diff --git a/clients/go/zms/model.go b/clients/go/zms/model.go index 67c26db9997..c0257671673 100644 --- a/clients/go/zms/model.go +++ b/clients/go/zms/model.go @@ -363,6 +363,16 @@ type DomainMeta struct { // ownership information for the domain (read-only attribute) // ResourceOwnership *ResourceDomainOwnership `json:"resourceOwnership,omitempty" rdl:"optional" yaml:",omitempty"` + + // + // requested x509 cert signer key id (system attribute) + // + X509CertSignerKeyId string `json:"x509CertSignerKeyId" rdl:"optional" yaml:",omitempty"` + + // + // requested ssh cert signer key id (system attribute) + // + SshCertSignerKeyId string `json:"sshCertSignerKeyId" rdl:"optional" yaml:",omitempty"` } // NewDomainMeta - creates an initialized DomainMeta instance, returns a pointer to it @@ -495,6 +505,18 @@ func (self *DomainMeta) Validate() error { return fmt.Errorf("DomainMeta.environment does not contain a valid String (%v)", val.Error) } } + if self.X509CertSignerKeyId != "" { + val := rdl.Validate(ZMSSchema(), "String", self.X509CertSignerKeyId) + if !val.Valid { + return fmt.Errorf("DomainMeta.x509CertSignerKeyId does not contain a valid String (%v)", val.Error) + } + } + if self.SshCertSignerKeyId != "" { + val := rdl.Validate(ZMSSchema(), "String", self.SshCertSignerKeyId) + if !val.Valid { + return fmt.Errorf("DomainMeta.sshCertSignerKeyId does not contain a valid String (%v)", val.Error) + } + } return nil } @@ -658,6 +680,16 @@ type Domain struct { // ResourceOwnership *ResourceDomainOwnership `json:"resourceOwnership,omitempty" rdl:"optional" yaml:",omitempty"` + // + // requested x509 cert signer key id (system attribute) + // + X509CertSignerKeyId string `json:"x509CertSignerKeyId" rdl:"optional" yaml:",omitempty"` + + // + // requested ssh cert signer key id (system attribute) + // + SshCertSignerKeyId string `json:"sshCertSignerKeyId" rdl:"optional" yaml:",omitempty"` + // // the common name to be referred to, the symbolic id. It is immutable // 
@@ -804,6 +836,18 @@ func (self *Domain) Validate() error { return fmt.Errorf("Domain.environment does not contain a valid String (%v)", val.Error) } } + if self.X509CertSignerKeyId != "" { + val := rdl.Validate(ZMSSchema(), "String", self.X509CertSignerKeyId) + if !val.Valid { + return fmt.Errorf("Domain.x509CertSignerKeyId does not contain a valid String (%v)", val.Error) + } + } + if self.SshCertSignerKeyId != "" { + val := rdl.Validate(ZMSSchema(), "String", self.SshCertSignerKeyId) + if !val.Valid { + return fmt.Errorf("Domain.sshCertSignerKeyId does not contain a valid String (%v)", val.Error) + } + } if self.Name == "" { return fmt.Errorf("Domain.name is missing but is a required field") } else { @@ -4103,6 +4147,16 @@ type TopLevelDomain struct { // ResourceOwnership *ResourceDomainOwnership `json:"resourceOwnership,omitempty" rdl:"optional" yaml:",omitempty"` + // + // requested x509 cert signer key id (system attribute) + // + X509CertSignerKeyId string `json:"x509CertSignerKeyId" rdl:"optional" yaml:",omitempty"` + + // + // requested ssh cert signer key id (system attribute) + // + SshCertSignerKeyId string `json:"sshCertSignerKeyId" rdl:"optional" yaml:",omitempty"` + // // name of the domain // @@ -4252,6 +4306,18 @@ func (self *TopLevelDomain) Validate() error { return fmt.Errorf("TopLevelDomain.environment does not contain a valid String (%v)", val.Error) } } + if self.X509CertSignerKeyId != "" { + val := rdl.Validate(ZMSSchema(), "String", self.X509CertSignerKeyId) + if !val.Valid { + return fmt.Errorf("TopLevelDomain.x509CertSignerKeyId does not contain a valid String (%v)", val.Error) + } + } + if self.SshCertSignerKeyId != "" { + val := rdl.Validate(ZMSSchema(), "String", self.SshCertSignerKeyId) + if !val.Valid { + return fmt.Errorf("TopLevelDomain.sshCertSignerKeyId does not contain a valid String (%v)", val.Error) + } + } if self.Name == "" { return fmt.Errorf("TopLevelDomain.name is missing but is a required field") } else { 
@@ -4421,6 +4487,16 @@ type SubDomain struct { // ResourceOwnership *ResourceDomainOwnership `json:"resourceOwnership,omitempty" rdl:"optional" yaml:",omitempty"` + // + // requested x509 cert signer key id (system attribute) + // + X509CertSignerKeyId string `json:"x509CertSignerKeyId" rdl:"optional" yaml:",omitempty"` + + // + // requested ssh cert signer key id (system attribute) + // + SshCertSignerKeyId string `json:"sshCertSignerKeyId" rdl:"optional" yaml:",omitempty"` + // // name of the domain // @@ -4575,6 +4651,18 @@ func (self *SubDomain) Validate() error { return fmt.Errorf("SubDomain.environment does not contain a valid String (%v)", val.Error) } } + if self.X509CertSignerKeyId != "" { + val := rdl.Validate(ZMSSchema(), "String", self.X509CertSignerKeyId) + if !val.Valid { + return fmt.Errorf("SubDomain.x509CertSignerKeyId does not contain a valid String (%v)", val.Error) + } + } + if self.SshCertSignerKeyId != "" { + val := rdl.Validate(ZMSSchema(), "String", self.SshCertSignerKeyId) + if !val.Valid { + return fmt.Errorf("SubDomain.sshCertSignerKeyId does not contain a valid String (%v)", val.Error) + } + } if self.Name == "" { return fmt.Errorf("SubDomain.name is missing but is a required field") } else { @@ -4753,6 +4841,16 @@ type UserDomain struct { // ResourceOwnership *ResourceDomainOwnership `json:"resourceOwnership,omitempty" rdl:"optional" yaml:",omitempty"` + // + // requested x509 cert signer key id (system attribute) + // + X509CertSignerKeyId string `json:"x509CertSignerKeyId" rdl:"optional" yaml:",omitempty"` + + // + // requested ssh cert signer key id (system attribute) + // + SshCertSignerKeyId string `json:"sshCertSignerKeyId" rdl:"optional" yaml:",omitempty"` + // // user id which will be the domain name // 
@@ -4894,6 +4992,18 @@ func (self *UserDomain) Validate() error { return fmt.Errorf("UserDomain.environment does not contain a valid String (%v)", val.Error) } } + if self.X509CertSignerKeyId != "" { + val := rdl.Validate(ZMSSchema(), "String", self.X509CertSignerKeyId) + if !val.Valid { + return fmt.Errorf("UserDomain.x509CertSignerKeyId does not contain a valid String (%v)", val.Error) + } + } + if self.SshCertSignerKeyId != "" { + val := rdl.Validate(ZMSSchema(), "String", self.SshCertSignerKeyId) + if !val.Valid { + return fmt.Errorf("UserDomain.sshCertSignerKeyId does not contain a valid String (%v)", val.Error) + } + } if self.Name == "" { return fmt.Errorf("UserDomain.name is missing but is a required field") } else { @@ -7400,6 +7510,16 @@ type DomainData struct { // ResourceOwnership *ResourceDomainOwnership `json:"resourceOwnership,omitempty" rdl:"optional" yaml:",omitempty"` + // + // requested x509 cert signer key id (system attribute) + // + X509CertSignerKeyId string `json:"x509CertSignerKeyId" rdl:"optional" yaml:",omitempty"` + + // + // requested ssh cert signer key id (system attribute) + // + SshCertSignerKeyId string `json:"sshCertSignerKeyId" rdl:"optional" yaml:",omitempty"` + // // name of the domain // @@ -7581,6 +7701,18 @@ func (self *DomainData) Validate() error { return fmt.Errorf("DomainData.environment does not contain a valid String (%v)", val.Error) } } + if self.X509CertSignerKeyId != "" { + val := rdl.Validate(ZMSSchema(), "String", self.X509CertSignerKeyId) + if !val.Valid { + return fmt.Errorf("DomainData.x509CertSignerKeyId does not contain a valid String (%v)", val.Error) + } + } + if self.SshCertSignerKeyId != "" { + val := rdl.Validate(ZMSSchema(), "String", self.SshCertSignerKeyId) + if !val.Valid { + return fmt.Errorf("DomainData.sshCertSignerKeyId does not contain a valid String (%v)", val.Error) + } + } if self.Name == "" { return fmt.Errorf("DomainData.name is missing but is a required field") } else { 
diff --git a/clients/go/zms/zms_schema.go b/clients/go/zms/zms_schema.go index e106b77834e..7e5aca7ec65 100644 --- a/clients/go/zms/zms_schema.go +++ b/clients/go/zms/zms_schema.go @@ -176,6 +176,8 @@ func init() { tDomainMeta.MapField("contacts", "SimpleName", "String", true, "list of domain contacts (PE-Owner, Product-Owner, etc), each type can have a single value") tDomainMeta.Field("environment", "String", true, nil, "domain environment e.g. production, staging, etc") tDomainMeta.Field("resourceOwnership", "ResourceDomainOwnership", true, nil, "ownership information for the domain (read-only attribute)") + tDomainMeta.Field("x509CertSignerKeyId", "String", true, nil, "requested x509 cert signer key id (system attribute)") + tDomainMeta.Field("sshCertSignerKeyId", "String", true, nil, "requested ssh cert signer key id (system attribute)") sb.AddType(tDomainMeta.Build()) tDomain := rdl.NewStructTypeBuilder("DomainMeta", "Domain") diff --git a/core/zms/src/main/java/com/yahoo/athenz/zms/Domain.java b/core/zms/src/main/java/com/yahoo/athenz/zms/Domain.java index 0f9abfc40a2..1da7e6fc7f0 100644 --- a/core/zms/src/main/java/com/yahoo/athenz/zms/Domain.java +++ b/core/zms/src/main/java/com/yahoo/athenz/zms/Domain.java @@ -105,6 +105,12 @@ public class Domain { @RdlOptional @JsonInclude(JsonInclude.Include.NON_EMPTY) public ResourceDomainOwnership resourceOwnership; + @RdlOptional + @JsonInclude(JsonInclude.Include.NON_NULL) + public String x509CertSignerKeyId; + @RdlOptional + @JsonInclude(JsonInclude.Include.NON_NULL) + public String sshCertSignerKeyId; public String name; @RdlOptional @JsonInclude(JsonInclude.Include.NON_EMPTY) 
@@ -316,6 +322,20 @@ public Domain setResourceOwnership(ResourceDomainOwnership resourceOwnership) { public ResourceDomainOwnership getResourceOwnership() { return resourceOwnership; } + public Domain setX509CertSignerKeyId(String x509CertSignerKeyId) { + this.x509CertSignerKeyId = x509CertSignerKeyId; + return this; + } + public String getX509CertSignerKeyId() { + return x509CertSignerKeyId; + } + public Domain setSshCertSignerKeyId(String sshCertSignerKeyId) { + this.sshCertSignerKeyId = sshCertSignerKeyId; + return this; + } + public String getSshCertSignerKeyId() { + return sshCertSignerKeyId; + } public Domain setName(String name) { this.name = name; return this; @@ -432,6 +452,12 @@ public boolean equals(Object another) { if (resourceOwnership == null ? a.resourceOwnership != null : !resourceOwnership.equals(a.resourceOwnership)) { return false; } + if (x509CertSignerKeyId == null ? a.x509CertSignerKeyId != null : !x509CertSignerKeyId.equals(a.x509CertSignerKeyId)) { + return false; + } + if (sshCertSignerKeyId == null ? a.sshCertSignerKeyId != null : !sshCertSignerKeyId.equals(a.sshCertSignerKeyId)) { + return false; + } if (name == null ? a.name != null : !name.equals(a.name)) { return false; } diff --git a/core/zms/src/main/java/com/yahoo/athenz/zms/DomainData.java b/core/zms/src/main/java/com/yahoo/athenz/zms/DomainData.java index 7f8aca4388e..fa6aebbe614 100644 --- a/core/zms/src/main/java/com/yahoo/athenz/zms/DomainData.java +++ b/core/zms/src/main/java/com/yahoo/athenz/zms/DomainData.java @@ -101,6 +101,12 @@ public class DomainData { @RdlOptional @JsonInclude(JsonInclude.Include.NON_EMPTY) public ResourceDomainOwnership resourceOwnership; + @RdlOptional + @JsonInclude(JsonInclude.Include.NON_NULL) + public String x509CertSignerKeyId; + @RdlOptional + @JsonInclude(JsonInclude.Include.NON_NULL) + public String sshCertSignerKeyId; public String name; public List roles; public SignedPolicies policies; 
@@ -312,6 +318,20 @@ public DomainData setResourceOwnership(ResourceDomainOwnership resourceOwnership public ResourceDomainOwnership getResourceOwnership() { return resourceOwnership; } + public DomainData setX509CertSignerKeyId(String x509CertSignerKeyId) { + this.x509CertSignerKeyId = x509CertSignerKeyId; + return this; + } + public String getX509CertSignerKeyId() { + return x509CertSignerKeyId; + } + public DomainData setSshCertSignerKeyId(String sshCertSignerKeyId) { + this.sshCertSignerKeyId = sshCertSignerKeyId; + return this; + } + public String getSshCertSignerKeyId() { + return sshCertSignerKeyId; + } public DomainData setName(String name) { this.name = name; return this; @@ -456,6 +476,12 @@ public boolean equals(Object another) { if (resourceOwnership == null ? a.resourceOwnership != null : !resourceOwnership.equals(a.resourceOwnership)) { return false; } + if (x509CertSignerKeyId == null ? a.x509CertSignerKeyId != null : !x509CertSignerKeyId.equals(a.x509CertSignerKeyId)) { + return false; + } + if (sshCertSignerKeyId == null ? a.sshCertSignerKeyId != null : !sshCertSignerKeyId.equals(a.sshCertSignerKeyId)) { + return false; + } if (name == null ? a.name != null : !name.equals(a.name)) { return false; } diff --git a/core/zms/src/main/java/com/yahoo/athenz/zms/DomainMeta.java b/core/zms/src/main/java/com/yahoo/athenz/zms/DomainMeta.java index af6e69fc531..5e77b7c4a51 100644 --- a/core/zms/src/main/java/com/yahoo/athenz/zms/DomainMeta.java +++ b/core/zms/src/main/java/com/yahoo/athenz/zms/DomainMeta.java @@ -101,6 +101,12 @@ public class DomainMeta { @RdlOptional @JsonInclude(JsonInclude.Include.NON_EMPTY) public ResourceDomainOwnership resourceOwnership; + @RdlOptional + @JsonInclude(JsonInclude.Include.NON_NULL) + public String x509CertSignerKeyId; + @RdlOptional + @JsonInclude(JsonInclude.Include.NON_NULL) + public String sshCertSignerKeyId; public DomainMeta setDescription(String description) { this.description = description; 
@@ -305,6 +311,20 @@ public DomainMeta setResourceOwnership(ResourceDomainOwnership resourceOwnership public ResourceDomainOwnership getResourceOwnership() { return resourceOwnership; } + public DomainMeta setX509CertSignerKeyId(String x509CertSignerKeyId) { + this.x509CertSignerKeyId = x509CertSignerKeyId; + return this; + } + public String getX509CertSignerKeyId() { + return x509CertSignerKeyId; + } + public DomainMeta setSshCertSignerKeyId(String sshCertSignerKeyId) { + this.sshCertSignerKeyId = sshCertSignerKeyId; + return this; + } + public String getSshCertSignerKeyId() { + return sshCertSignerKeyId; + } @Override public boolean equals(Object another) { @@ -400,6 +420,12 @@ public boolean equals(Object another) { if (resourceOwnership == null ? a.resourceOwnership != null : !resourceOwnership.equals(a.resourceOwnership)) { return false; } + if (x509CertSignerKeyId == null ? a.x509CertSignerKeyId != null : !x509CertSignerKeyId.equals(a.x509CertSignerKeyId)) { + return false; + } + if (sshCertSignerKeyId == null ? a.sshCertSignerKeyId != null : !sshCertSignerKeyId.equals(a.sshCertSignerKeyId)) { + return false; + } } return true; } diff --git a/core/zms/src/main/java/com/yahoo/athenz/zms/SubDomain.java b/core/zms/src/main/java/com/yahoo/athenz/zms/SubDomain.java index aba61aecbaf..69c785fab49 100644 --- a/core/zms/src/main/java/com/yahoo/athenz/zms/SubDomain.java +++ b/core/zms/src/main/java/com/yahoo/athenz/zms/SubDomain.java @@ -101,6 +101,12 @@ public class SubDomain { @RdlOptional @JsonInclude(JsonInclude.Include.NON_EMPTY) public ResourceDomainOwnership resourceOwnership; + @RdlOptional + @JsonInclude(JsonInclude.Include.NON_NULL) + public String x509CertSignerKeyId; + @RdlOptional + @JsonInclude(JsonInclude.Include.NON_NULL) + public String sshCertSignerKeyId; public String name; public List adminUsers; @RdlOptional 
@@ -311,6 +317,20 @@ public SubDomain setResourceOwnership(ResourceDomainOwnership resourceOwnership) public ResourceDomainOwnership getResourceOwnership() { return resourceOwnership; } + public SubDomain setX509CertSignerKeyId(String x509CertSignerKeyId) { + this.x509CertSignerKeyId = x509CertSignerKeyId; + return this; + } + public String getX509CertSignerKeyId() { + return x509CertSignerKeyId; + } + public SubDomain setSshCertSignerKeyId(String sshCertSignerKeyId) { + this.sshCertSignerKeyId = sshCertSignerKeyId; + return this; + } + public String getSshCertSignerKeyId() { + return sshCertSignerKeyId; + } public SubDomain setName(String name) { this.name = name; return this; @@ -434,6 +454,12 @@ public boolean equals(Object another) { if (resourceOwnership == null ? a.resourceOwnership != null : !resourceOwnership.equals(a.resourceOwnership)) { return false; } + if (x509CertSignerKeyId == null ? a.x509CertSignerKeyId != null : !x509CertSignerKeyId.equals(a.x509CertSignerKeyId)) { + return false; + } + if (sshCertSignerKeyId == null ? a.sshCertSignerKeyId != null : !sshCertSignerKeyId.equals(a.sshCertSignerKeyId)) { + return false; + } if (name == null ? a.name != null : !name.equals(a.name)) { return false; } diff --git a/core/zms/src/main/java/com/yahoo/athenz/zms/TopLevelDomain.java b/core/zms/src/main/java/com/yahoo/athenz/zms/TopLevelDomain.java index 71d8284c5e3..68233a4bbc7 100644 --- a/core/zms/src/main/java/com/yahoo/athenz/zms/TopLevelDomain.java +++ b/core/zms/src/main/java/com/yahoo/athenz/zms/TopLevelDomain.java @@ -102,6 +102,12 @@ public class TopLevelDomain { @RdlOptional @JsonInclude(JsonInclude.Include.NON_EMPTY) public ResourceDomainOwnership resourceOwnership; + @RdlOptional + @JsonInclude(JsonInclude.Include.NON_NULL) + public String x509CertSignerKeyId; + @RdlOptional + @JsonInclude(JsonInclude.Include.NON_NULL) + public String sshCertSignerKeyId; public String name; public List adminUsers; @RdlOptional 
@@ -311,6 +317,20 @@ public TopLevelDomain setResourceOwnership(ResourceDomainOwnership resourceOwner public ResourceDomainOwnership getResourceOwnership() { return resourceOwnership; } + public TopLevelDomain setX509CertSignerKeyId(String x509CertSignerKeyId) { + this.x509CertSignerKeyId = x509CertSignerKeyId; + return this; + } + public String getX509CertSignerKeyId() { + return x509CertSignerKeyId; + } + public TopLevelDomain setSshCertSignerKeyId(String sshCertSignerKeyId) { + this.sshCertSignerKeyId = sshCertSignerKeyId; + return this; + } + public String getSshCertSignerKeyId() { + return sshCertSignerKeyId; + } public TopLevelDomain setName(String name) { this.name = name; return this; @@ -427,6 +447,12 @@ public boolean equals(Object another) { if (resourceOwnership == null ? a.resourceOwnership != null : !resourceOwnership.equals(a.resourceOwnership)) { return false; } + if (x509CertSignerKeyId == null ? a.x509CertSignerKeyId != null : !x509CertSignerKeyId.equals(a.x509CertSignerKeyId)) { + return false; + } + if (sshCertSignerKeyId == null ? a.sshCertSignerKeyId != null : !sshCertSignerKeyId.equals(a.sshCertSignerKeyId)) { + return false; + } if (name == null ? a.name != null : !name.equals(a.name)) { return false; } diff --git a/core/zms/src/main/java/com/yahoo/athenz/zms/UserDomain.java b/core/zms/src/main/java/com/yahoo/athenz/zms/UserDomain.java index 3f1190dc8b8..636395c9aec 100644 --- a/core/zms/src/main/java/com/yahoo/athenz/zms/UserDomain.java +++ b/core/zms/src/main/java/com/yahoo/athenz/zms/UserDomain.java @@ -101,6 +101,12 @@ public class UserDomain { @RdlOptional @JsonInclude(JsonInclude.Include.NON_EMPTY) public ResourceDomainOwnership resourceOwnership; + @RdlOptional + @JsonInclude(JsonInclude.Include.NON_NULL) + public String x509CertSignerKeyId; + @RdlOptional + @JsonInclude(JsonInclude.Include.NON_NULL) + public String sshCertSignerKeyId; public String name; @RdlOptional @JsonInclude(JsonInclude.Include.NON_EMPTY) 
@@ -309,6 +315,20 @@ public UserDomain setResourceOwnership(ResourceDomainOwnership resourceOwnership public ResourceDomainOwnership getResourceOwnership() { return resourceOwnership; } + public UserDomain setX509CertSignerKeyId(String x509CertSignerKeyId) { + this.x509CertSignerKeyId = x509CertSignerKeyId; + return this; + } + public String getX509CertSignerKeyId() { + return x509CertSignerKeyId; + } + public UserDomain setSshCertSignerKeyId(String sshCertSignerKeyId) { + this.sshCertSignerKeyId = sshCertSignerKeyId; + return this; + } + public String getSshCertSignerKeyId() { + return sshCertSignerKeyId; + } public UserDomain setName(String name) { this.name = name; return this; @@ -418,6 +438,12 @@ public boolean equals(Object another) { if (resourceOwnership == null ? a.resourceOwnership != null : !resourceOwnership.equals(a.resourceOwnership)) { return false; } + if (x509CertSignerKeyId == null ? a.x509CertSignerKeyId != null : !x509CertSignerKeyId.equals(a.x509CertSignerKeyId)) { + return false; + } + if (sshCertSignerKeyId == null ? a.sshCertSignerKeyId != null : !sshCertSignerKeyId.equals(a.sshCertSignerKeyId)) { + return false; + } if (name == null ? a.name != null : !name.equals(a.name)) { return false; } diff --git a/core/zms/src/main/java/com/yahoo/athenz/zms/ZMSSchema.java b/core/zms/src/main/java/com/yahoo/athenz/zms/ZMSSchema.java index 4cdf030b98d..9e69804bc86 100644 --- a/core/zms/src/main/java/com/yahoo/athenz/zms/ZMSSchema.java +++ b/core/zms/src/main/java/com/yahoo/athenz/zms/ZMSSchema.java 
@@ -150,7 +150,9 @@ private static Schema build() { .field("featureFlags", "Int32", true, "features enabled per domain (system attribute)") .mapField("contacts", "SimpleName", "String", true, "list of domain contacts (PE-Owner, Product-Owner, etc), each type can have a single value") .field("environment", "String", true, "domain environment e.g. production, staging, etc") - .field("resourceOwnership", "ResourceDomainOwnership", true, "ownership information for the domain (read-only attribute)"); + .field("resourceOwnership", "ResourceDomainOwnership", true, "ownership information for the domain (read-only attribute)") + .field("x509CertSignerKeyId", "String", true, "requested x509 cert signer key id (system attribute)") + .field("sshCertSignerKeyId", "String", true, "requested ssh cert signer key id (system attribute)"); sb.structType("Domain", "DomainMeta") .comment("A domain is an independent partition of users, roles, and resources. Its name represents the definition of a namespace; the only way a new namespace can be created, from the top, is by creating Domains. Administration of a domain is governed by the parent domain (using reverse-DNS namespaces). The top level domains are governed by the special \"sys.auth\" domain.") diff --git a/core/zms/src/main/rdl/Domain.tdl b/core/zms/src/main/rdl/Domain.tdl index 32170d6772d..eb3ea4574c2 100644 --- a/core/zms/src/main/rdl/Domain.tdl +++ b/core/zms/src/main/rdl/Domain.tdl 
@@ -41,6 +41,8 @@ type DomainMeta Struct { Map contacts (optional); //list of domain contacts (PE-Owner, Product-Owner, etc), each type can have a single value String environment (optional, x_allowempty="true"); //domain environment e.g. production, staging, etc ResourceDomainOwnership resourceOwnership (optional); //ownership information for the domain (read-only attribute) + String x509CertSignerKeyId (optional, x_allowempty="true"); //requested x509 cert signer key id (system attribute) + String sshCertSignerKeyId (optional, x_allowempty="true"); //requested ssh cert signer key id (system attribute) } //A domain is an independent partition of users, roles, and resources. diff --git a/core/zms/src/test/java/com/yahoo/athenz/zms/DomainTest.java b/core/zms/src/test/java/com/yahoo/athenz/zms/DomainTest.java index f7141a2e190..5aedf6518dd 100644 --- a/core/zms/src/test/java/com/yahoo/athenz/zms/DomainTest.java +++ b/core/zms/src/test/java/com/yahoo/athenz/zms/DomainTest.java @@ -87,7 +87,8 @@ public void testDomainMetaMethod() { .setTags(Collections.singletonMap("tagKey", new TagValueList().setList(Collections.singletonList("tagValue")))) .setMemberPurgeExpiryDays(10).setGcpProjectNumber("1240").setProductId("abcd-1234") .setFeatureFlags(3).setContacts(Map.of("pe-owner", "user.test")).setEnvironment("production") - .setResourceOwnership(new ResourceDomainOwnership().setMetaOwner("TF")); + .setResourceOwnership(new ResourceDomainOwnership().setMetaOwner("TF")) + .setX509CertSignerKeyId("x509-keyid").setSshCertSignerKeyId("ssh-keyid"); Validator.Result result = validator.validate(dm, "DomainMeta"); assertTrue(result.valid); 
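Review bot: The two new signer key ids in DomainMeta are declared as unconstrained `String`, and the only thing marking them as privileged is the trailing "(system attribute)" comment; neither the schema nor anything else in this diff restricts who may set them or what they may contain. If this value selects which CA key ZTS uses to issue a domain's X.509 and SSH certificates, a caller who can write it through the ordinary domain-meta path could steer the domain's certificates to a different signer, so the server-side system-meta authorization for these two attributes (not part of this diff) should be confirmed to reject them from the regular meta update. Unless real key ids need characters outside SimpleName, prefer the constrained type already used elsewhere in this schema so the id cannot carry path or log-injection characters if it is ever used as a lookup key: `SimpleName x509CertSignerKeyId (optional, x_allowempty="true"); //requested x509 cert signer key id (system attribute)`, and the same for `sshCertSignerKeyId`. Note also that the generated Go field carries `json:"x509CertSignerKeyId"` with no `omitempty`, so a Go client sends `""` whenever the id is unset; if any server-side merge treats present-but-empty as "clear", that client could wipe a configured signer id, which is worth checking against how `environment` (the other `x_allowempty` string here) is handled.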
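Review bot: The new assertions in testDomainMetaMethod only validate a populated id, while the schema marks both fields `x_allowempty="true"`; nothing pins that an empty id still validates, which is presumably the value used to clear a signer override. Add a boundary check beside the existing validate call, e.g. `assertTrue(validator.validate(new DomainMeta().init().setX509CertSignerKeyId("").setSshCertSignerKeyId(""), "DomainMeta").valid);`, so a later tightening of the field type does not silently break the clear path. testDomainMetaMethod's body continues outside this hunk.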
@@ -121,6 +122,8 @@ public void testDomainMetaMethod() { assertEquals(dm.getFeatureFlags(), 3); assertEquals(dm.getContacts(), Map.of("pe-owner", "user.test")); assertEquals(dm.getEnvironment(), "production"); + assertEquals(dm.getX509CertSignerKeyId(), "x509-keyid"); + assertEquals(dm.getSshCertSignerKeyId(), "ssh-keyid"); assertEquals(dm.getResourceOwnership(), new ResourceDomainOwnership().setMetaOwner("TF")); DomainMeta dm2 = new DomainMeta().init(); @@ -134,11 +137,26 @@ public void testDomainMetaMethod() { .setTags(Collections.singletonMap("tagKey", new TagValueList().setList(Collections.singletonList("tagValue")))) .setMemberPurgeExpiryDays(10).setGcpProjectNumber("1240").setProductId("abcd-1234") .setFeatureFlags(3).setContacts(Map.of("pe-owner", "user.test")).setEnvironment("production") - .setResourceOwnership(new ResourceDomainOwnership().setMetaOwner("TF")); + .setResourceOwnership(new ResourceDomainOwnership().setMetaOwner("TF")) + .setX509CertSignerKeyId("x509-keyid").setSshCertSignerKeyId("ssh-keyid"); assertEquals(dm, dm2); assertEquals(dm, dm); + dm2.setX509CertSignerKeyId("x509-keyid2"); + assertNotEquals(dm, dm2); + dm2.setX509CertSignerKeyId(null); + assertNotEquals(dm, dm2); + dm2.setX509CertSignerKeyId("x509-keyid"); + assertEquals(dm, dm2); + + dm2.setSshCertSignerKeyId("ssh-keyid2"); + assertNotEquals(dm, dm2); + dm2.setSshCertSignerKeyId(null); + assertNotEquals(dm, dm2); + dm2.setSshCertSignerKeyId("ssh-keyid"); + assertEquals(dm, dm2); + dm2.setEnvironment("staging"); assertNotEquals(dm, dm2); dm2.setEnvironment(null); 
@@ -350,7 +368,8 @@ public void testTopLevelDomainMethod() { .setBusinessService("business-service").setMemberPurgeExpiryDays(10).setGcpProject("gcp") .setGcpProjectNumber("1242").setProductId("abcd-1234").setFeatureFlags(3) .setContacts(Map.of("pe-owner", "user.test")).setEnvironment("production") - .setResourceOwnership(new ResourceDomainOwnership().setMetaOwner("TF")); + .setResourceOwnership(new ResourceDomainOwnership().setMetaOwner("TF")) + .setX509CertSignerKeyId("x509-keyid").setSshCertSignerKeyId("ssh-keyid"); result = validator.validate(tld, "TopLevelDomain"); assertTrue(result.valid); @@ -387,6 +406,8 @@ public void testTopLevelDomainMethod() { assertEquals(tld.getFeatureFlags(), 3); assertEquals(tld.getContacts(), Map.of("pe-owner", "user.test")); assertEquals(tld.getEnvironment(), "production"); + assertEquals(tld.getX509CertSignerKeyId(), "x509-keyid"); + assertEquals(tld.getSshCertSignerKeyId(), "ssh-keyid"); assertEquals(tld.getResourceOwnership(), new ResourceDomainOwnership().setMetaOwner("TF")); TopLevelDomain tld2 = new TopLevelDomain().setDescription("domain desc").setOrg("org:test").setEnabled(true) @@ -399,7 +420,8 @@ public void testTopLevelDomainMethod() { .setBusinessService("business-service").setMemberPurgeExpiryDays(10).setGcpProject("gcp") .setGcpProjectNumber("1242").setProductId("abcd-1234").setFeatureFlags(3) .setContacts(Map.of("pe-owner", "user.test")).setEnvironment("production") - .setResourceOwnership(new ResourceDomainOwnership().setMetaOwner("TF")); + .setResourceOwnership(new ResourceDomainOwnership().setMetaOwner("TF")) + .setX509CertSignerKeyId("x509-keyid").setSshCertSignerKeyId("ssh-keyid"); assertEquals(tld, tld2); assertEquals(tld, tld); 
@@ -411,6 +433,20 @@ public void testTopLevelDomainMethod() { tld2.setEnvironment("production"); assertEquals(tld, tld2); + tld2.setX509CertSignerKeyId("x509-keyid2"); + assertNotEquals(tld, tld2); + tld2.setX509CertSignerKeyId(null); + assertNotEquals(tld, tld2); + tld2.setX509CertSignerKeyId("x509-keyid"); + assertEquals(tld, tld2); + + tld2.setSshCertSignerKeyId("ssh-keyid2"); + assertNotEquals(tld, tld2); + tld2.setSshCertSignerKeyId(null); + assertNotEquals(tld, tld2); + tld2.setSshCertSignerKeyId("ssh-keyid"); + assertEquals(tld, tld2); + tld2.setContacts(Map.of("product-owner", "user.test")); assertNotEquals(tld, tld2); tld2.setContacts(null); @@ -603,7 +639,8 @@ public void testSubDomainMethod() { .setBusinessService("business-service").setMemberPurgeExpiryDays(10).setGcpProject("gcp") .setGcpProjectNumber("1244").setProductId("abcd-1234").setFeatureFlags(3) .setContacts(Map.of("pe-owner", "user.test")).setEnvironment("production") - .setResourceOwnership(new ResourceDomainOwnership().setMetaOwner("TF")); + .setResourceOwnership(new ResourceDomainOwnership().setMetaOwner("TF")) + .setX509CertSignerKeyId("x509-keyid").setSshCertSignerKeyId("ssh-keyid"); Validator.Result result = validator.validate(sd, "SubDomain"); assertTrue(result.valid, result.error); @@ -641,6 +678,8 @@ public void testSubDomainMethod() { assertEquals(sd.getFeatureFlags(), 3); assertEquals(sd.getContacts(), Map.of("pe-owner", "user.test")); assertEquals(sd.getEnvironment(), "production"); + assertEquals(sd.getX509CertSignerKeyId(), "x509-keyid"); + assertEquals(sd.getSshCertSignerKeyId(), "ssh-keyid"); assertEquals(sd.getResourceOwnership(), new ResourceDomainOwnership().setMetaOwner("TF")); SubDomain sd2 = new SubDomain().setDescription("domain desc").setOrg("org:test").setEnabled(true) 
@@ -655,7 +694,8 @@ public void testSubDomainMethod() { .setBusinessService("business-service").setMemberPurgeExpiryDays(10).setGcpProject("gcp") .setGcpProjectNumber("1244").setProductId("abcd-1234").setFeatureFlags(3) .setContacts(Map.of("pe-owner", "user.test")).setEnvironment("production") - .setResourceOwnership(new ResourceDomainOwnership().setMetaOwner("TF")); + .setResourceOwnership(new ResourceDomainOwnership().setMetaOwner("TF")) + .setX509CertSignerKeyId("x509-keyid").setSshCertSignerKeyId("ssh-keyid"); assertEquals(sd, sd2); assertEquals(sd, sd); @@ -668,6 +708,20 @@ public void testSubDomainMethod() { sd2.setEnvironment("production"); assertEquals(sd, sd2); + sd2.setX509CertSignerKeyId("x509-keyid2"); + assertNotEquals(sd, sd2); + sd2.setX509CertSignerKeyId(null); + assertNotEquals(sd, sd2); + sd2.setX509CertSignerKeyId("x509-keyid"); + assertEquals(sd, sd2); + + sd2.setSshCertSignerKeyId("ssh-keyid2"); + assertNotEquals(sd, sd2); + sd2.setSshCertSignerKeyId(null); + assertNotEquals(sd, sd2); + sd2.setSshCertSignerKeyId("ssh-keyid"); + assertEquals(sd, sd2); + sd2.setContacts(Map.of("product-owner", "user.test")); assertNotEquals(sd, sd2); sd2.setContacts(null); @@ -858,7 +912,8 @@ public void testUserDomainMethod() { .setTags(Collections.singletonMap("tagKey", new TagValueList().setList(Collections.singletonList("tagValue")))) .setMemberPurgeExpiryDays(10).setGcpProject("gcp").setGcpProjectNumber("1246") .setProductId("abcd-1234").setFeatureFlags(3).setContacts(Map.of("pe-owner", "user.test")) - .setEnvironment("production").setResourceOwnership(new ResourceDomainOwnership().setMetaOwner("TF")); + .setEnvironment("production").setResourceOwnership(new ResourceDomainOwnership().setMetaOwner("TF")) + .setX509CertSignerKeyId("x509-keyid").setSshCertSignerKeyId("ssh-keyid"); Validator.Result result = validator.validate(ud, "UserDomain"); assertTrue(result.valid); 
@@ -894,6 +949,8 @@ public void testUserDomainMethod() { assertEquals(ud.getFeatureFlags(), 3); assertEquals(ud.getContacts(), Map.of("pe-owner", "user.test")); assertEquals(ud.getEnvironment(), "production"); + assertEquals(ud.getX509CertSignerKeyId(), "x509-keyid"); + assertEquals(ud.getSshCertSignerKeyId(), "ssh-keyid"); assertEquals(ud.getResourceOwnership(), new ResourceDomainOwnership().setMetaOwner("TF")); UserDomain ud2 = new UserDomain().setDescription("domain desc").setOrg("org:test").setEnabled(true) @@ -907,7 +964,8 @@ public void testUserDomainMethod() { .setTags(Collections.singletonMap("tagKey", new TagValueList().setList(Collections.singletonList("tagValue")))) .setMemberPurgeExpiryDays(10).setGcpProject("gcp").setGcpProjectNumber("1246") .setProductId("abcd-1234").setFeatureFlags(3).setContacts(Map.of("pe-owner", "user.test")) - .setEnvironment("production").setResourceOwnership(new ResourceDomainOwnership().setMetaOwner("TF")); + .setEnvironment("production").setResourceOwnership(new ResourceDomainOwnership().setMetaOwner("TF")) + .setX509CertSignerKeyId("x509-keyid").setSshCertSignerKeyId("ssh-keyid"); assertEquals(ud, ud2); assertEquals(ud, ud); @@ -919,6 +977,20 @@ public void testUserDomainMethod() { ud2.setEnvironment("production"); assertEquals(ud, ud2); + ud2.setX509CertSignerKeyId("x509-keyid2"); + assertNotEquals(ud, ud2); + ud2.setX509CertSignerKeyId(null); + assertNotEquals(ud, ud2); + ud2.setX509CertSignerKeyId("x509-keyid"); + assertEquals(ud, ud2); + + ud2.setSshCertSignerKeyId("ssh-keyid2"); + assertNotEquals(ud, ud2); + ud2.setSshCertSignerKeyId(null); + assertNotEquals(ud, ud2); + ud2.setSshCertSignerKeyId("ssh-keyid"); + assertEquals(ud, ud2); + ud2.setContacts(Map.of("product-owner", "user.test")); assertNotEquals(ud, ud2); ud2.setContacts(null); 
@@ -1129,7 +1201,8 @@ public void testDomainMethod() { .setBusinessService("business-service").setMemberPurgeExpiryDays(10).setGcpProject("gcp") .setGcpProjectNumber("1237").setProductId("abcd-1234").setFeatureFlags(3) .setContacts(Map.of("pe-owner", "user.test")).setEnvironment("production") - .setResourceOwnership(new ResourceDomainOwnership().setMetaOwner("TF")); + .setResourceOwnership(new ResourceDomainOwnership().setMetaOwner("TF")) + .setX509CertSignerKeyId("x509-keyid").setSshCertSignerKeyId("ssh-keyid"); Validator.Result result = validator.validate(d, "Domain"); assertTrue(result.valid); @@ -1166,6 +1239,8 @@ public void testDomainMethod() { assertEquals(d.getFeatureFlags(), 3); assertEquals(d.getContacts(), Map.of("pe-owner", "user.test")); assertEquals(d.getEnvironment(), "production"); + assertEquals(d.getX509CertSignerKeyId(), "x509-keyid"); + assertEquals(d.getSshCertSignerKeyId(), "ssh-keyid"); assertEquals(d.getResourceOwnership(), new ResourceDomainOwnership().setMetaOwner("TF")); Domain d2 = new Domain(); @@ -1180,7 +1255,8 @@ public void testDomainMethod() { .setBusinessService("business-service").setMemberPurgeExpiryDays(10).setGcpProject("gcp") .setGcpProjectNumber("1237").setProductId("abcd-1234").setFeatureFlags(3) .setContacts(Map.of("pe-owner", "user.test")).setEnvironment("production") - .setResourceOwnership(new ResourceDomainOwnership().setMetaOwner("TF")); + .setResourceOwnership(new ResourceDomainOwnership().setMetaOwner("TF")) + .setX509CertSignerKeyId("x509-keyid").setSshCertSignerKeyId("ssh-keyid"); assertEquals(d, d2); assertEquals(d, d); 
@@ -1192,6 +1268,20 @@ public void testDomainMethod() { d2.setEnvironment("production"); assertEquals(d, d2); + d2.setX509CertSignerKeyId("x509-keyid2"); + assertNotEquals(d, d2); + d2.setX509CertSignerKeyId(null); + assertNotEquals(d, d2); + d2.setX509CertSignerKeyId("x509-keyid"); + assertEquals(d, d2); + + d2.setSshCertSignerKeyId("ssh-keyid2"); + assertNotEquals(d, d2); + d2.setSshCertSignerKeyId(null); + assertNotEquals(d, d2); + d2.setSshCertSignerKeyId("ssh-keyid"); + assertEquals(d, d2); + d2.setContacts(Map.of("product-owner", "user.test")); assertNotEquals(d, d2); d2.setContacts(null); diff --git a/core/zms/src/test/java/com/yahoo/athenz/zms/ZMSCoreTest.java b/core/zms/src/test/java/com/yahoo/athenz/zms/ZMSCoreTest.java index f93d1e0e547..e95443cfc94 100644 --- a/core/zms/src/test/java/com/yahoo/athenz/zms/ZMSCoreTest.java +++ b/core/zms/src/test/java/com/yahoo/athenz/zms/ZMSCoreTest.java @@ -590,7 +590,8 @@ public void testSignedDomainsMethod() { .setTags(Collections.singletonMap("tagKey", new TagValueList().setList(Collections.singletonList("tagValue")))) .setBusinessService("business-service").setMemberPurgeExpiryDays(10).setGcpProject("gcp").setGcpProjectNumber("1235") .setProductId("abcd-1234").setFeatureFlags(3).setContacts(Map.of("pe-owner", "user.test")) - .setEnvironment("production").setResourceOwnership(new ResourceDomainOwnership().setObjectOwner("TF")); + .setEnvironment("production").setResourceOwnership(new ResourceDomainOwnership().setObjectOwner("TF")) + .setX509CertSignerKeyId("x509-keyid").setSshCertSignerKeyId("ssh-keyid"); result = validator.validate(dd, "DomainData"); assertTrue(result.valid, result.error); 
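Review bot: The new DomainData assertions in the testSignedDomainsMethod hunk only show a well-formed key id surviving `validator.validate(dd, "DomainData")`; there is no case where a malformed key id is rejected. If the RDL type of these two fields is a plain String (the schema is not visible here), this validator accepts any value and the CompoundName restriction that ZMSImpl.validateDomainValues and validateDomainMetaValues apply in this same commit is the only constraint, so the negative case belongs in ZMSImplTest — for example a `DomainMeta` with `setX509CertSignerKeyId("bad key/id")` passed to putDomainSystemMeta and expected to fail with 400. The large block of putDomainMeta tests removed later in this diff is where such a case would naturally live; if those tests were moved to another file, a pointer in the commit description would help reviewers confirm coverage was not lost. testSignedDomainsMethod starts and ends outside this hunk.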
@@ -631,6 +632,8 @@ public void testSignedDomainsMethod() { assertEquals(dd.getFeatureFlags(), 3); assertEquals(dd.getContacts(), Map.of("pe-owner", "user.test")); assertEquals(dd.getEnvironment(), "production"); + assertEquals(dd.getX509CertSignerKeyId(), "x509-keyid"); + assertEquals(dd.getSshCertSignerKeyId(), "ssh-keyid"); assertEquals(dd.getResourceOwnership(), new ResourceDomainOwnership().setObjectOwner("TF")); DomainData dd2 = new DomainData().setName("test.domain").setAccount("aws").setYpmId(1).setRoles(rl) @@ -644,7 +647,8 @@ public void testSignedDomainsMethod() { .setBusinessService("business-service").setMemberPurgeExpiryDays(10).setGcpProject("gcp") .setGcpProjectNumber("1235").setProductId("abcd-1234").setFeatureFlags(3) .setContacts(Map.of("pe-owner", "user.test")).setEnvironment("production") - .setResourceOwnership(new ResourceDomainOwnership().setObjectOwner("TF")); + .setResourceOwnership(new ResourceDomainOwnership().setObjectOwner("TF")) + .setX509CertSignerKeyId("x509-keyid").setSshCertSignerKeyId("ssh-keyid"); assertEquals(dd2, dd); assertNotEquals(dd, null); @@ -666,6 +670,20 @@ public void testSignedDomainsMethod() { dd2.setEnvironment("production"); assertEquals(dd, dd2); + dd2.setX509CertSignerKeyId("x509-keyid2"); + assertNotEquals(dd, dd2); + dd2.setX509CertSignerKeyId(null); + assertNotEquals(dd, dd2); + dd2.setX509CertSignerKeyId("x509-keyid"); + assertEquals(dd, dd2); + + dd2.setSshCertSignerKeyId("ssh-keyid2"); + assertNotEquals(dd, dd2); + dd2.setSshCertSignerKeyId(null); + assertNotEquals(dd, dd2); + dd2.setSshCertSignerKeyId("ssh-keyid"); + assertEquals(dd, dd2); + dd2.setContacts(Map.of("product-owner", "user.test")); assertNotEquals(dd, dd2); dd2.setContacts(null); diff --git a/libs/go/zmscli/cli.go b/libs/go/zmscli/cli.go index 330ddf16eb3..cf15d47603e 100644 --- a/libs/go/zmscli/cli.go +++ b/libs/go/zmscli/cli.go 
@@ -951,6 +951,14 @@ func (cli Zms) EvalCommand(params []string) (*string, error) {
 if argc == 1 {
 return cli.SetDomainUserAuthorityFilter(dn, args[0])
 }
+ case "set-domain-x509-cert-signer-keyid":
+ if argc == 1 {
+ return cli.SetDomainX509CertSignerKeyId(dn, args[0])
+ }
+ case "set-domain-ssh-cert-signer-keyid":
+ if argc == 1 {
+ return cli.SetDomainSshCertSignerKeyId(dn, args[0])
+ }
 case "set-domain-environment":
 if argc == 1 {
 return cli.SetDomainEnvironment(dn, args[0])
@@ -1585,6 +1593,26 @@ func (cli Zms) HelpSpecificCommand(interactive bool, cmd string) string {
 buf.WriteString(" filter : comma separated list of user authority filters\n")
 buf.WriteString(" examples:\n")
 buf.WriteString(" " + domainExample + " set-domain-user-authority-filter OnShore-US\n")
+ case "set-domain-x509-cert-signer-keyid":
+ buf.WriteString(" syntax:\n")
+ buf.WriteString(" [-o json] " + domainParam + " set-domain-x509-cert-signer-keyid key-id\n")
+ buf.WriteString(" parameters:\n")
+ if !interactive {
+ buf.WriteString(" domain : name of the domain being updated\n")
+ }
+ buf.WriteString(" key-id : certificate signer key id\n")
+ buf.WriteString(" examples:\n")
+ buf.WriteString(" " + domainExample + " set-domain-x509-cert-signer-keyid keyid1\n")
+ case "set-domain-ssh-cert-signer-keyid":
+ buf.WriteString(" syntax:\n")
+ buf.WriteString(" [-o json] " + domainParam + " set-domain-ssh-cert-signer-keyid key-id\n")
+ buf.WriteString(" parameters:\n")
+ if !interactive {
+ buf.WriteString(" domain : name of the domain being updated\n")
+ }
+ buf.WriteString(" key-id : certificate signer key id\n")
+ buf.WriteString(" examples:\n")
+ buf.WriteString(" " + domainExample + " set-domain-ssh-cert-signer-keyid keyid1\n")
 case "set-domain-environment":
 buf.WriteString(" syntax:\n")
 buf.WriteString(" [-o json] " + domainParam + " set-domain-environment environment\n")
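Review bot: The `key-id` parameter description in the HelpSpecificCommand hunk is the same string for both new commands (`" key-id : certificate signer key id\n"`), so the ssh help reads as if it configured the x509 signer. Distinguish the two: `buf.WriteString(" key-id : x509 certificate signer key id\n")` for the first command and `buf.WriteString(" key-id : ssh certificate signer key id\n")` for the second. Because both commands are dispatched to PutDomainSystemMeta (see the domain.go hunk), operators would also benefit from a sentence in the help text saying this is a system attribute and needs system-meta authorization rather than ordinary domain-admin rights — I am inferring the authorization model from the endpoint used, so confirm before wording it. HelpSpecificCommand starts and ends outside this hunk.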
@@ -3571,6 +3599,8 @@ func (cli Zms) HelpListCommand() string {
 buf.WriteString(" set-domain-role-cert-expiry-mins cert-expiry-mins\n")
 buf.WriteString(" set-domain-token-sign-algorithm algorithm\n")
 buf.WriteString(" set-domain-user-authority-filter filter\n")
+ buf.WriteString(" set-domain-x509-cert-signer-keyid key-id\n")
+ buf.WriteString(" set-domain-ssh-cert-signer-keyid key-id\n")
 buf.WriteString(" set-domain-environment environment\n")
 buf.WriteString(" set-domain-feature-flags flags\n")
 buf.WriteString(" set-domain-contact type user\n")
diff --git a/libs/go/zmscli/domain.go b/libs/go/zmscli/domain.go
index 65f2763b440..a857de39d95 100644
--- a/libs/go/zmscli/domain.go
+++ b/libs/go/zmscli/domain.go
@@ -770,6 +770,40 @@ func (cli Zms) SetDomainAuditEnabled(dn string, auditEnabled bool) (*string, err
 return cli.dumpByFormat(message, cli.buildYAMLOutput)
 }
 
+func (cli Zms) SetDomainX509CertSignerKeyId(dn, keyId string) (*string, error) {
+ meta := zms.DomainMeta{
+ X509CertSignerKeyId: keyId,
+ }
+ err := cli.Zms.PutDomainSystemMeta(zms.DomainName(dn), "x509certsignerkeyid", cli.AuditRef, &meta)
+ if err != nil {
+ return nil, err
+ }
+ s := "[domain " + dn + " metadata successfully updated]\n"
+ message := SuccessMessage{
+ Status: 200,
+ Message: s,
+ }
+
+ return cli.dumpByFormat(message, cli.buildYAMLOutput)
+}
+
+func (cli Zms) SetDomainSshCertSignerKeyId(dn, keyId string) (*string, error) {
+ meta := zms.DomainMeta{
+ SshCertSignerKeyId: keyId,
+ }
+ err := cli.Zms.PutDomainSystemMeta(zms.DomainName(dn), "sshcertsignerkeyid", cli.AuditRef, &meta)
+ if err != nil {
+ return nil, err
+ }
+ s := "[domain " + dn + " metadata successfully updated]\n"
+ message := SuccessMessage{
+ Status: 200,
+ Message: s,
+ }
+
+ return cli.dumpByFormat(message, cli.buildYAMLOutput)
+}
+
 func (cli Zms) SetDomainUserAuthorityFilter(dn, filter string) (*string, error) {
 meta := zms.DomainMeta{
 UserAuthorityFilter: filter,
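Review bot: SetDomainX509CertSignerKeyId and SetDomainSshCertSignerKeyId in the domain.go hunk are identical except for the DomainMeta field and the attribute string, and they repeat the body of the neighbouring SetDomainUserAuthorityFilter as well. A small unexported helper that receives the attribute name together with the prepared DomainMeta puts the field and its attribute string on one line, so a copy-paste mismatch (setting the x509 field but sending the "sshcertsignerkeyid" attribute, which the server would then apply to the wrong setting) is visible at a glance instead of being buried in sixteen identical lines. The helper's attribute parameter has to match the type PutDomainSystemMeta expects, which is not visible in this hunk; adjust the conversion if that parameter is a named string type. The existing Set* functions in this file could adopt the helper in a follow-up.
```go
// setDomainSystemMetaAttr sends one system-meta attribute update for the
// domain and formats the standard success message.
func (cli Zms) setDomainSystemMetaAttr(dn, attribute string, meta *zms.DomainMeta) (*string, error) {
	// attribute is passed as-is; convert it here if PutDomainSystemMeta takes a named type
	err := cli.Zms.PutDomainSystemMeta(zms.DomainName(dn), attribute, cli.AuditRef, meta)
	if err != nil {
		return nil, err
	}
	message := SuccessMessage{
		Status:  200,
		Message: "[domain " + dn + " metadata successfully updated]\n",
	}
	return cli.dumpByFormat(message, cli.buildYAMLOutput)
}

func (cli Zms) SetDomainX509CertSignerKeyId(dn, keyId string) (*string, error) {
	return cli.setDomainSystemMetaAttr(dn, "x509certsignerkeyid", &zms.DomainMeta{X509CertSignerKeyId: keyId})
}

func (cli Zms) SetDomainSshCertSignerKeyId(dn, keyId string) (*string, error) {
	return cli.setDomainSystemMetaAttr(dn, "sshcertsignerkeyid", &zms.DomainMeta{SshCertSignerKeyId: keyId})
}
```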
diff --git a/servers/zms/schema/updates/update-20240708.sql b/servers/zms/schema/updates/update-20240708.sql
new file mode 100644
index 00000000000..f3cd8374c69
--- /dev/null
+++ b/servers/zms/schema/updates/update-20240708.sql
@@ -0,0 +1,2 @@
+ALTER TABLE `zms_server`.`domain` ADD `x509_cert_signer_keyid` VARCHAR(64) NOT NULL DEFAULT '';
+ALTER TABLE `zms_server`.`domain` ADD `ssh_cert_signer_keyid` VARCHAR(64) NOT NULL DEFAULT '';
diff --git a/servers/zms/schema/zms_server.mwb b/servers/zms/schema/zms_server.mwb
index 14ca71ead9e..8add9312cd8 100644
Binary files a/servers/zms/schema/zms_server.mwb and b/servers/zms/schema/zms_server.mwb differ
diff --git a/servers/zms/schema/zms_server.sql b/servers/zms/schema/zms_server.sql
index 17220b07442..9ac6b36c840 100644
--- a/servers/zms/schema/zms_server.sql
+++ b/servers/zms/schema/zms_server.sql
@@ -1,5 +1,5 @@
 -- MySQL Script generated by MySQL Workbench
--- Fri May 24 13:53:41 2024
+-- Mon Jul 8 11:11:29 2024
 -- Model: New Model Version: 1.0
 -- MySQL Workbench Forward Engineering
 
@@ -53,6 +53,8 @@ CREATE TABLE IF NOT EXISTS `zms_server`.`domain` (
 `resource_owner` VARCHAR(256) NOT NULL DEFAULT '',
 `azure_tenant` VARCHAR(128) NOT NULL DEFAULT '',
 `azure_client` VARCHAR(128) NOT NULL DEFAULT '',
+ `x509_cert_signer_keyid` VARCHAR(64) NOT NULL DEFAULT '',
+ `ssh_cert_signer_keyid` VARCHAR(64) NOT NULL DEFAULT '',
 PRIMARY KEY (`domain_id`),
 UNIQUE INDEX `uq_name` (`name` ASC),
 INDEX `idx_modified` (`modified` ASC),
diff --git a/servers/zms/src/main/java/com/yahoo/athenz/zms/DBService.java b/servers/zms/src/main/java/com/yahoo/athenz/zms/DBService.java
index f208a87450e..bf02541b682 100644
--- a/servers/zms/src/main/java/com/yahoo/athenz/zms/DBService.java
+++ b/servers/zms/src/main/java/com/yahoo/athenz/zms/DBService.java
@@ -4226,7 +4226,9 @@ void executePutDomainMeta(ResourceContext ctx, Domain domain, DomainMeta meta, .setMemberPurgeExpiryDays(domain.getMemberPurgeExpiryDays()) .setFeatureFlags(domain.getFeatureFlags()) .setContacts(domain.getContacts()) - .setEnvironment(domain.getEnvironment()); + .setEnvironment(domain.getEnvironment()) + .setX509CertSignerKeyId(domain.getX509CertSignerKeyId()) + .setSshCertSignerKeyId(domain.getSshCertSignerKeyId()); // then we're going to apply the updated fields // from the given object @@ -4672,6 +4674,18 @@ void updateSystemMetaFields(Domain domain, final String attribute, boolean delet } domain.setOrg(meta.getOrg()); break; + case ZMSConsts.SYSTEM_META_X509_CERT_SIGNER_KEYID: + if (!isDeleteSystemMetaAllowed(deleteAllowed, domain.getX509CertSignerKeyId(), meta.getX509CertSignerKeyId())) { + throw ZMSUtils.forbiddenError("unauthorized to reset system meta attribute: " + attribute, caller); + } + domain.setX509CertSignerKeyId(meta.getX509CertSignerKeyId()); + break; + case ZMSConsts.SYSTEM_META_SSH_CERT_SIGNER_KEYID: + if (!isDeleteSystemMetaAllowed(deleteAllowed, domain.getSshCertSignerKeyId(), meta.getSshCertSignerKeyId())) { + throw ZMSUtils.forbiddenError("unauthorized to reset system meta attribute: " + attribute, caller); + } + domain.setSshCertSignerKeyId(meta.getSshCertSignerKeyId()); + break; case ZMSConsts.SYSTEM_META_AUDIT_ENABLED: domain.setAuditEnabled(meta.getAuditEnabled()); break; diff --git a/servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSConsts.java b/servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSConsts.java index 56be910af15..2e7053abcc3 100644 --- a/servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSConsts.java +++ b/servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSConsts.java 
@@ -298,6 +298,8 @@ public final class ZMSConsts { public static final String DB_COLUMN_PRINCIPAL_GROUP = "principal_group"; public static final String DB_COLUMN_PRINCIPAL_GROUP_MEMBER = "principal_group_member"; public static final String DB_COLUMN_MEMBER_PURGE_EXPIRY_DAYS = "member_purge_expiry_days"; + public static final String DB_COLUMN_X509_CERT_SIGNER_KEYID = "x509_cert_signer_keyid"; + public static final String DB_COLUMN_SSH_CERT_SIGNER_KEYID = "ssh_cert_signer_keyid"; public static final String DB_COLUMN_USER_AUTHORITY_FILTER = "user_authority_filter"; public static final String DB_COLUMN_USER_AUTHORITY_EXPIRATION = "user_authority_expiration"; @@ -342,6 +344,9 @@ public final class ZMSConsts { public static final String SYSTEM_META_FEATURE_FLAGS = "featureflags"; public static final String SYSTEM_META_ATTR_ALL = "all"; + public static final String SYSTEM_META_X509_CERT_SIGNER_KEYID = "x509certsignerkeyid"; + public static final String SYSTEM_META_SSH_CERT_SIGNER_KEYID = "sshcertsignerkeyid"; + // HTTP operation types used in metrics public static final String HTTP_GET = "GET"; public static final String HTTP_PUT = "PUT"; diff --git a/servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSImpl.java b/servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSImpl.java index 3dde9dd436a..83e320fd7a2 100644 --- a/servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSImpl.java +++ b/servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSImpl.java @@ -1622,7 +1622,9 @@ public Domain postTopLevelDomain(ResourceContext ctx, String auditRef, String re .setCertDnsDomain(detail.getCertDnsDomain()) .setFeatureFlags(detail.getFeatureFlags()) .setContacts(detail.getContacts()) - .setEnvironment(detail.getEnvironment()); + .setEnvironment(detail.getEnvironment()) + .setX509CertSignerKeyId(detail.getX509CertSignerKeyId()) + .setSshCertSignerKeyId(detail.getSshCertSignerKeyId()); // before processing validate the fields 
@@ -1966,12 +1968,14 @@ public Domain postSubDomain(ResourceContext ctx, String parent, String auditRef, throw ZMSUtils.notFoundError("Invalid parent domain: " + parent, caller); } - // inherit audit_enabled flag, organization and user authority settings - // from the parent domain + // inherit audit_enabled flag, organization, user authority, + // x509 and ssh cert signer key id settings from the parent domain detail.setAuditEnabled(parentDomain.getDomain().getAuditEnabled()); detail.setOrg(parentDomain.getDomain().getOrg()); detail.setUserAuthorityFilter(parentDomain.getDomain().getUserAuthorityFilter()); + detail.setX509CertSignerKeyId(parentDomain.getDomain().getX509CertSignerKeyId()); + detail.setSshCertSignerKeyId(parentDomain.getDomain().getSshCertSignerKeyId()); // generate and verify admin users @@ -1996,7 +2000,9 @@ public Domain postSubDomain(ResourceContext ctx, String parent, String auditRef, .setTags(detail.getTags()) .setBusinessService(detail.getBusinessService()) .setContacts(detail.getContacts()) - .setEnvironment(detail.getEnvironment()); + .setEnvironment(detail.getEnvironment()) + .setX509CertSignerKeyId(detail.getX509CertSignerKeyId()) + .setSshCertSignerKeyId(detail.getSshCertSignerKeyId()); // before processing validate the fields @@ -2396,6 +2402,8 @@ void validateDomainValues(Domain domain) { validateString(domain.getGcpProject(), TYPE_COMPOUND_NAME, caller); validateString(domain.getGcpProjectNumber(), TYPE_COMPOUND_NAME, caller); validateString(domain.getUserAuthorityFilter(), TYPE_AUTHORITY_KEYWORDS, caller); + validateString(domain.getX509CertSignerKeyId(), TYPE_COMPOUND_NAME, caller); + validateString(domain.getSshCertSignerKeyId(), TYPE_COMPOUND_NAME, caller); // we're going to check the meta values for our new domain // requests against our meta store 
@@ -2553,6 +2561,8 @@ void validateDomainMetaValues(DomainMeta meta) { validateString(meta.getApplicationId(), TYPE_COMPOUND_NAME, caller); validateString(meta.getAccount(), TYPE_COMPOUND_NAME, caller); + validateString(meta.getX509CertSignerKeyId(), TYPE_COMPOUND_NAME, caller); + validateString(meta.getSshCertSignerKeyId(), TYPE_COMPOUND_NAME, caller); // validate the domain contacts types and names diff --git a/servers/zms/src/main/java/com/yahoo/athenz/zms/store/impl/jdbc/JDBCConnection.java b/servers/zms/src/main/java/com/yahoo/athenz/zms/store/impl/jdbc/JDBCConnection.java index 5ae8b19ccbf..465a87fca31 100644 --- a/servers/zms/src/main/java/com/yahoo/athenz/zms/store/impl/jdbc/JDBCConnection.java +++ b/servers/zms/src/main/java/com/yahoo/athenz/zms/store/impl/jdbc/JDBCConnection.java 
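Review bot: `validateString(meta.getX509CertSignerKeyId(), TYPE_COMPOUND_NAME, caller)` and its ssh twin constrain the character set of the key id but, as far as this hunk shows, not its length, while the migration in this commit creates both columns as `VARCHAR(64) NOT NULL`. A key id longer than 64 characters therefore either fails late with a SQL error (MySQL strict mode) or is silently truncated (non-strict mode), and a truncated value would point the domain at a different signer key than the administrator asked for. Add an explicit maximum-length check beside these two calls, raising the same request error the surrounding validators use, and do the same in validateDomainValues in the preceding hunk; if validateString already caps CompoundName at or below 64 characters this is moot, but I cannot see that from here. Separately, nothing in the server hunks verifies that the key id names a signer key the certificate signer actually holds — if that is enforced downstream, a one-line comment here saying so would save the next reader the search. validateDomainMetaValues starts and ends outside this hunk.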
@@ -81,15 +81,15 @@ public class JDBCConnection implements ObjectStoreConnection { + " member_expiry_days, token_expiry_mins, service_cert_expiry_mins, role_cert_expiry_mins, sign_algorithm," + " service_expiry_days, user_authority_filter, group_expiry_days, azure_subscription, business_service," + " member_purge_expiry_days, gcp_project, gcp_project_number, product_id, feature_flags, environment," - + " azure_tenant, azure_client)" - + " VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?);"; + + " azure_tenant, azure_client, x509_cert_signer_keyid, ssh_cert_signer_keyid)" + + " VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?);"; private static final String SQL_UPDATE_DOMAIN = "UPDATE domain " + "SET description=?, org=?, uuid=?, enabled=?, audit_enabled=?, account=?, ypm_id=?, application_id=?," + " cert_dns_domain=?, member_expiry_days=?, token_expiry_mins=?, service_cert_expiry_mins=?," + " role_cert_expiry_mins=?, sign_algorithm=?, service_expiry_days=?, user_authority_filter=?," + " group_expiry_days=?, azure_subscription=?, business_service=?, member_purge_expiry_days=?," + " gcp_project=?, gcp_project_number=?, product_id=?, feature_flags=?, environment=?," - + " azure_tenant=?, azure_client=? WHERE name=?;"; + + " azure_tenant=?, azure_client=?, x509_cert_signer_keyid=?, ssh_cert_signer_keyid=? WHERE name=?;"; private static final String SQL_UPDATE_DOMAIN_MOD_TIMESTAMP = "UPDATE domain " + "SET modified=CURRENT_TIMESTAMP(3) WHERE name=?;"; private static final String SQL_GET_DOMAIN_MOD_TIMESTAMP = "SELECT modified FROM domain WHERE name=?;"; 
@@ -887,7 +887,9 @@ Domain saveDomainSettings(String domainName, ResultSet rs, boolean fetchAddlDeta .setMemberPurgeExpiryDays(nullIfDefaultValue(rs.getInt(ZMSConsts.DB_COLUMN_MEMBER_PURGE_EXPIRY_DAYS), 0)) .setFeatureFlags(nullIfDefaultValue(rs.getInt(ZMSConsts.DB_COLUMN_FEATURE_FLAGS), 0)) .setEnvironment(saveValue(rs.getString(ZMSConsts.DB_COLUMN_ENVIRONMENT))) - .setResourceOwnership(ResourceOwnership.getResourceDomainOwnership(rs.getString(ZMSConsts.DB_COLUMN_RESOURCE_OWNER))); + .setResourceOwnership(ResourceOwnership.getResourceDomainOwnership(rs.getString(ZMSConsts.DB_COLUMN_RESOURCE_OWNER))) + .setX509CertSignerKeyId(saveValue(rs.getString(ZMSConsts.DB_COLUMN_X509_CERT_SIGNER_KEYID))) + .setSshCertSignerKeyId(saveValue(rs.getString(ZMSConsts.DB_COLUMN_SSH_CERT_SIGNER_KEYID))); if (fetchAddlDetails) { int domainId = rs.getInt(ZMSConsts.DB_COLUMN_DOMAIN_ID); domain.setTags(getDomainTags(domainId)); @@ -959,6 +961,8 @@ public boolean insertDomain(Domain domain) { ps.setString(26, processInsertValue(domain.getEnvironment())); ps.setString(27, processInsertValue(domain.getAzureTenant())); ps.setString(28, processInsertValue(domain.getAzureClient())); + ps.setString(29, processInsertValue(domain.getX509CertSignerKeyId())); + ps.setString(30, processInsertValue(domain.getSshCertSignerKeyId())); affectedRows = executeUpdate(ps, caller); } catch (SQLException ex) { throw sqlError(ex, caller); @@ -1105,7 +1109,9 @@ public boolean updateDomain(Domain domain) { ps.setString(25, processInsertValue(domain.getEnvironment())); ps.setString(26, processInsertValue(domain.getAzureTenant())); ps.setString(27, processInsertValue(domain.getAzureClient())); - ps.setString(28, domain.getName()); + ps.setString(28, processInsertValue(domain.getX509CertSignerKeyId())); + ps.setString(29, processInsertValue(domain.getSshCertSignerKeyId())); + ps.setString(30, domain.getName()); affectedRows = executeUpdate(ps, caller); } catch (SQLException ex) { throw sqlError(ex, caller); 
diff --git a/servers/zms/src/test/java/com/yahoo/athenz/zms/ZMSImplTest.java b/servers/zms/src/test/java/com/yahoo/athenz/zms/ZMSImplTest.java index 71053f43f20..dc4acdb5466 100644 --- a/servers/zms/src/test/java/com/yahoo/athenz/zms/ZMSImplTest.java +++ b/servers/zms/src/test/java/com/yahoo/athenz/zms/ZMSImplTest.java 
@@ -1359,526 +1359,6 @@ public void testCreateSubdomainOnceOnly() { zmsImpl.deleteTopLevelDomain(ctx, "AddOnceSubDom1", auditRef, null); } - @Test - public void testPutDomainMetaThrowException() { - - TestAuditLogger alogger = new TestAuditLogger(); - ZMSImpl zmsImpl = zmsTestInitializer.getZmsImpl(alogger); - RsrcCtxWrapper ctx = zmsTestInitializer.getMockDomRsrcCtx(); - final String auditRef = zmsTestInitializer.getAuditRef(); - - String domName = "wrongDomainName"; - DomainMeta meta = new DomainMeta(); - meta.setYpmId(ZMSTestInitializer.getRandomProductId()); - try { - zmsImpl.putDomainMeta(ctx, domName, auditRef, null, meta); - fail("notfounderror not thrown."); - } catch (ResourceException e) { - assertEquals(404, e.getCode()); - } - } - - @Test - public void testPutDomainMeta() { - - final String domainName = "domain-meta-test"; - - ZMSImpl zmsImpl = zmsTestInitializer.getZms(); - RsrcCtxWrapper ctx = zmsTestInitializer.getMockDomRsrcCtx(); - final String auditRef = zmsTestInitializer.getAuditRef(); - - TopLevelDomain dom1 = zmsTestInitializer.createTopLevelDomainObject(domainName, - "Test Domain1", "testOrg", zmsTestInitializer.getAdminUser()); - zmsImpl.postTopLevelDomain(ctx, auditRef, null, dom1); - - Domain resDom1 = zmsImpl.getDomain(ctx, domainName); - assertNotNull(resDom1); - assertEquals(resDom1.getDescription(), "Test Domain1"); - assertEquals(resDom1.getOrg(), "testorg"); - assertTrue(resDom1.getEnabled()); - assertFalse(resDom1.getAuditEnabled()); - assertNull(resDom1.getServiceCertExpiryMins()); - assertNull(resDom1.getRoleCertExpiryMins()); - assertNull(resDom1.getMemberExpiryDays()); - assertNull(resDom1.getServiceExpiryDays()); - assertNull(resDom1.getGroupExpiryDays()); - assertNull(resDom1.getTokenExpiryMins()); - assertNull(resDom1.getMemberPurgeExpiryDays()); - assertNull(resDom1.getProductId()); - - DomainMeta meta = zmsTestInitializer.createDomainMetaObject("Test2 Domain", "NewOrg", - true, true, "12345", 1001); - 
meta.setCertDnsDomain("YAHOO.cloud"); - meta.setServiceCertExpiryMins(100); - meta.setRoleCertExpiryMins(200); - meta.setMemberPurgeExpiryDays(90); - meta.setSignAlgorithm("ec"); - meta.setProductId("abcd-1234"); - zmsImpl.putDomainMeta(ctx, domainName, auditRef, null, meta); - zmsImpl.putDomainSystemMeta(ctx, domainName, "auditenabled", auditRef, meta); - zmsImpl.putDomainSystemMeta(ctx, domainName, "account", auditRef, meta); - zmsImpl.putDomainSystemMeta(ctx, domainName, "certdnsdomain", auditRef, meta); - - zmsTestInitializer.setupPrincipalSystemMetaDelete(zmsImpl, ctx.principal().getFullName(), - domainName, "domain", "productid", "org", "certdnsdomain"); - zmsImpl.putDomainSystemMeta(ctx, domainName, "org", auditRef, meta); - zmsImpl.putDomainSystemMeta(ctx, domainName, "productid", auditRef, meta); - - Domain resDom3 = zmsImpl.getDomain(ctx, domainName); - assertNotNull(resDom3); - assertEquals(resDom3.getDescription(), "Test2 Domain"); - assertEquals(resDom3.getOrg(), "neworg"); - assertTrue(resDom3.getEnabled()); - assertTrue(resDom3.getAuditEnabled()); - assertEquals(resDom3.getAccount(), "12345"); - assertEquals(Integer.valueOf(1001), resDom3.getYpmId()); - assertEquals(resDom3.getProductId(), "abcd-1234"); - assertEquals(resDom3.getCertDnsDomain(), "yahoo.cloud"); - assertEquals(resDom3.getServiceCertExpiryMins(), Integer.valueOf(100)); - assertEquals(resDom3.getMemberPurgeExpiryDays(), Integer.valueOf(90)); - assertEquals(resDom3.getRoleCertExpiryMins(), Integer.valueOf(200)); - assertNull(resDom3.getMemberExpiryDays()); - assertNull(resDom3.getServiceExpiryDays()); - assertNull(resDom3.getGroupExpiryDays()); - assertNull(resDom3.getTokenExpiryMins()); - assertEquals(resDom3.getSignAlgorithm(), "ec"); - - // put the metadata using same product id - - meta = zmsTestInitializer.createDomainMetaObject("just a new desc", "organs", - true, true, "12345", 1001); - meta.setMemberExpiryDays(300); - meta.setServiceExpiryDays(350); - 
meta.setGroupExpiryDays(375); - meta.setTokenExpiryMins(400); - meta.setProductId("abcd-1234"); - zmsImpl.putDomainMeta(ctx, domainName, auditRef, null, meta); - - resDom3 = zmsImpl.getDomain(ctx, domainName); - assertNotNull(resDom3); - assertEquals(resDom3.getDescription(), "just a new desc"); - //org is system attr. so it won't be changed by putdomainmeta call - assertEquals(resDom3.getOrg(), "neworg"); - assertTrue(resDom3.getEnabled()); - assertTrue(resDom3.getAuditEnabled()); - assertEquals(resDom3.getAccount(), "12345"); - assertEquals(resDom3.getProductId(), "abcd-1234"); - assertEquals(Integer.valueOf(1001), resDom3.getYpmId()); - assertEquals(resDom3.getServiceCertExpiryMins(), Integer.valueOf(100)); - assertEquals(resDom3.getRoleCertExpiryMins(), Integer.valueOf(200)); - assertEquals(resDom3.getMemberExpiryDays(), Integer.valueOf(300)); - assertEquals(resDom3.getServiceExpiryDays(), Integer.valueOf(350)); - assertEquals(resDom3.getGroupExpiryDays(), Integer.valueOf(375)); - assertEquals(resDom3.getTokenExpiryMins(), Integer.valueOf(400)); - assertEquals(resDom3.getMemberPurgeExpiryDays(), Integer.valueOf(90)); - - zmsImpl.putDomainSystemMeta(ctx, domainName, "org", auditRef, meta); - resDom3 = zmsImpl.getDomain(ctx, domainName); - assertNotNull(resDom3); - assertEquals(resDom3.getOrg(), "organs"); - - // put the metadata using new product - meta = zmsTestInitializer.createDomainMetaObject("just a new desc", "organs", - true, true, "12345", 1001); - Integer newProductId = ZMSTestInitializer.getRandomProductId(); - meta.setYpmId(newProductId); - meta.setProductId("abcd-1234-5678"); - meta.setServiceCertExpiryMins(5); - meta.setRoleCertExpiryMins(0); - meta.setMemberExpiryDays(15); - meta.setServiceExpiryDays(17); - meta.setGroupExpiryDays(18); - meta.setTokenExpiryMins(20); - meta.setMemberPurgeExpiryDays(120); - meta.setSignAlgorithm("rsa"); - zmsImpl.putDomainMeta(ctx, domainName, auditRef, null, meta); - zmsImpl.putDomainSystemMeta(ctx, domainName, 
"productid", auditRef, meta); - - resDom3 = zmsImpl.getDomain(ctx, domainName); - assertNotNull(resDom3); - assertEquals(resDom3.getDescription(), "just a new desc"); - assertEquals(resDom3.getOrg(), "organs"); - assertTrue(resDom3.getEnabled()); - assertTrue(resDom3.getAuditEnabled()); - assertEquals(resDom3.getAccount(), "12345"); - assertEquals(resDom3.getProductId(), "abcd-1234-5678"); - assertEquals(newProductId, resDom3.getYpmId()); - assertEquals(resDom3.getServiceCertExpiryMins(), Integer.valueOf(5)); - assertNull(resDom3.getRoleCertExpiryMins()); - assertEquals(resDom3.getMemberExpiryDays(), Integer.valueOf(15)); - assertEquals(resDom3.getServiceExpiryDays(), Integer.valueOf(17)); - assertEquals(resDom3.getGroupExpiryDays(), Integer.valueOf(18)); - assertEquals(resDom3.getTokenExpiryMins(), Integer.valueOf(20)); - assertEquals(resDom3.getMemberPurgeExpiryDays(), Integer.valueOf(120)); - assertEquals(resDom3.getSignAlgorithm(), "rsa"); - assertNull(resDom3.getFeatureFlags()); - - // put new feature flags for the domain - - meta.setFeatureFlags(3); - zmsImpl.putDomainMeta(ctx, domainName, auditRef, null, meta); - zmsImpl.putDomainSystemMeta(ctx, domainName, "featureflags", auditRef, meta); - - resDom3 = zmsImpl.getDomain(ctx, domainName); - assertNotNull(resDom3); - assertEquals(resDom3.getDescription(), "just a new desc"); - assertEquals(resDom3.getOrg(), "organs"); - assertTrue(resDom3.getEnabled()); - assertTrue(resDom3.getAuditEnabled()); - assertEquals(resDom3.getAccount(), "12345"); - assertEquals(resDom3.getProductId(), "abcd-1234-5678"); - assertEquals(newProductId, resDom3.getYpmId()); - assertEquals(resDom3.getServiceCertExpiryMins(), Integer.valueOf(5)); - assertNull(resDom3.getRoleCertExpiryMins()); - assertEquals(resDom3.getMemberExpiryDays(), Integer.valueOf(15)); - assertEquals(resDom3.getServiceExpiryDays(), Integer.valueOf(17)); - assertEquals(resDom3.getGroupExpiryDays(), Integer.valueOf(18)); - assertEquals(resDom3.getTokenExpiryMins(), 
Integer.valueOf(20)); - assertEquals(resDom3.getMemberPurgeExpiryDays(), Integer.valueOf(120)); - assertEquals(resDom3.getSignAlgorithm(), "rsa"); - assertEquals(resDom3.getFeatureFlags().intValue(), 3); - - // update the feature flags value - - meta.setFeatureFlags(7); - zmsImpl.putDomainSystemMeta(ctx, domainName, "featureflags", auditRef, meta); - resDom3 = zmsImpl.getDomain(ctx, domainName); - assertEquals(resDom3.getFeatureFlags().intValue(), 7); - - zmsTestInitializer.cleanupPrincipalSystemMetaDelete(zmsImpl, "domain"); - zmsImpl.deleteTopLevelDomain(ctx, domainName, auditRef, null); - } - - @Test - public void testPutDomainSystemMetaModifiedTimestamp() { - - ZMSImpl zmsImpl = zmsTestInitializer.getZms(); - RsrcCtxWrapper ctx = zmsTestInitializer.getMockDomRsrcCtx(); - final String auditRef = zmsTestInitializer.getAuditRef(); - - final String domainName = "metadomainmodified"; - TopLevelDomain dom1 = zmsTestInitializer.createTopLevelDomainObject(domainName, - "Test Domain1", "testOrg", zmsTestInitializer.getAdminUser()); - zmsImpl.postTopLevelDomain(ctx, auditRef, null, dom1); - - Domain resDom1 = zmsImpl.getDomain(ctx, domainName); - assertNotNull(resDom1); - long domMod1 = resDom1.getModified().millis(); - - ZMSTestUtils.sleep(1); - - DomainMeta meta = new DomainMeta(); - zmsImpl.putDomainSystemMeta(ctx, domainName, "modified", auditRef, meta); - - Domain resDom2 = zmsImpl.getDomain(ctx, domainName); - assertNotNull(resDom2); - long domMod2 = resDom2.getModified().millis(); - - assertTrue(domMod2 > domMod1); - zmsImpl.deleteTopLevelDomain(ctx, domainName, auditRef, null); - } - - @Test - public void testPutDomainMetaInvalid() { - - // enable product id support - - System.setProperty(ZMSConsts.ZMS_PROP_PRODUCT_ID_SUPPORT, "true"); - ZMSImpl zmsImpl = zmsTestInitializer.zmsInit(); - RsrcCtxWrapper ctx = zmsTestInitializer.getMockDomRsrcCtx(); - final String auditRef = zmsTestInitializer.getAuditRef(); - - final String domainName = "MetaDomProductid"; - 
TopLevelDomain dom = zmsTestInitializer.createTopLevelDomainObject(domainName, - "Test Domain", "testOrg", zmsTestInitializer.getAdminUser()); - zmsImpl.postTopLevelDomain(ctx, auditRef, null, dom); - - Domain resDom = zmsImpl.getDomain(ctx, domainName); - assertNotNull(resDom); - assertEquals(resDom.getDescription(), "Test Domain"); - assertEquals(resDom.getOrg(), "testorg"); - assertTrue(resDom.getEnabled()); - assertFalse(resDom.getAuditEnabled()); - Integer productId = resDom.getYpmId(); - - zmsTestInitializer.setupPrincipalSystemMetaDelete(zmsImpl, ctx.principal().getFullName(), - domainName, "domain", "productid"); - DomainMeta meta = zmsTestInitializer.createDomainMetaObject("Test2 Domain", "NewOrg", - true, true, "12345", null); - try { - zmsImpl.putDomainSystemMeta(ctx, domainName, "productid", auditRef, meta); - fail("bad request exc not thrown"); - } catch (ResourceException exc) { - assertEquals(400, exc.getCode()); - assertTrue(exc.getMessage().contains("Unique Product Id must be specified for top level domain")); - } - - // put metadata using another domains productId - dom = zmsTestInitializer.createTopLevelDomainObject("MetaDomProductid2", - "Test Domain", "testOrg", zmsTestInitializer.getAdminUser()); - zmsImpl.postTopLevelDomain(ctx, auditRef, null, dom); - - resDom = zmsImpl.getDomain(ctx, "MetaDomProductid2"); - Integer productId2 = resDom.getYpmId(); - assertNotEquals(productId, productId2); - - meta = zmsTestInitializer.createDomainMetaObject("Test3 Domain", "NewOrg", - true, true, "12345", productId2); - try { - zmsImpl.putDomainSystemMeta(ctx, domainName, "productid", auditRef, meta); - fail("bad request exc not thrown"); - } catch (ResourceException exc) { - assertEquals(400, exc.getCode()); - assertTrue(exc.getMessage().contains("is already assigned to domain")); - } - - // test negative values - - meta = new DomainMeta().setServiceExpiryDays(-10); - try { - zmsImpl.putDomainMeta(ctx, domainName, auditRef, null, meta); - fail(); - } catch 
(ResourceException ex) {
- assertEquals(ex.getCode(), ResourceException.BAD_REQUEST);
- }
-
- meta = new DomainMeta().setGroupExpiryDays(-10);
- try {
- zmsImpl.putDomainMeta(ctx, domainName, auditRef, null, meta);
- fail();
- } catch (ResourceException ex) {
- assertEquals(ex.getCode(), ResourceException.BAD_REQUEST);
- }
-
- meta = new DomainMeta().setMemberExpiryDays(-10);
- try {
- zmsImpl.putDomainMeta(ctx, domainName, auditRef, null, meta);
- fail();
- } catch (ResourceException ex) {
- assertEquals(ex.getCode(), ResourceException.BAD_REQUEST);
- }
-
- meta = new DomainMeta().setRoleCertExpiryMins(-10);
- try {
- zmsImpl.putDomainMeta(ctx, domainName, auditRef, null, meta);
- fail();
- } catch (ResourceException ex) {
- assertEquals(ex.getCode(), ResourceException.BAD_REQUEST);
- }
-
- meta = new DomainMeta().setServiceCertExpiryMins(-10);
- try {
- zmsImpl.putDomainMeta(ctx, domainName, auditRef, null, meta);
- fail();
- } catch (ResourceException ex) {
- assertEquals(ex.getCode(), ResourceException.BAD_REQUEST);
- }
-
- meta = new DomainMeta().setTokenExpiryMins(-10);
- try {
- zmsImpl.putDomainMeta(ctx, domainName, auditRef, null, meta);
- fail();
- } catch (ResourceException ex) {
- assertEquals(ex.getCode(), ResourceException.BAD_REQUEST);
- }
-
- zmsTestInitializer.cleanupPrincipalSystemMetaDelete(zmsImpl, "domain");
- zmsImpl.deleteTopLevelDomain(ctx, "MetaDomProductid", auditRef, null);
- zmsImpl.deleteTopLevelDomain(ctx, "MetaDomProductid2", auditRef, null);
- System.clearProperty(ZMSConsts.ZMS_PROP_PRODUCT_ID_SUPPORT);
- zmsImpl.objectStore.clearConnections();
- }
-
- @Test
- public void testPutDomainMetaDefaults() {
-
- final String domainName = "meta-dom-values";
- ZMSImpl zmsImpl = zmsTestInitializer.getZms();
- RsrcCtxWrapper ctx = zmsTestInitializer.getMockDomRsrcCtx();
- final String auditRef = zmsTestInitializer.getAuditRef();
-
- TopLevelDomain dom1 = zmsTestInitializer.createTopLevelDomainObject(domainName, null, null,
-
zmsTestInitializer.getAdminUser());
- zmsImpl.postTopLevelDomain(ctx, auditRef, null, dom1);
-
- Domain resDom1 = zmsImpl.getDomain(ctx, domainName);
- assertNotNull(resDom1);
- assertNull(resDom1.getDescription());
- assertNull(resDom1.getOrg());
- assertTrue(resDom1.getEnabled());
- assertFalse(resDom1.getAuditEnabled());
-
- DomainMeta meta = zmsTestInitializer.createDomainMetaObject("Test2 Domain", "NewOrg", true, false, null, 0);
- zmsImpl.putDomainMeta(ctx, domainName, auditRef, null, meta);
-
- zmsImpl.putDomainSystemMeta(ctx, domainName, "org", auditRef, meta);
-
- Domain resDom3 = zmsImpl.getDomain(ctx, domainName);
- assertNotNull(resDom3);
- assertEquals(resDom3.getDescription(), "Test2 Domain");
- assertEquals(resDom3.getOrg(), "neworg");
- assertTrue(resDom3.getEnabled());
- assertFalse(resDom3.getAuditEnabled());
- assertNull(resDom3.getAccount());
- assertNull(resDom3.getAzureSubscription());
- assertNull(resDom3.getGcpProject());
- assertNull(resDom3.getBusinessService());
- assertEquals(Integer.valueOf(0), resDom3.getYpmId());
-
- meta.setAccount("aws");
- zmsImpl.putDomainSystemMeta(ctx, domainName, "account", auditRef, meta);
- resDom3 = zmsImpl.getDomain(ctx, domainName);
- assertNotNull(resDom3);
- assertEquals(resDom3.getOrg(), "neworg");
- assertEquals(resDom3.getAccount(), "aws");
- assertNull(resDom3.getAzureSubscription());
- assertNull(resDom3.getGcpProject());
- assertNull(resDom3.getBusinessService());
-
- meta.setAzureSubscription("azure");
- meta.setAzureTenant("tenant");
- meta.setAzureClient("client");
- zmsImpl.putDomainSystemMeta(ctx, domainName, "azuresubscription", auditRef, meta);
- resDom3 = zmsImpl.getDomain(ctx, domainName);
- assertNotNull(resDom3);
- assertEquals(resDom3.getOrg(), "neworg");
- assertEquals(resDom3.getAccount(), "aws");
- assertEquals(resDom3.getAzureSubscription(), "azure");
- assertEquals(resDom3.getAzureTenant(), "tenant");
- assertEquals(resDom3.getAzureClient(), "client");
-
assertNull(resDom3.getGcpProject());
- assertNull(resDom3.getGcpProjectNumber());
- assertNull(resDom3.getBusinessService());
-
- meta.setGcpProject("gcp");
- meta.setGcpProjectNumber("1239");
- zmsImpl.putDomainSystemMeta(ctx, domainName, "gcpproject", auditRef, meta);
- resDom3 = zmsImpl.getDomain(ctx, domainName);
- assertNotNull(resDom3);
- assertEquals(resDom3.getOrg(), "neworg");
- assertEquals(resDom3.getAccount(), "aws");
- assertEquals(resDom3.getAzureSubscription(), "azure");
- assertEquals(resDom3.getAzureTenant(), "tenant");
- assertEquals(resDom3.getAzureClient(), "client");
- assertEquals(resDom3.getGcpProject(), "gcp");
- assertEquals(resDom3.getGcpProjectNumber(), "1239");
- assertNull(resDom3.getBusinessService());
-
- meta.setBusinessService("123:business service");
- zmsImpl.putDomainSystemMeta(ctx, domainName, "businessservice", auditRef, meta);
- resDom3 = zmsImpl.getDomain(ctx, domainName);
- assertNotNull(resDom3);
- assertEquals(resDom3.getOrg(), "neworg");
- assertEquals(resDom3.getAccount(), "aws");
- assertEquals(resDom3.getAzureSubscription(), "azure");
- assertEquals(resDom3.getAzureTenant(), "tenant");
- assertEquals(resDom3.getAzureClient(), "client");
- assertEquals(resDom3.getGcpProject(), "gcp");
- assertEquals(resDom3.getGcpProjectNumber(), "1239");
- assertEquals(resDom3.getBusinessService(), "123:business service");
-
- zmsImpl.deleteTopLevelDomain(ctx, domainName, auditRef, null);
- }
-
- @Test
- public void testPutDomainMetaMissingAuditRef() {
- ZMSImpl zmsImpl = zmsTestInitializer.getZms();
- RsrcCtxWrapper ctx = zmsTestInitializer.getMockDomRsrcCtx();
- final String auditRef = zmsTestInitializer.getAuditRef();
-
- String domain = "testSetDomainMetaMissingAuditRef";
- TopLevelDomain dom = zmsTestInitializer.createTopLevelDomainObject(
- domain, "Test1 Domain", "testOrg", zmsTestInitializer.getAdminUser());
- dom.setAuditEnabled(true);
- zmsImpl.postTopLevelDomain(ctx, auditRef, null, dom);
-
- Domain resDom =
zmsImpl.getDomain(ctx, domain);
- assertNotNull(resDom);
- assertEquals(resDom.getDescription(), "Test1 Domain");
- assertEquals(resDom.getOrg(), "testorg");
- assertTrue(resDom.getAuditEnabled());
-
- DomainMeta meta = zmsTestInitializer.createDomainMetaObject("Test2 Domain", "NewOrg", false, true, null, 0);
- try {
- zmsImpl.putDomainMeta(ctx, domain, null, null, meta);
- fail();
- } catch (ResourceException ex) {
- assertEquals(ex.getCode(), 400);
- assertTrue(ex.getMessage().contains("Audit reference required"));
- } finally {
- zmsImpl.deleteTopLevelDomain(ctx, domain, auditRef, null);
- }
- }
-
- @Test
- public void testPutDomainMetaSubDomain() {
- ZMSImpl zmsImpl = zmsTestInitializer.getZms();
- RsrcCtxWrapper ctx = zmsTestInitializer.getMockDomRsrcCtx();
- final String auditRef = zmsTestInitializer.getAuditRef();
-
- try {
- TopLevelDomain dom = zmsTestInitializer.createTopLevelDomainObject("MetaDomProductid",
- "Test Domain", "testOrg", zmsTestInitializer.getAdminUser(), ctx.principal().getFullName());
- zmsImpl.postTopLevelDomain(ctx, auditRef, null, dom);
- } catch (ResourceException rexc) {
- assertEquals(400, rexc.getCode());
- }
-
- SubDomain subDom = zmsTestInitializer.createSubDomainObject("metaSubDom", "MetaDomProductid",
- "sub Domain", "testOrg", zmsTestInitializer.getAdminUser());
- zmsImpl.postSubDomain(ctx, "MetaDomProductid", auditRef, null, subDom);
-
- // put metadata with null productId
- DomainMeta meta = zmsTestInitializer.createDomainMetaObject("Test sub Domain", "NewOrg",
- true, true, "12345", null);
- zmsImpl.putDomainMeta(ctx, "MetaDomProductid.metaSubDom", auditRef, null, meta);
-
- // put metadata with a productId
- meta = zmsTestInitializer.createDomainMetaObject("Test sub Domain", "NewOrg",
- true, true, "12345", ZMSTestInitializer.getRandomProductId());
- zmsImpl.putDomainMeta(ctx, "MetaDomProductid.metaSubDom", auditRef, null, meta);
-
- // set the expiry days to 30
-
- meta.setMemberExpiryDays(30);
-
meta.setServiceExpiryDays(25);
- meta.setGroupExpiryDays(35);
- zmsImpl.putDomainMeta(ctx, "MetaDomProductid.metaSubDom", auditRef, null, meta);
- Domain domain = zmsImpl.getDomain(ctx, "MetaDomProductid.metaSubDom");
- assertEquals(domain.getMemberExpiryDays(), Integer.valueOf(30));
- assertEquals(domain.getServiceExpiryDays(), Integer.valueOf(25));
- assertEquals(domain.getGroupExpiryDays(), Integer.valueOf(35));
-
- // if value is null we're not going to change it
-
- meta.setMemberExpiryDays(null);
- meta.setServiceExpiryDays(null);
- meta.setGroupExpiryDays(null);
- meta.setDescription("test1");
- zmsImpl.putDomainMeta(ctx, "MetaDomProductid.metaSubDom", auditRef, null, meta);
- domain = zmsImpl.getDomain(ctx, "MetaDomProductid.metaSubDom");
- assertEquals(domain.getMemberExpiryDays(), Integer.valueOf(30));
- assertEquals(domain.getServiceExpiryDays(), Integer.valueOf(25));
- assertEquals(domain.getGroupExpiryDays(), Integer.valueOf(35));
- assertEquals(domain.getDescription(), "test1");
-
- // setting is to 0
-
- meta.setMemberExpiryDays(0);
- meta.setServiceExpiryDays(0);
- meta.setGroupExpiryDays(0);
- meta.setDescription("test2");
- zmsImpl.putDomainMeta(ctx, "MetaDomProductid.metaSubDom", auditRef, null, meta);
- domain = zmsImpl.getDomain(ctx, "MetaDomProductid.metaSubDom");
- assertNull(domain.getMemberExpiryDays());
- assertNull(domain.getServiceExpiryDays());
- assertNull(domain.getGroupExpiryDays());
- assertEquals(domain.getDescription(), "test2");
-
- zmsImpl.deleteSubDomain(ctx, "MetaDomProductid", "metaSubDom", auditRef, null);
- zmsImpl.deleteTopLevelDomain(ctx, "MetaDomProductid", auditRef, null);
- }
-
 @Test
 public void testGetRoleList() {
 
@@ -29380,641 +28860,6 @@ public void testGetAthenzDomainWithEntities() {
 zmsImpl.deleteTopLevelDomain(ctx, domainName, auditRef, null);
 }
 
- @Test
- public void testPutDomainMetaBusinessService() {
-
- ZMSImpl zmsImpl = zmsTestInitializer.getZms();
- RsrcCtxWrapper ctx = zmsTestInitializer.getMockDomRsrcCtx();
- final String auditRef = zmsTestInitializer.getAuditRef();
-
- final String domainName = "athenz-domain-with-business-service";
- TopLevelDomain dom1 = zmsTestInitializer.createTopLevelDomainObject(domainName,
- "Test Domain1", "testOrg", zmsTestInitializer.getAdminUser());
- zmsImpl.postTopLevelDomain(ctx, auditRef, null, dom1);
-
- Domain domain = zmsImpl.getDomain(ctx, domainName);
- assertNotNull(domain);
- assertNull(domain.getBusinessService());
-
- // set the business service
-
- DomainMeta dm = new DomainMeta().setBusinessService("service1");
- zmsImpl.putDomainMeta(ctx, domainName, auditRef, null, dm);
-
- domain = zmsImpl.getDomain(ctx, domainName);
- assertNotNull(domain);
- assertEquals(domain.getBusinessService(), "service1");
-
- // update the business service
-
- dm.setBusinessService("service2");
- zmsImpl.putDomainMeta(ctx, domainName, auditRef, null, dm);
-
- domain = zmsImpl.getDomain(ctx, domainName);
- assertNotNull(domain);
- assertEquals(domain.getBusinessService(), "service2");
-
- // update different meta attribute
-
- dm = new DomainMeta().setDescription("new description");
- zmsImpl.putDomainMeta(ctx, domainName, auditRef, null, dm);
-
- domain = zmsImpl.getDomain(ctx, domainName);
- assertNotNull(domain);
- assertEquals(domain.getBusinessService(), "service2");
- assertEquals(domain.getDescription(), "new description");
-
- // remove the business service
-
- dm = new DomainMeta().setBusinessService("").setDescription("new description");
- zmsImpl.putDomainMeta(ctx, domainName, auditRef, null, dm);
-
- domain = zmsImpl.getDomain(ctx, domainName);
- assertNotNull(domain);
- assertNull(domain.getBusinessService());
-
assertEquals(domain.getDescription(), "new description");
-
- zmsImpl.deleteTopLevelDomain(ctx, domainName, auditRef, null);
- }
-
- @Test
- public void testPutDomainMetaEnvironment() {
-
- ZMSImpl zmsImpl = zmsTestInitializer.getZms();
- RsrcCtxWrapper ctx = zmsTestInitializer.getMockDomRsrcCtx();
- final String auditRef = zmsTestInitializer.getAuditRef();
-
- final String domainName = "athenz-domain-with-environment";
- TopLevelDomain dom1 = zmsTestInitializer.createTopLevelDomainObject(domainName,
- "Test Domain1", "testOrg", zmsTestInitializer.getAdminUser());
- zmsImpl.postTopLevelDomain(ctx, auditRef, null, dom1);
-
- Domain domain = zmsImpl.getDomain(ctx, domainName);
- assertNotNull(domain);
- assertNull(domain.getEnvironment());
-
- // set the environment
-
- DomainMeta dm = new DomainMeta().setEnvironment("production");
- zmsImpl.putDomainMeta(ctx, domainName, auditRef, null, dm);
-
- domain = zmsImpl.getDomain(ctx, domainName);
- assertNotNull(domain);
- assertEquals(domain.getEnvironment(), "production");
-
- // update the environment
-
- dm.setEnvironment("staging");
- zmsImpl.putDomainMeta(ctx, domainName, auditRef, null, dm);
-
- domain = zmsImpl.getDomain(ctx, domainName);
- assertNotNull(domain);
- assertEquals(domain.getEnvironment(), "staging");
-
- // set an invalid value and verify failure
-
- dm = new DomainMeta().setEnvironment("unknown");
- try {
- zmsImpl.putDomainMeta(ctx, domainName, auditRef, null, dm);
- fail();
- } catch (ResourceException ex) {
- assertTrue(ex.getMessage().contains("invalid environment for domain"));
- }
-
- // remove the environment
-
- dm = new DomainMeta().setEnvironment("");
- zmsImpl.putDomainMeta(ctx, domainName, auditRef, null, dm);
-
- domain = zmsImpl.getDomain(ctx, domainName);
- assertNotNull(domain);
- assertNull(domain.getEnvironment());
-
- zmsImpl.deleteTopLevelDomain(ctx, domainName, auditRef, null);
- }
-
- @Test
- public void testPostDomainInvalidDomainMetaStoreValues() {
-
- final String domainName
= "athenz-domain-with-invalid-details";
-
- ZMSImpl zmsImpl = zmsTestInitializer.getZms();
- RsrcCtxWrapper ctx = zmsTestInitializer.getMockDomRsrcCtx();
- final String auditRef = zmsTestInitializer.getAuditRef();
-
- DomainMetaStore savedMetaStore = zmsImpl.domainMetaStore;
- zmsImpl.domainMetaStore = new TestDomainMetaStore();
-
- TopLevelDomain dom1 = zmsTestInitializer.createTopLevelDomainObject(domainName,
- "Test Domain1", "testOrg", zmsTestInitializer.getAdminUser());
-
- try {
- dom1.setBusinessService("invalid-business-service");
- zmsImpl.postTopLevelDomain(ctx, auditRef, null, dom1);
- fail();
- } catch (ResourceException ex) {
- assertTrue(ex.getMessage().contains("invalid business service name"));
- }
-
- try {
- dom1.setBusinessService("valid-business-service");
- dom1.setAccount("invalid-aws-account");
- zmsImpl.postTopLevelDomain(ctx, auditRef, null, dom1);
- fail();
- } catch (ResourceException ex) {
- assertTrue(ex.getMessage().contains("invalid aws account"));
- }
-
- try {
- dom1.setAccount("valid-aws-account");
- dom1.setAzureSubscription("invalid-azure-subscription");
- dom1.setAzureTenant("tenant");
- dom1.setAzureClient("client");
- zmsImpl.postTopLevelDomain(ctx, auditRef, null, dom1);
- fail();
- } catch (ResourceException ex) {
- assertTrue(ex.getMessage().contains("invalid azure subscription"));
- }
-
- try {
- dom1.setAzureSubscription("valid-azure-subscription");
- dom1.setGcpProject("invalid-gcp-project");
- dom1.setGcpProjectNumber("1200");
- zmsImpl.postTopLevelDomain(ctx, auditRef, null, dom1);
- fail();
- } catch (ResourceException ex) {
- assertTrue(ex.getMessage().contains("invalid gcp project"));
- }
-
- zmsImpl.productIdSupport = true;
- try {
- dom1.setGcpProject("valid-gcp-project");
- dom1.setGcpProjectNumber("1200");
- dom1.setYpmId(100);
- zmsImpl.postTopLevelDomain(ctx, auditRef, null, dom1);
- fail();
- } catch (ResourceException ex) {
- assertTrue(ex.getMessage().contains("invalid product id"));
- }
-
- try {
-
dom1.setYpmId(101);
- dom1.setProductId("invalid-product-id");
- zmsImpl.postTopLevelDomain(ctx, auditRef, null, dom1);
- fail();
- } catch (ResourceException ex) {
- assertTrue(ex.getMessage().contains("invalid product id"));
- }
-
- // specify azure subscription but no tenant
-
- try {
- dom1.setProductId("valid-product-id");
- dom1.setAzureTenant(null);
- zmsImpl.postTopLevelDomain(ctx, auditRef, null, dom1);
- fail();
- } catch (ResourceException ex) {
- assertTrue(ex.getMessage().contains("invalid azure details"));
- }
-
- // specify azure tenant but no client
-
- try {
- dom1.setAzureTenant("tenant");
- dom1.setAzureClient(null);
- zmsImpl.postTopLevelDomain(ctx, auditRef, null, dom1);
- fail();
- } catch (ResourceException ex) {
- assertTrue(ex.getMessage().contains("invalid azure details"));
- }
-
- // specify gcp project but no project number
-
- try {
- dom1.setAzureClient("client");
- dom1.setGcpProjectNumber(null);
- zmsImpl.postTopLevelDomain(ctx, auditRef, null, dom1);
- fail();
- } catch (ResourceException ex) {
- assertTrue(ex.getMessage().contains("invalid gcp project"));
- }
-
- dom1.setGcpProjectNumber("1200");
- zmsImpl.postTopLevelDomain(ctx, auditRef, null, dom1);
-
- Domain domain = zmsImpl.getDomain(ctx, domainName);
- assertNotNull(domain);
- assertEquals(domain.getBusinessService(), "valid-business-service");
- assertEquals(domain.getAccount(), "valid-aws-account");
- assertEquals(domain.getAzureSubscription(), "valid-azure-subscription");
- assertEquals(domain.getAzureTenant(), "tenant");
- assertEquals(domain.getAzureClient(), "client");
- assertEquals(domain.getGcpProject(), "valid-gcp-project");
- assertEquals(domain.getGcpProjectNumber(), "1200");
- assertEquals(domain.getYpmId().intValue(), 101);
-
- zmsImpl.deleteTopLevelDomain(ctx, domainName, auditRef, null);
- zmsImpl.domainMetaStore = savedMetaStore;
- zmsImpl.productIdSupport = false;
- }
-
- @Test
- public void testPutDomainMetaInvalidDomainMetaStoreValues() {
-
- ZMSImpl
zmsImpl = zmsTestInitializer.getZms();
- RsrcCtxWrapper ctx = zmsTestInitializer.getMockDomRsrcCtx();
- final String auditRef = zmsTestInitializer.getAuditRef();
-
- final String domainName = "athenz-domain-meta-with-invalid-details";
- DomainMetaStore savedMetaStore = zmsImpl.domainMetaStore;
- zmsImpl.domainMetaStore = new TestDomainMetaStore();
-
- TopLevelDomain dom1 = zmsTestInitializer.createTopLevelDomainObject(domainName,
- "Test Domain1", "testOrg", zmsTestInitializer.getAdminUser());
- zmsImpl.postTopLevelDomain(ctx, auditRef, null, dom1);
-
- DomainMeta meta = new DomainMeta().setBusinessService("invalid-business-service");
- try {
- zmsImpl.putDomainMeta(ctx, domainName, auditRef, null, meta);
- fail();
- } catch (ResourceException ex) {
- assertTrue(ex.getMessage().contains("invalid business service name"));
- }
-
- meta.setBusinessService("valid-business-service");
- zmsImpl.putDomainMeta(ctx, domainName, auditRef, null, meta);
-
- // second time no-op since value not changed
-
- zmsImpl.putDomainMeta(ctx, domainName, auditRef, null, meta);
-
- Domain domain = zmsImpl.getDomain(ctx, domainName);
- assertNotNull(domain);
- assertEquals(domain.getBusinessService(), "valid-business-service");
-
- zmsImpl.deleteTopLevelDomain(ctx, domainName, auditRef, null);
- zmsImpl.domainMetaStore = savedMetaStore;
- }
-
- @Test
- public void testPutDomainSystemMetaInvalidDomainMetaStoreValues() {
-
- final String domainName = "athenz-domain-system-meta-with-invalid-details";
- ZMSImpl zmsImpl = zmsTestInitializer.getZms();
- RsrcCtxWrapper ctx = zmsTestInitializer.getMockDomRsrcCtx();
- final String auditRef = zmsTestInitializer.getAuditRef();
-
- DomainMetaStore savedMetaStore = zmsImpl.domainMetaStore;
- zmsImpl.domainMetaStore = new TestDomainMetaStore();
-
- TopLevelDomain dom1 = zmsTestInitializer.createTopLevelDomainObject(domainName,
- "Test Domain1", "testOrg", zmsTestInitializer.getAdminUser());
- zmsImpl.postTopLevelDomain(ctx, auditRef, null, dom1);
-
- //
first aws account
-
- DomainMeta meta = new DomainMeta().setAccount("invalid-aws-account");
- try {
- zmsImpl.putDomainSystemMeta(ctx, domainName, ZMSConsts.SYSTEM_META_ACCOUNT, auditRef, meta);
- fail();
- } catch (ResourceException ex) {
- assertTrue(ex.getMessage().contains("invalid aws account"));
- }
-
- meta.setAccount("valid-aws-account");
- zmsImpl.putDomainSystemMeta(ctx, domainName, ZMSConsts.SYSTEM_META_ACCOUNT, auditRef, meta);
-
- Domain domain = zmsImpl.getDomain(ctx, domainName);
- assertNotNull(domain);
- assertEquals(domain.getAccount(), "valid-aws-account");
-
- // second time no-op since nothing has changed
-
- zmsImpl.putDomainSystemMeta(ctx, domainName, ZMSConsts.SYSTEM_META_ACCOUNT, auditRef, meta);
-
- // next invalid azure subscription
-
- try {
- meta.setAzureSubscription("invalid-azure-subscription");
- zmsImpl.putDomainSystemMeta(ctx, domainName, ZMSConsts.SYSTEM_META_AZURE_SUBSCRIPTION, auditRef, meta);
- fail();
- } catch (ResourceException ex) {
- assertTrue(ex.getMessage().contains("invalid azure details"));
- }
-
- // next azure subscription without azure tenant
-
- try {
- meta.setAzureSubscription("valid-azure-subscription");
- meta.setAzureTenant(null);
- zmsImpl.putDomainSystemMeta(ctx, domainName, ZMSConsts.SYSTEM_META_AZURE_SUBSCRIPTION, auditRef, meta);
- fail();
- } catch (ResourceException ex) {
- assertTrue(ex.getMessage().contains("invalid azure details"));
- }
-
- // next azure subscription and tenant without client
-
- try {
- meta.setAzureTenant("tenant");
- meta.setAzureClient(null);
- zmsImpl.putDomainSystemMeta(ctx, domainName, ZMSConsts.SYSTEM_META_AZURE_SUBSCRIPTION, auditRef, meta);
- fail();
- } catch (ResourceException ex) {
- assertTrue(ex.getMessage().contains("invalid azure details"));
- }
-
- meta.setAzureClient("client");
- zmsImpl.putDomainSystemMeta(ctx, domainName, ZMSConsts.SYSTEM_META_AZURE_SUBSCRIPTION, auditRef, meta);
-
- domain = zmsImpl.getDomain(ctx, domainName);
- assertNotNull(domain);
-
assertEquals(domain.getAzureSubscription(), "valid-azure-subscription");
- assertEquals(domain.getAzureTenant(), "tenant");
- assertEquals(domain.getAzureClient(), "client");
-
- // now keep the azure subscription but update the azure tenant
- meta.setAzureTenant("tenant2");
- zmsImpl.putDomainSystemMeta(ctx, domainName, ZMSConsts.SYSTEM_META_AZURE_SUBSCRIPTION, auditRef, meta);
-
- domain = zmsImpl.getDomain(ctx, domainName);
- assertNotNull(domain);
- assertEquals(domain.getAzureSubscription(), "valid-azure-subscription");
- assertEquals(domain.getAzureTenant(), "tenant2");
- assertEquals(domain.getAzureClient(), "client");
-
- // second time no-op since nothing has changed
-
- zmsImpl.putDomainSystemMeta(ctx, domainName, ZMSConsts.SYSTEM_META_AZURE_SUBSCRIPTION, auditRef, meta);
-
- // now keep the azure tenant but update the azure client
- meta.setAzureClient("client2");
- zmsImpl.putDomainSystemMeta(ctx, domainName, ZMSConsts.SYSTEM_META_AZURE_SUBSCRIPTION, auditRef, meta);
-
- domain = zmsImpl.getDomain(ctx, domainName);
- assertNotNull(domain);
- assertEquals(domain.getAzureSubscription(), "valid-azure-subscription");
- assertEquals(domain.getAzureTenant(), "tenant2");
- assertEquals(domain.getAzureClient(), "client2");
-
- // second time no-op since nothing has changed
-
- zmsImpl.putDomainSystemMeta(ctx, domainName, ZMSConsts.SYSTEM_META_AZURE_SUBSCRIPTION, auditRef, meta);
-
- // next gcp project
-
- try {
- meta.setGcpProject("invalid-gcp-project");
- meta.setGcpProjectNumber("1200");
- zmsImpl.putDomainSystemMeta(ctx, domainName, ZMSConsts.SYSTEM_META_GCP_PROJECT, auditRef, meta);
- fail();
- } catch (ResourceException ex) {
- assertTrue(ex.getMessage().contains("invalid gcp project"));
- }
-
- // next gcp project without project number
-
- try {
- meta.setGcpProject("valid-gcp-project");
- meta.setGcpProjectNumber(null);
- zmsImpl.putDomainSystemMeta(ctx, domainName, ZMSConsts.SYSTEM_META_GCP_PROJECT, auditRef, meta);
- fail();
- } catch
(ResourceException ex) {
- assertTrue(ex.getMessage().contains("invalid gcp project"));
- }
-
- meta.setGcpProject("valid-gcp-project");
- meta.setGcpProjectNumber("1200");
- zmsImpl.putDomainSystemMeta(ctx, domainName, ZMSConsts.SYSTEM_META_GCP_PROJECT, auditRef, meta);
-
- domain = zmsImpl.getDomain(ctx, domainName);
- assertNotNull(domain);
- assertEquals(domain.getGcpProject(), "valid-gcp-project");
- assertEquals(domain.getGcpProjectNumber(), "1200");
-
- // now keep the gcp project but update the project number
-
- meta.setGcpProject("valid-gcp-project");
- meta.setGcpProjectNumber("1201");
- zmsImpl.putDomainSystemMeta(ctx, domainName, ZMSConsts.SYSTEM_META_GCP_PROJECT, auditRef, meta);
-
- domain = zmsImpl.getDomain(ctx, domainName);
- assertNotNull(domain);
- assertEquals(domain.getGcpProject(), "valid-gcp-project");
- assertEquals(domain.getGcpProjectNumber(), "1201");
-
- // second time no-op since nothing has changed
-
- zmsImpl.putDomainSystemMeta(ctx, domainName, ZMSConsts.SYSTEM_META_GCP_PROJECT, auditRef, meta);
-
- // next product id
-
- zmsImpl.productIdSupport = true;
- try {
- meta.setYpmId(100);
- zmsImpl.putDomainSystemMeta(ctx, domainName, ZMSConsts.SYSTEM_META_PRODUCT_ID, auditRef, meta);
- fail();
- } catch (ResourceException ex) {
- assertTrue(ex.getMessage().contains("invalid product id"));
- }
-
- meta.setYpmId(101);
- try {
- meta.setProductId("invalid-product-id");
- zmsImpl.putDomainSystemMeta(ctx, domainName, ZMSConsts.SYSTEM_META_PRODUCT_ID, auditRef, meta);
- fail();
- } catch (ResourceException ex) {
- assertTrue(ex.getMessage().contains("invalid product id"));
- }
-
- meta.setProductId("valid-product-id");
- zmsImpl.putDomainSystemMeta(ctx, domainName, ZMSConsts.SYSTEM_META_PRODUCT_ID, auditRef, meta);
-
- domain = zmsImpl.getDomain(ctx, domainName);
- assertNotNull(domain);
- assertEquals(domain.getYpmId().intValue(), 101);
-
- // final business service
-
- try {
- meta.setBusinessService("invalid-business-service");
-
zmsImpl.putDomainSystemMeta(ctx, domainName, ZMSConsts.SYSTEM_META_BUSINESS_SERVICE, auditRef, meta);
- fail();
- } catch (ResourceException ex) {
- assertTrue(ex.getMessage().contains("invalid business service"));
- }
-
- meta.setBusinessService("valid-business-service");
- zmsImpl.putDomainSystemMeta(ctx, domainName, ZMSConsts.SYSTEM_META_BUSINESS_SERVICE, auditRef, meta);
-
- domain = zmsImpl.getDomain(ctx, domainName);
- assertNotNull(domain);
- assertEquals(domain.getBusinessService(), "valid-business-service");
-
- // second time no-op since nothing has changed
-
- zmsImpl.putDomainSystemMeta(ctx, domainName, ZMSConsts.SYSTEM_META_BUSINESS_SERVICE, auditRef, meta);
-
- zmsImpl.deleteTopLevelDomain(ctx, domainName, auditRef, null);
- zmsImpl.domainMetaStore = savedMetaStore;
- zmsImpl.productIdSupport = false;
- }
-
- @Test
- public void testPutDomainMetaIDomainMetaStoreException() {
-
- ZMSImpl zmsImpl = zmsTestInitializer.getZms();
- RsrcCtxWrapper ctx = zmsTestInitializer.getMockDomRsrcCtx();
- final String auditRef = zmsTestInitializer.getAuditRef();
-
- final String domainName = "athenz-domain-meta-with-exception";
- DomainMetaStore savedMetaStore = zmsImpl.domainMetaStore;
- zmsImpl.domainMetaStore = new TestDomainMetaStore();
-
- // value with exc- will throw an exception but we should
- // not reject the request
-
- TopLevelDomain dom1 = zmsTestInitializer.createTopLevelDomainObject(domainName,
- "Test Domain1", "testOrg", zmsTestInitializer.getAdminUser());
- dom1.setBusinessService("exc-business-service");
- zmsImpl.postTopLevelDomain(ctx, auditRef, null, dom1);
-
- Domain domain = zmsImpl.getDomain(ctx, domainName);
- assertNotNull(domain);
- assertEquals(domain.getBusinessService(), "exc-business-service");
-
- // try with system attribute now as well
-
- DomainMeta meta = new DomainMeta().setAccount("exc-aws-account");
- zmsImpl.putDomainSystemMeta(ctx, domainName, ZMSConsts.SYSTEM_META_ACCOUNT, auditRef, meta);
-
- domain = zmsImpl.getDomain(ctx,
domainName);
- assertNotNull(domain);
- assertEquals(domain.getAccount(), "exc-aws-account");
- assertEquals(domain.getBusinessService(), "exc-business-service");
-
- zmsImpl.deleteTopLevelDomain(ctx, domainName, auditRef, null);
- zmsImpl.domainMetaStore = savedMetaStore;
- }
-
- @Test
- public void testPutDomainSystemMetaInvalidDomain() {
-
- ZMSImpl zmsImpl = zmsTestInitializer.getZms();
- RsrcCtxWrapper ctx = zmsTestInitializer.getMockDomRsrcCtx();
- final String auditRef = zmsTestInitializer.getAuditRef();
-
- final String domainName = "athenz-domain-system-meta-not-found";
-
- DomainMeta meta = new DomainMeta().setAccount("aws-account");
- try {
- zmsImpl.putDomainSystemMeta(ctx, domainName, ZMSConsts.SYSTEM_META_ACCOUNT, auditRef, meta);
- fail();
- } catch (ResourceException ex) {
- assertEquals(ex.getCode(), ResourceException.NOT_FOUND);
- }
- }
-
- @Test
- public void testGetDomainMetaStoreValidValuesList() {
- ZMSImpl zmsImpl = zmsTestInitializer.getZms();
- RsrcCtxWrapper ctx = zmsTestInitializer.getMockDomRsrcCtx();
-
- DomainMetaStore savedMetaStore = zmsImpl.domainMetaStore;
- DomainMetaStore mockDomainMetaStore = Mockito.mock(DomainMetaStore.class);
- List awsAccountsList = Collections.singletonList("awsAcc");
- when(mockDomainMetaStore.getValidAWSAccounts(isNull())).thenReturn(awsAccountsList);
- List businessServicesList = Collections.singletonList("bservice");
- when(mockDomainMetaStore.getValidBusinessServices(isNull())).thenReturn(businessServicesList);
- List azureList = Collections.singletonList("azureSub");
- when(mockDomainMetaStore.getValidAzureSubscriptions(isNull())).thenReturn(azureList);
- List gcpList = Collections.singletonList("gcpProject");
- when(mockDomainMetaStore.getValidGcpProjects(isNull())).thenReturn(gcpList);
- List productIdList = Collections.singletonList("product");
- when(mockDomainMetaStore.getValidProductIds(isNull())).thenReturn(productIdList);
- zmsImpl.domainMetaStore = mockDomainMetaStore;
-
assertEquals("bservice", zmsImpl.getDomainMetaStoreValidValuesList(ctx, "businessService", null).getValidValues().get(0));
- assertEquals("awsAcc", zmsImpl.getDomainMetaStoreValidValuesList(ctx, "awsAccount", null).getValidValues().get(0));
- assertEquals("azureSub", zmsImpl.getDomainMetaStoreValidValuesList(ctx, "azureSubscription", null).getValidValues().get(0));
- assertEquals("gcpProject", zmsImpl.getDomainMetaStoreValidValuesList(ctx, "gcpProject", null).getValidValues().get(0));
- assertEquals("product", zmsImpl.getDomainMetaStoreValidValuesList(ctx, "productId", null).getValidValues().get(0));
- assertEquals("product", zmsImpl.getDomainMetaStoreValidValuesList(ctx, "productNumber", null).getValidValues().get(0));
- zmsImpl.domainMetaStore = savedMetaStore;
- }
-
- @Test
- public void testGetDomainMetaStoreValidValuesListEmpty() {
- ZMSImpl zmsImpl = zmsTestInitializer.getZms();
- RsrcCtxWrapper ctx = zmsTestInitializer.getMockDomRsrcCtx();
-
- DomainMetaStore savedMetaStore = zmsImpl.domainMetaStore;
- zmsImpl.domainMetaStore = new TestDomainMetaStore();
- DomainMetaStoreValidValuesList emptyValidValuesList = new DomainMetaStoreValidValuesList();
- emptyValidValuesList.setValidValues(new ArrayList<>());
- assertEquals(emptyValidValuesList, zmsImpl.getDomainMetaStoreValidValuesList(ctx, "businessService", null));
- assertEquals(emptyValidValuesList, zmsImpl.getDomainMetaStoreValidValuesList(ctx, "awsAccount", null));
- assertEquals(emptyValidValuesList, zmsImpl.getDomainMetaStoreValidValuesList(ctx, "azureSubscription", null));
- assertEquals(emptyValidValuesList, zmsImpl.getDomainMetaStoreValidValuesList(ctx, "gcpProject", null));
- assertEquals(emptyValidValuesList, zmsImpl.getDomainMetaStoreValidValuesList(ctx, "productId", null));
- zmsImpl.domainMetaStore = savedMetaStore;
- }
-
- @Test
- public void testGetDomainMetaStoreValidValuesListBadAttribute() {
-
- ZMSImpl zmsImpl = zmsTestInitializer.getZms();
- RsrcCtxWrapper ctx =
zmsTestInitializer.getMockDomRsrcCtx();
-
- DomainMetaStore savedMetaStore = zmsImpl.domainMetaStore;
- zmsImpl.domainMetaStore = new TestDomainMetaStore();
- try {
- zmsImpl.getDomainMetaStoreValidValuesList(ctx, "badAttribute", null);
- fail();
- } catch (ResourceException ex) {
- assertEquals(ex.getMessage(), "ResourceException (400): {code: 400, message: \"Invalid attribute: badAttribute\"}");
- } finally {
- zmsImpl.domainMetaStore = savedMetaStore;
- }
- }
-
- @Test
- public void testGetDomainMetaStoreValidValuesListMissingAttribute() {
-
- ZMSImpl zmsImpl = zmsTestInitializer.getZms();
- RsrcCtxWrapper ctx = zmsTestInitializer.getMockDomRsrcCtx();
-
- DomainMetaStore savedMetaStore = zmsImpl.domainMetaStore;
- zmsImpl.domainMetaStore = new TestDomainMetaStore();
- try {
- zmsImpl.getDomainMetaStoreValidValuesList(ctx, null, null);
- fail();
- } catch (ResourceException ex) {
- assertEquals(ex.getMessage(), "ResourceException (400): {code: 400, message: \"attributeName is mandatory\"}");
- } finally {
- zmsImpl.domainMetaStore = savedMetaStore;
- }
- }
-
- @Test
- public void testGetDomainMetaStoreValidValuesUsernameLowered() {
-
- ZMSImpl zmsImpl = zmsTestInitializer.getZms();
- RsrcCtxWrapper ctx = zmsTestInitializer.getMockDomRsrcCtx();
-
- DomainMetaStore savedMetaStore = zmsImpl.domainMetaStore;
- DomainMetaStore mockDomainMetaStore = Mockito.mock(DomainMetaStore.class);
- List businessServicesList = Collections.singletonList("bservice");
- when(mockDomainMetaStore.getValidBusinessServices(anyString())).thenReturn(businessServicesList);
-
- zmsImpl.domainMetaStore = mockDomainMetaStore;
- ArgumentCaptor userCapture = ArgumentCaptor.forClass(String.class);
- zmsImpl.getDomainMetaStoreValidValuesList(ctx, "businessService", "TestUser");
- verify(mockDomainMetaStore, times(1)).getValidBusinessServices(userCapture.capture());
-
- assertEquals(userCapture.getValue(), "testuser");
- zmsImpl.domainMetaStore = savedMetaStore;
- }
-
 @Test
 public void
testGetUserAuthorityAttributeMap() {
 ZMSImpl zmsImpl = zmsTestInitializer.getZms();
diff --git a/servers/zms/src/test/java/com/yahoo/athenz/zms/ZMSMetaAttributeTest.java b/servers/zms/src/test/java/com/yahoo/athenz/zms/ZMSMetaAttributeTest.java
new file mode 100644
index 00000000000..ef530ed1e23
--- /dev/null
+++ b/servers/zms/src/test/java/com/yahoo/athenz/zms/ZMSMetaAttributeTest.java
@@ -0,0 +1,1426 @@
+/*
+ * Copyright The Athenz Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.yahoo.athenz.zms;
+
+import com.yahoo.athenz.common.server.metastore.DomainMetaStore;
+import org.mockito.ArgumentCaptor;
+import org.mockito.Mockito;
+import org.mockito.MockitoAnnotations;
+import org.testng.annotations.AfterClass;
+import org.testng.annotations.BeforeClass;
+import org.testng.annotations.BeforeMethod;
+import org.testng.annotations.Test;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+import java.util.concurrent.TimeUnit;
+
+import static org.mockito.ArgumentMatchers.anyString;
+import static org.mockito.ArgumentMatchers.isNull;
+import static org.mockito.Mockito.*;
+import static org.testng.Assert.*;
+
+public class ZMSMetaAttributeTest {
+
+ private final ZMSTestInitializer zmsTestInitializer = new ZMSTestInitializer();
+
+ @BeforeClass
+ public void startMemoryMySQL() {
+ zmsTestInitializer.startMemoryMySQL();
+ }
+
+ @AfterClass
+ public void stopMemoryMySQL() {
+ zmsTestInitializer.stopMemoryMySQL();
+ }
+
+ @BeforeMethod
+ public void setUp() throws Exception {
+ MockitoAnnotations.openMocks(this);
+ zmsTestInitializer.setUp();
+ }
+
+ @Test
+ public void testPutDomainMetaBusinessService() {
+
+ ZMSImpl zmsImpl = zmsTestInitializer.getZms();
+ RsrcCtxWrapper ctx = zmsTestInitializer.getMockDomRsrcCtx();
+ final String auditRef = zmsTestInitializer.getAuditRef();
+
+ final
String domainName = "athenz-domain-with-business-service"; + TopLevelDomain dom1 = zmsTestInitializer.createTopLevelDomainObject(domainName, + "Test Domain1", "testOrg", zmsTestInitializer.getAdminUser()); + zmsImpl.postTopLevelDomain(ctx, auditRef, null, dom1); + + Domain domain = zmsImpl.getDomain(ctx, domainName); + assertNotNull(domain); + assertNull(domain.getBusinessService()); + + // set the business service + + DomainMeta dm = new DomainMeta().setBusinessService("service1"); + zmsImpl.putDomainMeta(ctx, domainName, auditRef, null, dm); + + domain = zmsImpl.getDomain(ctx, domainName); + assertNotNull(domain); + assertEquals(domain.getBusinessService(), "service1"); + + // update the business service + + dm.setBusinessService("service2"); + zmsImpl.putDomainMeta(ctx, domainName, auditRef, null, dm); + + domain = zmsImpl.getDomain(ctx, domainName); + assertNotNull(domain); + assertEquals(domain.getBusinessService(), "service2"); + + // update different meta attribute + + dm = new DomainMeta().setDescription("new description"); + zmsImpl.putDomainMeta(ctx, domainName, auditRef, null, dm); + + domain = zmsImpl.getDomain(ctx, domainName); + assertNotNull(domain); + assertEquals(domain.getBusinessService(), "service2"); + assertEquals(domain.getDescription(), "new description"); + + // remove the business service + + dm = new DomainMeta().setBusinessService("").setDescription("new description"); + zmsImpl.putDomainMeta(ctx, domainName, auditRef, null, dm); + + domain = zmsImpl.getDomain(ctx, domainName); + assertNotNull(domain); + assertNull(domain.getBusinessService()); + assertEquals(domain.getDescription(), "new description"); + + zmsImpl.deleteTopLevelDomain(ctx, domainName, auditRef, null); + } + + @Test + public void testPutDomainMetaEnvironment() { + + ZMSImpl zmsImpl = zmsTestInitializer.getZms(); + RsrcCtxWrapper ctx = zmsTestInitializer.getMockDomRsrcCtx(); + final String auditRef = zmsTestInitializer.getAuditRef(); + + final String domainName = 
"athenz-domain-with-environment"; + TopLevelDomain dom1 = zmsTestInitializer.createTopLevelDomainObject(domainName, + "Test Domain1", "testOrg", zmsTestInitializer.getAdminUser()); + zmsImpl.postTopLevelDomain(ctx, auditRef, null, dom1); + + Domain domain = zmsImpl.getDomain(ctx, domainName); + assertNotNull(domain); + assertNull(domain.getEnvironment()); + + // set the environment + + DomainMeta dm = new DomainMeta().setEnvironment("production"); + zmsImpl.putDomainMeta(ctx, domainName, auditRef, null, dm); + + domain = zmsImpl.getDomain(ctx, domainName); + assertNotNull(domain); + assertEquals(domain.getEnvironment(), "production"); + + // update the environment + + dm.setEnvironment("staging"); + zmsImpl.putDomainMeta(ctx, domainName, auditRef, null, dm); + + domain = zmsImpl.getDomain(ctx, domainName); + assertNotNull(domain); + assertEquals(domain.getEnvironment(), "staging"); + + // set an invalid value and verify failure + + dm = new DomainMeta().setEnvironment("unknown"); + try { + zmsImpl.putDomainMeta(ctx, domainName, auditRef, null, dm); + fail(); + } catch (ResourceException ex) { + assertTrue(ex.getMessage().contains("invalid environment for domain")); + } + + // remove the environment + + dm = new DomainMeta().setEnvironment(""); + zmsImpl.putDomainMeta(ctx, domainName, auditRef, null, dm); + + domain = zmsImpl.getDomain(ctx, domainName); + assertNotNull(domain); + assertNull(domain.getEnvironment()); + + zmsImpl.deleteTopLevelDomain(ctx, domainName, auditRef, null); + } + + @Test + public void testPostDomainInvalidDomainMetaStoreValues() { + + final String domainName = "athenz-domain-with-invalid-details"; + + ZMSImpl zmsImpl = zmsTestInitializer.getZms(); + RsrcCtxWrapper ctx = zmsTestInitializer.getMockDomRsrcCtx(); + final String auditRef = zmsTestInitializer.getAuditRef(); + + DomainMetaStore savedMetaStore = zmsImpl.domainMetaStore; + zmsImpl.domainMetaStore = new TestDomainMetaStore(); + + TopLevelDomain dom1 = 
zmsTestInitializer.createTopLevelDomainObject(domainName, + "Test Domain1", "testOrg", zmsTestInitializer.getAdminUser()); + + try { + dom1.setBusinessService("invalid-business-service"); + zmsImpl.postTopLevelDomain(ctx, auditRef, null, dom1); + fail(); + } catch (ResourceException ex) { + assertTrue(ex.getMessage().contains("invalid business service name")); + } + + try { + dom1.setBusinessService("valid-business-service"); + dom1.setAccount("invalid-aws-account"); + zmsImpl.postTopLevelDomain(ctx, auditRef, null, dom1); + fail(); + } catch (ResourceException ex) { + assertTrue(ex.getMessage().contains("invalid aws account")); + } + + try { + dom1.setAccount("valid-aws-account"); + dom1.setAzureSubscription("invalid-azure-subscription"); + dom1.setAzureTenant("tenant"); + dom1.setAzureClient("client"); + zmsImpl.postTopLevelDomain(ctx, auditRef, null, dom1); + fail(); + } catch (ResourceException ex) { + assertTrue(ex.getMessage().contains("invalid azure subscription")); + } + + try { + dom1.setAzureSubscription("valid-azure-subscription"); + dom1.setGcpProject("invalid-gcp-project"); + dom1.setGcpProjectNumber("1200"); + zmsImpl.postTopLevelDomain(ctx, auditRef, null, dom1); + fail(); + } catch (ResourceException ex) { + assertTrue(ex.getMessage().contains("invalid gcp project")); + } + + zmsImpl.productIdSupport = true; + try { + dom1.setGcpProject("valid-gcp-project"); + dom1.setGcpProjectNumber("1200"); + dom1.setYpmId(100); + zmsImpl.postTopLevelDomain(ctx, auditRef, null, dom1); + fail(); + } catch (ResourceException ex) { + assertTrue(ex.getMessage().contains("invalid product id")); + } + + try { + dom1.setYpmId(101); + dom1.setProductId("invalid-product-id"); + zmsImpl.postTopLevelDomain(ctx, auditRef, null, dom1); + fail(); + } catch (ResourceException ex) { + assertTrue(ex.getMessage().contains("invalid product id")); + } + + // specify azure subscription but no tenant + + try { + dom1.setProductId("valid-product-id"); + dom1.setAzureTenant(null); + 
zmsImpl.postTopLevelDomain(ctx, auditRef, null, dom1); + fail(); + } catch (ResourceException ex) { + assertTrue(ex.getMessage().contains("invalid azure details")); + } + + // specify azure tenant but no client + + try { + dom1.setAzureTenant("tenant"); + dom1.setAzureClient(null); + zmsImpl.postTopLevelDomain(ctx, auditRef, null, dom1); + fail(); + } catch (ResourceException ex) { + assertTrue(ex.getMessage().contains("invalid azure details")); + } + + // specify gcp project but no project number + + try { + dom1.setAzureClient("client"); + dom1.setGcpProjectNumber(null); + zmsImpl.postTopLevelDomain(ctx, auditRef, null, dom1); + fail(); + } catch (ResourceException ex) { + assertTrue(ex.getMessage().contains("invalid gcp project")); + } + + dom1.setGcpProjectNumber("1200"); + zmsImpl.postTopLevelDomain(ctx, auditRef, null, dom1); + + Domain domain = zmsImpl.getDomain(ctx, domainName); + assertNotNull(domain); + assertEquals(domain.getBusinessService(), "valid-business-service"); + assertEquals(domain.getAccount(), "valid-aws-account"); + assertEquals(domain.getAzureSubscription(), "valid-azure-subscription"); + assertEquals(domain.getAzureTenant(), "tenant"); + assertEquals(domain.getAzureClient(), "client"); + assertEquals(domain.getGcpProject(), "valid-gcp-project"); + assertEquals(domain.getGcpProjectNumber(), "1200"); + assertEquals(domain.getYpmId().intValue(), 101); + + zmsImpl.deleteTopLevelDomain(ctx, domainName, auditRef, null); + zmsImpl.domainMetaStore = savedMetaStore; + zmsImpl.productIdSupport = false; + } + + @Test + public void testPutDomainMetaInvalidDomainMetaStoreValues() { + + ZMSImpl zmsImpl = zmsTestInitializer.getZms(); + RsrcCtxWrapper ctx = zmsTestInitializer.getMockDomRsrcCtx(); + final String auditRef = zmsTestInitializer.getAuditRef(); + + final String domainName = "athenz-domain-meta-with-invalid-details"; + DomainMetaStore savedMetaStore = zmsImpl.domainMetaStore; + zmsImpl.domainMetaStore = new TestDomainMetaStore(); + + 
TopLevelDomain dom1 = zmsTestInitializer.createTopLevelDomainObject(domainName, + "Test Domain1", "testOrg", zmsTestInitializer.getAdminUser()); + zmsImpl.postTopLevelDomain(ctx, auditRef, null, dom1); + + DomainMeta meta = new DomainMeta().setBusinessService("invalid-business-service"); + try { + zmsImpl.putDomainMeta(ctx, domainName, auditRef, null, meta); + fail(); + } catch (ResourceException ex) { + assertTrue(ex.getMessage().contains("invalid business service name")); + } + + meta.setBusinessService("valid-business-service"); + zmsImpl.putDomainMeta(ctx, domainName, auditRef, null, meta); + + // second time no-op since value not changed + + zmsImpl.putDomainMeta(ctx, domainName, auditRef, null, meta); + + Domain domain = zmsImpl.getDomain(ctx, domainName); + assertNotNull(domain); + assertEquals(domain.getBusinessService(), "valid-business-service"); + + zmsImpl.deleteTopLevelDomain(ctx, domainName, auditRef, null); + zmsImpl.domainMetaStore = savedMetaStore; + } + + @Test + public void testPutDomainSystemMetaInvalidDomainMetaStoreValues() { + + final String domainName = "athenz-domain-system-meta-with-invalid-details"; + ZMSImpl zmsImpl = zmsTestInitializer.getZms(); + RsrcCtxWrapper ctx = zmsTestInitializer.getMockDomRsrcCtx(); + final String auditRef = zmsTestInitializer.getAuditRef(); + + DomainMetaStore savedMetaStore = zmsImpl.domainMetaStore; + zmsImpl.domainMetaStore = new TestDomainMetaStore(); + + TopLevelDomain dom1 = zmsTestInitializer.createTopLevelDomainObject(domainName, + "Test Domain1", "testOrg", zmsTestInitializer.getAdminUser()); + zmsImpl.postTopLevelDomain(ctx, auditRef, null, dom1); + + // first aws account + + DomainMeta meta = new DomainMeta().setAccount("invalid-aws-account"); + try { + zmsImpl.putDomainSystemMeta(ctx, domainName, ZMSConsts.SYSTEM_META_ACCOUNT, auditRef, meta); + fail(); + } catch (ResourceException ex) { + assertTrue(ex.getMessage().contains("invalid aws account")); + } + + meta.setAccount("valid-aws-account"); + 
zmsImpl.putDomainSystemMeta(ctx, domainName, ZMSConsts.SYSTEM_META_ACCOUNT, auditRef, meta); + + Domain domain = zmsImpl.getDomain(ctx, domainName); + assertNotNull(domain); + assertEquals(domain.getAccount(), "valid-aws-account"); + + // second time no-op since nothing has changed + + zmsImpl.putDomainSystemMeta(ctx, domainName, ZMSConsts.SYSTEM_META_ACCOUNT, auditRef, meta); + + // next invalid azure subscription + + try { + meta.setAzureSubscription("invalid-azure-subscription"); + zmsImpl.putDomainSystemMeta(ctx, domainName, ZMSConsts.SYSTEM_META_AZURE_SUBSCRIPTION, auditRef, meta); + fail(); + } catch (ResourceException ex) { + assertTrue(ex.getMessage().contains("invalid azure details")); + } + + // next azure subscription without azure tenant + + try { + meta.setAzureSubscription("valid-azure-subscription"); + meta.setAzureTenant(null); + zmsImpl.putDomainSystemMeta(ctx, domainName, ZMSConsts.SYSTEM_META_AZURE_SUBSCRIPTION, auditRef, meta); + fail(); + } catch (ResourceException ex) { + assertTrue(ex.getMessage().contains("invalid azure details")); + } + + // next azure subscription and tenant without client + + try { + meta.setAzureTenant("tenant"); + meta.setAzureClient(null); + zmsImpl.putDomainSystemMeta(ctx, domainName, ZMSConsts.SYSTEM_META_AZURE_SUBSCRIPTION, auditRef, meta); + fail(); + } catch (ResourceException ex) { + assertTrue(ex.getMessage().contains("invalid azure details")); + } + + meta.setAzureClient("client"); + zmsImpl.putDomainSystemMeta(ctx, domainName, ZMSConsts.SYSTEM_META_AZURE_SUBSCRIPTION, auditRef, meta); + + domain = zmsImpl.getDomain(ctx, domainName); + assertNotNull(domain); + assertEquals(domain.getAzureSubscription(), "valid-azure-subscription"); + assertEquals(domain.getAzureTenant(), "tenant"); + assertEquals(domain.getAzureClient(), "client"); + + // now keep the azure subscription but update the azure tenant + meta.setAzureTenant("tenant2"); + zmsImpl.putDomainSystemMeta(ctx, domainName, 
ZMSConsts.SYSTEM_META_AZURE_SUBSCRIPTION, auditRef, meta); + + domain = zmsImpl.getDomain(ctx, domainName); + assertNotNull(domain); + assertEquals(domain.getAzureSubscription(), "valid-azure-subscription"); + assertEquals(domain.getAzureTenant(), "tenant2"); + assertEquals(domain.getAzureClient(), "client"); + + // second time no-op since nothing has changed + + zmsImpl.putDomainSystemMeta(ctx, domainName, ZMSConsts.SYSTEM_META_AZURE_SUBSCRIPTION, auditRef, meta); + + // now keep the azure tenant but update the azure client + meta.setAzureClient("client2"); + zmsImpl.putDomainSystemMeta(ctx, domainName, ZMSConsts.SYSTEM_META_AZURE_SUBSCRIPTION, auditRef, meta); + + domain = zmsImpl.getDomain(ctx, domainName); + assertNotNull(domain); + assertEquals(domain.getAzureSubscription(), "valid-azure-subscription"); + assertEquals(domain.getAzureTenant(), "tenant2"); + assertEquals(domain.getAzureClient(), "client2"); + + // second time no-op since nothing has changed + + zmsImpl.putDomainSystemMeta(ctx, domainName, ZMSConsts.SYSTEM_META_AZURE_SUBSCRIPTION, auditRef, meta); + + // next gcp project + + try { + meta.setGcpProject("invalid-gcp-project"); + meta.setGcpProjectNumber("1200"); + zmsImpl.putDomainSystemMeta(ctx, domainName, ZMSConsts.SYSTEM_META_GCP_PROJECT, auditRef, meta); + fail(); + } catch (ResourceException ex) { + assertTrue(ex.getMessage().contains("invalid gcp project")); + } + + // next gcp project without project number + + try { + meta.setGcpProject("valid-gcp-project"); + meta.setGcpProjectNumber(null); + zmsImpl.putDomainSystemMeta(ctx, domainName, ZMSConsts.SYSTEM_META_GCP_PROJECT, auditRef, meta); + fail(); + } catch (ResourceException ex) { + assertTrue(ex.getMessage().contains("invalid gcp project")); + } + + meta.setGcpProject("valid-gcp-project"); + meta.setGcpProjectNumber("1200"); + zmsImpl.putDomainSystemMeta(ctx, domainName, ZMSConsts.SYSTEM_META_GCP_PROJECT, auditRef, meta); + + domain = zmsImpl.getDomain(ctx, domainName); + 
assertNotNull(domain); + assertEquals(domain.getGcpProject(), "valid-gcp-project"); + assertEquals(domain.getGcpProjectNumber(), "1200"); + + // now keep the gcp project but update the project number + + meta.setGcpProject("valid-gcp-project"); + meta.setGcpProjectNumber("1201"); + zmsImpl.putDomainSystemMeta(ctx, domainName, ZMSConsts.SYSTEM_META_GCP_PROJECT, auditRef, meta); + + domain = zmsImpl.getDomain(ctx, domainName); + assertNotNull(domain); + assertEquals(domain.getGcpProject(), "valid-gcp-project"); + assertEquals(domain.getGcpProjectNumber(), "1201"); + + // second time no-op since nothing has changed + + zmsImpl.putDomainSystemMeta(ctx, domainName, ZMSConsts.SYSTEM_META_GCP_PROJECT, auditRef, meta); + + // next product id + + zmsImpl.productIdSupport = true; + try { + meta.setYpmId(100); + zmsImpl.putDomainSystemMeta(ctx, domainName, ZMSConsts.SYSTEM_META_PRODUCT_ID, auditRef, meta); + fail(); + } catch (ResourceException ex) { + assertTrue(ex.getMessage().contains("invalid product id")); + } + + meta.setYpmId(101); + try { + meta.setProductId("invalid-product-id"); + zmsImpl.putDomainSystemMeta(ctx, domainName, ZMSConsts.SYSTEM_META_PRODUCT_ID, auditRef, meta); + fail(); + } catch (ResourceException ex) { + assertTrue(ex.getMessage().contains("invalid product id")); + } + + meta.setProductId("valid-product-id"); + zmsImpl.putDomainSystemMeta(ctx, domainName, ZMSConsts.SYSTEM_META_PRODUCT_ID, auditRef, meta); + + domain = zmsImpl.getDomain(ctx, domainName); + assertNotNull(domain); + assertEquals(domain.getYpmId().intValue(), 101); + + // final business service + + try { + meta.setBusinessService("invalid-business-service"); + zmsImpl.putDomainSystemMeta(ctx, domainName, ZMSConsts.SYSTEM_META_BUSINESS_SERVICE, auditRef, meta); + fail(); + } catch (ResourceException ex) { + assertTrue(ex.getMessage().contains("invalid business service")); + } + + meta.setBusinessService("valid-business-service"); + zmsImpl.putDomainSystemMeta(ctx, domainName, 
ZMSConsts.SYSTEM_META_BUSINESS_SERVICE, auditRef, meta); + + domain = zmsImpl.getDomain(ctx, domainName); + assertNotNull(domain); + assertEquals(domain.getBusinessService(), "valid-business-service"); + + // second time no-op since nothing has changed + + zmsImpl.putDomainSystemMeta(ctx, domainName, ZMSConsts.SYSTEM_META_BUSINESS_SERVICE, auditRef, meta); + + zmsImpl.deleteTopLevelDomain(ctx, domainName, auditRef, null); + zmsImpl.domainMetaStore = savedMetaStore; + zmsImpl.productIdSupport = false; + } + + @Test + public void testPutDomainMetaIDomainMetaStoreException() { + + ZMSImpl zmsImpl = zmsTestInitializer.getZms(); + RsrcCtxWrapper ctx = zmsTestInitializer.getMockDomRsrcCtx(); + final String auditRef = zmsTestInitializer.getAuditRef(); + + final String domainName = "athenz-domain-meta-with-exception"; + DomainMetaStore savedMetaStore = zmsImpl.domainMetaStore; + zmsImpl.domainMetaStore = new TestDomainMetaStore(); + + // value with exc- will throw an exception but we should + // not reject the request + + TopLevelDomain dom1 = zmsTestInitializer.createTopLevelDomainObject(domainName, + "Test Domain1", "testOrg", zmsTestInitializer.getAdminUser()); + dom1.setBusinessService("exc-business-service"); + zmsImpl.postTopLevelDomain(ctx, auditRef, null, dom1); + + Domain domain = zmsImpl.getDomain(ctx, domainName); + assertNotNull(domain); + assertEquals(domain.getBusinessService(), "exc-business-service"); + + // try with system attribute now as well + + DomainMeta meta = new DomainMeta().setAccount("exc-aws-account"); + zmsImpl.putDomainSystemMeta(ctx, domainName, ZMSConsts.SYSTEM_META_ACCOUNT, auditRef, meta); + + domain = zmsImpl.getDomain(ctx, domainName); + assertNotNull(domain); + assertEquals(domain.getAccount(), "exc-aws-account"); + assertEquals(domain.getBusinessService(), "exc-business-service"); + + zmsImpl.deleteTopLevelDomain(ctx, domainName, auditRef, null); + zmsImpl.domainMetaStore = savedMetaStore; + } + + @Test + public void 
testPutDomainSystemMetaInvalidDomain() { + + ZMSImpl zmsImpl = zmsTestInitializer.getZms(); + RsrcCtxWrapper ctx = zmsTestInitializer.getMockDomRsrcCtx(); + final String auditRef = zmsTestInitializer.getAuditRef(); + + final String domainName = "athenz-domain-system-meta-not-found"; + + DomainMeta meta = new DomainMeta().setAccount("aws-account"); + try { + zmsImpl.putDomainSystemMeta(ctx, domainName, ZMSConsts.SYSTEM_META_ACCOUNT, auditRef, meta); + fail(); + } catch (ResourceException ex) { + assertEquals(ex.getCode(), ResourceException.NOT_FOUND); + } + } + + @Test + public void testGetDomainMetaStoreValidValuesList() { + ZMSImpl zmsImpl = zmsTestInitializer.getZms(); + RsrcCtxWrapper ctx = zmsTestInitializer.getMockDomRsrcCtx(); + + DomainMetaStore savedMetaStore = zmsImpl.domainMetaStore; + DomainMetaStore mockDomainMetaStore = Mockito.mock(DomainMetaStore.class); + List awsAccountsList = Collections.singletonList("awsAcc"); + when(mockDomainMetaStore.getValidAWSAccounts(isNull())).thenReturn(awsAccountsList); + List businessServicesList = Collections.singletonList("bservice"); + when(mockDomainMetaStore.getValidBusinessServices(isNull())).thenReturn(businessServicesList); + List azureList = Collections.singletonList("azureSub"); + when(mockDomainMetaStore.getValidAzureSubscriptions(isNull())).thenReturn(azureList); + List gcpList = Collections.singletonList("gcpProject"); + when(mockDomainMetaStore.getValidGcpProjects(isNull())).thenReturn(gcpList); + List productIdList = Collections.singletonList("product"); + when(mockDomainMetaStore.getValidProductIds(isNull())).thenReturn(productIdList); + zmsImpl.domainMetaStore = mockDomainMetaStore; + assertEquals("bservice", zmsImpl.getDomainMetaStoreValidValuesList(ctx, "businessService", null).getValidValues().get(0)); + assertEquals("awsAcc", zmsImpl.getDomainMetaStoreValidValuesList(ctx, "awsAccount", null).getValidValues().get(0)); + assertEquals("azureSub", zmsImpl.getDomainMetaStoreValidValuesList(ctx, 
"azureSubscription", null).getValidValues().get(0)); + assertEquals("gcpProject", zmsImpl.getDomainMetaStoreValidValuesList(ctx, "gcpProject", null).getValidValues().get(0)); + assertEquals("product", zmsImpl.getDomainMetaStoreValidValuesList(ctx, "productId", null).getValidValues().get(0)); + assertEquals("product", zmsImpl.getDomainMetaStoreValidValuesList(ctx, "productNumber", null).getValidValues().get(0)); + zmsImpl.domainMetaStore = savedMetaStore; + } + + @Test + public void testGetDomainMetaStoreValidValuesListEmpty() { + ZMSImpl zmsImpl = zmsTestInitializer.getZms(); + RsrcCtxWrapper ctx = zmsTestInitializer.getMockDomRsrcCtx(); + + DomainMetaStore savedMetaStore = zmsImpl.domainMetaStore; + zmsImpl.domainMetaStore = new TestDomainMetaStore(); + DomainMetaStoreValidValuesList emptyValidValuesList = new DomainMetaStoreValidValuesList(); + emptyValidValuesList.setValidValues(new ArrayList<>()); + assertEquals(emptyValidValuesList, zmsImpl.getDomainMetaStoreValidValuesList(ctx, "businessService", null)); + assertEquals(emptyValidValuesList, zmsImpl.getDomainMetaStoreValidValuesList(ctx, "awsAccount", null)); + assertEquals(emptyValidValuesList, zmsImpl.getDomainMetaStoreValidValuesList(ctx, "azureSubscription", null)); + assertEquals(emptyValidValuesList, zmsImpl.getDomainMetaStoreValidValuesList(ctx, "gcpProject", null)); + assertEquals(emptyValidValuesList, zmsImpl.getDomainMetaStoreValidValuesList(ctx, "productId", null)); + zmsImpl.domainMetaStore = savedMetaStore; + } + + @Test + public void testGetDomainMetaStoreValidValuesListBadAttribute() { + + ZMSImpl zmsImpl = zmsTestInitializer.getZms(); + RsrcCtxWrapper ctx = zmsTestInitializer.getMockDomRsrcCtx(); + + DomainMetaStore savedMetaStore = zmsImpl.domainMetaStore; + zmsImpl.domainMetaStore = new TestDomainMetaStore(); + try { + zmsImpl.getDomainMetaStoreValidValuesList(ctx, "badAttribute", null); + fail(); + } catch (ResourceException ex) { + assertEquals(ex.getMessage(), "ResourceException (400): 
{code: 400, message: \"Invalid attribute: badAttribute\"}"); + } finally { + zmsImpl.domainMetaStore = savedMetaStore; + } + } + + @Test + public void testGetDomainMetaStoreValidValuesListMissingAttribute() { + + ZMSImpl zmsImpl = zmsTestInitializer.getZms(); + RsrcCtxWrapper ctx = zmsTestInitializer.getMockDomRsrcCtx(); + + DomainMetaStore savedMetaStore = zmsImpl.domainMetaStore; + zmsImpl.domainMetaStore = new TestDomainMetaStore(); + try { + zmsImpl.getDomainMetaStoreValidValuesList(ctx, null, null); + fail(); + } catch (ResourceException ex) { + assertEquals(ex.getMessage(), "ResourceException (400): {code: 400, message: \"attributeName is mandatory\"}"); + } finally { + zmsImpl.domainMetaStore = savedMetaStore; + } + } + + @Test + public void testGetDomainMetaStoreValidValuesUsernameLowered() { + + ZMSImpl zmsImpl = zmsTestInitializer.getZms(); + RsrcCtxWrapper ctx = zmsTestInitializer.getMockDomRsrcCtx(); + + DomainMetaStore savedMetaStore = zmsImpl.domainMetaStore; + DomainMetaStore mockDomainMetaStore = Mockito.mock(DomainMetaStore.class); + List businessServicesList = Collections.singletonList("bservice"); + when(mockDomainMetaStore.getValidBusinessServices(anyString())).thenReturn(businessServicesList); + + zmsImpl.domainMetaStore = mockDomainMetaStore; + ArgumentCaptor userCapture = ArgumentCaptor.forClass(String.class); + zmsImpl.getDomainMetaStoreValidValuesList(ctx, "businessService", "TestUser"); + verify(mockDomainMetaStore, times(1)).getValidBusinessServices(userCapture.capture()); + + assertEquals(userCapture.getValue(), "testuser"); + zmsImpl.domainMetaStore = savedMetaStore; + } + + @Test + public void testPutDomainMetaThrowException() { + + ZMSImplTest.TestAuditLogger alogger = new ZMSImplTest.TestAuditLogger(); + ZMSImpl zmsImpl = zmsTestInitializer.getZmsImpl(alogger); + RsrcCtxWrapper ctx = zmsTestInitializer.getMockDomRsrcCtx(); + final String auditRef = zmsTestInitializer.getAuditRef(); + + String domName = "wrongDomainName"; + DomainMeta 
meta = new DomainMeta(); + meta.setYpmId(ZMSTestInitializer.getRandomProductId()); + try { + zmsImpl.putDomainMeta(ctx, domName, auditRef, null, meta); + fail("notfounderror not thrown."); + } catch (ResourceException e) { + assertEquals(404, e.getCode()); + } + } + + @Test + public void testPutDomainMeta() { + + final String domainName = "domain-meta-test"; + + ZMSImpl zmsImpl = zmsTestInitializer.getZms(); + RsrcCtxWrapper ctx = zmsTestInitializer.getMockDomRsrcCtx(); + final String auditRef = zmsTestInitializer.getAuditRef(); + + TopLevelDomain dom1 = zmsTestInitializer.createTopLevelDomainObject(domainName, + "Test Domain1", "testOrg", zmsTestInitializer.getAdminUser()); + zmsImpl.postTopLevelDomain(ctx, auditRef, null, dom1); + + Domain resDom1 = zmsImpl.getDomain(ctx, domainName); + assertNotNull(resDom1); + assertEquals(resDom1.getDescription(), "Test Domain1"); + assertEquals(resDom1.getOrg(), "testorg"); + assertTrue(resDom1.getEnabled()); + assertFalse(resDom1.getAuditEnabled()); + assertNull(resDom1.getServiceCertExpiryMins()); + assertNull(resDom1.getRoleCertExpiryMins()); + assertNull(resDom1.getMemberExpiryDays()); + assertNull(resDom1.getServiceExpiryDays()); + assertNull(resDom1.getGroupExpiryDays()); + assertNull(resDom1.getTokenExpiryMins()); + assertNull(resDom1.getMemberPurgeExpiryDays()); + assertNull(resDom1.getProductId()); + + DomainMeta meta = zmsTestInitializer.createDomainMetaObject("Test2 Domain", "NewOrg", + true, true, "12345", 1001); + meta.setCertDnsDomain("YAHOO.cloud"); + meta.setServiceCertExpiryMins(100); + meta.setRoleCertExpiryMins(200); + meta.setMemberPurgeExpiryDays(90); + meta.setSignAlgorithm("ec"); + meta.setProductId("abcd-1234"); + zmsImpl.putDomainMeta(ctx, domainName, auditRef, null, meta); + zmsImpl.putDomainSystemMeta(ctx, domainName, "auditenabled", auditRef, meta); + zmsImpl.putDomainSystemMeta(ctx, domainName, "account", auditRef, meta); + zmsImpl.putDomainSystemMeta(ctx, domainName, "certdnsdomain", auditRef, 
meta); + + zmsTestInitializer.setupPrincipalSystemMetaDelete(zmsImpl, ctx.principal().getFullName(), + domainName, "domain", "productid", "org", "certdnsdomain"); + zmsImpl.putDomainSystemMeta(ctx, domainName, "org", auditRef, meta); + zmsImpl.putDomainSystemMeta(ctx, domainName, "productid", auditRef, meta); + + Domain resDom3 = zmsImpl.getDomain(ctx, domainName); + assertNotNull(resDom3); + assertEquals(resDom3.getDescription(), "Test2 Domain"); + assertEquals(resDom3.getOrg(), "neworg"); + assertTrue(resDom3.getEnabled()); + assertTrue(resDom3.getAuditEnabled()); + assertEquals(resDom3.getAccount(), "12345"); + assertEquals(Integer.valueOf(1001), resDom3.getYpmId()); + assertEquals(resDom3.getProductId(), "abcd-1234"); + assertEquals(resDom3.getCertDnsDomain(), "yahoo.cloud"); + assertEquals(resDom3.getServiceCertExpiryMins(), Integer.valueOf(100)); + assertEquals(resDom3.getMemberPurgeExpiryDays(), Integer.valueOf(90)); + assertEquals(resDom3.getRoleCertExpiryMins(), Integer.valueOf(200)); + assertNull(resDom3.getMemberExpiryDays()); + assertNull(resDom3.getServiceExpiryDays()); + assertNull(resDom3.getGroupExpiryDays()); + assertNull(resDom3.getTokenExpiryMins()); + assertEquals(resDom3.getSignAlgorithm(), "ec"); + + // put the metadata using same product id + + meta = zmsTestInitializer.createDomainMetaObject("just a new desc", "organs", + true, true, "12345", 1001); + meta.setMemberExpiryDays(300); + meta.setServiceExpiryDays(350); + meta.setGroupExpiryDays(375); + meta.setTokenExpiryMins(400); + meta.setProductId("abcd-1234"); + zmsImpl.putDomainMeta(ctx, domainName, auditRef, null, meta); + + resDom3 = zmsImpl.getDomain(ctx, domainName); + assertNotNull(resDom3); + assertEquals(resDom3.getDescription(), "just a new desc"); + //org is system attr. 
so it won't be changed by putdomainmeta call + assertEquals(resDom3.getOrg(), "neworg"); + assertTrue(resDom3.getEnabled()); + assertTrue(resDom3.getAuditEnabled()); + assertEquals(resDom3.getAccount(), "12345"); + assertEquals(resDom3.getProductId(), "abcd-1234"); + assertEquals(Integer.valueOf(1001), resDom3.getYpmId()); + assertEquals(resDom3.getServiceCertExpiryMins(), Integer.valueOf(100)); + assertEquals(resDom3.getRoleCertExpiryMins(), Integer.valueOf(200)); + assertEquals(resDom3.getMemberExpiryDays(), Integer.valueOf(300)); + assertEquals(resDom3.getServiceExpiryDays(), Integer.valueOf(350)); + assertEquals(resDom3.getGroupExpiryDays(), Integer.valueOf(375)); + assertEquals(resDom3.getTokenExpiryMins(), Integer.valueOf(400)); + assertEquals(resDom3.getMemberPurgeExpiryDays(), Integer.valueOf(90)); + + zmsImpl.putDomainSystemMeta(ctx, domainName, "org", auditRef, meta); + resDom3 = zmsImpl.getDomain(ctx, domainName); + assertNotNull(resDom3); + assertEquals(resDom3.getOrg(), "organs"); + + // put the metadata using new product + meta = zmsTestInitializer.createDomainMetaObject("just a new desc", "organs", + true, true, "12345", 1001); + Integer newProductId = ZMSTestInitializer.getRandomProductId(); + meta.setYpmId(newProductId); + meta.setProductId("abcd-1234-5678"); + meta.setServiceCertExpiryMins(5); + meta.setRoleCertExpiryMins(0); + meta.setMemberExpiryDays(15); + meta.setServiceExpiryDays(17); + meta.setGroupExpiryDays(18); + meta.setTokenExpiryMins(20); + meta.setMemberPurgeExpiryDays(120); + meta.setSignAlgorithm("rsa"); + zmsImpl.putDomainMeta(ctx, domainName, auditRef, null, meta); + zmsImpl.putDomainSystemMeta(ctx, domainName, "productid", auditRef, meta); + + resDom3 = zmsImpl.getDomain(ctx, domainName); + assertNotNull(resDom3); + assertEquals(resDom3.getDescription(), "just a new desc"); + assertEquals(resDom3.getOrg(), "organs"); + assertTrue(resDom3.getEnabled()); + assertTrue(resDom3.getAuditEnabled()); + assertEquals(resDom3.getAccount(), 
"12345"); + assertEquals(resDom3.getProductId(), "abcd-1234-5678"); + assertEquals(newProductId, resDom3.getYpmId()); + assertEquals(resDom3.getServiceCertExpiryMins(), Integer.valueOf(5)); + assertNull(resDom3.getRoleCertExpiryMins()); + assertEquals(resDom3.getMemberExpiryDays(), Integer.valueOf(15)); + assertEquals(resDom3.getServiceExpiryDays(), Integer.valueOf(17)); + assertEquals(resDom3.getGroupExpiryDays(), Integer.valueOf(18)); + assertEquals(resDom3.getTokenExpiryMins(), Integer.valueOf(20)); + assertEquals(resDom3.getMemberPurgeExpiryDays(), Integer.valueOf(120)); + assertEquals(resDom3.getSignAlgorithm(), "rsa"); + assertNull(resDom3.getFeatureFlags()); + + // put new feature flags for the domain + + meta.setFeatureFlags(3); + zmsImpl.putDomainMeta(ctx, domainName, auditRef, null, meta); + zmsImpl.putDomainSystemMeta(ctx, domainName, "featureflags", auditRef, meta); + + resDom3 = zmsImpl.getDomain(ctx, domainName); + assertNotNull(resDom3); + assertEquals(resDom3.getDescription(), "just a new desc"); + assertEquals(resDom3.getOrg(), "organs"); + assertTrue(resDom3.getEnabled()); + assertTrue(resDom3.getAuditEnabled()); + assertEquals(resDom3.getAccount(), "12345"); + assertEquals(resDom3.getProductId(), "abcd-1234-5678"); + assertEquals(newProductId, resDom3.getYpmId()); + assertEquals(resDom3.getServiceCertExpiryMins(), Integer.valueOf(5)); + assertNull(resDom3.getRoleCertExpiryMins()); + assertEquals(resDom3.getMemberExpiryDays(), Integer.valueOf(15)); + assertEquals(resDom3.getServiceExpiryDays(), Integer.valueOf(17)); + assertEquals(resDom3.getGroupExpiryDays(), Integer.valueOf(18)); + assertEquals(resDom3.getTokenExpiryMins(), Integer.valueOf(20)); + assertEquals(resDom3.getMemberPurgeExpiryDays(), Integer.valueOf(120)); + assertEquals(resDom3.getSignAlgorithm(), "rsa"); + assertEquals(resDom3.getFeatureFlags().intValue(), 3); + + // update the feature flags value + + meta.setFeatureFlags(7); + zmsImpl.putDomainSystemMeta(ctx, domainName, 
"featureflags", auditRef, meta); + resDom3 = zmsImpl.getDomain(ctx, domainName); + assertEquals(resDom3.getFeatureFlags().intValue(), 7); + + zmsTestInitializer.cleanupPrincipalSystemMetaDelete(zmsImpl, "domain"); + zmsImpl.deleteTopLevelDomain(ctx, domainName, auditRef, null); + } + + @Test + public void testPutDomainSystemMetaModifiedTimestamp() { + + ZMSImpl zmsImpl = zmsTestInitializer.getZms(); + RsrcCtxWrapper ctx = zmsTestInitializer.getMockDomRsrcCtx(); + final String auditRef = zmsTestInitializer.getAuditRef(); + + final String domainName = "metadomainmodified"; + TopLevelDomain dom1 = zmsTestInitializer.createTopLevelDomainObject(domainName, + "Test Domain1", "testOrg", zmsTestInitializer.getAdminUser()); + zmsImpl.postTopLevelDomain(ctx, auditRef, null, dom1); + + Domain resDom1 = zmsImpl.getDomain(ctx, domainName); + assertNotNull(resDom1); + long domMod1 = resDom1.getModified().millis(); + + ZMSTestUtils.sleep(1); + + DomainMeta meta = new DomainMeta(); + zmsImpl.putDomainSystemMeta(ctx, domainName, "modified", auditRef, meta); + + Domain resDom2 = zmsImpl.getDomain(ctx, domainName); + assertNotNull(resDom2); + long domMod2 = resDom2.getModified().millis(); + + assertTrue(domMod2 > domMod1); + zmsImpl.deleteTopLevelDomain(ctx, domainName, auditRef, null); + } + + @Test + public void testPutDomainMetaInvalid() { + + // enable product id support + + System.setProperty(ZMSConsts.ZMS_PROP_PRODUCT_ID_SUPPORT, "true"); + ZMSImpl zmsImpl = zmsTestInitializer.zmsInit(); + RsrcCtxWrapper ctx = zmsTestInitializer.getMockDomRsrcCtx(); + final String auditRef = zmsTestInitializer.getAuditRef(); + + final String domainName = "MetaDomProductid"; + TopLevelDomain dom = zmsTestInitializer.createTopLevelDomainObject(domainName, + "Test Domain", "testOrg", zmsTestInitializer.getAdminUser()); + zmsImpl.postTopLevelDomain(ctx, auditRef, null, dom); + + Domain resDom = zmsImpl.getDomain(ctx, domainName); + assertNotNull(resDom); + assertEquals(resDom.getDescription(), 
"Test Domain"); + assertEquals(resDom.getOrg(), "testorg"); + assertTrue(resDom.getEnabled()); + assertFalse(resDom.getAuditEnabled()); + Integer productId = resDom.getYpmId(); + + zmsTestInitializer.setupPrincipalSystemMetaDelete(zmsImpl, ctx.principal().getFullName(), + domainName, "domain", "productid"); + DomainMeta meta = zmsTestInitializer.createDomainMetaObject("Test2 Domain", "NewOrg", + true, true, "12345", null); + try { + zmsImpl.putDomainSystemMeta(ctx, domainName, "productid", auditRef, meta); + fail("bad request exc not thrown"); + } catch (ResourceException exc) { + assertEquals(400, exc.getCode()); + assertTrue(exc.getMessage().contains("Unique Product Id must be specified for top level domain")); + } + + // put metadata using another domains productId + dom = zmsTestInitializer.createTopLevelDomainObject("MetaDomProductid2", + "Test Domain", "testOrg", zmsTestInitializer.getAdminUser()); + zmsImpl.postTopLevelDomain(ctx, auditRef, null, dom); + + resDom = zmsImpl.getDomain(ctx, "MetaDomProductid2"); + Integer productId2 = resDom.getYpmId(); + assertNotEquals(productId, productId2); + + meta = zmsTestInitializer.createDomainMetaObject("Test3 Domain", "NewOrg", + true, true, "12345", productId2); + try { + zmsImpl.putDomainSystemMeta(ctx, domainName, "productid", auditRef, meta); + fail("bad request exc not thrown"); + } catch (ResourceException exc) { + assertEquals(400, exc.getCode()); + assertTrue(exc.getMessage().contains("is already assigned to domain")); + } + + // test negative values + + meta = new DomainMeta().setServiceExpiryDays(-10); + try { + zmsImpl.putDomainMeta(ctx, domainName, auditRef, null, meta); + fail(); + } catch (ResourceException ex) { + assertEquals(ex.getCode(), ResourceException.BAD_REQUEST); + } + + meta = new DomainMeta().setGroupExpiryDays(-10); + try { + zmsImpl.putDomainMeta(ctx, domainName, auditRef, null, meta); + fail(); + } catch (ResourceException ex) { + assertEquals(ex.getCode(), ResourceException.BAD_REQUEST); 
+ } + + meta = new DomainMeta().setMemberExpiryDays(-10); + try { + zmsImpl.putDomainMeta(ctx, domainName, auditRef, null, meta); + fail(); + } catch (ResourceException ex) { + assertEquals(ex.getCode(), ResourceException.BAD_REQUEST); + } + + meta = new DomainMeta().setRoleCertExpiryMins(-10); + try { + zmsImpl.putDomainMeta(ctx, domainName, auditRef, null, meta); + fail(); + } catch (ResourceException ex) { + assertEquals(ex.getCode(), ResourceException.BAD_REQUEST); + } + + meta = new DomainMeta().setServiceCertExpiryMins(-10); + try { + zmsImpl.putDomainMeta(ctx, domainName, auditRef, null, meta); + fail(); + } catch (ResourceException ex) { + assertEquals(ex.getCode(), ResourceException.BAD_REQUEST); + } + + meta = new DomainMeta().setTokenExpiryMins(-10); + try { + zmsImpl.putDomainMeta(ctx, domainName, auditRef, null, meta); + fail(); + } catch (ResourceException ex) { + assertEquals(ex.getCode(), ResourceException.BAD_REQUEST); + } + + zmsTestInitializer.cleanupPrincipalSystemMetaDelete(zmsImpl, "domain"); + zmsImpl.deleteTopLevelDomain(ctx, "MetaDomProductid", auditRef, null); + zmsImpl.deleteTopLevelDomain(ctx, "MetaDomProductid2", auditRef, null); + System.clearProperty(ZMSConsts.ZMS_PROP_PRODUCT_ID_SUPPORT); + zmsImpl.objectStore.clearConnections(); + } + + @Test + public void testPutDomainMetaDefaults() { + + final String domainName = "meta-dom-values"; + ZMSImpl zmsImpl = zmsTestInitializer.getZms(); + RsrcCtxWrapper ctx = zmsTestInitializer.getMockDomRsrcCtx(); + final String auditRef = zmsTestInitializer.getAuditRef(); + + TopLevelDomain dom1 = zmsTestInitializer.createTopLevelDomainObject(domainName, null, null, + zmsTestInitializer.getAdminUser()); + zmsImpl.postTopLevelDomain(ctx, auditRef, null, dom1); + + Domain resDom1 = zmsImpl.getDomain(ctx, domainName); + assertNotNull(resDom1); + assertNull(resDom1.getDescription()); + assertNull(resDom1.getOrg()); + assertTrue(resDom1.getEnabled()); + assertFalse(resDom1.getAuditEnabled()); + + DomainMeta 
meta = zmsTestInitializer.createDomainMetaObject("Test2 Domain", "NewOrg", true, false, null, 0); + zmsImpl.putDomainMeta(ctx, domainName, auditRef, null, meta); + + zmsImpl.putDomainSystemMeta(ctx, domainName, "org", auditRef, meta); + + Domain resDom3 = zmsImpl.getDomain(ctx, domainName); + assertNotNull(resDom3); + assertEquals(resDom3.getDescription(), "Test2 Domain"); + assertEquals(resDom3.getOrg(), "neworg"); + assertTrue(resDom3.getEnabled()); + assertFalse(resDom3.getAuditEnabled()); + assertNull(resDom3.getAccount()); + assertNull(resDom3.getAzureSubscription()); + assertNull(resDom3.getGcpProject()); + assertNull(resDom3.getBusinessService()); + assertEquals(Integer.valueOf(0), resDom3.getYpmId()); + + meta.setAccount("aws"); + zmsImpl.putDomainSystemMeta(ctx, domainName, "account", auditRef, meta); + resDom3 = zmsImpl.getDomain(ctx, domainName); + assertNotNull(resDom3); + assertEquals(resDom3.getOrg(), "neworg"); + assertEquals(resDom3.getAccount(), "aws"); + assertNull(resDom3.getAzureSubscription()); + assertNull(resDom3.getGcpProject()); + assertNull(resDom3.getBusinessService()); + + meta.setAzureSubscription("azure"); + meta.setAzureTenant("tenant"); + meta.setAzureClient("client"); + zmsImpl.putDomainSystemMeta(ctx, domainName, "azuresubscription", auditRef, meta); + resDom3 = zmsImpl.getDomain(ctx, domainName); + assertNotNull(resDom3); + assertEquals(resDom3.getOrg(), "neworg"); + assertEquals(resDom3.getAccount(), "aws"); + assertEquals(resDom3.getAzureSubscription(), "azure"); + assertEquals(resDom3.getAzureTenant(), "tenant"); + assertEquals(resDom3.getAzureClient(), "client"); + assertNull(resDom3.getGcpProject()); + assertNull(resDom3.getGcpProjectNumber()); + assertNull(resDom3.getBusinessService()); + + meta.setGcpProject("gcp"); + meta.setGcpProjectNumber("1239"); + zmsImpl.putDomainSystemMeta(ctx, domainName, "gcpproject", auditRef, meta); + resDom3 = zmsImpl.getDomain(ctx, domainName); + assertNotNull(resDom3); + 
assertEquals(resDom3.getOrg(), "neworg"); + assertEquals(resDom3.getAccount(), "aws"); + assertEquals(resDom3.getAzureSubscription(), "azure"); + assertEquals(resDom3.getAzureTenant(), "tenant"); + assertEquals(resDom3.getAzureClient(), "client"); + assertEquals(resDom3.getGcpProject(), "gcp"); + assertEquals(resDom3.getGcpProjectNumber(), "1239"); + assertNull(resDom3.getBusinessService()); + + meta.setBusinessService("123:business service"); + zmsImpl.putDomainSystemMeta(ctx, domainName, "businessservice", auditRef, meta); + resDom3 = zmsImpl.getDomain(ctx, domainName); + assertNotNull(resDom3); + assertEquals(resDom3.getOrg(), "neworg"); + assertEquals(resDom3.getAccount(), "aws"); + assertEquals(resDom3.getAzureSubscription(), "azure"); + assertEquals(resDom3.getAzureTenant(), "tenant"); + assertEquals(resDom3.getAzureClient(), "client"); + assertEquals(resDom3.getGcpProject(), "gcp"); + assertEquals(resDom3.getGcpProjectNumber(), "1239"); + assertEquals(resDom3.getBusinessService(), "123:business service"); + + zmsImpl.deleteTopLevelDomain(ctx, domainName, auditRef, null); + } + + @Test + public void testPutDomainMetaMissingAuditRef() { + ZMSImpl zmsImpl = zmsTestInitializer.getZms(); + RsrcCtxWrapper ctx = zmsTestInitializer.getMockDomRsrcCtx(); + final String auditRef = zmsTestInitializer.getAuditRef(); + + String domain = "testSetDomainMetaMissingAuditRef"; + TopLevelDomain dom = zmsTestInitializer.createTopLevelDomainObject( + domain, "Test1 Domain", "testOrg", zmsTestInitializer.getAdminUser()); + dom.setAuditEnabled(true); + zmsImpl.postTopLevelDomain(ctx, auditRef, null, dom); + + Domain resDom = zmsImpl.getDomain(ctx, domain); + assertNotNull(resDom); + assertEquals(resDom.getDescription(), "Test1 Domain"); + assertEquals(resDom.getOrg(), "testorg"); + assertTrue(resDom.getAuditEnabled()); + + DomainMeta meta = zmsTestInitializer.createDomainMetaObject("Test2 Domain", "NewOrg", false, true, null, 0); + try { + zmsImpl.putDomainMeta(ctx, domain, null, 
null, meta); + fail(); + } catch (ResourceException ex) { + assertEquals(ex.getCode(), 400); + assertTrue(ex.getMessage().contains("Audit reference required")); + } finally { + zmsImpl.deleteTopLevelDomain(ctx, domain, auditRef, null); + } + } + + @Test + public void testPutDomainMetaSubDomain() { + ZMSImpl zmsImpl = zmsTestInitializer.getZms(); + RsrcCtxWrapper ctx = zmsTestInitializer.getMockDomRsrcCtx(); + final String auditRef = zmsTestInitializer.getAuditRef(); + + try { + TopLevelDomain dom = zmsTestInitializer.createTopLevelDomainObject("MetaDomProductid", + "Test Domain", "testOrg", zmsTestInitializer.getAdminUser(), ctx.principal().getFullName()); + zmsImpl.postTopLevelDomain(ctx, auditRef, null, dom); + } catch (ResourceException rexc) { + assertEquals(400, rexc.getCode()); + } + + SubDomain subDom = zmsTestInitializer.createSubDomainObject("metaSubDom", "MetaDomProductid", + "sub Domain", "testOrg", zmsTestInitializer.getAdminUser()); + zmsImpl.postSubDomain(ctx, "MetaDomProductid", auditRef, null, subDom); + + // put metadata with null productId + DomainMeta meta = zmsTestInitializer.createDomainMetaObject("Test sub Domain", "NewOrg", + true, true, "12345", null); + zmsImpl.putDomainMeta(ctx, "MetaDomProductid.metaSubDom", auditRef, null, meta); + + // put metadata with a productId + meta = zmsTestInitializer.createDomainMetaObject("Test sub Domain", "NewOrg", + true, true, "12345", ZMSTestInitializer.getRandomProductId()); + zmsImpl.putDomainMeta(ctx, "MetaDomProductid.metaSubDom", auditRef, null, meta); + + // set the expiry days to 30 + + meta.setMemberExpiryDays(30); + meta.setServiceExpiryDays(25); + meta.setGroupExpiryDays(35); + zmsImpl.putDomainMeta(ctx, "MetaDomProductid.metaSubDom", auditRef, null, meta); + Domain domain = zmsImpl.getDomain(ctx, "MetaDomProductid.metaSubDom"); + assertEquals(domain.getMemberExpiryDays(), Integer.valueOf(30)); + assertEquals(domain.getServiceExpiryDays(), Integer.valueOf(25)); + 
assertEquals(domain.getGroupExpiryDays(), Integer.valueOf(35)); + + // if value is null we're not going to change it + + meta.setMemberExpiryDays(null); + meta.setServiceExpiryDays(null); + meta.setGroupExpiryDays(null); + meta.setDescription("test1"); + zmsImpl.putDomainMeta(ctx, "MetaDomProductid.metaSubDom", auditRef, null, meta); + domain = zmsImpl.getDomain(ctx, "MetaDomProductid.metaSubDom"); + assertEquals(domain.getMemberExpiryDays(), Integer.valueOf(30)); + assertEquals(domain.getServiceExpiryDays(), Integer.valueOf(25)); + assertEquals(domain.getGroupExpiryDays(), Integer.valueOf(35)); + assertEquals(domain.getDescription(), "test1"); + + // setting is to 0 + + meta.setMemberExpiryDays(0); + meta.setServiceExpiryDays(0); + meta.setGroupExpiryDays(0); + meta.setDescription("test2"); + zmsImpl.putDomainMeta(ctx, "MetaDomProductid.metaSubDom", auditRef, null, meta); + domain = zmsImpl.getDomain(ctx, "MetaDomProductid.metaSubDom"); + assertNull(domain.getMemberExpiryDays()); + assertNull(domain.getServiceExpiryDays()); + assertNull(domain.getGroupExpiryDays()); + assertEquals(domain.getDescription(), "test2"); + + zmsImpl.deleteSubDomain(ctx, "MetaDomProductid", "metaSubDom", auditRef, null); + zmsImpl.deleteTopLevelDomain(ctx, "MetaDomProductid", auditRef, null); + } + + @Test + public void testPutDomainSystemMetaX509CertSignerKeyId() { + + ZMSImpl zmsImpl = zmsTestInitializer.getZms(); + RsrcCtxWrapper ctx = zmsTestInitializer.getMockDomRsrcCtx(); + final String auditRef = zmsTestInitializer.getAuditRef(); + + final String domainName = "athenz-domain-with-x509-cert-signer-key-id"; + TopLevelDomain dom1 = zmsTestInitializer.createTopLevelDomainObject(domainName, + "Test Domain1", "testOrg", zmsTestInitializer.getAdminUser()); + zmsImpl.postTopLevelDomain(ctx, auditRef, null, dom1); + + Domain domain = zmsImpl.getDomain(ctx, domainName); + assertNotNull(domain); + assertNull(domain.getX509CertSignerKeyId()); + + // set the x509 cert signer key id + + 
DomainMeta dm = new DomainMeta().setX509CertSignerKeyId("x509-keyid"); + zmsImpl.putDomainSystemMeta(ctx, domainName, "x509certsignerkeyid", auditRef, dm); + + domain = zmsImpl.getDomain(ctx, domainName); + assertNotNull(domain); + assertEquals(domain.getX509CertSignerKeyId(), "x509-keyid"); + + // update the x509 cert signer key id + // first we're going to be rejected with invalid authorization + + dm.setX509CertSignerKeyId("x509-keyid-2"); + try { + zmsImpl.putDomainSystemMeta(ctx, domainName, "x509certsignerkeyid", auditRef, dm); + fail(); + } catch (ResourceException ex) { + assertEquals(ex.getCode(), 403); + assertTrue(ex.getMessage().contains("unauthorized to reset system meta attribute: x509certsignerkeyid")); + } + + // let's create the role and policy to allow this operation + + Role role1 = zmsTestInitializer.createRoleObject("sys.auth", "meta-cert-signer-keyid", null, "user.user1", + zmsTestInitializer.getAdminUser()); + zmsImpl.putRole(ctx, "sys.auth", "meta-cert-signer-keyid", auditRef, false, null, role1); + + Policy policy1 = zmsTestInitializer.createPolicyObject("sys.auth", "meta-cert-signer-keyid", + "meta-cert-signer-keyid", "delete", "sys.auth:meta.domain.x509certsignerkeyid.*", + AssertionEffect.ALLOW); + zmsImpl.putPolicy(ctx, "sys.auth", "meta-cert-signer-keyid", auditRef, false, null, policy1); + + // now our operation should succeed + + zmsImpl.putDomainSystemMeta(ctx, domainName, "x509certsignerkeyid", auditRef, dm); + + domain = zmsImpl.getDomain(ctx, domainName); + assertNotNull(domain); + assertEquals(domain.getX509CertSignerKeyId(), "x509-keyid-2"); + + // set an invalid value and verify failure + + dm = new DomainMeta().setX509CertSignerKeyId("invalid key id"); + try { + zmsImpl.putDomainSystemMeta(ctx, domainName, "x509certsignerkeyid", auditRef, dm); + fail(); + } catch (ResourceException ex) { + assertTrue(ex.getMessage().contains("Invalid CompoundName error")); + } + + // remove the x509 cert signer key id + + dm = new 
DomainMeta().setX509CertSignerKeyId(""); + zmsImpl.putDomainSystemMeta(ctx, domainName, "x509certsignerkeyid", auditRef, dm); + + domain = zmsImpl.getDomain(ctx, domainName); + assertNotNull(domain); + assertNull(domain.getX509CertSignerKeyId()); + + zmsImpl.deleteTopLevelDomain(ctx, domainName, auditRef, null); + } + + @Test + public void testPutDomainSystemMetaSshCertSignerKeyId() { + + ZMSImpl zmsImpl = zmsTestInitializer.getZms(); + RsrcCtxWrapper ctx = zmsTestInitializer.getMockDomRsrcCtx(); + final String auditRef = zmsTestInitializer.getAuditRef(); + + final String domainName = "athenz-domain-with-ssh-cert-signer-key-id"; + TopLevelDomain dom1 = zmsTestInitializer.createTopLevelDomainObject(domainName, + "Test Domain1", "testOrg", zmsTestInitializer.getAdminUser()); + zmsImpl.postTopLevelDomain(ctx, auditRef, null, dom1); + + Domain domain = zmsImpl.getDomain(ctx, domainName); + assertNotNull(domain); + assertNull(domain.getSshCertSignerKeyId()); + + // set the ssh cert signer key id + + DomainMeta dm = new DomainMeta().setSshCertSignerKeyId("ssh-keyid"); + zmsImpl.putDomainSystemMeta(ctx, domainName, "sshcertsignerkeyid", auditRef, dm); + + domain = zmsImpl.getDomain(ctx, domainName); + assertNotNull(domain); + assertEquals(domain.getSshCertSignerKeyId(), "ssh-keyid"); + + // update the ssh cert signer key id + // first we're going to be rejected with invalid authorization + + dm.setSshCertSignerKeyId("ssh-keyid-2"); + try { + zmsImpl.putDomainSystemMeta(ctx, domainName, "sshcertsignerkeyid", auditRef, dm); + fail(); + } catch (ResourceException ex) { + assertEquals(ex.getCode(), 403); + assertTrue(ex.getMessage().contains("unauthorized to reset system meta attribute: sshcertsignerkeyid")); + } + + // let's create the role and policy to allow this operation + + Role role1 = zmsTestInitializer.createRoleObject("sys.auth", "meta-cert-signer-keyid", null, "user.user1", + zmsTestInitializer.getAdminUser()); + zmsImpl.putRole(ctx, "sys.auth", 
"meta-cert-signer-keyid", auditRef, false, null, role1); + + Policy policy1 = zmsTestInitializer.createPolicyObject("sys.auth", "meta-cert-signer-keyid", + "meta-cert-signer-keyid", "delete", "sys.auth:meta.domain.sshcertsignerkeyid.*", + AssertionEffect.ALLOW); + zmsImpl.putPolicy(ctx, "sys.auth", "meta-cert-signer-keyid", auditRef, false, null, policy1); + + // now our operation should succeed + + zmsImpl.putDomainSystemMeta(ctx, domainName, "sshcertsignerkeyid", auditRef, dm); + + domain = zmsImpl.getDomain(ctx, domainName); + assertNotNull(domain); + assertEquals(domain.getSshCertSignerKeyId(), "ssh-keyid-2"); + + // set an invalid value and verify failure + + dm = new DomainMeta().setSshCertSignerKeyId("invalid key id"); + try { + zmsImpl.putDomainSystemMeta(ctx, domainName, "sshcertsignerkeyid", auditRef, dm); + fail(); + } catch (ResourceException ex) { + assertTrue(ex.getMessage().contains("Invalid CompoundName error")); + } + + // remove the ssh cert signer key id + + dm = new DomainMeta().setSshCertSignerKeyId(""); + zmsImpl.putDomainSystemMeta(ctx, domainName, "sshcertsignerkeyid", auditRef, dm); + + domain = zmsImpl.getDomain(ctx, domainName); + assertNotNull(domain); + assertNull(domain.getX509CertSignerKeyId()); + + zmsImpl.deleteTopLevelDomain(ctx, domainName, auditRef, null); + } + + @Test + public void testSubDomainSignerKeyIdInherit() { + + ZMSImpl zmsImpl = zmsTestInitializer.getZms(); + RsrcCtxWrapper ctx = zmsTestInitializer.getMockDomRsrcCtx(); + final String auditRef = zmsTestInitializer.getAuditRef(); + + final String domainName = "athenz-domain-inherit-signer-key"; + TopLevelDomain dom1 = zmsTestInitializer.createTopLevelDomainObject(domainName, + "Test Domain1", "testOrg", zmsTestInitializer.getAdminUser()); + zmsImpl.postTopLevelDomain(ctx, auditRef, null, dom1); + + // create subdomain and verify no signer key ids + + SubDomain subDom1 = zmsTestInitializer.createSubDomainObject("sub1", domainName, + "sub Domain", "testOrg", 
zmsTestInitializer.getAdminUser(), "user.user1"); + zmsImpl.postSubDomain(ctx, domainName, auditRef, null, subDom1); + + Domain domain = zmsImpl.getDomain(ctx, domainName + ".sub1"); + assertNotNull(domain); + assertNull(domain.getX509CertSignerKeyId()); + assertNull(domain.getSshCertSignerKeyId()); + + // now set the x509 and ssh cert signer key ids + + DomainMeta dm = new DomainMeta().setSshCertSignerKeyId("ssh-keyid") + .setX509CertSignerKeyId("x509-keyid"); + zmsImpl.putDomainSystemMeta(ctx, domainName, "sshcertsignerkeyid", auditRef, dm); + zmsImpl.putDomainSystemMeta(ctx, domainName, "x509certsignerkeyid", auditRef, dm); + + // create a new subdomain and verify the key ids are inherited + + SubDomain subDom2 = zmsTestInitializer.createSubDomainObject("sub2", domainName, + "sub Domain", "testOrg", zmsTestInitializer.getAdminUser(), "user.user1"); + zmsImpl.postSubDomain(ctx, domainName, auditRef, null, subDom2); + + domain = zmsImpl.getDomain(ctx, domainName + ".sub2"); + assertNotNull(domain); + assertEquals(domain.getSshCertSignerKeyId(), "ssh-keyid"); + assertEquals(domain.getX509CertSignerKeyId(), "x509-keyid"); + + // create another subdomain for the subdomain and verify the key ids are inherited + + SubDomain subDom3 = zmsTestInitializer.createSubDomainObject("sub3", domainName + ".sub2", + "sub Domain", "testOrg", zmsTestInitializer.getAdminUser(), "user.user1"); + zmsImpl.postSubDomain(ctx, domainName + ".sub2", auditRef, null, subDom3); + + domain = zmsImpl.getDomain(ctx, domainName + ".sub2.sub3"); + assertNotNull(domain); + assertEquals(domain.getSshCertSignerKeyId(), "ssh-keyid"); + assertEquals(domain.getX509CertSignerKeyId(), "x509-keyid"); + + zmsImpl.deleteSubDomain(ctx, domainName + ".sub2", "sub3", auditRef, null); + zmsImpl.deleteSubDomain(ctx, domainName, "sub2", auditRef, null); + zmsImpl.deleteSubDomain(ctx, domainName, "sub1", auditRef, null); + zmsImpl.deleteTopLevelDomain(ctx, domainName, auditRef, null); + } +} 
diff --git a/servers/zms/src/test/java/com/yahoo/athenz/zms/store/impl/jdbc/JDBCConnectionTest.java b/servers/zms/src/test/java/com/yahoo/athenz/zms/store/impl/jdbc/JDBCConnectionTest.java
index d00c23d52d2..ad49aaecd41 100644
--- a/servers/zms/src/test/java/com/yahoo/athenz/zms/store/impl/jdbc/JDBCConnectionTest.java
+++ b/servers/zms/src/test/java/com/yahoo/athenz/zms/store/impl/jdbc/JDBCConnectionTest.java
@@ -88,6 +88,8 @@ public void testGetDomain() throws Exception {
 Mockito.doReturn("abcd-1234").when(mockResultSet).getString(ZMSConsts.DB_COLUMN_PRODUCT_ID);
 Mockito.doReturn("production").when(mockResultSet).getString(ZMSConsts.DB_COLUMN_ENVIRONMENT);
 Mockito.doReturn(3).when(mockResultSet).getInt(ZMSConsts.DB_COLUMN_FEATURE_FLAGS);
+ Mockito.doReturn("x509").when(mockResultSet).getString(ZMSConsts.DB_COLUMN_X509_CERT_SIGNER_KEYID);
+ Mockito.doReturn("").when(mockResultSet).getString(ZMSConsts.DB_COLUMN_SSH_CERT_SIGNER_KEYID);
 JDBCConnection jdbcConn = new JDBCConnection(mockConn, true);
 Domain domain = jdbcConn.getDomain("my-domain");
@@ -105,6 +107,8 @@ public void testGetDomain() throws Exception {
 assertEquals(domain.getTags(), Collections.singletonMap("tag-key", new TagValueList().setList(Collections.singletonList("tag-val"))));
 assertEquals(domain.getFeatureFlags(), 3);
 assertEquals(domain.getEnvironment(), "production");
+ assertEquals(domain.getX509CertSignerKeyId(), "x509");
+ assertNull(domain.getSshCertSignerKeyId());
 jdbcConn.close();
 }
@@ -136,6 +140,8 @@ public void testGetDomainWithAuditEnabled() throws Exception {
 Mockito.doReturn("").when(mockResultSet).getString(ZMSConsts.DB_COLUMN_PRODUCT_ID);
 Mockito.doReturn("").when(mockResultSet).getString(ZMSConsts.DB_COLUMN_ENVIRONMENT);
 Mockito.doReturn(0).when(mockResultSet).getInt(ZMSConsts.DB_COLUMN_FEATURE_FLAGS);
+ Mockito.doReturn("").when(mockResultSet).getString(ZMSConsts.DB_COLUMN_X509_CERT_SIGNER_KEYID);
+ Mockito.doReturn("").when(mockResultSet).getString(ZMSConsts.DB_COLUMN_SSH_CERT_SIGNER_KEYID);
 JDBCConnection jdbcConn = new JDBCConnection(mockConn, true);
 Domain domain = jdbcConn.getDomain("my-domain");
@@ -423,6 +429,8 @@ public void testGetDomainAllFields() throws Exception {
 Mockito.doReturn("tag-val").when(mockResultSet).getString(2);
 Mockito.doReturn("abcd-1234").when(mockResultSet).getString(ZMSConsts.DB_COLUMN_PRODUCT_ID);
 Mockito.doReturn("production").when(mockResultSet).getString(ZMSConsts.DB_COLUMN_ENVIRONMENT);
+ Mockito.doReturn("x509").when(mockResultSet).getString(ZMSConsts.DB_COLUMN_X509_CERT_SIGNER_KEYID);
+ Mockito.doReturn("ssh").when(mockResultSet).getString(ZMSConsts.DB_COLUMN_SSH_CERT_SIGNER_KEYID);
 Mockito.doReturn(1).when(mockResultSet).getInt(ZMSConsts.DB_COLUMN_FEATURE_FLAGS);
 JDBCConnection jdbcConn = new JDBCConnection(mockConn, true);
@@ -439,7 +447,8 @@ public void testGetDomainAllFields() throws Exception {
 assertEquals(domain.getTags(), Collections.singletonMap("tag-key", new TagValueList().setList(Collections.singletonList("tag-val"))));
 assertEquals(domain.getFeatureFlags(), 1);
 assertEquals(domain.getEnvironment(), "production");
-
+ assertEquals(domain.getX509CertSignerKeyId(), "x509");
+ assertEquals(domain.getSshCertSignerKeyId(), "ssh");
 jdbcConn.close();
 }
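Review bot: The two stubs added to testGetDomainWithAuditEnabled return "" for both signer-key columns, but this diff adds no assertion on the resulting Domain for that test, so the stubs only stop the mock from returning null and never check that an empty column is surfaced as an absent x509 key id (testGetDomain pins the empty-to-null mapping for the ssh side only). Adding `assertNull(domain.getX509CertSignerKeyId());` and `assertNull(domain.getSshCertSignerKeyId());` next to that method's existing assertions would pin the contract for both fields; the assertion part of the method lies outside this hunk. The same stub-without-assertion pattern appears in the testListModifiedDomains and testGetAthenzDomain hunks. Because these ids decide which signing key issues a domain's certificates, having the unset mapping verified on every read path at the persistence layer is worth the extra lines.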
@@ -662,7 +671,9 @@ public void testUpdateDomain() throws Exception {
 .setGcpProjectNumber("1235")
 .setProductId("abcd-1234")
 .setFeatureFlags(3)
- .setEnvironment("production");
+ .setEnvironment("production")
+ .setSshCertSignerKeyId("ssh")
+ .setX509CertSignerKeyId("x509");
 Mockito.doReturn(1).when(mockPrepStmt).executeUpdate();
 boolean requestSuccess = jdbcConn.updateDomain(domain);
@@ -695,7 +706,9 @@ public void testUpdateDomain() throws Exception {
 Mockito.verify(mockPrepStmt, times(1)).setString(25, "production");
 Mockito.verify(mockPrepStmt, times(1)).setString(26, "tenant");
 Mockito.verify(mockPrepStmt, times(1)).setString(27, "client");
- Mockito.verify(mockPrepStmt, times(1)).setString(28, "my-domain");
+ Mockito.verify(mockPrepStmt, times(1)).setString(28, "x509");
+ Mockito.verify(mockPrepStmt, times(1)).setString(29, "ssh");
+ Mockito.verify(mockPrepStmt, times(1)).setString(30, "my-domain");
 jdbcConn.close();
 }
@@ -739,7 +752,9 @@ public void testUpdateDomainNullFields() throws Exception {
 Mockito.verify(mockPrepStmt, times(1)).setString(25, "");
 Mockito.verify(mockPrepStmt, times(1)).setString(26, "");
 Mockito.verify(mockPrepStmt, times(1)).setString(27, "");
- Mockito.verify(mockPrepStmt, times(1)).setString(28, "my-domain");
+ Mockito.verify(mockPrepStmt, times(1)).setString(28, "");
+ Mockito.verify(mockPrepStmt, times(1)).setString(29, "");
+ Mockito.verify(mockPrepStmt, times(1)).setString(30, "my-domain");
 jdbcConn.close();
 }
@@ -6469,6 +6484,8 @@ public void testListModifiedDomains() throws Exception {
 Mockito.when(mockResultSet.getString(ZMSConsts.DB_COLUMN_BUSINESS_SERVICE)).thenReturn("");
 Mockito.when(mockResultSet.getString(ZMSConsts.DB_COLUMN_PRODUCT_ID)).thenReturn("");
 Mockito.when(mockResultSet.getString(ZMSConsts.DB_COLUMN_ENVIRONMENT)).thenReturn("");
+ Mockito.when(mockResultSet.getString(ZMSConsts.DB_COLUMN_X509_CERT_SIGNER_KEYID)).thenReturn("");
+ Mockito.when(mockResultSet.getString(ZMSConsts.DB_COLUMN_SSH_CERT_SIGNER_KEYID)).thenReturn("");
 DomainMetaList list = jdbcConn.listModifiedDomains(1454358900);
@@ -6629,6 +6646,8 @@ public void testGetAthenzDomain() throws Exception {
 Mockito.when(mockResultSet.getString(ZMSConsts.DB_COLUMN_PRODUCT_ID)).thenReturn("");
 Mockito.when(mockResultSet.getString(ZMSConsts.DB_COLUMN_ENVIRONMENT)).thenReturn("");
 Mockito.when(mockResultSet.getString(ZMSConsts.DB_COLUMN_PRINCIPAL_DOMAIN_FILTER)).thenReturn("");
+ Mockito.when(mockResultSet.getString(ZMSConsts.DB_COLUMN_X509_CERT_SIGNER_KEYID)).thenReturn("");
+ Mockito.when(mockResultSet.getString(ZMSConsts.DB_COLUMN_SSH_CERT_SIGNER_KEYID)).thenReturn("");
 AthenzDomain athenzDomain = jdbcConn.getAthenzDomain("my-domain");
 assertNotNull(athenzDomain);