Use of com.yahoo.athenz.zms.store.AthenzDomain in project athenz by yahoo: class ZMSImpl, method generateJWSDomain.
/**
 * Builds the signed JWS representation of a fully loaded domain.
 *
 * The returned object carries the domain attributes, roles, groups, services
 * and entities plus a {@code SignedPolicies} wrapper. Note the signature
 * scoping, which matters to anyone verifying it: the policy signature is
 * computed over the canonical string of the reduced policy view produced by
 * {@code getDomainPolicyList(..., false)} (active policies only, no
 * conditions, kept for backward compatibility), while the contents shipped to
 * the caller are the complete policy list. A verifier must rebuild the same
 * reduced view before checking the signature, and the signature does not
 * bind inactive policies or policy conditions. The whole domain data object
 * is then handed to {@code signJwsDomain}, which produces the outer JWS
 * (its exact coverage is defined there, not here).
 *
 * @param athenzDomain         loaded domain with its roles, groups, services,
 *                             entities and policies
 * @param signatureP1363Format whether the JWS signature should be emitted in
 *                             P1363 (r||s) form; forwarded to signJwsDomain
 * @return the signed JWS domain
 */
JWSDomain generateJWSDomain(AthenzDomain athenzDomain, Boolean signatureP1363Format) {

    final Domain dbDomain = athenzDomain.getDomain();
    final String name = dbDomain.getName();

    // Policies: sign the reduced view (active policies, no conditions)
    // first, then swap in the complete list next to that signature.
    DomainPolicies policies = new DomainPolicies().setDomain(name);
    policies.setPolicies(getDomainPolicyList(athenzDomain.getPolicies(), false));
    final String policySignature = Crypto.sign(SignUtils.asCanonicalString(policies), privateKey.getKey());
    policies.setPolicies(athenzDomain.getPolicies());

    SignedPolicies signedPolicies = new SignedPolicies();
    signedPolicies.setContents(policies);
    signedPolicies.setSignature(policySignature).setKeyId(privateKey.getId());

    // Domain data: core attributes, then every collection the domain owns.
    DomainData data = new DomainData()
            .setName(name)
            .setModified(dbDomain.getModified())
            .setEnabled(dbDomain.getEnabled());
    setDomainDataAttributes(data, dbDomain);
    data.setRoles(athenzDomain.getRoles());
    data.setGroups(athenzDomain.getGroups());
    data.setServices(athenzDomain.getServices());
    data.setEntities(athenzDomain.getEntities());
    data.setPolicies(signedPolicies);

    return signJwsDomain(data, signatureP1363Format);
}
Use of com.yahoo.athenz.zms.store.AthenzDomain in project athenz by yahoo: class ZMSImpl, method putGroupReview.
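/**
 * Applies a group review: the reviewer's decisions in {@code group} are
 * normalized, given expiration dates according to the domain/group
 * configuration and handed to the store.
 *
 * Fix over the previous version: the group looked up from the domain was
 * never null-checked, so a review request naming a non-existent group
 * continued into {@code MemberDueDays} with a null group and on to the
 * store. It is now rejected with 404, matching the handling of a missing
 * domain here and the missing-group check in putGroupMembershipDecision.
 *
 * Note that this method only verifies the authorized-service restriction of
 * the caller's token ({@code verifyAuthorizedServiceOperation}); the
 * principal's own authorization for the group resource is not evaluated in
 * this method and is presumably enforced before dispatch - confirm against
 * the resource layer before relying on it.
 *
 * @param ctx        request context (caller name, principal, HTTP request)
 * @param domainName domain owning the group (URI value, lower-cased here)
 * @param groupName  group being reviewed (URI value, lower-cased here)
 * @param auditRef   audit reference forwarded to the store
 * @param group      reviewed group object; its name must match the URI
 */
@Override
public void putGroupReview(ResourceContext ctx, String domainName, String groupName, String auditRef, Group group) {

    final String caller = ctx.getApiName();
    logPrincipal(ctx);

    if (readOnlyMode.get()) {
        throw ZMSUtils.requestError(SERVER_READ_ONLY_MESSAGE, caller);
    }

    validateRequest(ctx.request(), caller);
    validate(domainName, TYPE_DOMAIN_NAME, caller);
    validate(groupName, TYPE_ENTITY_NAME, caller);
    validate(group, TYPE_GROUP, caller);

    // for consistent handling of all requests, we're going to convert
    // all incoming object values into lower case (e.g. domain, role,
    // policy, service, etc name). NOTE(review): toLowerCase() uses the
    // JVM default locale; the file does this everywhere, so any change
    // to Locale.ROOT must be made consistently, not here alone.
    domainName = domainName.toLowerCase();
    setRequestDomain(ctx, domainName);
    groupName = groupName.toLowerCase();
    AthenzObject.GROUP.convertToLowerCase(group);

    // verify that the authorized service (if the token carries one)
    // is permitted to perform this operation
    verifyAuthorizedServiceOperation(((RsrcCtxWrapper) ctx).principal().getAuthorizedService(), caller);

    // the body must describe the same group as the URI; otherwise a
    // caller could review one group while naming another
    if (!isConsistentGroupName(domainName, groupName, group)) {
        throw ZMSUtils.requestError(caller + ": Inconsistent group names - expected: " + ResourceUtils.groupResourceName(domainName, groupName) + ", actual: " + group.getName(), caller);
    }

    AthenzDomain domain = getAthenzDomain(domainName, false);
    if (domain == null) {
        throw ZMSUtils.notFoundError("No such domain: " + domainName, caller);
    }

    // the stored group drives the expiry configuration below; reviewing
    // a group that does not exist is a not-found, not a store write
    Group dbGroup = getGroupFromDomain(groupName, domain);
    if (dbGroup == null) {
        throw ZMSUtils.notFoundError("No such group: " + groupName, caller);
    }

    // normalize and remove duplicate members
    normalizeGroupMembers(group);

    // update group member expiry based on the domain/group configuration
    MemberDueDays memberExpiryDueDays = new MemberDueDays(domain.getDomain(), dbGroup);
    updateGroupMemberExpiration(memberExpiryDueDays, group.getGroupMembers());

    // process our request
    dbService.executePutGroupReview(ctx, domainName, groupName, group, memberExpiryDueDays, auditRef);
}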
Use of com.yahoo.athenz.zms.store.AthenzDomain in project athenz by yahoo: class ZMSImpl, method access.
/**
 * Authorization entry point: decides whether {@code principal} may perform
 * {@code action} on {@code resource}, optionally through {@code trustDomain}.
 *
 * Error-reporting trade-off worth knowing: an unknown or unresolvable
 * domain is reported as 404 (via the server-common ResourceException) and a
 * disabled domain as 403 "Disabled Domain", rather than a plain "not
 * allowed". This is deliberate (mistyped domain names are a common user
 * error) but it means the existence and enabled state of a domain is
 * disclosed to any authenticated caller whose authority is allowed to make
 * authorization checks, before any policy evaluation happens.
 *
 * All string inputs are lower-cased with the platform-default locale, as
 * everywhere in this file; resources under the user home domain are
 * rewritten by {@code userHomeDomainResource} before lookup.
 *
 * @param action      requested action
 * @param resource    resource in {@code domain:resource} form
 * @param principal   authenticated principal
 * @param trustDomain optional trust (delegating) domain, may be null
 * @return true only if the policy evaluation result is ALLOWED
 * @throws com.yahoo.athenz.common.server.rest.ResourceException 404 when
 *         the domain cannot be resolved or loaded, 403 when it is disabled
 */
public boolean access(String action, String resource, Principal principal, String trustDomain) {

    // for consistent handling of all requests, we're going to convert
    // all incoming object values into lower case (e.g. domain, role,
    // policy, service, etc name)
    final String normalizedAction = action.toLowerCase();
    final String normalizedTrustDomain = (trustDomain == null) ? null : trustDomain.toLowerCase();

    // if the resource starts with the user domain and the environment is using
    // a different domain name we'll dynamically update the resource value
    final String normalizedResource = userHomeDomainResource(resource.toLowerCase());

    if (LOG.isDebugEnabled()) {
        LOG.debug("access:({}, {}, {}, {})", normalizedAction, normalizedResource, principal, normalizedTrustDomain);
    }

    // principals whose authority does not support authorization checks
    // are rejected outright, before any domain information is looked up
    if (!AuthzHelper.authorityAuthorizationAllowed(principal)) {
        LOG.error("Authority is not allowed to support authorization checks");
        return false;
    }

    // resolve the domain from the resource and action/trustDomain pair;
    // an unresolvable or missing domain is reported as 404 rather than
    // 403 so a mistyped domain name is distinguishable from a denial
    final String domainName = AuthzHelper.retrieveResourceDomain(normalizedResource, normalizedAction, normalizedTrustDomain);
    if (domainName == null) {
        throw domainNotFound();
    }

    final AthenzDomain domain = retrieveAccessDomain(domainName, principal);
    if (domain == null) {
        throw domainNotFound();
    }

    if (domain.getDomain().getEnabled() == Boolean.FALSE) {
        throw new com.yahoo.athenz.common.server.rest.ResourceException(ResourceException.FORBIDDEN, "Disabled Domain");
    }

    final AccessStatus status = hasAccess(domain, normalizedAction, normalizedResource, principal, normalizedTrustDomain);
    return status == AccessStatus.ALLOWED;
}

/** The 404 raised when the domain for an access check cannot be resolved or loaded. */
private static com.yahoo.athenz.common.server.rest.ResourceException domainNotFound() {
    return new com.yahoo.athenz.common.server.rest.ResourceException(ResourceException.NOT_FOUND, "Domain not found");
}
Use of com.yahoo.athenz.zms.store.AthenzDomain in project athenz by yahoo: class ZMSImpl, method isAllowedAuditRoleMembershipApproval.
/**
 * Decides whether {@code principal} may approve audit-enabled role
 * membership requests for {@code reqDomain}.
 *
 * The authorization policies live in the official sys.auth.audit domains,
 * not in the requesting domain: first the per-domain approver domain is
 * consulted for the resource {@code <byDomain>:audit.<domain name>}, and
 * only if that denies is the per-org approver domain consulted for
 * {@code <byOrg>:audit.<domain org>}. The action is the literal lowercase
 * "update" in both cases.
 *
 * NOTE(review): the org is concatenated as-is, so a domain with no org set
 * is evaluated against the resource suffix "audit.null"; whether a policy
 * can match that depends on the audit domain's policies - confirm that the
 * per-org branch is intended to run for org-less domains.
 *
 * @param principal principal requesting approval rights
 * @param reqDomain domain whose role membership is being approved
 * @return true if either the per-domain or the per-org policy allows it
 */
boolean isAllowedAuditRoleMembershipApproval(Principal principal, final AthenzDomain reqDomain) {

    final Domain requested = reqDomain.getDomain();

    // per-domain approvers take precedence
    if (auditApproverAccessAllowed(principal, ZMSConsts.SYS_AUTH_AUDIT_BY_DOMAIN, requested.getName())) {
        return true;
    }

    // fall back to the per-org approvers
    return auditApproverAccessAllowed(principal, ZMSConsts.SYS_AUTH_AUDIT_BY_ORG, requested.getOrg());
}

/**
 * Evaluates the "update" action on {@code <authDomainName>:audit.<target>}
 * against the roles and policies of the given audit domain.
 */
private boolean auditApproverAccessAllowed(Principal principal, final String authDomainName, final String target) {
    final AthenzDomain authDomain = getAthenzDomain(authDomainName, true);
    final String resource = authDomainName + ":audit." + target;
    final AccessStatus status = evaluateAccess(authDomain, principal.getFullName(), "update", resource, null, null, principal);
    return status == AccessStatus.ALLOWED;
}
Use of com.yahoo.athenz.zms.store.AthenzDomain in project athenz by yahoo: class ZMSImpl, method putGroupMembershipDecision.
/**
 * Records an approve/reject decision on a pending group membership request.
 *
 * Order of operations is security-relevant and must be preserved: the
 * request is validated and normalized, the decision-maker is authorized via
 * {@code validatePutGroupMembershipDecisionAuthorization}, and only then are
 * the approved/active flags and expiration copied onto the member that is
 * written to the store. Principal validation (user-authority filter) runs
 * only for approvals so that rejected requests can always be cleaned up.
 *
 * @param ctx        request context (caller name, principal, HTTP request)
 * @param domainName domain owning the group (URI value, lower-cased here)
 * @param groupName  group the request targets (URI value, lower-cased here)
 * @param memberName member the decision concerns (URI value, lower-cased here)
 * @param auditRef   audit reference forwarded to the store
 * @param membership decision payload; member name must match the URI, group
 *                   name must match the URI when present
 */
@Override
public void putGroupMembershipDecision(ResourceContext ctx, String domainName, String groupName, String memberName, String auditRef, GroupMembership membership) {

    final String caller = ctx.getApiName();
    logPrincipal(ctx);

    if (readOnlyMode.get()) {
        throw ZMSUtils.requestError(SERVER_READ_ONLY_MESSAGE, caller);
    }

    validateRequest(ctx.request(), caller);
    validate(domainName, TYPE_DOMAIN_NAME, caller);
    validate(groupName, TYPE_ENTITY_NAME, caller);
    validate(memberName, TYPE_MEMBER_NAME, caller);
    validate(membership, TYPE_GROUP_MEMBERSHIP, caller);

    // for consistent handling of all requests, we're going to convert
    // all incoming object values into lower case (e.g. domain, role,
    // policy, service, etc name). toLowerCase() uses the platform default
    // locale, as it does everywhere in this file.
    domainName = domainName.toLowerCase();
    setRequestDomain(ctx, domainName);
    groupName = groupName.toLowerCase();
    memberName = memberName.toLowerCase();
    AthenzObject.GROUP_MEMBERSHIP.convertToLowerCase(membership);

    final Principal principal = ((RsrcCtxWrapper) ctx).principal();

    // verify that the authorized service (if the token carries one)
    // is permitted to perform this operation on this group
    verifyAuthorizedServiceGroupOperation(principal.getAuthorizedService(), caller, groupName);

    // the URI is authoritative: the body may not redirect the decision
    // to a different member or group
    if (!memberName.equals(membership.getMemberName())) {
        throw ZMSUtils.requestError("putGroupMembershipDecision: Member name in URI and GroupMembership object do not match", caller);
    }

    // group name in the body is optional, but when present it must agree
    if (membership.getGroupName() != null && !groupName.equals(membership.getGroupName())) {
        throw ZMSUtils.requestError("putGroupMembershipDecision: Group name in URI and GroupMembership object do not match", caller);
    }

    // no explicit null check on the domain here (unlike putGroupReview);
    // presumably getGroupFromDomain tolerates a null domain and returns
    // null, which the next check turns into a 400 - verify
    AthenzDomain domain = getAthenzDomain(domainName, false);
    Group group = getGroupFromDomain(groupName, domain);
    if (group == null) {
        throw ZMSUtils.requestError("Invalid groupname specified", caller);
    }

    // initially create the group member and only set the
    // user name which is all we need in case we need to
    // lookup the pending entry for review approval
    // we'll set the state and expiration after the
    // authorization check is successful
    GroupMember groupMember = new GroupMember();
    groupMember.setMemberName(normalizeDomainAliasUser(memberName));
    groupMember.setPrincipalType(principalType(groupMember.getMemberName()));

    // authorization check: is this principal allowed to decide on this
    // member's request for this group? Must stay ahead of any state change.
    validatePutGroupMembershipDecisionAuthorization(principal, domain, group, groupMember);

    groupMember.setApproved(membership.getApproved());
    groupMember.setActive(membership.getActive());

    if (groupMember.getApproved() == Boolean.TRUE) {

        setGroupMemberExpiration(domain, group, groupMember, membership, caller);

        // check to see if we need to validate the principal
        // but only if the decision is to approve. We don't
        // want to block removal of rejected user requests
        final String userAuthorityFilter = enforcedUserAuthorityFilter(group.getUserAuthorityFilter(), domain.getDomain().getUserAuthorityFilter());
        validateGroupMemberPrincipal(groupMember.getMemberName(), groupMember.getPrincipalType(), userAuthorityFilter, caller);
    }

    dbService.executePutGroupMembershipDecision(ctx, domainName, group, groupMember, auditRef);
}