallowGroups = ADMIN_ROLE_NAME.equals(roleName);
validateRoleMemberPrincipal(roleMember.getMemberName(), roleMember.getPrincipalType(), userAuthorityFilter, role.getUserAuthorityExpiration(), role.getAuditEnabled(), disallowGroups, caller);
if (!isAllowedPutMembership(principal, domain, role, roleMember)) {
throw ZMSUtils.forbiddenError("putMembership: principal is not authorized to add members", caller);
}
// add the member to the specified role
dbService.executePutMembership(ctx, domainName, roleName, roleMember, auditRef, caller);
if (roleMember.getApproved() == Boolean.FALSE) {
sendMembershipApprovalNotification(domainName, domain.getDomain().getOrg(), roleName, roleMember.getMemberName(), auditRef, principal.getFullName(), role);
}
}
Also used :
AthenzDomain(com.yahoo.athenz.zms.store.AthenzDomain)
Example 95 with AthenzDomain
use of com.yahoo.athenz.zms.store.AthenzDomain in project athenz by yahoo.
the class ZMSImpl method getDomainDataCheck.
public DomainDataCheck getDomainDataCheck(ResourceContext ctx, String domainName) {
final String caller = ctx.getApiName();
logPrincipal(ctx);
validateRequest(ctx.request(), caller);
validate(domainName, TYPE_DOMAIN_NAME, caller);
domainName = domainName.toLowerCase();
setRequestDomain(ctx, domainName);
if (LOG.isDebugEnabled()) {
LOG.debug("getDomainDataCheck: domain={}", domainName);
}
AthenzDomain domain = getAthenzDomain(domainName, false);
if (domain == null) {
throw ZMSUtils.notFoundError("getDomainDataCheck: Domain not found: '" + domainName + "'", caller);
}
// build set of roles
// iterate them to look for trust roles - in case this is a provider domain
Set<String> roleSet = new HashSet<>();
Set<String> trustRoleSet = new HashSet<>();
// map per trust/tenant domain that contains the trust roles
Map<String, Set<String>> trustRoleMap = new HashMap<>();
for (Role role : domain.getRoles()) {
if (LOG.isDebugEnabled()) {
LOG.debug("getDomainDataCheck: processing role - {}", role.getName());
}
roleSet.add(role.getName());
String roleName = ZMSUtils.removeDomainPrefix(role.getName(), domainName, ROLE_PREFIX);
String trustDomain = role.getTrust();
if (trustDomain != null) {
if (LOG.isDebugEnabled()) {
LOG.debug("trust role for domain: {}", trustDomain);
}
trustRoleSet.add(trustDomain);
Set<String> tset = trustRoleMap.computeIfAbsent(trustDomain, k -> new HashSet<>());
tset.add(roleName);
}
}
// look for dangling roles and policies
//
int assertionCount = 0;
// keep track of roles used by policies
Set<String> usedRoleSet = new HashSet<>();
// keep track of providers from assume_role policies
Set<String> providerSet = new HashSet<>();
// assume_role resources are placed into the set per provider service domain
Map<String, Set<String>> svcRoleMap = new HashMap<>();
List<DanglingPolicy> danglingPolicies = new ArrayList<>();
List<Policy> policies = domain.getPolicies();
for (Policy policy : policies) {
if (policy.getActive() == Boolean.FALSE) {
continue;
}
String pname = ZMSUtils.removeDomainPrefix(policy.getName(), domainName, POLICY_PREFIX);
if (LOG.isDebugEnabled()) {
LOG.debug("getDomainDataCheck: processing policy={} in domain={}", pname, domainName);
}
List<Assertion> assertions = policy.getAssertions();
if (assertions == null) {
continue;
}
for (Assertion assertion : assertions) {
assertionCount++;
if (ZMSConsts.ACTION_ASSUME_ROLE.equalsIgnoreCase(assertion.getAction())) {
// get provider domain+service name and add to set of providers
// Note there may be a resource appended - to be dealt with later
// ex: testgetdomaindatacheck:policy.tenancy.testgetdomaindatacheckprovider.storage.reader
// ex: testgetdomaindatacheck:policy.tenancy.testgetdomaindatacheckprovider.sub.storage.res_group.ravers.reader
// index after "tenancy." and index of last dot
int index = pname.indexOf("tenancy.");
if (index == -1) {
continue;
}
int lindex = pname.lastIndexOf('.');
if (lindex == -1) {
continue;
}
String provSvcDomain = pname.substring(index + "tenancy.".length(), lindex);
providerSet.add(provSvcDomain);
// lets collect the resource field that is name of role in provider
// ex: testgetdomaindatacheckprovider.sub:role.storage.tenant.testgetdomaindatacheck.reader
// ex: testgetdomaindatacheckprovider.sub:role.storage.tenant.testgetdomaindatacheck.res_group.ravers.reader
String rsrc = assertion.getResource();
Set<String> rset = svcRoleMap.computeIfAbsent(provSvcDomain, k -> new HashSet<>());
rset.add(rsrc);
}
String roleName = assertion.getRole();
if (roleSet.contains(roleName)) {
usedRoleSet.add(roleName);
} else {
// dangling policy
DanglingPolicy dp = new DanglingPolicy();
// we need to remove the domain:role. and domain:policy prefixes
// according to RDL definitions for role and policy names
dp.setRoleName(ZMSUtils.removeDomainPrefix(roleName, domainName, ROLE_PREFIX));
dp.setPolicyName(ZMSUtils.removeDomainPrefix(pname, domainName, POLICY_PREFIX));
danglingPolicies.add(dp);
}
}
}
DomainDataCheck ddc = new DomainDataCheck();
ddc.setPolicyCount(policies.size());
ddc.setAssertionCount(assertionCount);
if (!danglingPolicies.isEmpty()) {
ddc.setDanglingPolicies(danglingPolicies);
}
if (roleSet.size() != usedRoleSet.size()) {
// oh oh, some roles are unused - need to subtract the usedRoleSet
// from roleSet - the leftovers are the unused roles
roleSet.removeAll(usedRoleSet);
// we need to remove the domain:role. prefix according to
// RDL definition for dangling role names
List<String> danglingRoleList = new ArrayList<>();
for (String roleName : roleSet) {
danglingRoleList.add(ZMSUtils.removeDomainPrefix(roleName, domainName, ROLE_PREFIX));
}
ddc.setDanglingRoles(danglingRoleList);
}
if (LOG.isDebugEnabled()) {
LOG.debug("getDomainDataCheck: domain={} policy-count={} assertion-count={} dangling-policies={} dangling-roles={}", domainName, policies.size(), assertionCount, danglingPolicies.size(), roleSet.size());
}
// Tenant Domain Check: does each provider fully support this tenant?
// collect Service names (domain.service) for domains that don't contain
// trust role
List<String> provsWithoutTrust = new ArrayList<>();
for (String provSvc : providerSet) {
if (LOG.isDebugEnabled()) {
LOG.debug("getDomainDataCheck: domain={} provider-service={}", domainName, provSvc);
}
// 2 cases to resolve, one with resource group, one without
// ex: iaas.stuff.storage.read
// ex: iaas.stuff.storage.res_group.my_resource_group.read
int idx = provSvc.indexOf(".res_group.");
String provSvcDomain;
if (idx == -1) {
provSvcDomain = providerServiceDomain(provSvc);
} else {
provSvcDomain = providerServiceDomain(provSvc.substring(0, idx));
}
AthenzDomain providerDomain = getAthenzDomain(provSvcDomain, true);
Set<String> rset = svcRoleMap.get(provSvc);
if (rset == null || rset.isEmpty() || providerDomain == null) {
provsWithoutTrust.add(provSvc);
continue;
}
// find trust role in the provider that contains the tenant domain
int foundTrust = 0;
for (Role role : providerDomain.getRoles()) {
String trustDomain = role.getTrust();
if (trustDomain != null) {
if (domainName.equals(trustDomain)) {
// look for the role in the role set for this service
if (rset.contains(role.getName())) {
foundTrust++;
}
}
}
}
if (foundTrust != rset.size()) {
provsWithoutTrust.add(provSvc);
}
}
if (!provsWithoutTrust.isEmpty()) {
ddc.setProvidersWithoutTrust(provsWithoutTrust);
}
// Provider Domain Check: does each tenant have all the assume_role
// assertions to match each trust role.
// tenantsWithoutProv: names of Tenant domains that don't contain assume
// role assertions if this is a provider domain
List<String> tenantsWithoutProv = new ArrayList<>();
// tenantDomMap: optimize reading tenant domains once already read
// This is optimizing for Providers with lots of tenants.
Map<String, AthenzDomain> tenantDomMap = new HashMap<>();
for (String trustRole : trustRoleSet) {
if (LOG.isDebugEnabled()) {
LOG.debug("getDomainDataCheck: processing trust role: {}", trustRole);
}
AthenzDomain tenantDomain = tenantDomMap.get(trustRole);
if (tenantDomain == null) {
tenantDomain = getAthenzDomain(trustRole, true);
if (tenantDomain == null) {
tenantsWithoutProv.add(trustRole);
continue;
} else {
tenantDomMap.put(trustRole, tenantDomain);
}
}
// Get set of providers trust roles for trust/tenant domain.
Set<String> tset = trustRoleMap.get(trustRole);
if (tset == null || tset.isEmpty()) {
tenantsWithoutProv.add(trustRole);
continue;
}
int foundProviderCnt = 0;
// Check for assume_role containing the provider in the tenantDomain
for (Policy policy : tenantDomain.getPolicies()) {
// ignore any inactive/multi-version policies
if (policy.getActive() == Boolean.FALSE) {
continue;
}
List<Assertion> assertions = policy.getAssertions();
if (assertions == null) {
continue;
}
for (Assertion assertion : assertions) {
if (ZMSConsts.ACTION_ASSUME_ROLE.equalsIgnoreCase(assertion.getAction())) {
String rsrc = assertion.getResource();
// the tenant domain resource - then the tenant is supported
if (roleSet.contains(rsrc)) {
// HAVE: an assume_role with resource pointing at the provider
foundProviderCnt++;
}
}
}
}
if (foundProviderCnt < tset.size()) {
// didn't find all required matching provider trust-role to assume_role-resource pairs
tenantsWithoutProv.add(trustRole);
}
}
if (!tenantsWithoutProv.isEmpty()) {
ddc.setTenantsWithoutAssumeRole(tenantsWithoutProv);
}
return ddc;
}
Also used :
AthenzDomain(com.yahoo.athenz.zms.store.AthenzDomain)
ConcurrentHashMap(java.util.concurrent.ConcurrentHashMap)
Aggregations
AthenzDomain (com.yahoo.athenz.zms.store.AthenzDomain)104
Test (org.testng.annotations.Test)28
Principal (com.yahoo.athenz.auth.Principal)14
Authority (com.yahoo.athenz.auth.Authority)13
MetricNotificationService (com.yahoo.athenz.common.server.notification.impl.MetricNotificationService)13
ZMSNotificationManagerTest.getNotificationManager (com.yahoo.athenz.zms.notification.ZMSNotificationManagerTest.getNotificationManager)13
DBService (com.yahoo.athenz.zms.DBService)6
Role (com.yahoo.athenz.zms.Role)6
RoleMember (com.yahoo.athenz.zms.RoleMember)6
ObjectStore (com.yahoo.athenz.zms.store.ObjectStore)3
ObjectStoreConnection (com.yahoo.athenz.zms.store.ObjectStoreConnection)3
java.sql (java.sql)3
SQLException (java.sql.SQLException)2
AuthzDetailsEntity (com.yahoo.athenz.common.config.AuthzDetailsEntity)1
DomainRoleMembersFetcher (com.yahoo.athenz.common.server.notification.DomainRoleMembersFetcher)1
DataCache (com.yahoo.athenz.zms.DBService.DataCache)1
Domain (com.yahoo.athenz.zms.Domain)1
ResourceException (com.yahoo.athenz.zms.ResourceException)1
JDBCConnection (com.yahoo.athenz.zms.store.jdbc.JDBCConnection)1
Timestamp (com.yahoo.rdl.Timestamp)1
