diff --git a/servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSImpl.java b/servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSImpl.java index 0f7a1b2d2c0..22c214f0e66 100644 --- a/servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSImpl.java +++ b/servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSImpl.java @@ -4097,7 +4097,7 @@ public void getSignedDomains(ResourceContext ctx, String domainName, String meta if (metaOnly != null) { if (LOG.isDebugEnabled()) { - LOG.debug("getSignedDomains: metaonly: " + metaOnly, caller); + LOG.debug("getSignedDomains: metaonly: {}", metaOnly); } setMetaDataOnly = Boolean.parseBoolean(metaOnly.trim()); @@ -4109,7 +4109,7 @@ public void getSignedDomains(ResourceContext ctx, String domainName, String meta // to use the master copy instead of read-only slaves Principal principal = ((RsrcCtxWrapper) ctx).principal(); - boolean masterCopy = principal.getFullName().startsWith("sys."); + boolean systemPrincipal = principal.getFullName().startsWith("sys."); // if we're given a specific domain then we don't need to // retrieve the list of modified domains @@ -4121,7 +4121,7 @@ public void getSignedDomains(ResourceContext ctx, String domainName, String meta Domain domain = null; try { - domain = dbService.getDomain(domainName, masterCopy); + domain = dbService.getDomain(domainName, systemPrincipal); } catch (ResourceException ex) { // in case the domain does not exist we're just @@ -4137,7 +4137,7 @@ public void getSignedDomains(ResourceContext ctx, String domainName, String meta if (timestamp != 0 && youngestDomMod <= timestamp) { EntityTag eTag = new EntityTag(domain.getModified().toString()); - result.done(304, eTag.toString()); + result.done(ResourceException.NOT_MODIFIED, eTag.toString()); } // generate our signed domain object @@ -4153,7 +4153,16 @@ public void getSignedDomains(ResourceContext ctx, String domainName, String meta } } else { - + + // if we don't have a domain name then the meta flag must + // be set to true otherwise it's expensive to fetch all + // domains and sign all domains into a single response + // unless the request is from a system service + + if (!setMetaDataOnly && !systemPrincipal) { + result.done(ResourceException.BAD_REQUEST); + } + // we should get our matching tag before calling get modified list // in case we get a domain added/updated right after an empty domain list // was returned and before the matchingTag was set to a value @@ -4166,7 +4175,7 @@ public void getSignedDomains(ResourceContext ctx, String domainName, String meta DomainModifiedList dmlist = dbService.listModifiedDomains(timestamp); List modlist = dmlist.getNameModList(); if (modlist == null || modlist.size() == 0) { - result.done(304, matchingTag); + result.done(ResourceException.NOT_MODIFIED, matchingTag); } // now we can iterate through our list and retrieve each domain @@ -4206,7 +4215,7 @@ public void getSignedDomains(ResourceContext ctx, String domainName, String meta EntityTag eTag = new EntityTag(youngest.toString()); metric.stopTiming(timerMetric); - result.done(200, sdoms, eTag.toString()); + result.done(ResourceException.OK, sdoms, eTag.toString()); } List getPolicyListWithoutAssertionId(List policies) { diff --git a/servers/zms/src/test/java/com/yahoo/athenz/zms/ZMSImplTest.java b/servers/zms/src/test/java/com/yahoo/athenz/zms/ZMSImplTest.java index 502d4d80dad..e5ef5be5e12 100644 --- a/servers/zms/src/test/java/com/yahoo/athenz/zms/ZMSImplTest.java +++ b/servers/zms/src/test/java/com/yahoo/athenz/zms/ZMSImplTest.java @@ -5326,10 +5326,14 @@ public void testGetSignedDomains() { zms.privateKeyId = "0"; zms.privateKey = Crypto.loadPrivateKey(Crypto.ybase64DecodeString(privKey)); - GetSignedDomainsResult result = new GetSignedDomainsResult(mockDomRsrcCtx); + Authority principalAuthority = new com.yahoo.athenz.common.server.debug.DebugPrincipalAuthority(); + Principal sysPrincipal = principalAuthority.authenticate("v=U1;d=sys;n=zts;s=signature", + "10.11.12.13", "GET", null); + ResourceContext rsrcCtx = createResourceContext(sysPrincipal); + GetSignedDomainsResult result = new GetSignedDomainsResult(rsrcCtx); SignedDomains sdoms = null; try { - zms.getSignedDomains(mockDomRsrcCtx, null, null, null, result); + zms.getSignedDomains(rsrcCtx, null, null, null, result); fail("webappexc not thrown by getSignedDomains"); } catch (javax.ws.rs.WebApplicationException wexc) { Object obj = getWebAppExcEntity(wexc); @@ -5362,10 +5366,10 @@ public void testGetSignedDomains() { zms.privateKeyId = "1"; zms.privateKey = Crypto.loadPrivateKey(Crypto.ybase64DecodeString(privKeyK1)); - result = new GetSignedDomainsResult(mockDomRsrcCtx); + result = new GetSignedDomainsResult(rsrcCtx); sdoms = null; try { - zms.getSignedDomains(mockDomRsrcCtx, null, null, null, result); + zms.getSignedDomains(rsrcCtx, null, null, null, result); fail("webappexc not thrown by getSignedDomains"); } catch (javax.ws.rs.WebApplicationException wexc) { Object obj = getWebAppExcEntity(wexc); @@ -5392,10 +5396,10 @@ public void testGetSignedDomains() { zms.privateKeyId = "2"; zms.privateKey = Crypto.loadPrivateKey(Crypto.ybase64DecodeString(privKeyK2)); - result = new GetSignedDomainsResult(mockDomRsrcCtx); + result = new GetSignedDomainsResult(rsrcCtx); sdoms = null; try { - zms.getSignedDomains(mockDomRsrcCtx, null, null, null, result); + zms.getSignedDomains(rsrcCtx, null, null, null, result); fail("webappexc not thrown by getSignedDomains"); } catch (javax.ws.rs.WebApplicationException wexc) { Object obj = getWebAppExcEntity(wexc); @@ -5416,10 +5420,10 @@ public void testGetSignedDomains() { // test metaonly=true // - result = new GetSignedDomainsResult(mockDomRsrcCtx); + result = new GetSignedDomainsResult(rsrcCtx); sdoms = null; try { - zms.getSignedDomains(mockDomRsrcCtx, null, "tRuE", null, result); + zms.getSignedDomains(rsrcCtx, null, "tRuE", null, result); fail("webappexc not thrown by getSignedDomains"); } catch (javax.ws.rs.WebApplicationException wexc) { Object obj = getWebAppExcEntity(wexc); @@ -5447,10 +5451,10 @@ public void testGetSignedDomains() { // test metaonly=garbage // - result = new GetSignedDomainsResult(mockDomRsrcCtx); + result = new GetSignedDomainsResult(rsrcCtx); sdoms = null; try { - zms.getSignedDomains(mockDomRsrcCtx, null, "garbage", null, result); + zms.getSignedDomains(rsrcCtx, null, "garbage", null, result); fail("webappexc not thrown by getSignedDomains"); } catch (javax.ws.rs.WebApplicationException wexc) { Object obj = getWebAppExcEntity(wexc); @@ -5475,10 +5479,10 @@ public void testGetSignedDomains() { // test metaonly=false // - result = new GetSignedDomainsResult(mockDomRsrcCtx); + result = new GetSignedDomainsResult(rsrcCtx); sdoms = null; try { - zms.getSignedDomains(mockDomRsrcCtx, null, "fAlSe", null, result); + zms.getSignedDomains(rsrcCtx, null, "fAlSe", null, result); fail("webappexc not thrown by getSignedDomains"); } catch (javax.ws.rs.WebApplicationException wexc) { Object obj = getWebAppExcEntity(wexc); @@ -5505,9 +5509,9 @@ public void testGetSignedDomains() { // String eTag = "I am not good"; String eTag2 = null; - result = new GetSignedDomainsResult(mockDomRsrcCtx); + result = new GetSignedDomainsResult(rsrcCtx); try { - zms.getSignedDomains(mockDomRsrcCtx, null, null, eTag, result); + zms.getSignedDomains(rsrcCtx, null, null, eTag, result); fail("webappexc not thrown by getSignedDomains"); } catch (javax.ws.rs.WebApplicationException wexc) { Object obj = getWebAppExcEntity(wexc); @@ -5527,11 +5531,11 @@ public void testGetSignedDomains() { Policy policy1 = createPolicyObject("SignedDom1", "Policy1"); zms.putPolicy(mockDomRsrcCtx, "SignedDom1", "Policy1", auditRef, policy1); - result = new GetSignedDomainsResult(mockDomRsrcCtx); + result = new GetSignedDomainsResult(rsrcCtx); sdoms = null; eTag = null; try { - zms.getSignedDomains(mockDomRsrcCtx, null, null, eTag2, result); + zms.getSignedDomains(rsrcCtx, null, null, eTag2, result); fail("webappexc not thrown by getSignedDomains"); } catch (javax.ws.rs.WebApplicationException wexc) { Object obj = getWebAppExcEntity(wexc); @@ -5546,10 +5550,10 @@ public void testGetSignedDomains() { assertNotNull(list); assertEquals(1, list.size()); - result = new GetSignedDomainsResult(mockDomRsrcCtx); + result = new GetSignedDomainsResult(rsrcCtx); eTag2 = null; try { - zms.getSignedDomains(mockDomRsrcCtx, null, null, eTag, result); + zms.getSignedDomains(rsrcCtx, null, null, eTag, result); fail("webappexc not thrown by getSignedDomains"); } catch (javax.ws.rs.WebApplicationException wexc) { assertEquals(304, wexc.getResponse().getStatus()); @@ -5656,7 +5660,30 @@ public void testGetSignedDomainsFiltered() { zms.deleteTopLevelDomain(mockDomRsrcCtx, "signeddom1filtered", auditRef); zms.deleteTopLevelDomain(mockDomRsrcCtx, "signeddom2filtered", auditRef); } - + + @Test + public void testGetSignedDomainsNotSystemPrincipal() { + + // create multiple top level domains + TopLevelDomain dom1 = createTopLevelDomainObject("SignedDom1", + "Test Domain1", "testOrg", adminUser); + zms.postTopLevelDomain(mockDomRsrcCtx, auditRef, dom1); + + GetSignedDomainsResult result = new GetSignedDomainsResult(mockDomRsrcCtx); + ResourceError error = null; + try { + zms.getSignedDomains(mockDomRsrcCtx, null, null, null, result); + fail("webappexc not thrown by getSignedDomains"); + } catch (javax.ws.rs.WebApplicationException wexc) { + Object obj = getWebAppExcEntity(wexc); + error = (ResourceError) obj; + } + assertNotNull(error); + assertEquals(error.code, ResourceException.BAD_REQUEST); + + zms.deleteTopLevelDomain(mockDomRsrcCtx, "SignedDom1", auditRef); + } + @Test public void testGetAccess() {