Allow setting of server default values for member expiry days (#2840)

* [feat] Allow setting of server default values for member expiry days

Signed-off-by: Takuya Matsumoto <[email protected]>

servers/zms/conf/zms.properties

@@ -577,3 +577,10 @@ athenz.zms.no_auth_uri_list=/zms/v1/schema
 # of results returned to the specified value. The default value is 100. This prevents
 # the server from returning a large number of results when the search criteria is too broad.
 #athenz.zms.search_service_limit=100
+
+# This property specifies the maximum expiry duration in days for user/service/group.
+# The value must be an integer, and the default value is 0.
+# If set to 0, it indicates that there is no expiry limit.
+#athenz.zms.default_max_user_expiry_days=0
+#athenz.zms.default_max_service_expiry_days=0
+#athenz.zms.default_max_group_expiry_days=0

servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSConsts.java

@@ -78,6 +78,10 @@ public final class ZMSConsts {
     public static final String ZMS_PROP_DOMAIN_ENVIRONMENTS     = "athenz.zms.domain_environments";
     public static final String ZMS_DEFAULT_DOMAIN_ENVIRONMENTS  = "production,integration,staging,sandbox,qa,development";
 
+    public static final String ZMS_PROP_DEFAULT_MAX_USER_EXPIRY  = "athenz.zms.default_max_user_expiry_days";
+    public static final String ZMS_PROP_DEFAULT_MAX_SERVICE_EXPIRY  = "athenz.zms.default_max_service_expiry_days";
+    public static final String ZMS_PROP_DEFAULT_MAX_GROUP_EXPIRY  = "athenz.zms.default_max_group_expiry_days";
+
     public static final String ZMS_PROP_VALIDATE_USER_MEMBERS    = "athenz.zms.validate_user_members";
     public static final String ZMS_PROP_VALIDATE_SERVICE_MEMBERS = "athenz.zms.validate_service_members";
     public static final String ZMS_PROP_VALIDATE_ASSERTION_ROLES = "athenz.zms.validate_policy_assertion_roles";

servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSImpl.java

@@ -4820,6 +4820,9 @@ public DomainRoleMembers getOverdueReview(ResourceContext ctx, String domainName
     }
 
     Timestamp getMemberDueDate(long cfgDueDateMillis, Timestamp memberDueDate) {
+        if (cfgDueDateMillis == 0) {
+            return memberDueDate;
+        }
         if (memberDueDate == null) {
             return Timestamp.fromMillis(cfgDueDateMillis);
         } else if (memberDueDate.millis() > cfgDueDateMillis) {
@@ -4893,23 +4896,6 @@ private <T> void updateMemberDueDate(MemberDueDays memberDueDays,
         }
     }
 
-    Timestamp memberDueDateTimestamp(Integer domainDueDateDays, Integer roleDueDateDays, Timestamp memberDueDate) {
-
-        long cfgExpiryMillis = ZMSUtils.configuredDueDateMillis(domainDueDateDays, roleDueDateDays);
-
-        // if we have no value configured then return
-        // the membership expiration as is
-
-        if (cfgExpiryMillis == 0) {
-            return memberDueDate;
-        }
-
-        // otherwise compare the configured expiry days with the specified
-        // membership value and choose the smallest expiration value
-
-        return getMemberDueDate(cfgExpiryMillis, memberDueDate);
-    }
-
     @Override
     public Response putMembership(ResourceContext ctx, String domainName, String roleName,
             String memberName, String auditRef, Boolean returnObj, String resourceOwner, Membership membership) {
@@ -5066,6 +5052,7 @@ Timestamp getUserAuthorityExpiry(final String userName, final String expiryAttrV
     void setRoleMemberExpiration(final AthenzDomain domain, final Role role, final RoleMember roleMember,
             final Membership membership, final String caller) {
 
+        MemberDueDays memberExpiryDueDays = new MemberDueDays(domain.getDomain(), role, MemberDueDays.Type.EXPIRY);
         switch (Principal.Type.getType(roleMember.getPrincipalType())) {
 
             case USER:
@@ -5077,44 +5064,39 @@ void setRoleMemberExpiration(final AthenzDomain domain, final Role role, final R
 
                 Timestamp userAuthorityExpiry = getUserAuthorityExpiry(roleMember.memberName,
                         role.getUserAuthorityExpiration(), caller);
-                Timestamp memberExpiry = memberDueDateTimestamp(domain.getDomain().getMemberExpiryDays(),
-                        role.getMemberExpiryDays(), membership.getExpiration());
+                Timestamp memberExpiry = getMemberDueDate(memberExpiryDueDays.getUserDueDateMillis(), membership.getExpiration());
                 roleMember.setExpiration(ZMSUtils.smallestExpiry(memberExpiry, userAuthorityExpiry));
                 break;
 
             case SERVICE:
             case USER_HEADLESS:
 
-                roleMember.setExpiration(memberDueDateTimestamp(domain.getDomain().getServiceExpiryDays(),
-                        role.getServiceExpiryDays(), membership.getExpiration()));
+                roleMember.setExpiration(getMemberDueDate(memberExpiryDueDays.getServiceDueDateMillis(), membership.getExpiration()));
                 break;
 
             case GROUP:
 
-                roleMember.setExpiration(memberDueDateTimestamp(domain.getDomain().getGroupExpiryDays(),
-                        role.getGroupExpiryDays(), membership.getExpiration()));
+                roleMember.setExpiration(getMemberDueDate(memberExpiryDueDays.getGroupDueDateMillis(), membership.getExpiration()));
                 break;
         }
     }
 
     void setRoleMemberReview(final Role role, final RoleMember roleMember,
                                  final Membership membership) {
 
+        MemberDueDays memberReminderDueDays = new MemberDueDays(null, role, MemberDueDays.Type.REMINDER);
         switch (Principal.Type.getType(roleMember.getPrincipalType())) {
             case USER:
-                roleMember.setReviewReminder(memberDueDateTimestamp(null,
-                        role.getMemberReviewDays(), membership.getReviewReminder()));
+                roleMember.setReviewReminder(getMemberDueDate(memberReminderDueDays.getUserDueDateMillis(), membership.getReviewReminder()));
                 break;
 
             case SERVICE:
             case USER_HEADLESS:
-                roleMember.setReviewReminder(memberDueDateTimestamp(null,
-                        role.getServiceReviewDays(), membership.getReviewReminder()));
+                roleMember.setReviewReminder(getMemberDueDate(memberReminderDueDays.getServiceDueDateMillis(), membership.getReviewReminder()));
                 break;
 
             case GROUP:
-                roleMember.setReviewReminder(memberDueDateTimestamp(null,
-                        role.getGroupReviewDays(), membership.getReviewReminder()));
+                roleMember.setReviewReminder(getMemberDueDate(memberReminderDueDays.getGroupDueDateMillis(), membership.getReviewReminder()));
                 break;
         }
     }
@@ -11164,22 +11146,21 @@ public GroupMembership getGroupMembership(ResourceContext ctx, String domainName
     void setGroupMemberExpiration(final AthenzDomain domain, final Group group, final GroupMember groupMember,
                                   final GroupMembership membership, final String caller) {
 
+        MemberDueDays memberExpiryDueDays = new MemberDueDays(domain.getDomain(), group);
         switch (Principal.Type.getType(groupMember.getPrincipalType())) {
 
             case USER:
 
                 Timestamp userAuthorityExpiry = getUserAuthorityExpiry(groupMember.memberName,
                         group.getUserAuthorityExpiration(), caller);
-                Timestamp memberExpiry = memberDueDateTimestamp(domain.getDomain().getMemberExpiryDays(),
-                        group.getMemberExpiryDays(), membership.getExpiration());
+                Timestamp memberExpiry = getMemberDueDate(memberExpiryDueDays.getUserDueDateMillis(), membership.getExpiration());
                 groupMember.setExpiration(ZMSUtils.smallestExpiry(memberExpiry, userAuthorityExpiry));
                 break;
 
             case SERVICE:
             case USER_HEADLESS:
 
-                groupMember.setExpiration(memberDueDateTimestamp(domain.getDomain().getServiceExpiryDays(),
-                        group.getServiceExpiryDays(), membership.getExpiration()));
+                groupMember.setExpiration(getMemberDueDate(memberExpiryDueDays.getServiceDueDateMillis(), membership.getExpiration()));
                 break;
 
             case GROUP:

servers/zms/src/main/java/com/yahoo/athenz/zms/config/MemberDueDays.java

@@ -19,9 +19,14 @@
 import com.yahoo.athenz.zms.Group;
 import com.yahoo.athenz.zms.Role;
 import com.yahoo.athenz.zms.utils.ZMSUtils;
+import com.yahoo.athenz.zms.ZMSConsts;
 
 public class MemberDueDays {
 
+    private static final int DEFAULT_MAX_USER_EXPIRY = Integer.parseInt(System.getProperty(ZMSConsts.ZMS_PROP_DEFAULT_MAX_USER_EXPIRY, "0"));
+    private static final int DEFAULT_MAX_SERVICE_EXPIRY = Integer.parseInt(System.getProperty(ZMSConsts.ZMS_PROP_DEFAULT_MAX_SERVICE_EXPIRY, "0"));
+    private static final int DEFAULT_MAX_GROUP_EXPIRY = Integer.parseInt(System.getProperty(ZMSConsts.ZMS_PROP_DEFAULT_MAX_GROUP_EXPIRY, "0"));
+
     final long userDueDateMillis;
     final long serviceDueDateMillis;
     final long groupDueDateMillis;
@@ -59,9 +64,9 @@ public MemberDueDays(Domain domain, Role role, Type type) {
             roleGroupDays = role.getGroupReviewDays();
         }
 
-        userDueDateMillis = ZMSUtils.configuredDueDateMillis(domainUserDays, roleUserDays);
-        serviceDueDateMillis = ZMSUtils.configuredDueDateMillis(domainServiceDays, roleServiceDays);
-        groupDueDateMillis = ZMSUtils.configuredDueDateMillis(domainGroupDays, roleGroupDays);
+        userDueDateMillis = ZMSUtils.configuredDueDateMillis(DEFAULT_MAX_USER_EXPIRY, domainUserDays, roleUserDays);
+        serviceDueDateMillis = ZMSUtils.configuredDueDateMillis(DEFAULT_MAX_SERVICE_EXPIRY, domainServiceDays, roleServiceDays);
+        groupDueDateMillis = ZMSUtils.configuredDueDateMillis(DEFAULT_MAX_GROUP_EXPIRY, domainGroupDays, roleGroupDays);
     }
 
     public MemberDueDays(Domain domain, Group group) {
@@ -74,8 +79,8 @@ public MemberDueDays(Domain domain, Group group) {
         Integer groupUserDays = group.getMemberExpiryDays();
         Integer groupServiceDays = group.getServiceExpiryDays();
 
-        userDueDateMillis = ZMSUtils.configuredDueDateMillis(domainUserDays, groupUserDays);
-        serviceDueDateMillis = ZMSUtils.configuredDueDateMillis(domainServiceDays, groupServiceDays);
+        userDueDateMillis = ZMSUtils.configuredDueDateMillis(DEFAULT_MAX_USER_EXPIRY, domainUserDays, groupUserDays);
+        serviceDueDateMillis = ZMSUtils.configuredDueDateMillis(DEFAULT_MAX_SERVICE_EXPIRY, domainServiceDays, groupServiceDays);
         groupDueDateMillis = 0;
     }
 

servers/zms/src/main/java/com/yahoo/athenz/zms/utils/ZMSUtils.java

@@ -449,7 +449,7 @@ public static boolean metaValueChanged(Object domainValue, Object metaValue) {
         return metaValue != null && !metaValue.equals(domainValue);
     }
 
-    public static long configuredDueDateMillis(Integer domainDueDateDays, Integer roleDueDateDays) {
+    public static long configuredDueDateMillis(int serverDefaultMaxDueDateDays, Integer domainDueDateDays, Integer roleDueDateDays) {
 
         // the role expiry days settings overrides the domain one if one configured
 
@@ -459,6 +459,13 @@ public static long configuredDueDateMillis(Integer domainDueDateDays, Integer ro
         } else if (domainDueDateDays != null && domainDueDateDays > 0) {
             expiryDays = domainDueDateDays;
         }
+
+        if (serverDefaultMaxDueDateDays > 0) {
+            if (expiryDays == 0 || expiryDays > serverDefaultMaxDueDateDays) {
+                expiryDays = serverDefaultMaxDueDateDays;
+            }
+        }
+
         return expiryDays == 0 ? 0 : System.currentTimeMillis() + TimeUnit.MILLISECONDS.convert(expiryDays, TimeUnit.DAYS);
     }
 

servers/zms/src/test/java/com/yahoo/athenz/zms/ZMSImplTest.java

@@ -22953,28 +22953,11 @@ public void testCreateMembershipApprovalNotification() {
     public void testGetMemberDueDate() {
         ZMSImpl zmsImpl = zmsTestInitializer.getZms();
         assertEquals(zmsImpl.getMemberDueDate(100, null), Timestamp.fromMillis(100));
+        assertEquals(zmsImpl.getMemberDueDate(0, Timestamp.fromMillis(50)), Timestamp.fromMillis(50));
         assertEquals(zmsImpl.getMemberDueDate(100, Timestamp.fromMillis(50)), Timestamp.fromMillis(50));
         assertEquals(zmsImpl.getMemberDueDate(100, Timestamp.fromMillis(150)), Timestamp.fromMillis(100));
     }
 
-    @Test
-    public void testMemberDueDateTimestamp() {
-        ZMSImpl zmsImpl = zmsTestInitializer.getZms();
-        assertEquals(zmsImpl.memberDueDateTimestamp(null, null, Timestamp.fromMillis(100)), Timestamp.fromMillis(100));
-        assertEquals(zmsImpl.memberDueDateTimestamp(-1, 0, Timestamp.fromMillis(100)), Timestamp.fromMillis(100));
-        assertEquals(zmsImpl.memberDueDateTimestamp(-3, -2, Timestamp.fromMillis(100)), Timestamp.fromMillis(100));
-
-        long ext50Millis = TimeUnit.MILLISECONDS.convert(50, TimeUnit.DAYS);
-        long ext75Millis = TimeUnit.MILLISECONDS.convert(75, TimeUnit.DAYS);
-        long ext100Millis = TimeUnit.MILLISECONDS.convert(100, TimeUnit.DAYS);
-
-        Timestamp stamp = zmsImpl.memberDueDateTimestamp(100, 50, Timestamp.fromMillis(System.currentTimeMillis() + ext75Millis));
-        assertTrue(ZMSTestUtils.validateDueDate(stamp.millis(), ext50Millis));
-
-        stamp = zmsImpl.memberDueDateTimestamp(75, null, Timestamp.fromMillis(System.currentTimeMillis() + ext100Millis));
-        assertTrue(ZMSTestUtils.validateDueDate(stamp.millis(), ext75Millis));
-    }
-
     @Test
     public void testUpdateRoleMemberReview() {
 
@@ -24545,11 +24528,15 @@ public void testSetGroupMemberExpiration() {
     public void testSetGroupMemberExpirationGroupRejected() {
 
         ZMSImpl zmsImpl = zmsTestInitializer.getZms();
+        AthenzDomain domain = new AthenzDomain("coretech");
+        domain.setDomain(new Domain());
+
+        Group group = zmsTestInitializer.createGroupObject(domain.getName(), "group1", "user.joe", "user.jane");
 
         GroupMember groupMember = new GroupMember().setMemberName("dev-group")
                 .setPrincipalType(Principal.Type.GROUP.getValue());
         try {
-            zmsImpl.setGroupMemberExpiration(null, null, groupMember, null, "unit-test");
+            zmsImpl.setGroupMemberExpiration(domain, group, groupMember, null, "unit-test");
             fail();
         } catch (ResourceException ex) {
             assertEquals(ex.getCode(), ResourceException.BAD_REQUEST);

servers/zms/src/test/java/com/yahoo/athenz/zms/utils/ZMSUtilsTest.java

@@ -408,33 +408,48 @@ public void testMetaValueChanged() {
     @Test
     public void testConfiguredExpiryMillis() {
 
-        assertEquals(ZMSUtils.configuredDueDateMillis(null, null), 0);
-        assertEquals(ZMSUtils.configuredDueDateMillis(null, -3), 0);
-        assertEquals(ZMSUtils.configuredDueDateMillis(null, 0), 0);
-        assertEquals(ZMSUtils.configuredDueDateMillis(-3, null), 0);
-        assertEquals(ZMSUtils.configuredDueDateMillis(0, null), 0);
-        assertEquals(ZMSUtils.configuredDueDateMillis(-3, -3), 0);
-        assertEquals(ZMSUtils.configuredDueDateMillis(0, 0), 0);
+        assertEquals(ZMSUtils.configuredDueDateMillis(0, null, null), 0);
+        assertEquals(ZMSUtils.configuredDueDateMillis(0, null, -3), 0);
+        assertEquals(ZMSUtils.configuredDueDateMillis(0, null, 0), 0);
+        assertEquals(ZMSUtils.configuredDueDateMillis(0, -3, null), 0);
+        assertEquals(ZMSUtils.configuredDueDateMillis(0, 0, null), 0);
+        assertEquals(ZMSUtils.configuredDueDateMillis(0, -3, -3), 0);
+        assertEquals(ZMSUtils.configuredDueDateMillis(0, 0, 0), 0);
 
         long extMillis = TimeUnit.MILLISECONDS.convert(10, TimeUnit.DAYS);
-        long millis = ZMSUtils.configuredDueDateMillis(null, 10);
+        long millis = ZMSUtils.configuredDueDateMillis(0, null, 10);
         assertTrue(ZMSTestUtils.validateDueDate(millis, extMillis));
-        millis = ZMSUtils.configuredDueDateMillis(null, 10);
+        millis = ZMSUtils.configuredDueDateMillis(0, null, 10);
         assertTrue(ZMSTestUtils.validateDueDate(millis, extMillis));
-        millis = ZMSUtils.configuredDueDateMillis(-1, 10);
+        millis = ZMSUtils.configuredDueDateMillis(0, -1, 10);
         assertTrue(ZMSTestUtils.validateDueDate(millis, extMillis));
-        millis = ZMSUtils.configuredDueDateMillis(0, 10);
+        millis = ZMSUtils.configuredDueDateMillis(0, 0, 10);
         assertTrue(ZMSTestUtils.validateDueDate(millis, extMillis));
-        millis = ZMSUtils.configuredDueDateMillis(5, 10);
+        millis = ZMSUtils.configuredDueDateMillis(0, 5, 10);
         assertTrue(ZMSTestUtils.validateDueDate(millis, extMillis));
-        millis = ZMSUtils.configuredDueDateMillis(20, 10);
+        millis = ZMSUtils.configuredDueDateMillis(0, 20, 10);
         assertTrue(ZMSTestUtils.validateDueDate(millis, extMillis));
 
-        millis = ZMSUtils.configuredDueDateMillis(10, null);
+        millis = ZMSUtils.configuredDueDateMillis(0, 10, null);
         assertTrue(ZMSTestUtils.validateDueDate(millis, extMillis));
-        millis = ZMSUtils.configuredDueDateMillis(10, -1);
+        millis = ZMSUtils.configuredDueDateMillis(0, 10, -1);
         assertTrue(ZMSTestUtils.validateDueDate(millis, extMillis));
-        millis = ZMSUtils.configuredDueDateMillis(10, 0);
+        millis = ZMSUtils.configuredDueDateMillis(0, 10, 0);
+        assertTrue(ZMSTestUtils.validateDueDate(millis, extMillis));
+
+        millis = ZMSUtils.configuredDueDateMillis(10, 0, 0);
+        assertTrue(ZMSTestUtils.validateDueDate(millis, extMillis));
+        millis = ZMSUtils.configuredDueDateMillis(20, 10, 0);
+        assertTrue(ZMSTestUtils.validateDueDate(millis, extMillis));
+        millis = ZMSUtils.configuredDueDateMillis(10, 100, 0);
+        assertTrue(ZMSTestUtils.validateDueDate(millis, extMillis));
+        millis = ZMSUtils.configuredDueDateMillis(10, 100, 20);
+        assertTrue(ZMSTestUtils.validateDueDate(millis, extMillis));
+        millis = ZMSUtils.configuredDueDateMillis(20, 0, 10);
+        assertTrue(ZMSTestUtils.validateDueDate(millis, extMillis));
+        millis = ZMSUtils.configuredDueDateMillis(10, 0, 100);
+        assertTrue(ZMSTestUtils.validateDueDate(millis, extMillis));
+        millis = ZMSUtils.configuredDueDateMillis(10, 20, 100);
         assertTrue(ZMSTestUtils.validateDueDate(millis, extMillis));
     }