addl user domain list for authority valid user check (AthenZ#825)

servers/zms/conf/zms.properties

@@ -381,6 +381,12 @@ athenz.zms.read_only_mode=false
 # that might include wildcards (e.g. user.*).
 #athenz.zms.validate_user_members=false
 
+# If the athenz.zms.validate_user_members property is enabled
+# then this setting provides additional set of comma separated
+# domains that the system might be using referencing accounts
+# that can be validated with the user authority
+#athenz.zms.addl_user_check_domains=
+
 # Boolean value indicating whether or not the ZMS server should
 # verify if the given service exists in the given domain
 # before adding the service to a role. The ZMS Service will

servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSConsts.java

@@ -29,6 +29,8 @@ public final class ZMSConsts {
     public static final String ZMS_PROP_HTTPS_PORT        = "athenz.tls_port";
     public static final String ZMS_PROP_STATUS_PORT       = "athenz.status_port";
 
+    public static final String ZMS_PROP_ADDL_USER_CHECK_DOMAINS = "athenz.zms.addl_user_check_domains";
+
     public static final String ZMS_PROP_ROOT_DIR      = "athenz.zms.root_dir";
     public static final String ZMS_PROP_HOSTNAME      = "athenz.zms.hostname";
     public static final String ZMS_PROP_DOMAIN_ADMIN  = "athenz.zms.domain_admin";
@@ -132,7 +134,7 @@ public final class ZMSConsts {
     public static final String ZMS_PROP_QUOTA_PUBLIC_KEY   = "athenz.zms.quota_public_key";
     public static final String ZMS_PROP_QUOTA_ENTITY       = "athenz.zms.quota_entity";
     public static final String ZMS_PROP_QUOTA_SUBDOMAIN    = "athenz.zms.quota_subdomain";
-    
+
     public static final String ZMS_PRINCIPAL_AUTHORITY_CLASS  = "com.yahoo.athenz.auth.impl.PrincipalAuthority";
 
     public static final String ZMS_UNKNOWN_DOMAIN     = "unknown_domain";

servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSImpl.java

@@ -150,6 +150,7 @@ public class ZMSImpl implements Authorizer, KeyStore, ZMSHandler {
     protected String homeDomainPrefix;
     protected String userDomainAlias;
     protected String userDomainAliasPrefix;
+    protected List<String> addlUserCheckDomainPrefixList = null;
     protected Http.AuthorityList authorities = null;
     protected List<String> providerEndpoints = null;
     protected Set<String> reservedServiceNames = null;
@@ -504,12 +505,21 @@ void loadConfigurationSettings() {
 
         userDomain = System.getProperty(ZMSConsts.ZMS_PROP_USER_DOMAIN, ZMSConsts.USER_DOMAIN);
         userDomainPrefix = userDomain + ".";
-        
+
         userDomainAlias = System.getProperty(ZMSConsts.ZMS_PROP_USER_DOMAIN_ALIAS);
         if (userDomainAlias != null) {
             userDomainAliasPrefix = userDomainAlias + ".";
         }
-
+
+        final String addlUserCheckDomains = System.getProperty(ZMSConsts.ZMS_PROP_ADDL_USER_CHECK_DOMAINS);
+        if (addlUserCheckDomains != null && !addlUserCheckDomains.isEmpty()) {
+            String[] checkDomains = addlUserCheckDomains.split(",");
+            addlUserCheckDomainPrefixList = new ArrayList<>();
+            for (String checkDomain : checkDomains) {
+                addlUserCheckDomainPrefixList.add(checkDomain + ".");
+            }
+        }
+
         homeDomain = System.getProperty(ZMSConsts.ZMS_PROP_HOME_DOMAIN, userDomain);
         homeDomainPrefix = homeDomain + ".";
 
@@ -2792,9 +2802,26 @@ void validateRoleMemberPrincipals(final Role role, final String caller) {
         }
     }
 
+    boolean isUserDomainPrincipal(final String memberName) {
+
+        if (memberName.startsWith(userDomainPrefix)) {
+            return true;
+        }
+
+        if (addlUserCheckDomainPrefixList != null) {
+            for (String prefix : addlUserCheckDomainPrefixList) {
+                if (memberName.startsWith(prefix)) {
+                    return true;
+                }
+            }
+        }
+
+        return false;
+    }
+
     void validateRoleMemberPrincipal(final String memberName, final String caller) {
 
-        boolean bUser = memberName.startsWith(userDomainPrefix);
+        boolean bUser = isUserDomainPrincipal(memberName);
         boolean bValidPrincipal = true;
         if (bUser) {
 

servers/zms/src/test/java/com/yahoo/athenz/zms/ZMSImplTest.java

@@ -16875,4 +16875,45 @@ public void testRemoveMatchedAssertionNoMatch() {
         checkAssertion.setEffect(AssertionEffect.ALLOW);
         assertTrue(zms.dbService.removeMatchedAssertion(checkAssertion, assertions, matchedAssertions));
     }
+
+    @Test
+    public void testIsUserDomainPrincipal() {
+
+        // default no additional user domains
+
+        ZMSImpl zmsImpl = zmsInit();
+        assertTrue(zmsImpl.isUserDomainPrincipal("user.joe"));
+        assertFalse(zmsImpl.isUserDomainPrincipal("unix.joe"));
+        assertFalse(zmsImpl.isUserDomainPrincipal("ldap.joe"));
+        assertFalse(zmsImpl.isUserDomainPrincipal("x509.joe"));
+
+        // now let's set the addls to empty - no changes
+
+        System.setProperty(ZMSConsts.ZMS_PROP_ADDL_USER_CHECK_DOMAINS, "");
+        zmsImpl = zmsInit();
+        assertTrue(zmsImpl.isUserDomainPrincipal("user.joe"));
+        assertFalse(zmsImpl.isUserDomainPrincipal("unix.joe"));
+        assertFalse(zmsImpl.isUserDomainPrincipal("ldap.joe"));
+        assertFalse(zmsImpl.isUserDomainPrincipal("x509.joe"));
+
+        // now let's add one of the domains to the list
+
+        System.setProperty(ZMSConsts.ZMS_PROP_ADDL_USER_CHECK_DOMAINS, "unix");
+        zmsImpl = zmsInit();
+        assertTrue(zmsImpl.isUserDomainPrincipal("user.joe"));
+        assertTrue(zmsImpl.isUserDomainPrincipal("unix.joe"));
+        assertFalse(zmsImpl.isUserDomainPrincipal("ldap.joe"));
+        assertFalse(zmsImpl.isUserDomainPrincipal("x509.joe"));
+
+        // now let's set two domains in the list
+
+        System.setProperty(ZMSConsts.ZMS_PROP_ADDL_USER_CHECK_DOMAINS, "unix,ldap");
+        zmsImpl = zmsInit();
+        assertTrue(zmsImpl.isUserDomainPrincipal("user.joe"));
+        assertTrue(zmsImpl.isUserDomainPrincipal("unix.joe"));
+        assertTrue(zmsImpl.isUserDomainPrincipal("ldap.joe"));
+        assertFalse(zmsImpl.isUserDomainPrincipal("x509.joe"));
+
+        System.clearProperty(ZMSConsts.ZMS_PROP_ADDL_USER_CHECK_DOMAINS);
+    }
 }