diff --git a/servers/zms/conf/zms.properties b/servers/zms/conf/zms.properties
index 125bd2af732..ab2773dc3aa 100644
--- a/servers/zms/conf/zms.properties
+++ b/servers/zms/conf/zms.properties
@@ -577,3 +577,10 @@ athenz.zms.no_auth_uri_list=/zms/v1/schema
 # of results returned to the specified value. The default value is 100. This prevents
 # the server from returning a large number of results when the search criteria is too broad.
 #athenz.zms.search_service_limit=100
+
+# This property specifies the maximum expiry duration in days for user/service/group.
+# The value must be an integer, and the default value is 0.
+# If set to 0, it indicates that there is no expiry limit.
+#athenz.zms.default_max_user_expiry_days=0
+#athenz.zms.default_max_service_expiry_days=0
+#athenz.zms.default_max_group_expiry_days=0
diff --git a/servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSConsts.java b/servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSConsts.java
index eea4d3a4254..d245e0898dc 100644
--- a/servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSConsts.java
+++ b/servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSConsts.java
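Review bot: The comment on the three new properties does not tell an operator how the value relates to the per-domain and per-role/group expiry settings, and the `default_max_` name reads as a default rather than a cap; from the ZMSUtils change in this commit it is a server-wide ceiling that fills in when no domain/role/group value is set and overrides any larger one. Suggest replacing the first line with `# Server-wide cap, in days, on role/group membership expiry for user/service/group members. It applies when neither the domain nor the role/group configures an expiry, and it also overrides any domain/role/group value larger than the cap. 0 (default) disables the cap.` It would also help to state that the value is read once when the MemberDueDays class is loaded, so a change needs a restart, and that a non-integer value makes the server fail rather than fall back to 0 — both worth confirming against the MemberDueDays change. From the code visible here the cap is applied on membership writes and meta updates; whether existing memberships with no expiry are backfilled is not visible, and the comment should say one way or the other.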
@@ -78,6 +78,10 @@ public final class ZMSConsts { public static final String ZMS_PROP_DOMAIN_ENVIRONMENTS = "athenz.zms.domain_environments"; public static final String ZMS_DEFAULT_DOMAIN_ENVIRONMENTS = "production,integration,staging,sandbox,qa,development"; + public static final String ZMS_PROP_DEFAULT_MAX_USER_EXPIRY = "athenz.zms.default_max_user_expiry_days"; + public static final String ZMS_PROP_DEFAULT_MAX_SERVICE_EXPIRY = "athenz.zms.default_max_service_expiry_days"; + public static final String ZMS_PROP_DEFAULT_MAX_GROUP_EXPIRY = "athenz.zms.default_max_group_expiry_days"; + public static final String ZMS_PROP_VALIDATE_USER_MEMBERS = "athenz.zms.validate_user_members"; public static final String ZMS_PROP_VALIDATE_SERVICE_MEMBERS = "athenz.zms.validate_service_members"; public static final String ZMS_PROP_VALIDATE_ASSERTION_ROLES = "athenz.zms.validate_policy_assertion_roles"; diff --git a/servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSImpl.java b/servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSImpl.java index 59e170b8bbe..7bc5d79681a 100644 --- a/servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSImpl.java +++ b/servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSImpl.java @@ -4820,6 +4820,9 @@ public DomainRoleMembers getOverdueReview(ResourceContext ctx, String domainName } Timestamp getMemberDueDate(long cfgDueDateMillis, Timestamp memberDueDate) { + if (cfgDueDateMillis == 0) { + return memberDueDate; + } if (memberDueDate == null) { return Timestamp.fromMillis(cfgDueDateMillis); } else if (memberDueDate.millis() > cfgDueDateMillis) { 
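Review bot: The new guard in getMemberDueDate gives 0 a special meaning ("no due date configured at any level") that the parameter name `cfgDueDateMillis` does not convey, and the method has no header comment; the next reader has to chase configuredDueDateMillis to learn that 0 is a sentinel and not a timestamp. Suggest a line above the guard: `// 0 = nothing configured at server/domain/role level: keep the requested value (which may itself be null)`, and a short Javadoc on the method stating that it returns the earlier of the configured due date and the requested one, treating a null request as "use the configured value". The tail of the method is outside the hunk.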
@@ -4893,23 +4896,6 @@ private void updateMemberDueDate(MemberDueDays memberDueDays, } } - Timestamp memberDueDateTimestamp(Integer domainDueDateDays, Integer roleDueDateDays, Timestamp memberDueDate) { - - long cfgExpiryMillis = ZMSUtils.configuredDueDateMillis(domainDueDateDays, roleDueDateDays); - - // if we have no value configured then return - // the membership expiration as is - - if (cfgExpiryMillis == 0) { - return memberDueDate; - } - - // otherwise compare the configured expiry days with the specified - // membership value and choose the smallest expiration value - - return getMemberDueDate(cfgExpiryMillis, memberDueDate); - } - @Override public Response putMembership(ResourceContext ctx, String domainName, String roleName, String memberName, String auditRef, Boolean returnObj, String resourceOwner, Membership membership) { @@ -5066,6 +5052,7 @@ Timestamp getUserAuthorityExpiry(final String userName, final String expiryAttrV void setRoleMemberExpiration(final AthenzDomain domain, final Role role, final RoleMember roleMember, final Membership membership, final String caller) { + MemberDueDays memberExpiryDueDays = new MemberDueDays(domain.getDomain(), role, MemberDueDays.Type.EXPIRY); switch (Principal.Type.getType(roleMember.getPrincipalType())) { case USER: 
@@ -5077,22 +5064,19 @@ void setRoleMemberExpiration(final AthenzDomain domain, final Role role, final R Timestamp userAuthorityExpiry = getUserAuthorityExpiry(roleMember.memberName, role.getUserAuthorityExpiration(), caller); - Timestamp memberExpiry = memberDueDateTimestamp(domain.getDomain().getMemberExpiryDays(), - role.getMemberExpiryDays(), membership.getExpiration()); + Timestamp memberExpiry = getMemberDueDate(memberExpiryDueDays.getUserDueDateMillis(), membership.getExpiration()); roleMember.setExpiration(ZMSUtils.smallestExpiry(memberExpiry, userAuthorityExpiry)); break; case SERVICE: case USER_HEADLESS: - roleMember.setExpiration(memberDueDateTimestamp(domain.getDomain().getServiceExpiryDays(), - role.getServiceExpiryDays(), membership.getExpiration())); + roleMember.setExpiration(getMemberDueDate(memberExpiryDueDays.getServiceDueDateMillis(), membership.getExpiration())); break; case GROUP: - roleMember.setExpiration(memberDueDateTimestamp(domain.getDomain().getGroupExpiryDays(), - role.getGroupExpiryDays(), membership.getExpiration())); + roleMember.setExpiration(getMemberDueDate(memberExpiryDueDays.getGroupDueDateMillis(), membership.getExpiration())); break; } } 
@@ -5100,21 +5084,19 @@ void setRoleMemberExpiration(final AthenzDomain domain, final Role role, final R void setRoleMemberReview(final Role role, final RoleMember roleMember, final Membership membership) { + MemberDueDays memberReminderDueDays = new MemberDueDays(null, role, MemberDueDays.Type.REMINDER); switch (Principal.Type.getType(roleMember.getPrincipalType())) { case USER: - roleMember.setReviewReminder(memberDueDateTimestamp(null, - role.getMemberReviewDays(), membership.getReviewReminder())); + roleMember.setReviewReminder(getMemberDueDate(memberReminderDueDays.getUserDueDateMillis(), membership.getReviewReminder())); break; case SERVICE: case USER_HEADLESS: - roleMember.setReviewReminder(memberDueDateTimestamp(null, - role.getServiceReviewDays(), membership.getReviewReminder())); + roleMember.setReviewReminder(getMemberDueDate(memberReminderDueDays.getServiceDueDateMillis(), membership.getReviewReminder())); break; case GROUP: - roleMember.setReviewReminder(memberDueDateTimestamp(null, - role.getGroupReviewDays(), membership.getReviewReminder())); + roleMember.setReviewReminder(getMemberDueDate(memberReminderDueDays.getGroupDueDateMillis(), membership.getReviewReminder())); break; } } 
@@ -11164,22 +11146,21 @@ public GroupMembership getGroupMembership(ResourceContext ctx, String domainName void setGroupMemberExpiration(final AthenzDomain domain, final Group group, final GroupMember groupMember, final GroupMembership membership, final String caller) { + MemberDueDays memberExpiryDueDays = new MemberDueDays(domain.getDomain(), group); switch (Principal.Type.getType(groupMember.getPrincipalType())) { case USER: Timestamp userAuthorityExpiry = getUserAuthorityExpiry(groupMember.memberName, group.getUserAuthorityExpiration(), caller); - Timestamp memberExpiry = memberDueDateTimestamp(domain.getDomain().getMemberExpiryDays(), - group.getMemberExpiryDays(), membership.getExpiration()); + Timestamp memberExpiry = getMemberDueDate(memberExpiryDueDays.getUserDueDateMillis(), membership.getExpiration()); groupMember.setExpiration(ZMSUtils.smallestExpiry(memberExpiry, userAuthorityExpiry)); break; case SERVICE: case USER_HEADLESS: - groupMember.setExpiration(memberDueDateTimestamp(domain.getDomain().getServiceExpiryDays(), - group.getServiceExpiryDays(), membership.getExpiration())); + groupMember.setExpiration(getMemberDueDate(memberExpiryDueDays.getServiceDueDateMillis(), membership.getExpiration())); break; case GROUP: diff --git a/servers/zms/src/main/java/com/yahoo/athenz/zms/config/MemberDueDays.java b/servers/zms/src/main/java/com/yahoo/athenz/zms/config/MemberDueDays.java index 5d93943b020..bb8b51b3e6c 100644 --- a/servers/zms/src/main/java/com/yahoo/athenz/zms/config/MemberDueDays.java +++ b/servers/zms/src/main/java/com/yahoo/athenz/zms/config/MemberDueDays.java 
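Review bot: `new MemberDueDays(domain.getDomain(), group)` now runs before the principal type is examined, so the GROUP-member rejection that follows `case GROUP:` (outside the hunk) is only reached after the domain and group have been dereferenced; the matching ZMSImplTest change in this commit had to start passing real Domain and Group objects for exactly that reason. On this path a null domain now surfaces as a NullPointerException from `domain.getDomain()` instead of the BAD_REQUEST the method is meant to return. Consider building the MemberDueDays inside the USER and SERVICE/USER_HEADLESS cases, or checking the principal type before any computation, so validation stays ahead of the due-date arithmetic. The same "compute three due dates, use one" pattern appears in the role variants; it is harmless there but the ordering point is the same.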
@@ -19,9 +19,14 @@ import com.yahoo.athenz.zms.Group; import com.yahoo.athenz.zms.Role; import com.yahoo.athenz.zms.utils.ZMSUtils; +import com.yahoo.athenz.zms.ZMSConsts; public class MemberDueDays { + private static final int DEFAULT_MAX_USER_EXPIRY = Integer.parseInt(System.getProperty(ZMSConsts.ZMS_PROP_DEFAULT_MAX_USER_EXPIRY, "0")); + private static final int DEFAULT_MAX_SERVICE_EXPIRY = Integer.parseInt(System.getProperty(ZMSConsts.ZMS_PROP_DEFAULT_MAX_SERVICE_EXPIRY, "0")); + private static final int DEFAULT_MAX_GROUP_EXPIRY = Integer.parseInt(System.getProperty(ZMSConsts.ZMS_PROP_DEFAULT_MAX_GROUP_EXPIRY, "0")); + final long userDueDateMillis; final long serviceDueDateMillis; final long groupDueDateMillis; @@ -59,9 +64,9 @@ public MemberDueDays(Domain domain, Role role, Type type) { roleGroupDays = role.getGroupReviewDays(); } - userDueDateMillis = ZMSUtils.configuredDueDateMillis(domainUserDays, roleUserDays); - serviceDueDateMillis = ZMSUtils.configuredDueDateMillis(domainServiceDays, roleServiceDays); - groupDueDateMillis = ZMSUtils.configuredDueDateMillis(domainGroupDays, roleGroupDays); + userDueDateMillis = ZMSUtils.configuredDueDateMillis(DEFAULT_MAX_USER_EXPIRY, domainUserDays, roleUserDays); + serviceDueDateMillis = ZMSUtils.configuredDueDateMillis(DEFAULT_MAX_SERVICE_EXPIRY, domainServiceDays, roleServiceDays); + groupDueDateMillis = ZMSUtils.configuredDueDateMillis(DEFAULT_MAX_GROUP_EXPIRY, domainGroupDays, roleGroupDays); } public MemberDueDays(Domain domain, Group group) { 
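Review bot: The three caps are parsed with `Integer.parseInt` in static initializers, so a mistyped value in the properties file is not reported at startup: the NumberFormatException is wrapped in an ExceptionInInitializerError the first time MemberDueDays is loaded, which may be well after startup, and every later use of the class fails with NoClassDefFoundError. Failing is the right outcome for a misconfigured security cap — do not fall back to `Integer.getInteger`'s default, since a typo would silently remove the cap — but it should fail early and name the property. Ideally validate these where ZMSImpl loads its other properties (not visible here); at minimum route the parse through a helper that carries the property name, as below. Because the values are static finals, the cap cannot be exercised through MemberDueDays in the unit tests, which is presumably why ZMSUtilsTest passes the int directly.
```java
    private static final int DEFAULT_MAX_USER_EXPIRY = readDays(ZMSConsts.ZMS_PROP_DEFAULT_MAX_USER_EXPIRY);
    private static final int DEFAULT_MAX_SERVICE_EXPIRY = readDays(ZMSConsts.ZMS_PROP_DEFAULT_MAX_SERVICE_EXPIRY);
    private static final int DEFAULT_MAX_GROUP_EXPIRY = readDays(ZMSConsts.ZMS_PROP_DEFAULT_MAX_GROUP_EXPIRY);

    // Fail with the offending property name instead of a bare ExceptionInInitializerError;
    // a cap that cannot be parsed must not silently degrade to "no cap".
    private static int readDays(String propName) {
        final String value = System.getProperty(propName, "0").trim();
        try {
            return Integer.parseInt(value);
        } catch (NumberFormatException ex) {
            throw new IllegalStateException("Invalid integer value for " + propName + ": " + value, ex);
        }
    }
```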
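Review bot: The server-wide expiry caps are applied regardless of `type`, so for `Type.REMINDER` — which setRoleMemberReview in this same commit now uses via `new MemberDueDays(null, role, MemberDueDays.Type.REMINDER)` — a configured `default_max_user_expiry_days` also forces every review reminder to at most that many days, although the properties describe the value as an expiry limit and no reminder cap exists. Pass 0 as the cap on the reminder path: `userDueDateMillis = ZMSUtils.configuredDueDateMillis(type == Type.EXPIRY ? DEFAULT_MAX_USER_EXPIRY : 0, domainUserDays, roleUserDays);` and the same for the service and group lines. The start of this constructor is outside the hunk, so if `type` is validated or remapped there the condition should follow that. A ZMSImplTest case for setRoleMemberReview with a cap configured would pin the intended behaviour either way.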
@@ -74,8 +79,8 @@ public MemberDueDays(Domain domain, Group group) { Integer groupUserDays = group.getMemberExpiryDays(); Integer groupServiceDays = group.getServiceExpiryDays(); - userDueDateMillis = ZMSUtils.configuredDueDateMillis(domainUserDays, groupUserDays); - serviceDueDateMillis = ZMSUtils.configuredDueDateMillis(domainServiceDays, groupServiceDays); + userDueDateMillis = ZMSUtils.configuredDueDateMillis(DEFAULT_MAX_USER_EXPIRY, domainUserDays, groupUserDays); + serviceDueDateMillis = ZMSUtils.configuredDueDateMillis(DEFAULT_MAX_SERVICE_EXPIRY, domainServiceDays, groupServiceDays); groupDueDateMillis = 0; } diff --git a/servers/zms/src/main/java/com/yahoo/athenz/zms/utils/ZMSUtils.java b/servers/zms/src/main/java/com/yahoo/athenz/zms/utils/ZMSUtils.java index c3529af1863..9da52ca6ab8 100644 --- a/servers/zms/src/main/java/com/yahoo/athenz/zms/utils/ZMSUtils.java +++ b/servers/zms/src/main/java/com/yahoo/athenz/zms/utils/ZMSUtils.java @@ -449,7 +449,7 @@ public static boolean metaValueChanged(Object domainValue, Object metaValue) { return metaValue != null && !metaValue.equals(domainValue); } - public static long configuredDueDateMillis(Integer domainDueDateDays, Integer roleDueDateDays) { + public static long configuredDueDateMillis(int serverDefaultMaxDueDateDays, Integer domainDueDateDays, Integer roleDueDateDays) { // the role expiry days settings overrides the domain one if one configured @@ -459,6 +459,13 @@ public static long configuredDueDateMillis(Integer domainDueDateDays, Integer ro } else if (domainDueDateDays != null && domainDueDateDays > 0) { expiryDays = domainDueDateDays; } + + if (serverDefaultMaxDueDateDays > 0) { + if (expiryDays == 0 || expiryDays > serverDefaultMaxDueDateDays) { + expiryDays = serverDefaultMaxDueDateDays; + } + } + return expiryDays == 0 ? 0 : System.currentTimeMillis() + TimeUnit.MILLISECONDS.convert(expiryDays, TimeUnit.DAYS); } 
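Review bot: configuredDueDateMillis now encodes a three-level precedence — role/group over domain, then the server cap filling in an unset value and clamping a larger one — but the only comment still describes the original two-level rule, and the `> 0` test means a negative `serverDefaultMaxDueDateDays` silently acts as "no cap", which nothing documents. Suggest a Javadoc on the method stating that the role value wins over the domain value, that a server cap greater than 0 replaces an unset value and overrides any larger configured one, that a value of 0 or less at any level means "unset", and that the result is 0 when nothing is configured and otherwise now plus the selected number of days. A one-liner above the new block would also help: `// server-wide cap: used when nothing is configured, and overrides any larger domain/role value`.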
diff --git a/servers/zms/src/test/java/com/yahoo/athenz/zms/ZMSImplTest.java b/servers/zms/src/test/java/com/yahoo/athenz/zms/ZMSImplTest.java index e7e3d4d7cc8..548ef243126 100644 --- a/servers/zms/src/test/java/com/yahoo/athenz/zms/ZMSImplTest.java +++ b/servers/zms/src/test/java/com/yahoo/athenz/zms/ZMSImplTest.java @@ -22953,28 +22953,11 @@ public void testCreateMembershipApprovalNotification() { public void testGetMemberDueDate() { ZMSImpl zmsImpl = zmsTestInitializer.getZms(); assertEquals(zmsImpl.getMemberDueDate(100, null), Timestamp.fromMillis(100)); + assertEquals(zmsImpl.getMemberDueDate(0, Timestamp.fromMillis(50)), Timestamp.fromMillis(50)); assertEquals(zmsImpl.getMemberDueDate(100, Timestamp.fromMillis(50)), Timestamp.fromMillis(50)); assertEquals(zmsImpl.getMemberDueDate(100, Timestamp.fromMillis(150)), Timestamp.fromMillis(100)); } - @Test - public void testMemberDueDateTimestamp() { - ZMSImpl zmsImpl = zmsTestInitializer.getZms(); - assertEquals(zmsImpl.memberDueDateTimestamp(null, null, Timestamp.fromMillis(100)), Timestamp.fromMillis(100)); - assertEquals(zmsImpl.memberDueDateTimestamp(-1, 0, Timestamp.fromMillis(100)), Timestamp.fromMillis(100)); - assertEquals(zmsImpl.memberDueDateTimestamp(-3, -2, Timestamp.fromMillis(100)), Timestamp.fromMillis(100)); - - long ext50Millis = TimeUnit.MILLISECONDS.convert(50, TimeUnit.DAYS); - long ext75Millis = TimeUnit.MILLISECONDS.convert(75, TimeUnit.DAYS); - long ext100Millis = TimeUnit.MILLISECONDS.convert(100, TimeUnit.DAYS); - - Timestamp stamp = zmsImpl.memberDueDateTimestamp(100, 50, Timestamp.fromMillis(System.currentTimeMillis() + ext75Millis)); - assertTrue(ZMSTestUtils.validateDueDate(stamp.millis(), ext50Millis)); - - stamp = zmsImpl.memberDueDateTimestamp(75, null, Timestamp.fromMillis(System.currentTimeMillis() + ext100Millis)); - assertTrue(ZMSTestUtils.validateDueDate(stamp.millis(), ext75Millis)); - } - @Test public void testUpdateRoleMemberReview() { 
@@ -24545,11 +24528,15 @@ public void testSetGroupMemberExpiration() { public void testSetGroupMemberExpirationGroupRejected() { ZMSImpl zmsImpl = zmsTestInitializer.getZms(); + AthenzDomain domain = new AthenzDomain("coretech"); + domain.setDomain(new Domain()); + + Group group = zmsTestInitializer.createGroupObject(domain.getName(), "group1", "user.joe", "user.jane"); GroupMember groupMember = new GroupMember().setMemberName("dev-group") .setPrincipalType(Principal.Type.GROUP.getValue()); try { - zmsImpl.setGroupMemberExpiration(null, null, groupMember, null, "unit-test"); + zmsImpl.setGroupMemberExpiration(domain, group, groupMember, null, "unit-test"); fail(); } catch (ResourceException ex) { assertEquals(ex.getCode(), ResourceException.BAD_REQUEST); diff --git a/servers/zms/src/test/java/com/yahoo/athenz/zms/utils/ZMSUtilsTest.java b/servers/zms/src/test/java/com/yahoo/athenz/zms/utils/ZMSUtilsTest.java index 529ebcbf9e7..36709ab8e56 100644 --- a/servers/zms/src/test/java/com/yahoo/athenz/zms/utils/ZMSUtilsTest.java +++ b/servers/zms/src/test/java/com/yahoo/athenz/zms/utils/ZMSUtilsTest.java 
@@ -408,33 +408,48 @@ public void testMetaValueChanged() { @Test public void testConfiguredExpiryMillis() { - assertEquals(ZMSUtils.configuredDueDateMillis(null, null), 0); - assertEquals(ZMSUtils.configuredDueDateMillis(null, -3), 0); - assertEquals(ZMSUtils.configuredDueDateMillis(null, 0), 0); - assertEquals(ZMSUtils.configuredDueDateMillis(-3, null), 0); - assertEquals(ZMSUtils.configuredDueDateMillis(0, null), 0); - assertEquals(ZMSUtils.configuredDueDateMillis(-3, -3), 0); - assertEquals(ZMSUtils.configuredDueDateMillis(0, 0), 0); + assertEquals(ZMSUtils.configuredDueDateMillis(0, null, null), 0); + assertEquals(ZMSUtils.configuredDueDateMillis(0, null, -3), 0); + assertEquals(ZMSUtils.configuredDueDateMillis(0, null, 0), 0); + assertEquals(ZMSUtils.configuredDueDateMillis(0, -3, null), 0); + assertEquals(ZMSUtils.configuredDueDateMillis(0, 0, null), 0); + assertEquals(ZMSUtils.configuredDueDateMillis(0, -3, -3), 0); + assertEquals(ZMSUtils.configuredDueDateMillis(0, 0, 0), 0); long extMillis = TimeUnit.MILLISECONDS.convert(10, TimeUnit.DAYS); - long millis = ZMSUtils.configuredDueDateMillis(null, 10); + long millis = ZMSUtils.configuredDueDateMillis(0, null, 10); assertTrue(ZMSTestUtils.validateDueDate(millis, extMillis)); - millis = ZMSUtils.configuredDueDateMillis(null, 10); + millis = ZMSUtils.configuredDueDateMillis(0, null, 10); assertTrue(ZMSTestUtils.validateDueDate(millis, extMillis)); - millis = ZMSUtils.configuredDueDateMillis(-1, 10); + millis = ZMSUtils.configuredDueDateMillis(0, -1, 10); assertTrue(ZMSTestUtils.validateDueDate(millis, extMillis)); - millis = ZMSUtils.configuredDueDateMillis(0, 10); + millis = ZMSUtils.configuredDueDateMillis(0, 0, 10); assertTrue(ZMSTestUtils.validateDueDate(millis, extMillis)); - millis = ZMSUtils.configuredDueDateMillis(5, 10); + millis = ZMSUtils.configuredDueDateMillis(0, 5, 10); assertTrue(ZMSTestUtils.validateDueDate(millis, extMillis)); - millis = ZMSUtils.configuredDueDateMillis(20, 10); + millis = 
ZMSUtils.configuredDueDateMillis(0, 20, 10); assertTrue(ZMSTestUtils.validateDueDate(millis, extMillis)); - millis = ZMSUtils.configuredDueDateMillis(10, null); + millis = ZMSUtils.configuredDueDateMillis(0, 10, null); assertTrue(ZMSTestUtils.validateDueDate(millis, extMillis)); - millis = ZMSUtils.configuredDueDateMillis(10, -1); + millis = ZMSUtils.configuredDueDateMillis(0, 10, -1); assertTrue(ZMSTestUtils.validateDueDate(millis, extMillis)); - millis = ZMSUtils.configuredDueDateMillis(10, 0); + millis = ZMSUtils.configuredDueDateMillis(0, 10, 0); + assertTrue(ZMSTestUtils.validateDueDate(millis, extMillis)); + + millis = ZMSUtils.configuredDueDateMillis(10, 0, 0); + assertTrue(ZMSTestUtils.validateDueDate(millis, extMillis)); + millis = ZMSUtils.configuredDueDateMillis(20, 10, 0); + assertTrue(ZMSTestUtils.validateDueDate(millis, extMillis)); + millis = ZMSUtils.configuredDueDateMillis(10, 100, 0); + assertTrue(ZMSTestUtils.validateDueDate(millis, extMillis)); + millis = ZMSUtils.configuredDueDateMillis(10, 100, 20); + assertTrue(ZMSTestUtils.validateDueDate(millis, extMillis)); + millis = ZMSUtils.configuredDueDateMillis(20, 0, 10); + assertTrue(ZMSTestUtils.validateDueDate(millis, extMillis)); + millis = ZMSUtils.configuredDueDateMillis(10, 0, 100); + assertTrue(ZMSTestUtils.validateDueDate(millis, extMillis)); + millis = ZMSUtils.configuredDueDateMillis(10, 20, 100); assertTrue(ZMSTestUtils.validateDueDate(millis, extMillis)); }
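Review bot: All the new cases use a positive server cap; nothing pins down that a negative cap is treated as "no cap" by the `> 0` check in configuredDueDateMillis, so a later tightening of the property parsing could change that silently. Add `assertEquals(ZMSUtils.configuredDueDateMillis(-5, 0, 0), 0);` and `millis = ZMSUtils.configuredDueDateMillis(-5, 0, 10); assertTrue(ZMSTestUtils.validateDueDate(millis, extMillis));` next to the existing zero-cap cases.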