Search in sources :

Example 1 with AssertionEffect

use of com.yahoo.athenz.zts.AssertionEffect in project athenz by yahoo.

the class ZpeUpdPolLoader method loadFile.

/**
 * Loads and parses the given file. It will create the domain assertion
 * list per role and put it into the domain policy maps(domRoleMap, domWildcardRoleMap).
 */
private void loadFile(File polFile) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("loadFile: file(" + polFile.getName() + ")");
    }
    Path path = Paths.get(polDirName + File.separator + polFile.getName());
    DomainSignedPolicyData spols = null;
    try {
        spols = JSON.fromBytes(Files.readAllBytes(path), DomainSignedPolicyData.class);
    } catch (Exception ex) {
        LOG.error("loadFile: unable to decode policy file=" + polFile.getName() + " error: " + ex.getMessage());
    }
    if (spols == null) {
        LOG.error("loadFile: unable to decode domain file=" + polFile.getName());
        // mark this as an invalid file
        Map<String, ZpeFileStatus> fsmap = getFileStatusMap();
        ZpeFileStatus fstat = fsmap.get(polFile.getName());
        if (fstat != null) {
            fstat.validPolFile = false;
        }
        return;
    }
    SignedPolicyData signedPolicyData = spols.getSignedPolicyData();
    String signature = spols.getSignature();
    String keyId = spols.getKeyId();
    // first let's verify the ZTS signature for our policy file
    boolean verified = false;
    if (signedPolicyData != null) {
        java.security.PublicKey pubKey = AuthZpeClient.getZtsPublicKey(keyId);
        verified = Crypto.verify(SignUtils.asCanonicalString(signedPolicyData), pubKey, signature);
    }
    PolicyData policyData = null;
    if (verified) {
        // now let's verify that the ZMS signature for our policy file
        policyData = signedPolicyData.getPolicyData();
        signature = signedPolicyData.getZmsSignature();
        keyId = signedPolicyData.getZmsKeyId();
        if (policyData != null) {
            java.security.PublicKey pubKey = AuthZpeClient.getZmsPublicKey(keyId);
            verified = Crypto.verify(SignUtils.asCanonicalString(policyData), pubKey, signature);
        }
    }
    if (verified == false) {
        LOG.error("loadFile: policy file=" + polFile.getName() + " is invalid");
        // mark this as an invalid file
        Map<String, ZpeFileStatus> fsmap = getFileStatusMap();
        ZpeFileStatus fstat = fsmap.get(polFile.getName());
        if (fstat != null) {
            fstat.validPolFile = false;
        }
        return;
    }
    // HAVE: valid policy file
    String domainName = policyData.getDomain();
    if (LOG.isDebugEnabled()) {
        LOG.debug("loadFile: policy file(" + polFile.getName() + ") for domain(" + domainName + ") is valid");
    }
    // Process the policies into assertions, process the assertions: action, resource, role
    // If there is a wildcard in the action or resource, compile the
    // regexpr and place it into the assertion Struct.
    // This is a performance enhancement for AuthZpeClient when it
    // performs the authorization checks.
    Map<String, List<Struct>> roleStandardAllowMap = new TreeMap<String, List<Struct>>();
    Map<String, List<Struct>> roleWildcardAllowMap = new TreeMap<String, List<Struct>>();
    Map<String, List<Struct>> roleStandardDenyMap = new TreeMap<String, List<Struct>>();
    Map<String, List<Struct>> roleWildcardDenyMap = new TreeMap<String, List<Struct>>();
    List<Policy> policies = policyData.getPolicies();
    for (Policy policy : policies) {
        String pname = policy.getName();
        if (LOG.isDebugEnabled()) {
            LOG.debug("loadFile: domain(" + domainName + ") policy(" + pname + ")");
        }
        List<Assertion> assertions = policy.getAssertions();
        if (assertions == null) {
            continue;
        }
        for (Assertion assertion : assertions) {
            com.yahoo.rdl.Struct strAssert = new Struct();
            strAssert.put(ZpeConsts.ZPE_FIELD_POLICY_NAME, pname);
            String passertAction = assertion.getAction();
            ZpeMatch matchStruct = getMatchObject(passertAction);
            strAssert.put(ZpeConsts.ZPE_ACTION_MATCH_STRUCT, matchStruct);
            String passertResource = assertion.getResource();
            String rsrc = AuthZpeClient.stripDomainPrefix(passertResource, domainName, passertResource);
            strAssert.put(ZpeConsts.ZPE_FIELD_RESOURCE, rsrc);
            matchStruct = getMatchObject(rsrc);
            strAssert.put(ZpeConsts.ZPE_RESOURCE_MATCH_STRUCT, matchStruct);
            String passertRole = assertion.getRole();
            String pRoleName = AuthZpeClient.stripDomainPrefix(passertRole, domainName, passertRole);
            // strip the prefix "role." too
            pRoleName = pRoleName.replaceFirst("^role.", "");
            strAssert.put(ZpeConsts.ZPE_FIELD_ROLE, pRoleName);
            // based on the effect and role name determine what
            // map we're going to use
            Map<String, List<Struct>> roleMap = null;
            AssertionEffect passertEffect = assertion.getEffect();
            matchStruct = getMatchObject(pRoleName);
            strAssert.put(ZpeConsts.ZPE_ROLE_MATCH_STRUCT, matchStruct);
            if (passertEffect != null && passertEffect.toString().compareTo("DENY") == 0) {
                if (matchStruct instanceof ZpeMatchEqual) {
                    roleMap = roleStandardDenyMap;
                } else {
                    roleMap = roleWildcardDenyMap;
                }
            } else {
                if (matchStruct instanceof ZpeMatchEqual) {
                    roleMap = roleStandardAllowMap;
                } else {
                    roleMap = roleWildcardAllowMap;
                }
            }
            List<Struct> assertList = roleMap.get(pRoleName);
            if (assertList == null) {
                assertList = new ArrayList<Struct>();
                roleMap.put(pRoleName, assertList);
            }
            assertList.add(strAssert);
        }
    }
    Map<String, ZpeFileStatus> fsmap = getFileStatusMap();
    ZpeFileStatus fstat = fsmap.get(polFile.getName());
    if (fstat != null) {
        fstat.validPolFile = true;
        fstat.domain = domainName;
    }
    domStandardRoleAllowMap.put(domainName, roleStandardAllowMap);
    domWildcardRoleAllowMap.put(domainName, roleWildcardAllowMap);
    domStandardRoleDenyMap.put(domainName, roleStandardDenyMap);
    domWildcardRoleDenyMap.put(domainName, roleWildcardDenyMap);
}
Also used : Policy(com.yahoo.athenz.zts.Policy) AssertionEffect(com.yahoo.athenz.zts.AssertionEffect) ZpeMatchEqual(com.yahoo.athenz.zpe.match.impl.ZpeMatchEqual) Struct(com.yahoo.rdl.Struct) SignedPolicyData(com.yahoo.athenz.zts.SignedPolicyData) PolicyData(com.yahoo.athenz.zts.PolicyData) DomainSignedPolicyData(com.yahoo.athenz.zts.DomainSignedPolicyData) DomainSignedPolicyData(com.yahoo.athenz.zts.DomainSignedPolicyData) ArrayList(java.util.ArrayList) List(java.util.List) Struct(com.yahoo.rdl.Struct) SignedPolicyData(com.yahoo.athenz.zts.SignedPolicyData) DomainSignedPolicyData(com.yahoo.athenz.zts.DomainSignedPolicyData) ZpeMatch(com.yahoo.athenz.zpe.match.ZpeMatch) Path(java.nio.file.Path) Assertion(com.yahoo.athenz.zts.Assertion) TreeMap(java.util.TreeMap)

Aggregations

ZpeMatch (com.yahoo.athenz.zpe.match.ZpeMatch)1 ZpeMatchEqual (com.yahoo.athenz.zpe.match.impl.ZpeMatchEqual)1 Assertion (com.yahoo.athenz.zts.Assertion)1 AssertionEffect (com.yahoo.athenz.zts.AssertionEffect)1 DomainSignedPolicyData (com.yahoo.athenz.zts.DomainSignedPolicyData)1 Policy (com.yahoo.athenz.zts.Policy)1 PolicyData (com.yahoo.athenz.zts.PolicyData)1 SignedPolicyData (com.yahoo.athenz.zts.SignedPolicyData)1 Struct (com.yahoo.rdl.Struct)1 Path (java.nio.file.Path)1 ArrayList (java.util.ArrayList)1 List (java.util.List)1 TreeMap (java.util.TreeMap)1