Search in sources :

Example 41 with DataCache

use of com.yahoo.athenz.zts.cache.DataCache in project athenz by yahoo.

the class ZTSImplTest method testResourceAccess.

@Test
public void testResourceAccess() {
    final String domainName = "coretechaccess";
    DataCache domain = new DataCache();
    DomainData domainData = new DomainData();
    domainData.setName(domainName);
    domain.setDomainData(domainData);
    domainData.setRoles(new ArrayList<Role>());
    Role role1 = createRoleObject(domainName, "role1", null, "user.user1", "user.user3");
    Role role2 = createRoleObject(domainName, "role2", null, "user.user2", null);
    domainData.getRoles().add(role1);
    domainData.getRoles().add(role2);
    Policy policy = createPolicyObject(domainName, "access", domainName + ":role.role1", false, "update", domainName + ":table1", AssertionEffect.ALLOW);
    domainData.setPolicies(new com.yahoo.athenz.zms.SignedPolicies());
    domainData.getPolicies().setContents(new com.yahoo.athenz.zms.DomainPolicies());
    domainData.getPolicies().getContents().setPolicies(new ArrayList<Policy>());
    domainData.getPolicies().getContents().getPolicies().add(policy);
    store.getCacheStore().put(domainName, domain);
    Authority principalAuthority = new com.yahoo.athenz.common.server.debug.DebugPrincipalAuthority();
    Principal principal = SimplePrincipal.create("user", "user1", "v=U1;d=user;n=user1;s=signature", 0, principalAuthority);
    ResourceContext ctx = createResourceContext(principal, null);
    // process
    ResourceAccess access = zts.getResourceAccess(ctx, "update", domainName + ":table1", null, null);
    assertTrue(access.getGranted());
    access = zts.getResourceAccessExt(ctx, "update", domainName + ":table1", null, null);
    assertTrue(access.getGranted());
    access = zts.getResourceAccess(ctx, "update", domainName + ":table2", null, null);
    assertFalse(access.getGranted());
    access = zts.getResourceAccessExt(ctx, "update", domainName + ":table2", null, null);
    assertFalse(access.getGranted());
    access = zts.getResourceAccess(ctx, "delete", domainName + ":table1", null, null);
    assertFalse(access.getGranted());
    access = zts.getResourceAccessExt(ctx, "delete", domainName + ":table1", null, null);
    assertFalse(access.getGranted());
    access = zts.getResourceAccess(ctx, "update", domainName + ":table1", null, "user.user2");
    assertFalse(access.getGranted());
    access = zts.getResourceAccess(ctx, "update", domainName + ":table1", null, "user.user3");
    assertTrue(access.getGranted());
    access = zts.getResourceAccess(ctx, "update", domainName + ":table2", null, "user.user3");
    assertFalse(access.getGranted());
    store.getCacheStore().invalidate(domainName);
}
Also used : Policy(com.yahoo.athenz.zms.Policy) UserAuthority(com.yahoo.athenz.auth.impl.UserAuthority) Authority(com.yahoo.athenz.auth.Authority) CertificateAuthority(com.yahoo.athenz.auth.impl.CertificateAuthority) PrincipalAuthority(com.yahoo.athenz.auth.impl.PrincipalAuthority) DomainData(com.yahoo.athenz.zms.DomainData) DataCache(com.yahoo.athenz.zts.cache.DataCache) Role(com.yahoo.athenz.zms.Role) SimplePrincipal(com.yahoo.athenz.auth.impl.SimplePrincipal) Principal(com.yahoo.athenz.auth.Principal) Test(org.testng.annotations.Test)

Example 42 with DataCache

use of com.yahoo.athenz.zts.cache.DataCache in project athenz by yahoo.

the class ZTSImplTest method testAccessDelegatedTrust.

@Test
public void testAccessDelegatedTrust() {
    DataCache domain = new DataCache();
    DomainData domainData = new DomainData();
    domainData.setName("coretechtrust");
    domain.setDomainData(domainData);
    domainData.setRoles(new ArrayList<Role>());
    Role role1 = createRoleObject("coretechtrust", "role1", null, "user_domain.user1", null);
    Role role2 = createRoleObject("coretechtrust", "role2", null, "user_domain.user2", null);
    domainData.getRoles().add(role1);
    domainData.getRoles().add(role2);
    Policy policy = createPolicyObject("coretechtrust", "trust", "coretechtrust:role.role1", false, "ASSUME_ROLE", "weather:role.role1", AssertionEffect.ALLOW);
    domainData.setPolicies(new com.yahoo.athenz.zms.SignedPolicies());
    domainData.getPolicies().setContents(new com.yahoo.athenz.zms.DomainPolicies());
    domainData.getPolicies().getContents().setPolicies(new ArrayList<Policy>());
    domainData.getPolicies().getContents().getPolicies().add(policy);
    store.getCacheStore().put("coretechtrust", domain);
    domain = new DataCache();
    domainData = new DomainData();
    domainData.setName("weather");
    domain.setDomainData(domainData);
    domainData.setRoles(new ArrayList<Role>());
    role1 = createRoleObject("weather", "role1", "coretechtrust");
    domainData.getRoles().add(role1);
    policy = createPolicyObject("weather", "access", "weather:role.role1", false, "update", "weather:table1", AssertionEffect.ALLOW);
    domainData.setPolicies(new com.yahoo.athenz.zms.SignedPolicies());
    domainData.getPolicies().setContents(new com.yahoo.athenz.zms.DomainPolicies());
    domainData.getPolicies().getContents().setPolicies(new ArrayList<Policy>());
    domainData.getPolicies().getContents().getPolicies().add(policy);
    store.getCacheStore().put("weather", domain);
    Principal principal1 = SimplePrincipal.create("user_domain", "user1", "v=U1;d=user_domain;n=user1;s=signature", 0, null);
    assertTrue(authorizer.access("update", "weather:table1", principal1, null));
    assertTrue(authorizer.access("update", "weather:table1", principal1, "coretechtrust"));
    assertFalse(authorizer.access("update", "weather:table1", principal1, "unknowntrust"));
    assertFalse(authorizer.access("update", "weather:table2", principal1, null));
    assertFalse(authorizer.access("delete", "weather:table1", principal1, null));
    Principal principal2 = SimplePrincipal.create("user_domain", "user2", "v=U1;d=user_domain;n=user2;s=signature", 0, null);
    assertFalse(authorizer.access("update", "weather:table1", principal2, null));
    Principal principal3 = SimplePrincipal.create("user_domain", "user3", "v=U1;d=user_domain;n=user3;s=signature", 0, null);
    assertFalse(authorizer.access("update", "weather:table1", principal3, null));
    store.getCacheStore().invalidate("coretechtrust");
    store.getCacheStore().invalidate("weather");
}
Also used : Role(com.yahoo.athenz.zms.Role) Policy(com.yahoo.athenz.zms.Policy) DomainData(com.yahoo.athenz.zms.DomainData) DataCache(com.yahoo.athenz.zts.cache.DataCache) SimplePrincipal(com.yahoo.athenz.auth.impl.SimplePrincipal) Principal(com.yahoo.athenz.auth.Principal) Test(org.testng.annotations.Test)

Example 43 with DataCache

use of com.yahoo.athenz.zts.cache.DataCache in project athenz by yahoo.

the class ZTSImplTest method testEvaluateAccessAssertionAllow.

@Test
public void testEvaluateAccessAssertionAllow() {
    DataCache domain = new DataCache();
    DomainData domainData = new DomainData();
    domainData.setName("coretech");
    domain.setDomainData(domainData);
    domainData.setRoles(new ArrayList<Role>());
    Role role = createRoleObject("coretech", "role1", null, "user_domain.user1", null);
    domainData.getRoles().add(role);
    Policy policy = new Policy().setName("coretech:policy.policy1");
    Assertion assertion1 = new Assertion();
    assertion1.setAction("read");
    assertion1.setEffect(AssertionEffect.ALLOW);
    assertion1.setResource("coretech:*");
    assertion1.setRole("coretech:role.role1");
    Assertion assertion2 = new Assertion();
    assertion2.setAction("read");
    assertion2.setEffect(AssertionEffect.ALLOW);
    assertion2.setResource("coretech:resource1");
    assertion2.setRole("coretech:role.role1");
    policy.setAssertions(new ArrayList<Assertion>());
    policy.getAssertions().add(assertion1);
    policy.getAssertions().add(assertion2);
    domainData.setPolicies(new com.yahoo.athenz.zms.SignedPolicies());
    domainData.getPolicies().setContents(new com.yahoo.athenz.zms.DomainPolicies());
    domainData.getPolicies().getContents().setPolicies(new ArrayList<Policy>());
    domainData.getPolicies().getContents().getPolicies().add(policy);
    assertEquals(authorizer.evaluateAccess(domain, "user_domain.user1", "read", "coretech:resource1", null), AccessStatus.ALLOWED);
}
Also used : Role(com.yahoo.athenz.zms.Role) Policy(com.yahoo.athenz.zms.Policy) DomainData(com.yahoo.athenz.zms.DomainData) Assertion(com.yahoo.athenz.zms.Assertion) DataCache(com.yahoo.athenz.zts.cache.DataCache) Test(org.testng.annotations.Test)

Example 44 with DataCache

use of com.yahoo.athenz.zts.cache.DataCache in project athenz by yahoo.

the class ZTSImplTest method testMatchPrincipalInRoleDelegatedTrustMatch.

@Test
public void testMatchPrincipalInRoleDelegatedTrustMatch() {
    DataCache domain = new DataCache();
    DomainData domainData = new DomainData();
    domainData.setName("coretechtrust");
    domain.setDomainData(domainData);
    domainData.setRoles(new ArrayList<Role>());
    Role role1 = createRoleObject("coretechtrust", "role1", null, "user_domain.user1", null);
    Role role2 = createRoleObject("coretechtrust", "role2", null, "user_domain.user2", null);
    domainData.getRoles().add(role1);
    domainData.getRoles().add(role2);
    Policy policy = createPolicyObject("coretechtrust", "trust", "coretechtrust:role.role1", false, "ASSUME_ROLE", "weather:role.role1", AssertionEffect.ALLOW);
    domainData.setPolicies(new com.yahoo.athenz.zms.SignedPolicies());
    domainData.getPolicies().setContents(new com.yahoo.athenz.zms.DomainPolicies());
    domainData.getPolicies().getContents().setPolicies(new ArrayList<Policy>());
    domainData.getPolicies().getContents().getPolicies().add(policy);
    store.getCacheStore().put("coretechtrust", domain);
    Role role = createRoleObject("weather", "role1", "coretechtrust");
    assertTrue(authorizer.matchPrincipalInRole(role, "weather:role.role1", "user_domain.user1", "coretechtrust"));
    assertFalse(authorizer.matchPrincipalInRole(role, "weather:role.role1", "user_domain.user1", "coretechtrust2"));
    assertFalse(authorizer.matchPrincipalInRole(role, "weather:role.role1", "user_domain.user3", "coretechtrust"));
    store.getCacheStore().invalidate("coretechtrust");
}
Also used : Role(com.yahoo.athenz.zms.Role) Policy(com.yahoo.athenz.zms.Policy) DomainData(com.yahoo.athenz.zms.DomainData) DataCache(com.yahoo.athenz.zts.cache.DataCache) Test(org.testng.annotations.Test)

Example 45 with DataCache

use of com.yahoo.athenz.zts.cache.DataCache in project athenz by yahoo.

the class DataCacheTest method testProcessRoleTrustDomain.

@Test
public void testProcessRoleTrustDomain() {
    DataCache cache = new DataCache();
    cache.processRoleTrustDomain("dom.role1", "trustD");
    Map<String, Set<String>> map = cache.getTrustMap();
    assertNotNull(map);
    assertEquals(map.size(), 1);
    assertTrue(map.containsKey("trustD"));
    assertEquals(map.get("trustD").size(), 1);
    assertTrue(map.get("trustD").contains("dom.role1"));
}
Also used : Set(java.util.Set) DataCache(com.yahoo.athenz.zts.cache.DataCache) Test(org.testng.annotations.Test)

Aggregations

DataCache (com.yahoo.athenz.zts.cache.DataCache)84 Test (org.testng.annotations.Test)68 ArrayList (java.util.ArrayList)44 MockZMSFileChangeLogStore (com.yahoo.athenz.zts.store.impl.MockZMSFileChangeLogStore)39 ZMSFileChangeLogStore (com.yahoo.athenz.zts.store.impl.ZMSFileChangeLogStore)38 DomainData (com.yahoo.athenz.zms.DomainData)32 Role (com.yahoo.athenz.zms.Role)31 HashSet (java.util.HashSet)24 RoleMember (com.yahoo.athenz.zms.RoleMember)23 ServiceIdentity (com.yahoo.athenz.zms.ServiceIdentity)17 SignedDomain (com.yahoo.athenz.zms.SignedDomain)14 Policy (com.yahoo.athenz.zms.Policy)13 Domain (com.yahoo.athenz.zms.Domain)12 MemberRole (com.yahoo.athenz.zts.cache.MemberRole)12 Set (java.util.Set)12 Assertion (com.yahoo.athenz.zms.Assertion)7 HostServices (com.yahoo.athenz.zts.HostServices)6 HashMap (java.util.HashMap)6 SignedDomains (com.yahoo.athenz.zms.SignedDomains)5 Principal (com.yahoo.athenz.auth.Principal)4