Examples with ZpeMatchEqual com.yahoo.athenz.zpe.match.impl.ZpeMatchEqual used on opensource projects

Example 1 with ZpeMatchEqual

use of com.yahoo.athenz.zpe.match.impl.ZpeMatchEqual in project athenz by yahoo.

the class ZpeUpdPolLoader method getMatchObject.

ZpeMatch getMatchObject(String value) {
    ZpeMatch match = null;
    if ("*".equals(value)) {
        match = new ZpeMatchAll();
    } else {
        int anyCharMatch = value.indexOf('*');
        int singleCharMatch = value.indexOf('?');
        if (anyCharMatch == -1 && singleCharMatch == -1) {
            match = new ZpeMatchEqual(value);
        } else if (anyCharMatch == value.length() - 1 && singleCharMatch == -1) {
            match = new ZpeMatchStartsWith(value.substring(0, value.length() - 1));
        } else {
            match = new ZpeMatchRegex(value);
        }
    }
    return match;
}

Example 2 with ZpeMatchEqual

use of com.yahoo.athenz.zpe.match.impl.ZpeMatchEqual in project athenz by yahoo.

the class TestZpeMatch method testGetMatchEqual.

@Test
public void testGetMatchEqual() {
    try (ZpeUpdPolLoader loader = new ZpeUpdPolLoader(null)) {
        ZpeMatch matchObject = loader.getMatchObject("coretech");
        assertTrue(matchObject instanceof ZpeMatchEqual);
        assertTrue(matchObject.matches("coretech"));
        // failures
        // random data
        assertFalse(matchObject.matches("whatever"));
        // extra A
        assertFalse(matchObject.matches("coretechA"));
        // missing h
        assertFalse(matchObject.matches("coretec"));
    }
}

Example 3 with ZpeMatchEqual

use of com.yahoo.athenz.zpe.match.impl.ZpeMatchEqual in project athenz by yahoo.

the class TestZpeUpdPolLoader method testGetMatchObject.

@Test
public void testGetMatchObject() {
    try (ZpeUpdPolLoader loader = new ZpeUpdPolLoader(null)) {
        ZpeMatch matchObject = loader.getMatchObject("*");
        assertTrue(matchObject instanceof ZpeMatchAll);
        matchObject = loader.getMatchObject("**");
        assertTrue(matchObject instanceof ZpeMatchRegex);
        matchObject = loader.getMatchObject("?*");
        assertTrue(matchObject instanceof ZpeMatchRegex);
        matchObject = loader.getMatchObject("?");
        assertTrue(matchObject instanceof ZpeMatchRegex);
        matchObject = loader.getMatchObject("test?again*");
        assertTrue(matchObject instanceof ZpeMatchRegex);
        matchObject = loader.getMatchObject("*test");
        assertTrue(matchObject instanceof ZpeMatchRegex);
        matchObject = loader.getMatchObject("test");
        assertTrue(matchObject instanceof ZpeMatchEqual);
        matchObject = loader.getMatchObject("(test|again)");
        assertTrue(matchObject instanceof ZpeMatchEqual);
        matchObject = loader.getMatchObject("test*");
        assertTrue(matchObject instanceof ZpeMatchStartsWith);
    }
}

Example 4 with ZpeMatchEqual

use of com.yahoo.athenz.zpe.match.impl.ZpeMatchEqual in project athenz by yahoo.

the class ZpeUpdPolLoader method loadFile.

/**
 * Loads and parses the given file. It will create the domain assertion
 * list per role and put it into the domain policy maps(domRoleMap, domWildcardRoleMap).
 */
private void loadFile(File polFile) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("loadFile: file(" + polFile.getName() + ")");
    }
    Path path = Paths.get(polDirName + File.separator + polFile.getName());
    DomainSignedPolicyData spols = null;
    try {
        spols = JSON.fromBytes(Files.readAllBytes(path), DomainSignedPolicyData.class);
    } catch (Exception ex) {
        LOG.error("loadFile: unable to decode policy file=" + polFile.getName() + " error: " + ex.getMessage());
    }
    if (spols == null) {
        LOG.error("loadFile: unable to decode domain file=" + polFile.getName());
        // mark this as an invalid file
        Map<String, ZpeFileStatus> fsmap = getFileStatusMap();
        ZpeFileStatus fstat = fsmap.get(polFile.getName());
        if (fstat != null) {
            fstat.validPolFile = false;
        }
        return;
    }
    SignedPolicyData signedPolicyData = spols.getSignedPolicyData();
    String signature = spols.getSignature();
    String keyId = spols.getKeyId();
    // first let's verify the ZTS signature for our policy file
    boolean verified = false;
    if (signedPolicyData != null) {
        java.security.PublicKey pubKey = AuthZpeClient.getZtsPublicKey(keyId);
        verified = Crypto.verify(SignUtils.asCanonicalString(signedPolicyData), pubKey, signature);
    }
    PolicyData policyData = null;
    if (verified) {
        // now let's verify that the ZMS signature for our policy file
        policyData = signedPolicyData.getPolicyData();
        signature = signedPolicyData.getZmsSignature();
        keyId = signedPolicyData.getZmsKeyId();
        if (policyData != null) {
            java.security.PublicKey pubKey = AuthZpeClient.getZmsPublicKey(keyId);
            verified = Crypto.verify(SignUtils.asCanonicalString(policyData), pubKey, signature);
        }
    }
    if (verified == false) {
        LOG.error("loadFile: policy file=" + polFile.getName() + " is invalid");
        // mark this as an invalid file
        Map<String, ZpeFileStatus> fsmap = getFileStatusMap();
        ZpeFileStatus fstat = fsmap.get(polFile.getName());
        if (fstat != null) {
            fstat.validPolFile = false;
        }
        return;
    }
    // HAVE: valid policy file
    String domainName = policyData.getDomain();
    if (LOG.isDebugEnabled()) {
        LOG.debug("loadFile: policy file(" + polFile.getName() + ") for domain(" + domainName + ") is valid");
    }
    // Process the policies into assertions, process the assertions: action, resource, role
    // If there is a wildcard in the action or resource, compile the
    // regexpr and place it into the assertion Struct.
    // This is a performance enhancement for AuthZpeClient when it
    // performs the authorization checks.
    Map<String, List<Struct>> roleStandardAllowMap = new TreeMap<String, List<Struct>>();
    Map<String, List<Struct>> roleWildcardAllowMap = new TreeMap<String, List<Struct>>();
    Map<String, List<Struct>> roleStandardDenyMap = new TreeMap<String, List<Struct>>();
    Map<String, List<Struct>> roleWildcardDenyMap = new TreeMap<String, List<Struct>>();
    List<Policy> policies = policyData.getPolicies();
    for (Policy policy : policies) {
        String pname = policy.getName();
        if (LOG.isDebugEnabled()) {
            LOG.debug("loadFile: domain(" + domainName + ") policy(" + pname + ")");
        }
        List<Assertion> assertions = policy.getAssertions();
        if (assertions == null) {
            continue;
        }
        for (Assertion assertion : assertions) {
            com.yahoo.rdl.Struct strAssert = new Struct();
            strAssert.put(ZpeConsts.ZPE_FIELD_POLICY_NAME, pname);
            String passertAction = assertion.getAction();
            ZpeMatch matchStruct = getMatchObject(passertAction);
            strAssert.put(ZpeConsts.ZPE_ACTION_MATCH_STRUCT, matchStruct);
            String passertResource = assertion.getResource();
            String rsrc = AuthZpeClient.stripDomainPrefix(passertResource, domainName, passertResource);
            strAssert.put(ZpeConsts.ZPE_FIELD_RESOURCE, rsrc);
            matchStruct = getMatchObject(rsrc);
            strAssert.put(ZpeConsts.ZPE_RESOURCE_MATCH_STRUCT, matchStruct);
            String passertRole = assertion.getRole();
            String pRoleName = AuthZpeClient.stripDomainPrefix(passertRole, domainName, passertRole);
            // strip the prefix "role." too
            pRoleName = pRoleName.replaceFirst("^role.", "");
            strAssert.put(ZpeConsts.ZPE_FIELD_ROLE, pRoleName);
            // based on the effect and role name determine what
            // map we're going to use
            Map<String, List<Struct>> roleMap = null;
            AssertionEffect passertEffect = assertion.getEffect();
            matchStruct = getMatchObject(pRoleName);
            strAssert.put(ZpeConsts.ZPE_ROLE_MATCH_STRUCT, matchStruct);
            if (passertEffect != null && passertEffect.toString().compareTo("DENY") == 0) {
                if (matchStruct instanceof ZpeMatchEqual) {
                    roleMap = roleStandardDenyMap;
                } else {
                    roleMap = roleWildcardDenyMap;
                }
            } else {
                if (matchStruct instanceof ZpeMatchEqual) {
                    roleMap = roleStandardAllowMap;
                } else {
                    roleMap = roleWildcardAllowMap;
                }
            }
            List<Struct> assertList = roleMap.get(pRoleName);
            if (assertList == null) {
                assertList = new ArrayList<Struct>();
                roleMap.put(pRoleName, assertList);
            }
            assertList.add(strAssert);
        }
    }
    Map<String, ZpeFileStatus> fsmap = getFileStatusMap();
    ZpeFileStatus fstat = fsmap.get(polFile.getName());
    if (fstat != null) {
        fstat.validPolFile = true;
        fstat.domain = domainName;
    }
    domStandardRoleAllowMap.put(domainName, roleStandardAllowMap);
    domWildcardRoleAllowMap.put(domainName, roleWildcardAllowMap);
    domStandardRoleDenyMap.put(domainName, roleStandardDenyMap);
    domWildcardRoleDenyMap.put(domainName, roleWildcardDenyMap);
}