
Example 6 with DomainSignedPolicyData

use of com.yahoo.athenz.zts.DomainSignedPolicyData in project athenz by yahoo.

From class ZpeUpdPolLoader, method loadFile.

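/**
 * Loads and parses the given policy file. The ZTS signature over the signed
 * policy data, and then the ZMS signature embedded inside it, are verified
 * before any of the file's contents are used; a file that cannot be decoded
 * or does not verify is marked invalid in the file status map and leaves the
 * domain policy maps untouched. For a valid file every policy assertion is
 * turned into a {@link Struct} and stored, keyed by role name, in one of the
 * four domain policy maps (standard/wildcard x allow/deny), replacing any
 * previous entry for the domain.
 *
 * @param polFile the policy file; only its name is used, resolved under
 *                {@code polDirName}
 */
private void loadFile(File polFile) {
    String fileName = polFile.getName();
    if (LOG.isDebugEnabled()) {
        LOG.debug("loadFile: file(" + fileName + ")");
    }
    Path path = Paths.get(polDirName + File.separator + fileName);
    DomainSignedPolicyData spols = null;
    try {
        spols = JSON.fromBytes(Files.readAllBytes(path), DomainSignedPolicyData.class);
    } catch (Exception ex) {
        LOG.error("loadFile: unable to decode policy file=" + fileName + " error: " + ex.getMessage());
    }
    if (spols == null) {
        LOG.error("loadFile: unable to decode domain file=" + fileName);
        markPolicyFileInvalid(fileName);
        return;
    }
    // Two signatures protect the file: ZTS signs the SignedPolicyData as a
    // whole, and the ZMS signature carried inside it covers the PolicyData.
    // Nothing in the file is trusted until both have verified.
    SignedPolicyData signedPolicyData = spols.getSignedPolicyData();
    PolicyData policyData = null;
    boolean verified = false;
    if (signedPolicyData != null) {
        verified = verifyPolicySignature(SignUtils.asCanonicalString(signedPolicyData),
                AuthZpeClient.getZtsPublicKey(spols.getKeyId()), spols.getSignature(), "ZTS", fileName);
    }
    if (verified) {
        policyData = signedPolicyData.getPolicyData();
        // a signed envelope without PolicyData must fail verification here
        // rather than be dereferenced once the file is treated as valid
        verified = policyData != null && verifyPolicySignature(SignUtils.asCanonicalString(policyData),
                AuthZpeClient.getZmsPublicKey(signedPolicyData.getZmsKeyId()),
                signedPolicyData.getZmsSignature(), "ZMS", fileName);
    }
    if (!verified) {
        LOG.error("loadFile: policy file=" + fileName + " is invalid");
        markPolicyFileInvalid(fileName);
        return;
    }
    // HAVE: valid policy file
    String domainName = policyData.getDomain();
    if (LOG.isDebugEnabled()) {
        LOG.debug("loadFile: policy file(" + fileName + ") for domain(" + domainName + ") is valid");
    }
    // Process the policies into assertions, process the assertions: action, resource, role.
    // If there is a wildcard in the action or resource, the match object
    // (regex) is computed once here and stored in the assertion Struct, so
    // AuthZpeClient does not have to rebuild it on every authorization check.
    Map<String, List<Struct>> roleStandardAllowMap = new TreeMap<String, List<Struct>>();
    Map<String, List<Struct>> roleWildcardAllowMap = new TreeMap<String, List<Struct>>();
    Map<String, List<Struct>> roleStandardDenyMap = new TreeMap<String, List<Struct>>();
    Map<String, List<Struct>> roleWildcardDenyMap = new TreeMap<String, List<Struct>>();
    List<Policy> policies = policyData.getPolicies();
    // a verified file with no policy list still counts as valid: it simply
    // yields empty maps for the domain
    if (policies != null) {
        for (Policy policy : policies) {
            String pname = policy.getName();
            if (LOG.isDebugEnabled()) {
                LOG.debug("loadFile: domain(" + domainName + ") policy(" + pname + ")");
            }
            List<Assertion> assertions = policy.getAssertions();
            if (assertions == null) {
                continue;
            }
            for (Assertion assertion : assertions) {
                Struct strAssert = new Struct();
                strAssert.put(ZpeConsts.ZPE_FIELD_POLICY_NAME, pname);
                strAssert.put(ZpeConsts.ZPE_ACTION_MATCH_STRUCT, getMatchObject(assertion.getAction()));
                String passertResource = assertion.getResource();
                String rsrc = AuthZpeClient.stripDomainPrefix(passertResource, domainName, passertResource);
                strAssert.put(ZpeConsts.ZPE_FIELD_RESOURCE, rsrc);
                strAssert.put(ZpeConsts.ZPE_RESOURCE_MATCH_STRUCT, getMatchObject(rsrc));
                String passertRole = assertion.getRole();
                String pRoleName = AuthZpeClient.stripDomainPrefix(passertRole, domainName, passertRole);
                // strip the "role." prefix too; the dot is escaped so that a
                // role whose name merely starts with "role" (e.g. "rolex") is
                // not truncated and attributed to a different role
                pRoleName = pRoleName.replaceFirst("^role\\.", "");
                strAssert.put(ZpeConsts.ZPE_FIELD_ROLE, pRoleName);
                ZpeMatch roleMatch = getMatchObject(pRoleName);
                strAssert.put(ZpeConsts.ZPE_ROLE_MATCH_STRUCT, roleMatch);
                // the assertion effect and the shape of the role name (exact
                // vs wildcard) select which of the four maps receives it
                AssertionEffect passertEffect = assertion.getEffect();
                boolean deny = passertEffect != null && "DENY".equals(passertEffect.toString());
                boolean exactRole = roleMatch instanceof ZpeMatchEqual;
                Map<String, List<Struct>> roleMap;
                if (deny) {
                    roleMap = exactRole ? roleStandardDenyMap : roleWildcardDenyMap;
                } else {
                    roleMap = exactRole ? roleStandardAllowMap : roleWildcardAllowMap;
                }
                List<Struct> assertList = roleMap.get(pRoleName);
                if (assertList == null) {
                    assertList = new ArrayList<Struct>();
                    roleMap.put(pRoleName, assertList);
                }
                assertList.add(strAssert);
            }
        }
    }
    ZpeFileStatus fstat = getFileStatusMap().get(fileName);
    if (fstat != null) {
        fstat.validPolFile = true;
        fstat.domain = domainName;
    }
    domStandardRoleAllowMap.put(domainName, roleStandardAllowMap);
    domWildcardRoleAllowMap.put(domainName, roleWildcardAllowMap);
    domStandardRoleDenyMap.put(domainName, roleStandardDenyMap);
    domWildcardRoleDenyMap.put(domainName, roleWildcardDenyMap);
}

/**
 * Verifies {@code signature} over {@code canonicalData} with {@code pubKey}.
 * A missing key (unknown key id) or missing signature can never verify, so
 * the failure is logged and reported without relying on how
 * {@code Crypto.verify} treats null arguments.
 *
 * @param canonicalData canonical string form of the signed structure
 * @param pubKey        public key looked up for the file's key id, may be null
 * @param signature     signature string from the file, may be null
 * @param signer        "ZTS" or "ZMS", for the log message only
 * @param fileName      policy file name, for the log message only
 * @return true only if the signature verifies
 */
private boolean verifyPolicySignature(String canonicalData, java.security.PublicKey pubKey,
        String signature, String signer, String fileName) {
    if (pubKey == null || signature == null) {
        LOG.error("loadFile: missing " + signer + " public key or signature for policy file=" + fileName);
        return false;
    }
    return Crypto.verify(canonicalData, pubKey, signature);
}

/**
 * Records the named policy file as invalid in the file status map, if the
 * file is tracked there.
 *
 * @param fileName policy file name used as the status map key
 */
private void markPolicyFileInvalid(String fileName) {
    ZpeFileStatus fstat = getFileStatusMap().get(fileName);
    if (fstat != null) {
        fstat.validPolFile = false;
    }
}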

Example 7 with DomainSignedPolicyData

use of com.yahoo.athenz.zts.DomainSignedPolicyData in project athenz by yahoo.

From class PolicyUpdater, method policyUpdater.

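/**
 * Fetches the signed policy data for every configured domain from ZTS, writes
 * each set that passes validation to the policy directory, and finally posts
 * the domain metrics files. A domain whose fetch fails or returns no data is
 * logged and skipped; the remaining domains are still processed.
 *
 * @param configuration updater configuration providing the domain list
 * @param ztsFactory    factory for the ZTS client used for the whole run
 * @throws Exception if the configuration has no domain list, or if the ZTS
 *                   client cannot be created or closed
 */
static void policyUpdater(PolicyUpdaterConfiguration configuration, ZTSClientFactory ztsFactory) throws Exception {
    try (ZTSClient zts = ztsFactory.create()) {
        List<String> domainList = configuration.getDomainList();
        LOG.info("policyUpdater: Number of domains to process:" + (domainList == null ? 0 : domainList.size()));
        if (domainList == null) {
            LOG.error("policyUpdater: no domain list to process from configuration");
            throw new Exception("no configured domains to process");
        }
        for (String domain : domainList) {
            LOG.info("Fetching signed policies for domain:" + domain);
            // the ETag of a still-valid local copy lets ZTS answer with no
            // body when nothing changed; null forces an unconditional fetch
            String matchingTag = getEtagForExistingPolicy(zts, configuration, domain);
            Map<String, List<String>> responseHeaders = null;
            DomainSignedPolicyData domainSignedPolicyData;
            try {
                domainSignedPolicyData = zts.getDomainSignedPolicyData(domain, matchingTag, responseHeaders);
            } catch (Exception exc) {
                // skip straight to the next domain so a failed fetch is not
                // reported below as "not updated since last fetch"
                LOG.error("PolicyUpdater: Unable to retrieve policies from zts for domain=" + domain, exc);
                continue;
            }
            if (domainSignedPolicyData == null) {
                if (matchingTag != null && !matchingTag.isEmpty()) {
                    LOG.info("PolicyUpdater: Policies not updated since last fetch time");
                } else {
                    // no tag was sent, so an empty response is not a not-modified
                    // answer and should not pass silently
                    LOG.error("PolicyUpdater: no policy data returned from zts for domain=" + domain);
                }
            } else if (validateSignedPolicies(zts, configuration, domainSignedPolicyData, domain)) {
                writePolicies(configuration, domain, domainSignedPolicyData);
            }
        }
        // now push the domain metrics files
        postDomainMetrics(zts);
    }
}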

Example 8 with DomainSignedPolicyData

use of com.yahoo.athenz.zts.DomainSignedPolicyData in project athenz by yahoo.

From class PolicyUpdater, method getEtagForExistingPolicy.

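/**
 * Returns the ETag to send to ZTS for {@code domain}'s locally stored policy
 * file, or {@code null} when the policies must be fetched unconditionally:
 * the file is missing, cannot be parsed or validated, carries no modified
 * timestamp, or expires within the configured startup delay interval.
 *
 * @param zts           client handed to {@code validateSignedPolicies}
 * @param configuration configuration providing the policy directory and the
 *                      startup delay interval
 * @param domain        domain whose local policy file is inspected
 * @return the quoted modified timestamp of the local file, or {@code null}
 * @throws IllegalArgumentException if {@code domain} is null or no policy
 *                                  directory is configured
 */
static String getEtagForExistingPolicy(ZTSClient zts, PolicyUpdaterConfiguration configuration, String domain) {
    if (domain == null) {
        throw new IllegalArgumentException("getEtagForExistingPolicy: null parameters are not valid arguments");
    }
    String policyDir = configuration.getPolicyFileDir();
    if (policyDir == null) {
        throw new IllegalArgumentException("getEtagForExistingPolicy: Invalid configuration: no policy directory path");
    }
    String policyDirPath = policyDir.endsWith(File.separator) ? policyDir : policyDir + File.separator;
    String policyFile = policyDirPath + domain + POLICY_FILE_EXTENSION;
    LOG.info("Decoding " + policyFile + " to retrieve eTag from policy file.");
    File file = new File(policyFile);
    if (!file.exists()) {
        LOG.info("Policy file not found.");
        return null;
    }
    DomainSignedPolicyData domainSignedPolicyData;
    try {
        domainSignedPolicyData = JSON.fromBytes(Files.readAllBytes(file.toPath()), DomainSignedPolicyData.class);
    } catch (Exception ex) {
        LOG.info("Unable to parse domain signed policy file: " + policyFile, ex);
        return null;
    }
    // JSON.fromBytes may also yield null instead of throwing; passing null on
    // to validateSignedPolicies would raise IllegalArgumentException, whereas
    // an unreadable local file should just trigger a fresh fetch
    if (domainSignedPolicyData == null) {
        LOG.info("Unable to parse domain signed policy file: " + policyFile);
        return null;
    }
    if (!validateSignedPolicies(zts, configuration, domainSignedPolicyData, domain)) {
        LOG.info("Unable to validate domain signed policy file: " + policyFile);
        return null;
    }
    // Check expiration of policies and if it is less than the configured interval defined by user
    // to get updated policy then return null so that the policies are updated
    LOG.info("Checking expiration time for: " + domain);
    // assumed non-null once validateSignedPolicies has accepted the file
    com.yahoo.athenz.zts.SignedPolicyData signedPolicyData = domainSignedPolicyData.getSignedPolicyData();
    Timestamp expires = signedPolicyData.getExpires();
    if (expires == null) {
        // without an expiration we cannot tell the file is still good; refetch
        LOG.info("Signed policies for domain:" + domain + " have no expiration, returning null.");
        return null;
    }
    long now = System.currentTimeMillis() / 1000;
    long expiresSecs = expires.millis() / 1000;
    long startupDelayInterval = configuration.getStartupDelayIntervalInSecs();
    LOG.info("Expiration time for " + domain + " is: " + expiresSecs);
    LOG.info("Startup delay: " + startupDelayInterval);
    LOG.info("Current time: " + now);
    if (expiresSecs - now < startupDelayInterval) {
        LOG.info("Signed policies for domain:" + domain + " are expired, returning null.");
        return null;
    }
    Timestamp modified = signedPolicyData.getModified();
    if (modified == null) {
        LOG.info("No ETag found.");
        return null;
    }
    // ETags are quoted-strings based on the HTTP RFC
    // http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.11
    // so we're going to quote our modified timestamp
    String etag = "\"" + modified.toString() + "\"";
    LOG.info("ETag: " + etag);
    return etag;
}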

Example 9 with DomainSignedPolicyData

use of com.yahoo.athenz.zts.DomainSignedPolicyData in project athenz by yahoo.

From class PolicyUpdaterTest, method TestVerifySignature.

/**
 * Exercises PolicyUpdater.validateSignedPolicies: a freshly signed sample
 * file must pass, while a missing ZTS key, a missing ZMS key, a file
 * tampered after ZTS signing, and a file tampered after ZMS signing must all
 * be rejected; null data or a null domain must raise IllegalArgumentException.
 */
@Test
public void TestVerifySignature() throws Exception {
    PolicyUpdaterConfiguration realConfig = new PolicyUpdaterConfiguration();
    realConfig.init(pathToAthenzConfigFile, pathToZPUConfigFile);
    // produce a freshly signed copy of the sample policy file with the test keys
    SignPoliciesUtility.signPolicies("./src/test/resources/zts_private_k0.pem", "./src/test/resources/zms_private_k0.pem", "./src/test/resources/sys.auth.pol", "./src/test/resources/sys.auth.new.pol");
    DomainSignedPolicyData signedData = readSignedPolicyData("./src/test/resources/sys.auth.new.pol");
    Assert.assertTrue(PolicyUpdater.validateSignedPolicies(null, realConfig, signedData, "sys.auth.new"));
    // negative test with tampered publickey - zts pubkey failure
    PolicyUpdaterConfiguration noZtsKeyConfig = Mockito.mock(PolicyUpdaterConfiguration.class);
    Mockito.when(noZtsKeyConfig.getZtsPublicKey(Mockito.any(ZTSClient.class), Mockito.<String>any())).thenReturn(null);
    Assert.assertFalse(PolicyUpdater.validateSignedPolicies(null, noZtsKeyConfig, signedData, "sys.auth.new"));
    // negative test with tampered publickey - zms pubkey failure
    PublicKey ztsKey = Crypto.loadPublicKey(Crypto.ybase64DecodeString("LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZ3d0" + "RRWUpLb1pJaHZjTkFRRUJCUUFEU3dBd1NBSkJBTHpmU09UUUpmRW0xZW00TD" + "Nza3lOVlEvYngwTU9UcQphK1J3T0gzWmNNS3lvR3hPSm85QXllUmE2RlhNbX" + "ZKSkdZczVQMzRZc3pGcG5qMnVBYmkyNG5FQ0F3RUFBUT09Ci0tLS0tRU5EIF" + "BVQkxJQyBLRVktLS0tLQo-"));
    PolicyUpdaterConfiguration noZmsKeyConfig = Mockito.mock(PolicyUpdaterConfiguration.class);
    Mockito.when(noZmsKeyConfig.getZtsPublicKey(Mockito.any(ZTSClient.class), Mockito.<String>any())).thenReturn(ztsKey);
    Mockito.when(noZmsKeyConfig.getZmsPublicKey(Mockito.any(ZTSClient.class), Mockito.<String>any())).thenReturn(null);
    Assert.assertFalse(PolicyUpdater.validateSignedPolicies(null, noZmsKeyConfig, signedData, "sys.auth.new"));
    // negative test with tampered expiration - zts signature failure
    DomainSignedPolicyData ztsTampered = readSignedPolicyData("./src/test/resources/sys.auth.pol.tampered.zts");
    Assert.assertFalse(PolicyUpdater.validateSignedPolicies(null, realConfig, ztsTampered, "sys.auth.new"));
    // negative test with tampered actions - zms signature failure
    DomainSignedPolicyData zmsTampered = readSignedPolicyData("./src/test/resources/sys.auth.pol.tampered.zms");
    Assert.assertFalse(PolicyUpdater.validateSignedPolicies(null, realConfig, zmsTampered, "sys.auth.new"));
    // Test error handling for illegal arguments
    assertValidateRejectsArguments(realConfig, null, "sys.auth.new");
    assertValidateRejectsArguments(realConfig, zmsTampered, null);
}

/**
 * Reads and decodes a DomainSignedPolicyData JSON file from the given location.
 */
private static DomainSignedPolicyData readSignedPolicyData(String location) throws Exception {
    return JSON.fromBytes(Files.readAllBytes(Paths.get(location)), DomainSignedPolicyData.class);
}

/**
 * Asserts that validateSignedPolicies throws IllegalArgumentException for the
 * given (invalid) arguments.
 */
private static void assertValidateRejectsArguments(PolicyUpdaterConfiguration config,
        DomainSignedPolicyData data, String domain) {
    try {
        PolicyUpdater.validateSignedPolicies(null, config, data, domain);
        Assert.fail("expected IllegalArgumentException");
    } catch (IllegalArgumentException expected) {
        // the rejection we were looking for
    }
}

Example 10 with DomainSignedPolicyData

use of com.yahoo.athenz.zts.DomainSignedPolicyData in project athenz by yahoo.

From class PolicyUpdaterTest, method TestValidateExpiredPolicies.

/**
 * Checks that PolicyUpdater.validateSignedPolicies rejects the policy data the
 * ZTS mock serves for "expiredDomain" (presumably a set whose expiration has
 * already passed — the mock's contents are not visible here).
 */
@Test
public void TestValidateExpiredPolicies() throws Exception {
    PolicyUpdaterConfiguration config = new PolicyUpdaterConfiguration();
    config.init(pathToAthenzConfigFile, pathToZPUConfigFile);
    ZTSMock ztsMock = new ZTSMock();
    ztsMock.setPublicKeyId("0");
    DomainSignedPolicyData expiredPolicies = ztsMock.getDomainSignedPolicyData("expiredDomain", null, null);
    boolean accepted = PolicyUpdater.validateSignedPolicies(null, config, expiredPolicies, "expiredDomain");
    Assert.assertFalse(accepted);
}
