Example 61 with ObjectStoreConnection
use of com.yahoo.athenz.zms.store.ObjectStoreConnection in project athenz by yahoo.
the class DBService method executePutRoleReview.
void executePutRoleReview(ResourceContext ctx, String domainName, String roleName, Role role, MemberDueDays memberExpiryDueDays, MemberDueDays memberReminderDueDays, String auditRef, String caller) {
for (int retryCount = defaultRetryCount; ; retryCount--) {
try (ObjectStoreConnection con = store.getConnection(false, true)) {
final String principal = getPrincipalName(ctx);
// first verify that auditing requirements are met
checkDomainAuditEnabled(con, domainName, auditRef, caller, principal, AUDIT_TYPE_ROLE);
// retrieve our original role
Role originalRole = getRole(con, domainName, roleName, false, false, false);
if (originalRole.getTrust() != null && !originalRole.getTrust().isEmpty()) {
throw ZMSUtils.requestError(caller + ": role " + roleName + " is delegated. Review should happen on the trusted role. ", caller);
}
// now process the request. first we're going to make a copy of our role
Role updatedRole = new Role().setName(originalRole.getName());
// then we're going to apply the updated expiry and/or active status from the incoming role
List<RoleMember> noActionMembers = applyMembershipChanges(updatedRole, originalRole, role, memberExpiryDueDays, memberReminderDueDays, auditRef);
StringBuilder auditDetails = new StringBuilder(ZMSConsts.STRING_BLDR_SIZE_DEFAULT);
List<RoleMember> deletedMembers = new ArrayList<>();
List<RoleMember> extendedMembers = new ArrayList<>();
auditDetails.append("{\"name\": \"").append(roleName).append('\"').append(", \"selfServe\": ").append(auditLogBooleanDefault(originalRole.getSelfServe(), Boolean.TRUE)).append(", \"auditEnabled\": ").append(auditLogBooleanDefault(originalRole.getAuditEnabled(), Boolean.TRUE));
for (RoleMember member : updatedRole.getRoleMembers()) {
if (member.getActive() == Boolean.FALSE) {
if (!con.deleteRoleMember(domainName, roleName, member.getMemberName(), principal, auditRef)) {
con.rollbackChanges();
throw ZMSUtils.notFoundError(caller + ": unable to delete role member: " + member.getMemberName() + " from role: " + roleName, caller);
}
deletedMembers.add(member);
} else {
if (!con.insertRoleMember(domainName, roleName, member, principal, auditRef)) {
con.rollbackChanges();
throw ZMSUtils.notFoundError(caller + ": unable to extend role member: " + member.getMemberName() + " for the role: " + roleName, caller);
}
extendedMembers.add(member);
}
}
// construct audit log details
auditLogRoleMembers(auditDetails, "deleted-members", deletedMembers);
auditLogRoleMembers(auditDetails, "extended-members", extendedMembers);
auditLogRoleMembers(auditDetails, "no-action-members", noActionMembers);
auditDetails.append("}");
if (!deletedMembers.isEmpty() || !extendedMembers.isEmpty()) {
// we have one or more changes to the role. We should update
// both lastReviewed as well as modified timestamps
con.updateRoleModTimestamp(domainName, roleName);
}
con.updateRoleReviewTimestamp(domainName, roleName);
saveChanges(con, domainName);
// audit log the request
auditLogRequest(ctx, domainName, auditRef, caller, "REVIEW", roleName, auditDetails.toString());
// add domain change event
addDomainChangeMessage(ctx, domainName, roleName, DomainChangeMessage.ObjectType.ROLE);
return;
} catch (ResourceException ex) {
if (!shouldRetryOperation(ex, retryCount)) {
throw ex;
}
}
}
}
Also used :
ObjectStoreConnection(com.yahoo.athenz.zms.store.ObjectStoreConnection)
Example 62 with ObjectStoreConnection
use of com.yahoo.athenz.zms.store.ObjectStoreConnection in project athenz by yahoo.
the class DBService method executePutMembership.
void executePutMembership(ResourceContext ctx, String domainName, String roleName, RoleMember roleMember, String auditRef, String caller) {
for (int retryCount = defaultRetryCount; ; retryCount--) {
try (ObjectStoreConnection con = store.getConnection(true, true)) {
final String principal = getPrincipalName(ctx);
// first verify that auditing requirements are met
checkDomainAuditEnabled(con, domainName, auditRef, caller, principal, AUDIT_TYPE_ROLE);
// make sure the role auditing requirements are met
Role originalRole = con.getRole(domainName, roleName);
if (originalRole == null) {
con.rollbackChanges();
throw ZMSUtils.notFoundError(caller + ": Unknown role: " + roleName, caller);
}
checkObjectAuditEnabled(con, originalRole.getAuditEnabled(), originalRole.getName(), auditRef, caller, principal);
if (isTrustRole(originalRole)) {
con.rollbackChanges();
throw ZMSUtils.requestError(caller + ": " + roleName + " is a delegated role", caller);
}
// now we need verify our quota check
quotaCheck.checkRoleMembershipQuota(con, domainName, roleName, caller);
if (!con.insertRoleMember(domainName, roleName, roleMember, principal, auditRef)) {
con.rollbackChanges();
throw ZMSUtils.requestError(caller + ": unable to insert role member: " + roleMember.getMemberName() + " to role: " + roleName, caller);
}
// update our role and domain time-stamps, and invalidate local cache entry
con.updateRoleModTimestamp(domainName, roleName);
con.updateDomainModTimestamp(domainName);
cacheStore.invalidate(domainName);
// audit log the request
StringBuilder auditDetails = new StringBuilder(ZMSConsts.STRING_BLDR_SIZE_DEFAULT);
auditLogRoleMember(auditDetails, roleMember, true);
auditLogRequest(ctx, domainName, auditRef, caller, ZMSConsts.HTTP_PUT, roleName, auditDetails.toString());
// add domain change event
addDomainChangeMessage(ctx, domainName, roleName, DomainChangeMessage.ObjectType.ROLE);
return;
} catch (ResourceException ex) {
if (!shouldRetryOperation(ex, retryCount)) {
throw ex;
}
}
}
}
Also used :
ObjectStoreConnection(com.yahoo.athenz.zms.store.ObjectStoreConnection)
Example 63 with ObjectStoreConnection
use of com.yahoo.athenz.zms.store.ObjectStoreConnection in project athenz by yahoo.
the class DBService method executeDeleteDomain.
void executeDeleteDomain(ResourceContext ctx, String domainName, String auditRef, String caller) {
for (int retryCount = defaultRetryCount; ; retryCount--) {
try (ObjectStoreConnection con = store.getConnection(false, true)) {
// first verify that auditing requirements are met
checkDomainAuditEnabled(con, domainName, auditRef, caller, getPrincipalName(ctx), AUDIT_TYPE_DOMAIN);
// now process the request
con.deleteDomain(domainName);
con.commitChanges();
cacheStore.invalidate(domainName);
// audit log the request
auditLogRequest(ctx, domainName, auditRef, caller, ZMSConsts.HTTP_DELETE, domainName, null);
// add domain change event
addDomainChangeMessage(ctx, domainName, domainName, DomainChangeMessage.ObjectType.DOMAIN);
return;
} catch (ResourceException ex) {
if (!shouldRetryOperation(ex, retryCount)) {
throw ex;
}
}
}
}
Also used :
ObjectStoreConnection(com.yahoo.athenz.zms.store.ObjectStoreConnection)
Example 64 with ObjectStoreConnection
use of com.yahoo.athenz.zms.store.ObjectStoreConnection in project athenz by yahoo.
the class DBService method executePutGroupReview.
void executePutGroupReview(ResourceContext ctx, final String domainName, final String groupName, Group group, MemberDueDays memberExpiryDueDays, final String auditRef) {
for (int retryCount = defaultRetryCount; ; retryCount--) {
try (ObjectStoreConnection con = store.getConnection(false, true)) {
final String principal = getPrincipalName(ctx);
// first verify that auditing requirements are met
checkDomainAuditEnabled(con, domainName, auditRef, ctx.getApiName(), principal, AUDIT_TYPE_GROUP);
// retrieve our original group
Group originalGroup = getGroup(con, domainName, groupName, false, false);
// now process the request. first we're going to make a copy of our group
Group updatedGroup = new Group().setName(originalGroup.getName());
// then we're going to apply the updated expiry and/or active status from the incoming group
List<GroupMember> noActionMembers = applyMembershipChangesGroup(updatedGroup, originalGroup, group, memberExpiryDueDays, auditRef);
StringBuilder auditDetails = new StringBuilder(ZMSConsts.STRING_BLDR_SIZE_DEFAULT);
List<GroupMember> deletedMembers = new ArrayList<>();
List<GroupMember> extendedMembers = new ArrayList<>();
auditDetails.append("{\"name\": \"").append(groupName).append('\"').append(", \"selfServe\": ").append(auditLogBooleanDefault(group.getSelfServe(), Boolean.TRUE)).append(", \"auditEnabled\": ").append(auditLogBooleanDefault(group.getAuditEnabled(), Boolean.TRUE));
for (GroupMember member : updatedGroup.getGroupMembers()) {
if (member.getActive() == Boolean.FALSE) {
if (!con.deleteGroupMember(domainName, groupName, member.getMemberName(), principal, auditRef)) {
con.rollbackChanges();
throw ZMSUtils.notFoundError("unable to delete group member: " + member.getMemberName() + " from group: " + groupName, ctx.getApiName());
}
deletedMembers.add(member);
} else {
if (!con.insertGroupMember(domainName, groupName, member, principal, auditRef)) {
con.rollbackChanges();
throw ZMSUtils.notFoundError("unable to extend group member: " + member.getMemberName() + " for the group: " + groupName, ctx.getApiName());
}
extendedMembers.add(member);
}
}
// construct audit log details
auditLogGroupMembers(auditDetails, "deleted-members", deletedMembers);
auditLogGroupMembers(auditDetails, "extended-members", extendedMembers);
auditLogGroupMembers(auditDetails, "no-action-members", noActionMembers);
auditDetails.append("}");
if (!deletedMembers.isEmpty() || !extendedMembers.isEmpty()) {
// we have one or more changes to the group. We should update
// both lastReviewed as well as modified timestamps
con.updateGroupModTimestamp(domainName, groupName);
}
con.updateGroupReviewTimestamp(domainName, groupName);
saveChanges(con, domainName);
// audit log the request
auditLogRequest(ctx, domainName, auditRef, ctx.getApiName(), "REVIEW", groupName, auditDetails.toString());
// add domain change event
addDomainChangeMessage(ctx, domainName, groupName, DomainChangeMessage.ObjectType.GROUP);
return;
} catch (ResourceException ex) {
if (!shouldRetryOperation(ex, retryCount)) {
throw ex;
}
}
}
}
Also used :
ObjectStoreConnection(com.yahoo.athenz.zms.store.ObjectStoreConnection)
Example 65 with ObjectStoreConnection
use of com.yahoo.athenz.zms.store.ObjectStoreConnection in project athenz by yahoo.
the class DBService method processExpiredPendingGroupMembers.
public void processExpiredPendingGroupMembers(int pendingGroupMemberLifespan, final String monitorIdentity) {
final String auditRef = "Expired - auto reject";
final String caller = "processExpiredPendingGroupMembers";
Map<String, List<DomainGroupMember>> memberList;
try (ObjectStoreConnection con = store.getConnection(true, false)) {
memberList = con.getExpiredPendingDomainGroupMembers(pendingGroupMemberLifespan);
}
for (String domainName : memberList.keySet()) {
for (DomainGroupMember domainGroupMember : memberList.get(domainName)) {
final String principalName = domainGroupMember.getMemberName();
for (GroupMember groupMember : domainGroupMember.getMemberGroups()) {
try (ObjectStoreConnection con = store.getConnection(true, true)) {
if (con.deletePendingGroupMember(domainName, groupMember.getGroupName(), principalName, monitorIdentity, auditRef)) {
auditLogRequest(monitorIdentity, domainName, auditRef, caller, "REJECT", groupMember.getGroupName(), "{\"member\": \"" + principalName + "\"}");
}
}
}
}
}
}
Also used :
ObjectStoreConnection(com.yahoo.athenz.zms.store.ObjectStoreConnection)
Aggregations
ObjectStoreConnection (com.yahoo.athenz.zms.store.ObjectStoreConnection)173
Test (org.testng.annotations.Test)96
ObjectStore (com.yahoo.athenz.zms.store.ObjectStore)38
AthenzDomain (com.yahoo.athenz.zms.store.AthenzDomain)34
Authority (com.yahoo.athenz.auth.Authority)23
Timestamp (com.yahoo.rdl.Timestamp)17
ArrayList (java.util.ArrayList)16
MemberDueDays (com.yahoo.athenz.zms.config.MemberDueDays)11
Principal (com.yahoo.athenz.auth.Principal)7
SimplePrincipal (com.yahoo.athenz.auth.impl.SimplePrincipal)7
EmbeddedMysql (com.wix.mysql.EmbeddedMysql)5
FilePrivateKeyStore (com.yahoo.athenz.auth.impl.FilePrivateKeyStore)5
Crypto (com.yahoo.athenz.auth.util.Crypto)5
AuditReferenceValidator (com.yahoo.athenz.common.server.audit.AuditReferenceValidator)5
NotificationManager (com.yahoo.athenz.common.server.notification.NotificationManager)5
ResourceUtils (com.yahoo.athenz.common.server.util.ResourceUtils)5
DataCache (com.yahoo.athenz.zms.DBService.DataCache)5
MockAuditReferenceValidatorImpl (com.yahoo.athenz.zms.audit.MockAuditReferenceValidatorImpl)5
JDBCConnection (com.yahoo.athenz.zms.store.impl.jdbc.JDBCConnection)5
ZMSUtils (com.yahoo.athenz.zms.utils.ZMSUtils)5
