Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

If there is only one admin role member, the member cannot be deleted. #2810

Merged
merged 1 commit into from
Nov 28, 2024
Merged

If there is only one admin role member, the member cannot be deleted. #2810

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 13 additions & 0 deletions servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSImpl.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2201,6 +2201,19 @@ public void deleteDomainRoleMember(ResourceContext ctx, String domainName, Strin
setRequestDomain(ctx, domainName);
memberName = memberName.toLowerCase();

// if this is the admin role then we need to make sure
// the admin is not himself who happens to be the last
// member in the role
AthenzDomain domain = getAthenzDomain(domainName, false);
Role adminRole = getRoleFromDomain(ZMSConsts.ADMIN_ROLE_NAME, domain);
if (adminRole == null) {
throw ZMSUtils.notFoundError("Invalid domain name specified", caller);
}
List<RoleMember> members = adminRole.getRoleMembers();
if (members.size() == 1 && members.get(0).getMemberName().equals(memberName)) {
throw ZMSUtils.forbiddenError("deleteDomainRoleMember: Cannot delete last member of 'admin' role", caller);
}

// verify that request is properly authenticated for this request

verifyAuthorizedServiceOperation(((RsrcCtxWrapper) ctx).principal().getAuthorizedService(), caller);
Expand Down
33 changes: 33 additions & 0 deletions servers/zms/src/test/java/com/yahoo/athenz/zms/ZMSDeleteDomainTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -860,6 +860,39 @@ public void testDeleteDomainRoleMember() {
zmsImpl.deleteTopLevelDomain(ctx, domainName, auditRef, null);
}

@Test
public void testDeleteDomainRoleMemberWhenSingleAdmin() {

String domainName = "deletedomainrolemember3";
ZMSImpl zmsImpl = zmsTestInitializer.getZms();
RsrcCtxWrapper ctx = zmsTestInitializer.getMockDomRsrcCtx();
final String auditRef = zmsTestInitializer.getAuditRef();

TopLevelDomain dom1 = zmsTestInitializer.createTopLevelDomainObject(domainName,
"Test Domain1", "testOrg", zmsTestInitializer.getAdminUser());
zmsImpl.postTopLevelDomain(ctx, auditRef, null, dom1);

Role adminRole = zmsTestInitializer.createRoleObject(domainName, "admin", null,
"user.jack", null);
zmsImpl.putRole(ctx, domainName, "admin", auditRef, false, null, adminRole);

DomainRoleMembers domainRoleMembers = zmsImpl.getDomainRoleMembers(ctx, domainName);
assertEquals(domainName, domainRoleMembers.getDomainName());

List<DomainRoleMember> members = domainRoleMembers.getMembers();
assertNotNull(members);
assertEquals(members.size(), 1);
ZMSTestUtils.verifyDomainRoleMember(members, "user.jack", "admin");

try {
zmsImpl.deleteDomainRoleMember(ctx, domainName, "user.jack", auditRef);
fail();
} catch (ResourceException ex) {
assertEquals(ex.getCode(), ResourceException.FORBIDDEN);
}
zmsImpl.deleteTopLevelDomain(ctx, domainName, auditRef, null);
}

@Test
public void testDeleteUserDomainNull() {
Authority userAuthority = new com.yahoo.athenz.common.server.debug.DebugUserAuthority();
Expand Down