
Example 61 with ObjectStoreConnection

use of com.yahoo.athenz.zms.store.ObjectStoreConnection in project athenz by yahoo.

the class DBService method executePutRoleReview.

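/**
 * Applies a role review: each member of the incoming {@code role} whose {@code active}
 * flag is {@code false} is deleted from the stored role, every other reviewed member is
 * re-inserted with the updated expiry/reminder dates, and the role's review timestamp
 * is updated. The modification timestamp is only touched when at least one member was
 * actually deleted or extended.
 *
 * <p>The work runs on a single store connection and is retried while
 * {@code shouldRetryOperation} considers the {@link ResourceException} transient.
 *
 * @param ctx request context; the principal name is taken from it for the audit trail
 * @param domainName domain that owns the role
 * @param roleName name of the role under review
 * @param roleName incoming review payload (reviewed members with their active flag / dates)
 * @param memberExpiryDueDays expiry due-day settings handed to {@code applyMembershipChanges}
 * @param memberReminderDueDays reminder due-day settings handed to {@code applyMembershipChanges}
 * @param auditRef audit reference supplied by the caller
 * @param caller api name used in error messages and the audit log
 * @throws ResourceException if the domain audit requirements are not met, the role is
 *         delegated (has a trust), a member delete/insert is rejected by the store, or a
 *         store error is not retryable
 */
void executePutRoleReview(ResourceContext ctx, String domainName, String roleName, Role role, MemberDueDays memberExpiryDueDays, MemberDueDays memberReminderDueDays, String auditRef, String caller) {
    for (int retryCount = defaultRetryCount; ; retryCount--) {
        try (ObjectStoreConnection con = store.getConnection(false, true)) {
            final String principal = getPrincipalName(ctx);
            // first verify that auditing requirements are met
            checkDomainAuditEnabled(con, domainName, auditRef, caller, principal, AUDIT_TYPE_ROLE);
            // retrieve our original role
            Role originalRole = getRole(con, domainName, roleName, false, false, false);
            // a delegated role has no members of its own; the review belongs on the trusted role
            final String trust = originalRole.getTrust();
            if (trust != null && !trust.isEmpty()) {
                throw ZMSUtils.requestError(caller + ": role " + roleName + " is delegated. Review should happen on the trusted role. ", caller);
            }
            // now process the request. first we're going to make a copy of our role
            Role updatedRole = new Role().setName(originalRole.getName());
            // then we're going to apply the updated expiry and/or active status from the incoming role
            List<RoleMember> noActionMembers = applyMembershipChanges(updatedRole, originalRole, role, memberExpiryDueDays, memberReminderDueDays, auditRef);
            StringBuilder auditDetails = new StringBuilder(ZMSConsts.STRING_BLDR_SIZE_DEFAULT);
            List<RoleMember> deletedMembers = new ArrayList<>();
            List<RoleMember> extendedMembers = new ArrayList<>();
            // the audit record describes the stored role's flags, not the caller-supplied payload
            auditDetails.append("{\"name\": \"").append(roleName).append('\"').append(", \"selfServe\": ").append(auditLogBooleanDefault(originalRole.getSelfServe(), Boolean.TRUE)).append(", \"auditEnabled\": ").append(auditLogBooleanDefault(originalRole.getAuditEnabled(), Boolean.TRUE));
            for (RoleMember member : updatedRole.getRoleMembers()) {
                // compare the boxed flag by value rather than by reference (== Boolean.FALSE);
                // a null active flag still falls through to the extend branch as before
                if (Boolean.FALSE.equals(member.getActive())) {
                    if (!con.deleteRoleMember(domainName, roleName, member.getMemberName(), principal, auditRef)) {
                        con.rollbackChanges();
                        throw ZMSUtils.notFoundError(caller + ": unable to delete role member: " + member.getMemberName() + " from role: " + roleName, caller);
                    }
                    deletedMembers.add(member);
                } else {
                    if (!con.insertRoleMember(domainName, roleName, member, principal, auditRef)) {
                        con.rollbackChanges();
                        throw ZMSUtils.notFoundError(caller + ": unable to extend role member: " + member.getMemberName() + " for the role: " + roleName, caller);
                    }
                    extendedMembers.add(member);
                }
            }
            // construct audit log details
            auditLogRoleMembers(auditDetails, "deleted-members", deletedMembers);
            auditLogRoleMembers(auditDetails, "extended-members", extendedMembers);
            auditLogRoleMembers(auditDetails, "no-action-members", noActionMembers);
            auditDetails.append("}");
            if (!deletedMembers.isEmpty() || !extendedMembers.isEmpty()) {
                // we have one or more changes to the role. We should update
                // both lastReviewed as well as modified timestamps
                con.updateRoleModTimestamp(domainName, roleName);
            }
            con.updateRoleReviewTimestamp(domainName, roleName);
            // saveChanges is expected to commit the transaction and drop the cached domain
            saveChanges(con, domainName);
            // audit log the request
            auditLogRequest(ctx, domainName, auditRef, caller, "REVIEW", roleName, auditDetails.toString());
            // add domain change event
            addDomainChangeMessage(ctx, domainName, roleName, DomainChangeMessage.ObjectType.ROLE);
            return;
        } catch (ResourceException ex) {
            // the connection is already closed by try-with-resources when we get here
            if (!shouldRetryOperation(ex, retryCount)) {
                throw ex;
            }
        }
    }
}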

Example 62 with ObjectStoreConnection

use of com.yahoo.athenz.zms.store.ObjectStoreConnection in project athenz by yahoo.

the class DBService method executePutMembership.

/**
 * Inserts {@code roleMember} into the given role, after checking the domain and role
 * audit requirements, rejecting delegated (trust) roles and enforcing the membership quota.
 * On success the role and domain modification timestamps are bumped, the cached domain is
 * invalidated, the request is audit-logged and a domain change event is emitted.
 *
 * <p>Retried while {@code shouldRetryOperation} treats the {@link ResourceException}
 * as transient; every failure path rolls the store changes back first.
 *
 * @param ctx request context providing the acting principal
 * @param domainName domain that owns the role
 * @param roleName role receiving the new member
 * @param roleMember member to insert
 * @param auditRef caller-supplied audit reference
 * @param caller api name used in error messages and the audit log
 * @throws ResourceException if the role is unknown or delegated, audit/quota checks fail,
 *         the store rejects the insert, or a store error is not retryable
 */
void executePutMembership(ResourceContext ctx, String domainName, String roleName, RoleMember roleMember, String auditRef, String caller) {
    int retriesLeft = defaultRetryCount;
    while (true) {
        try (ObjectStoreConnection con = store.getConnection(true, true)) {
            final String principal = getPrincipalName(ctx);
            // domain-level audit requirements come first
            checkDomainAuditEnabled(con, domainName, auditRef, caller, principal, AUDIT_TYPE_ROLE);
            // the role must exist, satisfy its own audit requirements and not be delegated
            Role existingRole = con.getRole(domainName, roleName);
            if (existingRole == null) {
                con.rollbackChanges();
                throw ZMSUtils.notFoundError(caller + ": Unknown role: " + roleName, caller);
            }
            checkObjectAuditEnabled(con, existingRole.getAuditEnabled(), existingRole.getName(), auditRef, caller, principal);
            if (isTrustRole(existingRole)) {
                con.rollbackChanges();
                throw ZMSUtils.requestError(caller + ": " + roleName + " is a delegated role", caller);
            }
            // membership quota is enforced before touching the role
            quotaCheck.checkRoleMembershipQuota(con, domainName, roleName, caller);
            boolean inserted = con.insertRoleMember(domainName, roleName, roleMember, principal, auditRef);
            if (!inserted) {
                con.rollbackChanges();
                throw ZMSUtils.requestError(caller + ": unable to insert role member: " + roleMember.getMemberName() + " to role: " + roleName, caller);
            }
            // bump role and domain timestamps, then drop the cached copy of the domain
            con.updateRoleModTimestamp(domainName, roleName);
            con.updateDomainModTimestamp(domainName);
            cacheStore.invalidate(domainName);
            // audit trail and change notification
            StringBuilder details = new StringBuilder(ZMSConsts.STRING_BLDR_SIZE_DEFAULT);
            auditLogRoleMember(details, roleMember, true);
            auditLogRequest(ctx, domainName, auditRef, caller, ZMSConsts.HTTP_PUT, roleName, details.toString());
            addDomainChangeMessage(ctx, domainName, roleName, DomainChangeMessage.ObjectType.ROLE);
            return;
        } catch (ResourceException ex) {
            if (!shouldRetryOperation(ex, retriesLeft)) {
                throw ex;
            }
        }
        // only reached when the operation is going to be retried
        retriesLeft--;
    }
}

Example 63 with ObjectStoreConnection

use of com.yahoo.athenz.zms.store.ObjectStoreConnection in project athenz by yahoo.

the class DBService method executeDeleteDomain.

/**
 * Deletes an entire domain from the store, commits, invalidates the cached domain,
 * audit-logs the request and emits a domain change event.
 *
 * <p>Retried while {@code shouldRetryOperation} treats the {@link ResourceException}
 * as transient.
 *
 * @param ctx request context providing the acting principal
 * @param domainName domain to delete
 * @param auditRef caller-supplied audit reference
 * @param caller api name used in error messages and the audit log
 * @throws ResourceException if the domain audit requirements are not met or a store
 *         error is not retryable
 */
void executeDeleteDomain(ResourceContext ctx, String domainName, String auditRef, String caller) {
    int retriesLeft = defaultRetryCount;
    while (true) {
        try (ObjectStoreConnection con = store.getConnection(false, true)) {
            final String principal = getPrincipalName(ctx);
            // audit requirements must be satisfied before anything is removed
            checkDomainAuditEnabled(con, domainName, auditRef, caller, principal, AUDIT_TYPE_DOMAIN);
            // remove the domain and make the deletion durable
            con.deleteDomain(domainName);
            con.commitChanges();
            cacheStore.invalidate(domainName);
            // audit trail (no details payload for a domain delete) and change notification
            auditLogRequest(ctx, domainName, auditRef, caller, ZMSConsts.HTTP_DELETE, domainName, null);
            addDomainChangeMessage(ctx, domainName, domainName, DomainChangeMessage.ObjectType.DOMAIN);
            return;
        } catch (ResourceException ex) {
            if (!shouldRetryOperation(ex, retriesLeft)) {
                throw ex;
            }
        }
        // only reached when the operation is going to be retried
        retriesLeft--;
    }
}

Example 64 with ObjectStoreConnection

use of com.yahoo.athenz.zms.store.ObjectStoreConnection in project athenz by yahoo.

the class DBService method executePutGroupReview.

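/**
 * Applies a group review: each member of the incoming {@code group} whose {@code active}
 * flag is {@code false} is deleted from the stored group, every other reviewed member is
 * re-inserted with the updated expiry dates, and the group's review timestamp is updated.
 * The modification timestamp is only touched when at least one member was actually
 * deleted or extended.
 *
 * <p>The work runs on a single store connection and is retried while
 * {@code shouldRetryOperation} considers the {@link ResourceException} transient.
 *
 * @param ctx request context; supplies the principal name and the api name used in
 *        error messages and the audit log
 * @param domainName domain that owns the group
 * @param groupName name of the group under review
 * @param group incoming review payload (reviewed members with their active flag / dates)
 * @param memberExpiryDueDays expiry due-day settings handed to {@code applyMembershipChangesGroup}
 * @param auditRef audit reference supplied by the caller
 * @throws ResourceException if the domain audit requirements are not met, a member
 *         delete/insert is rejected by the store, or a store error is not retryable
 */
void executePutGroupReview(ResourceContext ctx, final String domainName, final String groupName, Group group, MemberDueDays memberExpiryDueDays, final String auditRef) {
    for (int retryCount = defaultRetryCount; ; retryCount--) {
        try (ObjectStoreConnection con = store.getConnection(false, true)) {
            final String principal = getPrincipalName(ctx);
            // first verify that auditing requirements are met
            checkDomainAuditEnabled(con, domainName, auditRef, ctx.getApiName(), principal, AUDIT_TYPE_GROUP);
            // retrieve our original group
            Group originalGroup = getGroup(con, domainName, groupName, false, false);
            // now process the request. first we're going to make a copy of our group
            Group updatedGroup = new Group().setName(originalGroup.getName());
            // then we're going to apply the updated expiry and/or active status from the incoming group
            List<GroupMember> noActionMembers = applyMembershipChangesGroup(updatedGroup, originalGroup, group, memberExpiryDueDays, auditRef);
            StringBuilder auditDetails = new StringBuilder(ZMSConsts.STRING_BLDR_SIZE_DEFAULT);
            List<GroupMember> deletedMembers = new ArrayList<>();
            List<GroupMember> extendedMembers = new ArrayList<>();
            // record the flags of the stored group, as the role review does for roles; the
            // caller-supplied review payload is not the authority on selfServe/auditEnabled
            auditDetails.append("{\"name\": \"").append(groupName).append('\"').append(", \"selfServe\": ").append(auditLogBooleanDefault(originalGroup.getSelfServe(), Boolean.TRUE)).append(", \"auditEnabled\": ").append(auditLogBooleanDefault(originalGroup.getAuditEnabled(), Boolean.TRUE));
            for (GroupMember member : updatedGroup.getGroupMembers()) {
                // compare the boxed flag by value rather than by reference (== Boolean.FALSE);
                // a null active flag still falls through to the extend branch as before
                if (Boolean.FALSE.equals(member.getActive())) {
                    if (!con.deleteGroupMember(domainName, groupName, member.getMemberName(), principal, auditRef)) {
                        con.rollbackChanges();
                        throw ZMSUtils.notFoundError("unable to delete group member: " + member.getMemberName() + " from group: " + groupName, ctx.getApiName());
                    }
                    deletedMembers.add(member);
                } else {
                    if (!con.insertGroupMember(domainName, groupName, member, principal, auditRef)) {
                        con.rollbackChanges();
                        throw ZMSUtils.notFoundError("unable to extend group member: " + member.getMemberName() + " for the group: " + groupName, ctx.getApiName());
                    }
                    extendedMembers.add(member);
                }
            }
            // construct audit log details
            auditLogGroupMembers(auditDetails, "deleted-members", deletedMembers);
            auditLogGroupMembers(auditDetails, "extended-members", extendedMembers);
            auditLogGroupMembers(auditDetails, "no-action-members", noActionMembers);
            auditDetails.append("}");
            if (!deletedMembers.isEmpty() || !extendedMembers.isEmpty()) {
                // we have one or more changes to the group. We should update
                // both lastReviewed as well as modified timestamps
                con.updateGroupModTimestamp(domainName, groupName);
            }
            con.updateGroupReviewTimestamp(domainName, groupName);
            // saveChanges is expected to commit the transaction and drop the cached domain
            saveChanges(con, domainName);
            // audit log the request
            auditLogRequest(ctx, domainName, auditRef, ctx.getApiName(), "REVIEW", groupName, auditDetails.toString());
            // add domain change event
            addDomainChangeMessage(ctx, domainName, groupName, DomainChangeMessage.ObjectType.GROUP);
            return;
        } catch (ResourceException ex) {
            // the connection is already closed by try-with-resources when we get here
            if (!shouldRetryOperation(ex, retryCount)) {
                throw ex;
            }
        }
    }
}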

Example 65 with ObjectStoreConnection

use of com.yahoo.athenz.zms.store.ObjectStoreConnection in project athenz by yahoo.

the class DBService method processExpiredPendingGroupMembers.

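/**
 * Auto-rejects pending group memberships that have been waiting longer than
 * {@code pendingGroupMemberLifespan}. The expired entries are fetched once on a
 * read-only connection; each pending member is then deleted on its own connection
 * and, when the delete reports success, a REJECT entry is written to the audit log
 * under {@code monitorIdentity}.
 *
 * <p>There is no retry here: a {@link ResourceException} from the store propagates
 * to the caller and stops the remaining members from being processed in this pass.
 *
 * @param pendingGroupMemberLifespan maximum age of a pending membership, in the unit
 *        expected by {@code getExpiredPendingDomainGroupMembers}
 * @param monitorIdentity principal recorded as the actor for the deletes and audit entries
 */
public void processExpiredPendingGroupMembers(int pendingGroupMemberLifespan, final String monitorIdentity) {
    final String auditRef = "Expired - auto reject";
    final String caller = "processExpiredPendingGroupMembers";
    Map<String, List<DomainGroupMember>> memberList;
    try (ObjectStoreConnection con = store.getConnection(true, false)) {
        memberList = con.getExpiredPendingDomainGroupMembers(pendingGroupMemberLifespan);
    }
    // iterate entries directly instead of keySet() + get(): one lookup per domain
    for (Map.Entry<String, List<DomainGroupMember>> entry : memberList.entrySet()) {
        final String domainName = entry.getKey();
        for (DomainGroupMember domainGroupMember : entry.getValue()) {
            final String principalName = domainGroupMember.getMemberName();
            for (GroupMember groupMember : domainGroupMember.getMemberGroups()) {
                // a fresh connection per delete keeps each rejection independent of the others
                try (ObjectStoreConnection con = store.getConnection(true, true)) {
                    if (con.deletePendingGroupMember(domainName, groupMember.getGroupName(), principalName, monitorIdentity, auditRef)) {
                        auditLogRequest(monitorIdentity, domainName, auditRef, caller, "REJECT", groupMember.getGroupName(), "{\"member\": \"" + principalName + "\"}");
                    }
                }
            }
        }
    }
}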
