
Example 86 with ObjectStoreConnection

use of com.yahoo.athenz.zms.store.ObjectStoreConnection in project athenz by yahoo.

the class DBService method enforceRoleUserAuthorityRestrictions.

/**
 * Applies the user-authority expiration and filter restrictions to every member of a role.
 *
 * The role is loaded over a read/write connection. When it carries a user-authority
 * expiration, every member is passed through {@code updateUserAuthorityExpiry} and the
 * members for which that helper returns true are handed to {@code insertRoleMembers}.
 * The role's own user-authority filter is then merged with {@code domainUserAuthorityFilter}
 * via {@code ZMSUtils.combineUserAuthorityFilters} and, when the merge is non-null, applied
 * the same way through {@code updateUserAuthorityFilter} / {@code updateRoleMemberDisabledState}.
 * Both writes are attributed to {@code ZMSConsts.SYS_AUTH_MONITOR} with the {@code AUDIT_REF}
 * audit reference. If either write reports a change, the role and domain modification
 * time-stamps are bumped and the domain's cache entry is invalidated.
 *
 * NOTE(review): the connection is opened with {@code getConnection(true, true)}, whereas the
 * put-roles methods pass {@code false} and call {@code saveChanges}/{@code rollbackChanges}.
 * If the first flag is auto-commit, the member updates and the time-stamp updates here are
 * separate commits, so a failure part-way leaves a partially applied result — confirm that
 * is intended.
 *
 * @param domainName name of the domain owning the role
 * @param roleName name of the role whose members are checked
 * @param domainUserAuthorityFilter domain-level user-authority filter merged with the role's own filter
 */
void enforceRoleUserAuthorityRestrictions(final String domainName, final String roleName, final String domainUserAuthorityFilter) {
    final String caller = "enforceRoleUserAuthorityRestrictions";
    try (ObjectStoreConnection con = store.getConnection(true, true)) {
        final Role storedRole = getRole(con, domainName, roleName, false, false, false);
        if (storedRole == null) {
            return;
        }
        final List<RoleMember> members = storedRole.getRoleMembers();
        if (members == null) {
            return;
        }
        // expiration restriction: collect the members the helper flags as changed, then persist them
        boolean expiryWritten = false;
        final String authorityExpiry = storedRole.getUserAuthorityExpiration();
        if (authorityExpiry != null) {
            final List<RoleMember> changedByExpiry = new ArrayList<>();
            members.forEach(member -> {
                if (updateUserAuthorityExpiry(member, authorityExpiry)) {
                    changedByExpiry.add(member);
                }
            });
            expiryWritten = insertRoleMembers(null, con, changedByExpiry, domainName, roleName, ZMSConsts.SYS_AUTH_MONITOR, AUDIT_REF, caller);
        }
        // filter restriction: the role's filter is merged with the domain's before it is applied
        boolean filterWritten = false;
        final String authorityFilter = ZMSUtils.combineUserAuthorityFilters(storedRole.getUserAuthorityFilter(), domainUserAuthorityFilter);
        if (authorityFilter != null) {
            final List<RoleMember> changedByFilter = new ArrayList<>();
            members.forEach(member -> {
                if (updateUserAuthorityFilter(member, authorityFilter)) {
                    changedByFilter.add(member);
                }
            });
            filterWritten = updateRoleMemberDisabledState(null, con, changedByFilter, domainName, roleName, ZMSConsts.SYS_AUTH_MONITOR, AUDIT_REF, caller);
        }
        if (!expiryWritten && !filterWritten) {
            return;
        }
        // something was written: bump the role and domain time-stamps and drop the cached domain
        con.updateRoleModTimestamp(domainName, roleName);
        con.updateDomainModTimestamp(domainName);
        cacheStore.invalidate(domainName);
    }
}

Example 87 with ObjectStoreConnection

use of com.yahoo.athenz.zms.store.ObjectStoreConnection in project athenz by yahoo.

the class DBService method enforceGroupUserAuthorityRestrictions.

/**
 * Applies the user-authority expiration and filter restrictions to every member of a group.
 *
 * Mirrors the role variant: the group is loaded over a read/write connection; when it
 * carries a user-authority expiration, every member is passed through
 * {@code updateUserAuthorityExpiry} and those for which it returns true are handed to
 * {@code insertGroupMembers}; the group's user-authority filter is then merged with
 * {@code domainUserAuthorityFilter} and, when the merge is non-null, applied the same way
 * through {@code updateUserAuthorityFilter} / {@code updateGroupMemberDisabledState}.
 * Both writes are attributed to {@code ZMSConsts.SYS_AUTH_MONITOR} with the {@code AUDIT_REF}
 * audit reference. When either write reports a change, the group and domain modification
 * time-stamps are bumped and the domain's cache entry is invalidated.
 *
 * NOTE(review): {@code getConnection(true, true)} is used here, whereas the put-roles methods
 * pass {@code false} and call {@code saveChanges}/{@code rollbackChanges}; if the first flag
 * is auto-commit, the member updates and the time-stamp updates are separate commits —
 * confirm that partial application on a mid-way failure is acceptable.
 *
 * @param domainName name of the domain owning the group
 * @param groupName name of the group whose members are checked
 * @param domainUserAuthorityFilter domain-level user-authority filter merged with the group's own filter
 */
void enforceGroupUserAuthorityRestrictions(final String domainName, final String groupName, final String domainUserAuthorityFilter) {
    final String caller = "enforceGroupUserAuthorityRestrictions";
    try (ObjectStoreConnection con = store.getConnection(true, true)) {
        final Group storedGroup = getGroup(con, domainName, groupName, false, false);
        final List<GroupMember> members = storedGroup == null ? null : storedGroup.getGroupMembers();
        if (members == null) {
            return;
        }
        boolean anyWritten = false;
        // 1) expiration restriction
        final String authorityExpiry = storedGroup.getUserAuthorityExpiration();
        if (authorityExpiry != null) {
            final List<GroupMember> expiryChanges = new ArrayList<>(members.size());
            for (GroupMember member : members) {
                if (!updateUserAuthorityExpiry(member, authorityExpiry)) {
                    continue;
                }
                expiryChanges.add(member);
            }
            anyWritten = insertGroupMembers(null, con, expiryChanges, domainName, groupName, ZMSConsts.SYS_AUTH_MONITOR, AUDIT_REF, caller);
        }
        // 2) filter restriction, using the group filter merged with the domain filter
        final String authorityFilter = ZMSUtils.combineUserAuthorityFilters(storedGroup.getUserAuthorityFilter(), domainUserAuthorityFilter);
        if (authorityFilter != null) {
            final List<GroupMember> filterChanges = new ArrayList<>(members.size());
            for (GroupMember member : members) {
                if (!updateUserAuthorityFilter(member, authorityFilter)) {
                    continue;
                }
                filterChanges.add(member);
            }
            // non-short-circuit so the disabled-state update always runs, as in the original flow
            anyWritten |= updateGroupMemberDisabledState(null, con, filterChanges, domainName, groupName, ZMSConsts.SYS_AUTH_MONITOR, AUDIT_REF, caller);
        }
        if (anyWritten) {
            // bump the group and domain time-stamps and drop the cached domain
            con.updateGroupModTimestamp(domainName, groupName);
            con.updateDomainModTimestamp(domainName);
            cacheStore.invalidate(domainName);
        }
    }
}

Example 88 with ObjectStoreConnection

use of com.yahoo.athenz.zms.store.ObjectStoreConnection in project athenz by yahoo.

the class DBService method getMembership.

/**
 * Looks up a principal's membership in a role and clears {@code isMember} when the stored
 * expiration is already in the past.
 *
 * The record comes straight from the store ({@code con.getRoleMember}) over a read-only
 * connection; the only local adjustment is the expiry check against
 * {@code System.currentTimeMillis()}, so an expired-but-not-yet-purged membership is
 * reported as not a member. {@code getExpiration()} is dereferenced unconditionally, so a
 * null result from the store would throw here.
 *
 * @param domainName name of the domain owning the role
 * @param roleName name of the role
 * @param principal principal whose membership is queried
 * @return the stored membership, with {@code isMember} set to false when it has expired
 */
Membership getMembership(String domainName, String roleName, String principal) {
    try (ObjectStoreConnection con = store.getConnection(true, false)) {
        final Membership result = con.getRoleMember(domainName, roleName, principal);
        final Timestamp expiresAt = result.getExpiration();
        if (expiresAt == null) {
            return result;
        }
        final long now = System.currentTimeMillis();
        if (expiresAt.millis() < now) {
            result.setIsMember(false);
        }
        return result;
    }
}

Example 89 with ObjectStoreConnection

use of com.yahoo.athenz.zms.store.ObjectStoreConnection in project athenz by yahoo.

the class DBService method executePutProviderRoles.

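/**
 * Provisions, in the tenant domain, one ASSUME_ROLE role/policy pair per provider role so
 * the tenant can access the provider's resource-group roles.
 *
 * Runs inside a retry loop: each attempt opens a non-auto-commit read/write connection,
 * verifies the tenant domain's audit requirements, resolves the calling principal from
 * {@code ctx} (when present it becomes the member passed to each role), adds one assume-role
 * policy per entry of {@code roles} via {@code addAssumeRolePolicy}, then updates the domain
 * time-stamp and saves changes via {@code saveChanges} and writes an audit record. A
 * {@code ResourceException} is re-thrown unless {@code shouldRetryOperation} accepts it for
 * the remaining retry budget.
 *
 * Role names are lower-cased with {@code Locale.ROOT} so the stored identifier does not depend
 * on the JVM's default locale (a bare {@code toLowerCase()} maps {@code I} differently under
 * e.g. the Turkish locale).
 *
 * NOTE(review): if {@code shouldRetryOperation} kept returning true until {@code retryCount}
 * reaches zero, the loop would exit without throwing or saving; presumably it declines to
 * retry on the last attempt — verify against its implementation.
 *
 * @param ctx request context; the calling principal is taken from it
 * @param tenantDomain domain that receives the assume-role roles/policies and the audit entry
 * @param provSvcDomain provider service's domain
 * @param provSvcName provider service name
 * @param resourceGroup provider resource group the roles belong to
 * @param roles provider role names; stored lower-cased
 * @param auditRef audit reference supplied by the caller
 * @param caller name of the API operation, used in log and audit entries
 * @throws ResourceException when an attempt fails and the operation is not retried
 */
void executePutProviderRoles(ResourceContext ctx, String tenantDomain, String provSvcDomain, String provSvcName, String resourceGroup, List<String> roles, String auditRef, String caller) {
    int retryCount = defaultRetryCount;
    do {
        try (ObjectStoreConnection con = store.getConnection(false, true)) {
            // first verify that auditing requirements are met
            checkDomainAuditEnabled(con, tenantDomain, auditRef, caller);
            // we're going to create a separate role for each one of tenant roles returned
            // based on its action and set the caller as a member in each role
            String principalName = getPrincipalName(ctx);
            List<RoleMember> roleMembers = new ArrayList<>();
            if (principalName != null) {
                RoleMember roleMember = new RoleMember();
                roleMember.setMemberName(principalName);
                roleMembers.add(roleMember);
            }
            // now set up the roles and policies for all the provider roles returned.
            String rolePrefix = ZMSUtils.getProviderResourceGroupRolePrefix(provSvcDomain, provSvcName, resourceGroup);
            String trustedRolePrefix = ZMSUtils.getTrustedResourceGroupRolePrefix(provSvcDomain, provSvcName, tenantDomain, resourceGroup);
            StringBuilder auditDetails = new StringBuilder(ZMSConsts.STRING_BLDR_SIZE_DEFAULT);
            auditDetails.append("{\"put-provider-roles\": [");
            boolean firstEntry = true;
            for (String providerRole : roles) {
                // locale-independent lower-casing: the name becomes part of a stored role/policy identifier
                final String role = providerRole.toLowerCase(java.util.Locale.ROOT);
                if (LOG.isInfoEnabled()) {
                    LOG.info("executePutProviderRoles: provision ASSUME_ROLE policy for access remote role in " + provSvcDomain + "." + provSvcName + ": " + resourceGroup + "." + role);
                }
                firstEntry = auditLogSeparator(auditDetails, firstEntry);
                addAssumeRolePolicy(con, rolePrefix, trustedRolePrefix, role, roleMembers, tenantDomain, principalName, auditRef, auditDetails, caller);
            }
            auditDetails.append("]}");
            // update our domain time-stamp and save changes
            saveChanges(con, tenantDomain);
            // audit log the request
            auditLogRequest(ctx, tenantDomain, auditRef, caller, ZMSConsts.HTTP_PUT, provSvcDomain, auditDetails.toString());
            return;
        } catch (ResourceException ex) {
            // only retryable failures (as judged by shouldRetryOperation) go round the loop again
            if (!shouldRetryOperation(ex, retryCount)) {
                throw ex;
            }
        }
        retryCount -= 1;
    } while (retryCount > 0);
}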

Example 90 with ObjectStoreConnection

use of com.yahoo.athenz.zms.store.ObjectStoreConnection in project athenz by yahoo.

the class DBService method executePutTenantRoles.

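/**
 * Creates, in the provider service's domain, one trusted role plus one trust policy for every
 * tenant role/action pair, with the role's trust pointing back at the tenant domain.
 *
 * Each attempt of the retry loop opens a non-auto-commit read/write connection, checks the
 * provider domain's audit requirements and, for each {@code TenantRoleAction}, builds a role
 * named {@code trustedRolePrefix + tenantRole} with {@code trust} set to the tenant domain and
 * upserts it through {@code processRole}, then builds a policy with one assertion
 * ({@code <provSvcDomain>:service.<tenant resource-group role prefix>*} with the tenant action)
 * and upserts it through {@code processPolicy}. A false result from either helper rolls the
 * connection back and raises an internal-server-error {@code ResourceException}. On success the
 * domain time-stamp is updated, changes are saved and the accumulated audit JSON is logged.
 * A {@code ResourceException} is re-thrown unless {@code shouldRetryOperation} accepts it for
 * the remaining retry budget.
 *
 * Fix: the audit detail string was opened with {@code {"put-tenant-roles": [} but never closed,
 * so the logged audit record was malformed JSON; it is now terminated with {@code ]}} exactly as
 * {@code executePutProviderRoles} does.
 *
 * NOTE(review): the short role name is derived by stripping {@code provSvcDomain + ":role."}
 * from the front of the trusted role name, which presumes that is exactly the prefix
 * {@code getTrustedResourceGroupRolePrefix} produces — confirm against ZMSUtils.
 *
 * @param ctx request context; the calling principal is taken from it for {@code processRole}
 * @param provSvcDomain provider service's domain, where the roles and policies are written
 * @param provSvcName provider service name
 * @param tenantDomain tenant domain the trusted roles delegate to
 * @param resourceGroup tenant resource group
 * @param roles tenant role/action pairs to provision
 * @param auditRef audit reference supplied by the caller
 * @param caller name of the API operation, used in log, error and audit entries
 * @throws ResourceException when a role or policy cannot be stored, or an attempt fails and is not retried
 */
void executePutTenantRoles(ResourceContext ctx, String provSvcDomain, String provSvcName, String tenantDomain, String resourceGroup, List<TenantRoleAction> roles, String auditRef, String caller) {
    int retryCount = defaultRetryCount;
    do {
        try (ObjectStoreConnection con = store.getConnection(false, true)) {
            // first verify that auditing requirements are met
            checkDomainAuditEnabled(con, provSvcDomain, auditRef, caller);
            String trustedRolePrefix = ZMSUtils.getTrustedResourceGroupRolePrefix(provSvcDomain, provSvcName, tenantDomain, resourceGroup);
            // the short role name is the trusted role name with "<provSvcDomain>:role." stripped
            final int shortNameStart = (provSvcDomain + ":role.").length();
            StringBuilder auditDetails = new StringBuilder(ZMSConsts.STRING_BLDR_SIZE_DEFAULT);
            auditDetails.append("{\"put-tenant-roles\": [");
            boolean firstEntry = true;
            for (TenantRoleAction ra : roles) {
                String tenantRole = ra.getRole();
                String tenantAction = ra.getAction();
                String trustedRole = trustedRolePrefix + tenantRole;
                String trustedName = trustedRole.substring(shortNameStart);
                Role role = new Role().setName(trustedRole).setTrust(tenantDomain);
                if (LOG.isInfoEnabled()) {
                    LOG.info(caller + ": add trusted Role to domain " + provSvcDomain + ": " + trustedRole + " -> " + role);
                }
                // retrieve our original role in case one exists
                Role originalRole = getRole(con, provSvcDomain, trustedName, false, false);
                // now process the request
                firstEntry = auditLogSeparator(auditDetails, firstEntry);
                auditDetails.append("{\"role\": ");
                if (!processRole(con, originalRole, provSvcDomain, trustedName, role, getPrincipalName(ctx), auditRef, false, auditDetails)) {
                    // nothing from this attempt may be committed once a role write fails
                    con.rollbackChanges();
                    throw ZMSUtils.internalServerError("unable to put role: " + trustedRole, caller);
                }
                String policyResourceName = ZMSUtils.policyResourceName(provSvcDomain, trustedName);
                String resourceName = provSvcDomain + ":service." + ZMSUtils.getTenantResourceGroupRolePrefix(provSvcName, tenantDomain, resourceGroup) + '*';
                List<Assertion> assertions = Arrays.asList(new Assertion().setRole(trustedRole).setResource(resourceName).setAction(tenantAction));
                Policy policy = new Policy().setName(policyResourceName).setAssertions(assertions);
                if (LOG.isInfoEnabled()) {
                    LOG.info(caller + ": add trust policy to domain " + provSvcDomain + ": " + trustedRole + " -> " + policy);
                }
                // retrieve our original policy
                Policy originalPolicy = getPolicy(con, provSvcDomain, trustedName);
                // now process the request
                auditDetails.append(", \"policy\": ");
                if (!processPolicy(con, originalPolicy, provSvcDomain, trustedName, policy, false, auditDetails)) {
                    con.rollbackChanges();
                    throw ZMSUtils.internalServerError("unable to put policy: " + policy.getName(), caller);
                }
                auditDetails.append('}');
            }
            // close the JSON array and object so the audit record is well-formed (as in executePutProviderRoles)
            auditDetails.append("]}");
            // update our domain time-stamp and save changes
            saveChanges(con, provSvcDomain);
            // audit log the request
            auditLogRequest(ctx, provSvcDomain, auditRef, caller, ZMSConsts.HTTP_PUT, tenantDomain, auditDetails.toString());
            return;
        } catch (ResourceException ex) {
            // only retryable failures (as judged by shouldRetryOperation) go round the loop again
            if (!shouldRetryOperation(ex, retryCount)) {
                throw ex;
            }
        }
        retryCount -= 1;
    } while (retryCount > 0);
}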
