Search in sources :

Example 1 with PolicyData

use of com.yahoo.athenz.zts.PolicyData in project athenz by yahoo.

the class PolicyUpdater method validateSignedPolicies.

static boolean validateSignedPolicies(ZTSClient zts, PolicyUpdaterConfiguration configuration, DomainSignedPolicyData domainSignedPolicyData, String domain) {
    if (domainSignedPolicyData == null || domain == null) {
        throw new IllegalArgumentException("null parameters are not valid arguments");
    }
    LOG.info("Checking expiration time for:" + domain);
    Timestamp expires = domainSignedPolicyData.getSignedPolicyData().getExpires();
    if (System.currentTimeMillis() > expires.millis()) {
        LOG.error("Signed policy for domain:" + domain + " was expired.");
        return false;
    }
    // first we're going to verify the ZTS signature for the data
    LOG.info("Verifying ZTS signature for: " + domain);
    SignedPolicyData signedPolicyData = domainSignedPolicyData.getSignedPolicyData();
    LOG.debug("Policies retrieved from the ZTS server: " + signedPolicyData);
    String signature = domainSignedPolicyData.getSignature();
    String keyId = domainSignedPolicyData.getKeyId();
    LOG.debug("validateSignedPolicies: domain=" + domain + " zts key id=" + keyId + " Digital ZTS signature=" + signature);
    PublicKey ztsPublicKey = configuration.getZtsPublicKey(zts, keyId);
    if (ztsPublicKey == null) {
        LOG.error("validateSignedPolicies: Missing ZTS Public key for id: " + keyId);
        return false;
    }
    boolean verified = Crypto.verify(SignUtils.asCanonicalString(signedPolicyData), ztsPublicKey, signature);
    if (verified == false) {
        LOG.error("Signed policy for domain:" + domain + " failed ZTS signature verification.");
        LOG.error("ZTS Signature: " + signature + ". Policies data returned from ZTS: " + signedPolicyData);
        return false;
    }
    // then we're going to verify the ZMS signature for the policy data
    LOG.info("Verifying ZMS signature for: " + domain);
    PolicyData policyData = signedPolicyData.getPolicyData();
    signature = signedPolicyData.getZmsSignature();
    LOG.debug("Digital ZMS signature: " + signature);
    keyId = signedPolicyData.getZmsKeyId();
    LOG.debug("Digital ZMS signature key Id: " + keyId);
    PublicKey zmsPublicKey = configuration.getZmsPublicKey(zts, keyId);
    if (zmsPublicKey == null) {
        LOG.error("Missing ZMS Public key with id: " + keyId);
        return false;
    }
    verified = Crypto.verify(SignUtils.asCanonicalString(policyData), zmsPublicKey, signature);
    if (verified == false) {
        LOG.error("Signed policy for domain:" + domain + " failed ZMS signature verification.");
        LOG.error("ZMS Signature: " + signature + ". Policies data returned from ZTS: " + policyData);
    }
    return verified;
}
Also used : PublicKey(java.security.PublicKey) SignedPolicyData(com.yahoo.athenz.zts.SignedPolicyData) PolicyData(com.yahoo.athenz.zts.PolicyData) DomainSignedPolicyData(com.yahoo.athenz.zts.DomainSignedPolicyData) SignedPolicyData(com.yahoo.athenz.zts.SignedPolicyData) DomainSignedPolicyData(com.yahoo.athenz.zts.DomainSignedPolicyData) Timestamp(com.yahoo.rdl.Timestamp)

Example 2 with PolicyData

use of com.yahoo.athenz.zts.PolicyData in project athenz by yahoo.

the class SignPoliciesUtility method signPolicies.

static String signPolicies(String ztsPrivateKeyPath, String zmsPrivateKeyPath, String signedPolicyFile, String newPolicyFile) {
    String etag = null;
    try {
        Path path = Paths.get(ztsPrivateKeyPath);
        PrivateKey ztsPrivateKey = Crypto.loadPrivateKey(new String((Files.readAllBytes(path))));
        path = Paths.get(zmsPrivateKeyPath);
        PrivateKey zmsPrivateKey = Crypto.loadPrivateKey(new String((Files.readAllBytes(path))));
        path = Paths.get(signedPolicyFile);
        DomainSignedPolicyData domainSignedPolicyData = JSON.fromBytes(Files.readAllBytes(path), DomainSignedPolicyData.class);
        SignedPolicyData signedPolicyData = domainSignedPolicyData.getSignedPolicyData();
        PolicyData policyData = signedPolicyData.getPolicyData();
        signedPolicyData.setZmsSignature(Crypto.sign(SignUtils.asCanonicalString(policyData), zmsPrivateKey));
        signedPolicyData.setZmsKeyId("0");
        long curTime = System.currentTimeMillis();
        Timestamp modified = Timestamp.fromMillis(curTime);
        signedPolicyData.setModified(modified);
        Timestamp expires = Timestamp.fromMillis(curTime + (1000L * 60 * 60 * 24 * 7));
        signedPolicyData.setExpires(expires);
        String signature = Crypto.sign(SignUtils.asCanonicalString(signedPolicyData), ztsPrivateKey);
        domainSignedPolicyData.setSignature(signature).setKeyId("0");
        File file = new File(newPolicyFile);
        file.createNewFile();
        Files.write(file.toPath(), JSON.bytes(domainSignedPolicyData));
        etag = "\"" + modified.toString() + "\"";
    } catch (IOException e) {
        System.out.println("Exception: " + e.getMessage());
        System.exit(-1);
    }
    System.out.println("Signed " + newPolicyFile + " policy file");
    return etag;
}
Also used : Path(java.nio.file.Path) PrivateKey(java.security.PrivateKey) SignedPolicyData(com.yahoo.athenz.zts.SignedPolicyData) PolicyData(com.yahoo.athenz.zts.PolicyData) DomainSignedPolicyData(com.yahoo.athenz.zts.DomainSignedPolicyData) DomainSignedPolicyData(com.yahoo.athenz.zts.DomainSignedPolicyData) IOException(java.io.IOException) SignedPolicyData(com.yahoo.athenz.zts.SignedPolicyData) DomainSignedPolicyData(com.yahoo.athenz.zts.DomainSignedPolicyData) Timestamp(com.yahoo.rdl.Timestamp) File(java.io.File)

Example 3 with PolicyData

use of com.yahoo.athenz.zts.PolicyData in project athenz by yahoo.

the class ZpeUpdPolLoader method loadFile.

/**
 * Loads and parses the given file. It will create the domain assertion
 * list per role and put it into the domain policy maps(domRoleMap, domWildcardRoleMap).
 */
private void loadFile(File polFile) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("loadFile: file(" + polFile.getName() + ")");
    }
    Path path = Paths.get(polDirName + File.separator + polFile.getName());
    DomainSignedPolicyData spols = null;
    try {
        spols = JSON.fromBytes(Files.readAllBytes(path), DomainSignedPolicyData.class);
    } catch (Exception ex) {
        LOG.error("loadFile: unable to decode policy file=" + polFile.getName() + " error: " + ex.getMessage());
    }
    if (spols == null) {
        LOG.error("loadFile: unable to decode domain file=" + polFile.getName());
        // mark this as an invalid file
        Map<String, ZpeFileStatus> fsmap = getFileStatusMap();
        ZpeFileStatus fstat = fsmap.get(polFile.getName());
        if (fstat != null) {
            fstat.validPolFile = false;
        }
        return;
    }
    SignedPolicyData signedPolicyData = spols.getSignedPolicyData();
    String signature = spols.getSignature();
    String keyId = spols.getKeyId();
    // first let's verify the ZTS signature for our policy file
    boolean verified = false;
    if (signedPolicyData != null) {
        java.security.PublicKey pubKey = AuthZpeClient.getZtsPublicKey(keyId);
        verified = Crypto.verify(SignUtils.asCanonicalString(signedPolicyData), pubKey, signature);
    }
    PolicyData policyData = null;
    if (verified) {
        // now let's verify that the ZMS signature for our policy file
        policyData = signedPolicyData.getPolicyData();
        signature = signedPolicyData.getZmsSignature();
        keyId = signedPolicyData.getZmsKeyId();
        if (policyData != null) {
            java.security.PublicKey pubKey = AuthZpeClient.getZmsPublicKey(keyId);
            verified = Crypto.verify(SignUtils.asCanonicalString(policyData), pubKey, signature);
        }
    }
    if (verified == false) {
        LOG.error("loadFile: policy file=" + polFile.getName() + " is invalid");
        // mark this as an invalid file
        Map<String, ZpeFileStatus> fsmap = getFileStatusMap();
        ZpeFileStatus fstat = fsmap.get(polFile.getName());
        if (fstat != null) {
            fstat.validPolFile = false;
        }
        return;
    }
    // HAVE: valid policy file
    String domainName = policyData.getDomain();
    if (LOG.isDebugEnabled()) {
        LOG.debug("loadFile: policy file(" + polFile.getName() + ") for domain(" + domainName + ") is valid");
    }
    // Process the policies into assertions, process the assertions: action, resource, role
    // If there is a wildcard in the action or resource, compile the
    // regexpr and place it into the assertion Struct.
    // This is a performance enhancement for AuthZpeClient when it
    // performs the authorization checks.
    Map<String, List<Struct>> roleStandardAllowMap = new TreeMap<String, List<Struct>>();
    Map<String, List<Struct>> roleWildcardAllowMap = new TreeMap<String, List<Struct>>();
    Map<String, List<Struct>> roleStandardDenyMap = new TreeMap<String, List<Struct>>();
    Map<String, List<Struct>> roleWildcardDenyMap = new TreeMap<String, List<Struct>>();
    List<Policy> policies = policyData.getPolicies();
    for (Policy policy : policies) {
        String pname = policy.getName();
        if (LOG.isDebugEnabled()) {
            LOG.debug("loadFile: domain(" + domainName + ") policy(" + pname + ")");
        }
        List<Assertion> assertions = policy.getAssertions();
        if (assertions == null) {
            continue;
        }
        for (Assertion assertion : assertions) {
            com.yahoo.rdl.Struct strAssert = new Struct();
            strAssert.put(ZpeConsts.ZPE_FIELD_POLICY_NAME, pname);
            String passertAction = assertion.getAction();
            ZpeMatch matchStruct = getMatchObject(passertAction);
            strAssert.put(ZpeConsts.ZPE_ACTION_MATCH_STRUCT, matchStruct);
            String passertResource = assertion.getResource();
            String rsrc = AuthZpeClient.stripDomainPrefix(passertResource, domainName, passertResource);
            strAssert.put(ZpeConsts.ZPE_FIELD_RESOURCE, rsrc);
            matchStruct = getMatchObject(rsrc);
            strAssert.put(ZpeConsts.ZPE_RESOURCE_MATCH_STRUCT, matchStruct);
            String passertRole = assertion.getRole();
            String pRoleName = AuthZpeClient.stripDomainPrefix(passertRole, domainName, passertRole);
            // strip the prefix "role." too
            pRoleName = pRoleName.replaceFirst("^role.", "");
            strAssert.put(ZpeConsts.ZPE_FIELD_ROLE, pRoleName);
            // based on the effect and role name determine what
            // map we're going to use
            Map<String, List<Struct>> roleMap = null;
            AssertionEffect passertEffect = assertion.getEffect();
            matchStruct = getMatchObject(pRoleName);
            strAssert.put(ZpeConsts.ZPE_ROLE_MATCH_STRUCT, matchStruct);
            if (passertEffect != null && passertEffect.toString().compareTo("DENY") == 0) {
                if (matchStruct instanceof ZpeMatchEqual) {
                    roleMap = roleStandardDenyMap;
                } else {
                    roleMap = roleWildcardDenyMap;
                }
            } else {
                if (matchStruct instanceof ZpeMatchEqual) {
                    roleMap = roleStandardAllowMap;
                } else {
                    roleMap = roleWildcardAllowMap;
                }
            }
            List<Struct> assertList = roleMap.get(pRoleName);
            if (assertList == null) {
                assertList = new ArrayList<Struct>();
                roleMap.put(pRoleName, assertList);
            }
            assertList.add(strAssert);
        }
    }
    Map<String, ZpeFileStatus> fsmap = getFileStatusMap();
    ZpeFileStatus fstat = fsmap.get(polFile.getName());
    if (fstat != null) {
        fstat.validPolFile = true;
        fstat.domain = domainName;
    }
    domStandardRoleAllowMap.put(domainName, roleStandardAllowMap);
    domWildcardRoleAllowMap.put(domainName, roleWildcardAllowMap);
    domStandardRoleDenyMap.put(domainName, roleStandardDenyMap);
    domWildcardRoleDenyMap.put(domainName, roleWildcardDenyMap);
}
Also used : Policy(com.yahoo.athenz.zts.Policy) AssertionEffect(com.yahoo.athenz.zts.AssertionEffect) ZpeMatchEqual(com.yahoo.athenz.zpe.match.impl.ZpeMatchEqual) Struct(com.yahoo.rdl.Struct) SignedPolicyData(com.yahoo.athenz.zts.SignedPolicyData) PolicyData(com.yahoo.athenz.zts.PolicyData) DomainSignedPolicyData(com.yahoo.athenz.zts.DomainSignedPolicyData) DomainSignedPolicyData(com.yahoo.athenz.zts.DomainSignedPolicyData) ArrayList(java.util.ArrayList) List(java.util.List) Struct(com.yahoo.rdl.Struct) SignedPolicyData(com.yahoo.athenz.zts.SignedPolicyData) DomainSignedPolicyData(com.yahoo.athenz.zts.DomainSignedPolicyData) ZpeMatch(com.yahoo.athenz.zpe.match.ZpeMatch) Path(java.nio.file.Path) Assertion(com.yahoo.athenz.zts.Assertion) TreeMap(java.util.TreeMap)

Example 4 with PolicyData

use of com.yahoo.athenz.zts.PolicyData in project athenz by yahoo.

the class ZTSMock method getDomainSignedPolicyData.

@Override
public DomainSignedPolicyData getDomainSignedPolicyData(String domainName, String matchingTag, Map<String, List<String>> responseHeaders) {
    DomainSignedPolicyData result = null;
    if (!domainName.equals("sports") && !domainName.equals("sys.auth") && !domainName.equals("expiredDomain")) {
        return result;
    }
    SignedPolicyData signedPolicyData = new SignedPolicyData();
    Timestamp expires;
    if (domainName.equals("expiredDomain")) {
        expires = Timestamp.fromMillis(System.currentTimeMillis() - (1000L * 60));
    } else {
        expires = Timestamp.fromMillis(System.currentTimeMillis() + (1000L * 60 * 60 * 24 * 7));
    }
    signedPolicyData.setExpires(expires);
    Timestamp modified = Timestamp.fromMillis(System.currentTimeMillis());
    signedPolicyData.setModified(modified);
    String policyName = domainName + ":policy." + "admin";
    Policy policy = new Policy();
    policy.setName(policyName);
    Assertion assertion = new Assertion();
    assertion.setAction("*");
    assertion.setEffect(AssertionEffect.ALLOW);
    assertion.setResource("*");
    String roleName = domainName + ":role." + "admin";
    assertion.setRole(roleName);
    List<Assertion> assertList = new ArrayList<Assertion>();
    assertList.add(assertion);
    assertion = new Assertion();
    assertion.setAction("*");
    assertion.setEffect(AssertionEffect.DENY);
    assertion.setResource("*");
    roleName = domainName + ":role." + "non-admin";
    assertion.setRole(roleName);
    assertList.add(assertion);
    policy.setAssertions(assertList);
    List<Policy> listOfPolicies = new ArrayList<Policy>();
    listOfPolicies.add(policy);
    PolicyData policyData = new PolicyData();
    policyData.setPolicies(listOfPolicies);
    policyData.setDomain(domainName);
    signedPolicyData.setPolicyData(policyData);
    signedPolicyData.setZmsKeyId("0");
    signedPolicyData.setZmsSignature(Crypto.sign(SignUtils.asCanonicalString(policyData), zmsPrivateKeyK0));
    DomainSignedPolicyData domainSignedPolicyData = new DomainSignedPolicyData();
    domainSignedPolicyData.setSignedPolicyData(signedPolicyData);
    PrivateKey ztsKey = null;
    if ("0".equals(keyId)) {
        ztsKey = ztsPrivateKeyK0;
    } else if ("1".equals(keyId)) {
        ztsKey = ztsPrivateKeyK1;
    }
    String signature = Crypto.sign(SignUtils.asCanonicalString(signedPolicyData), ztsKey);
    domainSignedPolicyData.setKeyId(keyId);
    domainSignedPolicyData.setSignature(signature);
    return domainSignedPolicyData;
}
Also used : Policy(com.yahoo.athenz.zts.Policy) PrivateKey(java.security.PrivateKey) Assertion(com.yahoo.athenz.zts.Assertion) ArrayList(java.util.ArrayList) SignedPolicyData(com.yahoo.athenz.zts.SignedPolicyData) PolicyData(com.yahoo.athenz.zts.PolicyData) DomainSignedPolicyData(com.yahoo.athenz.zts.DomainSignedPolicyData) DomainSignedPolicyData(com.yahoo.athenz.zts.DomainSignedPolicyData) SignedPolicyData(com.yahoo.athenz.zts.SignedPolicyData) DomainSignedPolicyData(com.yahoo.athenz.zts.DomainSignedPolicyData) Timestamp(com.yahoo.rdl.Timestamp)

Aggregations

DomainSignedPolicyData (com.yahoo.athenz.zts.DomainSignedPolicyData)4 PolicyData (com.yahoo.athenz.zts.PolicyData)4 SignedPolicyData (com.yahoo.athenz.zts.SignedPolicyData)4 Timestamp (com.yahoo.rdl.Timestamp)3 Assertion (com.yahoo.athenz.zts.Assertion)2 Policy (com.yahoo.athenz.zts.Policy)2 Path (java.nio.file.Path)2 PrivateKey (java.security.PrivateKey)2 ArrayList (java.util.ArrayList)2 ZpeMatch (com.yahoo.athenz.zpe.match.ZpeMatch)1 ZpeMatchEqual (com.yahoo.athenz.zpe.match.impl.ZpeMatchEqual)1 AssertionEffect (com.yahoo.athenz.zts.AssertionEffect)1 Struct (com.yahoo.rdl.Struct)1 File (java.io.File)1 IOException (java.io.IOException)1 PublicKey (java.security.PublicKey)1 List (java.util.List)1 TreeMap (java.util.TreeMap)1