From fa30018ecb2e8aa7624c0d46343cfa1c56718a1d Mon Sep 17 00:00:00 2001 From: Henry Avetisyan Date: Tue, 21 Jan 2025 17:07:49 -0800 Subject: [PATCH] remove duplicate ResourceOwnership class form zms server (#2859) Signed-off-by: Henry Avetisyan --- libs/java/server_common/pom.xml | 2 +- .../server/util}/ResourceOwnershipTest.java | 45 +- .../java/com/yahoo/athenz/zms/ZMSImpl.java | 191 +++- .../athenz/zms/utils/ResourceOwnership.java | 825 ------------------ .../com/yahoo/athenz/zms/ZMSImplTest.java | 215 ++++- 5 files changed, 393 insertions(+), 885 deletions(-) rename {servers/zms/src/test/java/com/yahoo/athenz/zms/utils => libs/java/server_common/src/test/java/com/yahoo/athenz/common/server/util}/ResourceOwnershipTest.java (92%) delete mode 100644 servers/zms/src/main/java/com/yahoo/athenz/zms/utils/ResourceOwnership.java diff --git a/libs/java/server_common/pom.xml b/libs/java/server_common/pom.xml index aae1df2174a..c64ce8c7eff 100644 --- a/libs/java/server_common/pom.xml +++ b/libs/java/server_common/pom.xml @@ -27,7 +27,7 @@ jar - 0.9063 + 0.9159 diff --git a/servers/zms/src/test/java/com/yahoo/athenz/zms/utils/ResourceOwnershipTest.java b/libs/java/server_common/src/test/java/com/yahoo/athenz/common/server/util/ResourceOwnershipTest.java similarity index 92% rename from servers/zms/src/test/java/com/yahoo/athenz/zms/utils/ResourceOwnershipTest.java rename to libs/java/server_common/src/test/java/com/yahoo/athenz/common/server/util/ResourceOwnershipTest.java index 5f5000d1f7b..5bce3d1280c 100644 --- a/servers/zms/src/test/java/com/yahoo/athenz/zms/utils/ResourceOwnershipTest.java +++ b/libs/java/server_common/src/test/java/com/yahoo/athenz/common/server/util/ResourceOwnershipTest.java @@ -13,10 +13,12 @@ * See the License for the specific language governing permissions and * limitations under the License. */ -package com.yahoo.athenz.zms.utils; +package com.yahoo.athenz.common.server.util; +import com.yahoo.athenz.common.server.ServerResourceException; import com.yahoo.athenz.common.server.util.config.dynamic.DynamicConfigBoolean; import com.yahoo.athenz.zms.*; +import org.testng.Assert; import org.testng.annotations.Test; import static org.testng.Assert.*; @@ -141,14 +143,17 @@ public void testGetResourcePolicyOwnership() { ResourcePolicyOwnership resourceOwnership = ResourceOwnership.getResourcePolicyOwnership("object:object-owner,assertions:assertions-owner"); + assertNotNull(resourceOwnership); assertEquals(resourceOwnership.getObjectOwner(), "object-owner"); assertEquals(resourceOwnership.getAssertionsOwner(), "assertions-owner"); resourceOwnership = ResourceOwnership.getResourcePolicyOwnership("object:object-owner"); + assertNotNull(resourceOwnership); assertEquals(resourceOwnership.getObjectOwner(), "object-owner"); assertNull(resourceOwnership.getAssertionsOwner()); resourceOwnership = ResourceOwnership.getResourcePolicyOwnership("object:object-owner,unknown:test"); + assertNotNull(resourceOwnership); assertEquals(resourceOwnership.getObjectOwner(), "object-owner"); assertNull(resourceOwnership.getAssertionsOwner()); } @@ -160,16 +165,19 @@ public void testGetResourceRoleOwnership() { ResourceRoleOwnership resourceOwnership = ResourceOwnership.getResourceRoleOwnership("object:object-owner,meta:meta-owner,members:members-owner"); + assertNotNull(resourceOwnership); assertEquals(resourceOwnership.getObjectOwner(), "object-owner"); assertEquals(resourceOwnership.getMetaOwner(), "meta-owner"); assertEquals(resourceOwnership.getMembersOwner(), "members-owner"); resourceOwnership = ResourceOwnership.getResourceRoleOwnership("object:object-owner,meta:meta-owner"); + assertNotNull(resourceOwnership); assertEquals(resourceOwnership.getObjectOwner(), "object-owner"); assertEquals(resourceOwnership.getMetaOwner(), "meta-owner"); assertNull(resourceOwnership.getMembersOwner()); resourceOwnership = ResourceOwnership.getResourceRoleOwnership("object:object-owner,meta:meta-owner,unknown:test"); + assertNotNull(resourceOwnership); assertEquals(resourceOwnership.getObjectOwner(), "object-owner"); assertEquals(resourceOwnership.getMetaOwner(), "meta-owner"); assertNull(resourceOwnership.getMembersOwner()); @@ -182,16 +190,19 @@ public void testGetResourceGroupOwnership() { ResourceGroupOwnership resourceOwnership = ResourceOwnership.getResourceGroupOwnership("object:object-owner,meta:meta-owner,members:members-owner"); + assertNotNull(resourceOwnership); assertEquals(resourceOwnership.getObjectOwner(), "object-owner"); assertEquals(resourceOwnership.getMetaOwner(), "meta-owner"); assertEquals(resourceOwnership.getMembersOwner(), "members-owner"); resourceOwnership = ResourceOwnership.getResourceGroupOwnership("object:object-owner,meta:meta-owner"); + assertNotNull(resourceOwnership); assertEquals(resourceOwnership.getObjectOwner(), "object-owner"); assertEquals(resourceOwnership.getMetaOwner(), "meta-owner"); assertNull(resourceOwnership.getMembersOwner()); resourceOwnership = ResourceOwnership.getResourceGroupOwnership("object:object-owner,meta:meta-owner,unknown:test"); + assertNotNull(resourceOwnership); assertEquals(resourceOwnership.getObjectOwner(), "object-owner"); assertEquals(resourceOwnership.getMetaOwner(), "meta-owner"); assertNull(resourceOwnership.getMembersOwner()); @@ -204,14 +215,17 @@ public void testGetResourceServiceIdentityOwnership() { ResourceServiceIdentityOwnership resourceOwnership = ResourceOwnership.getResourceServiceOwnership("object:object-owner,publickeys:publickeys-owner"); + assertNotNull(resourceOwnership); assertEquals(resourceOwnership.getObjectOwner(), "object-owner"); assertEquals(resourceOwnership.getPublicKeysOwner(), "publickeys-owner"); resourceOwnership = ResourceOwnership.getResourceServiceOwnership("object:object-owner"); + assertNotNull(resourceOwnership); assertEquals(resourceOwnership.getObjectOwner(), "object-owner"); assertNull(resourceOwnership.getPublicKeysOwner()); resourceOwnership = ResourceOwnership.getResourceServiceOwnership("object:object-owner,unknown:test"); + assertNotNull(resourceOwnership); assertEquals(resourceOwnership.getObjectOwner(), "object-owner"); assertNull(resourceOwnership.getPublicKeysOwner()); } @@ -223,14 +237,17 @@ public void testGetResourceDomainOwnership() { ResourceDomainOwnership resourceOwnership = ResourceOwnership.getResourceDomainOwnership("object:object-owner,meta:meta-owner"); + assertNotNull(resourceOwnership); assertEquals(resourceOwnership.getObjectOwner(), "object-owner"); assertEquals(resourceOwnership.getMetaOwner(), "meta-owner"); resourceOwnership = ResourceOwnership.getResourceDomainOwnership("object:object-owner"); + assertNotNull(resourceOwnership); assertEquals(resourceOwnership.getObjectOwner(), "object-owner"); assertNull(resourceOwnership.getMetaOwner()); resourceOwnership = ResourceOwnership.getResourceDomainOwnership("object:object-owner,unknown:test"); + assertNotNull(resourceOwnership); assertEquals(resourceOwnership.getObjectOwner(), "object-owner"); assertNull(resourceOwnership.getMetaOwner()); } @@ -248,7 +265,7 @@ public void testOwnershipCheckFailure() { } @Test - public void testVerifyDeleteResourceObjectOwnership() { + public void testVerifyDeleteResourceObjectOwnership() throws ServerResourceException { // for all objects verify that if the object doesn't have // resource ownership or no object owner then we return right @@ -287,7 +304,7 @@ public void testSkipEnforceResourceOwnership() { } @Test - public void testVerifyRoleMembersDeleteResourceOwnership() { + public void testVerifyRoleMembersDeleteResourceOwnership() throws ServerResourceException { ResourceOwnership.verifyRoleMembersDeleteResourceOwnership(new Role(), "resourceOwner", "unit-test"); ResourceOwnership.verifyRoleMembersDeleteResourceOwnership(new Role() @@ -297,20 +314,20 @@ public void testVerifyRoleMembersDeleteResourceOwnership() { try { ResourceOwnership.verifyRoleMembersDeleteResourceOwnership(memberOwnerRole, "resourceOwner", "unit-test"); fail(); - } catch (ResourceException ex) { - assertEquals(ex.getCode(), 409); + } catch (ServerResourceException ex) { + Assert.assertEquals(ex.getCode(), 409); } Role objectOwnerRole = new Role().setResourceOwnership(new ResourceRoleOwnership().setObjectOwner("object-owner")); try { ResourceOwnership.verifyRoleMembersDeleteResourceOwnership(objectOwnerRole, "resourceOwner", "unit-test"); - } catch (ResourceException ex) { + } catch (ServerResourceException ex) { fail(); } } @Test - public void testVerifyGroupMembersDeleteResourceOwnership() { + public void testVerifyGroupMembersDeleteResourceOwnership() throws ServerResourceException { ResourceOwnership.verifyGroupMembersDeleteResourceOwnership(new Group(), "resourceOwner", "unit-test"); ResourceOwnership.verifyGroupMembersDeleteResourceOwnership(new Group() @@ -320,20 +337,20 @@ public void testVerifyGroupMembersDeleteResourceOwnership() { try { ResourceOwnership.verifyGroupMembersDeleteResourceOwnership(memberOwnerGroup, "resourceOwner", "unit-test"); fail(); - } catch (ResourceException ex) { - assertEquals(ex.getCode(), 409); + } catch (ServerResourceException ex) { + Assert.assertEquals(ex.getCode(), 409); } Group objectOwnerGroup = new Group().setResourceOwnership(new ResourceGroupOwnership().setObjectOwner("object-owner")); try { ResourceOwnership.verifyGroupMembersDeleteResourceOwnership(objectOwnerGroup, "resourceOwner", "unit-test"); - } catch (ResourceException ex) { + } catch (ServerResourceException ex) { fail(); } } @Test - public void testVerifyPolicyAssertionsDeleteResourceOwnership() { + public void testVerifyPolicyAssertionsDeleteResourceOwnership() throws ServerResourceException { ResourceOwnership.verifyPolicyAssertionsDeleteResourceOwnership(new Policy(), "resourceOwner", "unit-test"); ResourceOwnership.verifyPolicyAssertionsDeleteResourceOwnership(new Policy() @@ -343,14 +360,14 @@ public void testVerifyPolicyAssertionsDeleteResourceOwnership() { try { ResourceOwnership.verifyPolicyAssertionsDeleteResourceOwnership(assertionsOwnerPolicy, "resourceOwner", "unit-test"); fail(); - } catch (ResourceException ex) { - assertEquals(ex.getCode(), 409); + } catch (ServerResourceException ex) { + Assert.assertEquals(ex.getCode(), 409); } Policy objectOwnerPolicy = new Policy().setResourceOwnership(new ResourcePolicyOwnership().setObjectOwner("object-owner")); try { ResourceOwnership.verifyPolicyAssertionsDeleteResourceOwnership(objectOwnerPolicy, "resourceOwner", "unit-test"); - } catch (ResourceException ex) { + } catch (ServerResourceException ex) { fail(); } } diff --git a/servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSImpl.java b/servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSImpl.java index e33872095ba..12316190445 100644 --- a/servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSImpl.java +++ b/servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSImpl.java @@ -58,7 +58,6 @@ import com.yahoo.athenz.zms.provider.ServiceProviderManager; import com.yahoo.athenz.zms.purge.PurgeResourcesEnum; import com.yahoo.athenz.zms.utils.PrincipalDomainFilter; -import com.yahoo.athenz.zms.utils.ResourceOwnership; import com.yahoo.athenz.zms.utils.ZMSUtils; import com.yahoo.rdl.UUID; import com.yahoo.rdl.*; @@ -1724,7 +1723,11 @@ void deleteDomain(ResourceContext ctx, final String auditRef, final String domai // verify resource ownership to make sure we should allow this operation - ResourceOwnership.verifyDomainDeleteResourceOwnership(domain.getDomain(), resourceOwner, caller); + try { + ResourceOwnership.verifyDomainDeleteResourceOwnership(domain.getDomain(), resourceOwner, caller); + } catch (ServerResourceException ex) { + throw ZMSUtils.error(ex); + } for (Group group : domain.getGroups()) { groupMemberConsistencyCheck(domainName, group.getName(), true, caller); @@ -2351,8 +2354,12 @@ public void putDomainMeta(ResourceContext ctx, String domainName, String auditRe // is not null then it indicates that the object must be modified // with the given resource ownership details - ResourceDomainOwnership resourceOwnership = ResourceOwnership.verifyDomainMetaResourceOwnership(domain, - resourceOwner, caller); + ResourceDomainOwnership resourceOwnership; + try { + resourceOwnership = ResourceOwnership.verifyDomainMetaResourceOwnership(domain, resourceOwner, caller); + } catch (ServerResourceException ex) { + throw ZMSUtils.error(ex); + } // if any of our meta values has changed we need to validate // them against the meta store @@ -4286,8 +4293,13 @@ public Response putRole(ResourceContext ctx, String domainName, String roleName, // is not null then it indicates that the object must be modified // with the given resource ownership details - ResourceRoleOwnership resourceOwnership = ResourceOwnership.verifyRoleResourceOwnership( - originalRole, !ZMSUtils.isCollectionEmpty(role.getRoleMembers()), resourceOwner, caller); + ResourceRoleOwnership resourceOwnership; + try { + resourceOwnership = ResourceOwnership.verifyRoleResourceOwnership(originalRole, + !ZMSUtils.isCollectionEmpty(role.getRoleMembers()), resourceOwner, caller); + } catch (ServerResourceException ex) { + throw ZMSUtils.error(ex); + } // validate role and trust settings are as expected @@ -4782,7 +4794,11 @@ public void deleteRole(ResourceContext ctx, String domainName, String roleName, throw ZMSUtils.notFoundError("Role does not exist", caller); } - ResourceOwnership.verifyRoleDeleteResourceOwnership(role, resourceOwner, caller); + try { + ResourceOwnership.verifyRoleDeleteResourceOwnership(role, resourceOwner, caller); + } catch (ServerResourceException ex) { + throw ZMSUtils.error(ex); + } dbService.executeDeleteRole(ctx, domainName, roleName, auditRef, caller); } @@ -4998,8 +5014,12 @@ public Response putMembership(ResourceContext ctx, String domainName, String rol // is not null then it indicates that the object must be modified // with the given resource ownership details - ResourceRoleOwnership resourceOwnership = ResourceOwnership.verifyRoleMembersResourceOwnership( - role, resourceOwner, caller); + ResourceRoleOwnership resourceOwnership; + try { + resourceOwnership = ResourceOwnership.verifyRoleMembersResourceOwnership(role, resourceOwner, caller); + } catch (ServerResourceException ex) { + throw ZMSUtils.error(ex); + } // create and normalize the role member object @@ -5341,7 +5361,11 @@ public void deleteMembership(ResourceContext ctx, String domainName, String role } } - ResourceOwnership.verifyRoleMembersDeleteResourceOwnership(role, resourceOwner, caller); + try { + ResourceOwnership.verifyRoleMembersDeleteResourceOwnership(role, resourceOwner, caller); + } catch (ServerResourceException ex) { + throw ZMSUtils.error(ex); + } dbService.executeDeleteMembership(ctx, domainName, roleName, normalizedMember, auditRef, caller); } @@ -5714,7 +5738,11 @@ public void deletePolicyVersion(ResourceContext ctx, String domainName, String p throw ZMSUtils.notFoundError("Policy does not exist", caller); } - ResourceOwnership.verifyPolicyDeleteResourceOwnership(policy, resourceOwner, caller); + try { + ResourceOwnership.verifyPolicyDeleteResourceOwnership(policy, resourceOwner, caller); + } catch (ServerResourceException ex) { + throw ZMSUtils.error(ex); + } dbService.executeDeletePolicyVersion(ctx, domainName, policyName, version, auditRef, caller); } @@ -5922,8 +5950,12 @@ public Assertion putAssertion(ResourceContext ctx, String domainName, String pol // is not null then it indicates that the object must be modified // with the given resource ownership details - ResourcePolicyOwnership resourceOwnership = ResourceOwnership.verifyPolicyAssertionsResourceOwnership( - dbPolicy, resourceOwner, caller); + ResourcePolicyOwnership resourceOwnership; + try { + resourceOwnership = ResourceOwnership.verifyPolicyAssertionsResourceOwnership(dbPolicy, resourceOwner, caller); + } catch (ServerResourceException ex) { + throw ZMSUtils.error(ex); + } dbService.executePutAssertion(ctx, domainName, policyName, null, assertion, auditRef, caller); @@ -5986,8 +6018,12 @@ public Assertion putAssertionPolicyVersion(ResourceContext ctx, String domainNam // is not null then it indicates that the object must be modified // with the given resource ownership details - ResourcePolicyOwnership resourceOwnership = ResourceOwnership.verifyPolicyAssertionsResourceOwnership( - dbPolicy, resourceOwner, caller); + ResourcePolicyOwnership resourceOwnership; + try { + resourceOwnership = ResourceOwnership.verifyPolicyAssertionsResourceOwnership(dbPolicy, resourceOwner, caller); + } catch (ServerResourceException ex) { + throw ZMSUtils.error(ex); + } // validate to make sure we have expected values for assertion fields // - and also to make sure that the associated role exists @@ -6056,7 +6092,11 @@ public void deleteAssertion(ResourceContext ctx, String domainName, String polic throw ZMSUtils.notFoundError("Invalid policy name specified", caller); } - ResourceOwnership.verifyPolicyAssertionsDeleteResourceOwnership(policy, resourceOwner, caller); + try { + ResourceOwnership.verifyPolicyAssertionsDeleteResourceOwnership(policy, resourceOwner, caller); + } catch (ServerResourceException ex) { + throw ZMSUtils.error(ex); + } dbService.executeDeleteAssertion(ctx, domainName, policyName, null, assertionId, auditRef, caller); } @@ -6232,8 +6272,13 @@ public Response putPolicy(ResourceContext ctx, String domainName, String policyN // with the given resource ownership details Policy originalPolicy = dbService.getPolicy(domainName, policyName, policy.getVersion()); - ResourcePolicyOwnership resourceOwnership = ResourceOwnership.verifyPolicyResourceOwnership( - originalPolicy, !ZMSUtils.isCollectionEmpty(policy.getAssertions()), resourceOwner, caller); + ResourcePolicyOwnership resourceOwnership; + try { + resourceOwnership = ResourceOwnership.verifyPolicyResourceOwnership(originalPolicy, + !ZMSUtils.isCollectionEmpty(policy.getAssertions()), resourceOwner, caller); + } catch (ServerResourceException ex) { + throw ZMSUtils.error(ex); + } Policy dbPolicy = dbService.executePutPolicy(ctx, domainName, policyName, policy, originalPolicy, auditRef, caller, returnObj); @@ -6307,7 +6352,11 @@ public void deletePolicy(ResourceContext ctx, String domainName, String policyNa throw ZMSUtils.notFoundError("Policy does not exist", caller); } - ResourceOwnership.verifyPolicyDeleteResourceOwnership(policy, resourceOwner, caller); + try { + ResourceOwnership.verifyPolicyDeleteResourceOwnership(policy, resourceOwner, caller); + } catch (ServerResourceException ex) { + throw ZMSUtils.error(ex); + } dbService.executeDeletePolicy(ctx, domainName, policyName, auditRef, caller); } @@ -6664,9 +6713,14 @@ public Response putServiceIdentity(ResourceContext ctx, String domainName, Strin ServiceIdentity originalService = dbService.getServiceIdentity(domainName, serviceName, false); - ResourceServiceIdentityOwnership resourceOwnership = ResourceOwnership.verifyServiceResourceOwnership( - originalService, !ZMSUtils.isCollectionEmpty(service.getPublicKeys()), - !ZMSUtils.isCollectionEmpty(service.getHosts()), resourceOwner, caller); + ResourceServiceIdentityOwnership resourceOwnership; + try { + resourceOwnership = ResourceOwnership.verifyServiceResourceOwnership(originalService, + !ZMSUtils.isCollectionEmpty(service.getPublicKeys()), + !ZMSUtils.isCollectionEmpty(service.getHosts()), resourceOwner, caller); + } catch (ServerResourceException ex) { + throw ZMSUtils.error(ex); + } ServiceIdentity dbServiceIdentity = dbService.executePutServiceIdentity(ctx, domainName, serviceName, service, originalService, auditRef, caller, returnObj); @@ -6827,7 +6881,11 @@ public void deleteServiceIdentity(ResourceContext ctx, String domainName, String throw ZMSUtils.notFoundError("Service does not exist", caller); } - ResourceOwnership.verifyServiceDeleteResourceOwnership(service, resourceOwner, caller); + try { + ResourceOwnership.verifyServiceDeleteResourceOwnership(service, resourceOwner, caller); + } catch (ServerResourceException ex) { + throw ZMSUtils.error(ex); + } dbService.executeDeleteServiceIdentity(ctx, domainName, serviceName, auditRef, caller); } @@ -7046,8 +7104,12 @@ public void putPublicKeyEntry(ResourceContext ctx, String domainName, String ser // is not null then it indicates that the object must be modified // with the given resource ownership details - ResourceServiceIdentityOwnership resourceOwnership = - ResourceOwnership.verifyServicePublicKeysResourceOwnership(service, resourceOwner, caller); + ResourceServiceIdentityOwnership resourceOwnership; + try { + resourceOwnership = ResourceOwnership.verifyServicePublicKeysResourceOwnership(service, resourceOwner, caller); + } catch (ServerResourceException ex) { + throw ZMSUtils.error(ex); + } dbService.executePutPublicKeyEntry(ctx, domainName, serviceName, keyEntry, auditRef, caller); @@ -10022,8 +10084,12 @@ public void putRoleMeta(ResourceContext ctx, String domainName, String roleName, // is not null then it indicates that the object must be modified // with the given resource ownership details - ResourceRoleOwnership resourceOwnership = ResourceOwnership.verifyRoleMetaResourceOwnership( - role, resourceOwner, caller); + ResourceRoleOwnership resourceOwnership; + try { + resourceOwnership = ResourceOwnership.verifyRoleMetaResourceOwnership(role, resourceOwner, caller); + } catch (ServerResourceException ex) { + throw ZMSUtils.error(ex); + } // we need to validate that if the role contains groups then the // group members must have the same filters otherwise we will not @@ -10621,8 +10687,12 @@ public Response putRoleReview(ResourceContext ctx, String domainName, String rol // is not null then it indicates that the object must be modified // with the given resource ownership details - ResourceRoleOwnership resourceOwnership = ResourceOwnership.verifyRoleMembersResourceOwnership( - dbRole, resourceOwner, caller); + ResourceRoleOwnership resourceOwnership; + try { + resourceOwnership = ResourceOwnership.verifyRoleMembersResourceOwnership(dbRole, resourceOwner, caller); + } catch (ServerResourceException ex) { + throw ZMSUtils.error(ex); + } // normalize and remove duplicate members @@ -10951,8 +11021,13 @@ public Response putGroup(ResourceContext ctx, String domainName, String groupNam // is not null then it indicates that the object must be modified // with the given resource ownership details - ResourceGroupOwnership resourceOwnership = ResourceOwnership.verifyGroupResourceOwnership( - originalGroup, !ZMSUtils.isCollectionEmpty(group.getGroupMembers()), resourceOwner, caller); + ResourceGroupOwnership resourceOwnership; + try { + resourceOwnership = ResourceOwnership.verifyGroupResourceOwnership(originalGroup, + !ZMSUtils.isCollectionEmpty(group.getGroupMembers()), resourceOwner, caller); + } catch (ServerResourceException ex) { + throw ZMSUtils.error(ex); + } // normalize and remove duplicate members @@ -11118,7 +11193,11 @@ public void deleteGroup(ResourceContext ctx, String domainName, String groupName throw ZMSUtils.notFoundError("Group does not exist", caller); } - ResourceOwnership.verifyGroupDeleteResourceOwnership(group, resourceOwner, caller); + try { + ResourceOwnership.verifyGroupDeleteResourceOwnership(group, resourceOwner, caller); + } catch (ServerResourceException ex) { + throw ZMSUtils.error(ex); + } // everything is ok, so we should go ahead and delete the group @@ -11376,8 +11455,12 @@ public Response putGroupMembership(ResourceContext ctx, String domainName, Strin // is not null then it indicates that the object must be modified // with the given resource ownership details - ResourceGroupOwnership resourceOwnership = ResourceOwnership.verifyGroupMembersResourceOwnership( - group, resourceOwner, caller); + ResourceGroupOwnership resourceOwnership; + try { + resourceOwnership = ResourceOwnership.verifyGroupMembersResourceOwnership(group, resourceOwner, caller); + } catch (ServerResourceException ex) { + throw ZMSUtils.error(ex); + } // create and normalize the role member object @@ -11476,7 +11559,11 @@ public void deleteGroupMembership(ResourceContext ctx, String domainName, String throw ZMSUtils.forbiddenError("deleteGroupMembership: principal is not authorized to delete members", caller); } - ResourceOwnership.verifyGroupMembersDeleteResourceOwnership(group, resourceOwner, caller); + try { + ResourceOwnership.verifyGroupMembersDeleteResourceOwnership(group, resourceOwner, caller); + } catch (ServerResourceException ex) { + throw ZMSUtils.error(ex); + } dbService.executeDeleteGroupMembership(ctx, domainName, groupName, normalizedMember, auditRef); } @@ -11673,8 +11760,12 @@ public void putGroupMeta(ResourceContext ctx, String domainName, String groupNam // is not null then it indicates that the object must be modified // with the given resource ownership details - ResourceGroupOwnership resourceOwnership = ResourceOwnership.verifyGroupMetaResourceOwnership( - group, resourceOwner, caller); + ResourceGroupOwnership resourceOwnership; + try { + resourceOwnership = ResourceOwnership.verifyGroupMetaResourceOwnership(group, resourceOwner, caller); + } catch (ServerResourceException ex) { + throw ZMSUtils.error(ex); + } dbService.executePutGroupMeta(ctx, domainName, groupName, group, meta, auditRef); @@ -11859,8 +11950,12 @@ public Response putGroupReview(ResourceContext ctx, String domainName, String gr // is not null then it indicates that the object must be modified // with the given resource ownership details - ResourceGroupOwnership resourceOwnership = ResourceOwnership.verifyGroupMembersResourceOwnership( - dbGroup, resourceOwner, caller); + ResourceGroupOwnership resourceOwnership; + try { + resourceOwnership = ResourceOwnership.verifyGroupMembersResourceOwnership(dbGroup, resourceOwner, caller); + } catch (ServerResourceException ex) { + throw ZMSUtils.error(ex); + } // normalize and remove duplicate members @@ -12025,8 +12120,13 @@ public AssertionConditions putAssertionConditions(ResourceContext ctx, String do // is not null then it indicates that the object must be modified // with the given resource ownership details - ResourcePolicyOwnership resourceOwnership = dbPolicy == null ? null : - ResourceOwnership.verifyPolicyAssertionsResourceOwnership(dbPolicy, resourceOwner, caller); + ResourcePolicyOwnership resourceOwnership; + try { + resourceOwnership = dbPolicy == null ? null : + ResourceOwnership.verifyPolicyAssertionsResourceOwnership(dbPolicy, resourceOwner, caller); + } catch (ServerResourceException ex) { + throw ZMSUtils.error(ex); + } dbService.executePutAssertionConditions(ctx, domainName, policyName, assertionId, assertionConditions, auditRef, caller); @@ -12088,8 +12188,13 @@ public AssertionCondition putAssertionCondition(ResourceContext ctx, String doma // is not null then it indicates that the object must be modified // with the given resource ownership details - ResourcePolicyOwnership resourceOwnership = dbPolicy == null ? null : - ResourceOwnership.verifyPolicyAssertionsResourceOwnership(dbPolicy, resourceOwner, caller); + ResourcePolicyOwnership resourceOwnership; + try { + resourceOwnership = dbPolicy == null ? null : + ResourceOwnership.verifyPolicyAssertionsResourceOwnership(dbPolicy, resourceOwner, caller); + } catch (ServerResourceException ex) { + throw ZMSUtils.error(ex); + } dbService.executePutAssertionCondition(ctx, domainName, policyName, assertionId, assertionCondition, auditRef, caller); diff --git a/servers/zms/src/main/java/com/yahoo/athenz/zms/utils/ResourceOwnership.java b/servers/zms/src/main/java/com/yahoo/athenz/zms/utils/ResourceOwnership.java deleted file mode 100644 index 5358c310e94..00000000000 --- a/servers/zms/src/main/java/com/yahoo/athenz/zms/utils/ResourceOwnership.java +++ /dev/null @@ -1,825 +0,0 @@ -/* - * Copyright The Athenz Authors - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package com.yahoo.athenz.zms.utils; - -import com.yahoo.athenz.common.server.util.config.dynamic.DynamicConfigBoolean; -import com.yahoo.athenz.zms.*; -import org.eclipse.jetty.util.StringUtil; - -import static com.yahoo.athenz.common.server.util.config.ConfigManagerSingleton.CONFIG_MANAGER; - -public class ResourceOwnership { - - public static final String RESOURCE_OWNER_IGNORE = - System.getProperty(ZMSConsts.ZMS_PROP_RESOURCE_OWNER_IGNORE_VALUE, "ignore"); - - protected static DynamicConfigBoolean ENFORCE_RESOURCE_OWNERSHIP = new DynamicConfigBoolean(CONFIG_MANAGER, - ZMSConsts.ZMS_PROP_ENFORCE_RESOURCE_OWNERSHIP, Boolean.TRUE); - - static void addResourceOwnerComp(final String compName, final String compValue, StringBuilder resourceOwner) { - if (StringUtil.isEmpty(compValue)) { - return; - } - if (resourceOwner.length() > 0) { - resourceOwner.append(","); - } - resourceOwner.append(compName).append(":").append(compValue); - } - - public static String generateResourceOwnerString(ResourceDomainOwnership resourceOwner) { - StringBuilder resourceOwnerString = new StringBuilder(); - addResourceOwnerComp("object", resourceOwner.getObjectOwner(), resourceOwnerString); - addResourceOwnerComp("meta", resourceOwner.getMetaOwner(), resourceOwnerString); - return resourceOwnerString.toString(); - } - - public static String generateResourceOwnerString(ResourceServiceIdentityOwnership resourceOwner) { - StringBuilder resourceOwnerString = new StringBuilder(); - addResourceOwnerComp("object", resourceOwner.getObjectOwner(), resourceOwnerString); - addResourceOwnerComp("publickeys", resourceOwner.getPublicKeysOwner(), resourceOwnerString); - addResourceOwnerComp("hosts", resourceOwner.getHostsOwner(), resourceOwnerString); - return resourceOwnerString.toString(); - } - - public static String generateResourceOwnerString(ResourcePolicyOwnership resourceOwner) { - StringBuilder resourceOwnerString = new StringBuilder(); - addResourceOwnerComp("object", resourceOwner.getObjectOwner(), resourceOwnerString); - addResourceOwnerComp("assertions", resourceOwner.getAssertionsOwner(), resourceOwnerString); - return resourceOwnerString.toString(); - } - - public static String generateResourceOwnerString(ResourceGroupOwnership resourceOwner) { - StringBuilder resourceOwnerString = new StringBuilder(); - addResourceOwnerComp("object", resourceOwner.getObjectOwner(), resourceOwnerString); - addResourceOwnerComp("meta", resourceOwner.getMetaOwner(), resourceOwnerString); - addResourceOwnerComp("members", resourceOwner.getMembersOwner(), resourceOwnerString); - return resourceOwnerString.toString(); - } - - public static String generateResourceOwnerString(ResourceRoleOwnership resourceOwner) { - StringBuilder resourceOwnerString = new StringBuilder(); - addResourceOwnerComp("object", resourceOwner.getObjectOwner(), resourceOwnerString); - addResourceOwnerComp("meta", resourceOwner.getMetaOwner(), resourceOwnerString); - addResourceOwnerComp("members", resourceOwner.getMembersOwner(), resourceOwnerString); - return resourceOwnerString.toString(); - } - - public static ResourceRoleOwnership getResourceRoleOwnership(final String resourceOwner) { - if (StringUtil.isEmpty(resourceOwner)) { - return null; - } - ResourceRoleOwnership resourceOwnership = new ResourceRoleOwnership(); - for (String item : resourceOwner.split(",")) { - if (item.startsWith("object:")) { - resourceOwnership.setObjectOwner(item.substring(7)); - } else if (item.startsWith("meta:")) { - resourceOwnership.setMetaOwner(item.substring(5)); - } else if (item.startsWith("members:")) { - resourceOwnership.setMembersOwner(item.substring(8)); - } - } - return resourceOwnership; - } - - public static ResourceGroupOwnership getResourceGroupOwnership(final String resourceOwner) { - if (StringUtil.isEmpty(resourceOwner)) { - return null; - } - ResourceGroupOwnership resourceOwnership = new ResourceGroupOwnership(); - for (String item : resourceOwner.split(",")) { - if (item.startsWith("object:")) { - resourceOwnership.setObjectOwner(item.substring(7)); - } else if (item.startsWith("meta:")) { - resourceOwnership.setMetaOwner(item.substring(5)); - } else if (item.startsWith("members:")) { - resourceOwnership.setMembersOwner(item.substring(8)); - } - } - return resourceOwnership; - } - - public static ResourcePolicyOwnership getResourcePolicyOwnership(final String resourceOwner) { - if (StringUtil.isEmpty(resourceOwner)) { - return null; - } - ResourcePolicyOwnership resourceOwnership = new ResourcePolicyOwnership(); - for (String item : resourceOwner.split(",")) { - if (item.startsWith("object:")) { - resourceOwnership.setObjectOwner(item.substring(7)); - } else if (item.startsWith("assertions:")) { - resourceOwnership.setAssertionsOwner(item.substring(11)); - } - } - return resourceOwnership; - } - - public static ResourceServiceIdentityOwnership getResourceServiceOwnership(final String resourceOwner) { - if (StringUtil.isEmpty(resourceOwner)) { - return null; - } - ResourceServiceIdentityOwnership resourceOwnership = new ResourceServiceIdentityOwnership(); - for (String item : resourceOwner.split(",")) { - if (item.startsWith("object:")) { - resourceOwnership.setObjectOwner(item.substring(7)); - } else if (item.startsWith("publickeys:")) { - resourceOwnership.setPublicKeysOwner(item.substring(11)); - } else if (item.startsWith("hosts:")) { - resourceOwnership.setHostsOwner(item.substring(6)); - } - } - return resourceOwnership; - } - - public static ResourceDomainOwnership getResourceDomainOwnership(final String resourceOwner) { - if (StringUtil.isEmpty(resourceOwner)) { - return null; - } - ResourceDomainOwnership resourceOwnership = new ResourceDomainOwnership(); - for (String item : resourceOwner.split(",")) { - if (item.startsWith("object:")) { - resourceOwnership.setObjectOwner(item.substring(7)); - } else if (item.startsWith("meta:")) { - resourceOwnership.setMetaOwner(item.substring(5)); - } - } - return resourceOwnership; - } - - public static void verifyDomainDeleteResourceOwnership(Domain domain, final String resourceOwner, - final String caller) { - - // if the object has no owner then we're good for the enforcement check - - ResourceDomainOwnership resourceOwnership = domain.getResourceOwnership(); - if (resourceOwnership == null || resourceOwnership.getObjectOwner() == null) { - return; - } - - verifyDeleteResourceOwnership(resourceOwner, resourceOwnership.getObjectOwner(), caller); - } - - public static ResourceDomainOwnership verifyDomainMetaResourceOwnership(Domain domain, final String resourceOwner, - final String caller) { - - // first check if we're explicitly asked to ignore the check - // by either using the ignore value or the feature being disabled - - if (skipEnforceResourceOwnership(resourceOwner)) { - return null; - } - - boolean bOwnerSpecified = !StringUtil.isEmpty(resourceOwner); - ResourceDomainOwnership requestOwnership = bOwnerSpecified ? - new ResourceDomainOwnership().setMetaOwner(resourceOwner) : null; - - // if the object has no owner then we're good for the enforcement - // part, but we need to return the request ownership object (in case - // it was specified) so the resource is updated accordingly - - ResourceDomainOwnership resourceOwnership = domain.getResourceOwnership(); - if (resourceOwnership == null) { - return requestOwnership; - } - - final String metaOwner = resourceOwnership.getMetaOwner(); - if (!bOwnerSpecified && StringUtil.isEmpty(metaOwner)) { - // if both values are not present then no changes are necessary - return null; - } else if (!bOwnerSpecified) { - // if the object has meta owner then we reject the request - throw ZMSUtils.conflictError("Domain has a resource owner: " + metaOwner, caller); - } else if (StringUtil.isEmpty(metaOwner)) { - // if the object has no meta owner then we need to set it - requestOwnership.setObjectOwner(resourceOwnership.getObjectOwner()); - return requestOwnership; - } else if (!resourceOwner.equalsIgnoreCase(metaOwner)) { - throw ZMSUtils.conflictError("Invalid resource owner for domain: " + domain.getName() - + ", " + metaOwner + " vs. " + resourceOwner, caller); - } else { - // no changes needed - return null; - } - } - - public static ResourceRoleOwnership verifyRoleResourceOwnership(Role role, boolean roleMembersPresent, - final String resourceOwner, final String caller) { - - // first check if we're explicitly asked to ignore the check - // by either using the ignore value or the feature being disabled - - if (skipEnforceResourceOwnership(resourceOwner)) { - return null; - } - - boolean bOwnerSpecified = !StringUtil.isEmpty(resourceOwner); - ResourceRoleOwnership requestOwnership = bOwnerSpecified ? - new ResourceRoleOwnership().setObjectOwner(resourceOwner).setMetaOwner(resourceOwner) - .setMembersOwner(resourceOwner) : null; - - // if the original object is null then we need to update ownership - // set accordingly - if the roleMembersPresent is false, we won't set - // membership ownership since it's not present in the original object - - if (role == null || role.getResourceOwnership() == null) { - if (!bOwnerSpecified) { - return null; - } - if (!roleMembersPresent) { - requestOwnership.setMembersOwner(null); - } - return requestOwnership; - } - - // we need to verify all components in the resource ownership - - ResourceRoleOwnership resourceOwnership = role.getResourceOwnership(); - boolean bUpdateRequired = false; - if (resourceOwnership.getObjectOwner() == null) { - bUpdateRequired = true; - } else if (ownershipCheckFailure(bOwnerSpecified, resourceOwner, resourceOwnership.getObjectOwner())) { - throw ZMSUtils.conflictError("Invalid resource owner for role: " + role.getName() - + ", " + resourceOwnership.getObjectOwner() + " vs. " + resourceOwner, caller); - } - - if (resourceOwnership.getMembersOwner() == null) { - bUpdateRequired = true; - } else if (ownershipCheckFailure(bOwnerSpecified, resourceOwner, resourceOwnership.getMembersOwner())) { - throw ZMSUtils.conflictError("Invalid members owner for role: " + role.getName() - + ", " + resourceOwnership.getMembersOwner() + " vs. " + resourceOwner, caller); - } - - if (resourceOwnership.getMetaOwner() == null) { - bUpdateRequired = true; - } else if (ownershipCheckFailure(bOwnerSpecified, resourceOwner, resourceOwnership.getMetaOwner())) { - throw ZMSUtils.conflictError("Invalid meta owner for role: " + role.getName() - + ", " + resourceOwnership.getMetaOwner() + " vs. " + resourceOwner, caller); - } - - return bUpdateRequired ? requestOwnership : null; - } - - public static void verifyRoleDeleteResourceOwnership(Role role, final String resourceOwner, - final String caller) { - - // if the object has no owner then we're good for the enforcement check - - ResourceRoleOwnership resourceOwnership = role.getResourceOwnership(); - if (resourceOwnership == null || resourceOwnership.getObjectOwner() == null) { - return; - } - - verifyDeleteResourceOwnership(resourceOwner, resourceOwnership.getObjectOwner(), caller); - } - - public static void verifyRoleMembersDeleteResourceOwnership(Role role, final String resourceOwner, - final String caller) { - - // if the role member has no owner then we're good for the enforcement check - ResourceRoleOwnership resourceOwnership = role.getResourceOwnership(); - if (resourceOwnership == null || resourceOwnership.getMembersOwner() == null) { - return; - } - - verifyDeleteResourceOwnership(resourceOwner, resourceOwnership.getMembersOwner(), caller); - } - - public static ResourceRoleOwnership verifyRoleMetaResourceOwnership(Role role, final String resourceOwner, - final String caller) { - - // first check if we're explicitly asked to ignore the check - // by either using the ignore value or the feature being disabled - - if (skipEnforceResourceOwnership(resourceOwner)) { - return null; - } - - boolean bOwnerSpecified = !StringUtil.isEmpty(resourceOwner); - ResourceRoleOwnership requestOwnership = bOwnerSpecified ? - new ResourceRoleOwnership().setMetaOwner(resourceOwner) : null; - - // if the object has no owner then we're good for the enforcement - // part, but we need to return the request ownership object (in case - // it was specified) so the resource is updated accordingly - - ResourceRoleOwnership resourceOwnership = role.getResourceOwnership(); - if (resourceOwnership == null) { - return requestOwnership; - } - - final String metaOwner = resourceOwnership.getMetaOwner(); - if (!bOwnerSpecified && StringUtil.isEmpty(metaOwner)) { - // if both values are not present then no changes are necessary - return null; - } else if (!bOwnerSpecified) { - // if the object has meta owner then we reject the request - throw ZMSUtils.conflictError("Role has a resource owner: " + metaOwner, caller); - } else if (StringUtil.isEmpty(metaOwner)) { - // if the object has no meta owner then we need to set it - requestOwnership.setObjectOwner(resourceOwnership.getObjectOwner()); - requestOwnership.setMembersOwner(resourceOwnership.getMembersOwner()); - return requestOwnership; - } else if (!resourceOwner.equalsIgnoreCase(metaOwner)) { - throw ZMSUtils.conflictError("Invalid resource meta owner for role: " + role.getName() - + ", " + metaOwner + " vs. " + resourceOwner, caller); - } else { - // no changes needed - return null; - } - } - - public static ResourceRoleOwnership verifyRoleMembersResourceOwnership(Role role, final String resourceOwner, - final String caller) { - - // first check if we're explicitly asked to ignore the check - // by either using the ignore value or the feature being disabled - - if (skipEnforceResourceOwnership(resourceOwner)) { - return null; - } - - boolean bOwnerSpecified = !StringUtil.isEmpty(resourceOwner); - ResourceRoleOwnership requestOwnership = bOwnerSpecified ? - new ResourceRoleOwnership().setMembersOwner(resourceOwner) : null; - - // if the object has no owner then we're good for the enforcement - // part, but we need to return the request ownership object (in case - // it was specified) so the resource is updated accordingly - - ResourceRoleOwnership resourceOwnership = role.getResourceOwnership(); - if (resourceOwnership == null) { - return requestOwnership; - } - - final String membersOwner = resourceOwnership.getMembersOwner(); - if (!bOwnerSpecified && StringUtil.isEmpty(membersOwner)) { - // if both values are not present then no changes are necessary - return null; - } else if (!bOwnerSpecified) { - // if the object has members owner then we reject the request - throw ZMSUtils.conflictError("Role has a resource owner: " + membersOwner, caller); - } else if (StringUtil.isEmpty(membersOwner)) { - // if the object has no members owner then we need to set it - requestOwnership.setObjectOwner(resourceOwnership.getObjectOwner()); - requestOwnership.setMetaOwner(resourceOwnership.getMetaOwner()); - return requestOwnership; - } else if (!resourceOwner.equalsIgnoreCase(membersOwner)) { - throw ZMSUtils.conflictError("Invalid resource member owner for role: " + role.getName() - + ", " + membersOwner + " vs. " + resourceOwner, caller); - } else { - // no changes needed - return null; - } - } - - public static ResourceGroupOwnership verifyGroupResourceOwnership(Group group, boolean groupMembersPresent, - final String resourceOwner, final String caller) { - - // first check if we're explicitly asked to ignore the check - // by either using the ignore value or the feature being disabled - - if (skipEnforceResourceOwnership(resourceOwner)) { - return null; - } - - boolean bOwnerSpecified = !StringUtil.isEmpty(resourceOwner); - ResourceGroupOwnership requestOwnership = bOwnerSpecified ? - new ResourceGroupOwnership().setObjectOwner(resourceOwner).setMetaOwner(resourceOwner) - .setMembersOwner(resourceOwner) : null; - - // if the original object is null then we need to update ownership - // set accordingly - if the groupMembersPresent is false, we won't set - // membership ownership since it's not present in the original object - - if (group == null || group.getResourceOwnership() == null) { - if (!bOwnerSpecified) { - return null; - } - if (!groupMembersPresent) { - requestOwnership.setMembersOwner(null); - } - return requestOwnership; - } - - // we need to verify all components in the resource ownership - - ResourceGroupOwnership resourceOwnership = group.getResourceOwnership(); - boolean bUpdateRequired = false; - if (resourceOwnership.getObjectOwner() == null) { - bUpdateRequired = true; - } else if (ownershipCheckFailure(bOwnerSpecified, resourceOwner, resourceOwnership.getObjectOwner())) { - throw ZMSUtils.conflictError("Invalid resource owner for group: " + group.getName() - + ", " + resourceOwnership.getObjectOwner() + " vs. " + resourceOwner, caller); - } - - if (resourceOwnership.getMembersOwner() == null) { - bUpdateRequired = true; - } else if (ownershipCheckFailure(bOwnerSpecified, resourceOwner, resourceOwnership.getMembersOwner())) { - throw ZMSUtils.conflictError("Invalid members owner for group: " + group.getName() - + ", " + resourceOwnership.getMembersOwner() + " vs. " + resourceOwner, caller); - } - - if (resourceOwnership.getMetaOwner() == null) { - bUpdateRequired = true; - } else if (ownershipCheckFailure(bOwnerSpecified, resourceOwner, resourceOwnership.getMetaOwner())) { - throw ZMSUtils.conflictError("Invalid meta owner for group: " + group.getName() - + ", " + resourceOwnership.getMetaOwner() + " vs. " + resourceOwner, caller); - } - - return bUpdateRequired ? requestOwnership : null; - } - - public static void verifyGroupDeleteResourceOwnership(Group group, final String resourceOwner, - final String caller) { - - // if the object has no owner then we're good for the enforcement check - - ResourceGroupOwnership resourceOwnership = group.getResourceOwnership(); - if (resourceOwnership == null || resourceOwnership.getObjectOwner() == null) { - return; - } - - verifyDeleteResourceOwnership(resourceOwner, resourceOwnership.getObjectOwner(), caller); - } - - public static ResourceGroupOwnership verifyGroupMetaResourceOwnership(Group group, final String resourceOwner, - final String caller) { - - // first check if we're explicitly asked to ignore the check - // by either using the ignore value or the feature being disabled - - if (skipEnforceResourceOwnership(resourceOwner)) { - return null; - } - - boolean bOwnerSpecified = !StringUtil.isEmpty(resourceOwner); - ResourceGroupOwnership requestOwnership = bOwnerSpecified ? - new ResourceGroupOwnership().setMetaOwner(resourceOwner) : null; - - // if the object has no owner then we're good for the enforcement - // part, but we need to return the request ownership object (in case - // it was specified) so the resource is updated accordingly - - ResourceGroupOwnership resourceOwnership = group.getResourceOwnership(); - if (resourceOwnership == null) { - return requestOwnership; - } - - // if the current object has no meta owner then we need to update - // the resource ownership to set it to the caller - - final String metaOwner = resourceOwnership.getMetaOwner(); - if (!bOwnerSpecified && StringUtil.isEmpty(metaOwner)) { - // if both values are not present then no changes are necessary - return null; - } else if (!bOwnerSpecified) { - // if the object has members owner then we reject the request - throw ZMSUtils.conflictError("Group has a resource owner: " + metaOwner, caller); - } else if (StringUtil.isEmpty(metaOwner)) { - // if the object has no meta owner then we need to set it - requestOwnership.setObjectOwner(resourceOwnership.getObjectOwner()); - requestOwnership.setMembersOwner(resourceOwnership.getMembersOwner()); - return requestOwnership; - } else if (!resourceOwner.equalsIgnoreCase(metaOwner)) { - throw ZMSUtils.conflictError("Invalid resource meta owner for group: " + group.getName() - + ", " + metaOwner + " vs. " + resourceOwner, caller); - } else { - // no changes needed - return null; - } - } - - public static ResourceGroupOwnership verifyGroupMembersResourceOwnership(Group group, final String resourceOwner, - final String caller) { - - // first check if we're explicitly asked to ignore the check - // by either using the ignore value or the feature being disabled - - if (skipEnforceResourceOwnership(resourceOwner)) { - return null; - } - - boolean bOwnerSpecified = !StringUtil.isEmpty(resourceOwner); - ResourceGroupOwnership requestOwnership = bOwnerSpecified ? - new ResourceGroupOwnership().setMembersOwner(resourceOwner) : null; - - // if the object has no owner then we're good for the enforcement - // part, but we need to return the request ownership object (in case - // it was specified) so the resource is updated accordingly - - ResourceGroupOwnership resourceOwnership = group.getResourceOwnership(); - if (resourceOwnership == null) { - return requestOwnership; - } - - final String membersOwner = resourceOwnership.getMembersOwner(); - if (!bOwnerSpecified && StringUtil.isEmpty(membersOwner)) { - // if both values are not present then no changes are necessary - return null; - } else if (!bOwnerSpecified) { - // if the object has members owner then we reject the request - throw ZMSUtils.conflictError("Group has a resource owner: " + membersOwner, caller); - } else if (StringUtil.isEmpty(membersOwner)) { - // if the object has no members owner then we need to set it - requestOwnership.setObjectOwner(resourceOwnership.getObjectOwner()); - requestOwnership.setMetaOwner(resourceOwnership.getMetaOwner()); - return requestOwnership; - } else if (!resourceOwner.equalsIgnoreCase(membersOwner)) { - throw ZMSUtils.conflictError("Invalid resource member owner for group: " + group.getName() - + ", " + membersOwner + " vs. " + resourceOwner, caller); - } else { - // no changes needed - return null; - } - } - - public static ResourcePolicyOwnership verifyPolicyResourceOwnership(Policy policy, boolean assertionsPresent, - final String resourceOwner, final String caller) { - - // first check if we're explicitly asked to ignore the check - // by either using the ignore value or the feature being disabled - - if (skipEnforceResourceOwnership(resourceOwner)) { - return null; - } - - boolean bOwnerSpecified = !StringUtil.isEmpty(resourceOwner); - ResourcePolicyOwnership requestOwnership = bOwnerSpecified ? - new ResourcePolicyOwnership().setObjectOwner(resourceOwner).setAssertionsOwner(resourceOwner) : null; - - // if the original object is null then we need to update ownership - // set accordingly - if the assertionsPresent is false, we won't set - // assertions ownership since it's not present in the original object - - if (policy == null || policy.getResourceOwnership() == null) { - if (!bOwnerSpecified) { - return null; - } - if (!assertionsPresent) { - requestOwnership.setAssertionsOwner(null); - } - return requestOwnership; - } - - // we need to verify all components in the resource ownership - - ResourcePolicyOwnership resourceOwnership = policy.getResourceOwnership(); - boolean bUpdateRequired = false; - if (resourceOwnership.getObjectOwner() == null) { - bUpdateRequired = true; - } else if (ownershipCheckFailure(bOwnerSpecified, resourceOwner, resourceOwnership.getObjectOwner())) { - throw ZMSUtils.conflictError("Invalid resource owner for policy: " + policy.getName() - + ", " + resourceOwnership.getObjectOwner() + " vs. " + resourceOwner, caller); - } - - if (resourceOwnership.getAssertionsOwner() == null) { - bUpdateRequired = true; - } else if (ownershipCheckFailure(bOwnerSpecified, resourceOwner, resourceOwnership.getAssertionsOwner())) { - throw ZMSUtils.conflictError("Invalid assertions owner for policy: " + policy.getName() - + ", " + resourceOwnership.getAssertionsOwner() + " vs. " + resourceOwner, caller); - } - - return bUpdateRequired ? requestOwnership : null; - } - - public static void verifyPolicyDeleteResourceOwnership(Policy policy, final String resourceOwner, - final String caller) { - - // if the object has no owner then we're good for the enforcement check - - ResourcePolicyOwnership resourceOwnership = policy.getResourceOwnership(); - if (resourceOwnership == null || resourceOwnership.getObjectOwner() == null) { - return; - } - - verifyDeleteResourceOwnership(resourceOwner, resourceOwnership.getObjectOwner(), caller); - } - - public static ResourcePolicyOwnership verifyPolicyAssertionsResourceOwnership(Policy policy, final String resourceOwner, - final String caller) { - - // first check if we're explicitly asked to ignore the check - // by either using the ignore value or the feature being disabled - - if (skipEnforceResourceOwnership(resourceOwner)) { - return null; - } - - boolean bOwnerSpecified = !StringUtil.isEmpty(resourceOwner); - ResourcePolicyOwnership requestOwnership = bOwnerSpecified ? - new ResourcePolicyOwnership().setAssertionsOwner(resourceOwner) : null; - - // if the object has no owner then we're good for the enforcement - // part, but we need to return the request ownership object (in case - // it was specified) so the resource is updated accordingly - - ResourcePolicyOwnership resourceOwnership = policy.getResourceOwnership(); - if (resourceOwnership == null) { - return requestOwnership; - } - - final String assertionsOwner = resourceOwnership.getAssertionsOwner(); - if (!bOwnerSpecified && StringUtil.isEmpty(assertionsOwner)) { - // if both values are not present then no changes are necessary - return null; - } else if (!bOwnerSpecified) { - // if the object has assertions owner then we reject the request - throw ZMSUtils.conflictError("Policy has a resource owner: " + assertionsOwner, caller); - } else if (StringUtil.isEmpty(assertionsOwner)) { - // if the object has no assertions owner then we need to set it - requestOwnership.setObjectOwner(resourceOwnership.getObjectOwner()); - return requestOwnership; - } else if (!resourceOwner.equalsIgnoreCase(assertionsOwner)) { - throw ZMSUtils.conflictError("Invalid resource member owner for policy: " + policy.getName() - + ", " + assertionsOwner + " vs. " + resourceOwner, caller); - } else { - // no changes needed - return null; - } - } - - public static ResourceServiceIdentityOwnership verifyServiceResourceOwnership(ServiceIdentity service, - boolean publicKeysPresent, boolean hostsPresent, final String resourceOwner, final String caller) { - - // first check if we're explicitly asked to ignore the check - // by either using the ignore value or the feature being disabled - - if (skipEnforceResourceOwnership(resourceOwner)) { - return null; - } - - boolean bOwnerSpecified = !StringUtil.isEmpty(resourceOwner); - ResourceServiceIdentityOwnership requestOwnership = bOwnerSpecified ? - new ResourceServiceIdentityOwnership().setObjectOwner(resourceOwner) - .setPublicKeysOwner(resourceOwner).setHostsOwner(resourceOwner) : null; - - // if the original object is null then we need to update ownership - // set accordingly - if the publicKeysPresent or hostsPresent is false, - // we won't set the corresponding ownership since it's not present in the original object - - if (service == null || service.getResourceOwnership() == null) { - if (!bOwnerSpecified) { - return null; - } - if (!publicKeysPresent) { - requestOwnership.setPublicKeysOwner(null); - } - if (!hostsPresent) { - requestOwnership.setHostsOwner(null); - } - return requestOwnership; - } - - // we need to verify all components in the resource ownership - - ResourceServiceIdentityOwnership resourceOwnership = service.getResourceOwnership(); - boolean bUpdateRequired = false; - if (resourceOwnership.getObjectOwner() == null) { - bUpdateRequired = true; - } else if (ownershipCheckFailure(bOwnerSpecified, resourceOwner, resourceOwnership.getObjectOwner())) { - throw ZMSUtils.conflictError("Invalid resource owner for service: " + service.getName() - + ", " + resourceOwnership.getObjectOwner() + " vs. " + resourceOwner, caller); - } - - if (resourceOwnership.getPublicKeysOwner() == null) { - bUpdateRequired = true; - } else if (ownershipCheckFailure(bOwnerSpecified, resourceOwner, resourceOwnership.getPublicKeysOwner())) { - throw ZMSUtils.conflictError("Invalid public-keys owner for service: " + service.getName() - + ", " + resourceOwnership.getPublicKeysOwner() + " vs. " + resourceOwner, caller); - } - - if (resourceOwnership.getHostsOwner() == null) { - bUpdateRequired = true; - } else if (ownershipCheckFailure(bOwnerSpecified, resourceOwner, resourceOwnership.getHostsOwner())) { - throw ZMSUtils.conflictError("Invalid hosts owner for service: " + service.getName() - + ", " + resourceOwnership.getHostsOwner() + " vs. " + resourceOwner, caller); - } - - return bUpdateRequired ? requestOwnership : null; - } - - public static void verifyServiceDeleteResourceOwnership(ServiceIdentity service, final String resourceOwner, - final String caller) { - - // if the object has no owner then we're good for the enforcement check - - ResourceServiceIdentityOwnership resourceOwnership = service.getResourceOwnership(); - if (resourceOwnership == null || resourceOwnership.getObjectOwner() == null) { - return; - } - - verifyDeleteResourceOwnership(resourceOwner, resourceOwnership.getObjectOwner(), caller); - } - - public static ResourceServiceIdentityOwnership verifyServicePublicKeysResourceOwnership(ServiceIdentity service, - final String resourceOwner, final String caller) { - - // first check if we're explicitly asked to ignore the check - // by either using the ignore value or the feature being disabled - - if (skipEnforceResourceOwnership(resourceOwner)) { - return null; - } - - boolean bOwnerSpecified = !StringUtil.isEmpty(resourceOwner); - ResourceServiceIdentityOwnership requestOwnership = bOwnerSpecified ? - new ResourceServiceIdentityOwnership().setPublicKeysOwner(resourceOwner) : null; - - // if the object has no owner then we're good for the enforcement - // part, but we need to return the request ownership object (in case - // it was specified) so the resource is updated accordingly - - ResourceServiceIdentityOwnership resourceOwnership = service.getResourceOwnership(); - if (resourceOwnership == null) { - return requestOwnership; - } - - final String publicKeysOwner = resourceOwnership.getPublicKeysOwner(); - if (!bOwnerSpecified && StringUtil.isEmpty(publicKeysOwner)) { - // if both values are not present then no changes are necessary - return null; - } else if (!bOwnerSpecified) { - // if the object has public keys owner then we reject the request - throw ZMSUtils.conflictError("Service has a resource owner: " + publicKeysOwner, caller); - } else if (StringUtil.isEmpty(publicKeysOwner)) { - // if the object has no public keys owner then we need to set it - requestOwnership.setObjectOwner(resourceOwnership.getObjectOwner()); - requestOwnership.setHostsOwner(resourceOwnership.getHostsOwner()); - return requestOwnership; - } else if (!resourceOwner.equalsIgnoreCase(publicKeysOwner)) { - throw ZMSUtils.conflictError("Invalid resource member owner for service: " + service.getName() - + ", " + publicKeysOwner + " vs. " + resourceOwner, caller); - } else { - // no changes needed - return null; - } - } - - public static boolean ownershipCheckFailure(boolean bOwnerSpecified, final String resourceOwner, - final String objectOwner) { - return ((bOwnerSpecified && !resourceOwner.equalsIgnoreCase(objectOwner)) || - (!bOwnerSpecified && !StringUtil.isEmpty(objectOwner))); - } - - public static void verifyPolicyAssertionsDeleteResourceOwnership(Policy policy, final String resourceOwner, - final String caller) { - - // if the object has no owner then we're good for the enforcement check - - ResourcePolicyOwnership resourceOwnership = policy.getResourceOwnership(); - if (resourceOwnership == null || resourceOwnership.getAssertionsOwner() == null) { - return; - } - - verifyDeleteResourceOwnership(resourceOwner, resourceOwnership.getAssertionsOwner(), caller); - } - - public static void verifyGroupMembersDeleteResourceOwnership(Group group, final String resourceOwner, - final String caller) { - - // if the group member has no owner then we're good for the enforcement check - - ResourceGroupOwnership resourceOwnership = group.getResourceOwnership(); - if (resourceOwnership == null || resourceOwnership.getMembersOwner() == null) { - return; - } - - verifyDeleteResourceOwnership(resourceOwner, resourceOwnership.getMembersOwner(), caller); - } - - public static void verifyDeleteResourceOwnership(final String resourceOwner, final String objectOwner, - final String caller) { - - // first check if we're explicitly asked to ignore the check - // by either using the ignore value or the feature being disabled - - if (skipEnforceResourceOwnership(resourceOwner)) { - return; - } - - // at this point we have an object owner so the value must match - // otherwise we'll throw a conflict error exception - - if (!objectOwner.equalsIgnoreCase(resourceOwner)) { - throw ZMSUtils.conflictError("Invalid resource owner for object: " + - objectOwner + " vs. " + resourceOwner, caller); - } - } - - public static boolean skipEnforceResourceOwnership(final String resourceOwner) { - return ENFORCE_RESOURCE_OWNERSHIP.get() == Boolean.FALSE || RESOURCE_OWNER_IGNORE.equalsIgnoreCase(resourceOwner); - } -} diff --git a/servers/zms/src/test/java/com/yahoo/athenz/zms/ZMSImplTest.java b/servers/zms/src/test/java/com/yahoo/athenz/zms/ZMSImplTest.java index 39ab3995927..636e95cd114 100644 --- a/servers/zms/src/test/java/com/yahoo/athenz/zms/ZMSImplTest.java +++ b/servers/zms/src/test/java/com/yahoo/athenz/zms/ZMSImplTest.java @@ -4447,8 +4447,10 @@ public void testPutPolicyVersionCopyAssertionConditions() { } catch (ResourceException ex) { assertEquals(ex.getCode(), 400); assertTrue(ex.getMessage().contains("does not exist")); - } + } + // add the doesn't exist role - now the addition should be successful + addRoleNeededForTest(domainName,"Role1"); zmsImpl.putAssertionPolicyVersion(ctx, domainName, policyName, newVersion, auditRef, null, assertion); @@ -5526,7 +5528,24 @@ public void testDeletePolicyVersion() { assertEquals(ex.getMessage(), "ResourceException (400): {code: 400, message: \"deletepolicyversion: admin policy version cannot be deleted\"}"); } + // create a policy with resource ownership + + final String resourceVersion = "ResourceOwnerVersion1"; + zmsImpl.putPolicyVersion(ctx, domainName, policyName, new PolicyOptions().setVersion(resourceVersion), + auditRef, false, "unittest"); + + try { + zmsImpl.deletePolicyVersion(ctx, domainName, policyName, resourceVersion, auditRef, null); + fail(); + } catch (Exception ex) { + assertTrue(ex.getMessage().contains("Invalid resource owner for object")); + } + + zmsImpl.deletePolicyVersion(ctx, domainName, policyName, resourceVersion, auditRef, "unittest"); + zmsImpl.putResourcePolicyOwnership(ctx, domainName, policyName, auditRef, new ResourcePolicyOwnership()); + // Delete entire policy, verify all versions are gone + zmsImpl.deletePolicy(ctx, domainName, policyName, auditRef, null); List versions = Arrays.asList("0", "New-Version1", "New-Version2"); for (String version : versions) { @@ -5621,6 +5640,52 @@ public void testDeletePolicyMissingAuditRef() { } } + @Test + public void testPutAssertionPolicyVersionFailures() { + + TestAuditLogger alogger = new TestAuditLogger(); + ZMSImpl zmsImpl = zmsTestInitializer.getZmsImpl(alogger); + RsrcCtxWrapper ctx = zmsTestInitializer.getMockDomRsrcCtx(); + final String auditRef = zmsTestInitializer.getAuditRef(); + + final String domainName = "put-policy-assertion-version"; + final String policyName = "policy1"; + + TopLevelDomain dom1 = zmsTestInitializer.createTopLevelDomainObject(domainName, + "Test Domain1", "testOrg", zmsTestInitializer.getAdminUser()); + when(ctx.getApiName()).thenReturn("posttopleveldomain").thenReturn("putpolicy") + .thenReturn("putpolicyversion").thenReturn("putassertion") + .thenReturn("putpolicyversion").thenReturn("deletepolicyversion"); + zmsImpl.postTopLevelDomain(ctx, auditRef, null, dom1); + + createPolicyWithVersions(zmsImpl, domainName, policyName); + + // adding with an invalid policy name + + Assertion assertion = new Assertion().setAction("put").setResource("resource").setRole("admin"); + try { + zmsImpl.putAssertionPolicyVersion(ctx, domainName, "invalid-policy", "0", auditRef, null, assertion); + fail(); + } catch (ResourceException ex) { + assertTrue(ex.getMessage().contains("Unable to retrieve policy")); + } + + // create a policy with resource ownership + + final String resourceVersion = "ResourceOwnerVersion1"; + zmsImpl.putPolicyVersion(ctx, domainName, policyName, new PolicyOptions().setVersion(resourceVersion), + auditRef, false, "unittest"); + + try { + zmsImpl.putAssertionPolicyVersion(ctx, domainName, policyName, resourceVersion, auditRef, null, assertion); + fail(); + } catch (Exception ex) { + assertTrue(ex.getMessage().contains("Policy has a resource owner")); + } + + zmsImpl.deleteTopLevelDomain(ctx, domainName, auditRef, null); + } + @Test public void testCreateServiceIdentity() { @@ -11737,13 +11802,25 @@ public void testIsValidUserTokenRequestNoAuthority() { } @Test - public void testIsValidUserTokenRequestNotuserAuthority() { + public void testIsValidUserTokenRequestNotUserAuthority() { Authority principalAuthority = new com.yahoo.athenz.common.server.debug.DebugPrincipalAuthority(); Principal principal = SimplePrincipal.create("user", "user1", "v=U1;d=user;n=user1;s=signature", 0, principalAuthority); ZMSImpl zmsImpl = zmsTestInitializer.getZms(); assertFalse(zmsImpl.isValidUserTokenRequest(principal, "user1")); + + Authority savedAuthority = zmsImpl.userAuthority; + UserAuthority userAuthority = Mockito.mock(UserAuthority.class); + when(userAuthority.allowAuthorization()).thenReturn(false); + when(userAuthority.getDomain()).thenReturn(null).thenReturn("athenz-domain"); + principal = SimplePrincipal.create("user", "user1", "v=U1;d=user;n=user1;s=signature", + 0, userAuthority); + zmsImpl.userAuthority = userAuthority; + + assertFalse(zmsImpl.isValidUserTokenRequest(principal, "user1")); // auth domain null + assertFalse(zmsImpl.isValidUserTokenRequest(principal, "user1")); // auth domain not user domain + zmsImpl.userAuthority = savedAuthority; } @Test @@ -15295,6 +15372,10 @@ public void testVerifyProviderEndpoint() { // other null and empty test cases assertTrue(zmsImpl.verifyProviderEndpoint(null)); assertTrue(zmsImpl.verifyProviderEndpoint("")); + + assertFalse(zmsImpl.verifyProviderEndpoint("some-invalid-<>")); + assertFalse(zmsImpl.verifyProviderEndpoint("noscheme")); + assertFalse(zmsImpl.verifyProviderEndpoint("https://")); } @Test @@ -23403,6 +23484,72 @@ public void testPutRoleReviewEnabledMembers() { zmsImpl.deleteTopLevelDomain(ctx, domainName, auditRef, null); } + @Test + public void testPutRoleReviewResourceOwnership() { + + final String domainName = "role-review-resource-exc"; + final String roleName = "role1"; + + ZMSImpl zmsImpl = zmsTestInitializer.getZms(); + RsrcCtxWrapper ctx = zmsTestInitializer.getMockDomRsrcCtx(); + final String auditRef = zmsTestInitializer.getAuditRef(); + + TopLevelDomain dom1 = zmsTestInitializer.createTopLevelDomainObject(domainName, + "Role review Test Domain1", "testOrg", "user.user1"); + zmsImpl.postTopLevelDomain(ctx, auditRef, null, dom1); + + Role role1 = zmsTestInitializer.createRoleObject(domainName, roleName, null, "user.john", "user.jane"); + zmsImpl.putRole(ctx, domainName, roleName, auditRef, false, "unittest", role1); + + // now execute role review without resource ownership + + Role roleReview = zmsTestInitializer.createRoleObject(domainName, roleName, null, "user.john", "user.jane"); + try { + zmsImpl.putRoleReview(ctx, domainName, roleName, auditRef, null, null, roleReview); + fail(); + } catch (ResourceException ex) { + assertTrue(ex.getMessage().contains("Role has a resource owner: unittest")); + } + + // with the same owner value, it should succeed + + zmsImpl.putRoleReview(ctx, domainName, roleName, auditRef, null, "unittest", roleReview); + zmsImpl.deleteTopLevelDomain(ctx, domainName, auditRef, null); + } + + @Test + public void testPutGroupReviewResourceOwnership() { + + final String domainName = "role-review-resource-exc"; + final String groupName = "group1"; + + ZMSImpl zmsImpl = zmsTestInitializer.getZms(); + RsrcCtxWrapper ctx = zmsTestInitializer.getMockDomRsrcCtx(); + final String auditRef = zmsTestInitializer.getAuditRef(); + + TopLevelDomain dom1 = zmsTestInitializer.createTopLevelDomainObject(domainName, + "Role review Test Domain1", "testOrg", "user.user1"); + zmsImpl.postTopLevelDomain(ctx, auditRef, null, dom1); + + Group group1 = zmsTestInitializer.createGroupObject(domainName, groupName, "user.joe", "user.jane"); + zmsImpl.putGroup(ctx, domainName, groupName, auditRef, false, "unittest", group1); + + // now execute group review without resource ownership + + Group groupReview = zmsTestInitializer.createGroupObject(domainName, groupName, "user.joe", "user.jane"); + try { + zmsImpl.putGroupReview(ctx, domainName, groupName, auditRef, null, null, groupReview); + fail(); + } catch (ResourceException ex) { + assertTrue(ex.getMessage().contains("Group has a resource owner: unittest")); + } + + // with the same owner value, it should succeed + + zmsImpl.putGroupReview(ctx, domainName, groupName, auditRef, null, "unittest", groupReview); + zmsImpl.deleteTopLevelDomain(ctx, domainName, auditRef, null); + } + @Test public void testLoadServerPrivateKey() { @@ -29194,6 +29341,69 @@ public void testPutAssertionConditions() { zmsImpl.deleteTopLevelDomain(ctx, domainName, auditRef, null); } + @Test + public void testPutAssertionConditionsResourceOwnership() { + + ZMSImpl zmsImpl = zmsTestInitializer.getZms(); + RsrcCtxWrapper ctx = zmsTestInitializer.getMockDomRsrcCtx(); + final String auditRef = zmsTestInitializer.getAuditRef(); + + String domainName = "put-assertion-conditions-resource-ownership"; + String roleName = "role1"; + String policyName = "policy1"; + + TopLevelDomain dom1 = zmsTestInitializer.createTopLevelDomainObject(domainName,"Test Domain1", "testOrg", + zmsTestInitializer.getAdminUser()); + zmsImpl.postTopLevelDomain(ctx, auditRef, null, dom1); + + Role role = zmsTestInitializer.createRoleObject(domainName, roleName, null, "user.john", "user.jane"); + Policy policy = zmsTestInitializer.createPolicyObject(domainName, policyName, roleName, "action1", + domainName + ":resource1", AssertionEffect.ALLOW); + zmsImpl.putRole(ctx, domainName, roleName, auditRef, false, null, role); + zmsImpl.putPolicy(ctx, domainName, policyName, auditRef, false, "unittest", policy); + + Policy policyResp = zmsImpl.getPolicy(ctx, domainName, policyName); + + AssertionConditions acs = new AssertionConditions().setConditionsList(new ArrayList<>()); + AssertionCondition ac1 = createAssertionConditionObject(1, "instances", "host,host2"); + acs.getConditionsList().add(ac1); + + // without resource ownership it should fail + + try { + zmsImpl.putAssertionConditions(ctx, domainName, policyName, policyResp.getAssertions().get(0).getId(), + auditRef, null, acs); + fail(); + } catch (ResourceException ex) { + assertTrue(ex.getMessage().contains("Policy has a resource owner: unittest")); + } + + // with resource ownership it should work + + zmsImpl.putAssertionConditions(ctx, domainName, policyName, policyResp.getAssertions().get(0).getId(), + auditRef, "unittest", acs); + + policyResp = zmsImpl.getPolicy(ctx, domainName, policyName); + AssertionCondition ac2 = createAssertionConditionObject(1, "workloads", "job1"); + + // without resource ownership it should fail + + try { + zmsImpl.putAssertionCondition(ctx, domainName, policyName, policyResp.getAssertions().get(0).getId(), + auditRef, null, ac2); + fail(); + } catch (ResourceException ex) { + assertTrue(ex.getMessage().contains("Policy has a resource owner: unittest")); + } + + // with resource ownership it should work + + zmsImpl.putAssertionCondition(ctx, domainName, policyName, policyResp.getAssertions().get(0).getId(), + auditRef, "unittest", ac2); + + zmsImpl.deleteTopLevelDomain(ctx, domainName, auditRef, null); + } + @Test public void testPutAssertionCondition() { @@ -30671,6 +30881,7 @@ public void testValidateAllEmptyOrPresent() { ZMSImpl zmsImpl = zmsTestInitializer.getZms(); + assertTrue(zmsImpl.validateAllEmptyOrPresent(null)); assertTrue(zmsImpl.validateAllEmptyOrPresent("", "")); assertTrue(zmsImpl.validateAllEmptyOrPresent(null, "")); assertTrue(zmsImpl.validateAllEmptyOrPresent("", null));