
Example 1 with DomainSignedPolicyData

use of com.yahoo.athenz.zts.DomainSignedPolicyData in project athenz by yahoo.

From class PolicyUpdater, method validateSignedPolicies.

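/**
 * Validates a domain's signed policy document as returned by ZTS.
 *
 * The document carries two signatures: the ZTS signature over the canonical form of the
 * signed policy data (which includes the ZMS signature, ZMS key id and the expiry) and the
 * ZMS signature over the canonical form of the policy data itself. Both must verify against
 * the public keys that {@code configuration} resolves for the advertised key ids, and the
 * document must carry an expiry that has not passed.
 *
 * @param zts ZTS client handed to the configuration's key lookups; the test suite passes
 *            null here, so a configuration that resolves keys locally does not need it
 * @param configuration source of the ZTS and ZMS public keys
 * @param domainSignedPolicyData the document to validate
 * @param domain domain name, used only for logging
 * @return true when the expiry, the ZTS signature and the ZMS signature all check out
 * @throws IllegalArgumentException if configuration, domainSignedPolicyData or domain is null
 */
static boolean validateSignedPolicies(ZTSClient zts, PolicyUpdaterConfiguration configuration, DomainSignedPolicyData domainSignedPolicyData, String domain) {
    if (domainSignedPolicyData == null || domain == null || configuration == null) {
        throw new IllegalArgumentException("null parameters are not valid arguments");
    }
    SignedPolicyData signedPolicyData = domainSignedPolicyData.getSignedPolicyData();
    if (signedPolicyData == null) {
        LOG.error("Signed policy for domain:" + domain + " has no signed policy data.");
        return false;
    }
    LOG.info("Checking expiration time for:" + domain);
    Timestamp expires = signedPolicyData.getExpires();
    // a document without an expiry cannot be shown to be current, so it is rejected like an expired one
    if (expires == null) {
        LOG.error("Signed policy for domain:" + domain + " has no expiration time.");
        return false;
    }
    if (System.currentTimeMillis() > expires.millis()) {
        LOG.error("Signed policy for domain:" + domain + " was expired.");
        return false;
    }
    // first we're going to verify the ZTS signature for the data; it covers the whole signed
    // policy data block, so the expiry checked above is only trustworthy once this passes
    LOG.info("Verifying ZTS signature for: " + domain);
    LOG.debug("Policies retrieved from the ZTS server: " + signedPolicyData);
    String signature = domainSignedPolicyData.getSignature();
    String keyId = domainSignedPolicyData.getKeyId();
    LOG.debug("validateSignedPolicies: domain=" + domain + " zts key id=" + keyId + " Digital ZTS signature=" + signature);
    PublicKey ztsPublicKey = configuration.getZtsPublicKey(zts, keyId);
    if (ztsPublicKey == null) {
        LOG.error("validateSignedPolicies: Missing ZTS Public key for id: " + keyId);
        return false;
    }
    if (!Crypto.verify(SignUtils.asCanonicalString(signedPolicyData), ztsPublicKey, signature)) {
        LOG.error("Signed policy for domain:" + domain + " failed ZTS signature verification.");
        LOG.error("ZTS Signature: " + signature + ". Policies data returned from ZTS: " + signedPolicyData);
        return false;
    }
    // then we're going to verify the ZMS signature, which covers only the policy data
    LOG.info("Verifying ZMS signature for: " + domain);
    PolicyData policyData = signedPolicyData.getPolicyData();
    String zmsSignature = signedPolicyData.getZmsSignature();
    LOG.debug("Digital ZMS signature: " + zmsSignature);
    String zmsKeyId = signedPolicyData.getZmsKeyId();
    LOG.debug("Digital ZMS signature key Id: " + zmsKeyId);
    PublicKey zmsPublicKey = configuration.getZmsPublicKey(zts, zmsKeyId);
    if (zmsPublicKey == null) {
        LOG.error("Missing ZMS Public key with id: " + zmsKeyId);
        return false;
    }
    boolean verified = Crypto.verify(SignUtils.asCanonicalString(policyData), zmsPublicKey, zmsSignature);
    if (!verified) {
        LOG.error("Signed policy for domain:" + domain + " failed ZMS signature verification.");
        LOG.error("ZMS Signature: " + zmsSignature + ". Policies data returned from ZTS: " + policyData);
    }
    return verified;
}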

Example 2 with DomainSignedPolicyData

use of com.yahoo.athenz.zts.DomainSignedPolicyData in project athenz by yahoo.

From class PolicyUpdaterTest, method TestPolicyUpdater.

@Test
public void TestPolicyUpdater() throws Exception {
    PolicyUpdaterConfiguration configuration = new PolicyUpdaterConfiguration();
    configuration.init(pathToAthenzConfigFile, pathToZPUTestConfigFile);
    String policyDir = configuration.getRootDir() + TEST_POLICY_DIR;
    configuration.setPolicyFileDir(policyDir);
    configuration.setPolicyFileTmpDir(configuration.getRootDir() + TEST_POLICY_TEMP_DIR);
    DebugZTSClientFactory ztsFactory = new DebugZTSClientFactory();
    ztsFactory.setPublicKeyId("0");
    // run the updater once; it is expected to write one .pol file per domain into policyDir
    PolicyUpdater.policyUpdater(configuration, ztsFactory);
    // each written file is read back, passed through validateSignedPolicies (which must
    // return true for a correctly signed document) and then removed; the second entry
    // deliberately passes the file name as the domain, as the original test did
    String[][] policyFiles = { { "sports.pol", "sports" }, { "sys.auth.pol", "sys.auth.pol" } };
    for (String[] entry : policyFiles) {
        Path path = Paths.get(policyDir + File.separator + entry[0]);
        DomainSignedPolicyData written = JSON.fromBytes(Files.readAllBytes(path), DomainSignedPolicyData.class);
        Assert.assertTrue(PolicyUpdater.validateSignedPolicies(null, configuration, written, entry[1]));
        Files.delete(path);
    }
}

Example 3 with DomainSignedPolicyData

use of com.yahoo.athenz.zts.DomainSignedPolicyData in project athenz by yahoo.

From class PolicyUpdaterTest, method TestWritePolicies.

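@Test
public void TestWritePolicies() throws Exception {
    Path path = Paths.get("./src/test/resources/sys.auth.pol");
    DomainSignedPolicyData domainPolicySignedDataInput = JSON.fromBytes(Files.readAllBytes(path), DomainSignedPolicyData.class);
    PolicyUpdater.writePolicies(pupConfig, "sys.auth", domainPolicySignedDataInput);
    path = Paths.get(pupConfig.getRootDir() + TEST_POLICY_DIR + "/sys.auth.pol");
    // the written file must parse back as a signed policy document
    JSON.fromBytes(Files.readAllBytes(path), DomainSignedPolicyData.class);
    // test handling of missing tmp dir
    Path sysauthPath = Paths.get(pupConfig.getRootDir() + TEST_POLICY_TEMP_DIR + "/tmp/sys.auth");
    Files.deleteIfExists(sysauthPath);
    sysauthPath = Paths.get(pupConfig.getRootDir() + TEST_POLICY_TEMP_DIR + "/tmp");
    Files.deleteIfExists(sysauthPath);
    File polFile = path.toFile();
    long flen = polFile.length();
    long fmod = polFile.lastModified();
    // lastModified has coarse resolution on some file systems; wait so a rewrite is observable
    Thread.sleep(1000);
    PolicyUpdaterConfiguration config = new PolicyUpdaterConfiguration();
    config.init(pathToAthenzConfigFile, pathToZPUConfigFile);
    config.setPolicyFileTmpDir(pupConfig.getRootDir() + TEST_POLICY_TEMP_DIR + "/tmp");
    config.setPolicyFileDir(pupConfig.getRootDir() + TEST_POLICY_DIR);
    PolicyUpdater.writePolicies(config, "sys.auth", domainPolicySignedDataInput);
    // the rewrite must produce the same content length with a newer modification time
    Assert.assertEquals(polFile.length(), flen);
    Assert.assertTrue(fmod < polFile.lastModified());
    // Test error handling for illegal arguments. Each case is checked on its own; the
    // previous version reused one flag without resetting it, so the last two cases could
    // never fail.
    assertWritePoliciesRejected(null, "sys.auth", domainPolicySignedDataInput);
    config.setPolicyFileTmpDir(null);
    assertWritePoliciesRejected(config, "sys.auth", domainPolicySignedDataInput);
    config.setPolicyFileTmpDir(TEST_POLICY_TEMP_DIR);
    config.setPolicyFileDir(null);
    assertWritePoliciesRejected(config, "sys.auth", domainPolicySignedDataInput);
    config.setPolicyFileDir(TEST_POLICY_DIR);
    assertWritePoliciesRejected(config, null, domainPolicySignedDataInput);
    assertWritePoliciesRejected(config, "sys.auth", null);
    Files.delete(path);
}

/**
 * Asserts that {@code PolicyUpdater.writePolicies} rejects the given arguments with an
 * {@link IllegalArgumentException}. Any other exception propagates and fails the test.
 *
 * @param config configuration to pass, may be null for the null-configuration case
 * @param domain domain name to pass, may be null for the null-domain case
 * @param data policy document to pass, may be null for the null-document case
 * @throws Exception if writePolicies throws anything other than IllegalArgumentException
 */
private static void assertWritePoliciesRejected(PolicyUpdaterConfiguration config, String domain, DomainSignedPolicyData data) throws Exception {
    try {
        PolicyUpdater.writePolicies(config, domain, data);
    } catch (IllegalArgumentException expected) {
        return;
    }
    Assert.fail("writePolicies accepted illegal arguments for domain: " + domain);
}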

Example 4 with DomainSignedPolicyData

use of com.yahoo.athenz.zts.DomainSignedPolicyData in project athenz by yahoo.

From class SignPoliciesUtility, method signPolicies.

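/**
 * Re-signs a policy document and writes the result to a new file.
 *
 * The ZMS signature is recomputed over the canonical policy data, the modified and expires
 * timestamps are refreshed (expiry is one week from now), and the ZTS signature is then
 * recomputed over the canonical signed policy data. Both key ids are set to "0".
 *
 * This is a command-line helper: on an I/O failure it reports the error on stdout and
 * terminates the JVM, so callers never observe a null return.
 *
 * @param ztsPrivateKeyPath path of the PEM file holding the ZTS private key
 * @param zmsPrivateKeyPath path of the PEM file holding the ZMS private key
 * @param signedPolicyFile path of the JSON policy document to re-sign
 * @param newPolicyFile path the re-signed document is written to
 * @return the etag value, i.e. the new modified timestamp wrapped in double quotes
 */
static String signPolicies(String ztsPrivateKeyPath, String zmsPrivateKeyPath, String signedPolicyFile, String newPolicyFile) {
    String etag = null;
    try {
        PrivateKey ztsPrivateKey = Crypto.loadPrivateKey(readUtf8File(ztsPrivateKeyPath));
        PrivateKey zmsPrivateKey = Crypto.loadPrivateKey(readUtf8File(zmsPrivateKeyPath));
        DomainSignedPolicyData domainSignedPolicyData = JSON.fromBytes(Files.readAllBytes(Paths.get(signedPolicyFile)), DomainSignedPolicyData.class);
        SignedPolicyData signedPolicyData = domainSignedPolicyData.getSignedPolicyData();
        PolicyData policyData = signedPolicyData.getPolicyData();
        // inner signature: ZMS signs only the policy data
        signedPolicyData.setZmsSignature(Crypto.sign(SignUtils.asCanonicalString(policyData), zmsPrivateKey));
        signedPolicyData.setZmsKeyId("0");
        long curTime = System.currentTimeMillis();
        Timestamp modified = Timestamp.fromMillis(curTime);
        signedPolicyData.setModified(modified);
        final long oneWeekMillis = 1000L * 60 * 60 * 24 * 7;
        signedPolicyData.setExpires(Timestamp.fromMillis(curTime + oneWeekMillis));
        // outer signature: ZTS signs the signed policy data, which now carries the ZMS
        // signature and the fresh timestamps
        String signature = Crypto.sign(SignUtils.asCanonicalString(signedPolicyData), ztsPrivateKey);
        domainSignedPolicyData.setSignature(signature).setKeyId("0");
        // Files.write creates or truncates the target itself, so no separate createNewFile call is needed
        Files.write(Paths.get(newPolicyFile), JSON.bytes(domainSignedPolicyData));
        etag = "\"" + modified.toString() + "\"";
    } catch (IOException e) {
        // print the exception type as well: the message alone is often just a path
        System.out.println("Exception: " + e);
        System.exit(-1);
    }
    System.out.println("Signed " + newPolicyFile + " policy file");
    return etag;
}

/**
 * Reads a whole file as UTF-8 text. The PEM key files read here are ASCII, so decoding
 * them with the platform default charset (what {@code new String(byte[])} does) only adds
 * a dependency on the environment.
 *
 * @param filePath path of the file to read
 * @return the file contents decoded as UTF-8
 * @throws IOException if the file cannot be read
 */
private static String readUtf8File(String filePath) throws IOException {
    return new String(Files.readAllBytes(Paths.get(filePath)), "UTF-8");
}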

Example 5 with DomainSignedPolicyData

use of com.yahoo.athenz.zts.DomainSignedPolicyData in project athenz by yahoo.

From class TestAuthZpe, method beforeClass.

@BeforeClass
public void beforeClass() throws IOException {
    Path path = Paths.get("./src/test/resources/zts_private_k0.pem");
    ztsPrivateKeyK0 = Crypto.loadPrivateKey(new String((Files.readAllBytes(path))));
    path = Paths.get("./src/test/resources/zms_private_k0.pem");
    zmsPrivateKeyK0 = Crypto.loadPrivateKey(new String((Files.readAllBytes(path))));
    path = Paths.get("./src/test/resources/zts_private_k1.pem");
    ztsPrivateKeyK1 = Crypto.loadPrivateKey(new String((Files.readAllBytes(path))));
    path = Paths.get("./src/test/resources/zts_private_k17.pem");
    ztsPrivateKeyK17 = Crypto.loadPrivateKey(new String((Files.readAllBytes(path))));
    path = Paths.get("./src/test/resources/zts_private_k99.pem");
    ztsPrivateKeyK99 = Crypto.loadPrivateKey(new String((Files.readAllBytes(path))));
    List<String> roles = new ArrayList<String>();
    roles.add("public");
    rToken0AnglerPublic = createRoleToken("angler", roles, "0");
    rToken0AnglerExpirePublic = createRoleToken("angler", roles, "0", 3);
    rToken0CoreTechPublic = createRoleToken("coretech", roles, "0");
    rToken0EmptyPublic = createRoleToken("empty", roles, "0");
    roles = new ArrayList<String>();
    roles.add("admin");
    rToken0AnglerAdmin = createRoleToken("angler", roles, "0");
    rToken0SportsAdmin = createRoleToken("sports", roles, "0");
    rToken1SportsAdmin = createRoleToken("sports", roles, "1");
    roles = new ArrayList<String>();
    roles.add("pachinko");
    rToken0AnglerPachinko = createRoleToken("angler", roles, "0");
    roles = new ArrayList<String>();
    roles.add("full_regex");
    roles.add("matchall");
    roles.add("matchstarts");
    roles.add("matchcompare");
    roles.add("matchregex");
    rToken0AnglerRegex = createRoleToken("angler", roles, "0");
    // NOTE: we will create file with different suffix so as not to confuse
    // ZPE update-load thread due to possible timing issue.
    // Then rename it with ".pol" suffix afterwards.
    // Issue: file is created, but file is empty because it has not
    // been written out yet - thus zpe thinks its a bad file and will
    // wait for it to get updated before trying to reload.
    // Ouch, but the file doesnt get a change in modified timestamp so zpe
    // never reloads.
    path = Paths.get("./src/test/resources/angler.pol");
    DomainSignedPolicyData domainSignedPolicyData = JSON.fromBytes(Files.readAllBytes(path), DomainSignedPolicyData.class);
    SignedPolicyData signedPolicyData = domainSignedPolicyData.getSignedPolicyData();
    String signature = Crypto.sign(SignUtils.asCanonicalString(signedPolicyData.getPolicyData()), zmsPrivateKeyK0);
    signedPolicyData.setZmsSignature(signature).setZmsKeyId("0");
    signature = Crypto.sign(SignUtils.asCanonicalString(signedPolicyData), ztsPrivateKeyK0);
    domainSignedPolicyData.setSignature(signature).setKeyId("0");
    File file = new File("./src/test/resources/pol_dir/angler.gen");
    file.createNewFile();
    Files.write(file.toPath(), JSON.bytes(domainSignedPolicyData));
    File renamedFile = new File("./src/test/resources/pol_dir/angler.pol");
    file.renameTo(renamedFile);
    path = Paths.get("./src/test/resources/sports.pol");
    domainSignedPolicyData = JSON.fromBytes(Files.readAllBytes(path), DomainSignedPolicyData.class);
    signedPolicyData = domainSignedPolicyData.getSignedPolicyData();
    signature = Crypto.sign(SignUtils.asCanonicalString(signedPolicyData.getPolicyData()), zmsPrivateKeyK0);
    signedPolicyData.setZmsSignature(signature).setZmsKeyId("0");
    signature = Crypto.sign(SignUtils.asCanonicalString(signedPolicyData), ztsPrivateKeyK1);
    domainSignedPolicyData.setSignature(signature).setKeyId("1");
    file = new File("./src/test/resources/pol_dir/sports.gen");
    file.createNewFile();
    Files.write(file.toPath(), JSON.bytes(domainSignedPolicyData));
    renamedFile = new File("./src/test/resources/pol_dir/sports.pol");
    file.renameTo(renamedFile);
    path = Paths.get("./src/test/resources/empty.pol");
    domainSignedPolicyData = JSON.fromBytes(Files.readAllBytes(path), DomainSignedPolicyData.class);
    signedPolicyData = domainSignedPolicyData.getSignedPolicyData();
    signature = Crypto.sign(SignUtils.asCanonicalString(signedPolicyData.getPolicyData()), zmsPrivateKeyK0);
    signedPolicyData.setZmsSignature(signature).setZmsKeyId("0");
    signature = Crypto.sign(SignUtils.asCanonicalString(signedPolicyData), ztsPrivateKeyK0);
    domainSignedPolicyData.setSignature(signature).setKeyId("0");
    file = new File("./src/test/resources/pol_dir/empty.gen");
    file.createNewFile();
    Files.write(file.toPath(), JSON.bytes(domainSignedPolicyData));
    renamedFile = new File("./src/test/resources/pol_dir/empty.pol");
    file.renameTo(renamedFile);
    String issuers = "C=US, ST=CA, O=Athenz, OU=Testing Domain, CN=angler:role.public | C=US, ST=CA, O=Athenz, OU=Testing Domain2, CN=angler:role.public | C=US, ST=CA, O=Athenz, OU=Testing Domain, CN=angler.test:role.public";
    System.setProperty(ZpeConsts.ZPE_PROP_X509_CA_ISSUERS, issuers);
}
