auto purge expired role/group members based on server/domain config (#…

…1941) Signed-off-by: mshneorson <[email protected]> Co-authored-by: mshneorson <[email protected]>
AthenZ · Sep 5, 2022 · ab7284c · ab7284c
1 parent 0eace95
commit ab7284c
Show file tree

Hide file tree

Showing 26 changed files with 2,042 additions and 15 deletions.
diff --git a/clients/go/zms/client.go b/clients/go/zms/client.go
@@ -827,6 +827,44 @@ func (client ZMSClient) GetAuthHistoryDependencies(domainName DomainName) (*Auth
 	}
 }
 
+func (client ZMSClient) DeleteExpiredMembers(purgeResources *int32, auditRef string, returnObj *bool) (*ExpiredMembers, error) {
+	var data *ExpiredMembers
+	headers := map[string]string{
+		"Athenz-Return-Object": strconv.FormatBool(*returnObj),
+		"Y-Audit-Ref":          auditRef,
+	}
+	url := client.URL + "/expired-members" + encodeParams(encodeOptionalInt32Param("purgeResources", purgeResources))
+	resp, err := client.httpDelete(url, headers)
+	if err != nil {
+		return data, err
+	}
+	defer resp.Body.Close()
+	switch resp.StatusCode {
+	case 204, 200:
+		if 204 != resp.StatusCode {
+			err = json.NewDecoder(resp.Body).Decode(&data)
+			if err != nil {
+				return data, err
+			}
+		}
+		return data, nil
+	default:
+		var errobj rdl.ResourceError
+		contentBytes, err := ioutil.ReadAll(resp.Body)
+		if err != nil {
+			return data, err
+		}
+		json.Unmarshal(contentBytes, &errobj)
+		if errobj.Code == 0 {
+			errobj.Code = resp.StatusCode
+		}
+		if errobj.Message == "" {
+			errobj.Message = string(contentBytes)
+		}
+		return data, errobj
+	}
+}
+
 func (client ZMSClient) GetDomainDataCheck(domainName DomainName) (*DomainDataCheck, error) {
 	var data *DomainDataCheck
 	url := client.URL + "/domain/" + fmt.Sprint(domainName) + "/check"

diff --git a/clients/go/zms/model.go b/clients/go/zms/model.go
diff --git a/clients/go/zms/zms_schema.go b/clients/go/zms/zms_schema.go
diff --git a/clients/java/zms/src/main/java/com/yahoo/athenz/zms/ZMSClient.java b/clients/java/zms/src/main/java/com/yahoo/athenz/zms/ZMSClient.java
@@ -3594,4 +3594,27 @@ public DomainList getDependentDomainList(String service) {
         }
     }
 
+    /**
+     * Delete expired members from roles and groups.
+     *
+     * @param purgeResources indicates which resource will be purged. possible values are:
+     *                       0 - none of them will be purged
+     *                       1 - only roles will be purged
+     *                       2 - only groups will be purged
+     *                       default/3 - both of them will be purged
+     * @param auditRef string containing audit specification or ticket number
+     * @param returnObj Boolean returns all expired members deleted from roles and groups
+     * @throws ZMSClientException in case of failure
+     */
+    public ExpiredMembers deleteExpiredMembers(Integer purgeResources, String auditRef, Boolean returnObj) {
+        updatePrincipal();
+        try {
+            return client.deleteExpiredMembers(purgeResources, auditRef, returnObj);
+        } catch (ResourceException ex) {
+            throw new ZMSClientException(ex.getCode(), ex.getData());
+        } catch (Exception ex) {
+            throw new ZMSClientException(ResourceException.BAD_REQUEST, ex.getMessage());
+        }
+    }
+
 }
diff --git a/clients/java/zms/src/main/java/com/yahoo/athenz/zms/ZMSRDLGeneratedClient.java b/clients/java/zms/src/main/java/com/yahoo/athenz/zms/ZMSRDLGeneratedClient.java
@@ -659,6 +659,46 @@ public AuthHistoryDependencies getAuthHistoryDependencies(String domainName) thr
         }
     }
 
+    public ExpiredMembers deleteExpiredMembers(Integer purgeResources, String auditRef, Boolean returnObj) throws URISyntaxException, IOException {
+        UriTemplateBuilder uriTemplateBuilder = new UriTemplateBuilder(baseUrl, "/expired-members");
+        URIBuilder uriBuilder = new URIBuilder(uriTemplateBuilder.getUri());
+        if (purgeResources != null) {
+            uriBuilder.setParameter("purgeResources", String.valueOf(purgeResources));
+        }
+        HttpUriRequest httpUriRequest = RequestBuilder.delete()
+            .setUri(uriBuilder.build())
+            .build();
+        if (credsHeader != null) {
+            httpUriRequest.addHeader(credsHeader, credsToken);
+        }
+        if (auditRef != null) {
+            httpUriRequest.addHeader("Y-Audit-Ref", auditRef);
+        }
+        if (returnObj != null) {
+            httpUriRequest.addHeader("Athenz-Return-Object", String.valueOf(returnObj));
+        }
+        HttpEntity httpResponseEntity = null;
+        try (CloseableHttpResponse httpResponse = client.execute(httpUriRequest, httpContext)) {
+            int code = httpResponse.getStatusLine().getStatusCode();
+            httpResponseEntity = httpResponse.getEntity();
+            switch (code) {
+            case 204:
+            case 200:
+                if (code == 204) {
+                    return null;
+                }
+                return jsonMapper.readValue(httpResponseEntity.getContent(), ExpiredMembers.class);
+            default:
+                final String errorData = (httpResponseEntity == null) ? null : EntityUtils.toString(httpResponseEntity);
+                throw (errorData != null && !errorData.isEmpty())
+                    ? new ResourceException(code, jsonMapper.readValue(errorData, ResourceError.class))
+                    : new ResourceException(code);
+            }
+        } finally {
+            EntityUtils.consumeQuietly(httpResponseEntity);
+        }
+    }
+
     public DomainDataCheck getDomainDataCheck(String domainName) throws URISyntaxException, IOException {
         UriTemplateBuilder uriTemplateBuilder = new UriTemplateBuilder(baseUrl, "/domain/{domainName}/check")
             .resolveTemplate("domainName", domainName);

diff --git a/clients/java/zms/src/test/java/com/yahoo/athenz/zms/ZMSClientTest.java b/clients/java/zms/src/test/java/com/yahoo/athenz/zms/ZMSClientTest.java
@@ -4744,4 +4744,35 @@ public void testGetDependentDomainList() throws URISyntaxException, IOException
         Mockito.when(c.getDependentDomainList(service + "2")).thenReturn(new DomainList());
         client.getDependentDomainList(service + "2");
     }
+
+    @Test
+    public void testDeleteExpiredMembers() throws URISyntaxException, IOException {
+
+        ZMSClient client = createClient(systemAdminUser);
+        ZMSRDLGeneratedClient c = Mockito.mock(ZMSRDLGeneratedClient.class);
+        client.setZMSRDLGeneratedClient(c);
+        ExpiredMembers expiredMembers = Mockito.mock(ExpiredMembers.class);
+
+        Mockito.when(c.deleteExpiredMembers(null, AUDIT_REF, false)).thenReturn(expiredMembers);
+        client.deleteExpiredMembers(null, AUDIT_REF, false);
+
+        Mockito.when(c.deleteExpiredMembers(3, AUDIT_REF, false))
+                .thenReturn(expiredMembers)
+                .thenThrow(new NullPointerException())
+                .thenThrow(new ResourceException(401));
+
+        client.deleteExpiredMembers(3, AUDIT_REF, false);
+        try {
+            client.deleteExpiredMembers(3, AUDIT_REF, false);
+            fail();
+        } catch  (ResourceException ex) {
+            assertTrue(true);
+        }
+        try {
+            client.deleteExpiredMembers(3, AUDIT_REF, false);
+            fail();
+        } catch (Exception ex) {
+        }
+
+    }
 }
diff --git a/core/zms/src/main/java/com/yahoo/athenz/zms/ExpiredMembers.java b/core/zms/src/main/java/com/yahoo/athenz/zms/ExpiredMembers.java
@@ -0,0 +1,49 @@
+//
+// This file generated by rdl 1.5.2. Do not modify!
+//
+
+package com.yahoo.athenz.zms;
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import java.util.List;
+import com.yahoo.rdl.*;
+
+//
+// ExpiredMembers -
+//
+@JsonIgnoreProperties(ignoreUnknown = true)
+public class ExpiredMembers {
+    public List<ExpiryMember> expiredRoleMembers;
+    public List<ExpiryMember> expiredGroupMembers;
+
+    public ExpiredMembers setExpiredRoleMembers(List<ExpiryMember> expiredRoleMembers) {
+        this.expiredRoleMembers = expiredRoleMembers;
+        return this;
+    }
+    public List<ExpiryMember> getExpiredRoleMembers() {
+        return expiredRoleMembers;
+    }
+    public ExpiredMembers setExpiredGroupMembers(List<ExpiryMember> expiredGroupMembers) {
+        this.expiredGroupMembers = expiredGroupMembers;
+        return this;
+    }
+    public List<ExpiryMember> getExpiredGroupMembers() {
+        return expiredGroupMembers;
+    }
+
+    @Override
+    public boolean equals(Object another) {
+        if (this != another) {
+            if (another == null || another.getClass() != ExpiredMembers.class) {
+                return false;
+            }
+            ExpiredMembers a = (ExpiredMembers) another;
+            if (expiredRoleMembers == null ? a.expiredRoleMembers != null : !expiredRoleMembers.equals(a.expiredRoleMembers)) {
+                return false;
+            }
+            if (expiredGroupMembers == null ? a.expiredGroupMembers != null : !expiredGroupMembers.equals(a.expiredGroupMembers)) {
+                return false;
+            }
+        }
+        return true;
+    }
+}