use of com.yahoo.athenz.zts.PolicyData in project athenz by yahoo.
the class PolicyUpdater method validateSignedPolicies.
static boolean validateSignedPolicies(ZTSClient zts, PolicyUpdaterConfiguration configuration, DomainSignedPolicyData domainSignedPolicyData, String domain) {
if (domainSignedPolicyData == null || domain == null) {
throw new IllegalArgumentException("null parameters are not valid arguments");
}
LOG.info("Checking expiration time for:" + domain);
Timestamp expires = domainSignedPolicyData.getSignedPolicyData().getExpires();
if (System.currentTimeMillis() > expires.millis()) {
LOG.error("Signed policy for domain:" + domain + " was expired.");
return false;
}
// first we're going to verify the ZTS signature for the data
LOG.info("Verifying ZTS signature for: " + domain);
SignedPolicyData signedPolicyData = domainSignedPolicyData.getSignedPolicyData();
LOG.debug("Policies retrieved from the ZTS server: " + signedPolicyData);
String signature = domainSignedPolicyData.getSignature();
String keyId = domainSignedPolicyData.getKeyId();
LOG.debug("validateSignedPolicies: domain=" + domain + " zts key id=" + keyId + " Digital ZTS signature=" + signature);
PublicKey ztsPublicKey = configuration.getZtsPublicKey(zts, keyId);
if (ztsPublicKey == null) {
LOG.error("validateSignedPolicies: Missing ZTS Public key for id: " + keyId);
return false;
}
boolean verified = Crypto.verify(SignUtils.asCanonicalString(signedPolicyData), ztsPublicKey, signature);
if (verified == false) {
LOG.error("Signed policy for domain:" + domain + " failed ZTS signature verification.");
LOG.error("ZTS Signature: " + signature + ". Policies data returned from ZTS: " + signedPolicyData);
return false;
}
// then we're going to verify the ZMS signature for the policy data
LOG.info("Verifying ZMS signature for: " + domain);
PolicyData policyData = signedPolicyData.getPolicyData();
signature = signedPolicyData.getZmsSignature();
LOG.debug("Digital ZMS signature: " + signature);
keyId = signedPolicyData.getZmsKeyId();
LOG.debug("Digital ZMS signature key Id: " + keyId);
PublicKey zmsPublicKey = configuration.getZmsPublicKey(zts, keyId);
if (zmsPublicKey == null) {
LOG.error("Missing ZMS Public key with id: " + keyId);
return false;
}
verified = Crypto.verify(SignUtils.asCanonicalString(policyData), zmsPublicKey, signature);
if (verified == false) {
LOG.error("Signed policy for domain:" + domain + " failed ZMS signature verification.");
LOG.error("ZMS Signature: " + signature + ". Policies data returned from ZTS: " + policyData);
}
return verified;
}
use of com.yahoo.athenz.zts.PolicyData in project athenz by yahoo.
the class SignPoliciesUtility method signPolicies.
static String signPolicies(String ztsPrivateKeyPath, String zmsPrivateKeyPath, String signedPolicyFile, String newPolicyFile) {
String etag = null;
try {
Path path = Paths.get(ztsPrivateKeyPath);
PrivateKey ztsPrivateKey = Crypto.loadPrivateKey(new String((Files.readAllBytes(path))));
path = Paths.get(zmsPrivateKeyPath);
PrivateKey zmsPrivateKey = Crypto.loadPrivateKey(new String((Files.readAllBytes(path))));
path = Paths.get(signedPolicyFile);
DomainSignedPolicyData domainSignedPolicyData = JSON.fromBytes(Files.readAllBytes(path), DomainSignedPolicyData.class);
SignedPolicyData signedPolicyData = domainSignedPolicyData.getSignedPolicyData();
PolicyData policyData = signedPolicyData.getPolicyData();
signedPolicyData.setZmsSignature(Crypto.sign(SignUtils.asCanonicalString(policyData), zmsPrivateKey));
signedPolicyData.setZmsKeyId("0");
long curTime = System.currentTimeMillis();
Timestamp modified = Timestamp.fromMillis(curTime);
signedPolicyData.setModified(modified);
Timestamp expires = Timestamp.fromMillis(curTime + (1000L * 60 * 60 * 24 * 7));
signedPolicyData.setExpires(expires);
String signature = Crypto.sign(SignUtils.asCanonicalString(signedPolicyData), ztsPrivateKey);
domainSignedPolicyData.setSignature(signature).setKeyId("0");
File file = new File(newPolicyFile);
file.createNewFile();
Files.write(file.toPath(), JSON.bytes(domainSignedPolicyData));
etag = "\"" + modified.toString() + "\"";
} catch (IOException e) {
System.out.println("Exception: " + e.getMessage());
System.exit(-1);
}
System.out.println("Signed " + newPolicyFile + " policy file");
return etag;
}
use of com.yahoo.athenz.zts.PolicyData in project athenz by yahoo.
the class ZpeUpdPolLoader method loadFile.
/**
* Loads and parses the given file. It will create the domain assertion
* list per role and put it into the domain policy maps(domRoleMap, domWildcardRoleMap).
*/
private void loadFile(File polFile) {
if (LOG.isDebugEnabled()) {
LOG.debug("loadFile: file(" + polFile.getName() + ")");
}
Path path = Paths.get(polDirName + File.separator + polFile.getName());
DomainSignedPolicyData spols = null;
try {
spols = JSON.fromBytes(Files.readAllBytes(path), DomainSignedPolicyData.class);
} catch (Exception ex) {
LOG.error("loadFile: unable to decode policy file=" + polFile.getName() + " error: " + ex.getMessage());
}
if (spols == null) {
LOG.error("loadFile: unable to decode domain file=" + polFile.getName());
// mark this as an invalid file
Map<String, ZpeFileStatus> fsmap = getFileStatusMap();
ZpeFileStatus fstat = fsmap.get(polFile.getName());
if (fstat != null) {
fstat.validPolFile = false;
}
return;
}
SignedPolicyData signedPolicyData = spols.getSignedPolicyData();
String signature = spols.getSignature();
String keyId = spols.getKeyId();
// first let's verify the ZTS signature for our policy file
boolean verified = false;
if (signedPolicyData != null) {
java.security.PublicKey pubKey = AuthZpeClient.getZtsPublicKey(keyId);
verified = Crypto.verify(SignUtils.asCanonicalString(signedPolicyData), pubKey, signature);
}
PolicyData policyData = null;
if (verified) {
// now let's verify that the ZMS signature for our policy file
policyData = signedPolicyData.getPolicyData();
signature = signedPolicyData.getZmsSignature();
keyId = signedPolicyData.getZmsKeyId();
if (policyData != null) {
java.security.PublicKey pubKey = AuthZpeClient.getZmsPublicKey(keyId);
verified = Crypto.verify(SignUtils.asCanonicalString(policyData), pubKey, signature);
}
}
if (verified == false) {
LOG.error("loadFile: policy file=" + polFile.getName() + " is invalid");
// mark this as an invalid file
Map<String, ZpeFileStatus> fsmap = getFileStatusMap();
ZpeFileStatus fstat = fsmap.get(polFile.getName());
if (fstat != null) {
fstat.validPolFile = false;
}
return;
}
// HAVE: valid policy file
String domainName = policyData.getDomain();
if (LOG.isDebugEnabled()) {
LOG.debug("loadFile: policy file(" + polFile.getName() + ") for domain(" + domainName + ") is valid");
}
// Process the policies into assertions, process the assertions: action, resource, role
// If there is a wildcard in the action or resource, compile the
// regexpr and place it into the assertion Struct.
// This is a performance enhancement for AuthZpeClient when it
// performs the authorization checks.
Map<String, List<Struct>> roleStandardAllowMap = new TreeMap<String, List<Struct>>();
Map<String, List<Struct>> roleWildcardAllowMap = new TreeMap<String, List<Struct>>();
Map<String, List<Struct>> roleStandardDenyMap = new TreeMap<String, List<Struct>>();
Map<String, List<Struct>> roleWildcardDenyMap = new TreeMap<String, List<Struct>>();
List<Policy> policies = policyData.getPolicies();
for (Policy policy : policies) {
String pname = policy.getName();
if (LOG.isDebugEnabled()) {
LOG.debug("loadFile: domain(" + domainName + ") policy(" + pname + ")");
}
List<Assertion> assertions = policy.getAssertions();
if (assertions == null) {
continue;
}
for (Assertion assertion : assertions) {
com.yahoo.rdl.Struct strAssert = new Struct();
strAssert.put(ZpeConsts.ZPE_FIELD_POLICY_NAME, pname);
String passertAction = assertion.getAction();
ZpeMatch matchStruct = getMatchObject(passertAction);
strAssert.put(ZpeConsts.ZPE_ACTION_MATCH_STRUCT, matchStruct);
String passertResource = assertion.getResource();
String rsrc = AuthZpeClient.stripDomainPrefix(passertResource, domainName, passertResource);
strAssert.put(ZpeConsts.ZPE_FIELD_RESOURCE, rsrc);
matchStruct = getMatchObject(rsrc);
strAssert.put(ZpeConsts.ZPE_RESOURCE_MATCH_STRUCT, matchStruct);
String passertRole = assertion.getRole();
String pRoleName = AuthZpeClient.stripDomainPrefix(passertRole, domainName, passertRole);
// strip the prefix "role." too
pRoleName = pRoleName.replaceFirst("^role.", "");
strAssert.put(ZpeConsts.ZPE_FIELD_ROLE, pRoleName);
// based on the effect and role name determine what
// map we're going to use
Map<String, List<Struct>> roleMap = null;
AssertionEffect passertEffect = assertion.getEffect();
matchStruct = getMatchObject(pRoleName);
strAssert.put(ZpeConsts.ZPE_ROLE_MATCH_STRUCT, matchStruct);
if (passertEffect != null && passertEffect.toString().compareTo("DENY") == 0) {
if (matchStruct instanceof ZpeMatchEqual) {
roleMap = roleStandardDenyMap;
} else {
roleMap = roleWildcardDenyMap;
}
} else {
if (matchStruct instanceof ZpeMatchEqual) {
roleMap = roleStandardAllowMap;
} else {
roleMap = roleWildcardAllowMap;
}
}
List<Struct> assertList = roleMap.get(pRoleName);
if (assertList == null) {
assertList = new ArrayList<Struct>();
roleMap.put(pRoleName, assertList);
}
assertList.add(strAssert);
}
}
Map<String, ZpeFileStatus> fsmap = getFileStatusMap();
ZpeFileStatus fstat = fsmap.get(polFile.getName());
if (fstat != null) {
fstat.validPolFile = true;
fstat.domain = domainName;
}
domStandardRoleAllowMap.put(domainName, roleStandardAllowMap);
domWildcardRoleAllowMap.put(domainName, roleWildcardAllowMap);
domStandardRoleDenyMap.put(domainName, roleStandardDenyMap);
domWildcardRoleDenyMap.put(domainName, roleWildcardDenyMap);
}
use of com.yahoo.athenz.zts.PolicyData in project athenz by yahoo.
the class ZTSMock method getDomainSignedPolicyData.
@Override
public DomainSignedPolicyData getDomainSignedPolicyData(String domainName, String matchingTag, Map<String, List<String>> responseHeaders) {
DomainSignedPolicyData result = null;
if (!domainName.equals("sports") && !domainName.equals("sys.auth") && !domainName.equals("expiredDomain")) {
return result;
}
SignedPolicyData signedPolicyData = new SignedPolicyData();
Timestamp expires;
if (domainName.equals("expiredDomain")) {
expires = Timestamp.fromMillis(System.currentTimeMillis() - (1000L * 60));
} else {
expires = Timestamp.fromMillis(System.currentTimeMillis() + (1000L * 60 * 60 * 24 * 7));
}
signedPolicyData.setExpires(expires);
Timestamp modified = Timestamp.fromMillis(System.currentTimeMillis());
signedPolicyData.setModified(modified);
String policyName = domainName + ":policy." + "admin";
Policy policy = new Policy();
policy.setName(policyName);
Assertion assertion = new Assertion();
assertion.setAction("*");
assertion.setEffect(AssertionEffect.ALLOW);
assertion.setResource("*");
String roleName = domainName + ":role." + "admin";
assertion.setRole(roleName);
List<Assertion> assertList = new ArrayList<Assertion>();
assertList.add(assertion);
assertion = new Assertion();
assertion.setAction("*");
assertion.setEffect(AssertionEffect.DENY);
assertion.setResource("*");
roleName = domainName + ":role." + "non-admin";
assertion.setRole(roleName);
assertList.add(assertion);
policy.setAssertions(assertList);
List<Policy> listOfPolicies = new ArrayList<Policy>();
listOfPolicies.add(policy);
PolicyData policyData = new PolicyData();
policyData.setPolicies(listOfPolicies);
policyData.setDomain(domainName);
signedPolicyData.setPolicyData(policyData);
signedPolicyData.setZmsKeyId("0");
signedPolicyData.setZmsSignature(Crypto.sign(SignUtils.asCanonicalString(policyData), zmsPrivateKeyK0));
DomainSignedPolicyData domainSignedPolicyData = new DomainSignedPolicyData();
domainSignedPolicyData.setSignedPolicyData(signedPolicyData);
PrivateKey ztsKey = null;
if ("0".equals(keyId)) {
ztsKey = ztsPrivateKeyK0;
} else if ("1".equals(keyId)) {
ztsKey = ztsPrivateKeyK1;
}
String signature = Crypto.sign(SignUtils.asCanonicalString(signedPolicyData), ztsKey);
domainSignedPolicyData.setKeyId(keyId);
domainSignedPolicyData.setSignature(signature);
return domainSignedPolicyData;
}
Aggregations