Example 36 with AthenzDomain

Use of com.yahoo.athenz.zms.store.AthenzDomain in project athenz by yahoo.

The class ZMSImpl, method isAllowedSystemMetaDelete.

boolean isAllowedSystemMetaDelete(Principal principal, final String reqDomain, final String attribute, final String objectType) {
    // the authorization policy resides in the official sys.auth domain
    AthenzDomain domain = getAthenzDomain(SYS_AUTH, true);
    // evaluate the sys.auth domain's roles and policies to see if access
    // is allowed or not for the given operation and resource;
    // our actions are always converted to lowercase
    String resource = SYS_AUTH + ":meta." + objectType + "." + attribute + "." + reqDomain;
    AccessStatus accessStatus = evaluateAccess(domain, principal.getFullName(), "delete", resource, null, null, principal);
    return accessStatus == AccessStatus.ALLOWED;
}
Also used: AthenzDomain(com.yahoo.athenz.zms.store.AthenzDomain)

Example 37 with AthenzDomain

Use of com.yahoo.athenz.zms.store.AthenzDomain in project athenz by yahoo.

The class ZMSImpl, method isAllowedDeletePendingMembership.

boolean isAllowedDeletePendingMembership(Principal principal, final String domainName, final String roleName, final String memberName) {
    // first let's check if the principal has update access on the role
    AthenzDomain domain = getAthenzDomain(domainName, false);
    if (domain == null) {
        throw ZMSUtils.notFoundError("Domain not found: " + domainName, "deletePendingMembership");
    }
    if (isAllowedPutMembershipAccess(principal, domain, ResourceUtils.roleResourceName(domainName, roleName))) {
        return true;
    }
    // otherwise, check if the requestor of the pending request is the principal
    Membership pendingMember = dbService.getMembership(domainName, roleName, memberName, 0, true);
    return pendingMember != null && principal.getFullName().equals(pendingMember.getRequestPrincipal());
}
Also used: AthenzDomain(com.yahoo.athenz.zms.store.AthenzDomain)

Example 38 with AthenzDomain

Use of com.yahoo.athenz.zms.store.AthenzDomain in project athenz by yahoo.

The class ZMSImpl, method getJWSDomain.

@Override
public Response getJWSDomain(ResourceContext ctx, String domainName, Boolean signatureP1363Format, String matchingTag) {
    final String caller = ctx.getApiName();
    logPrincipal(ctx);
    validateRequest(ctx.request(), caller);
    validate(domainName, TYPE_DOMAIN_NAME, caller);
    // for consistent handling of all requests, we're going to convert
    // all incoming object values into lower case (e.g. domain, role,
    // policy, service, etc. names)
    domainName = domainName.toLowerCase();
    setRequestDomain(ctx, domainName);
    long timestamp = getModTimestamp(matchingTag);
    AthenzDomain athenzDomain = getAthenzDomain(domainName, true, false);
    if (athenzDomain == null) {
        throw ZMSUtils.notFoundError("No such domain: " + domainName, caller);
    }
    long domainModTime = athenzDomain.getDomain().getModified().millis();
    EntityTag eTag = new EntityTag(athenzDomain.getDomain().getModified().toString());
    // honor the client's If-None-Match tag: return 304 if the domain has not
    // been modified since the timestamp encoded in the matching tag
    if (timestamp != 0 && domainModTime <= timestamp) {
        return Response.status(ResourceException.NOT_MODIFIED).header("ETag", eTag.toString()).build();
    }
    return Response.status(ResourceException.OK).entity(generateJWSDomain(athenzDomain, signatureP1363Format)).header("ETag", eTag.toString()).build();
}
Also used: AthenzDomain(com.yahoo.athenz.zms.store.AthenzDomain), EntityTag(javax.ws.rs.core.EntityTag)

Example 39 with AthenzDomain

Use of com.yahoo.athenz.zms.store.AthenzDomain in project athenz by yahoo.

The class ZMSImplTest, method testIsAllowedPutMembershipAccess.

@Test
public void testIsAllowedPutMembershipAccess() {
    TopLevelDomain dom1 = zmsTestInitializer.createTopLevelDomainObject("testdomain1", "Role Test Domain1", "testOrg", "user.user1");
    zmsTestInitializer.getZms().postTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), zmsTestInitializer.getAuditRef(), dom1);
    Role role1 = zmsTestInitializer.createRoleObject("testdomain1", "testrole1", null, "user.user1", "user.jane");
    zmsTestInitializer.getZms().putRole(zmsTestInitializer.getMockDomRsrcCtx(), "testdomain1", "testrole1", zmsTestInitializer.getAuditRef(), role1);
    AthenzDomain domain = zmsTestInitializer.getZms().getAthenzDomain("testdomain1", false);
    Role role = zmsTestInitializer.getZms().getRoleFromDomain("testrole1", domain);
    // the domain admin principal from the mock context has update access on the role
    assertTrue(zmsTestInitializer.getZms().isAllowedPutMembershipAccess(zmsTestInitializer.getMockDomRestRsrcCtx().principal(), domain, role.getName()));
    Authority principalAuthority = new com.yahoo.athenz.common.server.debug.DebugPrincipalAuthority();
    String unsignedCreds = "v=U1;d=user;n=john";
    final Principal rsrcPrince = SimplePrincipal.create("user", "john", unsignedCreds + ";s=signature", 0, principalAuthority);
    assertNotNull(rsrcPrince);
    ((SimplePrincipal) rsrcPrince).setUnsignedCreds(unsignedCreds);
    // a random user who is not a domain admin does not have access
    assertFalse(zmsTestInitializer.getZms().isAllowedPutMembershipAccess(rsrcPrince, domain, role.getName()));
    zmsTestInitializer.getZms().deleteTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), "testdomain1", zmsTestInitializer.getAuditRef());
}
Also used: AthenzDomain(com.yahoo.athenz.zms.store.AthenzDomain), Authority(com.yahoo.athenz.auth.Authority), Principal(com.yahoo.athenz.auth.Principal)

Example 40 with AthenzDomain

Use of com.yahoo.athenz.zms.store.AthenzDomain in project athenz by yahoo.

The class ZMSImplTest, method testSetupPolicyListWithOutAssertions.

@Test
public void testSetupPolicyListWithOutAssertions() {
    final String domainName = "setup-policy-without-assert";
    TopLevelDomain dom1 = zmsTestInitializer.createTopLevelDomainObject(domainName, "Test Domain1", "testOrg", zmsTestInitializer.getAdminUser());
    zmsTestInitializer.getZms().postTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), zmsTestInitializer.getAuditRef(), dom1);
    Policy policy1 = zmsTestInitializer.createPolicyObject(domainName, "policy1");
    zmsTestInitializer.getZms().putPolicy(zmsTestInitializer.getMockDomRsrcCtx(), domainName, "policy1", zmsTestInitializer.getAuditRef(), policy1);
    Policy policy2 = zmsTestInitializer.createPolicyObject(domainName, "policy2");
    zmsTestInitializer.getZms().putPolicy(zmsTestInitializer.getMockDomRsrcCtx(), domainName, "policy2", zmsTestInitializer.getAuditRef(), policy2);
    AthenzDomain domain = zmsTestInitializer.getZms().getAthenzDomain(domainName, false);
    List<Policy> policies = zmsTestInitializer.getZms().setupPolicyList(domain, Boolean.FALSE, Boolean.FALSE);
    // need to account for the admin policy created with the domain
    assertEquals(3, policies.size());
    boolean policy1Check = false;
    boolean policy2Check = false;
    for (Policy policy : policies) {
        switch(policy.getName()) {
            case "setup-policy-without-assert:policy.policy1":
                assertNull(policy.getAssertions());
                policy1Check = true;
                break;
            case "setup-policy-without-assert:policy.policy2":
                assertNull(policy.getAssertions());
                policy2Check = true;
                break;
        }
    }
    assertTrue(policy1Check);
    assertTrue(policy2Check);
    zmsTestInitializer.getZms().deleteTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), domainName, zmsTestInitializer.getAuditRef());
}
Also used: AthenzDomain(com.yahoo.athenz.zms.store.AthenzDomain)

Aggregations

AthenzDomain (com.yahoo.athenz.zms.store.AthenzDomain) 104
Test (org.testng.annotations.Test) 28
Principal (com.yahoo.athenz.auth.Principal) 14
Authority (com.yahoo.athenz.auth.Authority) 13
MetricNotificationService (com.yahoo.athenz.common.server.notification.impl.MetricNotificationService) 13
ZMSNotificationManagerTest.getNotificationManager (com.yahoo.athenz.zms.notification.ZMSNotificationManagerTest.getNotificationManager) 13
DBService (com.yahoo.athenz.zms.DBService) 6
Role (com.yahoo.athenz.zms.Role) 6
RoleMember (com.yahoo.athenz.zms.RoleMember) 6
ObjectStore (com.yahoo.athenz.zms.store.ObjectStore) 3
ObjectStoreConnection (com.yahoo.athenz.zms.store.ObjectStoreConnection) 3
java.sql (java.sql) 3
SQLException (java.sql.SQLException) 2
AuthzDetailsEntity (com.yahoo.athenz.common.config.AuthzDetailsEntity) 1
DomainRoleMembersFetcher (com.yahoo.athenz.common.server.notification.DomainRoleMembersFetcher) 1
DataCache (com.yahoo.athenz.zms.DBService.DataCache) 1
Domain (com.yahoo.athenz.zms.Domain) 1
ResourceException (com.yahoo.athenz.zms.ResourceException) 1
JDBCConnection (com.yahoo.athenz.zms.store.jdbc.JDBCConnection) 1
Timestamp (com.yahoo.rdl.Timestamp) 1