
If there is only one admin role member, the member cannot be deleted. (
…#2810)

Signed-off-by: takumats <[email protected]>
TakuyaMatsu authored Nov 28, 2024
1 parent 42c7884 commit fdb2f06
Showing 2 changed files with 46 additions and 0 deletions.
13 changes: 13 additions & 0 deletions servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSImpl.java
Expand Up @@ -2201,6 +2201,19 @@ public void deleteDomainRoleMember(ResourceContext ctx, String domainName, Strin
setRequestDomain(ctx, domainName);
memberName = memberName.toLowerCase();

// if this is the admin role then we need to make sure
// the admin is not himself who happens to be the last
// member in the role
AthenzDomain domain = getAthenzDomain(domainName, false);
Role adminRole = getRoleFromDomain(ZMSConsts.ADMIN_ROLE_NAME, domain);
if (adminRole == null) {
throw ZMSUtils.notFoundError("Invalid domain name specified", caller);
}
List<RoleMember> members = adminRole.getRoleMembers();
if (members.size() == 1 && members.get(0).getMemberName().equals(memberName)) {
throw ZMSUtils.forbiddenError("deleteDomainRoleMember: Cannot delete last member of 'admin' role", caller);
}

// verify that request is properly authenticated for this request

verifyAuthorizedServiceOperation(((RsrcCtxWrapper) ctx).principal().getAuthorizedService(), caller);
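Review bot: The new last-admin guard runs before the authorization steps that follow it (verifyAuthorizedServiceOperation on the line after the block, and whatever domain-level authorization the rest of deleteDomainRoleMember performs outside the hunk), so a principal who is not permitted to delete members can still learn from the not-found/forbidden distinction whether `memberName` is the sole admin of `domainName`; moving the block after those checks closes that oracle. `adminRole.getRoleMembers()` is dereferenced without a null check — if an admin role with no members can report a null list here, `members.size()` throws a NullPointerException instead of a clean error, so `if (members != null && members.size() == 1 && members.get(0).getMemberName().equals(memberName))` would be safer. The comment above the block says "the admin is not himself who happens to be the last member", but the code compares against the requested memberName, not the calling principal; suggest `// refuse to remove the last remaining member of the admin role, whoever it is, so the domain cannot be left without an administrator`. The check is also read-then-delete with no locking, so two concurrent deletions against a two-member admin role can presumably both pass it; whether the store layer prevents that is outside the hunk. deleteDomainRoleMember's body continues past the end of the hunk.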
Expand Up @@ -860,6 +860,39 @@ public void testDeleteDomainRoleMember() {
zmsImpl.deleteTopLevelDomain(ctx, domainName, auditRef, null);
}

@Test
public void testDeleteDomainRoleMemberWhenSingleAdmin() {

String domainName = "deletedomainrolemember3";
ZMSImpl zmsImpl = zmsTestInitializer.getZms();
RsrcCtxWrapper ctx = zmsTestInitializer.getMockDomRsrcCtx();
final String auditRef = zmsTestInitializer.getAuditRef();

TopLevelDomain dom1 = zmsTestInitializer.createTopLevelDomainObject(domainName,
"Test Domain1", "testOrg", zmsTestInitializer.getAdminUser());
zmsImpl.postTopLevelDomain(ctx, auditRef, null, dom1);

Role adminRole = zmsTestInitializer.createRoleObject(domainName, "admin", null,
"user.jack", null);
zmsImpl.putRole(ctx, domainName, "admin", auditRef, false, null, adminRole);

DomainRoleMembers domainRoleMembers = zmsImpl.getDomainRoleMembers(ctx, domainName);
assertEquals(domainName, domainRoleMembers.getDomainName());

List<DomainRoleMember> members = domainRoleMembers.getMembers();
assertNotNull(members);
assertEquals(members.size(), 1);
ZMSTestUtils.verifyDomainRoleMember(members, "user.jack", "admin");

try {
zmsImpl.deleteDomainRoleMember(ctx, domainName, "user.jack", auditRef);
fail();
} catch (ResourceException ex) {
assertEquals(ex.getCode(), ResourceException.FORBIDDEN);
}
zmsImpl.deleteTopLevelDomain(ctx, domainName, auditRef, null);
}

@Test
public void testDeleteUserDomainNull() {
Authority userAuthority = new com.yahoo.athenz.common.server.debug.DebugUserAuthority();
