fix

Signed-off-by: Takuya Matsumoto <takumats@lycorp.co.jp>

Author: TakuyaMatsu

clients/go/zms/zms_schema.go

@@ -2264,7 +2264,7 @@ private static Schema build() {
 ;
 
         sb.resource("Assertion", "DELETE", "/domain/{domainName}/policy/{policyName}/assertion/{assertionId}")
-            .comment("Delete the specified policy assertion. Upon successful completion of this delete request, the server will return NO_CONTENT status code without any data (no object will be returned).")
+            .comment("Delete the specified policy assertion. Upon successful completion of this delete request, the server will return NO_CONTENT status code without any data (no object will be returned). The required authorization includes three options: 1. (\"update\", \"{domainName}:policy.{policyName}\") 2. (\"delete\", \"{domainName}:policy.{policyName}.assertion.{assertionId}\")")
             .pathParam("domainName", "DomainName", "name of the domain")
             .pathParam("policyName", "EntityName", "name of the policy")
             .pathParam("assertionId", "Int64", "assertion id")
@@ -2286,7 +2286,7 @@ private static Schema build() {
 ;
 
         sb.resource("Assertion", "DELETE", "/domain/{domainName}/policy/{policyName}/version/{version}/assertion/{assertionId}")
-            .comment("Delete the specified policy version assertion. Upon successful completion of this delete request, the server will return NO_CONTENT status code without any data (no object will be returned).")
+            .comment("Delete the specified policy version assertion. Upon successful completion of this delete request, the server will return NO_CONTENT status code without any data (no object will be returned). The required authorization includes three options: 1. (\"update\", \"{domainName}:policy.{policyName}\") 2. (\"delete\", \"{domainName}:policy.{policyName}.assertion.{assertionId}\")")
             .name("deleteAssertionPolicyVersion")
             .pathParam("domainName", "DomainName", "name of the domain")
             .pathParam("policyName", "EntityName", "name of the policy")

core/zms/src/main/java/com/yahoo/athenz/zms/ZMSSchema.java

@@ -152,7 +152,9 @@ resource Assertion PUT "/domain/{domainName}/policy/{policyName}/version/{versio
 
 //Delete the specified policy assertion. Upon successful completion of this delete
 //request, the server will return NO_CONTENT status code without any data (no
-//object will be returned).
+//object will be returned). The required authorization includes three options:
+// 1. ("update", "{domainName}:policy.{policyName}")
+// 2. ("delete", "{domainName}:policy.{policyName}.assertion.{assertionId}")
 resource Assertion DELETE "/domain/{domainName}/policy/{policyName}/assertion/{assertionId}" {
     DomainName domainName; //name of the domain
     EntityName policyName; //name of the policy
@@ -173,7 +175,9 @@ resource Assertion DELETE "/domain/{domainName}/policy/{policyName}/assertion/{a
 
 //Delete the specified policy version assertion. Upon successful completion of this delete
 //request, the server will return NO_CONTENT status code without any data (no
-//object will be returned).
+//object will be returned). The required authorization includes three options:
+// 1. ("update", "{domainName}:policy.{policyName}")
+// 2. ("delete", "{domainName}:policy.{policyName}.assertion.{assertionId}")
 resource Assertion DELETE "/domain/{domainName}/policy/{policyName}/version/{version}/assertion/{assertionId}" (name=deleteAssertionPolicyVersion) {
     DomainName domainName; //name of the domain
     EntityName policyName; //name of the policy

core/zms/src/main/rdl/Policy.rdli

@@ -21,6 +21,7 @@ public final class ServerCommonConsts {
     public static final String OBJECT_ROLE      = "role";
     public static final String OBJECT_GROUP     = "group";
     public static final String OBJECT_POLICY    = "policy";
+    public static final String OBJECT_ASSERTION = "assertion";
     public static final String OBJECT_ENTITY    = "entity";
     public static final String USER_DOMAIN      = "user";
 

libs/java/server_common/src/main/java/com/yahoo/athenz/common/ServerCommonConsts.java

@@ -43,6 +43,10 @@ public static String policyResourceName(String domainName, String policyName) {
         return generateResourceName(domainName, policyName, ServerCommonConsts.OBJECT_POLICY);
     }
 
+    public static String assertionResourceName(String domainName, String policyName, Long assertionId) {
+        return domainName + ":" + ServerCommonConsts.OBJECT_POLICY + "." + policyName + "." + ServerCommonConsts.OBJECT_ASSERTION + "." + assertionId;
+    }
+
     public static String entityResourceName(String domainName, String entityName) {
         return generateResourceName(domainName, entityName, ServerCommonConsts.OBJECT_ENTITY);
     }

libs/java/server_common/src/main/java/com/yahoo/athenz/common/server/util/ResourceUtils.java

@@ -50,4 +50,10 @@ public void testPolicyResourceName() {
         assertEquals(ResourceUtils.policyResourceName("athenz", "policy1"), "athenz:policy.policy1");
         assertEquals(ResourceUtils.policyResourceName("athenz.api", "policy1"), "athenz.api:policy.policy1");
     }
+
+    @Test
+    public void testAssertionResourceName() {
+        assertEquals(ResourceUtils.assertionResourceName("athenz", "policy1", 123l), "athenz:policy.policy1.assertion.123");
+        assertEquals(ResourceUtils.assertionResourceName("athenz.api", "policy1", 123l), "athenz.api:policy.policy1.assertion.123");
+    }
 }

libs/java/server_common/src/test/java/com/yahoo/athenz/common/server/util/ResourceUtilsTest.java

@@ -10608,10 +10608,10 @@ boolean isAllowedDeletePendingMembership(Principal principal, final String domai
     }
 
     boolean isAllowedDeleteAssertion(Principal principal, final AthenzDomain domain, final String policyName, final Long assertionId) {
-          if (hasAccess(domain, "update", String.format("%s:%s%s", domain.getName(), POLICY_PREFIX, policyName), principal, null) == AccessStatus.ALLOWED) {
+          if (hasAccess(domain, "update", ResourceUtils.policyResourceName(domain.getName(), policyName), principal, null) == AccessStatus.ALLOWED) {
               return true;
           }
-          if (hasAccess(domain, "delete", String.format("%s:%s%d", domain.getName(), ASSERTION_PREFIX, assertionId), principal, null) == AccessStatus.ALLOWED) {
+          if (hasAccess(domain, "delete", ResourceUtils.assertionResourceName(domain.getName(), policyName, assertionId), principal, null) == AccessStatus.ALLOWED) {
               return true;
           }
           return false;

servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSImpl.java

@@ -2514,7 +2514,7 @@ public Assertion putAssertionPolicyVersion(
     @DELETE
     @Path("/domain/{domainName}/policy/{policyName}/assertion/{assertionId}")
     @Produces(MediaType.APPLICATION_JSON)
-    @Operation(description = "Delete the specified policy assertion. Upon successful completion of this delete request, the server will return NO_CONTENT status code without any data (no object will be returned).")
+    @Operation(description = "Delete the specified policy assertion. Upon successful completion of this delete request, the server will return NO_CONTENT status code without any data (no object will be returned). The required authorization includes three options: 1. (\"update\", \"{domainName}:policy.{policyName}\") 2. (\"delete\", \"{domainName}:policy.{policyName}.assertion.{assertionId}\")")
     public void deleteAssertion(
         @Parameter(description = "name of the domain", required = true) @PathParam("domainName") String domainName,
         @Parameter(description = "name of the policy", required = true) @PathParam("policyName") String policyName,
@@ -2555,7 +2555,7 @@ public void deleteAssertion(
     @DELETE
     @Path("/domain/{domainName}/policy/{policyName}/version/{version}/assertion/{assertionId}")
     @Produces(MediaType.APPLICATION_JSON)
-    @Operation(description = "Delete the specified policy version assertion. Upon successful completion of this delete request, the server will return NO_CONTENT status code without any data (no object will be returned).")
+    @Operation(description = "Delete the specified policy version assertion. Upon successful completion of this delete request, the server will return NO_CONTENT status code without any data (no object will be returned). The required authorization includes three options: 1. (\"update\", \"{domainName}:policy.{policyName}\") 2. (\"delete\", \"{domainName}:policy.{policyName}.assertion.{assertionId}\")")
     public void deleteAssertionPolicyVersion(
         @Parameter(description = "name of the domain", required = true) @PathParam("domainName") String domainName,
         @Parameter(description = "name of the policy", required = true) @PathParam("policyName") String policyName,

servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSResources.java

@@ -18255,7 +18255,7 @@ public void testDeleteAssertionAuthority() {
         Assertion assertion = new Assertion();
         assertion.setAction("delete");
         assertion.setEffect(AssertionEffect.ALLOW);
-        assertion.setResource(domainName + ":assertion." + assertionId);
+        assertion.setResource(domainName + ":policy.policy1.assertion." + assertionId);
         assertion.setRole(ResourceUtils.roleResourceName(domainName, "delete-assertion-role"));
         zmsImpl.putAssertion(ctx, domainName, "policy1", auditRef, null, assertion);