From ed2c6e9bbec5117512cc6cf2151d6ff23b2cb444 Mon Sep 17 00:00:00 2001 From: takumats Date: Thu, 26 Dec 2024 16:47:22 +0900 Subject: [PATCH 1/3] [feat] Allow setting of server default values for member expiry days Signed-off-by: takumats --- .../java/com/yahoo/athenz/zms/ZMSConsts.java | 4 ++ .../java/com/yahoo/athenz/zms/ZMSImpl.java | 47 ++++++------------ .../athenz/zms/config/MemberDueDays.java | 19 +++++--- .../com/yahoo/athenz/zms/utils/ZMSUtils.java | 9 +++- .../com/yahoo/athenz/zms/ZMSImplTest.java | 22 ++------- .../yahoo/athenz/zms/utils/ZMSUtilsTest.java | 48 ++++++++++++------- 6 files changed, 73 insertions(+), 76 deletions(-) diff --git a/servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSConsts.java b/servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSConsts.java index eea4d3a4254..04625b9780d 100644 --- a/servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSConsts.java +++ b/servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSConsts.java @@ -78,6 +78,10 @@ public final class ZMSConsts { public static final String ZMS_PROP_DOMAIN_ENVIRONMENTS = "athenz.zms.domain_environments"; public static final String ZMS_DEFAULT_DOMAIN_ENVIRONMENTS = "production,integration,staging,sandbox,qa,development"; + public static final String ZMS_PROP_DEFAULT_USER_EXPIRY = "athenz.zms.default_user_expiry_days"; + public static final String ZMS_PROP_DEFAULT_SERVICE_EXPIRY = "athenz.zms.default_service_expiry_days"; + public static final String ZMS_PROP_DEFAULT_GROUP_EXPIRY = "athenz.zms.default_group_expiry_days"; + public static final String ZMS_PROP_VALIDATE_USER_MEMBERS = "athenz.zms.validate_user_members"; public static final String ZMS_PROP_VALIDATE_SERVICE_MEMBERS = "athenz.zms.validate_service_members"; public static final String ZMS_PROP_VALIDATE_ASSERTION_ROLES = "athenz.zms.validate_policy_assertion_roles"; 
diff --git a/servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSImpl.java b/servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSImpl.java index 59e170b8bbe..7bc5d79681a 100644 --- a/servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSImpl.java +++ b/servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSImpl.java @@ -4820,6 +4820,9 @@ public DomainRoleMembers getOverdueReview(ResourceContext ctx, String domainName } Timestamp getMemberDueDate(long cfgDueDateMillis, Timestamp memberDueDate) { + if (cfgDueDateMillis == 0) { + return memberDueDate; + } if (memberDueDate == null) { return Timestamp.fromMillis(cfgDueDateMillis); } else if (memberDueDate.millis() > cfgDueDateMillis) { @@ -4893,23 +4896,6 @@ private void updateMemberDueDate(MemberDueDays memberDueDays, } } - Timestamp memberDueDateTimestamp(Integer domainDueDateDays, Integer roleDueDateDays, Timestamp memberDueDate) { - - long cfgExpiryMillis = ZMSUtils.configuredDueDateMillis(domainDueDateDays, roleDueDateDays); - - // if we have no value configured then return - // the membership expiration as is - - if (cfgExpiryMillis == 0) { - return memberDueDate; - } - - // otherwise compare the configured expiry days with the specified - // membership value and choose the smallest expiration value - - return getMemberDueDate(cfgExpiryMillis, memberDueDate); - } - @Override public Response putMembership(ResourceContext ctx, String domainName, String roleName, String memberName, String auditRef, Boolean returnObj, String resourceOwner, Membership membership) { @@ -5066,6 +5052,7 @@ Timestamp getUserAuthorityExpiry(final String userName, final String expiryAttrV void setRoleMemberExpiration(final AthenzDomain domain, final Role role, final RoleMember roleMember, final Membership membership, final String caller) { + MemberDueDays memberExpiryDueDays = new MemberDueDays(domain.getDomain(), role, MemberDueDays.Type.EXPIRY); switch (Principal.Type.getType(roleMember.getPrincipalType())) { case USER: 
@@ -5077,22 +5064,19 @@ void setRoleMemberExpiration(final AthenzDomain domain, final Role role, final R Timestamp userAuthorityExpiry = getUserAuthorityExpiry(roleMember.memberName, role.getUserAuthorityExpiration(), caller); - Timestamp memberExpiry = memberDueDateTimestamp(domain.getDomain().getMemberExpiryDays(), - role.getMemberExpiryDays(), membership.getExpiration()); + Timestamp memberExpiry = getMemberDueDate(memberExpiryDueDays.getUserDueDateMillis(), membership.getExpiration()); roleMember.setExpiration(ZMSUtils.smallestExpiry(memberExpiry, userAuthorityExpiry)); break; case SERVICE: case USER_HEADLESS: - roleMember.setExpiration(memberDueDateTimestamp(domain.getDomain().getServiceExpiryDays(), - role.getServiceExpiryDays(), membership.getExpiration())); + roleMember.setExpiration(getMemberDueDate(memberExpiryDueDays.getServiceDueDateMillis(), membership.getExpiration())); break; case GROUP: - roleMember.setExpiration(memberDueDateTimestamp(domain.getDomain().getGroupExpiryDays(), - role.getGroupExpiryDays(), membership.getExpiration())); + roleMember.setExpiration(getMemberDueDate(memberExpiryDueDays.getGroupDueDateMillis(), membership.getExpiration())); break; } } 
@@ -5100,21 +5084,19 @@ void setRoleMemberExpiration(final AthenzDomain domain, final Role role, final R void setRoleMemberReview(final Role role, final RoleMember roleMember, final Membership membership) { + MemberDueDays memberReminderDueDays = new MemberDueDays(null, role, MemberDueDays.Type.REMINDER); switch (Principal.Type.getType(roleMember.getPrincipalType())) { case USER: - roleMember.setReviewReminder(memberDueDateTimestamp(null, - role.getMemberReviewDays(), membership.getReviewReminder())); + roleMember.setReviewReminder(getMemberDueDate(memberReminderDueDays.getUserDueDateMillis(), membership.getReviewReminder())); break; case SERVICE: case USER_HEADLESS: - roleMember.setReviewReminder(memberDueDateTimestamp(null, - role.getServiceReviewDays(), membership.getReviewReminder())); + roleMember.setReviewReminder(getMemberDueDate(memberReminderDueDays.getServiceDueDateMillis(), membership.getReviewReminder())); break; case GROUP: - roleMember.setReviewReminder(memberDueDateTimestamp(null, - role.getGroupReviewDays(), membership.getReviewReminder())); + roleMember.setReviewReminder(getMemberDueDate(memberReminderDueDays.getGroupDueDateMillis(), membership.getReviewReminder())); break; } } 
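Review bot: The `MemberDueDays(null, role, MemberDueDays.Type.REMINDER)` built at the top of setRoleMemberReview now picks up the server-wide expiry limit, because the role constructor in MemberDueDays.java passes `DEFAULT_USER_EXPIRY`, `DEFAULT_SERVICE_EXPIRY` and `DEFAULT_GROUP_EXPIRY` to `configuredDueDateMillis` after the type branch, apparently for both types. With a positive limit and no review days on the role, every member would get a review reminder at the limit, and larger configured review days would be shortened; the property comment only speaks of a maximum expiry duration. If this is not intended, the constructor could pass 0 for reminders, e.g. `final int maxUserDays = (type == Type.EXPIRY) ? DEFAULT_USER_EXPIRY : 0;` and likewise for service and group. The third patch renames the constants but keeps the same calls, and the constructor body starts outside the hunks shown.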
@@ -11164,22 +11146,21 @@ public GroupMembership getGroupMembership(ResourceContext ctx, String domainName void setGroupMemberExpiration(final AthenzDomain domain, final Group group, final GroupMember groupMember, final GroupMembership membership, final String caller) { + MemberDueDays memberExpiryDueDays = new MemberDueDays(domain.getDomain(), group); switch (Principal.Type.getType(groupMember.getPrincipalType())) { case USER: Timestamp userAuthorityExpiry = getUserAuthorityExpiry(groupMember.memberName, group.getUserAuthorityExpiration(), caller); - Timestamp memberExpiry = memberDueDateTimestamp(domain.getDomain().getMemberExpiryDays(), - group.getMemberExpiryDays(), membership.getExpiration()); + Timestamp memberExpiry = getMemberDueDate(memberExpiryDueDays.getUserDueDateMillis(), membership.getExpiration()); groupMember.setExpiration(ZMSUtils.smallestExpiry(memberExpiry, userAuthorityExpiry)); break; case SERVICE: case USER_HEADLESS: - groupMember.setExpiration(memberDueDateTimestamp(domain.getDomain().getServiceExpiryDays(), - group.getServiceExpiryDays(), membership.getExpiration())); + groupMember.setExpiration(getMemberDueDate(memberExpiryDueDays.getServiceDueDateMillis(), membership.getExpiration())); break; case GROUP: diff --git a/servers/zms/src/main/java/com/yahoo/athenz/zms/config/MemberDueDays.java b/servers/zms/src/main/java/com/yahoo/athenz/zms/config/MemberDueDays.java index 5d93943b020..84edcb0395a 100644 --- a/servers/zms/src/main/java/com/yahoo/athenz/zms/config/MemberDueDays.java +++ b/servers/zms/src/main/java/com/yahoo/athenz/zms/config/MemberDueDays.java 
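Review bot: `new MemberDueDays(domain.getDomain(), group)` now runs before the switch in setGroupMemberExpiration, so the group (and, once the third patch restores the domain getters in that constructor, the domain object) is dereferenced even for the GROUP principal type, which testSetGroupMemberExpirationGroupRejected expects to be rejected with BAD_REQUEST. That test had to stop passing nulls in this series, which suggests a missing domain object would now fail with a NullPointerException instead of the ResourceException. Building the object inside the USER and SERVICE/USER_HEADLESS cases, or after the principal type has been checked, would keep the rejection path independent of its inputs. The GROUP case body lies outside this hunk.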
@@ -19,9 +19,14 @@ import com.yahoo.athenz.zms.Group; import com.yahoo.athenz.zms.Role; import com.yahoo.athenz.zms.utils.ZMSUtils; +import com.yahoo.athenz.zms.ZMSConsts; public class MemberDueDays { + private static final int DEFAULT_USER_EXPIRY = Integer.parseInt(System.getProperty(ZMSConsts.ZMS_PROP_DEFAULT_USER_EXPIRY, "0")); + private static final int DEFAULT_SERVICE_EXPIRY = Integer.parseInt(System.getProperty(ZMSConsts.ZMS_PROP_DEFAULT_SERVICE_EXPIRY, "0")); + private static final int DEFAULT_GROUP_EXPIRY = Integer.parseInt(System.getProperty(ZMSConsts.ZMS_PROP_DEFAULT_GROUP_EXPIRY, "0")); + final long userDueDateMillis; final long serviceDueDateMillis; final long groupDueDateMillis; @@ -59,9 +64,9 @@ public MemberDueDays(Domain domain, Role role, Type type) { roleGroupDays = role.getGroupReviewDays(); } - userDueDateMillis = ZMSUtils.configuredDueDateMillis(domainUserDays, roleUserDays); - serviceDueDateMillis = ZMSUtils.configuredDueDateMillis(domainServiceDays, roleServiceDays); - groupDueDateMillis = ZMSUtils.configuredDueDateMillis(domainGroupDays, roleGroupDays); + userDueDateMillis = ZMSUtils.configuredDueDateMillis(DEFAULT_USER_EXPIRY, domainUserDays, roleUserDays); + serviceDueDateMillis = ZMSUtils.configuredDueDateMillis(DEFAULT_SERVICE_EXPIRY, domainServiceDays, roleServiceDays); + groupDueDateMillis = ZMSUtils.configuredDueDateMillis(DEFAULT_GROUP_EXPIRY, domainGroupDays, roleGroupDays); } public MemberDueDays(Domain domain, Group group) { 
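Review bot: The three `Integer.parseInt(System.getProperty(...))` calls in the static initializer do not handle a malformed value: a non-numeric setting throws NumberFormatException during class initialization, which surfaces as ExceptionInInitializerError and then NoClassDefFoundError on later uses of MemberDueDays, without naming the property at fault. A negative value is accepted and, given the `> 0` test added to ZMSUtils.configuredDueDateMillis, silently means no limit, which is the unsafe direction for a setting that bounds membership lifetime. Parsing through one helper that names the property and rejects negatives would make a bad setting obvious at startup; this applies equally to the renamed constants in the third patch. Because the values are read once into static finals, the tests in this series also cannot exercise a non-zero limit through MemberDueDays.

```java
private static final int DEFAULT_USER_EXPIRY = maxExpiryDays(ZMSConsts.ZMS_PROP_DEFAULT_USER_EXPIRY);
// … unchanged pattern: service and group constants use the same helper …

private static int maxExpiryDays(final String propName) {
    final String value = System.getProperty(propName, "0");
    try {
        final int days = Integer.parseInt(value.trim());
        if (days < 0) {
            throw new IllegalArgumentException(propName + " must not be negative: " + value);
        }
        return days;
    } catch (NumberFormatException ex) {
        throw new IllegalArgumentException(propName + " must be an integer number of days: " + value, ex);
    }
}
```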
@@ -69,13 +74,13 @@ public MemberDueDays(Domain domain, Group group) { // for groups we only have user and service members // groups cannot include other groups - Integer domainUserDays = domain.getMemberExpiryDays(); - Integer domainServiceDays = domain.getServiceExpiryDays(); + Integer domainUserDays = null; + Integer domainServiceDays = null; Integer groupUserDays = group.getMemberExpiryDays(); Integer groupServiceDays = group.getServiceExpiryDays(); - userDueDateMillis = ZMSUtils.configuredDueDateMillis(domainUserDays, groupUserDays); - serviceDueDateMillis = ZMSUtils.configuredDueDateMillis(domainServiceDays, groupServiceDays); + userDueDateMillis = ZMSUtils.configuredDueDateMillis(DEFAULT_USER_EXPIRY, domainUserDays, groupUserDays); + serviceDueDateMillis = ZMSUtils.configuredDueDateMillis(DEFAULT_SERVICE_EXPIRY, domainServiceDays, groupServiceDays); groupDueDateMillis = 0; } diff --git a/servers/zms/src/main/java/com/yahoo/athenz/zms/utils/ZMSUtils.java b/servers/zms/src/main/java/com/yahoo/athenz/zms/utils/ZMSUtils.java index c3529af1863..4684eac534a 100644 --- a/servers/zms/src/main/java/com/yahoo/athenz/zms/utils/ZMSUtils.java +++ b/servers/zms/src/main/java/com/yahoo/athenz/zms/utils/ZMSUtils.java @@ -449,7 +449,7 @@ public static boolean metaValueChanged(Object domainValue, Object metaValue) { return metaValue != null && !metaValue.equals(domainValue); } - public static long configuredDueDateMillis(Integer domainDueDateDays, Integer roleDueDateDays) { + public static long configuredDueDateMillis(Integer serverDefaultDueDateDays, Integer domainDueDateDays, Integer roleDueDateDays) { // the role expiry days settings overrides the domain one if one configured 
@@ -459,6 +459,13 @@ public static long configuredDueDateMillis(Integer domainDueDateDays, Integer ro } else if (domainDueDateDays != null && domainDueDateDays > 0) { expiryDays = domainDueDateDays; } + + if (serverDefaultDueDateDays != null && serverDefaultDueDateDays > 0) { + if (expiryDays == 0 || expiryDays > serverDefaultDueDateDays) { + expiryDays = serverDefaultDueDateDays; + } + } + return expiryDays == 0 ? 0 : System.currentTimeMillis() + TimeUnit.MILLISECONDS.convert(expiryDays, TimeUnit.DAYS); } diff --git a/servers/zms/src/test/java/com/yahoo/athenz/zms/ZMSImplTest.java b/servers/zms/src/test/java/com/yahoo/athenz/zms/ZMSImplTest.java index e7e3d4d7cc8..b5393395f63 100644 --- a/servers/zms/src/test/java/com/yahoo/athenz/zms/ZMSImplTest.java +++ b/servers/zms/src/test/java/com/yahoo/athenz/zms/ZMSImplTest.java 
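Review bot: The added block carries no comment, and the existing one above it (`the role expiry days settings overrides the domain one if one configured`) no longer describes the result, because the server value is used when neither role nor domain sets one and also replaces any larger configured value. I would add above the new `if`: `// the server-wide limit, when set, applies if nothing else is configured and caps any larger role or domain value`. The two nested conditions can also be written as one, `if (serverDefaultDueDateDays != null && serverDefaultDueDateDays > 0 && (expiryDays == 0 || expiryDays > serverDefaultDueDateDays))`. The same lines are reworked in the third patch, and the function starts outside this hunk.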
@@ -22957,24 +22957,6 @@ public void testGetMemberDueDate() { assertEquals(zmsImpl.getMemberDueDate(100, Timestamp.fromMillis(150)), Timestamp.fromMillis(100)); } - @Test - public void testMemberDueDateTimestamp() { - ZMSImpl zmsImpl = zmsTestInitializer.getZms(); - assertEquals(zmsImpl.memberDueDateTimestamp(null, null, Timestamp.fromMillis(100)), Timestamp.fromMillis(100)); - assertEquals(zmsImpl.memberDueDateTimestamp(-1, 0, Timestamp.fromMillis(100)), Timestamp.fromMillis(100)); - assertEquals(zmsImpl.memberDueDateTimestamp(-3, -2, Timestamp.fromMillis(100)), Timestamp.fromMillis(100)); - - long ext50Millis = TimeUnit.MILLISECONDS.convert(50, TimeUnit.DAYS); - long ext75Millis = TimeUnit.MILLISECONDS.convert(75, TimeUnit.DAYS); - long ext100Millis = TimeUnit.MILLISECONDS.convert(100, TimeUnit.DAYS); - - Timestamp stamp = zmsImpl.memberDueDateTimestamp(100, 50, Timestamp.fromMillis(System.currentTimeMillis() + ext75Millis)); - assertTrue(ZMSTestUtils.validateDueDate(stamp.millis(), ext50Millis)); - - stamp = zmsImpl.memberDueDateTimestamp(75, null, Timestamp.fromMillis(System.currentTimeMillis() + ext100Millis)); - assertTrue(ZMSTestUtils.validateDueDate(stamp.millis(), ext75Millis)); - } - @Test public void testUpdateRoleMemberReview() { @@ -24545,11 +24527,13 @@ public void testSetGroupMemberExpiration() { public void testSetGroupMemberExpirationGroupRejected() { ZMSImpl zmsImpl = zmsTestInitializer.getZms(); + AthenzDomain domain = new AthenzDomain("coretech"); + Group group = zmsTestInitializer.createGroupObject(domain.getName(), "group1", "user.joe", "user.jane"); GroupMember groupMember = new GroupMember().setMemberName("dev-group") .setPrincipalType(Principal.Type.GROUP.getValue()); try { - zmsImpl.setGroupMemberExpiration(null, null, groupMember, null, "unit-test"); + zmsImpl.setGroupMemberExpiration(domain, group, groupMember, null, "unit-test"); fail(); } catch (ResourceException ex) { assertEquals(ex.getCode(), ResourceException.BAD_REQUEST); 
diff --git a/servers/zms/src/test/java/com/yahoo/athenz/zms/utils/ZMSUtilsTest.java b/servers/zms/src/test/java/com/yahoo/athenz/zms/utils/ZMSUtilsTest.java index 529ebcbf9e7..0a6ae5da2cf 100644 --- a/servers/zms/src/test/java/com/yahoo/athenz/zms/utils/ZMSUtilsTest.java +++ b/servers/zms/src/test/java/com/yahoo/athenz/zms/utils/ZMSUtilsTest.java 
@@ -408,33 +408,49 @@ public void testMetaValueChanged() { @Test public void testConfiguredExpiryMillis() { - assertEquals(ZMSUtils.configuredDueDateMillis(null, null), 0); - assertEquals(ZMSUtils.configuredDueDateMillis(null, -3), 0); - assertEquals(ZMSUtils.configuredDueDateMillis(null, 0), 0); - assertEquals(ZMSUtils.configuredDueDateMillis(-3, null), 0); - assertEquals(ZMSUtils.configuredDueDateMillis(0, null), 0); - assertEquals(ZMSUtils.configuredDueDateMillis(-3, -3), 0); - assertEquals(ZMSUtils.configuredDueDateMillis(0, 0), 0); + assertEquals(ZMSUtils.configuredDueDateMillis(null, null, null), 0); + assertEquals(ZMSUtils.configuredDueDateMillis(0, null, null), 0); + assertEquals(ZMSUtils.configuredDueDateMillis(0, null, -3), 0); + assertEquals(ZMSUtils.configuredDueDateMillis(0, null, 0), 0); + assertEquals(ZMSUtils.configuredDueDateMillis(0, -3, null), 0); + assertEquals(ZMSUtils.configuredDueDateMillis(0, 0, null), 0); + assertEquals(ZMSUtils.configuredDueDateMillis(0, -3, -3), 0); + assertEquals(ZMSUtils.configuredDueDateMillis(0, 0, 0), 0); long extMillis = TimeUnit.MILLISECONDS.convert(10, TimeUnit.DAYS); - long millis = ZMSUtils.configuredDueDateMillis(null, 10); + long millis = ZMSUtils.configuredDueDateMillis(0, null, 10); assertTrue(ZMSTestUtils.validateDueDate(millis, extMillis)); - millis = ZMSUtils.configuredDueDateMillis(null, 10); + millis = ZMSUtils.configuredDueDateMillis(0, null, 10); assertTrue(ZMSTestUtils.validateDueDate(millis, extMillis)); - millis = ZMSUtils.configuredDueDateMillis(-1, 10); + millis = ZMSUtils.configuredDueDateMillis(0, -1, 10); assertTrue(ZMSTestUtils.validateDueDate(millis, extMillis)); - millis = ZMSUtils.configuredDueDateMillis(0, 10); + millis = ZMSUtils.configuredDueDateMillis(0, 0, 10); assertTrue(ZMSTestUtils.validateDueDate(millis, extMillis)); - millis = ZMSUtils.configuredDueDateMillis(5, 10); + millis = ZMSUtils.configuredDueDateMillis(0, 5, 10); assertTrue(ZMSTestUtils.validateDueDate(millis, 
extMillis)); - millis = ZMSUtils.configuredDueDateMillis(20, 10); + millis = ZMSUtils.configuredDueDateMillis(0, 20, 10); assertTrue(ZMSTestUtils.validateDueDate(millis, extMillis)); - millis = ZMSUtils.configuredDueDateMillis(10, null); + millis = ZMSUtils.configuredDueDateMillis(0, 10, null); assertTrue(ZMSTestUtils.validateDueDate(millis, extMillis)); - millis = ZMSUtils.configuredDueDateMillis(10, -1); + millis = ZMSUtils.configuredDueDateMillis(0, 10, -1); assertTrue(ZMSTestUtils.validateDueDate(millis, extMillis)); - millis = ZMSUtils.configuredDueDateMillis(10, 0); + millis = ZMSUtils.configuredDueDateMillis(0, 10, 0); + assertTrue(ZMSTestUtils.validateDueDate(millis, extMillis)); + + millis = ZMSUtils.configuredDueDateMillis(10, 0, 0); + assertTrue(ZMSTestUtils.validateDueDate(millis, extMillis)); + millis = ZMSUtils.configuredDueDateMillis(20, 10, 0); + assertTrue(ZMSTestUtils.validateDueDate(millis, extMillis)); + millis = ZMSUtils.configuredDueDateMillis(10, 100, 0); + assertTrue(ZMSTestUtils.validateDueDate(millis, extMillis)); + millis = ZMSUtils.configuredDueDateMillis(10, 100, 20); + assertTrue(ZMSTestUtils.validateDueDate(millis, extMillis)); + millis = ZMSUtils.configuredDueDateMillis(20, 0, 10); + assertTrue(ZMSTestUtils.validateDueDate(millis, extMillis)); + millis = ZMSUtils.configuredDueDateMillis(10, 0, 100); + assertTrue(ZMSTestUtils.validateDueDate(millis, extMillis)); + millis = ZMSUtils.configuredDueDateMillis(10, 20, 100); assertTrue(ZMSTestUtils.validateDueDate(millis, extMillis)); } From de5eb4f76564f87fff3bb45849a9222e34db4842 Mon Sep 17 00:00:00 2001 From: takumats Date: Thu, 26 Dec 2024 16:55:47 +0900 Subject: [PATCH 2/3] add config Signed-off-by: takumats --- servers/zms/conf/zms.properties | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/servers/zms/conf/zms.properties b/servers/zms/conf/zms.properties index 125bd2af732..1e881b37f5f 100644 --- a/servers/zms/conf/zms.properties +++ b/servers/zms/conf/zms.properties 
@@ -577,3 +577,10 @@ athenz.zms.no_auth_uri_list=/zms/v1/schema # of results returned to the specified value. The default value is 100. This prevents # the server from returning a large number of results when the search criteria is too broad. #athenz.zms.search_service_limit=100 + +# This property specifies the maximum expiry duration in days for user/service/group. +# The value must be an integer, and the default value is 0. +# If set to 0, it indicates that there is no expiry limit. +#athenz.zms.default_user_expiry_days=0 +#athenz.zms.default_service_expiry_days=0 +#athenz.zms.default_group_expiry_days=0 From e0f8fa7410595fb64f450f7acc8e5d147c4947f3 Mon Sep 17 00:00:00 2001 From: Takuya Matsumoto Date: Mon, 6 Jan 2025 15:04:26 +0900 Subject: [PATCH 3/3] Addressed review feedback Signed-off-by: Takuya Matsumoto --- servers/zms/conf/zms.properties | 6 +++--- .../java/com/yahoo/athenz/zms/ZMSConsts.java | 6 +++--- .../athenz/zms/config/MemberDueDays.java | 20 +++++++++---------- .../com/yahoo/athenz/zms/utils/ZMSUtils.java | 8 ++++---- .../com/yahoo/athenz/zms/ZMSImplTest.java | 3 +++ .../yahoo/athenz/zms/utils/ZMSUtilsTest.java | 1 - 6 files changed, 23 insertions(+), 21 deletions(-) diff --git a/servers/zms/conf/zms.properties b/servers/zms/conf/zms.properties index 1e881b37f5f..ab2773dc3aa 100644 --- a/servers/zms/conf/zms.properties +++ b/servers/zms/conf/zms.properties @@ -581,6 +581,6 @@ athenz.zms.no_auth_uri_list=/zms/v1/schema # This property specifies the maximum expiry duration in days for user/service/group. # The value must be an integer, and the default value is 0. # If set to 0, it indicates that there is no expiry limit. -#athenz.zms.default_user_expiry_days=0 -#athenz.zms.default_service_expiry_days=0 -#athenz.zms.default_group_expiry_days=0 +#athenz.zms.default_max_user_expiry_days=0 +#athenz.zms.default_max_service_expiry_days=0 +#athenz.zms.default_max_group_expiry_days=0 
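Review bot: The comment presents these settings only as a maximum, but by the logic added to ZMSUtils.configuredDueDateMillis a positive value is also used when neither the role nor the domain configures an expiry, so enabling it puts an expiry on members that previously had none, service members included. I would state that in the comment, e.g. `# A positive value is also used as the expiry when neither the domain nor the role/group configures one.` It would also help to say how a negative or non-numeric value is treated, since the parsing code in MemberDueDays does not validate it. The renamed keys in the third patch keep the same comment text.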
diff --git a/servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSConsts.java b/servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSConsts.java index 04625b9780d..d245e0898dc 100644 --- a/servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSConsts.java +++ b/servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSConsts.java @@ -78,9 +78,9 @@ public final class ZMSConsts { public static final String ZMS_PROP_DOMAIN_ENVIRONMENTS = "athenz.zms.domain_environments"; public static final String ZMS_DEFAULT_DOMAIN_ENVIRONMENTS = "production,integration,staging,sandbox,qa,development"; - public static final String ZMS_PROP_DEFAULT_USER_EXPIRY = "athenz.zms.default_user_expiry_days"; - public static final String ZMS_PROP_DEFAULT_SERVICE_EXPIRY = "athenz.zms.default_service_expiry_days"; - public static final String ZMS_PROP_DEFAULT_GROUP_EXPIRY = "athenz.zms.default_group_expiry_days"; + public static final String ZMS_PROP_DEFAULT_MAX_USER_EXPIRY = "athenz.zms.default_max_user_expiry_days"; + public static final String ZMS_PROP_DEFAULT_MAX_SERVICE_EXPIRY = "athenz.zms.default_max_service_expiry_days"; + public static final String ZMS_PROP_DEFAULT_MAX_GROUP_EXPIRY = "athenz.zms.default_max_group_expiry_days"; public static final String ZMS_PROP_VALIDATE_USER_MEMBERS = "athenz.zms.validate_user_members"; public static final String ZMS_PROP_VALIDATE_SERVICE_MEMBERS = "athenz.zms.validate_service_members"; diff --git a/servers/zms/src/main/java/com/yahoo/athenz/zms/config/MemberDueDays.java b/servers/zms/src/main/java/com/yahoo/athenz/zms/config/MemberDueDays.java index 84edcb0395a..bb8b51b3e6c 100644 --- a/servers/zms/src/main/java/com/yahoo/athenz/zms/config/MemberDueDays.java +++ b/servers/zms/src/main/java/com/yahoo/athenz/zms/config/MemberDueDays.java 
@@ -23,9 +23,9 @@ public class MemberDueDays { - private static final int DEFAULT_USER_EXPIRY = Integer.parseInt(System.getProperty(ZMSConsts.ZMS_PROP_DEFAULT_USER_EXPIRY, "0")); - private static final int DEFAULT_SERVICE_EXPIRY = Integer.parseInt(System.getProperty(ZMSConsts.ZMS_PROP_DEFAULT_SERVICE_EXPIRY, "0")); - private static final int DEFAULT_GROUP_EXPIRY = Integer.parseInt(System.getProperty(ZMSConsts.ZMS_PROP_DEFAULT_GROUP_EXPIRY, "0")); + private static final int DEFAULT_MAX_USER_EXPIRY = Integer.parseInt(System.getProperty(ZMSConsts.ZMS_PROP_DEFAULT_MAX_USER_EXPIRY, "0")); + private static final int DEFAULT_MAX_SERVICE_EXPIRY = Integer.parseInt(System.getProperty(ZMSConsts.ZMS_PROP_DEFAULT_MAX_SERVICE_EXPIRY, "0")); + private static final int DEFAULT_MAX_GROUP_EXPIRY = Integer.parseInt(System.getProperty(ZMSConsts.ZMS_PROP_DEFAULT_MAX_GROUP_EXPIRY, "0")); final long userDueDateMillis; final long serviceDueDateMillis; @@ -64,9 +64,9 @@ public MemberDueDays(Domain domain, Role role, Type type) { roleGroupDays = role.getGroupReviewDays(); } - userDueDateMillis = ZMSUtils.configuredDueDateMillis(DEFAULT_USER_EXPIRY, domainUserDays, roleUserDays); - serviceDueDateMillis = ZMSUtils.configuredDueDateMillis(DEFAULT_SERVICE_EXPIRY, domainServiceDays, roleServiceDays); - groupDueDateMillis = ZMSUtils.configuredDueDateMillis(DEFAULT_GROUP_EXPIRY, domainGroupDays, roleGroupDays); + userDueDateMillis = ZMSUtils.configuredDueDateMillis(DEFAULT_MAX_USER_EXPIRY, domainUserDays, roleUserDays); + serviceDueDateMillis = ZMSUtils.configuredDueDateMillis(DEFAULT_MAX_SERVICE_EXPIRY, domainServiceDays, roleServiceDays); + groupDueDateMillis = ZMSUtils.configuredDueDateMillis(DEFAULT_MAX_GROUP_EXPIRY, domainGroupDays, roleGroupDays); } public MemberDueDays(Domain domain, Group group) { 
@@ -74,13 +74,13 @@ public MemberDueDays(Domain domain, Group group) { // for groups we only have user and service members // groups cannot include other groups - Integer domainUserDays = null; - Integer domainServiceDays = null; + Integer domainUserDays = domain.getMemberExpiryDays(); + Integer domainServiceDays = domain.getServiceExpiryDays(); Integer groupUserDays = group.getMemberExpiryDays(); Integer groupServiceDays = group.getServiceExpiryDays(); - userDueDateMillis = ZMSUtils.configuredDueDateMillis(DEFAULT_USER_EXPIRY, domainUserDays, groupUserDays); - serviceDueDateMillis = ZMSUtils.configuredDueDateMillis(DEFAULT_SERVICE_EXPIRY, domainServiceDays, groupServiceDays); + userDueDateMillis = ZMSUtils.configuredDueDateMillis(DEFAULT_MAX_USER_EXPIRY, domainUserDays, groupUserDays); + serviceDueDateMillis = ZMSUtils.configuredDueDateMillis(DEFAULT_MAX_SERVICE_EXPIRY, domainServiceDays, groupServiceDays); groupDueDateMillis = 0; } diff --git a/servers/zms/src/main/java/com/yahoo/athenz/zms/utils/ZMSUtils.java b/servers/zms/src/main/java/com/yahoo/athenz/zms/utils/ZMSUtils.java index 4684eac534a..9da52ca6ab8 100644 --- a/servers/zms/src/main/java/com/yahoo/athenz/zms/utils/ZMSUtils.java +++ b/servers/zms/src/main/java/com/yahoo/athenz/zms/utils/ZMSUtils.java @@ -449,7 +449,7 @@ public static boolean metaValueChanged(Object domainValue, Object metaValue) { return metaValue != null && !metaValue.equals(domainValue); } - public static long configuredDueDateMillis(Integer serverDefaultDueDateDays, Integer domainDueDateDays, Integer roleDueDateDays) { + public static long configuredDueDateMillis(int serverDefaultMaxDueDateDays, Integer domainDueDateDays, Integer roleDueDateDays) { // the role expiry days settings overrides the domain one if one configured 
@@ -460,9 +460,9 @@ public static long configuredDueDateMillis(Integer serverDefaultDueDateDays, Int expiryDays = domainDueDateDays; } - if (serverDefaultDueDateDays != null && serverDefaultDueDateDays > 0) { - if (expiryDays == 0 || expiryDays > serverDefaultDueDateDays) { - expiryDays = serverDefaultDueDateDays; + if (serverDefaultMaxDueDateDays > 0) { + if (expiryDays == 0 || expiryDays > serverDefaultMaxDueDateDays) { + expiryDays = serverDefaultMaxDueDateDays; } } diff --git a/servers/zms/src/test/java/com/yahoo/athenz/zms/ZMSImplTest.java b/servers/zms/src/test/java/com/yahoo/athenz/zms/ZMSImplTest.java index b5393395f63..548ef243126 100644 --- a/servers/zms/src/test/java/com/yahoo/athenz/zms/ZMSImplTest.java +++ b/servers/zms/src/test/java/com/yahoo/athenz/zms/ZMSImplTest.java @@ -22953,6 +22953,7 @@ public void testCreateMembershipApprovalNotification() { public void testGetMemberDueDate() { ZMSImpl zmsImpl = zmsTestInitializer.getZms(); assertEquals(zmsImpl.getMemberDueDate(100, null), Timestamp.fromMillis(100)); + assertEquals(zmsImpl.getMemberDueDate(0, Timestamp.fromMillis(50)), Timestamp.fromMillis(50)); assertEquals(zmsImpl.getMemberDueDate(100, Timestamp.fromMillis(50)), Timestamp.fromMillis(50)); assertEquals(zmsImpl.getMemberDueDate(100, Timestamp.fromMillis(150)), Timestamp.fromMillis(100)); } @@ -24528,6 +24529,8 @@ public void testSetGroupMemberExpirationGroupRejected() { ZMSImpl zmsImpl = zmsTestInitializer.getZms(); AthenzDomain domain = new AthenzDomain("coretech"); + domain.setDomain(new Domain()); + Group group = zmsTestInitializer.createGroupObject(domain.getName(), "group1", "user.joe", "user.jane"); GroupMember groupMember = new GroupMember().setMemberName("dev-group") diff --git a/servers/zms/src/test/java/com/yahoo/athenz/zms/utils/ZMSUtilsTest.java b/servers/zms/src/test/java/com/yahoo/athenz/zms/utils/ZMSUtilsTest.java index 0a6ae5da2cf..36709ab8e56 100644 --- a/servers/zms/src/test/java/com/yahoo/athenz/zms/utils/ZMSUtilsTest.java 
+++ b/servers/zms/src/test/java/com/yahoo/athenz/zms/utils/ZMSUtilsTest.java @@ -408,7 +408,6 @@ public void testMetaValueChanged() { @Test public void testConfiguredExpiryMillis() { - assertEquals(ZMSUtils.configuredDueDateMillis(null, null, null), 0); assertEquals(ZMSUtils.configuredDueDateMillis(0, null, null), 0); assertEquals(ZMSUtils.configuredDueDateMillis(0, null, -3), 0); assertEquals(ZMSUtils.configuredDueDateMillis(0, null, 0), 0);