diff --git a/servers/zms/src/main/java/com/yahoo/athenz/zms/DBService.java b/servers/zms/src/main/java/com/yahoo/athenz/zms/DBService.java
index c7872aa1210..785a2f78f98 100644
--- a/servers/zms/src/main/java/com/yahoo/athenz/zms/DBService.java
+++ b/servers/zms/src/main/java/com/yahoo/athenz/zms/DBService.java
@@ -5168,7 +5168,7 @@ boolean addSolutionTemplate(ResourceContext ctx, ObjectStoreConnection con, Stri
 firstEntry = auditLogSeparator(auditDetails, firstEntry);
 auditDetails.append(" \"add-role\": ");
 if (!processRole(con, originalRole, domainName, roleName, templateRole,
- admin, null, auditRef, true, auditDetails)) {
+ admin, null, auditRef, StringUtil.isEmpty(templateRole.getTrust()), auditDetails)) {
 return false;
 }
@@ -5460,7 +5460,7 @@ Role updateTemplateRole(ObjectStoreConnection con, Role role, String domainName,
 List roleMembers = role.getRoleMembers();
 List newMembers = new ArrayList<>();
- if (roleMembers != null && !roleMembers.isEmpty()) {
+ if (StringUtil.isEmpty(templateRoleTrust) && roleMembers != null && !roleMembers.isEmpty()) {
 for (RoleMember roleMember : roleMembers) {
 RoleMember newRoleMember = new RoleMember();
diff --git a/servers/zms/src/test/java/com/yahoo/athenz/zms/DBServiceTest.java b/servers/zms/src/test/java/com/yahoo/athenz/zms/DBServiceTest.java
index d558765fc77..56b4184c049 100644
--- a/servers/zms/src/test/java/com/yahoo/athenz/zms/DBServiceTest.java
+++ b/servers/zms/src/test/java/com/yahoo/athenz/zms/DBServiceTest.java
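Review bot: The fourth-from-last argument to processRole in the -5168 hunk is now a computed expression buried in a ten-argument call, and nothing at the call site says which behaviour it switches; hoist it into a named local, `boolean copyTemplateMembers = StringUtil.isEmpty(templateRole.getTrust());`, and add a comment such as `// a trust (delegated) role takes its membership from the trusted domain, so template members are not copied`, assuming that is what the flag controls — processRole's parameter name is not visible here. The same predicate is written out again in updateTemplateRole in the -5460 hunk; a small helper on the template role (for example an `isTrustRole`-style check) would keep the two call sites in step if the rule ever changes. addSolutionTemplate starts and ends outside the hunk.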
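Review bot: In the -5460 hunk, when templateRoleTrust is set the template's roleMembers are dropped without any trace: newMembers stays empty and nothing is logged or appended to the audit record, so whoever applies a template that declares both `trust` and `roleMembers` (as the new `template_role_with_both_trust_and_members` fixture does) gets no signal that part of the template was ignored. Since a delegated role carrying direct members is the access-control conflict this change exists to prevent, surfacing it is worth more than hiding it: at minimum a warning such as `LOG.warn("template role {} has trust {}; ignoring {} template members", roleName, templateRoleTrust, roleMembers.size());` in an else branch, and preferably a validation error when the template itself is loaded, so the conflict is caught at definition time. How newMembers is applied to the role afterwards, and therefore whether callers see an empty list or null, is outside the hunk; updateTemplateRole starts and ends outside it as well.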
@@ -4034,6 +4034,121 @@ public void testApplySolutionTemplateExistingRoles() throws ServerResourceExcept
 zms.deleteTopLevelDomain(mockDomRsrcCtx, domainName, auditRef, null);
 }
+ @Test
+ public void testApplySolutionTemplateRoleWithBothTrustAndMembers() throws ServerResourceException {
+
+ String caller = "testApplySolutionTemplateRoleWithBothTrustAndMembers";
+ String domainName = "solutiontemplate-withtrustrole";
+ TopLevelDomain dom1 = createTopLevelDomainObject(domainName,
+ "Test Domain1", "testOrg", adminUser);
+ zms.postTopLevelDomain(mockDomRsrcCtx, auditRef, null, dom1);
+
+ SubDomain domSysNetwork = createSubDomainObject("network", "sys", "Test Domain", "testOrg",
+ adminUser, mockDomRsrcCtx.principal().getFullName());
+ zms.postSubDomain(mockDomRsrcCtx, "sys", auditRef, null, domSysNetwork);
+
+ // apply the template
+
+ List templates = new ArrayList<>();
+ templates.add("template_role_with_both_trust_and_members");
+ DomainTemplate domainTemplate = new DomainTemplate().setTemplateNames(templates);
+ zms.dbService.executePutDomainTemplate(mockDomRsrcCtx, domainName, domainTemplate, auditRef, caller);
+
+ DomainTemplateList domainTemplateList = zms.dbService.listDomainTemplates(domainName);
+ assertEquals(domainTemplateList.getTemplateNames().size(), 1);
+
+ // verify that our role collection includes the expected roles
+
+ List names = zms.dbService.listRoles(domainName);
+ assertEquals(names.size(), 2);
+ assertTrue(names.contains("trust-and-members"));
+
+ // this should be our own role that we created previously
+
+ Role role = zms.dbService.getRole(domainName, "trust-and-members", false, false, false);
+ assertEquals(role.getName(), domainName + ":role.trust-and-members");
+ assertEquals(role.getTrust(), "sys.network");
+ assertNull(role.getRoleMembers());
+
+ // remove the template_role_with_both_trust_and_members template
+
+ zms.dbService.executeDeleteDomainTemplate(mockDomRsrcCtx, domainName, "template_role_with_both_trust_and_members",
+ auditRef, caller);
+ assertNull(zms.dbService.getRole(domainName, "trust-and-members", false, false, false));
+
+ domainTemplateList = zms.dbService.listDomainTemplates(domainName);
+ assertTrue(domainTemplateList.getTemplateNames().isEmpty());
+
+ zms.deleteSubDomain(mockDomRsrcCtx, "sys", "network", auditRef, null);
+ zms.deleteTopLevelDomain(mockDomRsrcCtx, domainName, auditRef, null);
+ }
+
+ @Test
+ public void testApplySolutionTemplateUpdateRoleByTrustRole() throws ServerResourceException {
+
+ String caller = "testApplySolutionTemplateUpdateRoleByTrustRole";
+ String domainName = "solutiontemplate-updatetrustrole";
+ TopLevelDomain dom1 = createTopLevelDomainObject(domainName,
+ "Test Domain1", "testOrg", adminUser);
+ zms.postTopLevelDomain(mockDomRsrcCtx, auditRef, null, dom1);
+
+ SubDomain domSysNetwork = createSubDomainObject("network", "sys", "Test Domain", "testOrg",
+ adminUser, mockDomRsrcCtx.principal().getFullName());
+ zms.postSubDomain(mockDomRsrcCtx, "sys", auditRef, null, domSysNetwork);
+
+ Role role1 = createRoleObject(domainName, "target-role", null, "user.joe",
+ "user.jane");
+ zms.putRole(mockDomRsrcCtx, domainName, "target-role", auditRef, false, null, role1);
+
+ // apply the template
+
+ List templates = new ArrayList<>();
+ templates.add("template_trust_role");
+ DomainTemplate domainTemplate = new DomainTemplate().setTemplateNames(templates);
+ zms.dbService.executePutDomainTemplate(mockDomRsrcCtx, domainName, domainTemplate, auditRef, caller);
+
+ DomainTemplateList domainTemplateList = zms.dbService.listDomainTemplates(domainName);
+ assertEquals(domainTemplateList.getTemplateNames().size(), 1);
+
+ // verify that our role collection includes the expected roles
+
+ List names = zms.dbService.listRoles(domainName);
+ assertEquals(names.size(), 2);
+ assertTrue(names.contains("target-role"));
+
+ // this should be our own role that we created previously
+
+ Role role = zms.dbService.getRole(domainName, "target-role", false, false, false);
+ assertEquals(role.getName(), domainName + ":role.target-role");
+ assertEquals(role.getTrust(), "sys.network");
+ assertNull(role.getRoleMembers());
+
+ // check the response from the modified_domains API
+
+ AthenzDomain athenzDomain = zms.dbService.getAthenzDomain(domainName, true);
+ List roles = athenzDomain.getRoles();
+ Role targetRole = roles.stream()
+ .filter(r -> r.getName().equals(domainName + ":role.target-role"))
+ .findFirst()
+ .orElseGet(() -> {
+ fail("Role not found: target-role");
+ return null;
+ });
+ assertNull(targetRole.getRoleMembers());
+
+ // remove the template_role_with_both_trust_and_members template
+
+ zms.dbService.executeDeleteDomainTemplate(mockDomRsrcCtx, domainName, "template_trust_role",
+ auditRef, caller);
+ assertNull(zms.dbService.getRole(domainName, "target-role", false, false, false));
+
+ domainTemplateList = zms.dbService.listDomainTemplates(domainName);
+ assertTrue(domainTemplateList.getTemplateNames().isEmpty());
+
+ zms.deleteSubDomain(mockDomRsrcCtx, "sys", "network", auditRef, null);
+ zms.deleteTopLevelDomain(mockDomRsrcCtx, domainName, auditRef, null);
+ }
+
 @Test
 public void testApplySolutionTemplateExistingGroups() throws ServerResourceException {
diff --git a/servers/zms/src/test/java/com/yahoo/athenz/zms/ZMSImplTest.java b/servers/zms/src/test/java/com/yahoo/athenz/zms/ZMSImplTest.java
index 6d0e99da2d2..af76fb1d877 100644
--- a/servers/zms/src/test/java/com/yahoo/athenz/zms/ZMSImplTest.java
+++ b/servers/zms/src/test/java/com/yahoo/athenz/zms/ZMSImplTest.java
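Review bot: The comment `// remove the template_role_with_both_trust_and_members template` in testApplySolutionTemplateUpdateRoleByTrustRole was carried over from the first new test and names the wrong template; the call beneath it deletes `template_trust_role`, so it should read `// remove the template_trust_role template`. The role lookup in the same test, `.orElseGet(() -> { fail("Role not found: target-role"); return null; })`, reads more directly as `.orElseThrow(() -> new AssertionError("Role not found: target-role"))`, which also removes the dead `return null` path. Both new tests otherwise cover the intended behaviour: a template trust role ends up with trust set and no members, including when the stored role previously had user.joe and user.jane as direct members.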
@@ -23821,7 +23821,7 @@ public void testGetServerTemplateDetailsList() {
 RsrcCtxWrapper ctx = zmsTestInitializer.getMockDomRsrcCtx();
 DomainTemplateDetailsList serverTemplateDetailsList = zmsImpl.getServerTemplateDetailsList(ctx);
- assertEquals(serverTemplateDetailsList.getMetaData().size(), 15);
+ assertEquals(serverTemplateDetailsList.getMetaData().size(), 17);
 TemplateMetaData vipTemplateMetaData = null;
 for (TemplateMetaData templateMetaData : serverTemplateDetailsList.getMetaData()) {
 if (templateMetaData.getTemplateName().equals("vipng")) {
@@ -23840,7 +23840,7 @@ public void testGetServerTemplateDetailsListSorted() {
 RsrcCtxWrapper ctx = zmsTestInitializer.getMockDomRsrcCtx();
 DomainTemplateDetailsList serverTemplateDetailsList = zmsImpl.getServerTemplateDetailsList(ctx);
- assertEquals(serverTemplateDetailsList.getMetaData().size(), 15);
+ assertEquals(serverTemplateDetailsList.getMetaData().size(), 17);
 List templates = serverTemplateDetailsList.getMetaData();
 String previousTemplateName = "";
diff --git a/servers/zms/src/test/resources/solution_templates.json b/servers/zms/src/test/resources/solution_templates.json
index 83c8fbe63ee..9d2fa7d1cfe 100644
--- a/servers/zms/src/test/resources/solution_templates.json
+++ b/servers/zms/src/test/resources/solution_templates.json
@@ -657,6 +657,43 @@
 ],
 "policies": [
 ]
+ },
+ "template_role_with_both_trust_and_members": {
+ "metadata":
+ {
+ "latestVersion": 1,
+ "timestamp": "2024-02-15T00:00:00.000Z",
+ "description": "TemplateRoleTest",
+ "autoUpdate": false
+ },
+ "roles": [
+ {
+ "name": "_domain_:role.trust-and-members",
+ "description": "Role for Testing",
+ "trust": "sys.network",
+ "roleMembers": [
+ {
+ "memberName": "sys.builder"
+ }
+ ]
+ }
+ ]
+ },
+ "template_trust_role": {
+ "metadata":
+ {
+ "latestVersion": 1,
+ "timestamp": "2024-02-15T00:00:00.000Z",
+ "description": "TemplateRoleTest",
+ "autoUpdate": false
+ },
+ "roles": [
+ {
+ "name": "_domain_:role.target-role",
+ "description": "Role for Testing",
+ "trust": "sys.network"
+ }
+ ]
 }
 }
 }