missing tags from policy/service requests (#2449)
Signed-off-by: Henry Avetisyan <[email protected]>
Co-authored-by: Henry Avetisyan <[email protected]>
havetisyan and havetisyan authored Dec 6, 2023
1 parent 201d1ef commit 3f551a2
Showing 2 changed files with 135 additions and 65 deletions.
109 changes: 66 additions & 43 deletions servers/zms/src/main/java/com/yahoo/athenz/zms/DBService.java
Expand Up @@ -572,6 +572,7 @@ boolean processPolicy(ObjectStoreConnection con, Policy originalPolicy, String d
if (!processPolicyTags(policy, policyName, domainName, originalPolicy, con)) {
return false;
}
auditLogTags(auditDetails, policy.getTags());

auditDetails.append('}');
return true;
Expand All @@ -582,8 +583,12 @@ private boolean processPolicyTags(Policy policy, String policyName, String domai

String policyVersion = policy.getVersion();

BiFunction<ObjectStoreConnection, Map<String, TagValueList>, Boolean> insertOp = (ObjectStoreConnection c, Map<String, TagValueList> tags) -> c.insertPolicyTags(policyName, domainName, tags, policyVersion);
BiFunction<ObjectStoreConnection, Set<String>, Boolean> deleteOp = (ObjectStoreConnection c, Set<String> tagKeys) -> c.deletePolicyTags(policyName, domainName, tagKeys, policyVersion);
BiFunction<ObjectStoreConnection, Map<String, TagValueList>, Boolean> insertOp =
(ObjectStoreConnection c, Map<String, TagValueList> tags) ->
c.insertPolicyTags(policyName, domainName, tags, policyVersion);
BiFunction<ObjectStoreConnection, Set<String>, Boolean> deleteOp =
(ObjectStoreConnection c, Set<String> tagKeys) ->
c.deletePolicyTags(policyName, domainName, tagKeys, policyVersion);

return processTags(con, policy.getTags(), (originalPolicy != null ? originalPolicy.getTags() : null) , insertOp, deleteOp);
}
Expand Down Expand Up @@ -850,8 +855,10 @@ boolean processGroup(ObjectStoreConnection con, Group originalGroup, final Strin
private boolean processGroupTags(Group group, String groupName, String domainName,
Group originalGroup, ObjectStoreConnection con) {

BiFunction<ObjectStoreConnection, Map<String, TagValueList>, Boolean> insertOp = (ObjectStoreConnection c, Map<String, TagValueList> tags) -> c.insertGroupTags(groupName, domainName, tags);
BiFunction<ObjectStoreConnection, Set<String>, Boolean> deleteOp = (ObjectStoreConnection c, Set<String> tagKeys) -> c.deleteGroupTags(groupName, domainName, tagKeys);
BiFunction<ObjectStoreConnection, Map<String, TagValueList>, Boolean> insertOp =
(ObjectStoreConnection c, Map<String, TagValueList> tags) -> c.insertGroupTags(groupName, domainName, tags);
BiFunction<ObjectStoreConnection, Set<String>, Boolean> deleteOp =
(ObjectStoreConnection c, Set<String> tagKeys) -> c.deleteGroupTags(groupName, domainName, tagKeys);

return processTags(con, group.getTags(), (originalGroup != null ? originalGroup.getTags() : null) , insertOp, deleteOp);
}
Expand Down Expand Up @@ -1178,6 +1185,7 @@ boolean processServiceIdentity(ResourceContext ctx, ObjectStoreConnection con, S
if (!processServiceIdentityTags(service, serviceName, domainName, originalService, con)) {
return false;
}
auditLogTags(auditDetails, service.getTags());

auditDetails.append('}');
return true;
Expand Down Expand Up @@ -1297,47 +1305,21 @@ public Policy executePutPolicyVersion(ResourceContext ctx, String domainName, St

// now we need process our policy assertions

List<Assertion> newAssertions = originalPolicy.getAssertions();
if (newAssertions != null) {
for (Assertion assertion : newAssertions) {

// get assertion conditions for original assertion

AssertionConditions assertionConditions = new AssertionConditions();
if (assertion.getId() != null) {
assertionConditions.setConditionsList(con.getAssertionConditions(assertion.getId()));
}

// insert assertion (and get new assertion id)

if (!con.insertAssertion(domainName, policyName, version, assertion)) {
con.rollbackChanges();
throw ZMSUtils.internalServerError("unable to put policy: " + originalPolicy.getName() +
", version: " + version + ", fail inserting assertion", caller);
}

// copy assertion conditions for new assertion id

if (assertionConditions.getConditionsList() != null && !assertionConditions.getConditionsList().isEmpty()) {
if (!con.insertAssertionConditions(assertion.getId(), assertionConditions)) {
con.rollbackChanges();
throw ZMSUtils.internalServerError("unable to put policy: " + originalPolicy.getName() +
", version: " + version + ", fail inserting assertion conditions", caller);
}
}
}
if (!processPolicyCopyAssertions(con, originalPolicy, domainName, policyName, version, auditDetails)) {
con.rollbackChanges();
throw ZMSUtils.internalServerError("unable to put policy: " + originalPolicy.getName() +
", version: " + version + ", fail copying assertions", caller);
}

// Log copied assertions and assertion conditions
// include all the tags from the original version

auditLogAssertions(auditDetails, "copied-assertions", newAssertions);
for (Assertion assertion : newAssertions) {
if (assertion.getId() != null) {
auditLogAssertionConditions(auditDetails, con.getAssertionConditions(assertion.getId()),
"copied-assertion-conditions");
}
}
if (!processPolicyTags(originalPolicy, policyName, domainName, null, con)) {
con.rollbackChanges();
throw ZMSUtils.internalServerError("unable to put policy: " + originalPolicy.getName() +
", version: " + version + ", fail copying tags", caller);
}

auditLogTags(auditDetails, originalPolicy.getTags());
auditDetails.append('}');

// update our domain time-stamp and save changes
Expand All @@ -1350,6 +1332,7 @@ public Policy executePutPolicyVersion(ResourceContext ctx, String domainName, St
policyName, auditDetails.toString());

// add domain change event

addDomainChangeMessage(ctx, domainName, policyName, DomainChangeMessage.ObjectType.POLICY);

return returnObj == Boolean.TRUE ? getPolicy(con, domainName, policyName, version) : null;
Expand All @@ -1362,6 +1345,43 @@ public Policy executePutPolicyVersion(ResourceContext ctx, String domainName, St
}
}

boolean processPolicyCopyAssertions(ObjectStoreConnection con, Policy policy, final String domainName,
final String policyName, final String version, StringBuilder auditDetails) {

List<Assertion> assertions = policy.getAssertions();
if (assertions == null) {
return true;
}

auditLogAssertions(auditDetails, "copied-assertions", assertions);
for (Assertion assertion : assertions) {

// get assertion conditions for original assertion

AssertionConditions assertionConditions = new AssertionConditions();
if (assertion.getId() != null) {
assertionConditions.setConditionsList(con.getAssertionConditions(assertion.getId()));
auditLogAssertionConditions(auditDetails, assertionConditions.getConditionsList(),
"copied-assertion-conditions");
}

// insert assertion (and get new assertion id)

if (!con.insertAssertion(domainName, policyName, version, assertion)) {
return false;
}

// copy assertion conditions for new assertion id

if (assertionConditions.getConditionsList() != null && !assertionConditions.getConditionsList().isEmpty()) {
if (!con.insertAssertionConditions(assertion.getId(), assertionConditions)) {
return false;
}
}
}
return true;
}

Policy executePutPolicy(ResourceContext ctx, String domainName, String policyName, Policy policy,
String auditRef, String caller, Boolean returnObj) {

Expand Down Expand Up @@ -6139,13 +6159,16 @@ boolean auditLogAssertionCondition(StringBuilder auditDetails, AssertionConditio
.append(", \"conditionsMap\": {");
boolean innerFirstEntry = true;
for (String key : assertionCondition.getConditionsMap().keySet()) {
innerFirstEntry = auditLogAssertionConditionData(auditDetails, assertionCondition.getConditionsMap().get(key), key, innerFirstEntry);
innerFirstEntry = auditLogAssertionConditionData(auditDetails, assertionCondition.getConditionsMap().get(key),
key, innerFirstEntry);
}
auditDetails.append("}}");
return firstEntry;
}

boolean auditLogAssertionConditionData(StringBuilder auditDetails, AssertionConditionData assertionConditionData, String conditionKey, boolean firstEntry) {
boolean auditLogAssertionConditionData(StringBuilder auditDetails, AssertionConditionData assertionConditionData,
String conditionKey, boolean firstEntry) {

firstEntry = auditLogSeparator(auditDetails, firstEntry);
auditDetails.append("\"").append(conditionKey)
.append("\": {\"operator\": \"").append(assertionConditionData.getOperator().name())
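Review bot: In `executePutPolicyVersion` the new tag copy calls `processPolicyTags(originalPolicy, policyName, domainName, null, con)`, and `processPolicyTags` keys the insert on `policy.getVersion()` rather than on the `version` argument that the assertion copy just above it receives explicitly. If `originalPolicy` still carries the source version at that point (the code that would set it is outside the hunk), the tags would be written against the source version and the new version would be created without them, while `auditLogTags(auditDetails, originalPolicy.getTags())` still records them as copied. I would either pass the target version through explicitly or state the dependency next to the call, e.g. `// originalPolicy's version must already be the new version: processPolicyTags inserts under policy.getVersion()`. The body of `executePutPolicyVersion` starts and ends outside the hunk.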