AthenZ · abvaidya · May 24, 2024 · May 24, 2024
diff --git a/servers/zms/src/main/java/com/yahoo/athenz/zms/DBService.java b/servers/zms/src/main/java/com/yahoo/athenz/zms/DBService.java
diff --git a/servers/zms/src/main/java/com/yahoo/athenz/zms/PrincipalRole.java b/servers/zms/src/main/java/com/yahoo/athenz/zms/PrincipalRole.java
@@ -20,6 +20,7 @@ public class PrincipalRole {
     private String domainName;
     private String roleName;
     private String domainUserAuthorityFilter;
+    private int domainMemberExpiryDays;
 
     public String getDomainName() {
         return domainName;
@@ -44,4 +45,12 @@ public String getDomainUserAuthorityFilter() {
     public void setDomainUserAuthorityFilter(String domainUserAuthorityFilter) {
         this.domainUserAuthorityFilter = domainUserAuthorityFilter;
     }
+
+    public int getDomainMemberExpiryDays() {
+        return domainMemberExpiryDays;
+    }
+
+    public void setDomainMemberExpiryDays(int domainMemberExpiryDays) {
+        this.domainMemberExpiryDays = domainMemberExpiryDays;
+    }
 }
diff --git a/servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSImpl.java b/servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSImpl.java
@@ -4299,7 +4299,11 @@ void updateRoleMemberUserAuthorityExpiry(final Role role, final String caller) {
                     throw ZMSUtils.requestError("Invalid member: " + roleMember.getMemberName() +
                             ". No expiry date attribute specified in user authority", caller);
                 }
-                roleMember.setExpiration(Timestamp.fromDate(expiry));
+
+                // otherwise only update the value is current expiry date
+                // is greater than the authority expiry date
+
+                roleMember.setExpiration(ZMSUtils.smallestExpiry(roleMember.getExpiration(), Timestamp.fromDate(expiry)));
             }
         }
     }
@@ -4834,13 +4838,16 @@ void setRoleMemberExpiration(final AthenzDomain domain, final Role role, final R
 
             case USER:
 
-                Timestamp userAuthorityExpiry = getUserAuthorityExpiry(roleMember.memberName, role.getUserAuthorityExpiration(), caller);
-                if (userAuthorityExpiry != null) {
-                    roleMember.setExpiration(userAuthorityExpiry);
-                } else {
-                    roleMember.setExpiration(memberDueDateTimestamp(domain.getDomain().getMemberExpiryDays(),
-                            role.getMemberExpiryDays(), membership.getExpiration()));
-                }
+                // first check if we have a user authority expiry configured
+                // which will automatically reject the request if the user
+                // doesn't have it, and then we'll check the role/domain expiry
+                // and use the smallest value as the user's expiry
+
+                Timestamp userAuthorityExpiry = getUserAuthorityExpiry(roleMember.memberName,
+                        role.getUserAuthorityExpiration(), caller);
+                Timestamp memberExpiry = memberDueDateTimestamp(domain.getDomain().getMemberExpiryDays(),
+                        role.getMemberExpiryDays(), membership.getExpiration());
+                roleMember.setExpiration(ZMSUtils.smallestExpiry(memberExpiry, userAuthorityExpiry));
                 break;
 
             case SERVICE:
@@ -4892,7 +4899,8 @@ void sendMembershipApprovalNotification(final String domain, final String org, f
             LOG.debug("Sending Membership Approval notification after putMembership");
         }
 
-        List<Notification> notifications = new PutRoleMembershipNotificationTask(domain, org, role, details, dbService, userDomainPrefix, notificationToEmailConverterCommon).getNotifications();
+        List<Notification> notifications = new PutRoleMembershipNotificationTask(domain, org, role, details,
+                dbService, userDomainPrefix, notificationToEmailConverterCommon).getNotifications();
         notificationManager.sendNotifications(notifications);
     }
 
@@ -4909,7 +4917,8 @@ void sendGroupMembershipApprovalNotification(final String domain, final String o
             LOG.debug("Sending Group Membership Approval notification after putGroupMembership");
         }
 
-        List<Notification> notifications = new PutGroupMembershipNotificationTask(domain, org, group, details, dbService, userDomainPrefix, notificationToEmailConverterCommon).getNotifications();
+        List<Notification> notifications = new PutGroupMembershipNotificationTask(domain, org, group, details,
+                dbService, userDomainPrefix, notificationToEmailConverterCommon).getNotifications();
         notificationManager.sendNotifications(notifications);
     }
 
@@ -10494,7 +10503,11 @@ void updateGroupMemberUserAuthorityExpiry(final Group group, final String caller
                     throw ZMSUtils.requestError("Invalid member: " + groupMember.getMemberName() +
                             ". No expiry date attribute specified in user authority", caller);
                 }
-                groupMember.setExpiration(Timestamp.fromDate(expiry));
+
+                // only update the expiry if the current expiry is greater
+                // than the user authority expiry
+
+                groupMember.setExpiration(ZMSUtils.smallestExpiry(groupMember.getExpiration(), Timestamp.fromDate(expiry)));
             }
         }
     }
@@ -10780,13 +10793,11 @@ void setGroupMemberExpiration(final AthenzDomain domain, final Group group, fina
 
             case USER:
 
-                Timestamp userAuthorityExpiry = getUserAuthorityExpiry(groupMember.memberName, group.getUserAuthorityExpiration(), caller);
-                if (userAuthorityExpiry != null) {
-                    groupMember.setExpiration(userAuthorityExpiry);
-                } else {
-                    groupMember.setExpiration(memberDueDateTimestamp(domain.getDomain().getMemberExpiryDays(),
-                            group.getMemberExpiryDays(), membership.getExpiration()));
-                }
+                Timestamp userAuthorityExpiry = getUserAuthorityExpiry(groupMember.memberName,
+                        group.getUserAuthorityExpiration(), caller);
+                Timestamp memberExpiry = memberDueDateTimestamp(domain.getDomain().getMemberExpiryDays(),
+                        group.getMemberExpiryDays(), membership.getExpiration());
+                groupMember.setExpiration(ZMSUtils.smallestExpiry(memberExpiry, userAuthorityExpiry));
                 break;
 
             case SERVICE:

diff --git a/servers/zms/src/main/java/com/yahoo/athenz/zms/store/impl/jdbc/JDBCConnection.java b/servers/zms/src/main/java/com/yahoo/athenz/zms/store/impl/jdbc/JDBCConnection.java
@@ -403,8 +403,8 @@ public class JDBCConnection implements ObjectStoreConnection {
             + "WHERE role_member.review_last_notified_time=? AND role_member.review_server=?;";
     private static final String SQL_UPDATE_ROLE_REVIEW_TIMESTAMP = "UPDATE role SET last_reviewed_time=CURRENT_TIMESTAMP(3) WHERE role_id=?;";
     private static final String SQL_LIST_ROLES_WITH_RESTRICTIONS = "SELECT domain.name as domain_name, "
-            + "role.name as role_name, domain.user_authority_filter as domain_user_authority_filter FROM role "
-            + "JOIN domain ON role.domain_id=domain.domain_id WHERE role.user_authority_filter!='' "
+            + "role.name as role_name, domain.user_authority_filter as domain_user_authority_filter, domain.member_expiry_days "
+            + "FROM role JOIN domain ON role.domain_id=domain.domain_id WHERE role.user_authority_filter!='' "
             + "OR role.user_authority_expiration!='' OR domain.user_authority_filter!='';";
     private static final String SQL_GET_GROUP = "SELECT * FROM principal_group "
             + "JOIN domain ON domain.domain_id=principal_group.domain_id "
@@ -6000,6 +6000,7 @@ public List<PrincipalRole> listRolesWithUserAuthorityRestrictions() {
                     prRole.setDomainName(rs.getString(ZMSConsts.DB_COLUMN_AS_DOMAIN_NAME));
                     prRole.setRoleName(rs.getString(ZMSConsts.DB_COLUMN_AS_ROLE_NAME));
                     prRole.setDomainUserAuthorityFilter(rs.getString(ZMSConsts.DB_COLUMN_AS_DOMAIN_USER_AUTHORITY_FILTER));
+                    prRole.setDomainMemberExpiryDays(rs.getInt(ZMSConsts.DB_COLUMN_MEMBER_EXPIRY_DAYS));
                     roles.add(prRole);
                 }
             }

diff --git a/servers/zms/src/main/java/com/yahoo/athenz/zms/utils/ZMSUtils.java b/servers/zms/src/main/java/com/yahoo/athenz/zms/utils/ZMSUtils.java
@@ -25,6 +25,7 @@
 import com.yahoo.athenz.common.server.util.ResourceUtils;
 import com.yahoo.athenz.common.server.util.ServletRequestUtil;
 import com.yahoo.athenz.zms.*;
+import com.yahoo.rdl.Timestamp;
 import com.yahoo.rdl.Validator;
 import jakarta.ws.rs.core.Response;
 import org.eclipse.jetty.util.StringUtil;
@@ -521,4 +522,24 @@ public static void validatePolicyAssertion(Validator validator, Assertion assert
         }
     }
 
+    public static Timestamp smallestExpiry(Timestamp memberExpiry, Timestamp userAuthorityExpiry) {
+
+        // if we have no user authority expiry then we'll use the member expiry
+
+        if (userAuthorityExpiry == null) {
+            return memberExpiry;
+        }
+
+        // if we have no member expiry then we'll use the user authority expiry
+
+        if (memberExpiry == null) {
+            return userAuthorityExpiry;
+        }
+
+        if (memberExpiry.millis() < userAuthorityExpiry.millis()) {
+            return memberExpiry;
+        } else {
+            return userAuthorityExpiry;
+        }
+    }
 }