use of com.yahoo.athenz.zms.store.AthenzDomain in project athenz by yahoo.
the class DBServiceTest method testUpdateDomainMemberUserAuthorityFilterObjectStoreFailure.
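@Test
public void testUpdateDomainMemberUserAuthorityFilterObjectStoreFailure() {

    // create a domain with one admin so the domain has at least one role member
    // whose disabled state would be re-evaluated when the filter changes
    final String domainName = "domain-meta-user-authority-filter";
    final List<String> adminMembers = new ArrayList<>();
    adminMembers.add("user.john");
    zms.dbService.makeDomain(mockDomRsrcCtx,
            ZMSTestUtils.makeDomainObject(domainName, "test desc", "org", false, "", 1997, "", 0),
            adminMembers, null, auditRef);

    try {
        final AthenzDomain athenzDomain = zms.dbService.getAthenzDomain(domainName, false);

        // current domain-level filter is "contractor"; the requested update moves it to "employee"
        final Domain currentDomain = new Domain().setName(domainName)
                .setUserAuthorityFilter("contractor")
                .setModified(Timestamp.fromCurrentTime());
        final Domain requestedDomain = new Domain().setName(domainName)
                .setUserAuthorityFilter("employee");

        // the mocked store reports that no member disabled-state change was persisted.
        // in that case the domain modification timestamp must never be updated, so the
        // mock throws if the implementation takes that path and the test fails there.
        final ObjectStoreConnection storeConn = Mockito.mock(ObjectStoreConnection.class);
        Mockito.when(storeConn.getAthenzDomain(domainName)).thenReturn(athenzDomain);
        Mockito.when(storeConn.updateRoleMemberDisabledState(Mockito.anyString(), Mockito.anyString(),
                Mockito.anyString(), Mockito.anyString(), Mockito.anyInt(), Mockito.anyString()))
                .thenReturn(false);
        Mockito.when(storeConn.updateDomainModTimestamp(domainName))
                .thenThrow(new IllegalArgumentException());

        // swap in a mock user authority for the duration of the call only
        final Authority savedAuthority = zms.dbService.zmsConfig.getUserAuthority();
        zms.dbService.zmsConfig.setUserAuthority(Mockito.mock(Authority.class));
        try {
            zms.dbService.updateDomainMembersUserAuthorityFilter(mockDomRsrcCtx, storeConn, currentDomain,
                    requestedDomain, auditRef, "testUpdateDomainMemberUserAuthorityFilterObjectStoreFailure");
        } finally {
            // always restore the real user authority so a failure in the call under test
            // cannot leak the mock into subsequent tests
            zms.dbService.zmsConfig.setUserAuthority(savedAuthority);
        }
    } finally {
        // remove the test domain even when an assertion or mock exception aborts the test
        zms.dbService.executeDeleteDomain(mockDomRsrcCtx, domainName, auditRef, "deletedomain");
    }
}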
use of com.yahoo.athenz.zms.store.AthenzDomain in project athenz by yahoo.
the class ZMSImpl method putGroupMembership.
@Override
public void putGroupMembership(ResourceContext ctx, String domainName, String groupName, String memberName,
        String auditRef, GroupMembership membership) {

    final String caller = ctx.getApiName();
    logPrincipal(ctx);

    // writes are rejected outright while the server is in read-only mode
    if (readOnlyMode.get()) {
        throw ZMSUtils.requestError(SERVER_READ_ONLY_MESSAGE, caller);
    }

    // syntactic validation of every incoming value before any of it is acted upon;
    // the order is kept so the same input produces the same first error as before
    validateRequest(ctx.request(), caller);
    validate(domainName, TYPE_DOMAIN_NAME, caller);
    setRequestDomain(ctx, domainName);
    validate(groupName, TYPE_ENTITY_NAME, caller);
    validate(memberName, TYPE_MEMBER_NAME, caller);
    validate(membership, TYPE_GROUP_MEMBERSHIP, caller);

    // all object names are handled in lower case so that the URI/body comparisons
    // below and the stored data are case-insensitive
    final String domain = domainName.toLowerCase();
    final String group = groupName.toLowerCase();
    final String member = memberName.toLowerCase();
    AthenzObject.GROUP_MEMBERSHIP.convertToLowerCase(membership);

    final Principal requester = ((RsrcCtxWrapper) ctx).principal();

    // if the request arrives through an authorized service, that service must be
    // permitted to perform group operations on this group
    verifyAuthorizedServiceGroupOperation(requester.getAuthorizedService(), caller, group);

    // the URI and the request body must agree on who is being added and to which group
    if (!member.equals(membership.getMemberName())) {
        throw ZMSUtils.requestError("putGroupMembership: Member name in URI and GroupMembership object do not match", caller);
    }
    final String bodyGroupName = membership.getGroupName();
    if (bodyGroupName != null && !group.equals(bodyGroupName)) {
        throw ZMSUtils.requestError("putGroupMembership: Group name in URI and GroupMembership object do not match", caller);
    }

    // load the domain and locate the target group so its attributes drive the checks below
    final AthenzDomain athenzDomain = getAthenzDomain(domain, false);
    final Group targetGroup = getGroupFromDomain(group, athenzDomain);
    if (targetGroup == null) {
        throw ZMSUtils.requestError("Invalid groupname specified", caller);
    }

    // build the member entry: resolve user aliases, classify the principal type,
    // and apply the group/domain expiration settings
    final GroupMember groupMember = new GroupMember();
    groupMember.setMemberName(normalizeDomainAliasUser(member));
    groupMember.setPrincipalType(principalType(groupMember.getMemberName()));
    setGroupMemberExpiration(athenzDomain, targetGroup, groupMember, membership, caller);

    // enforcedUserAuthorityFilter combines the group-level and domain-level filters
    // into the one to apply; it decides whether the principal must be checked
    // against the configured user authority
    final String authorityFilter = enforcedUserAuthorityFilter(targetGroup.getUserAuthorityFilter(),
            athenzDomain.getDomain().getUserAuthorityFilter());
    validateGroupMemberPrincipal(groupMember.getMemberName(), groupMember.getPrincipalType(),
            authorityFilter, caller);

    // the authorization decision is made on the fully normalized member
    // (alias-resolved name and principal type), not on the raw request values
    if (!isAllowedPutGroupMembership(requester, athenzDomain, targetGroup, groupMember)) {
        throw ZMSUtils.forbiddenError("putGroupMembership: principal is not authorized to add members", caller);
    }

    // persist the membership in the specified group
    dbService.executePutGroupMembership(ctx, domain, targetGroup, groupMember, auditRef);

    // a membership that still needs approval triggers a notification to the approvers
    if (groupMember.getApproved() == Boolean.FALSE) {
        sendGroupMembershipApprovalNotification(domain, athenzDomain.getDomain().getOrg(), group,
                groupMember.getMemberName(), auditRef, requester.getFullName(), targetGroup);
    }
}
use of com.yahoo.athenz.zms.store.AthenzDomain in project athenz by yahoo.
the class DBService method updateDomainMembersUserAuthorityFilter.
void updateDomainMembersUserAuthorityFilter(ResourceContext ctx, ObjectStoreConnection con, Domain domain,
        Domain updatedDomain, String auditRef, String caller) {

    final String newFilter = updatedDomain.getUserAuthorityFilter();

    // nothing to re-evaluate unless the domain-level filter actually changed
    if (!isUserAuthorityFilterChanged(domain.getUserAuthorityFilter(), newFilter)) {
        return;
    }

    final String domainName = domain.getName();
    final AthenzDomain athenzDomain;
    try {
        athenzDomain = getAthenzDomain(con, domainName);
    } catch (ResourceException ex) {
        // NOTE(review): a fetch failure is logged and the method returns without
        // touching any member, so callers must not assume the members' disabled
        // state has been re-evaluated when this method returns normally
        LOG.error("unable to fetch domain {}: {}", domainName, ex.getMessage());
        return;
    }

    final String principal = getPrincipalName(ctx);
    for (Role role : athenzDomain.getRoles()) {

        // roles delegated to a trust domain are skipped, as are roles with no members
        final String trustDomain = role.getTrust();
        final List<RoleMember> members = role.getRoleMembers();
        if ((trustDomain != null && !trustDomain.isEmpty()) || members == null || members.isEmpty()) {
            continue;
        }

        final String roleName = AthenzUtils.extractRoleName(role.getName());
        final List<RoleMember> changedMembers = getRoleMembersWithUpdatedDisabledState(members,
                role.getUserAuthorityFilter(), newFilter);

        // updateRoleMemberDisabledState reports whether any change was persisted; only then
        // do we bump the role/domain timestamps, drop the cached copy and publish the event
        if (!updateRoleMemberDisabledState(ctx, con, changedMembers, domainName, roleName, principal,
                auditRef, caller)) {
            continue;
        }
        con.updateRoleModTimestamp(domainName, roleName);
        con.updateDomainModTimestamp(domainName);
        cacheStore.invalidate(domainName);
        addDomainChangeMessage(ctx, domainName, roleName, DomainChangeMessage.ObjectType.ROLE);
    }
}
use of com.yahoo.athenz.zms.store.AthenzDomain in project athenz by yahoo.
the class DBService method getPublicKeyFromCache.
PublicKeyEntry getPublicKeyFromCache(String domainName, String serviceName, String keyId) {

    // walk the cache entry down to the service list; any missing level is a cache miss
    final DataCache cached = cacheStore.getIfPresent(domainName);
    final AthenzDomain athenzDomain = (cached == null) ? null : cached.getAthenzDomain();
    final List<ServiceIdentity> services = (athenzDomain == null) ? null : athenzDomain.getServices();
    if (services == null) {
        return null;
    }

    // services are stored under their fully qualified resource name
    final String fullServiceName = ResourceUtils.serviceResourceName(domainName, serviceName);
    for (ServiceIdentity service : services) {
        if (!fullServiceName.equals(service.getName())) {
            continue;
        }

        // only the first service with a matching name is consulted: if it does not
        // hold the requested key id the lookup is a miss, no further services are scanned
        final List<PublicKeyEntry> keys = service.getPublicKeys();
        if (keys == null) {
            return null;
        }
        for (PublicKeyEntry key : keys) {
            if (keyId.equals(key.getId())) {
                return key;
            }
        }
        return null;
    }
    return null;
}
use of com.yahoo.athenz.zms.store.AthenzDomain in project athenz by yahoo.
the class ZMSImpl method deleteDomain.
void deleteDomain(ResourceContext ctx, String auditRef, String domainName, String caller) {

    // NOTE(review): this helper performs only the consistency checks; the caller's
    // authorization is assumed to have been verified by the public entry point — confirm

    // reserved system domains can never be removed through this path
    if (reservedSystemDomains.contains(domainName)) {
        throw ZMSUtils.requestError("Cannot delete reserved system domain", caller);
    }

    // a domain with existing sub-domains cannot be deleted; the "<domain>." prefix lists them
    final DomainList children = listDomains(null, null, domainName + ".", null, 0, true);
    final int childCount = children.getNames().size();
    if (childCount > 0) {
        throw ZMSUtils.requestError(caller + ": Cannot delete domain " + domainName + ": "
                + childCount + " subdomains of it exist", caller);
    }

    final AthenzDomain domain = getAthenzDomain(domainName, false);
    if (domain == null) {
        throw ZMSUtils.notFoundError("Domain not found: '" + domainName + "'", caller);
    }

    // every group in this domain must be free of references from other domains before
    // the domain goes away; otherwise those domains would be left pointing at a deleted group
    for (Group group : domain.getGroups()) {
        groupMemberConsistencyCheck(domainName, group.getName(), true, caller);
    }

    // likewise no registered service may still depend on the domain
    verifyNoServiceDependenciesOnDomain(domainName, caller);

    // all checks passed, delete the domain
    dbService.executeDeleteDomain(ctx, domainName, auditRef, caller);
}