
Example 41 with AthenzDomain

use of com.yahoo.athenz.zms.store.AthenzDomain in project athenz by yahoo.

From the class ZMSImplTest, method testRetrieveAccessDomainPrincialNullDomain.

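/**
 * Expects {@code retrieveAccessDomain("user.user1", principal)} to return null while the
 * virtual-domain switch is enabled.
 *
 * {@code ZMS_PROP_VIRTUAL_DOMAIN} is a JVM-wide system property, so it is cleared in a
 * {@code finally} block: the original sequence only cleared it after the assertion, which
 * meant a failing assertion left virtual domains enabled for every test that ran afterwards.
 */
@Test
public void testRetrieveAccessDomainPrincialNullDomain() {
    System.setProperty(ZMSConsts.ZMS_PROP_VIRTUAL_DOMAIN, "true");
    try {
        ZMSImpl zmsTest = zmsTestInitializer.zmsInit();
        Authority principalAuthority = new com.yahoo.athenz.common.server.debug.DebugPrincipalAuthority();
        Principal principal = SimplePrincipal.create("user1", "v=U1;d=user;n=user1;s=signature", principalAuthority);
        AthenzDomain athenzDomain = zmsTest.retrieveAccessDomain("user.user1", principal);
        assertNull(athenzDomain);
    } finally {
        // unconditional reset so the property cannot leak into later tests on failure
        System.clearProperty(ZMSConsts.ZMS_PROP_VIRTUAL_DOMAIN);
    }
}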

Example 42 with AthenzDomain

use of com.yahoo.athenz.zms.store.AthenzDomain in project athenz by yahoo.

From the class ZMSImplTest, method testVirtualHomeDomain.

/**
 * Checks the shape of the virtual home domain built for {@code user.user1}: the domain
 * must carry an admin role whose only member is that user, and an admin policy.
 */
@Test
public void testVirtualHomeDomain() {
    Authority principalAuthority = new com.yahoo.athenz.common.server.debug.DebugPrincipalAuthority();
    Principal principal = SimplePrincipal.create("user", "user1", "v=U1;d=user;n=user1;s=signature", 0, principalAuthority);
    AthenzDomain homeDomain = zmsTestInitializer.getZms().virtualHomeDomain(principal, "user.user1");
    assertNotNull(homeDomain);

    // the admin role must exist and contain exactly the owning user
    List<Role> roles = homeDomain.getRoles();
    assertNotNull(roles);
    Role adminRole = roles.stream()
            .filter(r -> r.getName().equals("user.user1:role.admin"))
            .findFirst()
            .orElse(null);
    assertNotNull(adminRole);
    List<RoleMember> adminMembers = adminRole.getRoleMembers();
    assertEquals(adminMembers.size(), 1);
    assertEquals(adminMembers.get(0).getMemberName(), "user.user1");

    // the admin policy only needs to be present
    List<Policy> policies = homeDomain.getPolicies();
    assertNotNull(policies);
    Policy adminPolicy = policies.stream()
            .filter(p -> p.getName().equals("user.user1:policy.admin"))
            .findFirst()
            .orElse(null);
    assertNotNull(adminPolicy);
}

Example 43 with AthenzDomain

use of com.yahoo.athenz.zms.store.AthenzDomain in project athenz by yahoo.

From the class ZMSImplTest, method testEvaluateAccessMtlsRestricted.

/**
 * An mTLS-restricted principal must be denied even though the role/policy pair grants the
 * action: the identical {@code evaluateAccess} call answers ALLOWED before
 * {@code setMtlsRestricted(true)} and DENIED afterwards.
 */
@Test
public void testEvaluateAccessMtlsRestricted() {
    // in-memory domain: role1 holds user.user1, policy1 lets role1 read coretech:*
    AthenzDomain coretech = new AthenzDomain("coretech");
    coretech.getRoles().add(zmsTestInitializer.createRoleObject("coretech", "role1", null, "user.user1", null));

    Assertion readAll = new Assertion();
    readAll.setRole("coretech:role.role1");
    readAll.setResource("coretech:*");
    readAll.setAction("read");
    readAll.setEffect(AssertionEffect.ALLOW);
    List<Assertion> assertions = new ArrayList<>();
    assertions.add(readAll);
    Policy policy1 = new Policy().setName("coretech:policy.policy1");
    policy1.setAssertions(assertions);
    coretech.getPolicies().add(policy1);

    // certificate-authenticated principal used as the requesting identity
    final String unsignedCreds = "v=U1;d=user;n=user2";
    Authority certificateAuthority = new CertificateAuthority();
    final Principal requester = SimplePrincipal.create("user", "user2", unsignedCreds + ";s=signature", 0, certificateAuthority);
    assertNotNull(requester);

    AccessStatus before = zmsTestInitializer.getZms().evaluateAccess(coretech, "user.user1", "read", "coretech:resource1", null, null, requester);
    assertEquals(before, AccessStatus.ALLOWED);

    // the same request is refused once the principal is flagged as mTLS-restricted
    ((SimplePrincipal) requester).setMtlsRestricted(true);
    AccessStatus after = zmsTestInitializer.getZms().evaluateAccess(coretech, "user.user1", "read", "coretech:resource1", null, null, requester);
    assertEquals(after, AccessStatus.DENIED);
}

Example 44 with AthenzDomain

use of com.yahoo.athenz.zms.store.AthenzDomain in project athenz by yahoo.

From the class ZMSImplTest, method testSetupServiceListWithKeysHosts.

/**
 * {@code setupServiceIdentityList} asked for keys and hosts must return both registered
 * services with executable, user, public keys and the single host each one was created with.
 */
@Test
public void testSetupServiceListWithKeysHosts() {
    final String domainName = "setup-service-keys-hosts";
    TopLevelDomain dom1 = zmsTestInitializer.createTopLevelDomainObject(domainName, "Test Domain1", "testOrg", zmsTestInitializer.getAdminUser());
    zmsTestInitializer.getZms().postTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), zmsTestInitializer.getAuditRef(), dom1);

    ServiceIdentity service1 = zmsTestInitializer.createServiceObject(domainName, "service1", "http://localhost", "/usr/bin/java", "root", "users", "host1");
    zmsTestInitializer.getZms().putServiceIdentity(zmsTestInitializer.getMockDomRsrcCtx(), domainName, "service1", zmsTestInitializer.getAuditRef(), service1);
    ServiceIdentity service2 = zmsTestInitializer.createServiceObject(domainName, "service2", "http://localhost", "/usr/bin/java", "yahoo", "users", "host2");
    zmsTestInitializer.getZms().putServiceIdentity(zmsTestInitializer.getMockDomRsrcCtx(), domainName, "service2", zmsTestInitializer.getAuditRef(), service2);

    AthenzDomain domain = zmsTestInitializer.getZms().getAthenzDomain(domainName, false);
    List<ServiceIdentity> services = zmsTestInitializer.getZms().setupServiceIdentityList(domain, Boolean.TRUE, Boolean.TRUE);
    assertEquals(2, services.size());

    boolean sawService1 = false;
    boolean sawService2 = false;
    for (ServiceIdentity service : services) {
        String name = service.getName();
        if (name.equals("setup-service-keys-hosts.service1")) {
            assertServiceKeysAndHost(service, "root", "host1");
            sawService1 = true;
        } else if (name.equals("setup-service-keys-hosts.service2")) {
            assertServiceKeysAndHost(service, "yahoo", "host2");
            sawService2 = true;
        }
    }
    assertTrue(sawService1);
    assertTrue(sawService2);

    zmsTestInitializer.getZms().deleteTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), domainName, zmsTestInitializer.getAuditRef());
}

/**
 * Asserts the layout shared by both services in testSetupServiceListWithKeysHosts:
 * fixed executable, two public keys and exactly one host.
 */
private static void assertServiceKeysAndHost(ServiceIdentity service, String expectedUser, String expectedHost) {
    assertEquals(service.getExecutable(), "/usr/bin/java");
    assertEquals(service.getUser(), expectedUser);
    assertEquals(service.getPublicKeys().size(), 2);
    assertEquals(service.getHosts().size(), 1);
    assertEquals(service.getHosts().get(0), expectedHost);
}

Example 45 with AthenzDomain

use of com.yahoo.athenz.zms.store.AthenzDomain in project athenz by yahoo.

From the class ZMSImplTest, method testIsAllowedPutRoleMetaAccess.

/**
 * Exercises {@code isAllowedPutRoleMetaAccess} for role testdomain1:role.testrole1:
 * the domain admin is allowed; an unrelated user is denied; a policy granting that user an
 * action other than {@code update}/{@code update_meta} still denies; a policy granting
 * {@code update_meta}, and then one granting {@code update}, each allow.
 */
@Test
public void testIsAllowedPutRoleMetaAccess() {
    TopLevelDomain dom1 = zmsTestInitializer.createTopLevelDomainObject("testdomain1", "Role Test Domain1", "testOrg", "user.user1");
    zmsTestInitializer.getZms().postTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), zmsTestInitializer.getAuditRef(), dom1);
    Role role1 = zmsTestInitializer.createRoleObject("testdomain1", "testrole1", null, "user.user1", "user.john");
    zmsTestInitializer.getZms().putRole(zmsTestInitializer.getMockDomRsrcCtx(), "testdomain1", "testrole1", zmsTestInitializer.getAuditRef(), role1);

    AthenzDomain domain = zmsTestInitializer.getZms().getAthenzDomain("testdomain1", false);
    Role role = zmsTestInitializer.getZms().getRoleFromDomain("testrole1", domain);
    final String roleName = role.getName();

    // the domain admin from the mock request context is allowed
    assertTrue(zmsTestInitializer.getZms().isAllowedPutRoleMetaAccess(zmsTestInitializer.getMockDomRestRsrcCtx().principal(), domain, roleName));

    // user.john has no grant yet, so access is refused
    Authority principalAuthority = new com.yahoo.athenz.common.server.debug.DebugPrincipalAuthority();
    final String unsignedCreds = "v=U1;d=user;n=john";
    final Principal john = SimplePrincipal.create("user", "john", unsignedCreds + ";s=signature", 0, principalAuthority);
    assertNotNull(john);
    ((SimplePrincipal) john).setUnsignedCreds(unsignedCreds);
    assertFalse(zmsTestInitializer.getZms().isAllowedPutRoleMetaAccess(john, domain, roleName));

    // an action other than "update" / "update_meta" does not help
    domain = putUpdateMetaPolicyAndReload(domain, "update_somethingelse", roleName);
    assertFalse(zmsTestInitializer.getZms().isAllowedPutRoleMetaAccess(john, domain, roleName));

    // "update_meta" grants access
    domain = putUpdateMetaPolicyAndReload(domain, "update_meta", roleName);
    assertTrue(zmsTestInitializer.getZms().isAllowedPutRoleMetaAccess(john, domain, roleName));

    // and so does the broader "update"
    domain = putUpdateMetaPolicyAndReload(domain, "update", roleName);
    assertTrue(zmsTestInitializer.getZms().isAllowedPutRoleMetaAccess(john, domain, roleName));

    zmsTestInitializer.getZms().deleteTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), "testdomain1", zmsTestInitializer.getAuditRef());
}

/**
 * Replaces policy "testupdatemta" in the given domain with one ALLOW assertion for
 * {@code action} on {@code roleResource} (role testrole1) and returns the freshly
 * reloaded testdomain1.
 */
private AthenzDomain putUpdateMetaPolicyAndReload(AthenzDomain domain, String action, String roleResource) {
    Policy policy = zmsTestInitializer.createPolicyObject(domain.getName(), "testupdatemta", "testrole1", action, roleResource, AssertionEffect.ALLOW);
    zmsTestInitializer.getZms().putPolicy(zmsTestInitializer.getMockDomRsrcCtx(), domain.getName(), "testupdatemta", zmsTestInitializer.getAuditRef(), policy);
    return zmsTestInitializer.getZms().getAthenzDomain("testdomain1", false);
}
