Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Resolved the issue where a NullPointer occurs when the admin role is a trust role #2857

Merged
merged 2 commits into from
Jan 18, 2025
Merged

Resolved the issue where a NullPointer occurs when the admin role is a trust role #2857

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
2a0205f
Resolved the issue where a NullPointer occurs when the admin role is …
TakuyaMatsu Jan 16, 2025
6de3adf
Ensure deleteMembership returns a 403 error when the admin role is a …
TakuyaMatsu Jan 18, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 9 additions & 2 deletions servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSImpl.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2234,8 +2234,11 @@ public void deleteDomainRoleMember(ResourceContext ctx, String domainName, Strin
throw ZMSUtils.notFoundError("Invalid domain name specified", caller);
}
List<RoleMember> members = adminRole.getRoleMembers();
if (members.size() == 1 && members.get(0).getMemberName().equals(memberName)) {
throw ZMSUtils.forbiddenError("deleteDomainRoleMember: Cannot delete last member of 'admin' role", caller);
// If adminRole is a Trust Role, the member will be null.
if (members != null) {
if (members.size() == 1 && members.get(0).getMemberName().equals(memberName)) {
throw ZMSUtils.forbiddenError("deleteDomainRoleMember: Cannot delete last member of 'admin' role", caller);
}
}

// verify that request is properly authenticated for this request
Expand Down Expand Up @@ -5329,6 +5332,10 @@ public void deleteMembership(ResourceContext ctx, String domainName, String role

if (ZMSConsts.ADMIN_ROLE_NAME.equals(roleName)) {
List<RoleMember> members = role.getRoleMembers();
// If adminRole is a Trust Role, the member will be null.
if (members == null) {
throw ZMSUtils.forbiddenError("deleteMembership: Cannot delete because the admin role member is null", caller);
}
if (members.size() == 1 && members.get(0).getMemberName().equals(normalizedMember)) {
throw ZMSUtils.forbiddenError("deleteMembership: Cannot delete last member of 'admin' role", caller);
}
Expand Down
52 changes: 52 additions & 0 deletions servers/zms/src/test/java/com/yahoo/athenz/zms/ZMSDeleteDomainTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -893,6 +893,58 @@ public void testDeleteDomainRoleMemberWhenSingleAdmin() {
zmsImpl.deleteTopLevelDomain(ctx, domainName, auditRef, null);
}

@Test
public void testDeleteDomainRoleMemberWhenTrustAdmin() {

String domainName = "deletedomainrolemember4";
ZMSImpl zmsImpl = zmsTestInitializer.getZms();
RsrcCtxWrapper ctx = zmsTestInitializer.getMockDomRsrcCtx();
final String auditRef = zmsTestInitializer.getAuditRef();

TopLevelDomain dom1 = zmsTestInitializer.createTopLevelDomainObject(domainName,
"Test Domain1", "testOrg", zmsTestInitializer.getAdminUser());
zmsImpl.postTopLevelDomain(ctx, auditRef, null, dom1);

String trustedDomainName = "trusted-domain";
TopLevelDomain trustedDomain = zmsTestInitializer.createTopLevelDomainObject(trustedDomainName,
"Trusted Domain", "testOrg", zmsTestInitializer.getAdminUser());
zmsImpl.postTopLevelDomain(ctx, auditRef, null, trustedDomain);

Role adminRole = zmsTestInitializer.createRoleObject(domainName, "admin", "trusted-domain",
null, null);
zmsImpl.putRole(ctx, domainName, "admin", auditRef, false, null, adminRole);

Role role1 = zmsTestInitializer.createRoleObject(domainName, "role1", null,
"user.jack", "user.janie");
zmsImpl.putRole(ctx, domainName, "role1", auditRef, false, null, role1);

Role role2 = zmsTestInitializer.createRoleObject(domainName, "role2", null,
"user.jack", "user.jane");
zmsImpl.putRole(ctx, domainName, "role2", auditRef, false, null, role2);

DomainRoleMembers domainRoleMembers = zmsImpl.getDomainRoleMembers(ctx, domainName);
assertEquals(domainRoleMembers.getDomainName(), domainName);

List<DomainRoleMember> members = domainRoleMembers.getMembers();
assertNotNull(members);
assertEquals(members.size(), 3);
ZMSTestUtils.verifyDomainRoleMember(members, "user.jack", "role1", "role2");
ZMSTestUtils.verifyDomainRoleMember(members, "user.janie", "role1");
ZMSTestUtils.verifyDomainRoleMember(members, "user.jane", "role2");

zmsImpl.deleteDomainRoleMember(ctx, domainName, "user.jack", auditRef);

domainRoleMembers = zmsImpl.getDomainRoleMembers(ctx, domainName);
members = domainRoleMembers.getMembers();
assertNotNull(members);
assertEquals(members.size(), 2);
ZMSTestUtils.verifyDomainRoleMember(members, "user.janie", "role1");
ZMSTestUtils.verifyDomainRoleMember(members, "user.jane", "role2");

zmsImpl.deleteTopLevelDomain(ctx, domainName, auditRef, null);
zmsImpl.deleteTopLevelDomain(ctx, trustedDomainName, auditRef, null);
}

@Test
public void testDeleteUserDomainNull() {
Authority userAuthority = new com.yahoo.athenz.common.server.debug.DebugUserAuthority();
Expand Down
33 changes: 33 additions & 0 deletions servers/zms/src/test/java/com/yahoo/athenz/zms/ZMSImplTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3502,6 +3502,39 @@ public void testDeleteMembershipInvalidDomain() {
zmsImpl.deleteTopLevelDomain(ctx, domainName, auditRef, null);
}

@Test
public void testDeleteMembershipTrustAdminRole() {
ZMSImpl zmsImpl = zmsTestInitializer.getZms();
RsrcCtxWrapper ctx = zmsTestInitializer.getMockDomRsrcCtx();
final String auditRef = zmsTestInitializer.getAuditRef();

final String domainName = "mbr-del-dom";
TopLevelDomain dom1 = zmsTestInitializer.createTopLevelDomainObject(domainName,
"Test Domain1", "testOrg", "user.user1");
zmsImpl.postTopLevelDomain(ctx, auditRef, null, dom1);

final String trustedDomainName = "trusted-domain";
TopLevelDomain trustedDomain = zmsTestInitializer.createTopLevelDomainObject(trustedDomainName,
"Test Domain1", "testOrg", "user.user1");
zmsImpl.postTopLevelDomain(ctx, auditRef, null, trustedDomain);

Role role1 = zmsTestInitializer.createRoleObject(domainName, "admin", trustedDomainName,
null, null);
zmsImpl.putRole(ctx, domainName, "admin", auditRef, false, null, role1);
Role role = zmsImpl.getRole(ctx, domainName, "admin", false, false, false);
assertNotNull(role);

try {
zmsImpl.deleteMembership(ctx, domainName, "admin", "user.joe", auditRef, null);
fail();
} catch (ResourceException e){
assertEquals(e.getCode(), 403);
}

zmsImpl.deleteTopLevelDomain(ctx, domainName, auditRef, null);
zmsImpl.deleteTopLevelDomain(ctx, trustedDomainName, auditRef, null);
}

@Test
public void testDeleteMembershipInvalidRoleCollection() {
String domainName = "MbrGetRoleDom1";
Expand Down
Loading