Provide interface for external validation checks before adding princi…

…pals to roles and groups (#2852) Signed-off-by: Henry Avetisyan <[email protected]>
AthenZ · Jan 10, 2025 · 73e1106 · 73e1106
1 parent 167965a
commit 73e1106
Show file tree

Hide file tree

Showing 11 changed files with 555 additions and 92 deletions.
diff --git a/...a/server_common/src/main/java/com/yahoo/athenz/common/server/store/ResourceValidator.java b/...a/server_common/src/main/java/com/yahoo/athenz/common/server/store/ResourceValidator.java
@@ -0,0 +1,41 @@
+/*
+ *  Copyright The Athenz Authors
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+package com.yahoo.athenz.common.server.store;
+
+/**
+ * External validator for resources managed by Athenz
+ */
+public interface ResourceValidator {
+
+    /**
+     * Validate the member for the given role and/or group
+     * @param domainName domain name
+     * @param roleName role name
+     * @param memberName member name
+     * @return true if the member is valid, false otherwise
+     */
+    boolean validateRoleMember(String domainName, String roleName, String memberName);
+
+    /**
+     * Validate the member for the given group
+     * @param domainName domain name
+     * @param groupName group name
+     * @param memberName member name
+     * @return true if the member is valid, false otherwise
+     */
+    boolean validateGroupMember(String domainName, String groupName, String memberName);
+}
diff --git a/...r_common/src/main/java/com/yahoo/athenz/common/server/store/ResourceValidatorFactory.java b/...r_common/src/main/java/com/yahoo/athenz/common/server/store/ResourceValidatorFactory.java
@@ -0,0 +1,29 @@
+/*
+ *  Copyright The Athenz Authors
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+package com.yahoo.athenz.common.server.store;
+
+import com.yahoo.athenz.common.server.ServerResourceException;
+
+public interface ResourceValidatorFactory {
+
+    /**
+     * Create a resource validator instance
+     * @return ResourceValidator instance
+     * @throws ServerResourceException in case of any errors
+     */
+    ResourceValidator create() throws ServerResourceException;
+}
diff --git a/...common/src/main/java/com/yahoo/athenz/common/server/store/impl/NoOpResourceValidator.java b/...common/src/main/java/com/yahoo/athenz/common/server/store/impl/NoOpResourceValidator.java
@@ -0,0 +1,36 @@
+/*
+ *  Copyright The Athenz Authors
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+package com.yahoo.athenz.common.server.store.impl;
+
+import com.yahoo.athenz.common.server.store.ResourceValidator;
+
+/**
+ * NoOpResourceValidator is a no-op implementation of the ResourceValidator interface.
+ * It returns true for all validation requests.
+ */
+public class NoOpResourceValidator implements ResourceValidator {
+
+    @Override
+    public boolean validateRoleMember(String domainName, String roleName, String memberName) {
+        return true;
+    }
+
+    @Override
+    public boolean validateGroupMember(String domainName, String groupName, String memberName) {
+        return true;
+    }
+}
diff --git a/...src/main/java/com/yahoo/athenz/common/server/store/impl/NoOpResourceValidatorFactory.java b/...src/main/java/com/yahoo/athenz/common/server/store/impl/NoOpResourceValidatorFactory.java
@@ -0,0 +1,32 @@
+/*
+ *  Copyright The Athenz Authors
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+package com.yahoo.athenz.common.server.store.impl;
+
+import com.yahoo.athenz.common.server.store.ResourceValidator;
+import com.yahoo.athenz.common.server.store.ResourceValidatorFactory;
+
+/**
+ * NoOpResourceValidatorFactory is a no-op implementation of the ResourceValidatorFactory interface.
+ * It creates a NoOpResourceValidator that returns true for all validation requests.
+ */
+public class NoOpResourceValidatorFactory implements ResourceValidatorFactory {
+
+    @Override
+    public ResourceValidator create() {
+        return new NoOpResourceValidator();
+    }
+}
diff --git a/...test/java/com/yahoo/athenz/common/server/store/impl/NoOpResourceValidatorFactoryTest.java b/...test/java/com/yahoo/athenz/common/server/store/impl/NoOpResourceValidatorFactoryTest.java
@@ -0,0 +1,37 @@
+/*
+ * Copyright The Athenz Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.yahoo.athenz.common.server.store.impl;
+
+import com.yahoo.athenz.common.server.store.ResourceValidator;
+import org.testng.annotations.Test;
+
+import static org.testng.Assert.assertNotNull;
+import static org.testng.Assert.assertTrue;
+
+public class NoOpResourceValidatorFactoryTest {
+
+    @Test
+    public void testCreate() {
+        NoOpResourceValidatorFactory factory = new NoOpResourceValidatorFactory();
+        ResourceValidator validator = factory.create();
+        assertNotNull(validator);
+
+        // validate some members - we should always return true
+
+        assertTrue(validator.validateRoleMember("domain", "role", "user"));
+        assertTrue(validator.validateGroupMember("domain", "group", "user"));
+    }
+}
diff --git a/servers/zms/conf/zms.properties b/servers/zms/conf/zms.properties
@@ -584,3 +584,9 @@ athenz.zms.no_auth_uri_list=/zms/v1/schema
 #athenz.zms.default_max_user_expiry_days=0
 #athenz.zms.default_max_service_expiry_days=0
 #athenz.zms.default_max_group_expiry_days=0
+
+# Specifies the factory class that implements the ResourceValidator interface
+# used by the ZMS Server to carry out resource validation checks. Currently supported
+# validations include adding principals to roles and groups. The default implementation
+# is a no-op validator that does not perform any validation checks.
+#athenz.zms.resource_validator_factory_class=com.yahoo.athenz.common.server.store.impl.NoOpResourceValidatorFactory
diff --git a/servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSConsts.java b/servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSConsts.java
@@ -230,7 +230,10 @@ public final class ZMSConsts {
 
     public static final String ZMS_PROP_STATUS_CHECKER_FACTORY_CLASS = "athenz.zms.status_checker_factory_class";
 
-    public static final String ZMS_PROP_ENABLE_PRINCIPAL_STATE_UPDATER        = "athenz.zms.enable_principal_state_updater";
+    public static final String ZMS_PROP_RESOURCE_VALIDATOR_FACTORY_CLASS = "athenz.zms.resource_validator_factory_class";
+    public static final String ZMS_PROP_RESOURCE_VALIDATOR_FACTORY_CLASS_DEFAULT = "com.yahoo.athenz.common.server.store.impl.NoOpResourceValidatorFactory";
+
+    public static final String ZMS_PROP_ENABLE_PRINCIPAL_STATE_UPDATER = "athenz.zms.enable_principal_state_updater";
     public static final String ZMS_PROP_PRINCIPAL_STATE_UPDATER_FREQUENCY = "athenz.zms.principal_state_updater_frequency";
     public static final String ZMS_PROP_PRINCIPAL_STATE_UPDATER_FREQUENCY_DEFAULT = "30"; // in minutes
     public static final String ZMS_PROP_PRINCIPAL_STATE_UPDATER_DISABLE_TIMER = "athenz.zms.disable_principal_state_updater_timer_task";