extend resource validator to check policy assertions

[havetisyan]

Description

Contribution Checklist:

• The pull request does not introduce any breaking changes
• I have read the contribution guidelines.
• Create an issue and link to the pull request.

Attach Screenshots (Optional)

[gemini-code-assist]

Summary of Changes

Hello @havetisyan, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a significant enhancement to Athenz's policy management by allowing external validation of policy assertions. By extending the ResourceValidator interface, it provides a hook for custom logic to verify the integrity and compliance of assertions before they are applied. This change improves the flexibility and security posture of policy definitions within Athenz, ensuring that all assertions can meet specific external requirements.

Highlights

• ResourceValidator Extension: The ResourceValidator interface has been extended with a new default method, validatePolicyAssertion, allowing external systems to provide custom validation logic for policy assertions.
• NoOp Implementation Update: The NoOpResourceValidator now explicitly implements the new validatePolicyAssertion method, ensuring backward compatibility and a default 'allow all' behavior.
• ZMS Integration: The ZMS (Athenz Management Service) implementation (ZMSImpl) has been updated to incorporate the new validatePolicyAssertion call during the creation and modification of policies and assertions, enabling external validation checks.
• Test Coverage: New test cases have been added and existing ones updated in NoOpResourceValidatorFactoryTest to cover the new assertion validation logic, and additional tests for AthenzDomain, ObjectStore, ChangeLogStore, and PrincipalRole have been included.

Changelog

• libs/java/server_common/pom.xml
  • Updated the minimum code coverage percentage.
• libs/java/server_common/src/main/java/com/yahoo/athenz/common/server/store/ResourceValidator.java
  • Added import com.yahoo.athenz.zms.Assertion;.
  • Introduced a new default method boolean validatePolicyAssertion(String domainName, String policyName, Assertion assertion).
• libs/java/server_common/src/main/java/com/yahoo/athenz/common/server/store/impl/NoOpResourceValidator.java
  • Added import com.yahoo.athenz.zms.Assertion;.
  • Implemented the validatePolicyAssertion method with a default return of true.
• libs/java/server_common/src/test/java/com/yahoo/athenz/common/server/store/impl/AthenzDomainTest.java
  • Added import com.yahoo.athenz.auth.Principal; and import java.util.Arrays;.
  • Added numerous test cases for setRoleMemberPrincipalTypes covering various scenarios including null/empty roles/members, different principal types (user, headless, group, service), and multiple prefixes/members/roles.
• libs/java/server_common/src/test/java/com/yahoo/athenz/common/server/store/impl/JDBCObjectStoreTest.java
  • Added import com.yahoo.athenz.common.server.store.ObjectStore;.
  • Added testObjectStoreInterface to verify default method implementations of the ObjectStore interface.
• libs/java/server_common/src/test/java/com/yahoo/athenz/common/server/store/impl/NoOpResourceValidatorFactoryTest.java
  • Added import com.yahoo.athenz.zms.Assertion; and import com.yahoo.athenz.zms.AssertionEffect;.
  • Updated assertions to include validatePolicyAssertion calls.
  • Added testCustomResourceValidator to test a custom ResourceValidator implementation and its interaction with the default validatePolicyAssertion.
• libs/java/server_common/src/test/java/com/yahoo/athenz/common/server/store/impl/PrincipalRoleTest.java
  • Added a new test file PrincipalRoleTest.java to test the PrincipalRole class getters and setters.
• libs/java/server_common/src/test/java/com/yahoo/athenz/common/server/store/impl/ZMSFileMTLSChangeLogStoreTest.java
  • Added import com.yahoo.athenz.common.server.store.ChangeLogStore;.
  • Added testChangeLogInterface to verify default method implementations of the ChangeLogStore interface.
• servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSImpl.java
  • Modified putAssertion and putAssertionPolicyVersion methods to pass policyName to validatePolicyAssertion.
  • Updated validatePolicyAssertions method signature to include policyName.
  • Modified validatePolicyAssertion method signature to include policyName.
  • Integrated a call to resourceValidator.validatePolicyAssertion within validatePolicyAssertion to perform external validation.
  • Modified putPolicy method to pass policyName to validatePolicyAssertions.

Activity

• No specific human activity (comments, reviews, etc.) has been recorded for this pull request beyond its creation.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request effectively extends the ResourceValidator to check policy assertions. The changes are well-structured, introducing a new default method validatePolicyAssertion to the ResourceValidator interface, ensuring backward compatibility. The NoOpResourceValidator is correctly updated. In ZMSImpl, the policyName is correctly propagated through the call chain to be available for the new validation logic. The addition of comprehensive tests, including those for existing functionality to improve code coverage, is a great contribution to the codebase's quality and stability. Overall, this is a high-quality submission with no issues found.