
Example 96 with AthenzDomain

use of com.yahoo.athenz.zms.store.AthenzDomain in project athenz by yahoo.

the class ZMSImpl method getAccessCheck.

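/**
 * Evaluates whether a principal may perform {@code action} on {@code resource}.
 *
 * <p>The domain that owns the decision is derived from the resource (and the
 * action/trustDomain pair), never from the caller. When {@code checkPrincipal}
 * is supplied, the domain lookup still uses the authenticated
 * {@code principal}, but the access evaluation itself is performed for
 * {@code checkPrincipal} instead of the caller.
 *
 * @param principal      the authenticated caller
 * @param action         requested action; lower-cased before evaluation
 * @param resource       target resource; lower-cased before evaluation
 * @param trustDomain    optional trust domain; lower-cased when present
 * @param checkPrincipal optional principal to evaluate instead of the caller;
 *                       lower-cased when present
 * @param ctx            request context; the resolved domain is recorded on it
 * @return an {@link Access} whose granted flag is true only when the
 *         evaluated status is {@code AccessStatus.ALLOWED}
 * @throws RuntimeException the error built by ZMSUtils.notFoundError when no
 *         domain can be extracted or the domain is unknown, by
 *         ZMSUtils.forbiddenError when the domain is disabled, and by
 *         ZMSUtils.unauthorizedError when checkPrincipal cannot be resolved
 */
Access getAccessCheck(Principal principal, String action, String resource, String trustDomain, String checkPrincipal, ResourceContext ctx) {
    final String caller = "getaccess";
    if (LOG.isDebugEnabled()) {
        LOG.debug("getAccessCheck:({}, {}, {}, {}, {})", action, resource, principal, trustDomain, checkPrincipal);
    }
    // for consistent handling of all requests, every incoming object name
    // (domain, role, policy, service, ...) is lower-cased; default-locale
    // lowercasing is used here to match how names are handled elsewhere
    // in this class
    action = action.toLowerCase();
    resource = resource.toLowerCase();
    if (checkPrincipal != null) {
        checkPrincipal = checkPrincipal.toLowerCase();
    }
    if (trustDomain != null) {
        trustDomain = trustDomain.toLowerCase();
    }
    // the domain comes from the resource and the action/trustDomain pair
    final String domainName = AuthzHelper.retrieveResourceDomain(resource, action, trustDomain);
    setRequestDomain(ctx, domainName);
    if (domainName == null) {
        setRequestDomain(ctx, ZMSConsts.ZMS_INVALID_DOMAIN);
        throw ZMSUtils.notFoundError("getAccessCheck: Unable to extract resource domain", caller);
    }
    // the lookup is done with the authenticated caller, before any
    // checkPrincipal substitution below
    final AthenzDomain domain = retrieveAccessDomain(domainName, principal);
    if (domain == null) {
        setRequestDomain(ctx, ZMSConsts.ZMS_UNKNOWN_DOMAIN);
        throw ZMSUtils.notFoundError("getAccessCheck: Resource Domain not found: '" + domainName + "'", caller);
    }
    // value comparison instead of a reference comparison against Boolean.FALSE,
    // so a non-canonical boxed false is still treated as disabled; an unset
    // (null) flag is treated as enabled, as before
    if (Boolean.FALSE.equals(domain.getDomain().getEnabled())) {
        throw ZMSUtils.forbiddenError("getAccessCheck: Disabled domain: '" + domainName + "'", caller);
    }
    if (checkPrincipal != null) {
        // from here on the access decision is evaluated for checkPrincipal,
        // not for the authenticated caller
        principal = ZMSUtils.createPrincipalForName(checkPrincipal, userDomain, userDomainAlias);
        if (principal == null) {
            throw ZMSUtils.unauthorizedError("getAccessCheck: Invalid check principal value specified", caller);
        }
    }
    final AccessStatus accessStatus = hasAccess(domain, action, resource, principal, trustDomain);
    // every status other than ALLOWED is reported as "not granted"
    return new Access().setGranted(accessStatus == AccessStatus.ALLOWED);
}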

Example 97 with AthenzDomain

use of com.yahoo.athenz.zms.store.AthenzDomain in project athenz by yahoo.

the class ZMSImpl method putMembershipDecision.

/**
 * Applies an approve/reject decision to a pending role membership.
 *
 * <p>Request validation and name lower-casing happen first, then the service
 * authorization check, then the URI-vs-body consistency checks. The decision
 * fields (approved/active) are copied onto the role member only after
 * {@code validatePutMembershipDecisionAuthorization} has passed, and the
 * member principal is validated against the user authority filter only when
 * the decision is an approval.
 *
 * @param ctx        request context; supplies the API name and the caller principal
 * @param domainName domain of the role (lower-cased here)
 * @param roleName   role the membership belongs to (lower-cased here)
 * @param memberName member the decision is about (lower-cased here)
 * @param auditRef   audit reference passed through to the store
 * @param membership decision payload; its member name must match the URI and
 *                   its role name, when set, must match the URI
 * @throws RuntimeException the error built by ZMSUtils.requestError in read-only
 *         mode, on URI/body mismatch, or when the role does not exist, plus
 *         whatever the validation and authorization helpers throw
 */
@Override
public void putMembershipDecision(ResourceContext ctx, String domainName, String roleName, String memberName, String auditRef, Membership membership) {
    final String apiName = ctx.getApiName();
    logPrincipal(ctx);
    if (readOnlyMode.get()) {
        throw ZMSUtils.requestError(SERVER_READ_ONLY_MESSAGE, apiName);
    }
    validateRequest(ctx.request(), apiName);
    validate(domainName, TYPE_DOMAIN_NAME, apiName);
    validate(roleName, TYPE_ENTITY_NAME, apiName);
    validate(memberName, TYPE_MEMBER_NAME, apiName);
    validate(membership, TYPE_MEMBERSHIP, apiName);
    // every incoming object name is lower-cased before any lookup or comparison
    domainName = domainName.toLowerCase();
    setRequestDomain(ctx, domainName);
    roleName = roleName.toLowerCase();
    memberName = memberName.toLowerCase();
    AthenzObject.MEMBERSHIP.convertToLowerCase(membership);
    final Principal requester = ((RsrcCtxWrapper) ctx).principal();
    // the authorized service (if any) behind the request must be allowed to
    // operate on this role
    verifyAuthorizedServiceRoleOperation(requester.getAuthorizedService(), apiName, roleName);
    // the URI and the body must agree on the member, and on the role when the
    // body carries one
    if (!memberName.equals(membership.getMemberName())) {
        throw ZMSUtils.requestError("putMembershipDecision: Member name in URI and Membership object do not match", apiName);
    }
    final String bodyRoleName = membership.getRoleName();
    if (bodyRoleName != null && !roleName.equals(bodyRoleName)) {
        throw ZMSUtils.requestError("putMembershipDecision: Role name in URI and Membership object do not match", apiName);
    }
    final AthenzDomain domain = getAthenzDomain(domainName, false);
    final Role role = getRoleFromDomain(roleName, domain);
    if (role == null) {
        throw ZMSUtils.requestError("Invalid rolename specified", apiName);
    }
    // only the member name (and its principal type) is populated before the
    // authorization check, which needs it to find the pending entry; the
    // decision fields are applied afterwards
    final RoleMember decisionMember = new RoleMember();
    decisionMember.setMemberName(normalizeDomainAliasUser(memberName));
    decisionMember.setPrincipalType(principalType(decisionMember.getMemberName()));
    validatePutMembershipDecisionAuthorization(requester, domain, role, decisionMember);
    decisionMember.setApproved(membership.getApproved());
    decisionMember.setActive(membership.getActive());
    final boolean approved = decisionMember.getApproved() == Boolean.TRUE;
    if (approved) {
        setRoleMemberExpiration(domain, role, decisionMember, membership, apiName);
        setRoleMemberReview(role, decisionMember, membership);
        // the principal is validated only on approval so that rejecting
        // (i.e. removing) a request is never blocked by the authority filter
        final String authorityFilter = enforcedUserAuthorityFilter(role.getUserAuthorityFilter(), domain.getDomain().getUserAuthorityFilter());
        final boolean groupsDisallowed = ADMIN_ROLE_NAME.equals(roleName);
        validateRoleMemberPrincipal(decisionMember.getMemberName(), decisionMember.getPrincipalType(), authorityFilter, role.getUserAuthorityExpiration(), role.getAuditEnabled(), groupsDisallowed, apiName);
    }
    dbService.executePutMembershipDecision(ctx, domainName, roleName, decisionMember, auditRef, apiName);
}

Example 98 with AthenzDomain

use of com.yahoo.athenz.zms.store.AthenzDomain in project athenz by yahoo.

the class DBService method updateDomainMembersExpiration.

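/**
 * Tightens member due dates across a domain after its default expiry days
 * were reduced.
 *
 * <p>Nothing is done unless at least one of the user/service/group expiry-day
 * settings became more restrictive. Roles and groups that carry their own
 * expiry-day settings are skipped (their own setting wins), as are trust
 * (delegated) roles and roles/groups without members. When any member was
 * updated, the role/group and domain modification timestamps are refreshed
 * and the local cache entry for the domain is invalidated.
 *
 * @param ctx           request context; used to resolve the acting principal for auditing
 * @param con           open store connection the updates are written through
 * @param domain        the domain as currently stored
 * @param updatedDomain the domain with the new expiry-day settings
 * @param auditRef      audit reference recorded with the member updates
 * @param caller        API name for logging/auditing
 */
void updateDomainMembersExpiration(ResourceContext ctx, ObjectStoreConnection con, Domain domain, Domain updatedDomain, String auditRef, String caller) {
    // we only need to process the domain role members if the new expiration
    // is more restrictive than what we had before
    final boolean userMemberExpiryDayReduced = isNumOfDaysReduced(domain.getMemberExpiryDays(), updatedDomain.getMemberExpiryDays());
    final boolean serviceMemberExpiryDayReduced = isNumOfDaysReduced(domain.getServiceExpiryDays(), updatedDomain.getServiceExpiryDays());
    final boolean groupMemberExpiryDayReduced = isNumOfDaysReduced(domain.getGroupExpiryDays(), updatedDomain.getGroupExpiryDays());
    if (!userMemberExpiryDayReduced && !serviceMemberExpiryDayReduced && !groupMemberExpiryDayReduced) {
        return;
    }
    final AthenzDomain athenzDomain;
    try {
        athenzDomain = getAthenzDomain(con, domain.getName());
    } catch (ResourceException ex) {
        // best effort: a domain we cannot load is logged and left untouched
        LOG.error("unable to fetch domain {}: {}", domain.getName(), ex.getMessage());
        return;
    }
    // a single base time so the user/service/group due dates computed for the
    // same update do not differ by the few milliseconds between three clock reads;
    // a 0 expiry means "no change" for that member type
    final long now = System.currentTimeMillis();
    final long userExpiryMillis = userMemberExpiryDayReduced ? now + TimeUnit.DAYS.toMillis(updatedDomain.getMemberExpiryDays()) : 0;
    final long serviceExpiryMillis = serviceMemberExpiryDayReduced ? now + TimeUnit.DAYS.toMillis(updatedDomain.getServiceExpiryDays()) : 0;
    final long groupExpiryMillis = groupMemberExpiryDayReduced ? now + TimeUnit.DAYS.toMillis(updatedDomain.getGroupExpiryDays()) : 0;
    final Timestamp userExpiration = Timestamp.fromMillis(userExpiryMillis);
    final Timestamp serviceExpiration = Timestamp.fromMillis(serviceExpiryMillis);
    final Timestamp groupExpiration = Timestamp.fromMillis(groupExpiryMillis);
    final String principal = getPrincipalName(ctx);
    boolean domainModified = false;
    for (Role role : athenzDomain.getRoles()) {
        // a role with its own expiry-day settings is governed by those, not by the domain
        if (role.getMemberExpiryDays() != null || role.getServiceExpiryDays() != null || role.getGroupExpiryDays() != null) {
            continue;
        }
        // delegated (trust) roles have no members of their own to update
        if (role.getTrust() != null && !role.getTrust().isEmpty()) {
            continue;
        }
        // if no role members, then there is nothing to do
        final List<RoleMember> roleMembers = role.getRoleMembers();
        if (roleMembers == null || roleMembers.isEmpty()) {
            continue;
        }
        // process our role members and if there were any changes processed then update
        // our role and domain time-stamps, and invalidate local cache entry
        final String roleName = AthenzUtils.extractRoleName(role.getName());
        final List<RoleMember> roleMembersWithUpdatedDueDates = getRoleMembersWithUpdatedDueDates(roleMembers, userExpiration, userExpiryMillis, serviceExpiration, serviceExpiryMillis, groupExpiration, groupExpiryMillis, null, 0, null, 0, null, null, 0);
        if (insertRoleMembers(ctx, con, roleMembersWithUpdatedDueDates, domain.getName(), roleName, principal, auditRef, caller)) {
            con.updateRoleModTimestamp(domain.getName(), roleName);
            domainModified = true;
        }
    }
    for (Group group : athenzDomain.getGroups()) {
        // a group with its own expiry-day settings is governed by those, not by the domain
        if (group.getMemberExpiryDays() != null || group.getServiceExpiryDays() != null) {
            continue;
        }
        // if no group members, then there is nothing to do
        final List<GroupMember> groupMembers = group.getGroupMembers();
        if (groupMembers == null || groupMembers.isEmpty()) {
            continue;
        }
        // process our group members and if there were any changes processed then update
        // our group and domain time-stamps, and invalidate local cache entry
        final String groupName = AthenzUtils.extractGroupName(group.getName());
        final List<GroupMember> groupMembersWithUpdatedDueDates = getGroupMembersWithUpdatedDueDates(groupMembers, userExpiration, userExpiryMillis, serviceExpiration, serviceExpiryMillis, null);
        if (insertGroupMembers(ctx, con, groupMembersWithUpdatedDueDates, domain.getName(), groupName, principal, auditRef, caller)) {
            con.updateGroupModTimestamp(domain.getName(), groupName);
            domainModified = true;
        }
    }
    if (domainModified) {
        con.updateDomainModTimestamp(domain.getName());
        cacheStore.invalidate(domain.getName());
    }
}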

Example 99 with AthenzDomain

use of com.yahoo.athenz.zms.store.AthenzDomain in project athenz by yahoo.

the class DBService method getDelegatedRoleMembers.

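/**
 * Resolves the members of a delegated role by looking at the trust domain.
 *
 * <p>Every active policy in {@code trustDomain} is scanned for assume_role
 * assertions whose resource matches the full name of {@code roleName} in
 * {@code domainName}; the role glob of each matching assertion is then matched
 * against the trust domain's roles, and the members of every matching role
 * are collected. Each member name is kept once (first occurrence wins).
 *
 * @param con         open store connection used to load the trust domain
 * @param domainName  domain that owns the delegated role
 * @param trustDomain domain the role is delegated to
 * @param roleName    short name of the delegated role
 * @return the de-duplicated members, or {@code null} when the role is not
 *         actually delegated ({@code domainName} equals {@code trustDomain})
 *         or the trust domain cannot be loaded
 */
List<RoleMember> getDelegatedRoleMembers(ObjectStoreConnection con, final String domainName, final String trustDomain, final String roleName) {
    if (domainName.equals(trustDomain)) {
        return null;
    }
    // retrieve our trust domain; a load failure is logged and reported as "no members"
    AthenzDomain domain = null;
    try {
        domain = getAthenzDomain(con, trustDomain);
    } catch (ResourceException ex) {
        LOG.error("unable to fetch domain {}: {}", trustDomain, ex.getMessage());
    }
    if (domain == null) {
        return null;
    }
    // keyed by member name so that a member reached through several matching
    // assertions/roles is only returned once (the first RoleMember seen is kept)
    final Map<String, RoleMember> roleMembers = new HashMap<>();
    // generate our full role name
    final String fullRoleName = ResourceUtils.roleResourceName(domainName, roleName);
    for (Policy policy : domain.getPolicies()) {
        // ignore any inactive/multi-version policies
        if (policy.getActive() == Boolean.FALSE) {
            continue;
        }
        final List<Assertion> assertions = policy.getAssertions();
        if (assertions == null) {
            continue;
        }
        for (Assertion assertion : assertions) {
            if (!AuthzHelper.assumeRoleResourceMatch(fullRoleName, assertion)) {
                continue;
            }
            // compile the assertion's role glob once instead of once per role
            // (String.matches() recompiles the regex on every call)
            final java.util.regex.Pattern rolePattern = java.util.regex.Pattern.compile(StringUtils.patternFromGlob(assertion.getRole()));
            for (Role role : domain.getRoles()) {
                // make sure we have members before trying to match the name
                final List<RoleMember> members = role.getRoleMembers();
                if (members == null || members.isEmpty()) {
                    continue;
                }
                if (!rolePattern.matcher(role.getName()).matches()) {
                    continue;
                }
                for (RoleMember member : members) {
                    roleMembers.putIfAbsent(member.getMemberName(), member);
                }
            }
        }
    }
    return new ArrayList<>(roleMembers.values());
}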

Example 100 with AthenzDomain

use of com.yahoo.athenz.zms.store.AthenzDomain in project athenz by yahoo.

the class ZMSImpl method isSysAdminUser.

/**
 * Tells whether the principal is a system administrator.
 *
 * <p>The decision is made by evaluating whether the principal is allowed the
 * (lower-case) action {@code create} on the {@code SYS_AUTH + ":domain"}
 * resource under the system-auth domain's roles and policies.
 *
 * @param principal              the principal to check
 * @param prefixMustBeUserDomain when true, a principal whose domain is not
 *                               the configured user domain is rejected without
 *                               consulting the system-auth domain
 * @return true only when the evaluated status is {@code AccessStatus.ALLOWED}
 */
boolean isSysAdminUser(Principal principal, boolean prefixMustBeUserDomain) {
    final boolean wrongPrefix = prefixMustBeUserDomain && !principal.getDomain().equals(userDomain);
    if (wrongPrefix) {
        return false;
    }
    final AthenzDomain sysAuthDomain = getAthenzDomain(SYS_AUTH, true);
    // evaluate the system-auth domain's roles and policies for the
    // "create" action (actions are always lower-case) on its domain resource
    final String sysAuthResource = SYS_AUTH + ":domain";
    final AccessStatus status = evaluateAccess(sysAuthDomain, principal.getFullName(), "create", sysAuthResource, null, null, principal);
    return AccessStatus.ALLOWED == status;
}
