use of com.yahoo.athenz.zts.cache.DataCache in project athenz by yahoo.
the class ZTSImpl method getRoleToken.
// Token interface
/**
 * Issues a signed ZTS role token for the authenticated principal in {@code ctx},
 * scoped to {@code domainName} and to the roles that principal (and, for a proxy
 * request, {@code proxyForPrincipal} as well) can assume in that domain.
 *
 * The steps below are deliberately sequenced: input validation, normalization,
 * the least-privilege and proxy-authorization policy gates, domain lookup,
 * authorized-service check, and only then role resolution and signing. Each
 * step decides which error the client receives and which metric dimension is
 * recorded, so reordering them changes observable behavior.
 *
 * Failure paths: requestError (no roleName while least-privilege mode is on),
 * forbiddenError (caller not allowed to proxy, no accessible roles, or no roles
 * shared with the proxied principal), notFoundError (unknown domain), plus
 * whatever validateRequest / validate / checkRoleTokenAuthorizedServiceRequest
 * throw on their own.
 *
 * @param ctx               request context; the principal is read from it, never from a parameter
 * @param domainName        domain the token is scoped to; lower-cased before lookup
 * @param roleName          optional comma-separated role list; null or empty means
 *                          "every role the principal can access" (rejected when
 *                          {@code leastPrivilegePrincipal} is set)
 * @param minExpiryTime     requested lower bound on token lifetime, forwarded to determineTokenTimeout
 * @param maxExpiryTime     requested upper bound on token lifetime, forwarded to determineTokenTimeout
 * @param proxyForPrincipal optional principal the token is minted for; only callers
 *                          accepted by isAuthorizedProxyUser may set it
 * @return the signed token string and its expiry time
 */
public RoleToken getRoleToken(ResourceContext ctx, String domainName, String roleName, Integer minExpiryTime, Integer maxExpiryTime, String proxyForPrincipal) {
    final String caller = "getroletoken";
    final String callerTiming = "getroletoken_timing";
    metric.increment(HTTP_GET);
    logPrincipal(ctx);
    // Validation runs on the raw input. Everything after this point (including
    // the split on ',' further down) relies on TYPE_ENTITY_LIST / TYPE_ENTITY_NAME
    // having bounded what these strings may contain.
    validateRequest(ctx.request(), caller);
    validate(domainName, TYPE_DOMAIN_NAME, caller);
    if (roleName != null && !roleName.isEmpty()) {
        validate(roleName, TYPE_ENTITY_LIST, caller);
    }
    if (proxyForPrincipal != null && !proxyForPrincipal.isEmpty()) {
        validate(proxyForPrincipal, TYPE_ENTITY_NAME, caller);
    }
    // for consistent handling of all requests, we're going to convert
    // all incoming object values into lower case since ZMS Server
    // saves all of its object names in lower case
    domainName = domainName.toLowerCase();
    if (roleName != null) {
        roleName = roleName.toLowerCase();
    }
    if (proxyForPrincipal != null) {
        // Alias resolution for the proxied user happens after validation, so the
        // alias form itself has already passed the TYPE_ENTITY_NAME check.
        proxyForPrincipal = normalizeDomainAliasUser(proxyForPrincipal.toLowerCase());
    }
    Object timerMetric = metric.startTiming(callerTiming, domainName);
    // get our principal's name
    final Principal principal = ((RsrcCtxWrapper) ctx).principal();
    String principalName = principal.getFullName();
    if (LOGGER.isDebugEnabled()) {
        LOGGER.debug("getRoleToken(domain: " + domainName + ", principal: " + principalName + ", role-name: " + roleName + ", proxy-for: " + proxyForPrincipal + ")");
    }
    // do not allow empty (not null) values for role
    roleName = convertEmptyStringToNull(roleName);
    proxyForPrincipal = convertEmptyStringToNull(proxyForPrincipal);
    // Policy gate: in least-privilege mode a caller may not ask for "all my
    // roles" -- it has to name the role(s) it actually needs.
    if (leastPrivilegePrincipal && roleName == null) {
        throw requestError("getRoleToken: Client must specify a roleName to request a token for", caller, ZTSConsts.ZTS_UNKNOWN_DOMAIN);
    }
    // Policy gate: proxy requests are honoured only for callers accepted by
    // isAuthorizedProxyUser. This runs before the domain lookup, so a caller
    // outside authorizedProxyUsers is rejected regardless of domain or roles.
    if (proxyForPrincipal != null && !isAuthorizedProxyUser(authorizedProxyUsers, principalName)) {
        LOGGER.error("getRoleToken: Principal: " + principalName + " not authorized for proxy role token request");
        throw forbiddenError("getRoleToken: Principal: " + principalName + " not authorized for proxy role token request", caller, ZTSConsts.ZTS_UNKNOWN_DOMAIN);
    }
    // NOTE(review): auditLogDetails and msgBldr are populated but nothing in this
    // method emits them; either a leftover from an earlier audit path or consumed
    // by code not visible here -- confirm before treating them as dead code.
    StringBuilder auditLogDetails = new StringBuilder(512);
    auditLogDetails.append("RoleName=").append(roleName);
    AuditLogMsgBuilder msgBldr = getAuditLogMsgBuilder(ctx, domainName, caller, HTTP_GET);
    msgBldr.when(Timestamp.fromCurrentTime().toString()).whatEntity("RoleToken").why("zts-audit");
    // first retrieve our domain data object from the cache
    DataCache data = dataStore.getDataCache(domainName);
    if (data == null) {
        // just increment the request counter without any dimension
        // we don't want to get persistent indexes for invalid domains
        metric.increment(HTTP_REQUEST, ZTSConsts.ZTS_UNKNOWN_DOMAIN);
        metric.increment(caller, ZTSConsts.ZTS_UNKNOWN_DOMAIN);
        throw notFoundError("getRoleToken: No such domain: " + domainName, caller, ZTSConsts.ZTS_UNKNOWN_DOMAIN);
    }
    // update our metric with dimension. we're moving the metric here
    // after the domain name has been confirmed as valid since with
    // dimensions we get stuck with persistent indexes so we only want
    // to create them for valid domain names
    metric.increment(HTTP_REQUEST, domainName);
    metric.increment(caller, domainName);
    // check if the authorized service domain matches to the
    // requested domain name (the exact rule lives in the callee)
    checkRoleTokenAuthorizedServiceRequest(principal, domainName, caller);
    // we need to convert our request role name into array since
    // it could contain multiple values separated by commas
    String[] requestedRoleList = null;
    if (roleName != null) {
        requestedRoleList = roleName.split(",");
    }
    // process our request and retrieve the roles for the principal.
    // The trailing false is forwarded as-is; its meaning is defined by DataStore.
    Set<String> roles = new HashSet<>();
    dataStore.getAccessibleRoles(data, domainName, principalName, requestedRoleList, roles, false);
    // A caller with no role in the domain is refused rather than given an empty token.
    if (roles.isEmpty()) {
        throw forbiddenError("getRoleToken: No access to any roles in domain: " + domainName, caller, domainName);
    }
    // if this is proxy for operation then we want to make sure that
    // both principals have access to the same set of roles so we'll
    // remove any roles that are authorized by only one of the principals.
    // Security: the token ends up minted for proxyForPrincipal but limited to the
    // intersection of both role sets, so a proxy caller can never obtain a role
    // it does not hold itself. The caller is recorded in the token as proxyUser.
    String proxyUser = null;
    if (proxyForPrincipal != null) {
        Set<String> rolesForProxy = new HashSet<>();
        dataStore.getAccessibleRoles(data, domainName, proxyForPrincipal, requestedRoleList, rolesForProxy, false);
        roles.retainAll(rolesForProxy);
        if (roles.isEmpty()) {
            throw forbiddenError("getRoleToken: No access to any roles by User and Proxy Principals", caller, domainName);
        }
        // we need to switch our principal and proxy for user
        proxyUser = principalName;
        principalName = proxyForPrincipal;
    }
    long tokenTimeout = determineTokenTimeout(minExpiryTime, maxExpiryTime);
    List<String> roleList = new ArrayList<>(roles);
    // Flag the token as carrying the domain's complete role set only when the
    // server is configured to do so and the client did not name specific roles.
    boolean domainCompleteRoleSet = (includeRoleCompleteFlag && roleName == null);
    // NOTE(review): the ip claim comes from ServletRequestUtil.getRemoteAddress;
    // if that helper honours forwarded-for style headers the value is
    // client-influenced -- verify before relying on it downstream.
    com.yahoo.athenz.auth.token.RoleToken token = new com.yahoo.athenz.auth.token.RoleToken.Builder(ZTS_ROLE_TOKEN_VERSION, domainName, roleList)
            .expirationWindow(tokenTimeout)
            .host(serverHostName)
            .keyId(privateKeyId)
            .principal(principalName)
            .ip(ServletRequestUtil.getRemoteAddress(ctx.request()))
            .proxyUser(proxyUser)
            .domainCompleteRoleSet(domainCompleteRoleSet)
            .build();
    token.sign(privateKey);
    RoleToken roleToken = new RoleToken();
    roleToken.setToken(token.getSignedToken());
    roleToken.setExpiryTime(token.getExpiryTime());
    // NOTE(review): the timer is stopped only on the success path; every throw
    // above leaves timerMetric unstopped -- confirm whether the Metric
    // implementation needs a finally block here.
    metric.stopTiming(timerMetric);
    return roleToken;
}
use of com.yahoo.athenz.zts.cache.DataCache in project athenz by yahoo.
the class InstanceProviderManager method getProvider.
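/**
 * Resolves the instance provider client for a fully qualified provider
 * service name ({@code <domain>.<service>}).
 *
 * The service must exist in the cached domain data and declare a provider
 * endpoint; the endpoint must parse as a URI and its scheme must be one
 * the server accepts (decided by getProviderEndpointScheme). HTTPS endpoints
 * yield an InstanceHttpProvider; CLASS endpoints are delegated to
 * getClassProvider with the URI host as the class reference.
 *
 * Fix vs. the previous version: the two "no endpoint" log messages were
 * inverted (a known service with no endpoint was reported as an unknown
 * service and vice versa), and a rejected scheme was silently mapped to
 * null. Both are now logged accurately so provider-lookup failures can be
 * diagnosed (and alerted on) from the log.
 *
 * @param provider fully qualified provider service name; compared exactly
 *                 against the service names in domain data, so callers are
 *                 expected to pass the normalized (lower-case) form
 * @return an initialized InstanceProvider, or null when the name is malformed,
 *         the domain or service is unknown, no endpoint is defined, the
 *         endpoint does not parse, or its scheme is not accepted
 */
public InstanceProvider getProvider(String provider) {
    // Everything before the last '.' is the domain whose data we consult.
    int idx = (provider == null) ? -1 : provider.lastIndexOf('.');
    if (idx == -1) {
        LOGGER.error("getProviderClient: Invalid provider service name: {}", provider);
        return null;
    }
    final String domainName = provider.substring(0, idx);
    DataCache dataCache = dataStore.getDataCache(domainName);
    if (dataCache == null) {
        LOGGER.error("getProviderClient: Unknown domain: {}", domainName);
        return null;
    }
    List<com.yahoo.athenz.zms.ServiceIdentity> services = dataCache.getDomainData().getServices();
    if (services == null) {
        LOGGER.error("getProviderClient: Unknown provider service: {}", provider);
        return null;
    }
    // Locate the service first; whether it exists and whether it has an
    // endpoint are two different failures and are logged as such.
    com.yahoo.athenz.zms.ServiceIdentity providerService = null;
    for (com.yahoo.athenz.zms.ServiceIdentity service : services) {
        if (provider.equals(service.getName())) {
            providerService = service;
            break;
        }
    }
    if (providerService == null) {
        LOGGER.error("getProviderClient: Unknown provider service name: {}", provider);
        return null;
    }
    final String providerEndpoint = providerService.getProviderEndpoint();
    if (providerEndpoint == null || providerEndpoint.isEmpty()) {
        LOGGER.error("getProviderClient: Provider service {} does not have endpoint defined", provider);
        return null;
    }
    // before using our endpoint we need to make sure
    // it's valid according to configuration settings
    URI uri;
    try {
        uri = new URI(providerEndpoint);
    } catch (URISyntaxException ex) {
        LOGGER.error("getProviderClient: Unable to parse {}: {}", providerEndpoint, ex.getMessage());
        return null;
    }
    ProviderScheme schemeType = getProviderEndpointScheme(uri);
    if (schemeType == null) {
        LOGGER.error("getProviderClient: Unsupported endpoint scheme for provider {}: {}", provider, providerEndpoint);
        return null;
    }
    switch (schemeType) {
        case HTTPS: {
            InstanceProvider httpProvider = new InstanceHttpProvider();
            httpProvider.initialize(provider, providerEndpoint, keyStore);
            return httpProvider;
        }
        case CLASS:
            // The class reference is taken from the URI host part.
            return getClassProvider(uri.getHost(), provider);
        default:
            // Scheme is known to the enum but not accepted for providers.
            LOGGER.error("getProviderClient: Unsupported endpoint scheme for provider {}: {}", provider, providerEndpoint);
            return null;
    }
}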
use of com.yahoo.athenz.zts.cache.DataCache in project athenz by yahoo.
the class DataStoreTest method testProcessTrustedDomainRoleValid.
@Test
public void testProcessTrustedDomainRoleValid() {
    // processTrustedDomain must return only the requested role, as its short name.
    ChangeLogStore changeLog = new MockZMSFileChangeLogStore("/tmp/zts_server_unit_tests/zts_root", pkey, "0");
    DataStore dataStore = new DataStore(changeLog, null);
    DataCache coretechCache = createDataCache("coretech");

    final String identity = "user_domain.user1";
    final String rolePrefix = "coretech" + ROLE_POSTFIX;
    final String[] requestedRoles = { "coretech:role.admin" };

    // The trusted domain grants both admin and readers; only admin is requested.
    Set<String> trustedResources = new HashSet<>();
    trustedResources.add("coretech:role.readers");
    trustedResources.add("coretech:role.admin");

    Set<String> accessibleRoles = new HashSet<>();
    dataStore.processTrustedDomain(coretechCache, identity, rolePrefix, requestedRoles, trustedResources, accessibleRoles, false);

    assertEquals(accessibleRoles.size(), 1);
    assertTrue(accessibleRoles.contains("admin"));
}
use of com.yahoo.athenz.zts.cache.DataCache in project athenz by yahoo.
the class DataStoreTest method testProcessDomainPolicies.
@Test
public void testProcessDomainPolicies() {
    // NOTE(review): despite the name, this test only drives processDomainRoles and
    // checks the member-role index; the signed policy fixture below is attached to
    // the domain data but never exercised by an assertion.
    ChangeLogStore changeLog = new MockZMSFileChangeLogStore("/tmp/zts_server_unit_tests/zts_root", pkey, "0");
    DataStore dataStore = new DataStore(changeLog, null);

    // One assume_role assertion: coretech readers may assume sports readers.
    com.yahoo.athenz.zms.Assertion assumeRole = new com.yahoo.athenz.zms.Assertion();
    assumeRole.setResource("sports:role.readers");
    assumeRole.setAction("assume_role");
    assumeRole.setRole("coretech:role.readers");
    List<com.yahoo.athenz.zms.Assertion> assertions = new ArrayList<>();
    assertions.add(assumeRole);
    com.yahoo.athenz.zms.Policy policy = new com.yahoo.athenz.zms.Policy();
    policy.setAssertions(assertions);
    List<com.yahoo.athenz.zms.Policy> policies = new ArrayList<>();
    policies.add(policy);

    // Two roles, each with the same single member.
    List<Role> roles = new ArrayList<>();
    for (String roleName : new String[] { "coretech:role.admin", "coretech:role.readers" }) {
        List<RoleMember> members = new ArrayList<>();
        members.add(new RoleMember().setMemberName("user_domain.user"));
        Role role = new Role();
        role.setName(roleName);
        role.setRoleMembers(members);
        roles.add(role);
    }

    com.yahoo.athenz.zms.DomainPolicies domainPolicies = new com.yahoo.athenz.zms.DomainPolicies();
    domainPolicies.setDomain("coretech");
    domainPolicies.setPolicies(policies);
    com.yahoo.athenz.zms.SignedPolicies signedPolicies = new com.yahoo.athenz.zms.SignedPolicies();
    signedPolicies.setContents(domainPolicies);
    signedPolicies.setSignature(Crypto.sign(SignUtils.asCanonicalString(domainPolicies), pkey));
    signedPolicies.setKeyId("0");

    DomainData domainData = new DomainData();
    domainData.setName("coretech");
    domainData.setPolicies(signedPolicies);
    domainData.setRoles(roles);
    DataCache dataCache = new DataCache();
    dataCache.setDomainData(domainData);

    dataStore.processDomainRoles(domainData, dataCache);

    // The member should now be indexed under both roles, with no expiry (0).
    Set<MemberRole> memberRoles = dataCache.getMemberRoleSet("user_domain.user");
    assertEquals(memberRoles.size(), 2);
    assertTrue(memberRoles.contains(new MemberRole("coretech:role.admin", 0)));
    assertTrue(memberRoles.contains(new MemberRole("coretech:role.readers", 0)));
}
use of com.yahoo.athenz.zts.cache.DataCache in project athenz by yahoo.
the class DataStoreTest method testDeleteDomainFromCacheHosts.
@Test
public void testDeleteDomainFromCacheHosts() {
    // Deleting a domain must also drop its services from the host index.
    ChangeLogStore changeLog = new MockZMSFileChangeLogStore("/tmp/zts_server_unit_tests/zts_root", pkey, "0");
    DataStore dataStore = new DataStore(changeLog, null);

    // A single service bound to host1.
    ServiceIdentity storage = new ServiceIdentity();
    storage.setName("coretech.storage");
    List<String> serviceHosts = new ArrayList<>();
    serviceHosts.add("host1");
    storage.setHosts(serviceHosts);

    DataCache cache = new DataCache();
    // presumably indexes the service's hosts inside the cache -- see DataCache
    cache.processServiceIdentity(storage);
    List<ServiceIdentity> services = new ArrayList<>();
    services.add(storage);
    DomainData domainData = new DomainData();
    domainData.setServices(services);
    cache.setDomainData(domainData);

    dataStore.addDomainToCache("coretech", cache);
    dataStore.deleteDomainFromCache("coretech");

    HostServices hostServices = dataStore.getHostServices("host1");
    List<String> namesAfterDelete = hostServices.getNames();
    assertEquals(namesAfterDelete.size(), 0);
}