add wildcard support for ServiceMemberSkipDomains (#2202)

* add wildcard support --------- Signed-off-by: Shimaoka Shuya <[email protected]> Co-authored-by: Shimaoka Shuya <[email protected]>
AthenZ · Jun 27, 2023 · a264f25 · a264f25
1 parent 092464f
commit a264f25
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 7 deletions.
diff --git a/servers/zms/conf/zms.properties b/servers/zms/conf/zms.properties
@@ -431,6 +431,9 @@ athenz.zms.no_auth_uri_list=/zms/v1/schema
 # that should be skipped from the service member validation
 # checks. These could include CI/CD domains, for example,
 # that include dynamic services that are not registered.
+# This property supports the use of wildcard characters for 
+# prefix matching, allowing for skipping validation checks
+# across multiple domains (e.g. coretech.api*).
 #athenz.zms.validate_service_members_skip_domains=
 
 # Boolean value indicating whether the zms server

diff --git a/servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSImpl.java b/servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSImpl.java
@@ -182,7 +182,7 @@ public class ZMSImpl implements Authorizer, KeyStore, ZMSHandler {
     protected DynamicConfigBoolean validatePolicyAssertionRoles;
     protected DynamicConfigBoolean allowUnderscoreInServiceNames;
     protected boolean useMasterCopyForSignedDomains = false;
-    protected Set<String> validateServiceMemberSkipDomains;
+    protected List<String> validateServiceMemberSkipDomains;
     protected static Validator validator;
     protected String userDomain;
     protected String userDomainPrefix;
@@ -846,7 +846,7 @@ void loadConfigurationSettings() {
 
         final String skipDomains = System.getProperty(
                 ZMSConsts.ZMS_PROP_VALIDATE_SERVICE_MEMBERS_SKIP_DOMAINS, "");
-        validateServiceMemberSkipDomains = new HashSet<>(Arrays.asList(skipDomains.split(",")));
+        validateServiceMemberSkipDomains = Arrays.asList(skipDomains.split(","));
         allowUnderscoreInServiceNames = new DynamicConfigBoolean(CONFIG_MANAGER,
                 ZMSConsts.ZMS_PROP_ALLOW_UNDERSCORE_IN_SERVICE_NAMES, Boolean.FALSE);
 
@@ -4005,11 +4005,22 @@ void validateServicePrincipal(final String memberName, final String caller) {
         // are typically domains (like for ci/cd) where services
         // are dynamic and do not need to be registered in Athenz
 
-        if (!validateServiceMemberSkipDomains.contains(domainName)) {
-            if (dbService.getServiceIdentity(domainName, serviceName, true) == null) {
-                throw ZMSUtils.requestError("Principal " + memberName + " is not a valid service", caller);
+        for (String skipDomain : validateServiceMemberSkipDomains) {
+            // first, we perform validation using wildcards
+            if (skipDomain.endsWith("*")) {
+                String skipDomainPrefix = skipDomain.substring(0, skipDomain.length() - 1);
+                if (domainName.startsWith(skipDomainPrefix)) {
+                    return;
+                }
+            } else if (skipDomain.equals(domainName)) {
+                // if skipDomain doesn't have wildcard, we conduct a perfect match search
+                return;
             }
         }
+        // if it reaches here, check if the service exists
+        if (dbService.getServiceIdentity(domainName, serviceName, true) == null) {
+            throw ZMSUtils.requestError("Principal " + memberName + " is not a valid service", caller);
+        }
     }
 
     void validateGroupPrincipal(final String memberName, final String userAuthorityFilter,

diff --git a/servers/zms/src/test/java/com/yahoo/athenz/zms/ZMSImplTest.java b/servers/zms/src/test/java/com/yahoo/athenz/zms/ZMSImplTest.java
@@ -24645,11 +24645,11 @@ public void testValidateRoleMemberPrincipalService() {
             assertEquals(ex.getCode(), ResourceException.BAD_REQUEST);
         }
 
-        // include coretech in the skip domain list and try
+        // include coretech and rbac in the skip domain list and try
         // the operation again
 
         System.setProperty(ZMSConsts.ZMS_PROP_VALIDATE_SERVICE_MEMBERS_SKIP_DOMAINS,
-                "unix,coretech");
+                "unix,coretech,rbac.*");
         zmsImpl.loadConfigurationSettings();
         zmsImpl.validateServiceRoleMembers = dynamicConfigBoolean;
 
@@ -24668,6 +24668,11 @@ public void testValidateRoleMemberPrincipalService() {
             assertEquals(ex.getCode(), ResourceException.BAD_REQUEST);
         }
 
+        // rbac.sre does not exists, but is accepted because rbac.* is included in skipDomains
+
+        zmsImpl.validateRoleMemberPrincipal("rbac.sre.backend", Principal.Type.SERVICE.getValue(),
+                null, null, null ,false, "unittest");
+
         // user principals by default are accepted
 
         zmsImpl.validateRoleMemberPrincipal("user.john", Principal.Type.USER.getValue(), null, null, null, false, "unittest");