
Example 81 with ObjectStoreConnection

use of com.yahoo.athenz.zms.store.ObjectStoreConnection in project athenz by yahoo.

the class DBService method executePutRoleSystemMeta.

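/**
 * Applies a single system-meta attribute change to a role and persists it.
 *
 * <p>The work runs inside a read-write store connection and is retried while
 * {@code shouldRetryOperation} says the failure is retryable; {@code retryCount}
 * starts at {@code defaultRetryCount} and is decremented on every attempt.
 * Before anything is modified the domain must exist, must satisfy the audit
 * requirements checked by {@code checkDomainAuditEnabled}, and must have its
 * {@code auditEnabled} flag set. Any rejection rolls the connection back and is
 * reported through a {@link ResourceException} built by {@code ZMSUtils}.
 *
 * @param ctx        request context; used for the principal name, api name and audit log
 * @param domainName domain owning the role
 * @param roleName   role whose system meta is updated
 * @param meta       new system-meta values, applied by {@code updateRoleSystemMetaFields}
 * @param attribute  attribute selector passed through to {@code updateRoleSystemMetaFields}
 * @param auditRef   audit reference supplied by the caller
 * @param caller     name of the calling API, used in error messages and audit records
 * @throws ResourceException if the domain or role is unknown, audit requirements are
 *                           not met, or the store operation fails and is not retryable
 */
public void executePutRoleSystemMeta(ResourceContext ctx, final String domainName, final String roleName, RoleSystemMeta meta, final String attribute, final String auditRef, final String caller) {
    for (int retryCount = defaultRetryCount; ; retryCount--) {
        try (ObjectStoreConnection con = store.getConnection(false, true)) {
            Domain domain = con.getDomain(domainName);
            if (domain == null) {
                con.rollbackChanges();
                throw ZMSUtils.notFoundError(caller + ": Unknown domain: " + domainName, caller);
            }
            // first verify that auditing requirements are met
            checkDomainAuditEnabled(con, domain, auditRef, caller, getPrincipalName(ctx), AUDIT_TYPE_ROLE);
            if (domain.getAuditEnabled() != Boolean.TRUE) {
                // roll back explicitly, consistent with the unknown-domain path above
                con.rollbackChanges();
                throw ZMSUtils.requestError(caller + ": auditEnabled flag not set for domain: " + domainName + " to add it on the role: " + roleName, caller);
            }
            Role originalRole = getRole(con, domainName, roleName, false, false, false);
            // getRole is not visible here; guard its result so an unknown role is
            // reported as a not-found error instead of a NullPointerException
            if (originalRole == null) {
                con.rollbackChanges();
                throw ZMSUtils.notFoundError(caller + ": Unknown role: " + roleName, caller);
            }
            // now process the request. first we're going to make a
            // copy of our role, then apply the updated fields from the given object
            Role updatedRole = copyRoleForSystemMeta(originalRole);
            updateRoleSystemMetaFields(con, updatedRole, originalRole, attribute, meta, ctx.getApiName());
            con.updateRole(domainName, updatedRole);
            saveChanges(con, domainName);
            // audit log the request
            StringBuilder auditDetails = new StringBuilder(ZMSConsts.STRING_BLDR_SIZE_DEFAULT);
            auditLogRoleSystemMeta(auditDetails, updatedRole, roleName);
            auditLogRequest(ctx, domainName, auditRef, caller, ZMSConsts.HTTP_PUT, domainName, auditDetails.toString());
            // add domain change event
            addDomainChangeMessage(ctx, domainName, roleName, DomainChangeMessage.ObjectType.ROLE);
            return;
        } catch (ResourceException ex) {
            if (!shouldRetryOperation(ex, retryCount)) {
                throw ex;
            }
        }
    }
}

/**
 * Builds a fresh {@link Role} carrying the fields of {@code source} that a
 * system-meta update may operate on; members and other fields are not copied.
 *
 * @param source role to copy from (must not be null)
 * @return a new role object with the copied fields
 */
private static Role copyRoleForSystemMeta(Role source) {
    return new Role()
            .setName(source.getName())
            .setAuditEnabled(source.getAuditEnabled())
            .setTrust(source.getTrust())
            .setSelfServe(source.getSelfServe())
            .setMemberExpiryDays(source.getMemberExpiryDays())
            .setServiceExpiryDays(source.getServiceExpiryDays())
            .setGroupExpiryDays(source.getGroupExpiryDays())
            .setGroupReviewDays(source.getGroupReviewDays())
            .setTokenExpiryMins(source.getTokenExpiryMins())
            .setCertExpiryMins(source.getCertExpiryMins())
            .setMemberReviewDays(source.getMemberReviewDays())
            .setServiceReviewDays(source.getServiceReviewDays())
            .setSignAlgorithm(source.getSignAlgorithm())
            .setReviewEnabled(source.getReviewEnabled())
            .setNotifyRoles(source.getNotifyRoles());
}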
Also used : ObjectStoreConnection(com.yahoo.athenz.zms.store.ObjectStoreConnection) AthenzDomain(com.yahoo.athenz.zms.store.AthenzDomain)

Example 82 with ObjectStoreConnection

use of com.yahoo.athenz.zms.store.ObjectStoreConnection in project athenz by yahoo.

the class DBService method executePutPublicKeyEntry.

/**
 * Inserts or updates one public key of a service identity.
 *
 * <p>Runs in a read-write store connection and is retried while
 * {@code shouldRetryOperation} accepts the failure, counting down from
 * {@code defaultRetryCount}. A key that does not exist yet is subject to the
 * service public-key quota check before it is inserted; an existing key is
 * updated in place. The audit record distinguishes the two cases.
 *
 * @param ctx         request context, used for the principal name and audit log
 * @param domainName  domain of the service
 * @param serviceName service the key belongs to
 * @param keyEntry    key to store; {@code keyEntry.getId()} identifies it
 * @param auditRef    audit reference supplied by the caller
 * @param caller      calling API name, used in error messages and audit records
 * @throws ResourceException if audit requirements or quota are not met, or the
 *                           store refuses the write and the error is not retryable
 */
void executePutPublicKeyEntry(ResourceContext ctx, String domainName, String serviceName, PublicKeyEntry keyEntry, String auditRef, String caller) {
    for (int attemptsLeft = defaultRetryCount; ; attemptsLeft--) {
        try (ObjectStoreConnection con = store.getConnection(false, true)) {
            // auditing requirements come first
            checkDomainAuditEnabled(con, domainName, auditRef, caller, getPrincipalName(ctx), AUDIT_TYPE_SERVICE);
            // decide between insert and update based on whether the key is already stored
            final PublicKeyEntry existingKey = con.getPublicKeyEntry(domainName, serviceName, keyEntry.getId(), false);
            final boolean isNewKey = (existingKey == null);
            if (isNewKey) {
                quotaCheck.checkServiceIdentityPublicKeyQuota(con, domainName, serviceName, caller);
            }
            final StringBuilder auditDetails = new StringBuilder(ZMSConsts.STRING_BLDR_SIZE_DEFAULT);
            final boolean stored;
            if (isNewKey) {
                stored = con.insertPublicKeyEntry(domainName, serviceName, keyEntry);
                auditDetails.append("{\"added-publicKeys\": [");
            } else {
                stored = con.updatePublicKeyEntry(domainName, serviceName, keyEntry);
                auditDetails.append("{\"updated-publicKeys\": [");
            }
            if (!stored) {
                con.rollbackChanges();
                throw ZMSUtils.internalServerError("unable to put public key: " + keyEntry.getId() + " in service " + ResourceUtils.serviceResourceName(domainName, serviceName), caller);
            }
            // bump the service and domain modification time-stamps, then commit
            con.updateServiceIdentityModTimestamp(domainName, serviceName);
            saveChanges(con, domainName);
            // complete the audit record and emit it
            auditLogPublicKeyEntry(auditDetails, keyEntry, true);
            auditDetails.append("]}");
            auditLogRequest(ctx, domainName, auditRef, caller, ZMSConsts.HTTP_PUT, serviceName, auditDetails.toString());
            // notify listeners of the domain change
            addDomainChangeMessage(ctx, domainName, serviceName, DomainChangeMessage.ObjectType.SERVICE);
            return;
        } catch (ResourceException ex) {
            if (!shouldRetryOperation(ex, attemptsLeft)) {
                throw ex;
            }
        }
    }
}
Also used : ObjectStoreConnection(com.yahoo.athenz.zms.store.ObjectStoreConnection)

Example 83 with ObjectStoreConnection

use of com.yahoo.athenz.zms.store.ObjectStoreConnection in project athenz by yahoo.

the class DBService method setupTenantAdminPolicy.

/**
 * Ensures the tenant domain has the admin role and policy for the given provider service.
 *
 * <p>Creates (only when absent) the role {@code tenancy.<provSvcDomain>.<provSvcName>.admin}
 * and a policy of the same name holding three ALLOW assertions: the domain admin role and
 * the tenant admin role may assume the provider's trusted admin role, and the tenant admin
 * role may {@code update} the {@code <tenantDomain>:tenancy.<provSvcDomain>.<provSvcName>}
 * resource. Runs in a read-write connection and is retried while
 * {@code shouldRetryOperation} accepts the failure, counting down from
 * {@code defaultRetryCount}.
 *
 * @param ctx           request context, used for domain change events
 * @param tenantDomain  domain in which the role and policy are created
 * @param provSvcDomain domain of the provider service
 * @param provSvcName   name of the provider service
 * @param auditRef      audit reference supplied by the caller
 * @param caller        calling API name, used in error messages
 * @throws ResourceException if audit requirements are not met or a store error is not retryable
 */
void setupTenantAdminPolicy(ResourceContext ctx, String tenantDomain, String provSvcDomain, String provSvcName, String auditRef, String caller) {
    for (int attemptsLeft = defaultRetryCount; ; attemptsLeft--) {
        try (ObjectStoreConnection con = store.getConnection(false, true)) {
            // the audit principal for tenancy operations is the provider service itself
            checkDomainAuditEnabled(con, tenantDomain, auditRef, caller, provSvcDomain + "." + provSvcName, AUDIT_TYPE_TENANCY);
            final String domainAdminRole = ResourceUtils.roleResourceName(tenantDomain, ZMSConsts.ADMIN_ROLE_NAME);
            final String trustedAdminRoleResource = ZMSUtils.getTrustedResourceGroupRolePrefix(provSvcDomain, provSvcName, tenantDomain, null) + ZMSConsts.ADMIN_ROLE_NAME;
            // role and policy share the name tenancy.<prov_domain>.<prov_svc>.admin
            final String tenancyResource = "tenancy." + provSvcDomain + '.' + provSvcName;
            final String adminName = tenancyResource + ".admin";
            final String tenantAdminRole = ResourceUtils.roleResourceName(tenantDomain, adminName);
            final boolean roleMissing = (con.getRole(tenantDomain, adminName) == null);
            if (roleMissing) {
                con.insertRole(tenantDomain, new Role().setName(tenantAdminRole));
                addDomainChangeMessage(ctx, tenantDomain, tenantAdminRole, DomainChangeMessage.ObjectType.ROLE);
            }
            final boolean policyMissing = (con.getPolicy(tenantDomain, adminName, null) == null);
            if (policyMissing) {
                final Policy adminPolicy = new Policy().setName(ResourceUtils.policyResourceName(tenantDomain, adminName));
                adminPolicy.setVersion(null);
                con.insertPolicy(tenantDomain, adminPolicy);
                // both the domain admins and the tenant admins may assume the provider's admin role
                con.insertAssertion(tenantDomain, adminName, null,
                        newAllowAssertion(domainAdminRole, trustedAdminRoleResource, ZMSConsts.ACTION_ASSUME_ROLE));
                con.insertAssertion(tenantDomain, adminName, null,
                        newAllowAssertion(tenantAdminRole, trustedAdminRoleResource, ZMSConsts.ACTION_ASSUME_ROLE));
                // tenant admins also need update on tenancy.<prov_domain>.<prov_svc>
                // so that they can provision new resource groups in the domain
                final String tenantResourceName = tenantDomain + ":" + tenancyResource;
                con.insertAssertion(tenantDomain, adminName, null,
                        newAllowAssertion(tenantAdminRole, tenantResourceName, ZMSConsts.ACTION_UPDATE));
                addDomainChangeMessage(ctx, tenantDomain, adminPolicy.getName(), DomainChangeMessage.ObjectType.POLICY);
            }
            // bump the domain modification time-stamp and commit
            saveChanges(con, tenantDomain);
            return;
        } catch (ResourceException ex) {
            if (!shouldRetryOperation(ex, attemptsLeft)) {
                throw ex;
            }
        }
    }
}

/**
 * Builds an ALLOW assertion granting {@code action} on {@code resource} to {@code role}.
 *
 * @param role     fully qualified role resource name
 * @param resource resource the assertion applies to
 * @param action   action being allowed
 * @return the new assertion
 */
private static Assertion newAllowAssertion(String role, String resource, String action) {
    return new Assertion()
            .setRole(role)
            .setResource(resource)
            .setAction(action)
            .setEffect(AssertionEffect.ALLOW);
}
Also used : ObjectStoreConnection(com.yahoo.athenz.zms.store.ObjectStoreConnection)

Example 84 with ObjectStoreConnection

use of com.yahoo.athenz.zms.store.ObjectStoreConnection in project athenz by yahoo.

the class DBService method getPendingDomainGroupMembers.

/**
 * Collects pending group memberships, keyed by domain, for a principal and/or a domain.
 *
 * <p>If {@code principal} is non-empty the lookup is by principal and the result is
 * narrowed to {@code domainName} unless that is empty or {@code "*"}. Otherwise, if
 * {@code domainName} is non-empty, the lookup is by domain and every entry is returned.
 * When both are empty nothing is looked up. The member list on the returned object is
 * only set when the store returned a (possibly empty) map; a {@code null} map leaves it
 * unset. Uses a read-only connection.
 *
 * @param principal  principal whose pending memberships are wanted, may be empty
 * @param domainName domain filter, may be empty or {@code "*"} for all domains
 * @return membership object, never {@code null}
 */
DomainGroupMembership getPendingDomainGroupMembers(final String principal, final String domainName) {
    final DomainGroupMembership result = new DomainGroupMembership();
    final List<DomainGroupMembers> collected = new ArrayList<>();
    final boolean noDomainGiven = StringUtil.isEmpty(domainName);
    try (ObjectStoreConnection con = store.getConnection(true, false)) {
        Map<String, List<DomainGroupMember>> pendingByDomain = null;
        // only the by-principal lookup honours the domain filter
        boolean filterByDomain = false;
        if (!StringUtil.isEmpty(principal)) {
            pendingByDomain = con.getPendingDomainGroupMembersByPrincipal(principal);
            filterByDomain = true;
        } else if (!noDomainGiven) {
            pendingByDomain = con.getPendingDomainGroupMembersByDomain(domainName);
        }
        if (pendingByDomain != null) {
            for (String domain : pendingByDomain.keySet()) {
                final boolean matches = !filterByDomain
                        || noDomainGiven
                        || "*".equals(domainName)
                        || domain.equals(domainName);
                if (matches) {
                    collected.add(getDomainGroupMembers(domain, pendingByDomain));
                }
            }
            result.setDomainGroupMembersList(collected);
        }
    }
    return result;
}
Also used : ObjectStoreConnection(com.yahoo.athenz.zms.store.ObjectStoreConnection)

Example 85 with ObjectStoreConnection

use of com.yahoo.athenz.zms.store.ObjectStoreConnection in project athenz by yahoo.

the class DBService method executePutServiceIdentity.

/**
 * Creates or replaces a service identity in a domain.
 *
 * <p>Runs in a read-write connection and is retried while {@code shouldRetryOperation}
 * accepts the failure, counting down from {@code defaultRetryCount}. Audit requirements
 * and the service identity quota are checked before the existing service (if any) is
 * loaded and {@code processServiceIdentity} applies the request; a false result from it
 * rolls the connection back and is reported as an internal server error.
 *
 * @param ctx         request context, used for the principal name and audit log
 * @param domainName  domain of the service
 * @param serviceName name of the service
 * @param service     service identity to store
 * @param auditRef    audit reference supplied by the caller
 * @param caller      calling API name, used in error messages and audit records
 * @throws ResourceException if audit or quota checks fail, the service cannot be stored,
 *                           or a store error is not retryable
 */
void executePutServiceIdentity(ResourceContext ctx, String domainName, String serviceName, ServiceIdentity service, String auditRef, String caller) {
    for (int attemptsLeft = defaultRetryCount; ; attemptsLeft--) {
        try (ObjectStoreConnection con = store.getConnection(false, true)) {
            // auditing requirements come first, then the quota
            checkDomainAuditEnabled(con, domainName, auditRef, caller, getPrincipalName(ctx), AUDIT_TYPE_SERVICE);
            quotaCheck.checkServiceIdentityQuota(con, domainName, service, caller);
            // the existing service, if any, is needed to compute the change set
            final ServiceIdentity existingService = getServiceIdentity(con, domainName, serviceName, false);
            final StringBuilder auditDetails = new StringBuilder(ZMSConsts.STRING_BLDR_SIZE_DEFAULT);
            final boolean applied = processServiceIdentity(ctx, con, existingService, domainName, serviceName, service, false, auditDetails);
            if (!applied) {
                con.rollbackChanges();
                throw ZMSUtils.internalServerError("unable to put service: " + service.getName(), caller);
            }
            // bump the domain modification time-stamp and commit
            saveChanges(con, domainName);
            auditLogRequest(ctx, domainName, auditRef, caller, ZMSConsts.HTTP_PUT, serviceName, auditDetails.toString());
            // notify listeners of the domain change
            addDomainChangeMessage(ctx, domainName, serviceName, DomainChangeMessage.ObjectType.SERVICE);
            return;
        } catch (ResourceException ex) {
            if (!shouldRetryOperation(ex, attemptsLeft)) {
                throw ex;
            }
        }
    }
}
Also used : ObjectStoreConnection(com.yahoo.athenz.zms.store.ObjectStoreConnection)

Aggregations

ObjectStoreConnection (com.yahoo.athenz.zms.store.ObjectStoreConnection)173 Test (org.testng.annotations.Test)96 ObjectStore (com.yahoo.athenz.zms.store.ObjectStore)38 AthenzDomain (com.yahoo.athenz.zms.store.AthenzDomain)34 Authority (com.yahoo.athenz.auth.Authority)23 Timestamp (com.yahoo.rdl.Timestamp)17 ArrayList (java.util.ArrayList)16 MemberDueDays (com.yahoo.athenz.zms.config.MemberDueDays)11 Principal (com.yahoo.athenz.auth.Principal)7 SimplePrincipal (com.yahoo.athenz.auth.impl.SimplePrincipal)7 EmbeddedMysql (com.wix.mysql.EmbeddedMysql)5 FilePrivateKeyStore (com.yahoo.athenz.auth.impl.FilePrivateKeyStore)5 Crypto (com.yahoo.athenz.auth.util.Crypto)5 AuditReferenceValidator (com.yahoo.athenz.common.server.audit.AuditReferenceValidator)5 NotificationManager (com.yahoo.athenz.common.server.notification.NotificationManager)5 ResourceUtils (com.yahoo.athenz.common.server.util.ResourceUtils)5 DataCache (com.yahoo.athenz.zms.DBService.DataCache)5 MockAuditReferenceValidatorImpl (com.yahoo.athenz.zms.audit.MockAuditReferenceValidatorImpl)5 JDBCConnection (com.yahoo.athenz.zms.store.impl.jdbc.JDBCConnection)5 ZMSUtils (com.yahoo.athenz.zms.utils.ZMSUtils)5