Examples with AthenzDomain com.yahoo.athenz.zms.store.AthenzDomain used on opensource projects

Example 36 with AthenzDomain

use of com.yahoo.athenz.zms.store.AthenzDomain in project athenz by yahoo.

the class ZMSImpl method isAllowedSystemMetaDelete.

boolean isAllowedSystemMetaDelete(Principal principal, final String reqDomain, final String attribute, final String objectType) {
    // the authorization policy resides in official sys.auth domain
    AthenzDomain domain = getAthenzDomain(SYS_AUTH, true);
    // evaluate our domain's roles and policies to see if access
    // is allowed or not for the given operation and resource
    // our action are always converted to lowercase
    String resource = SYS_AUTH + ":meta." + objectType + "." + attribute + "." + reqDomain;
    AccessStatus accessStatus = evaluateAccess(domain, principal.getFullName(), "delete", resource, null, null, principal);
    return accessStatus == AccessStatus.ALLOWED;
}

Example 37 with AthenzDomain

use of com.yahoo.athenz.zms.store.AthenzDomain in project athenz by yahoo.

the class ZMSImpl method isAllowedDeletePendingMembership.

boolean isAllowedDeletePendingMembership(Principal principal, final String domainName, final String roleName, final String memberName) {
    // first lets check if the principal has update access on the role
    AthenzDomain domain = getAthenzDomain(domainName, false);
    if (domain == null) {
        throw ZMSUtils.notFoundError("Domain not found: " + domainName, "deletePendingMembership");
    }
    if (isAllowedPutMembershipAccess(principal, domain, ResourceUtils.roleResourceName(domainName, roleName))) {
        return true;
    }
    // check of the requestor of the pending request is the principal
    Membership pendingMember = dbService.getMembership(domainName, roleName, memberName, 0, true);
    return pendingMember != null && principal.getFullName().equals(pendingMember.getRequestPrincipal());
}

Example 38 with AthenzDomain

use of com.yahoo.athenz.zms.store.AthenzDomain in project athenz by yahoo.

the class ZMSImpl method getJWSDomain.

@Override
public Response getJWSDomain(ResourceContext ctx, String domainName, Boolean signatureP1363Format, String matchingTag) {
    final String caller = ctx.getApiName();
    logPrincipal(ctx);
    validateRequest(ctx.request(), caller);
    validate(domainName, TYPE_DOMAIN_NAME, caller);
    // for consistent handling of all requests, we're going to convert
    // all incoming object values into lower case (e.g. domain, role,
    // policy, service, etc name)
    domainName = domainName.toLowerCase();
    setRequestDomain(ctx, domainName);
    long timestamp = getModTimestamp(matchingTag);
    AthenzDomain athenzDomain = getAthenzDomain(domainName, true, false);
    if (athenzDomain == null) {
        throw ZMSUtils.notFoundError("No such domain: " + domainName, caller);
    }
    long domainModTime = athenzDomain.getDomain().getModified().millis();
    EntityTag eTag = new EntityTag(athenzDomain.getDomain().getModified().toString());
    if (timestamp != 0 && domainModTime <= timestamp) {
        return Response.status(ResourceException.NOT_MODIFIED).header("ETag", eTag.toString()).build();
    }
    return Response.status(ResourceException.OK).entity(generateJWSDomain(athenzDomain, signatureP1363Format)).header("ETag", eTag.toString()).build();
}

Example 39 with AthenzDomain

use of com.yahoo.athenz.zms.store.AthenzDomain in project athenz by yahoo.

the class ZMSImplTest method testIsAllowedPutMembershipAccess.

@Test
public void testIsAllowedPutMembershipAccess() {
    TopLevelDomain dom1 = zmsTestInitializer.createTopLevelDomainObject("testdomain1", "Role Test Domain1", "testOrg", "user.user1");
    zmsTestInitializer.getZms().postTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), zmsTestInitializer.getAuditRef(), dom1);
    Role role1 = zmsTestInitializer.createRoleObject("testdomain1", "testrole1", null, "user.user1", "user.jane");
    zmsTestInitializer.getZms().putRole(zmsTestInitializer.getMockDomRsrcCtx(), "testdomain1", "testrole1", zmsTestInitializer.getAuditRef(), role1);
    AthenzDomain domain = zmsTestInitializer.getZms().getAthenzDomain("testdomain1", false);
    Role role = zmsTestInitializer.getZms().getRoleFromDomain("testrole1", domain);
    assertTrue(zmsTestInitializer.getZms().isAllowedPutMembershipAccess(zmsTestInitializer.getMockDomRestRsrcCtx().principal(), domain, role.getName()));
    Authority principalAuthority = new com.yahoo.athenz.common.server.debug.DebugPrincipalAuthority();
    String unsignedCreds = "v=U1;d=user;n=john";
    final Principal rsrcPrince = SimplePrincipal.create("user", "john", unsignedCreds + ";s=signature", 0, principalAuthority);
    assertNotNull(rsrcPrince);
    ((SimplePrincipal) rsrcPrince).setUnsignedCreds(unsignedCreds);
    // some random user does not have access
    assertFalse(zmsTestInitializer.getZms().isAllowedPutMembershipAccess(rsrcPrince, domain, role.getName()));
    zmsTestInitializer.getZms().deleteTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), "testdomain1", zmsTestInitializer.getAuditRef());
}

Example 40 with AthenzDomain

use of com.yahoo.athenz.zms.store.AthenzDomain in project athenz by yahoo.

the class ZMSImplTest method testSetupPolicyListWithOutAssertions.

@Test
public void testSetupPolicyListWithOutAssertions() {
    final String domainName = "setup-policy-without-assert";
    TopLevelDomain dom1 = zmsTestInitializer.createTopLevelDomainObject(domainName, "Test Domain1", "testOrg", zmsTestInitializer.getAdminUser());
    zmsTestInitializer.getZms().postTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), zmsTestInitializer.getAuditRef(), dom1);
    Policy policy1 = zmsTestInitializer.createPolicyObject(domainName, "policy1");
    zmsTestInitializer.getZms().putPolicy(zmsTestInitializer.getMockDomRsrcCtx(), domainName, "policy1", zmsTestInitializer.getAuditRef(), policy1);
    Policy policy2 = zmsTestInitializer.createPolicyObject(domainName, "policy2");
    zmsTestInitializer.getZms().putPolicy(zmsTestInitializer.getMockDomRsrcCtx(), domainName, "policy2", zmsTestInitializer.getAuditRef(), policy2);
    AthenzDomain domain = zmsTestInitializer.getZms().getAthenzDomain(domainName, false);
    List<Policy> policies = zmsTestInitializer.getZms().setupPolicyList(domain, Boolean.FALSE, Boolean.FALSE);
    // need to account for admin policy
    assertEquals(3, policies.size());
    boolean policy1Check = false;
    boolean policy2Check = false;
    for (Policy policy : policies) {
        switch(policy.getName()) {
            case "setup-policy-without-assert:policy.policy1":
                assertNull(policy.getAssertions());
                policy1Check = true;
                break;
            case "setup-policy-without-assert:policy.policy2":
                assertNull(policy.getAssertions());
                policy2Check = true;
                break;
        }
    }
    assertTrue(policy1Check);
    assertTrue(policy2Check);
    zmsTestInitializer.getZms().deleteTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), domainName, zmsTestInitializer.getAuditRef());
}