Example 46 with Authority

Use of com.yahoo.athenz.auth.Authority in project athenz by yahoo.

In the class ZTSImpl, method postInstanceRefreshRequest.

@Override
public Identity postInstanceRefreshRequest(ResourceContext ctx, String domain, String service, InstanceRefreshRequest req) {
    final String caller = "postinstancerefreshrequest";
    final String callerTiming = "postinstancerefreshrequest_timing";
    metric.increment(HTTP_POST);
    logPrincipal(ctx);
    validateRequest(ctx.request(), caller);
    validate(domain, TYPE_DOMAIN_NAME, caller);
    validate(service, TYPE_SIMPLE_NAME, caller);
    validate(req, TYPE_INSTANCE_REFRESH_REQUEST, caller);
    // for consistent handling of all requests, we're going to convert
    // all incoming object values into lower case (e.g. domain, role,
    // policy, service, etc name)
    domain = domain.toLowerCase();
    service = service.toLowerCase();
    Object timerMetric = metric.startTiming(callerTiming, domain);
    metric.increment(HTTP_REQUEST, domain);
    metric.increment(caller, domain);
    // make sure the credentials match to whatever the request is
    Principal principal = ((RsrcCtxWrapper) ctx).principal();
    String fullServiceName = domain + "." + service;
    final String principalName = principal.getFullName();
    boolean userRequest = false;
    if (!fullServiceName.equals(principalName)) {
        // the caller is not the service itself, so it must be authorized
        // to update the service; a failed access check is only logged,
        // which leaves userRequest false and rejects the request below
        try {
            userRequest = authorizer.access("update", domain + ":service", principal, null);
        } catch (ResourceException ex) {
            LOGGER.error("postInstanceRefreshRequest: access check failure for {}: {}", principalName, ex.getMessage());
        }
        if (!userRequest) {
            throw requestError("Principal mismatch: " + fullServiceName + " vs. " + principalName, caller, domain);
        }
    }
    if (userDomain.equalsIgnoreCase(domain)) {
        throw requestError("TLS Certificates require ServiceTokens: " + fullServiceName, caller, domain);
    }
    // determine if this is a refresh or initial request
    final Authority authority = principal.getAuthority();
    boolean refreshOperation = (!userRequest && (authority instanceof CertificateAuthority));
    // retrieve the public key for the request for verification
    final String keyId = userRequest || refreshOperation ? req.getKeyId() : principal.getKeyId();
    String publicKey = getPublicKey(domain, service, keyId);
    if (publicKey == null) {
        throw requestError("Unable to retrieve public key for " + fullServiceName + " with key id: " + keyId, caller, domain);
    }
    // validate that the cn and public key match to the provided details
    X509CertRequest x509CertReq = null;
    try {
        x509CertReq = new X509CertRequest(req.getCsr());
    } catch (CryptoException ex) {
        throw requestError("Unable to parse PKCS10 certificate request", caller, domain);
    }
    final PKCS10CertificationRequest certReq = x509CertReq.getCertReq();
    if (!ZTSUtils.verifyCertificateRequest(certReq, domain, service, null)) {
        throw requestError("Invalid CSR - data mismatch", caller, domain);
    }
    if (!x509CertReq.comparePublicKeys(publicKey)) {
        throw requestError("Invalid CSR - public key mismatch", caller, domain);
    }
    if (refreshOperation) {
        final String ipAddress = ServletRequestUtil.getRemoteAddress(ctx.request());
        ServiceX509RefreshRequestStatus status = validateServiceX509RefreshRequest(principal, x509CertReq, ipAddress);
        if (status == ServiceX509RefreshRequestStatus.IP_NOT_ALLOWED) {
            throw forbiddenError("IP not allowed for refresh: " + ipAddress, caller, domain);
        }
        if (status != ServiceX509RefreshRequestStatus.SUCCESS) {
            throw requestError("Request valiation failed: " + status, caller, domain);
        }
    }
    // generate identity with the certificate
    int expiryTime = req.getExpiryTime() != null ? req.getExpiryTime() : 0;
    Identity identity = ZTSUtils.generateIdentity(certSigner, req.getCsr(), fullServiceName, null, expiryTime);
    if (identity == null) {
        throw serverError("Unable to generate identity", caller, domain);
    }
    // create our audit log entry
    AuditLogMsgBuilder msgBldr = getAuditLogMsgBuilder(ctx, domain, caller, HTTP_POST);
    msgBldr.whatEntity(fullServiceName);
    X509Certificate newCert = Crypto.loadX509Certificate(identity.getCertificate());
    StringBuilder auditLogDetails = new StringBuilder(512);
    auditLogDetails.append("Provider: ").append(ZTSConsts.ZTS_SERVICE).append(" Domain: ").append(domain).append(" Service: ").append(service).append(" Serial: ").append(newCert.getSerialNumber().toString()).append(" Principal: ").append(principalName).append(" Type: x509");
    msgBldr.whatDetails(auditLogDetails.toString());
    auditLogger.log(msgBldr);
    metric.stopTiming(timerMetric);
    return identity;
}
Also used : PKCS10CertificationRequest(org.bouncycastle.pkcs.PKCS10CertificationRequest) AuditLogMsgBuilder(com.yahoo.athenz.common.server.log.AuditLogMsgBuilder) Authority(com.yahoo.athenz.auth.Authority) CertificateAuthority(com.yahoo.athenz.auth.impl.CertificateAuthority) X509Certificate(java.security.cert.X509Certificate) X509CertRequest(com.yahoo.athenz.zts.cert.X509CertRequest) CryptoException(com.yahoo.athenz.auth.util.CryptoException) SimplePrincipal(com.yahoo.athenz.auth.impl.SimplePrincipal) Principal(com.yahoo.athenz.auth.Principal)

Example 47 with Authority

Use of com.yahoo.athenz.auth.Authority in project athenz by yahoo.

In the class ZTSImpl, method getAuthority.

Authority getAuthority(String className) {
    LOGGER.debug("Loading authority {}...", className);
    Authority authority = null;
    try {
        // className is instantiated reflectively through its no-argument
        // constructor; a class that does not implement Authority fails the
        // cast with a ClassCastException, which is not caught here
        authority = (Authority) Class.forName(className).newInstance();
    } catch (InstantiationException | IllegalAccessException | ClassNotFoundException e) {
        LOGGER.error("Invalid Authority class: {} error: {}", className, e.getMessage());
        return null;
    }
    return authority;
}
Also used : Authority(com.yahoo.athenz.auth.Authority) CertificateAuthority(com.yahoo.athenz.auth.impl.CertificateAuthority)

Example 48 with Authority

Use of com.yahoo.athenz.auth.Authority in project athenz by yahoo.

In the class ZMSImplTest, method testGetResourceAccessList.

@Test
public void testGetResourceAccessList() {
    Authority principalAuthority = new com.yahoo.athenz.common.server.debug.DebugPrincipalAuthority();
    Principal principal1 = principalAuthority.authenticate("v=U1;d=user;n=user1;s=signature", "10.11.12.13", "GET", null);
    ResourceContext rsrcCtx1 = createResourceContext(principal1);
    try {
        zms.getResourceAccessList(rsrcCtx1, "principal", "UPDATE");
    } catch (Exception ex) {
        // nothing is verified here: the test passes whether or not the
        // call throws
        assertTrue(true);
    }
}
Also used : Authority(com.yahoo.athenz.auth.Authority) PrincipalAuthority(com.yahoo.athenz.auth.impl.PrincipalAuthority) SimplePrincipal(com.yahoo.athenz.auth.impl.SimplePrincipal) Principal(com.yahoo.athenz.auth.Principal) WebApplicationException(javax.ws.rs.WebApplicationException) UnsupportedEncodingException(java.io.UnsupportedEncodingException) IOException(java.io.IOException)

Example 49 with Authority

Use of com.yahoo.athenz.auth.Authority in project athenz by yahoo.

In the class ZMSImplTest, method testGetAccess.

@Test
public void testGetAccess() {
    TopLevelDomain dom1 = createTopLevelDomainObject("AccessDom1", "Test Domain1", "testOrg", adminUser);
    zms.postTopLevelDomain(mockDomRsrcCtx, auditRef, dom1);
    Role role1 = createRoleObject("AccessDom1", "Role1", null, "user.user1", "user.user3");
    zms.putRole(mockDomRsrcCtx, "AccessDom1", "Role1", auditRef, role1);
    Role role2 = createRoleObject("AccessDom1", "Role2", null, "user.user2", "user.user3");
    zms.putRole(mockDomRsrcCtx, "AccessDom1", "Role2", auditRef, role2);
    Policy policy1 = createPolicyObject("AccessDom1", "Policy1", "Role1", "UPDATE", "AccessDom1:resource1", AssertionEffect.ALLOW);
    zms.putPolicy(mockDomRsrcCtx, "AccessDom1", "Policy1", auditRef, policy1);
    Policy policy2 = createPolicyObject("AccessDom1", "Policy2", "Role2", "CREATE", "AccessDom1:resource2", AssertionEffect.DENY);
    zms.putPolicy(mockDomRsrcCtx, "AccessDom1", "Policy2", auditRef, policy2);
    Policy policy3 = createPolicyObject("AccessDom1", "Policy3", "Role2", "*", "AccessDom1:resource3", AssertionEffect.ALLOW);
    zms.putPolicy(mockDomRsrcCtx, "AccessDom1", "Policy3", auditRef, policy3);
    Policy policy4 = createPolicyObject("AccessDom1", "Policy4", "Role2", "DELETE", "accessdom1:*", AssertionEffect.ALLOW);
    zms.putPolicy(mockDomRsrcCtx, "AccessDom1", "Policy4", auditRef, policy4);
    Policy policy5 = createPolicyObject("AccessDom1", "Policy5", "Role1", "READ", "accessdom1:*", AssertionEffect.ALLOW);
    zms.putPolicy(mockDomRsrcCtx, "AccessDom1", "Policy5", auditRef, policy5);
    Policy policy6 = createPolicyObject("AccessDom1", "Policy6", "Role1", "READ", "AccessDom1:resource6", AssertionEffect.DENY);
    zms.putPolicy(mockDomRsrcCtx, "AccessDom1", "Policy6", auditRef, policy6);
    // user1 and user3 have access to UPDATE/resource1
    Authority principalAuthority = new com.yahoo.athenz.common.server.debug.DebugPrincipalAuthority();
    Principal principal1 = principalAuthority.authenticate("v=U1;d=user;n=user1;s=signature", "10.11.12.13", "GET", null);
    ResourceContext rsrcCtx1 = createResourceContext(principal1);
    Principal principal2 = principalAuthority.authenticate("v=U1;d=user;n=user2;s=signature", "10.11.12.13", "GET", null);
    ResourceContext rsrcCtx2 = createResourceContext(principal2);
    Principal principal3 = principalAuthority.authenticate("v=U1;d=user;n=user3;s=signature", "10.11.12.13", "GET", null);
    ResourceContext rsrcCtx3 = createResourceContext(principal3);
    Access access = zms.getAccess(rsrcCtx1, "UPDATE", "AccessDom1:resource1", "AccessDom1", null);
    assertTrue(access.getGranted());
    access = zms.getAccess(rsrcCtx2, "UPDATE", "AccessDom1:resource1", "AccessDom1", null);
    assertFalse(access.getGranted());
    access = zms.getAccess(rsrcCtx3, "UPDATE", "AccessDom1:resource1", "AccessDom1", null);
    assertTrue(access.getGranted());
    // same set as before with no trust domain field
    access = zms.getAccess(rsrcCtx1, "UPDATE", "AccessDom1:resource1", null, null);
    assertTrue(access.getGranted());
    access = zms.getAccess(rsrcCtx2, "UPDATE", "AccessDom1:resource1", null, null);
    assertFalse(access.getGranted());
    access = zms.getAccess(rsrcCtx3, "UPDATE", "AccessDom1:resource1", null, null);
    assertTrue(access.getGranted());
    // all three have no access to CREATE action on resource1
    access = zms.getAccess(rsrcCtx1, "CREATE", "AccessDom1:resource1", "AccessDom1", null);
    assertFalse(access.getGranted());
    access = zms.getAccess(rsrcCtx2, "CREATE", "AccessDom1:resource1", "AccessDom1", null);
    assertFalse(access.getGranted());
    access = zms.getAccess(rsrcCtx3, "CREATE", "AccessDom1:resource1", "AccessDom1", null);
    assertFalse(access.getGranted());
    // all three have no access to invalid domain name on resource 1
    access = zms.getAccess(rsrcCtx1, "CREATE", "AccessDom1:resource1", "AccessDom2", null);
    assertFalse(access.getGranted());
    access = zms.getAccess(rsrcCtx2, "CREATE", "AccessDom1:resource1", "AccessDom2", null);
    assertFalse(access.getGranted());
    access = zms.getAccess(rsrcCtx3, "CREATE", "AccessDom1:resource1", "AccessDom2", null);
    assertFalse(access.getGranted());
    // same as before with no trust domain field
    access = zms.getAccess(rsrcCtx1, "CREATE", "AccessDom1:resource1", null, null);
    assertFalse(access.getGranted());
    access = zms.getAccess(rsrcCtx2, "CREATE", "AccessDom1:resource1", null, null);
    assertFalse(access.getGranted());
    access = zms.getAccess(rsrcCtx3, "CREATE", "AccessDom1:resource1", null, null);
    assertFalse(access.getGranted());
    // all three should have deny access to resource 2
    access = zms.getAccess(rsrcCtx1, "CREATE", "AccessDom1:resource2", "AccessDom1", null);
    assertFalse(access.getGranted());
    access = zms.getAccess(rsrcCtx2, "CREATE", "AccessDom1:resource2", "AccessDom1", null);
    assertFalse(access.getGranted());
    access = zms.getAccess(rsrcCtx3, "CREATE", "AccessDom1:resource2", "AccessDom1", null);
    assertFalse(access.getGranted());
    // user2 and user3 have access to CREATE(*)/resource 3
    access = zms.getAccess(rsrcCtx1, "CREATE", "AccessDom1:resource3", "AccessDom1", null);
    assertFalse(access.getGranted());
    access = zms.getAccess(rsrcCtx2, "CREATE", "AccessDom1:resource3", "AccessDom1", null);
    assertTrue(access.getGranted());
    access = zms.getAccess(rsrcCtx3, "CREATE", "AccessDom1:resource3", "AccessDom1", null);
    assertTrue(access.getGranted());
    // user2 and user3 have access to UPDATE(*)/resource 3
    access = zms.getAccess(rsrcCtx1, "UPDATE", "AccessDom1:resource3", "AccessDom1", null);
    assertFalse(access.getGranted());
    access = zms.getAccess(rsrcCtx2, "UPDATE", "AccessDom1:resource3", "AccessDom1", null);
    assertTrue(access.getGranted());
    access = zms.getAccess(rsrcCtx3, "UPDATE", "AccessDom1:resource3", "AccessDom1", null);
    assertTrue(access.getGranted());
    // user2 and user3 have access to DELETE/resource 4 (*)
    access = zms.getAccess(rsrcCtx1, "DELETE", "AccessDom1:resource4", "AccessDom1", null);
    assertFalse(access.getGranted());
    access = zms.getAccess(rsrcCtx2, "DELETE", "AccessDom1:resource4", "AccessDom1", null);
    assertTrue(access.getGranted());
    access = zms.getAccess(rsrcCtx3, "DELETE", "AccessDom1:resource4", "AccessDom1", null);
    assertTrue(access.getGranted());
    // user1 should be able to read resource 5(*) but not resource 6
    // (explicit DENY)
    access = zms.getAccess(rsrcCtx1, "READ", "AccessDom1:resource5", "AccessDom1", null);
    assertTrue(access.getGranted());
    access = zms.getAccess(rsrcCtx1, "READ", "AccessDom1:resource6", "AccessDom1", null);
    assertFalse(access.getGranted());
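    // the status code is only checked if zms.access throws; the test
    // also passes when no exception is raised
    try {
        zms.access("READ", "AccessDom1:resource5", principal1, "AccessDom1");
    } catch (ResourceException ex) {
        assertTrue(ex.getCode() == 400);
    }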
    zms.deleteTopLevelDomain(mockDomRsrcCtx, "AccessDom1", auditRef);
}
Also used : Authority(com.yahoo.athenz.auth.Authority) PrincipalAuthority(com.yahoo.athenz.auth.impl.PrincipalAuthority) SimplePrincipal(com.yahoo.athenz.auth.impl.SimplePrincipal) Principal(com.yahoo.athenz.auth.Principal)

Example 50 with Authority

Use of com.yahoo.athenz.auth.Authority in project athenz by yahoo.

In the class ZMSImplTest, method testIsAllowedResourceLookForAllUsers.

@Test
public void testIsAllowedResourceLookForAllUsers() {
    Authority principalAuthority = new com.yahoo.athenz.common.server.debug.DebugPrincipalAuthority();
    Principal principal1 = principalAuthority.authenticate("v=U1;d=user;n=user1;s=signature", "10.11.12.13", "GET", null);
    try {
        zms.isAllowedResourceLookForAllUsers(principal1);
    } catch (Exception ex) {
        // nothing is verified here: the test passes whether or not the
        // call throws
        assertTrue(true);
    }
}
Also used : Authority(com.yahoo.athenz.auth.Authority) PrincipalAuthority(com.yahoo.athenz.auth.impl.PrincipalAuthority) SimplePrincipal(com.yahoo.athenz.auth.impl.SimplePrincipal) Principal(com.yahoo.athenz.auth.Principal) WebApplicationException(javax.ws.rs.WebApplicationException) UnsupportedEncodingException(java.io.UnsupportedEncodingException) IOException(java.io.IOException)

Aggregations

Authority (com.yahoo.athenz.auth.Authority) 78
Principal (com.yahoo.athenz.auth.Principal) 66
SimplePrincipal (com.yahoo.athenz.auth.impl.SimplePrincipal) 61
PrincipalAuthority (com.yahoo.athenz.auth.impl.PrincipalAuthority) 49
Test (org.testng.annotations.Test) 18
IOException (java.io.IOException) 9
UnsupportedEncodingException (java.io.UnsupportedEncodingException) 9
WebApplicationException (javax.ws.rs.WebApplicationException) 9
CertificateAuthority (com.yahoo.athenz.auth.impl.CertificateAuthority) 7
AthenzDomain (com.yahoo.athenz.zms.store.AthenzDomain) 7
ArrayList (java.util.ArrayList) 5
UserAuthority (com.yahoo.athenz.auth.impl.UserAuthority) 4
AuthorityList (com.yahoo.athenz.common.server.rest.Http.AuthorityList) 4
File (java.io.File) 4
HttpServletRequest (javax.servlet.http.HttpServletRequest) 4
AuditLogMsgBuilder (com.yahoo.athenz.common.server.log.AuditLogMsgBuilder) 3
Struct (com.yahoo.rdl.Struct) 3
X509Certificate (java.security.cert.X509Certificate) 3
Authorizer (com.yahoo.athenz.auth.Authorizer) 2
PrincipalToken (com.yahoo.athenz.auth.token.PrincipalToken) 2