Add an automatic cleanup feature for delegated roles.

[gyakami]

Description

Overview

This PR adds a feature to automatically delete related assume_role assertions in tenant domains when a provider role is deleted.
#2910

Changes

1. Domain Model Extension

   • Added an autoDeleteTenantAssumeRoleAssertions flag to all domain types (Domain, DomainData, DomainMeta, SubDomain, TopLevelDomain, UserDomain).
   • The default value is false (opt-in).

2. Database Schema Update

   • Added an auto_delete_tenant_assume_role_assertions column (TINYINT(1)) to the domain table.
   • Added the update script update-20250711.sql.

3. JDBCConnection Class Extension

   • Added the deleteAssumeRoleAssertions method to find and delete assume_role assertions in a tenant domain that reference a specific provider role.

4. DBService Class Extension

   • Added the executeDeleteAssumeRoleAssertions methods.

5. ZMSImpl Class Extension

   • Added an autoDeleteTenantAssumeRoleAssertions flag (loaded from the configuration file).
   • Extended the deleteRole method to also delete tenant assume_role assertions when the conditions are met.

6. Configuration File Update

   • Added the athenz.zms.auto_delete_tenant_assume_role_assertions setting to zms.properties (default is false).

Behavior Details

1. When a provider role is deleted, the system checks for tenant domains that trust this role.
2. Automatic cleanup is performed if all of the following conditions are met:
   • The autoDeleteTenantAssumeRoleAssertions flag is set to true in the server configuration.
   • The autoDeleteTenantAssumeRoleAssertions flag is set to true for the tenant domain.
3. The system searches for assume_role assertions within the tenant domain that reference the provider role being deleted.
4. It deletes the corresponding assertions and updates the modification timestamp of the related policies.
5. The delete operation is recorded in the audit log.

Tests

• Added unit tests (JDBCConnectionTest, DBServiceTest, ZMSImplTest).
• Covers both success and failure cases.
• Includes tests for various combinations of settings (server setting ON/OFF, domain setting ON/OFF).

Impact

This change is opt-in and does not affect existing behavior. To use this new feature, both the server and the domain settings must be enabled.

Contribution Checklist:

• The pull request does not introduce any breaking changes
• I have read the contribution guidelines.
• Create an issue and link to the pull request.

Attach Screenshots (Optional)

[havetisyan]

@gyakami thanks for the PR. a couple of general comments before I start looking at your PR.
a) please run mvn clean install from the top level athenz directory to make sure all test requirements pass. I see there are no test cases for the new attribute in the zms-core module so that would fail since that module has 100% coverage.
b) for the DB update, please follow the instructions in the repo on how to update the schema: https://github.com/AthenZ/athenz/blob/master/servers/zms/schema/schema_update.md

[gyakami]

@havetisyan
Thanks for your feedback.
I've addressed the two points you raised:

a) I've added test cases for the new attribute in the zms-core module and confirmed that mvn clean install now passes.
b) I've updated the DB schema by following the instructions provided in the repository.

Could you please take another look when you have a moment? Thank you.

[havetisyan]

This call will throw an exception and the delete role request will always be rejected if the role does not have a trust set.

Please add a test case where the setting is enabled but we're just deleting a regular role which would fail with the above code.

[gyakami]

I've changed the logic to only delete the role if the trust domain is empty and added a test case for it.

[havetisyan]

we typically don't access the fields directly (at some point we might move away from rdl and those may not be public) so please use the appropriate get method to get the attribute value.

[gyakami]

I modified it to use the get method.

[havetisyan]

is there any reason why we're creating an audit log entry per assertion instead of just one per policy?

[gyakami]

There was no specific reason. I've updated the code to group audit logs by policy.

[havetisyan]

I only see references to this function in the test files. Where is this used in the server?

[gyakami]

You're right, my mistake. I've deleted executeDeleteRoleWithAssumeRoleAssertions as we're now only using executeDeleteAssumeRoleAssertions.

[havetisyan]

the PR is missing the updated workbench file. Please include that as well.

[gyakami]

I've added the updated workbench file!

[havetisyan]

During the api call, the last modification timestamp for the policy was updated. However, the domain last modified timestamp must be updated as well. So when we get the data here we need to create a set to include all the domains were affected and then for every domain:

a) update the last modification timestamp
b) invalidate the domain from the local cache.

[gyakami]

Isn't it only the tenant domain that the Delegated Role trusts (the domainName in this method) that's affected?

[havetisyan]

Please use: ResourceUtils.roleResourceName(providerDomainName, providerRoleName)

[gyakami]

I have fixed it!

[havetisyan]

Please use: ResourceUtils.roleResourceName(providerDomainName, providerRoleName), and for that matter instead of calling the api twice maybe create a final string at the beginning of the method and then use it in both places

[gyakami]

I have fixed it!

[gyakami]

@havetisyan
My apologies for the delay. I have replied to all the comments and/or revised the code. Please take a look when you have a moment.

[havetisyan]

/gemini review

[gemini-code-assist]

Code Review

This pull request introduces an automatic cleanup feature for delegated roles, which is a valuable addition. The changes are extensive, touching models, database schema, and service logic. Overall, the implementation is well-structured. However, I've identified a critical bug in the database access logic that would lead to incorrect audit trails, and a broken unit test. My review includes a detailed fix for the critical bug and points out the problematic test case. Addressing these points will ensure the feature is robust and reliable.

[gemini-code-assist]

There's a critical issue in this method that will lead to incorrect audit logs. The method currently calls savePolicySettings, which in turn calls listAssertions to fetch all assertions for a policy. This means that when a policy has other assertions besides the assume_role one being deleted, the returned Policy object will contain all of them. The DBService layer then incorrectly logs all of these assertions as deleted.

Additionally, the method updates policy modification timestamps in a loop, which is inefficient as it results in multiple database round-trips.

I've provided a complete replacement for this method below that fixes the auditing bug by constructing the list of deleted assertions directly from the SELECT query's result set. It also improves performance by using batch updates for the timestamps.

Please also update the corresponding test testDeleteAssumeRoleAssertions in JDBCConnectionTest.java to verify batch execution instead of multiple executeUpdate calls.

    public List<Policy> deleteAssumeRoleAssertions(String domainName,
            String providerDomainName, String providerRoleName) throws ServerResourceException {

        final String caller = "deleteAssumeRoleAssertions";
        final String providerRoleResource =
                ResourceUtils.roleResourceName(providerDomainName, providerRoleName);

        // 1) Locate every policy in the *tenant* domain that contains an
        //    `assume_role` assertion pointing to the soon‑to‑be‑deleted provider
        //    role ({providerDomain}:role.{providerRole}).
        Map<Integer, Policy> affectedPolicies = new LinkedHashMap<>();
        try (PreparedStatement ps = con.prepareStatement(SQL_SELECT_TENANT_ASSUME_ROLE_POLICY_IDS)) {
            ps.setString(1, domainName);
            ps.setString(2, providerRoleResource);
            try (ResultSet rs = executeQuery(ps, caller)) {
                while (rs.next()) {
                    int policyId = rs.getInt(JDBCConsts.DB_COLUMN_POLICY_ID);
                    Policy policy = affectedPolicies.get(policyId);
                    if (policy == null) {
                        policy = new Policy();
                        policy.setName(rs.getString(JDBCConsts.DB_COLUMN_NAME));
                        policy.setDomain(domainName);
                        policy.setModified(rs.getTimestamp(JDBCConsts.DB_COLUMN_MODIFIED));
                        policy.setVersion(rs.getString(JDBCConsts.DB_COLUMN_VERSION));
                        policy.setActive(rs.getBoolean(JDBCConsts.DB_COLUMN_ACTIVE));
                        policy.setCaseSensitive(rs.getBoolean(JDBCConsts.DB_COLUMN_CASE_SENSITIVE));
                        policy.setAssertions(new ArrayList<>());
                        affectedPolicies.put(policyId, policy);
                    }

                    Assertion assertion = new Assertion();
                    assertion.setId(rs.getLong(JDBCConsts.DB_COLUMN_ASSERTION_ID));
                    assertion.setRole(rs.getString(JDBCConsts.DB_COLUMN_ROLE));
                    assertion.setResource(rs.getString(JDBCConsts.DB_COLUMN_RESOURCE));
                    assertion.setAction(rs.getString(JDBCConsts.DB_COLUMN_ACTION));
                    assertion.setEffect(rs.getString(JDBCConsts.DB_COLUMN_EFFECT));
                    policy.getAssertions().add(assertion);
                }
            }
        } catch (SQLException ex) {
            throw sqlError(ex, caller);
        }

        List<Policy> policies = new ArrayList<>(affectedPolicies.values());
        // Nothing to do if no matching policies were found.
        if (policies.isEmpty()) {
            return policies;
        }

        // 2) Remove the matching assume_role assertions themselves.
        try (PreparedStatement ps = con.prepareStatement(SQL_DELETE_TENANT_ASSUME_ROLE_ASSERTIONS)) {
            ps.setString(1, domainName);
            ps.setString(2, providerRoleResource);
            executeUpdate(ps, caller);
        } catch (SQLException ex) {
            throw sqlError(ex, caller);
        }

        // 3) For every policy that lost an assertion, bump its modified
        //    timestamp so that caches and signed‑domain consumers notice the
        //    change.
        try (PreparedStatement ps = con.prepareStatement(SQL_UPDATE_POLICY_MOD_TIMESTAMP)) {
            for (Integer policyId : affectedPolicies.keySet()) {
                ps.setInt(1, policyId);
                ps.addBatch();
            }
            if (!affectedPolicies.isEmpty()) {
                ps.executeBatch();
            }
        } catch (SQLException ex) {
            throw sqlError(ex, caller);
        }

        // Return the snapshot of policies that existed *before* we removed the
        // assertions – the caller uses this for auditing and notifications.
        return policies;
    }

[gyakami]

There's a critical issue in this method that will lead to incorrect audit logs. The method currently calls savePolicySettings, which in turn calls listAssertions to fetch all assertions for a policy. This means that when a policy has other assertions besides the assume_role one being deleted, the returned Policy object will contain all of them. The DBService layer then incorrectly logs all of these assertions as deleted.

This comment is incorrect. The savePolicySettings() method only sets policy metadata from the ResultSet; it does not fetch assertions, nor does it call listAssertions. Therefore, This problem will not occur.

[gyakami]

Additionally, the method updates policy modification timestamps in a loop, which is inefficient as it results in multiple database round-trips.

I've updated the code to use a single query now.

[gemini-code-assist]

This test case appears to be broken. It's attempting to call a method executeDeleteRoleWithAssumeRoleAssertions on zms.dbService, but this method does not exist in DBService.

Furthermore, the test expects a ResourceException.NOT_FOUND when no assertions are found. However, the new executeDeleteAssumeRoleAssertions method is designed to simply return without throwing an exception in this scenario, allowing the provider role deletion to proceed.

This test should either be removed or corrected to test the actual behavior of executeDeleteAssumeRoleAssertions.

[gyakami]

I'm sorry, I have deleted the test.

[gyakami]

@havetisyan
I’ve also addressed the Gemini Code Review comments, so please take a look when you have a moment.

[gyakami]

@havetisyan
When I look at the GitHub Actions logs, the following tests for athenz-zms-server are failing. However, the tests succeed on my Mac. It also seems that the number of tests is different. I'm stuck because I don't know the reason for this. Do you have any ideas what might be causing this?

PutGroupMembershipNotificationTaskTest.testGenerateAndSendPostPutGroupMembershipNotificationNotifyGroups
PutGroupMembershipNotificationTaskTest.testGenerateAndSendPostPutGroupMembershipNotificationNullOrgGroup

GitHub Actions
[ERROR] Tests run: 1589, Failures: 2, Errors: 0, Skipped: 0
Mac
[INFO] Tests run: 1588, Failures: 0, Errors: 0, Skipped: 0