use of com.yahoo.athenz.zts.cache.DataCache in project athenz by yahoo.
the class ZTSImplTest method testResourceAccess.
@Test
public void testResourceAccess() {
final String domainName = "coretechaccess";
DataCache domain = new DataCache();
DomainData domainData = new DomainData();
domainData.setName(domainName);
domain.setDomainData(domainData);
domainData.setRoles(new ArrayList<Role>());
Role role1 = createRoleObject(domainName, "role1", null, "user.user1", "user.user3");
Role role2 = createRoleObject(domainName, "role2", null, "user.user2", null);
domainData.getRoles().add(role1);
domainData.getRoles().add(role2);
Policy policy = createPolicyObject(domainName, "access", domainName + ":role.role1", false, "update", domainName + ":table1", AssertionEffect.ALLOW);
domainData.setPolicies(new com.yahoo.athenz.zms.SignedPolicies());
domainData.getPolicies().setContents(new com.yahoo.athenz.zms.DomainPolicies());
domainData.getPolicies().getContents().setPolicies(new ArrayList<Policy>());
domainData.getPolicies().getContents().getPolicies().add(policy);
store.getCacheStore().put(domainName, domain);
Authority principalAuthority = new com.yahoo.athenz.common.server.debug.DebugPrincipalAuthority();
Principal principal = SimplePrincipal.create("user", "user1", "v=U1;d=user;n=user1;s=signature", 0, principalAuthority);
ResourceContext ctx = createResourceContext(principal, null);
// process
ResourceAccess access = zts.getResourceAccess(ctx, "update", domainName + ":table1", null, null);
assertTrue(access.getGranted());
access = zts.getResourceAccessExt(ctx, "update", domainName + ":table1", null, null);
assertTrue(access.getGranted());
access = zts.getResourceAccess(ctx, "update", domainName + ":table2", null, null);
assertFalse(access.getGranted());
access = zts.getResourceAccessExt(ctx, "update", domainName + ":table2", null, null);
assertFalse(access.getGranted());
access = zts.getResourceAccess(ctx, "delete", domainName + ":table1", null, null);
assertFalse(access.getGranted());
access = zts.getResourceAccessExt(ctx, "delete", domainName + ":table1", null, null);
assertFalse(access.getGranted());
access = zts.getResourceAccess(ctx, "update", domainName + ":table1", null, "user.user2");
assertFalse(access.getGranted());
access = zts.getResourceAccess(ctx, "update", domainName + ":table1", null, "user.user3");
assertTrue(access.getGranted());
access = zts.getResourceAccess(ctx, "update", domainName + ":table2", null, "user.user3");
assertFalse(access.getGranted());
store.getCacheStore().invalidate(domainName);
}
use of com.yahoo.athenz.zts.cache.DataCache in project athenz by yahoo.
the class ZTSImplTest method testAccessDelegatedTrust.
@Test
public void testAccessDelegatedTrust() {
DataCache domain = new DataCache();
DomainData domainData = new DomainData();
domainData.setName("coretechtrust");
domain.setDomainData(domainData);
domainData.setRoles(new ArrayList<Role>());
Role role1 = createRoleObject("coretechtrust", "role1", null, "user_domain.user1", null);
Role role2 = createRoleObject("coretechtrust", "role2", null, "user_domain.user2", null);
domainData.getRoles().add(role1);
domainData.getRoles().add(role2);
Policy policy = createPolicyObject("coretechtrust", "trust", "coretechtrust:role.role1", false, "ASSUME_ROLE", "weather:role.role1", AssertionEffect.ALLOW);
domainData.setPolicies(new com.yahoo.athenz.zms.SignedPolicies());
domainData.getPolicies().setContents(new com.yahoo.athenz.zms.DomainPolicies());
domainData.getPolicies().getContents().setPolicies(new ArrayList<Policy>());
domainData.getPolicies().getContents().getPolicies().add(policy);
store.getCacheStore().put("coretechtrust", domain);
domain = new DataCache();
domainData = new DomainData();
domainData.setName("weather");
domain.setDomainData(domainData);
domainData.setRoles(new ArrayList<Role>());
role1 = createRoleObject("weather", "role1", "coretechtrust");
domainData.getRoles().add(role1);
policy = createPolicyObject("weather", "access", "weather:role.role1", false, "update", "weather:table1", AssertionEffect.ALLOW);
domainData.setPolicies(new com.yahoo.athenz.zms.SignedPolicies());
domainData.getPolicies().setContents(new com.yahoo.athenz.zms.DomainPolicies());
domainData.getPolicies().getContents().setPolicies(new ArrayList<Policy>());
domainData.getPolicies().getContents().getPolicies().add(policy);
store.getCacheStore().put("weather", domain);
Principal principal1 = SimplePrincipal.create("user_domain", "user1", "v=U1;d=user_domain;n=user1;s=signature", 0, null);
assertTrue(authorizer.access("update", "weather:table1", principal1, null));
assertTrue(authorizer.access("update", "weather:table1", principal1, "coretechtrust"));
assertFalse(authorizer.access("update", "weather:table1", principal1, "unknowntrust"));
assertFalse(authorizer.access("update", "weather:table2", principal1, null));
assertFalse(authorizer.access("delete", "weather:table1", principal1, null));
Principal principal2 = SimplePrincipal.create("user_domain", "user2", "v=U1;d=user_domain;n=user2;s=signature", 0, null);
assertFalse(authorizer.access("update", "weather:table1", principal2, null));
Principal principal3 = SimplePrincipal.create("user_domain", "user3", "v=U1;d=user_domain;n=user3;s=signature", 0, null);
assertFalse(authorizer.access("update", "weather:table1", principal3, null));
store.getCacheStore().invalidate("coretechtrust");
store.getCacheStore().invalidate("weather");
}
use of com.yahoo.athenz.zts.cache.DataCache in project athenz by yahoo.
the class ZTSImplTest method testEvaluateAccessAssertionAllow.
@Test
public void testEvaluateAccessAssertionAllow() {
DataCache domain = new DataCache();
DomainData domainData = new DomainData();
domainData.setName("coretech");
domain.setDomainData(domainData);
domainData.setRoles(new ArrayList<Role>());
Role role = createRoleObject("coretech", "role1", null, "user_domain.user1", null);
domainData.getRoles().add(role);
Policy policy = new Policy().setName("coretech:policy.policy1");
Assertion assertion1 = new Assertion();
assertion1.setAction("read");
assertion1.setEffect(AssertionEffect.ALLOW);
assertion1.setResource("coretech:*");
assertion1.setRole("coretech:role.role1");
Assertion assertion2 = new Assertion();
assertion2.setAction("read");
assertion2.setEffect(AssertionEffect.ALLOW);
assertion2.setResource("coretech:resource1");
assertion2.setRole("coretech:role.role1");
policy.setAssertions(new ArrayList<Assertion>());
policy.getAssertions().add(assertion1);
policy.getAssertions().add(assertion2);
domainData.setPolicies(new com.yahoo.athenz.zms.SignedPolicies());
domainData.getPolicies().setContents(new com.yahoo.athenz.zms.DomainPolicies());
domainData.getPolicies().getContents().setPolicies(new ArrayList<Policy>());
domainData.getPolicies().getContents().getPolicies().add(policy);
assertEquals(authorizer.evaluateAccess(domain, "user_domain.user1", "read", "coretech:resource1", null), AccessStatus.ALLOWED);
}
use of com.yahoo.athenz.zts.cache.DataCache in project athenz by yahoo.
the class ZTSImplTest method testMatchPrincipalInRoleDelegatedTrustMatch.
@Test
public void testMatchPrincipalInRoleDelegatedTrustMatch() {
DataCache domain = new DataCache();
DomainData domainData = new DomainData();
domainData.setName("coretechtrust");
domain.setDomainData(domainData);
domainData.setRoles(new ArrayList<Role>());
Role role1 = createRoleObject("coretechtrust", "role1", null, "user_domain.user1", null);
Role role2 = createRoleObject("coretechtrust", "role2", null, "user_domain.user2", null);
domainData.getRoles().add(role1);
domainData.getRoles().add(role2);
Policy policy = createPolicyObject("coretechtrust", "trust", "coretechtrust:role.role1", false, "ASSUME_ROLE", "weather:role.role1", AssertionEffect.ALLOW);
domainData.setPolicies(new com.yahoo.athenz.zms.SignedPolicies());
domainData.getPolicies().setContents(new com.yahoo.athenz.zms.DomainPolicies());
domainData.getPolicies().getContents().setPolicies(new ArrayList<Policy>());
domainData.getPolicies().getContents().getPolicies().add(policy);
store.getCacheStore().put("coretechtrust", domain);
Role role = createRoleObject("weather", "role1", "coretechtrust");
assertTrue(authorizer.matchPrincipalInRole(role, "weather:role.role1", "user_domain.user1", "coretechtrust"));
assertFalse(authorizer.matchPrincipalInRole(role, "weather:role.role1", "user_domain.user1", "coretechtrust2"));
assertFalse(authorizer.matchPrincipalInRole(role, "weather:role.role1", "user_domain.user3", "coretechtrust"));
store.getCacheStore().invalidate("coretechtrust");
}
use of com.yahoo.athenz.zts.cache.DataCache in project athenz by yahoo.
the class DataCacheTest method testProcessRoleTrustDomain.
@Test
public void testProcessRoleTrustDomain() {
DataCache cache = new DataCache();
cache.processRoleTrustDomain("dom.role1", "trustD");
Map<String, Set<String>> map = cache.getTrustMap();
assertNotNull(map);
assertEquals(map.size(), 1);
assertTrue(map.containsKey("trustD"));
assertEquals(map.get("trustD").size(), 1);
assertTrue(map.get("trustD").contains("dom.role1"));
}
Aggregations