
Example 1 with Assertion

Use of com.yahoo.athenz.zts.Assertion in the athenz project by Yahoo.

Method loadFile of class ZpeUpdPolLoader.

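/**
 * Loads and parses one signed policy file and indexes its assertions by role.
 *
 * <p>The file {@code polDirName/<polFile name>} is decoded as a
 * {@link DomainSignedPolicyData}. Two signatures are then checked, outer first:
 * the ZTS signature over the canonical form of the {@link SignedPolicyData}
 * (public key looked up by the file's key id) and the ZMS signature over the
 * canonical form of the inner {@link PolicyData} (public key looked up by the
 * ZMS key id). Only when both verify are the policies converted into assertion
 * {@link Struct}s, grouped by role name into four maps chosen by the assertion
 * effect (ALLOW vs DENY) and by whether the role name is an exact match or a
 * wildcard pattern, and stored under the domain in domStandardRoleAllowMap,
 * domWildcardRoleAllowMap, domStandardRoleDenyMap and domWildcardRoleDenyMap.
 *
 * <p>A file that cannot be decoded, that fails either signature check, or that
 * names no domain is marked invalid in the file status map and leaves the
 * domain maps untouched; a good file is marked valid with its domain recorded.
 *
 * @param polFile policy file inside {@code polDirName}; only its name is used
 */
private void loadFile(File polFile) {
    String fileName = polFile.getName();
    if (LOG.isDebugEnabled()) {
        LOG.debug("loadFile: file(" + fileName + ")");
    }
    Path path = Paths.get(polDirName + File.separator + fileName);
    DomainSignedPolicyData spols = null;
    try {
        spols = JSON.fromBytes(Files.readAllBytes(path), DomainSignedPolicyData.class);
    } catch (Exception ex) {
        // pass the exception through so the stack trace is not lost
        LOG.error("loadFile: unable to decode policy file=" + fileName + " error: " + ex.getMessage(), ex);
    }
    if (spols == null) {
        LOG.error("loadFile: unable to decode domain file=" + fileName);
        markFileStatus(fileName, false, null);
        return;
    }

    // both signature layers must verify before anything in the file is trusted
    PolicyData policyData = verifyPolicyData(spols);
    if (policyData == null) {
        LOG.error("loadFile: policy file=" + fileName + " is invalid");
        markFileStatus(fileName, false, null);
        return;
    }

    // HAVE: valid policy file
    String domainName = policyData.getDomain();
    if (domainName == null) {
        // the domain maps are TreeMaps and reject a null key, so treat this as invalid
        LOG.error("loadFile: policy file=" + fileName + " has no domain");
        markFileStatus(fileName, false, null);
        return;
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("loadFile: policy file(" + fileName + ") for domain(" + domainName + ") is valid");
    }

    // Process the policies into assertions, process the assertions: action, resource, role
    // If there is a wildcard in the action or resource, compile the
    // regexpr and place it into the assertion Struct.
    // This is a performance enhancement for AuthZpeClient when it
    // performs the authorization checks.
    Map<String, List<Struct>> roleStandardAllowMap = new TreeMap<String, List<Struct>>();
    Map<String, List<Struct>> roleWildcardAllowMap = new TreeMap<String, List<Struct>>();
    Map<String, List<Struct>> roleStandardDenyMap = new TreeMap<String, List<Struct>>();
    Map<String, List<Struct>> roleWildcardDenyMap = new TreeMap<String, List<Struct>>();
    List<Policy> policies = policyData.getPolicies();
    if (policies == null) {
        // a verified file with no policies is still valid: it yields empty role maps
        policies = new ArrayList<Policy>();
    }
    for (Policy policy : policies) {
        String pname = policy.getName();
        if (LOG.isDebugEnabled()) {
            LOG.debug("loadFile: domain(" + domainName + ") policy(" + pname + ")");
        }
        List<Assertion> assertions = policy.getAssertions();
        if (assertions == null) {
            continue;
        }
        for (Assertion assertion : assertions) {
            Struct strAssert = new Struct();
            strAssert.put(ZpeConsts.ZPE_FIELD_POLICY_NAME, pname);

            String passertAction = assertion.getAction();
            strAssert.put(ZpeConsts.ZPE_ACTION_MATCH_STRUCT, getMatchObject(passertAction));

            String passertResource = assertion.getResource();
            String rsrc = AuthZpeClient.stripDomainPrefix(passertResource, domainName, passertResource);
            strAssert.put(ZpeConsts.ZPE_FIELD_RESOURCE, rsrc);
            strAssert.put(ZpeConsts.ZPE_RESOURCE_MATCH_STRUCT, getMatchObject(rsrc));

            String passertRole = assertion.getRole();
            String pRoleName = AuthZpeClient.stripDomainPrefix(passertRole, domainName, passertRole);
            // strip the literal prefix "role." too (the regex "^role." used before
            // also matched "role" followed by any character, e.g. "rolex" -> "x")
            if (pRoleName.startsWith("role.")) {
                pRoleName = pRoleName.substring("role.".length());
            }
            strAssert.put(ZpeConsts.ZPE_FIELD_ROLE, pRoleName);
            ZpeMatch roleMatch = getMatchObject(pRoleName);
            strAssert.put(ZpeConsts.ZPE_ROLE_MATCH_STRUCT, roleMatch);

            // based on the effect and role name determine what map we're going to use
            AssertionEffect passertEffect = assertion.getEffect();
            boolean deny = passertEffect != null && "DENY".equals(passertEffect.toString());
            boolean exactRole = roleMatch instanceof ZpeMatchEqual;
            Map<String, List<Struct>> roleMap;
            if (deny) {
                roleMap = exactRole ? roleStandardDenyMap : roleWildcardDenyMap;
            } else {
                roleMap = exactRole ? roleStandardAllowMap : roleWildcardAllowMap;
            }
            List<Struct> assertList = roleMap.get(pRoleName);
            if (assertList == null) {
                assertList = new ArrayList<Struct>();
                roleMap.put(pRoleName, assertList);
            }
            assertList.add(strAssert);
        }
    }

    markFileStatus(fileName, true, domainName);
    domStandardRoleAllowMap.put(domainName, roleStandardAllowMap);
    domWildcardRoleAllowMap.put(domainName, roleWildcardAllowMap);
    domStandardRoleDenyMap.put(domainName, roleStandardDenyMap);
    domWildcardRoleDenyMap.put(domainName, roleWildcardDenyMap);
}

/**
 * Verifies the two signature layers of a decoded policy file, outer first.
 *
 * @param spols decoded policy file
 * @return the inner {@link PolicyData} when both the ZTS signature over the
 *         {@link SignedPolicyData} and the ZMS signature over the
 *         {@link PolicyData} verify; {@code null} when either layer is missing
 *         or either signature does not verify
 */
private PolicyData verifyPolicyData(DomainSignedPolicyData spols) {
    SignedPolicyData signedPolicyData = spols.getSignedPolicyData();
    if (signedPolicyData == null) {
        return null;
    }
    // first let's verify the ZTS signature for our policy file
    java.security.PublicKey ztsKey = AuthZpeClient.getZtsPublicKey(spols.getKeyId());
    if (!Crypto.verify(SignUtils.asCanonicalString(signedPolicyData), ztsKey, spols.getSignature())) {
        return null;
    }
    // now let's verify the ZMS signature for the policy data inside it
    PolicyData policyData = signedPolicyData.getPolicyData();
    if (policyData == null) {
        // a missing inner document is not a verified policy even though the
        // outer signature checked out; treating it as verified would NPE later
        return null;
    }
    java.security.PublicKey zmsKey = AuthZpeClient.getZmsPublicKey(signedPolicyData.getZmsKeyId());
    if (!Crypto.verify(SignUtils.asCanonicalString(policyData), zmsKey, signedPolicyData.getZmsSignature())) {
        return null;
    }
    return policyData;
}

/**
 * Updates the file status entry for {@code fileName}, if one exists.
 *
 * @param fileName   policy file name, the key into {@link #getFileStatusMap()}
 * @param valid      whether the file decoded and both signatures verified
 * @param domainName domain the file covers; recorded only when {@code valid}
 */
private void markFileStatus(String fileName, boolean valid, String domainName) {
    Map<String, ZpeFileStatus> fsmap = getFileStatusMap();
    ZpeFileStatus fstat = fsmap.get(fileName);
    if (fstat == null) {
        return;
    }
    fstat.validPolFile = valid;
    if (valid) {
        fstat.domain = domainName;
    }
}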

Example 2 with Assertion

Use of com.yahoo.athenz.zts.Assertion in the athenz project by Yahoo.

Method getDomainSignedPolicyData of class ZTSMock.

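/**
 * Mock ZTS endpoint returning a freshly signed policy set for the test
 * domains {@code sports}, {@code sys.auth} and {@code expiredDomain}.
 *
 * <p>Each response carries a single {@code <domain>:policy.admin} policy with an
 * ALLOW-all assertion for {@code <domain>:role.admin} and a DENY-all assertion
 * for {@code <domain>:role.non-admin}. The inner policy data is signed with
 * {@code zmsPrivateKeyK0} under ZMS key id "0"; the outer envelope is signed
 * with the ZTS key selected by this mock's {@code keyId} field ("0" or "1").
 * {@code expiredDomain} gets an expiry one minute in the past so callers can
 * exercise their expiration handling; the other domains expire in seven days.
 *
 * @param domainName      domain being requested
 * @param matchingTag     ignored by this mock
 * @param responseHeaders ignored by this mock
 * @return signed policy data for one of the known test domains, {@code null} otherwise
 */
@Override
public DomainSignedPolicyData getDomainSignedPolicyData(String domainName, String matchingTag, Map<String, List<String>> responseHeaders) {
    if (!"sports".equals(domainName) && !"sys.auth".equals(domainName) && !"expiredDomain".equals(domainName)) {
        return null;
    }

    // one clock reading so modified and expires are consistent with each other
    long now = System.currentTimeMillis();
    long expiresMillis;
    if ("expiredDomain".equals(domainName)) {
        expiresMillis = now - (1000L * 60);                // one minute ago
    } else {
        expiresMillis = now + (1000L * 60 * 60 * 24 * 7);  // seven days ahead
    }
    SignedPolicyData signedPolicyData = new SignedPolicyData();
    signedPolicyData.setExpires(Timestamp.fromMillis(expiresMillis));
    signedPolicyData.setModified(Timestamp.fromMillis(now));

    List<Assertion> assertList = new ArrayList<Assertion>();
    assertList.add(newWildcardAssertion(AssertionEffect.ALLOW, domainName + ":role." + "admin"));
    assertList.add(newWildcardAssertion(AssertionEffect.DENY, domainName + ":role." + "non-admin"));

    Policy policy = new Policy();
    policy.setName(domainName + ":policy." + "admin");
    policy.setAssertions(assertList);
    List<Policy> listOfPolicies = new ArrayList<Policy>();
    listOfPolicies.add(policy);

    PolicyData policyData = new PolicyData();
    policyData.setPolicies(listOfPolicies);
    policyData.setDomain(domainName);

    // inner (ZMS) layer: always signed under key id "0"
    signedPolicyData.setPolicyData(policyData);
    signedPolicyData.setZmsKeyId("0");
    signedPolicyData.setZmsSignature(Crypto.sign(SignUtils.asCanonicalString(policyData), zmsPrivateKeyK0));

    // outer (ZTS) layer: signed with whichever key this mock is configured for;
    // a keyId other than "0"/"1" leaves ztsKey null and is passed to Crypto.sign as-is
    PrivateKey ztsKey = null;
    if ("0".equals(keyId)) {
        ztsKey = ztsPrivateKeyK0;
    } else if ("1".equals(keyId)) {
        ztsKey = ztsPrivateKeyK1;
    }
    DomainSignedPolicyData domainSignedPolicyData = new DomainSignedPolicyData();
    domainSignedPolicyData.setSignedPolicyData(signedPolicyData);
    domainSignedPolicyData.setKeyId(keyId);
    domainSignedPolicyData.setSignature(Crypto.sign(SignUtils.asCanonicalString(signedPolicyData), ztsKey));
    return domainSignedPolicyData;
}

/**
 * Builds an assertion applying {@code effect} to every action on every resource for {@code role}.
 *
 * @param effect ALLOW or DENY
 * @param role   fully qualified role name ({@code <domain>:role.<name>})
 * @return the populated assertion
 */
private static Assertion newWildcardAssertion(AssertionEffect effect, String role) {
    Assertion assertion = new Assertion();
    assertion.setAction("*");
    assertion.setEffect(effect);
    assertion.setResource("*");
    assertion.setRole(role);
    return assertion;
}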
