
Example 6 with ZpeMatch

use of com.yahoo.athenz.zpe.match.ZpeMatch in project athenz by yahoo.

From the class TestZpeUpdPolLoader, method testGetMatchObject.

/**
 * Verifies which ZpeMatch implementation ZpeUpdPolLoader.getMatchObject picks for
 * a given pattern: "*" alone maps to ZpeMatchAll, a trailing "*" with no other
 * wildcard maps to ZpeMatchStartsWith, any "?" or an embedded/leading "*" maps to
 * ZpeMatchRegex, and everything else (including regex-looking text such as
 * "(test|again)") maps to ZpeMatchEqual.
 */
@Test
public void testGetMatchObject() {
    // patterns expected to need a compiled regular expression
    String[] regexPatterns = { "**", "?*", "?", "test?again*", "*test" };
    // patterns expected to be compared literally, no wildcard handling at all
    String[] literalPatterns = { "test", "(test|again)" };
    try (ZpeUpdPolLoader loader = new ZpeUpdPolLoader(null)) {
        assertTrue(loader.getMatchObject("*") instanceof ZpeMatchAll);
        for (String pattern : regexPatterns) {
            assertTrue(loader.getMatchObject(pattern) instanceof ZpeMatchRegex);
        }
        for (String pattern : literalPatterns) {
            assertTrue(loader.getMatchObject(pattern) instanceof ZpeMatchEqual);
        }
        assertTrue(loader.getMatchObject("test*") instanceof ZpeMatchStartsWith);
    }
}

Example 7 with ZpeMatch

use of com.yahoo.athenz.zpe.match.ZpeMatch in project athenz by yahoo.

From the class AuthZpeClient, method actionByWildCardRole.

/**
 * Evaluates {@code action} on {@code angResource} against the wildcard-role
 * assertion map: every role held by the caller is tested against every role
 * pattern in {@code roleMap}, and the first pattern whose assertions match both
 * the action and the resource (see matchAssertions) decides the outcome.
 *
 * @param action        action being authorized
 * @param domain        domain name; only used in debug messages here
 * @param angResource   resource being accessed
 * @param roles         roles held by the caller
 * @param roleMap       role-name pattern to its assertion structs; each struct
 *                      carries a ZpeMatch under ZpeConsts.ZPE_ROLE_MATCH_STRUCT
 *                      and only the first struct's matcher is consulted, so all
 *                      structs under one key are assumed to share it
 * @param matchRoleName receives the matching role-map key on success
 *                      (written by matchAssertions); untouched otherwise
 * @return true as soon as one assertion matches, false when none does
 */
static boolean actionByWildCardRole(String action, String domain, String angResource, List<String> roles, Map<String, List<Struct>> roleMap, StringBuilder matchRoleName) {
    String msgPrefix = null;
    if (LOG.isDebugEnabled()) {
        msgPrefix = "allowActionByWildCardRole: domain(" + domain + ") action(" + action + ") resource(" + angResource + ")";
    }
    for (String role : roles) {
        if (LOG.isDebugEnabled()) {
            LOG.debug(msgPrefix + ": Process role (" + role + ")");
        }
        for (Map.Entry<String, List<Struct>> entry : roleMap.entrySet()) {
            String rolePattern = entry.getKey();
            List<Struct> patternAsserts = entry.getValue();
            if (patternAsserts == null || patternAsserts.isEmpty()) {
                // nothing to evaluate under this key: the message wording is
                // historical, the loop simply moves on to the next pattern
                if (LOG.isDebugEnabled()) {
                    LOG.debug(msgPrefix + ": No policy assertions in domain=" + domain + " for role=" + role + " so access denied");
                }
                continue;
            }
            Struct firstAssert = patternAsserts.get(0);
            ZpeMatch roleMatcher = (ZpeMatch) firstAssert.get(ZpeConsts.ZPE_ROLE_MATCH_STRUCT);
            if (roleMatcher.matches(role)) {
                if (matchAssertions(patternAsserts, rolePattern, action, angResource, matchRoleName, msgPrefix)) {
                    return true;
                }
            } else if (LOG.isDebugEnabled()) {
                String polName = firstAssert.getString(ZpeConsts.ZPE_FIELD_POLICY_NAME);
                LOG.debug(msgPrefix + ": policy(" + polName + ") regexpr-match: FAILed: assert-role(" + rolePattern + ") doesnt match role(" + role + ")");
            }
        }
    }
    return false;
}

Example 8 with ZpeMatch

use of com.yahoo.athenz.zpe.match.ZpeMatch in project athenz by yahoo.

From the class AuthZpeClient, method matchAssertions.

/**
 * Scans the assertions of one role for the first whose action matcher accepts
 * {@code action} and whose resource matcher accepts {@code resource}. The
 * matchers are the ZpeMatch objects stored in the struct under
 * ZpeConsts.ZPE_ACTION_MATCH_STRUCT and ZpeConsts.ZPE_RESOURCE_MATCH_STRUCT.
 *
 * @param asserts       assertion structs belonging to a single role
 * @param role          role name to report when an assertion matches
 * @param action        action being authorized
 * @param resource      resource being accessed
 * @param matchRoleName cleared and set to {@code role} on a match; untouched otherwise
 * @param msgPrefix     prefix for debug messages; only read when debug logging is on
 * @return true if some assertion matched both action and resource, false otherwise
 */
static boolean matchAssertions(List<Struct> asserts, String role, String action, String resource, StringBuilder matchRoleName, String msgPrefix) {
    for (Struct assertion : asserts) {
        // the raw pattern strings are only needed for debug output, so they are
        // fetched only when debug logging is enabled and stay null otherwise
        String assertAction = null;
        String assertResource = null;
        String policyName = null;
        if (LOG.isDebugEnabled()) {
            assertAction = assertion.getString(ZpeConsts.ZPE_FIELD_ACTION);
            assertResource = assertion.getString(ZpeConsts.ZPE_FIELD_RESOURCE);
            String assertRole = assertion.getString(ZpeConsts.ZPE_FIELD_ROLE);
            policyName = assertion.getString(ZpeConsts.ZPE_FIELD_POLICY_NAME);
            LOG.debug(msgPrefix + ": Process Assertion: policy(" + policyName + ") assert-action=" + assertAction + " assert-resource=" + assertResource + " assert-role=" + assertRole);
        }
        // action first, e.g. an assertion action of "mod*"
        ZpeMatch actionMatcher = (ZpeMatch) assertion.get(ZpeConsts.ZPE_ACTION_MATCH_STRUCT);
        if (!actionMatcher.matches(action)) {
            if (LOG.isDebugEnabled()) {
                LOG.debug(msgPrefix + ": policy(" + policyName + ") regexpr-match: FAILed: assert-action(" + assertAction + ") doesn't match action(" + action + ")");
            }
            continue;
        }
        // then the resource, e.g. "weather:service.storage.tenant.sports.*"
        ZpeMatch resourceMatcher = (ZpeMatch) assertion.get(ZpeConsts.ZPE_RESOURCE_MATCH_STRUCT);
        if (!resourceMatcher.matches(resource)) {
            if (LOG.isDebugEnabled()) {
                LOG.debug(msgPrefix + ": policy(" + policyName + ") regexpr-match: FAILed: assert-resource(" + assertResource + ") doesn't match resource(" + resource + ")");
            }
            continue;
        }
        // both matched: report the role that granted the match
        matchRoleName.replace(0, matchRoleName.length(), role);
        return true;
    }
    return false;
}

Example 9 with ZpeMatch

use of com.yahoo.athenz.zpe.match.ZpeMatch in project athenz by yahoo.

From the class ZpeUpdPolLoader, method loadFile.

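/**
 * Loads and parses the given policy file. The file is decoded, the ZTS
 * signature over the signed policy data is checked, then the ZMS signature
 * over the policy data itself; only a file that passes both checks is turned
 * into per-role assertion lists and stored in the domain policy maps
 * (domStandardRoleAllowMap, domWildcardRoleAllowMap, domStandardRoleDenyMap,
 * domWildcardRoleDenyMap). A file that cannot be decoded, carries no policy
 * data, or fails either signature check is marked invalid in the file status
 * map and the domain maps are left untouched.
 *
 * @param polFile policy file located inside {@code polDirName}
 */
private void loadFile(File polFile) {
    final String fileName = polFile.getName();
    if (LOG.isDebugEnabled()) {
        LOG.debug("loadFile: file(" + fileName + ")");
    }
    Path path = Paths.get(polDirName + File.separator + fileName);
    DomainSignedPolicyData spols = null;
    try {
        spols = JSON.fromBytes(Files.readAllBytes(path), DomainSignedPolicyData.class);
    } catch (Exception ex) {
        // pass the exception along so the stack trace is not lost
        LOG.error("loadFile: unable to decode policy file=" + fileName + " error: " + ex.getMessage(), ex);
    }
    if (spols == null) {
        LOG.error("loadFile: unable to decode domain file=" + fileName);
        updatePolicyFileStatus(fileName, false, null);
        return;
    }

    // Outer envelope: ZTS signed the SignedPolicyData with the key named by keyId.
    SignedPolicyData signedPolicyData = spols.getSignedPolicyData();
    boolean verified = false;
    if (signedPolicyData != null) {
        java.security.PublicKey ztsKey = AuthZpeClient.getZtsPublicKey(spols.getKeyId());
        verified = Crypto.verify(SignUtils.asCanonicalString(signedPolicyData), ztsKey, spols.getSignature());
    }

    // Inner payload: ZMS signed the PolicyData with the key named by zmsKeyId.
    PolicyData policyData = null;
    if (verified) {
        policyData = signedPolicyData.getPolicyData();
        if (policyData == null) {
            // a correctly signed envelope without a payload is still unusable;
            // previously this kept verified=true and dereferenced null below
            verified = false;
        } else {
            java.security.PublicKey zmsKey = AuthZpeClient.getZmsPublicKey(signedPolicyData.getZmsKeyId());
            verified = Crypto.verify(SignUtils.asCanonicalString(policyData), zmsKey, signedPolicyData.getZmsSignature());
        }
    }
    if (!verified) {
        LOG.error("loadFile: policy file=" + fileName + " is invalid");
        updatePolicyFileStatus(fileName, false, null);
        return;
    }

    // HAVE: valid policy file
    String domainName = policyData.getDomain();
    if (LOG.isDebugEnabled()) {
        LOG.debug("loadFile: policy file(" + fileName + ") for domain(" + domainName + ") is valid");
    }
    // Process the policies into assertions, process the assertions: action, resource, role.
    // If there is a wildcard in the action or resource, compile the matcher and place it
    // into the assertion Struct. This is a performance enhancement for AuthZpeClient
    // when it performs the authorization checks.
    Map<String, List<Struct>> roleStandardAllowMap = new TreeMap<>();
    Map<String, List<Struct>> roleWildcardAllowMap = new TreeMap<>();
    Map<String, List<Struct>> roleStandardDenyMap = new TreeMap<>();
    Map<String, List<Struct>> roleWildcardDenyMap = new TreeMap<>();
    List<Policy> policies = policyData.getPolicies();
    // a verified file with no policy list yields empty maps (no access) instead of an NPE
    if (policies != null) {
        for (Policy policy : policies) {
            String pname = policy.getName();
            if (LOG.isDebugEnabled()) {
                LOG.debug("loadFile: domain(" + domainName + ") policy(" + pname + ")");
            }
            List<Assertion> assertions = policy.getAssertions();
            if (assertions == null) {
                continue;
            }
            for (Assertion assertion : assertions) {
                Struct strAssert = new Struct();
                strAssert.put(ZpeConsts.ZPE_FIELD_POLICY_NAME, pname);

                String passertAction = assertion.getAction();
                ZpeMatch matchStruct = getMatchObject(passertAction);
                strAssert.put(ZpeConsts.ZPE_ACTION_MATCH_STRUCT, matchStruct);

                String passertResource = assertion.getResource();
                String rsrc = AuthZpeClient.stripDomainPrefix(passertResource, domainName, passertResource);
                strAssert.put(ZpeConsts.ZPE_FIELD_RESOURCE, rsrc);
                matchStruct = getMatchObject(rsrc);
                strAssert.put(ZpeConsts.ZPE_RESOURCE_MATCH_STRUCT, matchStruct);

                String passertRole = assertion.getRole();
                String pRoleName = AuthZpeClient.stripDomainPrefix(passertRole, domainName, passertRole);
                // strip the literal "role." prefix too; the earlier regex "^role." treated
                // the dot as a wildcard, so a role such as "rolesadmin" lost its first
                // five characters as well
                if (pRoleName.startsWith("role.")) {
                    pRoleName = pRoleName.substring("role.".length());
                }
                strAssert.put(ZpeConsts.ZPE_FIELD_ROLE, pRoleName);
                matchStruct = getMatchObject(pRoleName);
                strAssert.put(ZpeConsts.ZPE_ROLE_MATCH_STRUCT, matchStruct);

                // the effect and the kind of role matcher select the map the assertion goes into
                AssertionEffect passertEffect = assertion.getEffect();
                boolean deny = passertEffect != null && "DENY".equals(passertEffect.toString());
                boolean exactRole = matchStruct instanceof ZpeMatchEqual;
                Map<String, List<Struct>> roleMap;
                if (deny) {
                    roleMap = exactRole ? roleStandardDenyMap : roleWildcardDenyMap;
                } else {
                    roleMap = exactRole ? roleStandardAllowMap : roleWildcardAllowMap;
                }
                List<Struct> assertList = roleMap.get(pRoleName);
                if (assertList == null) {
                    assertList = new ArrayList<>();
                    roleMap.put(pRoleName, assertList);
                }
                assertList.add(strAssert);
            }
        }
    }
    updatePolicyFileStatus(fileName, true, domainName);
    domStandardRoleAllowMap.put(domainName, roleStandardAllowMap);
    domWildcardRoleAllowMap.put(domainName, roleWildcardAllowMap);
    domStandardRoleDenyMap.put(domainName, roleStandardDenyMap);
    domWildcardRoleDenyMap.put(domainName, roleWildcardDenyMap);
}

/**
 * Records the outcome of loading {@code fileName} in the file status map.
 * Unknown file names are ignored, as before.
 *
 * @param fileName   policy file name, the key of the file status map
 * @param valid      whether the file decoded and passed both signature checks
 * @param domainName domain the file belongs to; only stored when non-null
 */
private void updatePolicyFileStatus(String fileName, boolean valid, String domainName) {
    ZpeFileStatus fstat = getFileStatusMap().get(fileName);
    if (fstat != null) {
        fstat.validPolFile = valid;
        if (domainName != null) {
            fstat.domain = domainName;
        }
    }
}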
