Search in sources :

Example 26 with AthenzDomain

use of com.yahoo.athenz.zms.store.AthenzDomain in project athenz by yahoo.

the class ZMSImpl method generateJWSDomain.

JWSDomain generateJWSDomain(AthenzDomain athenzDomain, Boolean signatureP1363Format) {
    // set all domain attributes including roles and services
    final Domain domain = athenzDomain.getDomain();
    final String domainName = domain.getName();
    DomainData domainData = new DomainData().setName(domainName).setModified(domain.getModified()).setEnabled(domain.getEnabled());
    setDomainDataAttributes(domainData, domain);
    // set our roles/groups/entities
    domainData.setRoles(athenzDomain.getRoles());
    domainData.setGroups(athenzDomain.getGroups());
    domainData.setServices(athenzDomain.getServices());
    domainData.setEntities(athenzDomain.getEntities());
    // generate the domain policy object that includes the domain
    // name and all policies. However, for signature, we're going
    // generate one for the active policies only without any
    // conditions for backward compatibility reasons
    DomainPolicies domainPolicies = new DomainPolicies().setDomain(domainName);
    domainPolicies.setPolicies(getDomainPolicyList(athenzDomain.getPolicies(), false));
    final String signature = Crypto.sign(SignUtils.asCanonicalString(domainPolicies), privateKey.getKey());
    // reset the policy list to include all policies
    domainPolicies.setPolicies(athenzDomain.getPolicies());
    SignedPolicies signedPolicies = new SignedPolicies();
    signedPolicies.setContents(domainPolicies);
    signedPolicies.setSignature(signature).setKeyId(privateKey.getId());
    domainData.setPolicies(signedPolicies);
    return signJwsDomain(domainData, signatureP1363Format);
}
Also used : AthenzDomain(com.yahoo.athenz.zms.store.AthenzDomain)

Example 27 with AthenzDomain

use of com.yahoo.athenz.zms.store.AthenzDomain in project athenz by yahoo.

the class ZMSImpl method putGroupReview.

@Override
public void putGroupReview(ResourceContext ctx, String domainName, String groupName, String auditRef, Group group) {
    final String caller = ctx.getApiName();
    logPrincipal(ctx);
    if (readOnlyMode.get()) {
        throw ZMSUtils.requestError(SERVER_READ_ONLY_MESSAGE, caller);
    }
    validateRequest(ctx.request(), caller);
    validate(domainName, TYPE_DOMAIN_NAME, caller);
    validate(groupName, TYPE_ENTITY_NAME, caller);
    validate(group, TYPE_GROUP, caller);
    // for consistent handling of all requests, we're going to convert
    // all incoming object values into lower case (e.g. domain, role,
    // policy, service, etc name)
    domainName = domainName.toLowerCase();
    setRequestDomain(ctx, domainName);
    groupName = groupName.toLowerCase();
    AthenzObject.GROUP.convertToLowerCase(group);
    // verify that request is properly authenticated for this request
    verifyAuthorizedServiceOperation(((RsrcCtxWrapper) ctx).principal().getAuthorizedService(), caller);
    if (!isConsistentGroupName(domainName, groupName, group)) {
        throw ZMSUtils.requestError(caller + ": Inconsistent group names - expected: " + ResourceUtils.groupResourceName(domainName, groupName) + ", actual: " + group.getName(), caller);
    }
    AthenzDomain domain = getAthenzDomain(domainName, false);
    if (domain == null) {
        throw ZMSUtils.notFoundError("No such domain: " + domainName, caller);
    }
    Group dbGroup = getGroupFromDomain(groupName, domain);
    // normalize and remove duplicate members
    normalizeGroupMembers(group);
    // update group expiry based on our configurations
    MemberDueDays memberExpiryDueDays = new MemberDueDays(domain.getDomain(), dbGroup);
    updateGroupMemberExpiration(memberExpiryDueDays, group.getGroupMembers());
    // process our request
    dbService.executePutGroupReview(ctx, domainName, groupName, group, memberExpiryDueDays, auditRef);
}
Also used : AthenzDomain(com.yahoo.athenz.zms.store.AthenzDomain)

Example 28 with AthenzDomain

use of com.yahoo.athenz.zms.store.AthenzDomain in project athenz by yahoo.

the class ZMSImpl method access.

public boolean access(String action, String resource, Principal principal, String trustDomain) {
    // for consistent handling of all requests, we're going to convert
    // all incoming object values into lower case (e.g. domain, role,
    // policy, service, etc name)
    resource = resource.toLowerCase();
    if (trustDomain != null) {
        trustDomain = trustDomain.toLowerCase();
    }
    action = action.toLowerCase();
    // if the resource starts with the user domain and the environment is using
    // a different domain name we'll dynamically update the resource value
    resource = userHomeDomainResource(resource);
    if (LOG.isDebugEnabled()) {
        LOG.debug("access:({}, {}, {}, {})", action, resource, principal, trustDomain);
    }
    if (!AuthzHelper.authorityAuthorizationAllowed(principal)) {
        LOG.error("Authority is not allowed to support authorization checks");
        return false;
    }
    // retrieve our domain based on resource and action/trustDomain pair
    // we want to provider better error reporting to the users so if we get a
    // request where the domain is not found instead of just returning 403
    // forbidden (which is confusing since it assumes the user doesn't have
    // access as oppose to possible mistype of the domain name by the user)
    // we want to return 404 not found. The athenz server common has special handling
    // for rest.ResourceExceptions so we'll throw that exception in this
    // special case of not found domains.
    String domainName = AuthzHelper.retrieveResourceDomain(resource, action, trustDomain);
    if (domainName == null) {
        throw new com.yahoo.athenz.common.server.rest.ResourceException(ResourceException.NOT_FOUND, "Domain not found");
    }
    AthenzDomain domain = retrieveAccessDomain(domainName, principal);
    if (domain == null) {
        throw new com.yahoo.athenz.common.server.rest.ResourceException(ResourceException.NOT_FOUND, "Domain not found");
    }
    if (domain.getDomain().getEnabled() == Boolean.FALSE) {
        throw new com.yahoo.athenz.common.server.rest.ResourceException(ResourceException.FORBIDDEN, "Disabled Domain");
    }
    AccessStatus accessStatus = hasAccess(domain, action, resource, principal, trustDomain);
    return accessStatus == AccessStatus.ALLOWED;
}
Also used : AthenzDomain(com.yahoo.athenz.zms.store.AthenzDomain)

Example 29 with AthenzDomain

use of com.yahoo.athenz.zms.store.AthenzDomain in project athenz by yahoo.

the class ZMSImpl method isAllowedAuditRoleMembershipApproval.

boolean isAllowedAuditRoleMembershipApproval(Principal principal, final AthenzDomain reqDomain) {
    // the authorization policy resides in official sys.auth.audit domains
    // first we're going to check the per domain one and then we'll
    // follow up with per org domain
    AthenzDomain authDomain = getAthenzDomain(ZMSConsts.SYS_AUTH_AUDIT_BY_DOMAIN, true);
    // evaluate our domain's roles and policies to see if access
    // is allowed or not for the given operation and resource
    // our action are always converted to lowercase
    String resource = ZMSConsts.SYS_AUTH_AUDIT_BY_DOMAIN + ":audit." + reqDomain.getDomain().getName();
    AccessStatus accessStatus = evaluateAccess(authDomain, principal.getFullName(), "update", resource, null, null, principal);
    if (accessStatus == AccessStatus.ALLOWED) {
        return true;
    }
    // if we didn't find any authorization for the per-domain setup
    // we're going to look at the per-org setup
    authDomain = getAthenzDomain(ZMSConsts.SYS_AUTH_AUDIT_BY_ORG, true);
    resource = ZMSConsts.SYS_AUTH_AUDIT_BY_ORG + ":audit." + reqDomain.getDomain().getOrg();
    accessStatus = evaluateAccess(authDomain, principal.getFullName(), "update", resource, null, null, principal);
    return accessStatus == AccessStatus.ALLOWED;
}
Also used : AthenzDomain(com.yahoo.athenz.zms.store.AthenzDomain)

Example 30 with AthenzDomain

use of com.yahoo.athenz.zms.store.AthenzDomain in project athenz by yahoo.

the class ZMSImpl method putGroupMembershipDecision.

@Override
public void putGroupMembershipDecision(ResourceContext ctx, String domainName, String groupName, String memberName, String auditRef, GroupMembership membership) {
    final String caller = ctx.getApiName();
    logPrincipal(ctx);
    if (readOnlyMode.get()) {
        throw ZMSUtils.requestError(SERVER_READ_ONLY_MESSAGE, caller);
    }
    validateRequest(ctx.request(), caller);
    validate(domainName, TYPE_DOMAIN_NAME, caller);
    validate(groupName, TYPE_ENTITY_NAME, caller);
    validate(memberName, TYPE_MEMBER_NAME, caller);
    validate(membership, TYPE_GROUP_MEMBERSHIP, caller);
    // for consistent handling of all requests, we're going to convert
    // all incoming object values into lower case (e.g. domain, role,
    // policy, service, etc name)
    domainName = domainName.toLowerCase();
    setRequestDomain(ctx, domainName);
    groupName = groupName.toLowerCase();
    memberName = memberName.toLowerCase();
    AthenzObject.GROUP_MEMBERSHIP.convertToLowerCase(membership);
    final Principal principal = ((RsrcCtxWrapper) ctx).principal();
    // verify that request is properly authenticated for this request
    verifyAuthorizedServiceGroupOperation(principal.getAuthorizedService(), caller, groupName);
    if (!memberName.equals(membership.getMemberName())) {
        throw ZMSUtils.requestError("putGroupMembershipDecision: Member name in URI and GroupMembership object do not match", caller);
    }
    if (membership.getGroupName() != null && !groupName.equals(membership.getGroupName())) {
        throw ZMSUtils.requestError("putGroupMembershipDecision: Group name in URI and GroupMembership object do not match", caller);
    }
    AthenzDomain domain = getAthenzDomain(domainName, false);
    Group group = getGroupFromDomain(groupName, domain);
    if (group == null) {
        throw ZMSUtils.requestError("Invalid groupname specified", caller);
    }
    // initially create the group member and only set the
    // user name which is all we need in case we need to
    // lookup the pending entry for review approval
    // we'll set the state and expiration after the
    // authorization check is successful
    GroupMember groupMember = new GroupMember();
    groupMember.setMemberName(normalizeDomainAliasUser(memberName));
    groupMember.setPrincipalType(principalType(groupMember.getMemberName()));
    // authorization check
    validatePutGroupMembershipDecisionAuthorization(principal, domain, group, groupMember);
    groupMember.setApproved(membership.getApproved());
    groupMember.setActive(membership.getActive());
    if (groupMember.getApproved() == Boolean.TRUE) {
        setGroupMemberExpiration(domain, group, groupMember, membership, caller);
        // check to see if we need to validate the principal
        // but only if the decision is to approve. We don't
        // want to block removal of rejected user requests
        final String userAuthorityFilter = enforcedUserAuthorityFilter(group.getUserAuthorityFilter(), domain.getDomain().getUserAuthorityFilter());
        validateGroupMemberPrincipal(groupMember.getMemberName(), groupMember.getPrincipalType(), userAuthorityFilter, caller);
    }
    dbService.executePutGroupMembershipDecision(ctx, domainName, group, groupMember, auditRef);
}
Also used : AthenzDomain(com.yahoo.athenz.zms.store.AthenzDomain)

Aggregations

AthenzDomain (com.yahoo.athenz.zms.store.AthenzDomain)104 Test (org.testng.annotations.Test)28 Principal (com.yahoo.athenz.auth.Principal)14 Authority (com.yahoo.athenz.auth.Authority)13 MetricNotificationService (com.yahoo.athenz.common.server.notification.impl.MetricNotificationService)13 ZMSNotificationManagerTest.getNotificationManager (com.yahoo.athenz.zms.notification.ZMSNotificationManagerTest.getNotificationManager)13 DBService (com.yahoo.athenz.zms.DBService)6 Role (com.yahoo.athenz.zms.Role)6 RoleMember (com.yahoo.athenz.zms.RoleMember)6 ObjectStore (com.yahoo.athenz.zms.store.ObjectStore)3 ObjectStoreConnection (com.yahoo.athenz.zms.store.ObjectStoreConnection)3 java.sql (java.sql)3 SQLException (java.sql.SQLException)2 AuthzDetailsEntity (com.yahoo.athenz.common.config.AuthzDetailsEntity)1 DomainRoleMembersFetcher (com.yahoo.athenz.common.server.notification.DomainRoleMembersFetcher)1 DataCache (com.yahoo.athenz.zms.DBService.DataCache)1 Domain (com.yahoo.athenz.zms.Domain)1 ResourceException (com.yahoo.athenz.zms.ResourceException)1 JDBCConnection (com.yahoo.athenz.zms.store.jdbc.JDBCConnection)1 Timestamp (com.yahoo.rdl.Timestamp)1