
Example 31 with AthenzDomain

use of com.yahoo.athenz.zms.store.AthenzDomain in project athenz by yahoo.

The DBServiceTest class, method testUpdateDomainMemberUserAuthorityFilterObjectStoreFailure: checks that when the object store reports no member state change, the domain and role modification timestamps are left untouched.

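@Test
public void testUpdateDomainMemberUserAuthorityFilterObjectStoreFailure() {
    // Scenario: the domain-level user-authority filter changes, but the object
    // store reports that no member's disabled state was actually updated. In
    // that case the role/domain modification timestamps must NOT be touched;
    // the mock's updateDomainModTimestamp throws to make any such call fail.
    final String domainName = "domain-meta-user-authority-filter";
    List<String> admins = new ArrayList<>();
    admins.add("user.john");
    zms.dbService.makeDomain(mockDomRsrcCtx, ZMSTestUtils.makeDomainObject(domainName, "test desc", "org", false, "", 1997, "", 0), admins, null, auditRef);
    AthenzDomain athenzDomain = zms.dbService.getAthenzDomain(domainName, false);
    Domain domain = new Domain().setName(domainName).setUserAuthorityFilter("contractor").setModified(Timestamp.fromCurrentTime());
    Domain updateDomain = new Domain().setName(domainName).setUserAuthorityFilter("employee");
    ObjectStoreConnection mockConn = Mockito.mock(ObjectStoreConnection.class);
    Mockito.when(mockConn.getAthenzDomain(domainName)).thenReturn(athenzDomain);
    // the store claims nothing changed for any member
    Mockito.when(mockConn.updateRoleMemberDisabledState(Mockito.anyString(), Mockito.anyString(), Mockito.anyString(), Mockito.anyString(), Mockito.anyInt(), Mockito.anyString())).thenReturn(false);
    // must never be reached when no member state changed
    Mockito.when(mockConn.updateDomainModTimestamp(domainName)).thenThrow(new IllegalArgumentException());
    // swap in a mock user authority; it is restored in the finally block so a
    // failure in the call under test cannot leak mock state (or the test
    // domain) into the other tests of this class
    Authority savedAuthority = zms.dbService.zmsConfig.getUserAuthority();
    Authority authority = Mockito.mock(Authority.class);
    zms.dbService.zmsConfig.setUserAuthority(authority);
    try {
        zms.dbService.updateDomainMembersUserAuthorityFilter(mockDomRsrcCtx, mockConn, domain, updateDomain, auditRef, "testUpdateDomainMemberUserAuthorityFilterObjectStoreFailure");
        // nothing changed, so neither the role nor the domain timestamp is bumped
        Mockito.verify(mockConn, Mockito.never()).updateRoleModTimestamp(Mockito.anyString(), Mockito.anyString());
        Mockito.verify(mockConn, Mockito.never()).updateDomainModTimestamp(domainName);
    } finally {
        zms.dbService.zmsConfig.setUserAuthority(savedAuthority);
        zms.dbService.executeDeleteDomain(mockDomRsrcCtx, domainName, auditRef, "deletedomain");
    }
}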

Example 32 with AthenzDomain

use of com.yahoo.athenz.zms.store.AthenzDomain in project athenz by yahoo.

The ZMSImpl class, method putGroupMembership: the REST entry point that validates and lower-cases the request, checks the caller's authorization, and only then delegates the membership write to DBService.

@Override
public void putGroupMembership(ResourceContext ctx, String domainName, String groupName, String memberName, String auditRef, GroupMembership membership) {
    final String caller = ctx.getApiName();
    logPrincipal(ctx);
    // writes are refused outright while the server is in read-only mode
    if (readOnlyMode.get()) {
        throw ZMSUtils.requestError(SERVER_READ_ONLY_MESSAGE, caller);
    }
    // syntactic validation of every incoming value happens before any lookup
    validateRequest(ctx.request(), caller);
    validate(domainName, TYPE_DOMAIN_NAME, caller);
    setRequestDomain(ctx, domainName);
    validate(groupName, TYPE_ENTITY_NAME, caller);
    validate(memberName, TYPE_MEMBER_NAME, caller);
    validate(membership, TYPE_GROUP_MEMBERSHIP, caller);
    // names are case-insensitive in ZMS: fold the URI values and the body to
    // lower case so the equality checks and lookups below are consistent
    final String lcDomainName = domainName.toLowerCase();
    final String lcGroupName = groupName.toLowerCase();
    final String lcMemberName = memberName.toLowerCase();
    AthenzObject.GROUP_MEMBERSHIP.convertToLowerCase(membership);
    final Principal principal = ((RsrcCtxWrapper) ctx).principal();
    // an authorized-service principal may be restricted to particular groups
    verifyAuthorizedServiceGroupOperation(principal.getAuthorizedService(), caller, lcGroupName);
    // URI and body must agree on the member; the body's group name is optional
    // but, when present, must match the URI as well
    if (!lcMemberName.equals(membership.getMemberName())) {
        throw ZMSUtils.requestError("putGroupMembership: Member name in URI and GroupMembership object do not match", caller);
    }
    final String bodyGroupName = membership.getGroupName();
    if (bodyGroupName != null && !lcGroupName.equals(bodyGroupName)) {
        throw ZMSUtils.requestError("putGroupMembership: Group name in URI and GroupMembership object do not match", caller);
    }
    // NOTE(review): no explicit null check on the domain here, unlike
    // deleteDomain; presumably getGroupFromDomain tolerates a missing domain
    // and the request fails below as "Invalid groupname" -- confirm
    final AthenzDomain athenzDomain = getAthenzDomain(lcDomainName, false);
    final Group group = getGroupFromDomain(lcGroupName, athenzDomain);
    if (group == null) {
        throw ZMSUtils.requestError("Invalid groupname specified", caller);
    }
    // build the member record: alias-normalized name, principal type, expiry
    final GroupMember groupMember = new GroupMember();
    groupMember.setMemberName(normalizeDomainAliasUser(lcMemberName));
    groupMember.setPrincipalType(principalType(groupMember.getMemberName()));
    setGroupMemberExpiration(athenzDomain, group, groupMember, membership, caller);
    // the group-level filter takes precedence over the domain-level one (as
    // decided by enforcedUserAuthorityFilter); the member is checked against it
    final String effectiveFilter = enforcedUserAuthorityFilter(group.getUserAuthorityFilter(), athenzDomain.getDomain().getUserAuthorityFilter());
    validateGroupMemberPrincipal(groupMember.getMemberName(), groupMember.getPrincipalType(), effectiveFilter, caller);
    // authorization is evaluated against the fully normalized member and the
    // live group/domain state, right before the write
    if (!isAllowedPutGroupMembership(principal, athenzDomain, group, groupMember)) {
        throw ZMSUtils.forbiddenError("putGroupMembership: principal is not authorized to add members", caller);
    }
    dbService.executePutGroupMembership(ctx, lcDomainName, group, groupMember, auditRef);
    // identity comparison against Boolean.FALSE: an unset (null) approved flag
    // is treated like approved and sends no notification
    if (groupMember.getApproved() == Boolean.FALSE) {
        sendGroupMembershipApprovalNotification(lcDomainName, athenzDomain.getDomain().getOrg(), lcGroupName, groupMember.getMemberName(), auditRef, principal.getFullName(), group);
    }
}

Example 33 with AthenzDomain

use of com.yahoo.athenz.zms.store.AthenzDomain in project athenz by yahoo.

The DBService class, method updateDomainMembersUserAuthorityFilter: when the domain-level user-authority filter changes, re-evaluates the disabled state of every member of every non-delegated role and bumps the role/domain timestamps only where something actually changed.

void updateDomainMembersUserAuthorityFilter(ResourceContext ctx, ObjectStoreConnection con, Domain domain, Domain updatedDomain, String auditRef, String caller) {
    final String newFilter = updatedDomain.getUserAuthorityFilter();
    // nothing to re-evaluate unless the domain-level filter actually changed
    if (!isUserAuthorityFilterChanged(domain.getUserAuthorityFilter(), newFilter)) {
        return;
    }
    final String domainName = domain.getName();
    final AthenzDomain athenzDomain;
    try {
        athenzDomain = getAthenzDomain(con, domainName);
    } catch (ResourceException ex) {
        // NOTE(review): best-effort -- a failed fetch is logged and the method
        // returns, so the filter change is applied by the caller without any
        // existing member being disabled; members that no longer satisfy the
        // new filter stay enabled until something else re-checks them. Confirm
        // this fail-open behaviour is intended rather than propagating the error.
        LOG.error("unable to fetch domain {}: {}", domainName, ex.getMessage());
        return;
    }
    final String principal = getPrincipalName(ctx);
    for (Role role : athenzDomain.getRoles()) {
        // delegated (trust) roles carry no local members -- nothing to update
        final String trust = role.getTrust();
        if (trust != null && !trust.isEmpty()) {
            continue;
        }
        final List<RoleMember> members = role.getRoleMembers();
        if (members == null || members.isEmpty()) {
            continue;
        }
        final String roleName = AthenzUtils.extractRoleName(role.getName());
        // the role-level filter, if any, is combined with the new domain filter
        // when deciding which members flip between enabled and disabled
        final List<RoleMember> membersToUpdate = getRoleMembersWithUpdatedDisabledState(members, role.getUserAuthorityFilter(), newFilter);
        if (!updateRoleMemberDisabledState(ctx, con, membersToUpdate, domainName, roleName, principal, auditRef, caller)) {
            continue;
        }
        // something changed: bump role and domain timestamps, drop the cached
        // copy of the domain and publish a change event for the role
        con.updateRoleModTimestamp(domainName, roleName);
        con.updateDomainModTimestamp(domainName);
        cacheStore.invalidate(domainName);
        addDomainChangeMessage(ctx, domainName, roleName, DomainChangeMessage.ObjectType.ROLE);
    }
}

Example 34 with AthenzDomain

use of com.yahoo.athenz.zms.store.AthenzDomain in project athenz by yahoo.

The DBService class, method getPublicKeyFromCache: looks up a service public key by key id in the locally cached copy of a domain, returning null whenever the domain, service or key is not present in the cache.

PublicKeyEntry getPublicKeyFromCache(String domainName, String serviceName, String keyId) {
    // cache-only lookup: a null result means "not cached", not "does not
    // exist" -- the caller is expected to fall back to the store
    final DataCache cached = cacheStore.getIfPresent(domainName);
    final AthenzDomain athenzDomain = cached == null ? null : cached.getAthenzDomain();
    final List<ServiceIdentity> services = athenzDomain == null ? null : athenzDomain.getServices();
    if (services == null) {
        return null;
    }
    // service names are stored fully qualified (domain.service)
    final String fullServiceName = ResourceUtils.serviceResourceName(domainName, serviceName);
    for (ServiceIdentity service : services) {
        if (!fullServiceName.equals(service.getName())) {
            continue;
        }
        // only the first service with a matching name is examined
        final List<PublicKeyEntry> keys = service.getPublicKeys();
        if (keys != null) {
            for (PublicKeyEntry key : keys) {
                if (keyId.equals(key.getId())) {
                    return key;
                }
            }
        }
        return null;
    }
    return null;
}

Example 35 with AthenzDomain

use of com.yahoo.athenz.zms.store.AthenzDomain in project athenz by yahoo.

The ZMSImpl class, method deleteDomain: refuses to delete reserved system domains, domains that still have sub-domains, domains whose groups are still referenced elsewhere, and domains that services still depend on, before delegating the deletion to DBService.

void deleteDomain(ResourceContext ctx, String auditRef, String domainName, String caller) {
    // NOTE(review): no authorization check is visible here; presumably the
    // public caller has already authorized the principal for this domain, and
    // has lower-cased domainName (the reserved-domain check is case-sensitive)
    // system domains are never deletable, whatever the caller's rights
    if (reservedSystemDomains.contains(domainName)) {
        throw ZMSUtils.requestError("Cannot delete reserved system domain", caller);
    }
    // a domain with live sub-domains cannot be removed; the prefix search
    // uses "<domain>." so only true children match
    final DomainList subDomainList = listDomains(null, null, domainName + ".", null, 0, true);
    final int subDomainCount = subDomainList.getNames().size();
    if (subDomainCount > 0) {
        throw ZMSUtils.requestError(caller + ": Cannot delete domain " + domainName + ": " + subDomainCount + " subdomains of it exist", caller);
    }
    final AthenzDomain athenzDomain = getAthenzDomain(domainName, false);
    if (athenzDomain == null) {
        throw ZMSUtils.notFoundError("Domain not found: '" + domainName + "'", caller);
    }
    // a group of this domain that is still a member somewhere else must be
    // removed from those domains first; the check throws otherwise
    for (Group group : athenzDomain.getGroups()) {
        groupMemberConsistencyCheck(domainName, group.getName(), true, caller);
    }
    // likewise no service may still declare a dependency on this domain
    verifyNoServiceDependenciesOnDomain(domainName, caller);
    // NOTE(review): the checks above and the delete are separate calls, not
    // one transaction -- a sub-domain or dependency created in between would
    // not be caught here; confirm the store-level delete guards against it
    dbService.executeDeleteDomain(ctx, domainName, auditRef, caller);
}
