Use of com.yahoo.athenz.zms.store.AthenzDomain in project athenz by yahoo.
Class ZMSImpl, method isAllowedSystemMetaDelete.
boolean isAllowedSystemMetaDelete(Principal principal, final String reqDomain, final String attribute, final String objectType) {
    // Deleting a system meta attribute is a privileged operation: only roles and
    // policies in the official sys.auth domain are consulted, never the target
    // domain's own policies.
    final AthenzDomain sysAuthDomain = getAthenzDomain(SYS_AUTH, true);
    // Resource checked against sys.auth policies:
    //   sys.auth:meta.<objectType>.<attribute>.<reqDomain>
    // NOTE(review): the three components are concatenated verbatim; they are
    // presumably validated by the calling endpoint before reaching here — confirm
    // at the call sites that none of them can carry unexpected characters.
    final String metaResource = SYS_AUTH + ":meta." + objectType + "." + attribute + "." + reqDomain;
    // Actions in Athenz policies are always lower case, hence the literal "delete".
    // NOTE(review): if sys.auth cannot be loaded, sysAuthDomain is null and the
    // result depends on how evaluateAccess treats a null domain — presumably
    // DENIED; verify rather than assume fail-closed.
    final AccessStatus status = evaluateAccess(sysAuthDomain, principal.getFullName(), "delete", metaResource, null, null, principal);
    // Only an explicit ALLOWED grants the operation; any other status is a refusal.
    return AccessStatus.ALLOWED == status;
}
Use of com.yahoo.athenz.zms.store.AthenzDomain in project athenz by yahoo.
Class ZMSImpl, method isAllowedDeletePendingMembership.
boolean isAllowedDeletePendingMembership(Principal principal, final String domainName, final String roleName, final String memberName) {
    // Withdrawing a pending membership request is permitted for two kinds of caller:
    //  1. anyone who has put-membership (update) access on the role, and
    //  2. the principal who originally submitted the pending request (self-service).
    final AthenzDomain athenzDomain = getAthenzDomain(domainName, false);
    if (athenzDomain == null) {
        throw ZMSUtils.notFoundError("Domain not found: " + domainName, "deletePendingMembership");
    }
    final String roleResource = ResourceUtils.roleResourceName(domainName, roleName);
    if (!isAllowedPutMembershipAccess(principal, athenzDomain, roleResource)) {
        // Not a role administrator: fall back to the self-service case and compare
        // the caller with the principal recorded on the pending entry.
        // NOTE(review): the trailing `true` presumably selects the pending (not yet
        // approved) membership record — confirm against dbService.getMembership.
        final Membership pending = dbService.getMembership(domainName, roleName, memberName, 0, true);
        if (pending == null) {
            // no pending request at all, so nothing the caller could have requested
            return false;
        }
        return principal.getFullName().equals(pending.getRequestPrincipal());
    }
    return true;
}
Use of com.yahoo.athenz.zms.store.AthenzDomain in project athenz by yahoo.
Class ZMSImpl, method getJWSDomain.
@Override
public Response getJWSDomain(ResourceContext ctx, String domainName, Boolean signatureP1363Format, String matchingTag) {
    // Returns the domain's data as a signed JWS object, with ETag-based
    // conditional fetching so unchanged domains are answered with 304.
    final String caller = ctx.getApiName();
    logPrincipal(ctx);
    validateRequest(ctx.request(), caller);
    validate(domainName, TYPE_DOMAIN_NAME, caller);
    // Object names are case-insensitive in Athenz; normalize the domain name so
    // the lookup, the error message and the request-domain attribute all agree.
    final String normalizedDomain = domainName.toLowerCase();
    setRequestDomain(ctx, normalizedDomain);
    // The client may echo back the ETag it last received (matchingTag); a zero
    // timestamp means no usable tag was supplied and the full domain is returned.
    final long clientTimestamp = getModTimestamp(matchingTag);
    final AthenzDomain athenzDomain = getAthenzDomain(normalizedDomain, true, false);
    if (athenzDomain == null) {
        throw ZMSUtils.notFoundError("No such domain: " + normalizedDomain, caller);
    }
    // NOTE(review): apart from validateRequest there is no per-domain
    // authorization in this method; the signed domain payload is presumably
    // readable by any authenticated caller, as with the other signed-domain
    // endpoints — confirm against the API definition before relying on that.
    final EntityTag etag = new EntityTag(athenzDomain.getDomain().getModified().toString());
    final long domainModTime = athenzDomain.getDomain().getModified().millis();
    if (clientTimestamp != 0 && domainModTime <= clientTimestamp) {
        // Unchanged since the client's tag: no body, just re-send the ETag.
        return Response.status(ResourceException.NOT_MODIFIED)
                .header("ETag", etag.toString())
                .build();
    }
    // signatureP1363Format selects the ECDSA signature encoding used by generateJWSDomain.
    return Response.status(ResourceException.OK)
            .entity(generateJWSDomain(athenzDomain, signatureP1363Format))
            .header("ETag", etag.toString())
            .build();
}
Use of com.yahoo.athenz.zms.store.AthenzDomain in project athenz by yahoo.
Class ZMSImplTest, method testIsAllowedPutMembershipAccess.
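@Test
public void testIsAllowedPutMembershipAccess() {
    // The mock request principal must be granted put-membership access on a role
    // in a domain it administers, while an unrelated user (user.john) must be denied.
    final String domainName = "testdomain1";
    final String roleName = "testrole1";
    // NOTE(review): the last argument is presumably the initial admin of the domain — confirm.
    TopLevelDomain dom1 = zmsTestInitializer.createTopLevelDomainObject(domainName, "Role Test Domain1", "testOrg", "user.user1");
    zmsTestInitializer.getZms().postTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), zmsTestInitializer.getAuditRef(), dom1);
    try {
        Role role1 = zmsTestInitializer.createRoleObject(domainName, roleName, null, "user.user1", "user.jane");
        zmsTestInitializer.getZms().putRole(zmsTestInitializer.getMockDomRsrcCtx(), domainName, roleName, zmsTestInitializer.getAuditRef(), role1);
        AthenzDomain domain = zmsTestInitializer.getZms().getAthenzDomain(domainName, false);
        Role role = zmsTestInitializer.getZms().getRoleFromDomain(roleName, domain);
        // the request principal backing the mock context is allowed
        assertTrue(zmsTestInitializer.getZms().isAllowedPutMembershipAccess(zmsTestInitializer.getMockDomRestRsrcCtx().principal(), domain, role.getName()));
        // build an unrelated principal that holds no role in the domain
        Authority principalAuthority = new com.yahoo.athenz.common.server.debug.DebugPrincipalAuthority();
        String unsignedCreds = "v=U1;d=user;n=john";
        final Principal rsrcPrince = SimplePrincipal.create("user", "john", unsignedCreds + ";s=signature", 0, principalAuthority);
        assertNotNull(rsrcPrince);
        ((SimplePrincipal) rsrcPrince).setUnsignedCreds(unsignedCreds);
        // some random user does not have access
        assertFalse(zmsTestInitializer.getZms().isAllowedPutMembershipAccess(rsrcPrince, domain, role.getName()));
    } finally {
        // delete the domain even when an assertion fails, so a failure here does
        // not leave "testdomain1" behind for tests that reuse the same name
        zmsTestInitializer.getZms().deleteTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), domainName, zmsTestInitializer.getAuditRef());
    }
}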
Use of com.yahoo.athenz.zms.store.AthenzDomain in project athenz by yahoo.
Class ZMSImplTest, method testSetupPolicyListWithOutAssertions.
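@Test
public void testSetupPolicyListWithOutAssertions() {
    // setupPolicyList(domain, false, false) must return every policy in the domain
    // (including the auto-created admin policy) with the assertions stripped.
    final String domainName = "setup-policy-without-assert";
    TopLevelDomain dom1 = zmsTestInitializer.createTopLevelDomainObject(domainName, "Test Domain1", "testOrg", zmsTestInitializer.getAdminUser());
    zmsTestInitializer.getZms().postTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), zmsTestInitializer.getAuditRef(), dom1);
    try {
        Policy policy1 = zmsTestInitializer.createPolicyObject(domainName, "policy1");
        zmsTestInitializer.getZms().putPolicy(zmsTestInitializer.getMockDomRsrcCtx(), domainName, "policy1", zmsTestInitializer.getAuditRef(), policy1);
        Policy policy2 = zmsTestInitializer.createPolicyObject(domainName, "policy2");
        zmsTestInitializer.getZms().putPolicy(zmsTestInitializer.getMockDomRsrcCtx(), domainName, "policy2", zmsTestInitializer.getAuditRef(), policy2);
        AthenzDomain domain = zmsTestInitializer.getZms().getAthenzDomain(domainName, false);
        List<Policy> policies = zmsTestInitializer.getZms().setupPolicyList(domain, Boolean.FALSE, Boolean.FALSE);
        // two policies created above plus the admin policy created with the domain
        assertEquals(3, policies.size());
        boolean policy1Check = false;
        boolean policy2Check = false;
        for (Policy policy : policies) {
            switch (policy.getName()) {
                case "setup-policy-without-assert:policy.policy1":
                    assertNull(policy.getAssertions());
                    policy1Check = true;
                    break;
                case "setup-policy-without-assert:policy.policy2":
                    assertNull(policy.getAssertions());
                    policy2Check = true;
                    break;
                default:
                    // the admin policy (or anything else) is not asserted on here
                    break;
            }
        }
        assertTrue(policy1Check);
        assertTrue(policy2Check);
    } finally {
        // delete the domain even when an assertion fails, so a failure here does
        // not leave the domain behind for later tests
        zmsTestInitializer.getZms().deleteTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), domainName, zmsTestInitializer.getAuditRef());
    }
}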