Use of com.yahoo.athenz.zts.cache.DataCache in project athenz by yahoo.
The class ZTSAuthorizer, method access().
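@Override
public boolean access(String op, String resource, Principal principal, String trustDomain) {
    // For consistent handling of all requests every incoming object name
    // (domain, role, policy, service, ...) is compared in lower case.
    // Locale.ROOT keeps that normalization independent of the JVM's default
    // locale: the no-argument toLowerCase() would, under e.g. tr_TR, map 'I'
    // to a dotless 'ı', which can never match an ASCII-lowercased name and so
    // would silently break authorization for such identifiers.
    // NOTE(review): this assumes the names held in the data cache are
    // themselves lower-cased with locale-neutral semantics - confirm against
    // the ZMS-side normalization.
    resource = resource.toLowerCase(java.util.Locale.ROOT);
    if (trustDomain != null) {
        trustDomain = trustDomain.toLowerCase(java.util.Locale.ROOT);
    }
    op = op.toLowerCase(java.util.Locale.ROOT);
    if (LOGGER.isDebugEnabled()) {
        LOGGER.debug("access:(" + op + ", " + resource + ", " + principal + ", " + trustDomain + ")");
    }
    // Principals issued by an authority that does not support authorization
    // checks are rejected outright (fail closed).
    if (!authorityAuthorizationAllowed(principal)) {
        LOGGER.error("Authority is not allowed to support authorization checks");
        return false;
    }
    // Resolve the domain from the resource and the action/trustDomain pair.
    // For better error reporting an unknown domain is reported as 404 rather
    // than 403: a plain "forbidden" suggests the caller lacks access, whereas
    // the far more common cause is a mistyped domain name. rest_core has
    // special handling for rest.ResourceExceptions, so that exception type is
    // thrown here for the not-found case.
    String domainName = retrieveResourceDomain(resource, op, trustDomain);
    if (domainName == null) {
        throw new ResourceException(ResourceException.NOT_FOUND,
                new ResourceError().code(ResourceException.NOT_FOUND).message("Domain not found"));
    }
    // The domain must also be present in the local data cache; a domain we
    // have no data for is indistinguishable from a non-existent one here.
    DataCache domain = dataStore.getDataCache(domainName);
    if (domain == null) {
        throw new ResourceException(ResourceException.NOT_FOUND,
                new ResourceError().code(ResourceException.NOT_FOUND).message("Domain not found"));
    }
    // Only an explicit ALLOWED grants access; every other status (including a
    // deny or "no matching policy") is reported as not authorized.
    AccessStatus accessStatus = evaluateAccess(domain, principal.getFullName(), op, resource, trustDomain);
    return accessStatus == AccessStatus.ALLOWED;
}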
Use of com.yahoo.athenz.zts.cache.DataCache in project athenz by yahoo.
The class DataStoreTest, method testGetAccessibleRolesNoRoles().
@Test
public void testGetAccessibleRolesNoRoles() {
    // A principal that is a member of no role in the domain must end up with
    // an empty accessible-role set.
    ChangeLogStore changeLog = new MockZMSFileChangeLogStore("/tmp/zts_server_unit_tests/zts_root", pkey, "0");
    DataStore dataStore = new DataStore(changeLog, null);
    dataStore.loadZMSPublicKeys();
    dataStore.processDomain(createSignedDomain("coretech", "weather"), true);

    DataCache domainCache = dataStore.getDataCache("coretech");
    Set<String> roles = new HashSet<>();
    dataStore.getAccessibleRoles(domainCache, "coretech", "user_domain.nonexistentuser", null, roles, false);
    assertTrue(roles.isEmpty());
}
Use of com.yahoo.athenz.zts.cache.DataCache in project athenz by yahoo.
The class DataStoreTest, method testAddDomainToCacheUpdatedPublicKeysVersions().
@Test
public void testAddDomainToCacheUpdatedPublicKeysVersions() {
    // Re-adding a domain whose service carries a different set of key
    // versions must replace the previously cached keys: updated ids resolve
    // to the new key, new ids become resolvable, unknown ids stay null.
    ChangeLogStore changeLog = new MockZMSFileChangeLogStore("/tmp/zts_server_unit_tests/zts_root", pkey, "0");
    DataStore dataStore = new DataStore(changeLog, null);

    // Initial version of the service: key "0" via the helper, key "1" via the
    // ZMS public-key list.
    ServiceIdentity initial = new ServiceIdentity();
    initial.setName("coretech.storage");
    setServicePublicKey(initial, "0", ZTS_Y64_CERT0);
    List<com.yahoo.athenz.zms.PublicKeyEntry> initialKeys = new ArrayList<com.yahoo.athenz.zms.PublicKeyEntry>();
    initialKeys.add(newZmsPublicKeyEntry("1", ZTS_Y64_CERT1));
    initial.setPublicKeys(initialKeys);
    dataStore.addDomainToCache("coretech", cacheHoldingService(initial));

    /* update multiple version public keys */
    ServiceIdentity updated = new ServiceIdentity();
    updated.setName("coretech.storage");
    List<com.yahoo.athenz.zms.PublicKeyEntry> updatedKeys = new ArrayList<com.yahoo.athenz.zms.PublicKeyEntry>();
    updatedKeys.add(newZmsPublicKeyEntry("0", ZTS_Y64_CERT0));
    updatedKeys.add(newZmsPublicKeyEntry("1", ZTS_Y64_CERT3));
    updatedKeys.add(newZmsPublicKeyEntry("2", ZTS_Y64_CERT2));
    updated.setPublicKeys(updatedKeys);
    dataStore.addDomainToCache("coretech", cacheHoldingService(updated));

    assertEquals(dataStore.getPublicKey("coretech", "storage", "0"), ZTS_PEM_CERT0);
    assertEquals(dataStore.getPublicKey("coretech", "storage", "1"), ZTS_PEM_CERT3);
    assertEquals(dataStore.getPublicKey("coretech", "storage", "2"), ZTS_PEM_CERT2);
    assertNull(dataStore.getPublicKey("coretech", "storage", "3"));
}

/** Builds a ZMS public-key entry with the given key id and y64-encoded key. */
private static com.yahoo.athenz.zms.PublicKeyEntry newZmsPublicKeyEntry(String id, String key) {
    com.yahoo.athenz.zms.PublicKeyEntry entry = new com.yahoo.athenz.zms.PublicKeyEntry();
    entry.setKey(key);
    entry.setId(id);
    return entry;
}

/** Builds a DataCache whose domain data holds exactly the given service. */
private static DataCache cacheHoldingService(ServiceIdentity service) {
    DataCache cache = new DataCache();
    cache.processServiceIdentity(service);
    List<ServiceIdentity> services = new ArrayList<>();
    services.add(service);
    DomainData domainData = new DomainData();
    domainData.setServices(services);
    cache.setDomainData(domainData);
    return cache;
}
Use of com.yahoo.athenz.zts.cache.DataCache in project athenz by yahoo.
The class DataStoreTest, method testProcessDomainServiceIdentities().
@Test
public void testProcessDomainServiceIdentities() {
    // Processing a domain's service identities must register each service
    // under every host it lists, so a host lookup returns the service name.
    ChangeLogStore changeLog = new MockZMSFileChangeLogStore("/tmp/zts_server_unit_tests/zts_root", pkey, "0");
    DataStore dataStore = new DataStore(changeLog, null);

    List<String> serviceHosts = new ArrayList<>();
    serviceHosts.add("host1");
    ServiceIdentity storage = new ServiceIdentity();
    storage.setName("coretech.storage");
    storage.setHosts(serviceHosts);

    List<ServiceIdentity> services = new ArrayList<>();
    services.add(storage);
    DomainData domainData = new DomainData();
    domainData.setName("coretech");
    domainData.setServices(services);

    DataCache domainCache = new DataCache();
    domainCache.setDomainData(domainData);
    dataStore.processDomainServiceIdentities(domainData, domainCache);
    dataStore.addDomainToCache(domainData.getName(), domainCache);

    List<String> namesOnHost = dataStore.getHostServices("host1").getNames();
    assertEquals(namesOnHost.size(), 1);
    assertTrue(namesOnHost.contains("coretech.storage"));
}
Use of com.yahoo.athenz.zts.cache.DataCache in project athenz by yahoo.
The class DataStoreTest, method testGetAccessibleRolesWildCards().
@Test
public void testGetAccessibleRolesWildCards() {
    // Role membership resolution against a domain whose members are given
    // as wildcard patterns: each principal must see exactly the roles whose
    // patterns match it.
    ChangeLogStore changeLog = new MockZMSFileChangeLogStore("/tmp/zts_server_unit_tests/zts_root", pkey, "0");
    DataStore dataStore = new DataStore(changeLog, null);
    dataStore.loadZMSPublicKeys();
    dataStore.processDomain(createSignedDomainWildCardMembers("coretech", "weather"), true);
    DataCache domainCache = dataStore.getDataCache("coretech");

    Set<String> user1Roles = accessibleRolesOf(dataStore, domainCache, "user_domain.user1");
    assertEquals(user1Roles.size(), 2);
    assertTrue(user1Roles.contains("writers"));
    assertTrue(user1Roles.contains("all"));

    Set<String> user3Roles = accessibleRolesOf(dataStore, domainCache, "user_domain.user3");
    assertEquals(user3Roles.size(), 3);
    assertTrue(user3Roles.contains("readers"));
    assertTrue(user3Roles.contains("writers"));
    assertTrue(user3Roles.contains("all"));

    Set<String> user5Roles = accessibleRolesOf(dataStore, domainCache, "user_domain.user5");
    assertEquals(user5Roles.size(), 2);
    assertTrue(user5Roles.contains("writers"));
    assertTrue(user5Roles.contains("all"));

    Set<String> serviceRoles = accessibleRolesOf(dataStore, domainCache, "athenz.service");
    assertEquals(serviceRoles.size(), 1);
    assertTrue(serviceRoles.contains("all"));

    // make sure the prefix is fully matched: "athenz.use" must not be treated
    // as matching a pattern that requires the full "athenz.user" prefix
    Set<String> partialPrefixRoles = accessibleRolesOf(dataStore, domainCache, "athenz.use");
    assertEquals(partialPrefixRoles.size(), 1);
    assertTrue(partialPrefixRoles.contains("all"));
}

/** Collects, into a fresh set, the "coretech" roles accessible to the given principal. */
private static Set<String> accessibleRolesOf(DataStore dataStore, DataCache domainCache, String principal) {
    Set<String> roles = new HashSet<>();
    dataStore.getAccessibleRoles(domainCache, "coretech", principal, null, roles, false);
    return roles;
}