Use of com.yahoo.athenz.zms.store.AthenzDomain in the project athenz by yahoo.
Class ZMSImplTest, method testRetrieveAccessDomainPrincialNullDomain.
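@Test
public void testRetrieveAccessDomainPrincialNullDomain() {
    // With ZMS_PROP_VIRTUAL_DOMAIN set to "true", retrieveAccessDomain for the
    // home domain "user.user1" of a principal with no stored domain is expected
    // to return null (the caller then has no domain to authorize against).
    System.setProperty(ZMSConsts.ZMS_PROP_VIRTUAL_DOMAIN, "true");
    try {
        ZMSImpl zmsTest = zmsTestInitializer.zmsInit();
        Authority principalAuthority = new com.yahoo.athenz.common.server.debug.DebugPrincipalAuthority();
        Principal principal = SimplePrincipal.create("user1", "v=U1;d=user;n=user1;s=signature", principalAuthority);
        AthenzDomain athenzDomain = zmsTest.retrieveAccessDomain("user.user1", principal);
        assertNull(athenzDomain);
    } finally {
        // Restore the property even when the assertion fails; otherwise the
        // virtual-domain setting leaks into every test that runs afterwards.
        System.clearProperty(ZMSConsts.ZMS_PROP_VIRTUAL_DOMAIN);
    }
}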
Use of com.yahoo.athenz.zms.store.AthenzDomain in the project athenz by yahoo.
Class ZMSImplTest, method testVirtualHomeDomain.
@Test
public void testVirtualHomeDomain() {
    // Builds the virtual home domain for user.user1 and checks that it carries
    // the admin role (with the user as its only member) and the admin policy.
    Authority authority = new com.yahoo.athenz.common.server.debug.DebugPrincipalAuthority();
    Principal principal = SimplePrincipal.create("user", "user1", "v=U1;d=user;n=user1;s=signature", 0, authority);

    AthenzDomain homeDomain = zmsTestInitializer.getZms().virtualHomeDomain(principal, "user.user1");
    assertNotNull(homeDomain);

    // The admin role must exist and must contain exactly the requesting user.
    List<Role> roles = homeDomain.getRoles();
    assertNotNull(roles);
    Role adminRole = roles.stream()
            .filter(r -> r.getName().equals("user.user1:role.admin"))
            .findFirst()
            .orElse(null);
    assertNotNull(adminRole);

    List<RoleMember> members = adminRole.getRoleMembers();
    assertEquals(members.size(), 1);
    assertEquals(members.get(0).getMemberName(), "user.user1");

    // The matching admin policy must be present as well.
    List<Policy> policies = homeDomain.getPolicies();
    assertNotNull(policies);
    Policy adminPolicy = policies.stream()
            .filter(p -> p.getName().equals("user.user1:policy.admin"))
            .findFirst()
            .orElse(null);
    assertNotNull(adminPolicy);
}
Use of com.yahoo.athenz.zms.store.AthenzDomain in the project athenz by yahoo.
Class ZMSImplTest, method testEvaluateAccessMtlsRestricted.
@Test
public void testEvaluateAccessMtlsRestricted() {
    // In-memory domain "coretech": role1 holds user.user1, and policy1 grants
    // that role "read" on every coretech resource.
    AthenzDomain domain = new AthenzDomain("coretech");
    Role role1 = zmsTestInitializer.createRoleObject("coretech", "role1", null, "user.user1", null);
    domain.getRoles().add(role1);

    Assertion readAssertion = new Assertion()
            .setAction("read")
            .setEffect(AssertionEffect.ALLOW)
            .setResource("coretech:*")
            .setRole("coretech:role.role1");
    List<Assertion> assertions = new ArrayList<>();
    assertions.add(readAssertion);
    Policy policy1 = new Policy().setName("coretech:policy.policy1").setAssertions(assertions);
    domain.getPolicies().add(policy1);

    // Certificate-authenticated principal that is the caller of the access check.
    Authority certificateAuthority = new CertificateAuthority();
    String unsignedCreds = "v=U1;d=user;n=user2";
    final Principal caller = SimplePrincipal.create("user", "user2", unsignedCreds + ";s=signature", 0, certificateAuthority);
    assertNotNull(caller);

    ZMSImpl zms = zmsTestInitializer.getZms();
    AccessStatus before = zms.evaluateAccess(domain, "user.user1", "read", "coretech:resource1", null, null, caller);
    assertEquals(before, AccessStatus.ALLOWED);

    // The same policy must evaluate to DENIED once the caller is flagged as
    // mTLS-restricted: the restriction overrides an otherwise matching ALLOW.
    ((SimplePrincipal) caller).setMtlsRestricted(true);
    AccessStatus after = zms.evaluateAccess(domain, "user.user1", "read", "coretech:resource1", null, null, caller);
    assertEquals(after, AccessStatus.DENIED);
}
Use of com.yahoo.athenz.zms.store.AthenzDomain in the project athenz by yahoo.
Class ZMSImplTest, method testSetupServiceListWithKeysHosts.
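@Test
public void testSetupServiceListWithKeysHosts() {
    // Registers two services in a fresh top-level domain and checks that
    // setupServiceIdentityList(domain, keys=true, hosts=true) returns both
    // with their public keys and hosts populated.
    final String domainName = "setup-service-keys-hosts";
    TopLevelDomain dom1 = zmsTestInitializer.createTopLevelDomainObject(domainName, "Test Domain1", "testOrg", zmsTestInitializer.getAdminUser());
    zmsTestInitializer.getZms().postTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), zmsTestInitializer.getAuditRef(), dom1);
    try {
        ServiceIdentity service1 = zmsTestInitializer.createServiceObject(domainName, "service1", "http://localhost", "/usr/bin/java", "root", "users", "host1");
        zmsTestInitializer.getZms().putServiceIdentity(zmsTestInitializer.getMockDomRsrcCtx(), domainName, "service1", zmsTestInitializer.getAuditRef(), service1);
        ServiceIdentity service2 = zmsTestInitializer.createServiceObject(domainName, "service2", "http://localhost", "/usr/bin/java", "yahoo", "users", "host2");
        zmsTestInitializer.getZms().putServiceIdentity(zmsTestInitializer.getMockDomRsrcCtx(), domainName, "service2", zmsTestInitializer.getAuditRef(), service2);

        AthenzDomain domain = zmsTestInitializer.getZms().getAthenzDomain(domainName, false);
        List<ServiceIdentity> services = zmsTestInitializer.getZms().setupServiceIdentityList(domain, Boolean.TRUE, Boolean.TRUE);
        // TestNG argument order is (actual, expected), as in the other assertions here.
        assertEquals(services.size(), 2);

        boolean service1Check = false;
        boolean service2Check = false;
        for (ServiceIdentity service : services) {
            switch (service.getName()) {
                case "setup-service-keys-hosts.service1":
                    assertEquals(service.getExecutable(), "/usr/bin/java");
                    assertEquals(service.getUser(), "root");
                    assertEquals(service.getPublicKeys().size(), 2);
                    assertEquals(service.getHosts().size(), 1);
                    assertEquals(service.getHosts().get(0), "host1");
                    service1Check = true;
                    break;
                case "setup-service-keys-hosts.service2":
                    assertEquals(service.getExecutable(), "/usr/bin/java");
                    assertEquals(service.getUser(), "yahoo");
                    assertEquals(service.getPublicKeys().size(), 2);
                    assertEquals(service.getHosts().size(), 1);
                    assertEquals(service.getHosts().get(0), "host2");
                    service2Check = true;
                    break;
                default:
                    // An unexpected entry is a failure in its own right, not something
                    // to silently skip over; report which name showed up.
                    throw new AssertionError("unexpected service in list: " + service.getName());
            }
        }
        assertTrue(service1Check);
        assertTrue(service2Check);
    } finally {
        // Remove the domain even if an assertion above fails, so a failure here
        // does not leave the domain behind for later tests in this class.
        zmsTestInitializer.getZms().deleteTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), domainName, zmsTestInitializer.getAuditRef());
    }
}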
Use of com.yahoo.athenz.zms.store.AthenzDomain in the project athenz by yahoo.
Class ZMSImplTest, method testIsAllowedPutRoleMetaAccess.
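@Test
public void testIsAllowedPutRoleMetaAccess() {
    // Exercises isAllowedPutRoleMetaAccess: the domain admin is allowed, an
    // unrelated user is denied until a policy grants "update_meta" (or "update")
    // on the role, and an unrelated action does not grant access.
    final String domainName = "testdomain1";
    TopLevelDomain dom1 = zmsTestInitializer.createTopLevelDomainObject(domainName, "Role Test Domain1", "testOrg", "user.user1");
    zmsTestInitializer.getZms().postTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), zmsTestInitializer.getAuditRef(), dom1);
    try {
        Role role1 = zmsTestInitializer.createRoleObject(domainName, "testrole1", null, "user.user1", "user.john");
        zmsTestInitializer.getZms().putRole(zmsTestInitializer.getMockDomRsrcCtx(), domainName, "testrole1", zmsTestInitializer.getAuditRef(), role1);

        AthenzDomain domain = zmsTestInitializer.getZms().getAthenzDomain(domainName, false);
        Role role = zmsTestInitializer.getZms().getRoleFromDomain("testrole1", domain);
        // The mock context principal is the domain admin and is allowed.
        assertTrue(zmsTestInitializer.getZms().isAllowedPutRoleMetaAccess(zmsTestInitializer.getMockDomRestRsrcCtx().principal(), domain, role.getName()));

        Authority principalAuthority = new com.yahoo.athenz.common.server.debug.DebugPrincipalAuthority();
        String unsignedCreds = "v=U1;d=user;n=john";
        final Principal rsrcPrince = SimplePrincipal.create("user", "john", unsignedCreds + ";s=signature", 0, principalAuthority);
        assertNotNull(rsrcPrince);
        ((SimplePrincipal) rsrcPrince).setUnsignedCreds(unsignedCreds);

        // Being a member of the role is not enough: with no policy, the user is denied.
        assertFalse(zmsTestInitializer.getZms().isAllowedPutRoleMetaAccess(rsrcPrince, domain, role.getName()));

        // A policy granting an action other than "update"/"update_meta" must still deny.
        Policy policy = zmsTestInitializer.createPolicyObject(domain.getName(), "testupdatemta", "testrole1", "update_somethingelse", role.getName(), AssertionEffect.ALLOW);
        zmsTestInitializer.getZms().putPolicy(zmsTestInitializer.getMockDomRsrcCtx(), domain.getName(), "testupdatemta", zmsTestInitializer.getAuditRef(), policy);
        domain = zmsTestInitializer.getZms().getAthenzDomain(domainName, false);
        assertFalse(zmsTestInitializer.getZms().isAllowedPutRoleMetaAccess(rsrcPrince, domain, role.getName()));

        // "update_meta" is the action the check looks for; now the user is allowed.
        policy = zmsTestInitializer.createPolicyObject(domain.getName(), "testupdatemta", "testrole1", "update_meta", role.getName(), AssertionEffect.ALLOW);
        zmsTestInitializer.getZms().putPolicy(zmsTestInitializer.getMockDomRsrcCtx(), domain.getName(), "testupdatemta", zmsTestInitializer.getAuditRef(), policy);
        domain = zmsTestInitializer.getZms().getAthenzDomain(domainName, false);
        assertTrue(zmsTestInitializer.getZms().isAllowedPutRoleMetaAccess(rsrcPrince, domain, role.getName()));

        // The broader "update" action grants the same access.
        policy = zmsTestInitializer.createPolicyObject(domain.getName(), "testupdatemta", "testrole1", "update", role.getName(), AssertionEffect.ALLOW);
        zmsTestInitializer.getZms().putPolicy(zmsTestInitializer.getMockDomRsrcCtx(), domain.getName(), "testupdatemta", zmsTestInitializer.getAuditRef(), policy);
        domain = zmsTestInitializer.getZms().getAthenzDomain(domainName, false);
        assertTrue(zmsTestInitializer.getZms().isAllowedPutRoleMetaAccess(rsrcPrince, domain, role.getName()));
    } finally {
        // Clean up regardless of assertion outcome so a failed run does not leave
        // "testdomain1" (and its policy) in place for subsequent tests.
        zmsTestInitializer.getZms().deleteTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), domainName, zmsTestInitializer.getAuditRef());
    }
}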