Skip to content

Commit

Permalink
support principal domain filter for role/group members (#2629)
Browse files Browse the repository at this point in the history
Signed-off-by: Henry Avetisyan <[email protected]>
Co-authored-by: Henry Avetisyan <[email protected]>
  • Loading branch information
havetisyan and havetisyan authored May 30, 2024
1 parent 95c568e commit 5f6dbd7
Show file tree
Hide file tree
Showing 28 changed files with 1,089 additions and 117 deletions.
44 changes: 44 additions & 0 deletions clients/go/zms/model.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 2 additions & 0 deletions clients/go/zms/zms_schema.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

13 changes: 13 additions & 0 deletions core/zms/src/main/java/com/yahoo/athenz/zms/Group.java
Original file line number Diff line number Diff line change
Expand Up @@ -59,6 +59,9 @@ public class Group {
@RdlOptional
@JsonInclude(JsonInclude.Include.NON_EMPTY)
public ResourceGroupOwnership resourceOwnership;
@RdlOptional
@JsonInclude(JsonInclude.Include.NON_NULL)
public String principalDomainFilter;
public String name;
@RdlOptional
@JsonInclude(JsonInclude.Include.NON_EMPTY)
Expand Down Expand Up @@ -175,6 +178,13 @@ public Group setResourceOwnership(ResourceGroupOwnership resourceOwnership) {
public ResourceGroupOwnership getResourceOwnership() {
return resourceOwnership;
}
public Group setPrincipalDomainFilter(String principalDomainFilter) {
this.principalDomainFilter = principalDomainFilter;
return this;
}
public String getPrincipalDomainFilter() {
return principalDomainFilter;
}
public Group setName(String name) {
this.name = name;
return this;
Expand Down Expand Up @@ -256,6 +266,9 @@ public boolean equals(Object another) {
if (resourceOwnership == null ? a.resourceOwnership != null : !resourceOwnership.equals(a.resourceOwnership)) {
return false;
}
if (principalDomainFilter == null ? a.principalDomainFilter != null : !principalDomainFilter.equals(a.principalDomainFilter)) {
return false;
}
if (name == null ? a.name != null : !name.equals(a.name)) {
return false;
}
Expand Down
13 changes: 13 additions & 0 deletions core/zms/src/main/java/com/yahoo/athenz/zms/GroupMeta.java
Original file line number Diff line number Diff line change
Expand Up @@ -59,6 +59,9 @@ public class GroupMeta {
@RdlOptional
@JsonInclude(JsonInclude.Include.NON_EMPTY)
public ResourceGroupOwnership resourceOwnership;
@RdlOptional
@JsonInclude(JsonInclude.Include.NON_NULL)
public String principalDomainFilter;

public GroupMeta setSelfServe(Boolean selfServe) {
this.selfServe = selfServe;
Expand Down Expand Up @@ -165,6 +168,13 @@ public GroupMeta setResourceOwnership(ResourceGroupOwnership resourceOwnership)
public ResourceGroupOwnership getResourceOwnership() {
return resourceOwnership;
}
public GroupMeta setPrincipalDomainFilter(String principalDomainFilter) {
this.principalDomainFilter = principalDomainFilter;
return this;
}
public String getPrincipalDomainFilter() {
return principalDomainFilter;
}

@Override
public boolean equals(Object another) {
Expand Down Expand Up @@ -218,6 +228,9 @@ public boolean equals(Object another) {
if (resourceOwnership == null ? a.resourceOwnership != null : !resourceOwnership.equals(a.resourceOwnership)) {
return false;
}
if (principalDomainFilter == null ? a.principalDomainFilter != null : !principalDomainFilter.equals(a.principalDomainFilter)) {
return false;
}
}
return true;
}
Expand Down
13 changes: 13 additions & 0 deletions core/zms/src/main/java/com/yahoo/athenz/zms/Role.java
Original file line number Diff line number Diff line change
Expand Up @@ -89,6 +89,9 @@ public class Role {
@RdlOptional
@JsonInclude(JsonInclude.Include.NON_EMPTY)
public ResourceRoleOwnership resourceOwnership;
@RdlOptional
@JsonInclude(JsonInclude.Include.NON_NULL)
public String principalDomainFilter;
public String name;
@RdlOptional
@JsonInclude(JsonInclude.Include.NON_EMPTY)
Expand Down Expand Up @@ -267,6 +270,13 @@ public Role setResourceOwnership(ResourceRoleOwnership resourceOwnership) {
public ResourceRoleOwnership getResourceOwnership() {
return resourceOwnership;
}
public Role setPrincipalDomainFilter(String principalDomainFilter) {
this.principalDomainFilter = principalDomainFilter;
return this;
}
public String getPrincipalDomainFilter() {
return principalDomainFilter;
}
public Role setName(String name) {
this.name = name;
return this;
Expand Down Expand Up @@ -386,6 +396,9 @@ public boolean equals(Object another) {
if (resourceOwnership == null ? a.resourceOwnership != null : !resourceOwnership.equals(a.resourceOwnership)) {
return false;
}
if (principalDomainFilter == null ? a.principalDomainFilter != null : !principalDomainFilter.equals(a.principalDomainFilter)) {
return false;
}
if (name == null ? a.name != null : !name.equals(a.name)) {
return false;
}
Expand Down
13 changes: 13 additions & 0 deletions core/zms/src/main/java/com/yahoo/athenz/zms/RoleMeta.java
Original file line number Diff line number Diff line change
Expand Up @@ -83,6 +83,9 @@ public class RoleMeta {
@RdlOptional
@JsonInclude(JsonInclude.Include.NON_EMPTY)
public ResourceRoleOwnership resourceOwnership;
@RdlOptional
@JsonInclude(JsonInclude.Include.NON_NULL)
public String principalDomainFilter;

public RoleMeta setSelfServe(Boolean selfServe) {
this.selfServe = selfServe;
Expand Down Expand Up @@ -245,6 +248,13 @@ public RoleMeta setResourceOwnership(ResourceRoleOwnership resourceOwnership) {
public ResourceRoleOwnership getResourceOwnership() {
return resourceOwnership;
}
public RoleMeta setPrincipalDomainFilter(String principalDomainFilter) {
this.principalDomainFilter = principalDomainFilter;
return this;
}
public String getPrincipalDomainFilter() {
return principalDomainFilter;
}

@Override
public boolean equals(Object another) {
Expand Down Expand Up @@ -322,6 +332,9 @@ public boolean equals(Object another) {
if (resourceOwnership == null ? a.resourceOwnership != null : !resourceOwnership.equals(a.resourceOwnership)) {
return false;
}
if (principalDomainFilter == null ? a.principalDomainFilter != null : !principalDomainFilter.equals(a.principalDomainFilter)) {
return false;
}
}
return true;
}
Expand Down
6 changes: 4 additions & 2 deletions core/zms/src/main/java/com/yahoo/athenz/zms/ZMSSchema.java
Original file line number Diff line number Diff line change
Expand Up @@ -234,7 +234,8 @@ private static Schema build() {
.field("selfRenew", "Bool", true, "Flag indicates whether to allow expired members to renew their membership")
.field("selfRenewMins", "Int32", true, "Number of minutes members can renew their membership if self review option is enabled")
.field("maxMembers", "Int32", true, "Maximum number of members allowed in the group")
.field("resourceOwnership", "ResourceRoleOwnership", true, "ownership information for the role (read-only attribute)");
.field("resourceOwnership", "ResourceRoleOwnership", true, "ownership information for the role (read-only attribute)")
.field("principalDomainFilter", "String", true, "membership filtered based on configured principal domains");

sb.structType("Role", "RoleMeta")
.comment("The representation for a Role with set of members. The members (Array<MemberName>) field is deprecated and not used in role objects since it incorrectly lists all the members in the role without taking into account if the member is expired or possibly disabled. Thus, using this attribute will result in incorrect authorization checks by the client and, thus, it's no longer being populated. All applications must use the roleMembers field and take into account all the attributes of the member.")
Expand Down Expand Up @@ -553,7 +554,8 @@ private static Schema build() {
.field("selfRenew", "Bool", true, "Flag indicates whether to allow expired members to renew their membership")
.field("selfRenewMins", "Int32", true, "Number of minutes members can renew their membership if self review option is enabled")
.field("maxMembers", "Int32", true, "Maximum number of members allowed in the group")
.field("resourceOwnership", "ResourceGroupOwnership", true, "ownership information for the group (read-only attribute)");
.field("resourceOwnership", "ResourceGroupOwnership", true, "ownership information for the group (read-only attribute)")
.field("principalDomainFilter", "String", true, "membership filtered based on configured principal domains");

sb.structType("Group", "GroupMeta")
.comment("The representation for a Group with set of members.")
Expand Down
1 change: 1 addition & 0 deletions core/zms/src/main/rdl/Group.tdl
Original file line number Diff line number Diff line change
Expand Up @@ -67,6 +67,7 @@ type GroupMeta Struct {
Int32 selfRenewMins (optional); //Number of minutes members can renew their membership if self review option is enabled
Int32 maxMembers (optional); //Maximum number of members allowed in the group
ResourceGroupOwnership resourceOwnership (optional); //ownership information for the group (read-only attribute)
String principalDomainFilter (optional, x_allowempty="true"); //membership filtered based on configured principal domains
}

//The representation for a Group with set of members.
Expand Down
1 change: 1 addition & 0 deletions core/zms/src/main/rdl/Role.tdl
Original file line number Diff line number Diff line change
Expand Up @@ -66,6 +66,7 @@ type RoleMeta Struct {
Int32 selfRenewMins (optional); //Number of minutes members can renew their membership if self review option is enabled
Int32 maxMembers (optional); //Maximum number of members allowed in the group
ResourceRoleOwnership resourceOwnership (optional); //ownership information for the role (read-only attribute)
String principalDomainFilter (optional, x_allowempty="true"); //membership filtered based on configured principal domains
}

//The representation for a Role with set of members.
Expand Down
28 changes: 24 additions & 4 deletions core/zms/src/test/java/com/yahoo/athenz/zms/GroupTest.java
Original file line number Diff line number Diff line change
Expand Up @@ -62,7 +62,8 @@ public void testGroupsMethod() {
.setSelfRenew(true)
.setSelfRenewMins(180)
.setMaxMembers(5)
.setResourceOwnership(new ResourceGroupOwnership().setMetaOwner("TF"));
.setResourceOwnership(new ResourceGroupOwnership().setMetaOwner("TF"))
.setPrincipalDomainFilter("user,+unix.test,-home");

Group r2 = new Group()
.setName("sys.auth:group.admin")
Expand All @@ -83,7 +84,8 @@ public void testGroupsMethod() {
.setSelfRenew(true)
.setSelfRenewMins(180)
.setMaxMembers(5)
.setResourceOwnership(new ResourceGroupOwnership().setMetaOwner("TF"));
.setResourceOwnership(new ResourceGroupOwnership().setMetaOwner("TF"))
.setPrincipalDomainFilter("user,+unix.test,-home");

assertEquals(r, r2);
assertEquals(r, r);
Expand All @@ -107,6 +109,7 @@ public void testGroupsMethod() {
assertEquals(r.getSelfRenew(), Boolean.TRUE);
assertEquals(r.getMaxMembers(), 5);
assertEquals(r.getResourceOwnership(), new ResourceGroupOwnership().setMetaOwner("TF"));
assertEquals(r.getPrincipalDomainFilter(), "user,+unix.test,-home");

r2.setLastReviewedDate(Timestamp.fromMillis(123456789124L));
assertNotEquals(r, r2);
Expand Down Expand Up @@ -206,6 +209,13 @@ public void testGroupsMethod() {
r2.setResourceOwnership(new ResourceGroupOwnership().setMetaOwner("TF"));
assertEquals(r, r2);

r2.setPrincipalDomainFilter("user");
assertNotEquals(r, r2);
r2.setPrincipalDomainFilter(null);
assertNotEquals(r, r2);
r2.setPrincipalDomainFilter("user,+unix.test,-home");
assertEquals(r, r2);

r2.setAuditLog(null);
assertNotEquals(r, r2);
r2.setGroupMembers(null);
Expand Down Expand Up @@ -539,7 +549,8 @@ public void testGroupMetaMethod() {
.setSelfRenew(true)
.setSelfRenewMins(180)
.setMaxMembers(5)
.setResourceOwnership(new ResourceGroupOwnership().setMetaOwner("TF"));
.setResourceOwnership(new ResourceGroupOwnership().setMetaOwner("TF"))
.setPrincipalDomainFilter("user,+unix.test,-home");

assertFalse(gm1.getSelfServe());
assertEquals(gm1.getNotifyRoles(), "role1,domain:role.role2");
Expand All @@ -556,6 +567,7 @@ public void testGroupMetaMethod() {
assertEquals(gm1.getSelfRenew(), Boolean.TRUE);
assertEquals(gm1.getMaxMembers(), 5);
assertEquals(gm1.getResourceOwnership(), new ResourceGroupOwnership().setMetaOwner("TF"));
assertEquals(gm1.getPrincipalDomainFilter(), "user,+unix.test,-home");

GroupMeta gm2 = new GroupMeta()
.setSelfServe(false)
Expand All @@ -572,7 +584,8 @@ public void testGroupMetaMethod() {
.setSelfRenew(true)
.setSelfRenewMins(180)
.setMaxMembers(5)
.setResourceOwnership(new ResourceGroupOwnership().setMetaOwner("TF"));
.setResourceOwnership(new ResourceGroupOwnership().setMetaOwner("TF"))
.setPrincipalDomainFilter("user,+unix.test,-home");

assertEquals(gm1, gm2);
assertEquals(gm1, gm1);
Expand Down Expand Up @@ -684,6 +697,13 @@ public void testGroupMetaMethod() {
gm2.setResourceOwnership(new ResourceGroupOwnership().setMetaOwner("TF"));
assertEquals(gm2, gm1);

gm2.setPrincipalDomainFilter("user");
assertNotEquals(gm2, gm1);
gm2.setPrincipalDomainFilter(null);
assertNotEquals(gm2, gm1);
gm2.setPrincipalDomainFilter("user,+unix.test,-home");
assertEquals(gm2, gm1);

Schema schema = ZMSSchema.instance();
Validator validator = new Validator(schema);
Result result = validator.validate(gm1, "GroupMeta");
Expand Down
Loading

0 comments on commit 5f6dbd7

Please sign in to comment.