
Commit 4cf5655

committed
consider force suffix while doing resource ownership check during delete operations
Signed-off-by: Abhijeet V <31417623+abvaidya@users.noreply.github.com>
1 parent aebec2c commit 4cf5655


2 files changed

+41
-1
lines changed


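--- a/libs/java/server_common/src/main/java/com/yahoo/athenz/common/server/util/ResourceOwnership.java
+++ b/libs/java/server_common/src/main/java/com/yahoo/athenz/common/server/util/ResourceOwnership.java
@@ -829,7 +829,7 @@ public static void verifyGroupMembersDeleteResourceOwnership(Group group, final
 verifyDeleteResourceOwnership(resourceOwner, resourceOwnership.getMembersOwner(), caller);
 }
 
-public static void verifyDeleteResourceOwnership(final String resourceOwner, final String objectOwner,
+public static void verifyDeleteResourceOwnership(String resourceOwner, final String objectOwner,
 final String caller) throws ServerResourceException {
 
 // first check if we're explicitly asked to ignore the check
@@ -839,6 +839,12 @@ public static void verifyDeleteResourceOwnership(final String resourceOwner, fin
 return;
 }
 
+// if the current resource owner includes the force suffix then we need to drop it and
+// then do the match
+if (resourceOwner != null && resourceOwner.endsWith(RESOURCE_OWNER_FORCE_SUFFIX)) {
+resourceOwner = resourceOwner.substring(0, resourceOwner.length() - RESOURCE_OWNER_FORCE_SUFFIX.length());
+}
+
 // at this point we have an object owner so the value must match
 // otherwise we'll throw a conflict error exception
 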
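Review bot: The comment added at new lines 842-843 says the suffix is dropped but not what that means for authorization: the suffix is only normalised away and the owner comparison below the hunk still has to pass, so `:force` is not an override on delete (the tests with `"B:force"` confirm a mismatch is still rejected). I would state that explicitly, e.g. `// the force suffix is not an override on delete: strip it, the owner must still match`. The strip also runs after the early-return checks at lines 835-840, so an ignore value carrying the suffix would presumably fall through to the match and be rejected; that fails closed, but a test would pin it. On style, reassigning `resourceOwner` forced `final` off the signature at line 832, and a `final` local holding the stripped value would keep the parameter immutable. The method body continues past the end of the hunk.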

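--- a/libs/java/server_common/src/test/java/com/yahoo/athenz/common/server/util/ResourceOwnershipTest.java
+++ b/libs/java/server_common/src/test/java/com/yahoo/athenz/common/server/util/ResourceOwnershipTest.java
@@ -274,18 +274,52 @@ public void testVerifyDeleteResourceObjectOwnership() throws ServerResourceExcep
 ResourceOwnership.verifyRoleDeleteResourceOwnership(new Role(), "resourceOwner", "unit-test");
 ResourceOwnership.verifyRoleDeleteResourceOwnership(new Role()
 .setResourceOwnership(new ResourceRoleOwnership()), "resourceOwner", "unit-test");
+ResourceOwnership.verifyRoleDeleteResourceOwnership(new Role()
+.setResourceOwnership(new ResourceRoleOwnership().setObjectOwner("A")), "A:force", "unit-test");
+try {
+ResourceOwnership.verifyRoleDeleteResourceOwnership(new Role()
+.setResourceOwnership(new ResourceRoleOwnership().setObjectOwner("A")), "B:force", "unit-test");
+fail();
+}catch (ServerResourceException ignored) {
+
+}
 
 ResourceOwnership.verifyPolicyDeleteResourceOwnership(new Policy(), "resourceOwner", "unit-test");
 ResourceOwnership.verifyPolicyDeleteResourceOwnership(new Policy()
 .setResourceOwnership(new ResourcePolicyOwnership()), "resourceOwner", "unit-test");
+ResourceOwnership.verifyPolicyDeleteResourceOwnership(new Policy()
+.setResourceOwnership(new ResourcePolicyOwnership().setObjectOwner("A")), "A:force", "unit-test");
+try {
+ResourceOwnership.verifyPolicyDeleteResourceOwnership(new Policy()
+.setResourceOwnership(new ResourcePolicyOwnership().setObjectOwner("A")), "B:force", "unit-test");
+fail();
+} catch (ServerResourceException ignored) {
+}
+
 
 ResourceOwnership.verifyGroupDeleteResourceOwnership(new Group(), "resourceOwner", "unit-test");
 ResourceOwnership.verifyGroupDeleteResourceOwnership(new Group()
 .setResourceOwnership(new ResourceGroupOwnership()), "resourceOwner", "unit-test");
+ResourceOwnership.verifyGroupDeleteResourceOwnership(new Group()
+.setResourceOwnership(new ResourceGroupOwnership().setObjectOwner("A")), "A:force", "unit-test");
+try {
+ResourceOwnership.verifyGroupDeleteResourceOwnership(new Group()
+.setResourceOwnership(new ResourceGroupOwnership().setObjectOwner("A")), "B:force", "unit-test");
+fail();
+} catch (ServerResourceException ignored) {
+}
 
 ResourceOwnership.verifyServiceDeleteResourceOwnership(new ServiceIdentity(), "resourceOwner", "unit-test");
 ResourceOwnership.verifyServiceDeleteResourceOwnership(new ServiceIdentity()
 .setResourceOwnership(new ResourceServiceIdentityOwnership()), "resourceOwner", "unit-test");
+ResourceOwnership.verifyServiceDeleteResourceOwnership(new ServiceIdentity()
+.setResourceOwnership(new ResourceServiceIdentityOwnership().setObjectOwner("A")), "A:force", "unit-test");
+try {
+ResourceOwnership.verifyServiceDeleteResourceOwnership(new ServiceIdentity()
+.setResourceOwnership(new ResourceServiceIdentityOwnership().setObjectOwner("A")), "B:force", "unit-test");
+fail();
+} catch (ServerResourceException ignored) {
+}
 }
 
 @Test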
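Review bot: The four negative cases (new lines 279-285, 292-297, 305-310 and 317-322) catch `ServerResourceException` and discard it, so they pass for any failure of that type rather than only the ownership conflict that the production comment describes; binding the exception and asserting that it is the conflict error would pin the authorization behaviour. The added cases also leave two inputs uncovered: an owner value that consists only of the force suffix, and the members-owner path through `verifyGroupMembersDeleteResourceOwnership`, which reaches the same helper. Minor style points: `}catch` at line 283 lacks a space, and lines 284 and 298 add stray blank lines. The test method begins above the hunk.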
