use of com.yahoo.athenz.zms.store.ObjectStoreConnection in project athenz by yahoo.
the class DBService method executePutRoleReview.
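/**
 * Applies the outcome of a role review: members the reviewer marked inactive are
 * removed from the role, the remaining reviewed members have their expiry/reminder
 * dates extended, and the role's review (and, if anything changed, modification)
 * timestamps are updated. The whole operation is retried, starting from
 * {@code defaultRetryCount}, for as long as {@code shouldRetryOperation} allows.
 *
 * @param ctx request context; the acting principal is derived from it
 * @param domainName domain that owns the role
 * @param roleName role being reviewed
 * @param role incoming role object carrying the reviewed members
 * @param memberExpiryDueDays expiry due-day settings applied to extended members
 * @param memberReminderDueDays reminder due-day settings applied to extended members
 * @param auditRef audit reference supplied by the caller
 * @param caller API name used in error messages and the audit log
 * @throws ResourceException if audit requirements are not met, the role is unknown
 *         or delegated, or a member update is rejected by the store
 */
void executePutRoleReview(ResourceContext ctx, String domainName, String roleName, Role role,
        MemberDueDays memberExpiryDueDays, MemberDueDays memberReminderDueDays,
        String auditRef, String caller) {

    for (int retryCount = defaultRetryCount; ; retryCount--) {

        try (ObjectStoreConnection con = store.getConnection(false, true)) {

            final String principal = getPrincipalName(ctx);

            // first verify that auditing requirements are met
            checkDomainAuditEnabled(con, domainName, auditRef, caller, principal, AUDIT_TYPE_ROLE);

            // retrieve our original role; answer with a 404 rather than an NPE
            // if it does not exist (same handling as executePutMembership)
            Role originalRole = getRole(con, domainName, roleName, false, false, false);
            if (originalRole == null) {
                con.rollbackChanges();
                throw ZMSUtils.notFoundError(caller + ": Unknown role: " + roleName, caller);
            }

            // a delegated (trust) role has no members of its own to review
            final String trust = originalRole.getTrust();
            if (trust != null && !trust.isEmpty()) {
                con.rollbackChanges();
                throw ZMSUtils.requestError(caller + ": role " + roleName
                        + " is delegated. Review should happen on the trusted role. ", caller);
            }

            // now process the request. first we're going to make a copy of our role
            Role updatedRole = new Role().setName(originalRole.getName());

            // then we're going to apply the updated expiry and/or active status from the incoming role
            List<RoleMember> noActionMembers = applyMembershipChanges(updatedRole, originalRole, role,
                    memberExpiryDueDays, memberReminderDueDays, auditRef);

            List<RoleMember> deletedMembers = new ArrayList<>();
            List<RoleMember> extendedMembers = new ArrayList<>();

            // the audit record describes the stored role, not the incoming request
            StringBuilder auditDetails = new StringBuilder(ZMSConsts.STRING_BLDR_SIZE_DEFAULT);
            auditDetails.append("{\"name\": \"").append(roleName).append('\"')
                    .append(", \"selfServe\": ")
                    .append(auditLogBooleanDefault(originalRole.getSelfServe(), Boolean.TRUE))
                    .append(", \"auditEnabled\": ")
                    .append(auditLogBooleanDefault(originalRole.getAuditEnabled(), Boolean.TRUE));

            for (RoleMember member : updatedRole.getRoleMembers()) {

                // a null active flag counts as active; equals() rather than == so a
                // non-canonical Boolean instance cannot bypass the inactive check
                if (Boolean.FALSE.equals(member.getActive())) {
                    if (!con.deleteRoleMember(domainName, roleName, member.getMemberName(), principal, auditRef)) {
                        con.rollbackChanges();
                        throw ZMSUtils.notFoundError(caller + ": unable to delete role member: "
                                + member.getMemberName() + " from role: " + roleName, caller);
                    }
                    deletedMembers.add(member);
                } else {
                    if (!con.insertRoleMember(domainName, roleName, member, principal, auditRef)) {
                        con.rollbackChanges();
                        throw ZMSUtils.notFoundError(caller + ": unable to extend role member: "
                                + member.getMemberName() + " for the role: " + roleName, caller);
                    }
                    extendedMembers.add(member);
                }
            }

            // construct audit log details
            auditLogRoleMembers(auditDetails, "deleted-members", deletedMembers);
            auditLogRoleMembers(auditDetails, "extended-members", extendedMembers);
            auditLogRoleMembers(auditDetails, "no-action-members", noActionMembers);
            auditDetails.append("}");

            if (!deletedMembers.isEmpty() || !extendedMembers.isEmpty()) {
                // we have one or more changes to the role. We should update
                // both lastReviewed as well as modified timestamps
                con.updateRoleModTimestamp(domainName, roleName);
            }
            con.updateRoleReviewTimestamp(domainName, roleName);

            saveChanges(con, domainName);

            // audit log the request
            auditLogRequest(ctx, domainName, auditRef, caller, "REVIEW", roleName, auditDetails.toString());

            // add domain change event
            addDomainChangeMessage(ctx, domainName, roleName, DomainChangeMessage.ObjectType.ROLE);
            return;

        } catch (ResourceException ex) {
            if (!shouldRetryOperation(ex, retryCount)) {
                throw ex;
            }
        }
    }
}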
use of com.yahoo.athenz.zms.store.ObjectStoreConnection in project athenz by yahoo.
the class DBService method executePutMembership.
/**
 * Adds a single member to a role after the domain and role audit requirements,
 * the delegated-role restriction and the membership quota have been checked.
 * On success the role and domain modification timestamps are bumped, the cached
 * domain is invalidated, the request is audit-logged and a domain change event is
 * published. The operation is retried, starting from {@code defaultRetryCount},
 * while {@code shouldRetryOperation} allows.
 *
 * @param ctx request context; the acting principal is derived from it
 * @param domainName domain that owns the role
 * @param roleName role receiving the new member
 * @param roleMember member to insert
 * @param auditRef audit reference supplied by the caller
 * @param caller API name used in error messages and the audit log
 * @throws ResourceException if an audit check fails, the role is unknown or
 *         delegated, the quota is exceeded, or the store rejects the insert
 */
void executePutMembership(ResourceContext ctx, String domainName, String roleName,
        RoleMember roleMember, String auditRef, String caller) {

    int attemptsLeft = defaultRetryCount;
    while (true) {

        try (ObjectStoreConnection con = store.getConnection(true, true)) {

            final String principalName = getPrincipalName(ctx);

            // domain-level audit requirements come first
            checkDomainAuditEnabled(con, domainName, auditRef, caller, principalName, AUDIT_TYPE_ROLE);

            // the role must exist and satisfy its own audit requirements
            Role existingRole = con.getRole(domainName, roleName);
            if (existingRole == null) {
                con.rollbackChanges();
                throw ZMSUtils.notFoundError(caller + ": Unknown role: " + roleName, caller);
            }
            checkObjectAuditEnabled(con, existingRole.getAuditEnabled(), existingRole.getName(),
                    auditRef, caller, principalName);

            // delegated roles carry no members of their own
            if (isTrustRole(existingRole)) {
                con.rollbackChanges();
                throw ZMSUtils.requestError(caller + ": " + roleName + " is a delegated role", caller);
            }

            // enforce the membership quota before writing anything
            quotaCheck.checkRoleMembershipQuota(con, domainName, roleName, caller);

            boolean inserted = con.insertRoleMember(domainName, roleName, roleMember, principalName, auditRef);
            if (!inserted) {
                con.rollbackChanges();
                throw ZMSUtils.requestError(caller + ": unable to insert role member: "
                        + roleMember.getMemberName() + " to role: " + roleName, caller);
            }

            // bump role/domain timestamps and drop the cached domain
            con.updateRoleModTimestamp(domainName, roleName);
            con.updateDomainModTimestamp(domainName);
            cacheStore.invalidate(domainName);

            // audit log the request
            StringBuilder details = new StringBuilder(ZMSConsts.STRING_BLDR_SIZE_DEFAULT);
            auditLogRoleMember(details, roleMember, true);
            auditLogRequest(ctx, domainName, auditRef, caller, ZMSConsts.HTTP_PUT, roleName, details.toString());

            // publish the domain change event
            addDomainChangeMessage(ctx, domainName, roleName, DomainChangeMessage.ObjectType.ROLE);
            return;

        } catch (ResourceException ex) {
            if (!shouldRetryOperation(ex, attemptsLeft)) {
                throw ex;
            }
        }
        attemptsLeft--;
    }
}
use of com.yahoo.athenz.zms.store.ObjectStoreConnection in project athenz by yahoo.
the class DBService method executeDeleteDomain.
/**
 * Deletes a domain from the store once the domain audit requirements have been
 * verified, then commits, invalidates the cached domain, audit-logs the request and
 * publishes a domain change event. Retried, starting from {@code defaultRetryCount},
 * while {@code shouldRetryOperation} allows.
 *
 * @param ctx request context; the acting principal is derived from it
 * @param domainName domain to delete
 * @param auditRef audit reference supplied by the caller
 * @param caller API name used in error messages and the audit log
 * @throws ResourceException if the audit check fails or the store operation fails
 */
void executeDeleteDomain(ResourceContext ctx, String domainName, String auditRef, String caller) {

    int attemptsLeft = defaultRetryCount;
    while (true) {

        try (ObjectStoreConnection con = store.getConnection(false, true)) {

            // auditing requirements must be satisfied before any change
            final String principalName = getPrincipalName(ctx);
            checkDomainAuditEnabled(con, domainName, auditRef, caller, principalName, AUDIT_TYPE_DOMAIN);

            // remove the domain and make the change durable
            con.deleteDomain(domainName);
            con.commitChanges();
            cacheStore.invalidate(domainName);

            // audit log the request (no detail payload for a domain delete)
            auditLogRequest(ctx, domainName, auditRef, caller, ZMSConsts.HTTP_DELETE, domainName, null);

            // publish the domain change event
            addDomainChangeMessage(ctx, domainName, domainName, DomainChangeMessage.ObjectType.DOMAIN);
            return;

        } catch (ResourceException ex) {
            if (!shouldRetryOperation(ex, attemptsLeft)) {
                throw ex;
            }
        }
        attemptsLeft--;
    }
}
use of com.yahoo.athenz.zms.store.ObjectStoreConnection in project athenz by yahoo.
the class DBService method executePutGroupReview.
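/**
 * Applies the outcome of a group review: members the reviewer marked inactive are
 * removed from the group, the remaining reviewed members have their expiry dates
 * extended, and the group's review (and, if anything changed, modification)
 * timestamps are updated. The whole operation is retried, starting from
 * {@code defaultRetryCount}, for as long as {@code shouldRetryOperation} allows.
 *
 * @param ctx request context; the acting principal and the API name are taken from it
 * @param domainName domain that owns the group
 * @param groupName group being reviewed
 * @param group incoming group object carrying the reviewed members
 * @param memberExpiryDueDays expiry due-day settings applied to extended members
 * @param auditRef audit reference supplied by the caller
 * @throws ResourceException if audit requirements are not met, the group is unknown,
 *         or a member update is rejected by the store
 */
void executePutGroupReview(ResourceContext ctx, final String domainName, final String groupName,
        Group group, MemberDueDays memberExpiryDueDays, final String auditRef) {

    for (int retryCount = defaultRetryCount; ; retryCount--) {

        try (ObjectStoreConnection con = store.getConnection(false, true)) {

            final String principal = getPrincipalName(ctx);
            final String caller = ctx.getApiName();

            // first verify that auditing requirements are met
            checkDomainAuditEnabled(con, domainName, auditRef, caller, principal, AUDIT_TYPE_GROUP);

            // retrieve our original group; answer with a 404 rather than an NPE
            // if it does not exist (same handling as the unknown-role case in executePutMembership)
            Group originalGroup = getGroup(con, domainName, groupName, false, false);
            if (originalGroup == null) {
                con.rollbackChanges();
                throw ZMSUtils.notFoundError("Unknown group: " + groupName, caller);
            }

            // now process the request. first we're going to make a copy of our group
            Group updatedGroup = new Group().setName(originalGroup.getName());

            // then we're going to apply the updated expiry and/or active status from the incoming group
            List<GroupMember> noActionMembers = applyMembershipChangesGroup(updatedGroup, originalGroup, group,
                    memberExpiryDueDays, auditRef);

            List<GroupMember> deletedMembers = new ArrayList<>();
            List<GroupMember> extendedMembers = new ArrayList<>();

            // the audit record describes the stored group's flags, not whatever the
            // request happened to carry: a review only changes membership, and this
            // matches how executePutRoleReview logs the original role
            StringBuilder auditDetails = new StringBuilder(ZMSConsts.STRING_BLDR_SIZE_DEFAULT);
            auditDetails.append("{\"name\": \"").append(groupName).append('\"')
                    .append(", \"selfServe\": ")
                    .append(auditLogBooleanDefault(originalGroup.getSelfServe(), Boolean.TRUE))
                    .append(", \"auditEnabled\": ")
                    .append(auditLogBooleanDefault(originalGroup.getAuditEnabled(), Boolean.TRUE));

            for (GroupMember member : updatedGroup.getGroupMembers()) {

                // a null active flag counts as active; equals() rather than == so a
                // non-canonical Boolean instance cannot bypass the inactive check
                if (Boolean.FALSE.equals(member.getActive())) {
                    if (!con.deleteGroupMember(domainName, groupName, member.getMemberName(), principal, auditRef)) {
                        con.rollbackChanges();
                        throw ZMSUtils.notFoundError("unable to delete group member: "
                                + member.getMemberName() + " from group: " + groupName, caller);
                    }
                    deletedMembers.add(member);
                } else {
                    if (!con.insertGroupMember(domainName, groupName, member, principal, auditRef)) {
                        con.rollbackChanges();
                        throw ZMSUtils.notFoundError("unable to extend group member: "
                                + member.getMemberName() + " for the group: " + groupName, caller);
                    }
                    extendedMembers.add(member);
                }
            }

            // construct audit log details
            auditLogGroupMembers(auditDetails, "deleted-members", deletedMembers);
            auditLogGroupMembers(auditDetails, "extended-members", extendedMembers);
            auditLogGroupMembers(auditDetails, "no-action-members", noActionMembers);
            auditDetails.append("}");

            if (!deletedMembers.isEmpty() || !extendedMembers.isEmpty()) {
                // we have one or more changes to the group. We should update
                // both lastReviewed as well as modified timestamps
                con.updateGroupModTimestamp(domainName, groupName);
            }
            con.updateGroupReviewTimestamp(domainName, groupName);

            saveChanges(con, domainName);

            // audit log the request
            auditLogRequest(ctx, domainName, auditRef, caller, "REVIEW", groupName, auditDetails.toString());

            // add domain change event
            addDomainChangeMessage(ctx, domainName, groupName, DomainChangeMessage.ObjectType.GROUP);
            return;

        } catch (ResourceException ex) {
            if (!shouldRetryOperation(ex, retryCount)) {
                throw ex;
            }
        }
    }
}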
use of com.yahoo.athenz.zms.store.ObjectStoreConnection in project athenz by yahoo.
the class DBService method processExpiredPendingGroupMembers.
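/**
 * Auto-rejects pending group memberships that have been waiting for approval
 * longer than {@code pendingGroupMemberLifespan}. The expired entries are
 * collected on a read-only connection; each pending member is then deleted on
 * its own connection and, if the delete reports success, audit-logged as a
 * REJECT performed by {@code monitorIdentity}.
 *
 * @param pendingGroupMemberLifespan maximum age passed to the store when selecting
 *        expired pending members (units are defined by the store implementation)
 * @param monitorIdentity principal recorded as the actor in the store and the audit log
 */
public void processExpiredPendingGroupMembers(int pendingGroupMemberLifespan, final String monitorIdentity) {

    final String auditRef = "Expired - auto reject";
    final String caller = "processExpiredPendingGroupMembers";

    // read-only connection just to collect the expired entries, keyed by domain
    Map<String, List<DomainGroupMember>> memberList;
    try (ObjectStoreConnection con = store.getConnection(true, false)) {
        memberList = con.getExpiredPendingDomainGroupMembers(pendingGroupMemberLifespan);
    }

    // nothing to do (or a store that signals "none" with null)
    if (memberList == null || memberList.isEmpty()) {
        return;
    }

    for (Map.Entry<String, List<DomainGroupMember>> entry : memberList.entrySet()) {

        final String domainName = entry.getKey();
        for (DomainGroupMember domainGroupMember : entry.getValue()) {

            final String principalName = domainGroupMember.getMemberName();
            for (GroupMember groupMember : domainGroupMember.getMemberGroups()) {

                // one connection per deletion, as before; only a successful delete is audited
                try (ObjectStoreConnection con = store.getConnection(true, true)) {
                    if (con.deletePendingGroupMember(domainName, groupMember.getGroupName(),
                            principalName, monitorIdentity, auditRef)) {

                        // NOTE(review): principalName is embedded in the JSON detail string
                        // without escaping; this relies on member names being validated
                        // upstream so they cannot contain quotes — confirm against the callers
                        auditLogRequest(monitorIdentity, domainName, auditRef, caller, "REJECT",
                                groupMember.getGroupName(), "{\"member\": \"" + principalName + "\"}");
                    }
                }
            }
        }
    }
}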