use of com.yahoo.athenz.zts.AssertionEffect in project athenz by yahoo.
the class ZpeUpdPolLoader method loadFile.
/**
* Loads and parses the given file. It will create the domain assertion
* list per role and put it into the domain policy maps(domRoleMap, domWildcardRoleMap).
*/
private void loadFile(File polFile) {
if (LOG.isDebugEnabled()) {
LOG.debug("loadFile: file(" + polFile.getName() + ")");
}
Path path = Paths.get(polDirName + File.separator + polFile.getName());
DomainSignedPolicyData spols = null;
try {
spols = JSON.fromBytes(Files.readAllBytes(path), DomainSignedPolicyData.class);
} catch (Exception ex) {
LOG.error("loadFile: unable to decode policy file=" + polFile.getName() + " error: " + ex.getMessage());
}
if (spols == null) {
LOG.error("loadFile: unable to decode domain file=" + polFile.getName());
// mark this as an invalid file
Map<String, ZpeFileStatus> fsmap = getFileStatusMap();
ZpeFileStatus fstat = fsmap.get(polFile.getName());
if (fstat != null) {
fstat.validPolFile = false;
}
return;
}
SignedPolicyData signedPolicyData = spols.getSignedPolicyData();
String signature = spols.getSignature();
String keyId = spols.getKeyId();
// first let's verify the ZTS signature for our policy file
boolean verified = false;
if (signedPolicyData != null) {
java.security.PublicKey pubKey = AuthZpeClient.getZtsPublicKey(keyId);
verified = Crypto.verify(SignUtils.asCanonicalString(signedPolicyData), pubKey, signature);
}
PolicyData policyData = null;
if (verified) {
// now let's verify that the ZMS signature for our policy file
policyData = signedPolicyData.getPolicyData();
signature = signedPolicyData.getZmsSignature();
keyId = signedPolicyData.getZmsKeyId();
if (policyData != null) {
java.security.PublicKey pubKey = AuthZpeClient.getZmsPublicKey(keyId);
verified = Crypto.verify(SignUtils.asCanonicalString(policyData), pubKey, signature);
}
}
if (verified == false) {
LOG.error("loadFile: policy file=" + polFile.getName() + " is invalid");
// mark this as an invalid file
Map<String, ZpeFileStatus> fsmap = getFileStatusMap();
ZpeFileStatus fstat = fsmap.get(polFile.getName());
if (fstat != null) {
fstat.validPolFile = false;
}
return;
}
// HAVE: valid policy file
String domainName = policyData.getDomain();
if (LOG.isDebugEnabled()) {
LOG.debug("loadFile: policy file(" + polFile.getName() + ") for domain(" + domainName + ") is valid");
}
// Process the policies into assertions, process the assertions: action, resource, role
// If there is a wildcard in the action or resource, compile the
// regexpr and place it into the assertion Struct.
// This is a performance enhancement for AuthZpeClient when it
// performs the authorization checks.
Map<String, List<Struct>> roleStandardAllowMap = new TreeMap<String, List<Struct>>();
Map<String, List<Struct>> roleWildcardAllowMap = new TreeMap<String, List<Struct>>();
Map<String, List<Struct>> roleStandardDenyMap = new TreeMap<String, List<Struct>>();
Map<String, List<Struct>> roleWildcardDenyMap = new TreeMap<String, List<Struct>>();
List<Policy> policies = policyData.getPolicies();
for (Policy policy : policies) {
String pname = policy.getName();
if (LOG.isDebugEnabled()) {
LOG.debug("loadFile: domain(" + domainName + ") policy(" + pname + ")");
}
List<Assertion> assertions = policy.getAssertions();
if (assertions == null) {
continue;
}
for (Assertion assertion : assertions) {
com.yahoo.rdl.Struct strAssert = new Struct();
strAssert.put(ZpeConsts.ZPE_FIELD_POLICY_NAME, pname);
String passertAction = assertion.getAction();
ZpeMatch matchStruct = getMatchObject(passertAction);
strAssert.put(ZpeConsts.ZPE_ACTION_MATCH_STRUCT, matchStruct);
String passertResource = assertion.getResource();
String rsrc = AuthZpeClient.stripDomainPrefix(passertResource, domainName, passertResource);
strAssert.put(ZpeConsts.ZPE_FIELD_RESOURCE, rsrc);
matchStruct = getMatchObject(rsrc);
strAssert.put(ZpeConsts.ZPE_RESOURCE_MATCH_STRUCT, matchStruct);
String passertRole = assertion.getRole();
String pRoleName = AuthZpeClient.stripDomainPrefix(passertRole, domainName, passertRole);
// strip the prefix "role." too
pRoleName = pRoleName.replaceFirst("^role.", "");
strAssert.put(ZpeConsts.ZPE_FIELD_ROLE, pRoleName);
// based on the effect and role name determine what
// map we're going to use
Map<String, List<Struct>> roleMap = null;
AssertionEffect passertEffect = assertion.getEffect();
matchStruct = getMatchObject(pRoleName);
strAssert.put(ZpeConsts.ZPE_ROLE_MATCH_STRUCT, matchStruct);
if (passertEffect != null && passertEffect.toString().compareTo("DENY") == 0) {
if (matchStruct instanceof ZpeMatchEqual) {
roleMap = roleStandardDenyMap;
} else {
roleMap = roleWildcardDenyMap;
}
} else {
if (matchStruct instanceof ZpeMatchEqual) {
roleMap = roleStandardAllowMap;
} else {
roleMap = roleWildcardAllowMap;
}
}
List<Struct> assertList = roleMap.get(pRoleName);
if (assertList == null) {
assertList = new ArrayList<Struct>();
roleMap.put(pRoleName, assertList);
}
assertList.add(strAssert);
}
}
Map<String, ZpeFileStatus> fsmap = getFileStatusMap();
ZpeFileStatus fstat = fsmap.get(polFile.getName());
if (fstat != null) {
fstat.validPolFile = true;
fstat.domain = domainName;
}
domStandardRoleAllowMap.put(domainName, roleStandardAllowMap);
domWildcardRoleAllowMap.put(domainName, roleWildcardAllowMap);
domStandardRoleDenyMap.put(domainName, roleStandardDenyMap);
domWildcardRoleDenyMap.put(domainName, roleWildcardDenyMap);
}
Aggregations