Example 1 with SignedPolicyData
use of com.yahoo.athenz.zts.SignedPolicyData in project athenz by yahoo.
the class PolicyUpdater method validateSignedPolicies.
static boolean validateSignedPolicies(ZTSClient zts, PolicyUpdaterConfiguration configuration, DomainSignedPolicyData domainSignedPolicyData, String domain) {
if (domainSignedPolicyData == null || domain == null) {
throw new IllegalArgumentException("null parameters are not valid arguments");
}
LOG.info("Checking expiration time for:" + domain);
Timestamp expires = domainSignedPolicyData.getSignedPolicyData().getExpires();
if (System.currentTimeMillis() > expires.millis()) {
LOG.error("Signed policy for domain:" + domain + " was expired.");
return false;
}
// first we're going to verify the ZTS signature for the data
LOG.info("Verifying ZTS signature for: " + domain);
SignedPolicyData signedPolicyData = domainSignedPolicyData.getSignedPolicyData();
LOG.debug("Policies retrieved from the ZTS server: " + signedPolicyData);
String signature = domainSignedPolicyData.getSignature();
String keyId = domainSignedPolicyData.getKeyId();
LOG.debug("validateSignedPolicies: domain=" + domain + " zts key id=" + keyId + " Digital ZTS signature=" + signature);
PublicKey ztsPublicKey = configuration.getZtsPublicKey(zts, keyId);
if (ztsPublicKey == null) {
LOG.error("validateSignedPolicies: Missing ZTS Public key for id: " + keyId);
return false;
}
boolean verified = Crypto.verify(SignUtils.asCanonicalString(signedPolicyData), ztsPublicKey, signature);
if (verified == false) {
LOG.error("Signed policy for domain:" + domain + " failed ZTS signature verification.");
LOG.error("ZTS Signature: " + signature + ". Policies data returned from ZTS: " + signedPolicyData);
return false;
}
// then we're going to verify the ZMS signature for the policy data
LOG.info("Verifying ZMS signature for: " + domain);
PolicyData policyData = signedPolicyData.getPolicyData();
signature = signedPolicyData.getZmsSignature();
LOG.debug("Digital ZMS signature: " + signature);
keyId = signedPolicyData.getZmsKeyId();
LOG.debug("Digital ZMS signature key Id: " + keyId);
PublicKey zmsPublicKey = configuration.getZmsPublicKey(zts, keyId);
if (zmsPublicKey == null) {
LOG.error("Missing ZMS Public key with id: " + keyId);
return false;
}
verified = Crypto.verify(SignUtils.asCanonicalString(policyData), zmsPublicKey, signature);
if (verified == false) {
LOG.error("Signed policy for domain:" + domain + " failed ZMS signature verification.");
LOG.error("ZMS Signature: " + signature + ". Policies data returned from ZTS: " + policyData);
}
return verified;
}
Also used :
PublicKey(java.security.PublicKey)
SignedPolicyData(com.yahoo.athenz.zts.SignedPolicyData)
PolicyData(com.yahoo.athenz.zts.PolicyData)
DomainSignedPolicyData(com.yahoo.athenz.zts.DomainSignedPolicyData)
SignedPolicyData(com.yahoo.athenz.zts.SignedPolicyData)
DomainSignedPolicyData(com.yahoo.athenz.zts.DomainSignedPolicyData)
Timestamp(com.yahoo.rdl.Timestamp)
Example 2 with SignedPolicyData
use of com.yahoo.athenz.zts.SignedPolicyData in project athenz by yahoo.
the class SignPoliciesUtility method signPolicies.
static String signPolicies(String ztsPrivateKeyPath, String zmsPrivateKeyPath, String signedPolicyFile, String newPolicyFile) {
String etag = null;
try {
Path path = Paths.get(ztsPrivateKeyPath);
PrivateKey ztsPrivateKey = Crypto.loadPrivateKey(new String((Files.readAllBytes(path))));
path = Paths.get(zmsPrivateKeyPath);
PrivateKey zmsPrivateKey = Crypto.loadPrivateKey(new String((Files.readAllBytes(path))));
path = Paths.get(signedPolicyFile);
DomainSignedPolicyData domainSignedPolicyData = JSON.fromBytes(Files.readAllBytes(path), DomainSignedPolicyData.class);
SignedPolicyData signedPolicyData = domainSignedPolicyData.getSignedPolicyData();
PolicyData policyData = signedPolicyData.getPolicyData();
signedPolicyData.setZmsSignature(Crypto.sign(SignUtils.asCanonicalString(policyData), zmsPrivateKey));
signedPolicyData.setZmsKeyId("0");
long curTime = System.currentTimeMillis();
Timestamp modified = Timestamp.fromMillis(curTime);
signedPolicyData.setModified(modified);
Timestamp expires = Timestamp.fromMillis(curTime + (1000L * 60 * 60 * 24 * 7));
signedPolicyData.setExpires(expires);
String signature = Crypto.sign(SignUtils.asCanonicalString(signedPolicyData), ztsPrivateKey);
domainSignedPolicyData.setSignature(signature).setKeyId("0");
File file = new File(newPolicyFile);
file.createNewFile();
Files.write(file.toPath(), JSON.bytes(domainSignedPolicyData));
etag = "\"" + modified.toString() + "\"";
} catch (IOException e) {
System.out.println("Exception: " + e.getMessage());
System.exit(-1);
}
System.out.println("Signed " + newPolicyFile + " policy file");
return etag;
}
Also used :
Path(java.nio.file.Path)
PrivateKey(java.security.PrivateKey)
SignedPolicyData(com.yahoo.athenz.zts.SignedPolicyData)
PolicyData(com.yahoo.athenz.zts.PolicyData)
DomainSignedPolicyData(com.yahoo.athenz.zts.DomainSignedPolicyData)
DomainSignedPolicyData(com.yahoo.athenz.zts.DomainSignedPolicyData)
IOException(java.io.IOException)
SignedPolicyData(com.yahoo.athenz.zts.SignedPolicyData)
DomainSignedPolicyData(com.yahoo.athenz.zts.DomainSignedPolicyData)
Timestamp(com.yahoo.rdl.Timestamp)
File(java.io.File)
Example 3 with SignedPolicyData
use of com.yahoo.athenz.zts.SignedPolicyData in project athenz by yahoo.
the class TestAuthZpe method beforeClass.
@BeforeClass
public void beforeClass() throws IOException {
Path path = Paths.get("./src/test/resources/zts_private_k0.pem");
ztsPrivateKeyK0 = Crypto.loadPrivateKey(new String((Files.readAllBytes(path))));
path = Paths.get("./src/test/resources/zms_private_k0.pem");
zmsPrivateKeyK0 = Crypto.loadPrivateKey(new String((Files.readAllBytes(path))));
path = Paths.get("./src/test/resources/zts_private_k1.pem");
ztsPrivateKeyK1 = Crypto.loadPrivateKey(new String((Files.readAllBytes(path))));
path = Paths.get("./src/test/resources/zts_private_k17.pem");
ztsPrivateKeyK17 = Crypto.loadPrivateKey(new String((Files.readAllBytes(path))));
path = Paths.get("./src/test/resources/zts_private_k99.pem");
ztsPrivateKeyK99 = Crypto.loadPrivateKey(new String((Files.readAllBytes(path))));
List<String> roles = new ArrayList<String>();
roles.add("public");
rToken0AnglerPublic = createRoleToken("angler", roles, "0");
rToken0AnglerExpirePublic = createRoleToken("angler", roles, "0", 3);
rToken0CoreTechPublic = createRoleToken("coretech", roles, "0");
rToken0EmptyPublic = createRoleToken("empty", roles, "0");
roles = new ArrayList<String>();
roles.add("admin");
rToken0AnglerAdmin = createRoleToken("angler", roles, "0");
rToken0SportsAdmin = createRoleToken("sports", roles, "0");
rToken1SportsAdmin = createRoleToken("sports", roles, "1");
roles = new ArrayList<String>();
roles.add("pachinko");
rToken0AnglerPachinko = createRoleToken("angler", roles, "0");
roles = new ArrayList<String>();
roles.add("full_regex");
roles.add("matchall");
roles.add("matchstarts");
roles.add("matchcompare");
roles.add("matchregex");
rToken0AnglerRegex = createRoleToken("angler", roles, "0");
// NOTE: we will create file with different suffix so as not to confuse
// ZPE update-load thread due to possible timing issue.
// Then rename it with ".pol" suffix afterwards.
// Issue: file is created, but file is empty because it has not
// been written out yet - thus zpe thinks its a bad file and will
// wait for it to get updated before trying to reload.
// Ouch, but the file doesnt get a change in modified timestamp so zpe
// never reloads.
path = Paths.get("./src/test/resources/angler.pol");
DomainSignedPolicyData domainSignedPolicyData = JSON.fromBytes(Files.readAllBytes(path), DomainSignedPolicyData.class);
SignedPolicyData signedPolicyData = domainSignedPolicyData.getSignedPolicyData();
String signature = Crypto.sign(SignUtils.asCanonicalString(signedPolicyData.getPolicyData()), zmsPrivateKeyK0);
signedPolicyData.setZmsSignature(signature).setZmsKeyId("0");
signature = Crypto.sign(SignUtils.asCanonicalString(signedPolicyData), ztsPrivateKeyK0);
domainSignedPolicyData.setSignature(signature).setKeyId("0");
File file = new File("./src/test/resources/pol_dir/angler.gen");
file.createNewFile();
Files.write(file.toPath(), JSON.bytes(domainSignedPolicyData));
File renamedFile = new File("./src/test/resources/pol_dir/angler.pol");
file.renameTo(renamedFile);
path = Paths.get("./src/test/resources/sports.pol");
domainSignedPolicyData = JSON.fromBytes(Files.readAllBytes(path), DomainSignedPolicyData.class);
signedPolicyData = domainSignedPolicyData.getSignedPolicyData();
signature = Crypto.sign(SignUtils.asCanonicalString(signedPolicyData.getPolicyData()), zmsPrivateKeyK0);
signedPolicyData.setZmsSignature(signature).setZmsKeyId("0");
signature = Crypto.sign(SignUtils.asCanonicalString(signedPolicyData), ztsPrivateKeyK1);
domainSignedPolicyData.setSignature(signature).setKeyId("1");
file = new File("./src/test/resources/pol_dir/sports.gen");
file.createNewFile();
Files.write(file.toPath(), JSON.bytes(domainSignedPolicyData));
renamedFile = new File("./src/test/resources/pol_dir/sports.pol");
file.renameTo(renamedFile);
path = Paths.get("./src/test/resources/empty.pol");
domainSignedPolicyData = JSON.fromBytes(Files.readAllBytes(path), DomainSignedPolicyData.class);
signedPolicyData = domainSignedPolicyData.getSignedPolicyData();
signature = Crypto.sign(SignUtils.asCanonicalString(signedPolicyData.getPolicyData()), zmsPrivateKeyK0);
signedPolicyData.setZmsSignature(signature).setZmsKeyId("0");
signature = Crypto.sign(SignUtils.asCanonicalString(signedPolicyData), ztsPrivateKeyK0);
domainSignedPolicyData.setSignature(signature).setKeyId("0");
file = new File("./src/test/resources/pol_dir/empty.gen");
file.createNewFile();
Files.write(file.toPath(), JSON.bytes(domainSignedPolicyData));
renamedFile = new File("./src/test/resources/pol_dir/empty.pol");
file.renameTo(renamedFile);
String issuers = "C=US, ST=CA, O=Athenz, OU=Testing Domain, CN=angler:role.public | C=US, ST=CA, O=Athenz, OU=Testing Domain2, CN=angler:role.public | C=US, ST=CA, O=Athenz, OU=Testing Domain, CN=angler.test:role.public";
System.setProperty(ZpeConsts.ZPE_PROP_X509_CA_ISSUERS, issuers);
}
Also used :
Path(java.nio.file.Path)
ArrayList(java.util.ArrayList)
DomainSignedPolicyData(com.yahoo.athenz.zts.DomainSignedPolicyData)
SignedPolicyData(com.yahoo.athenz.zts.SignedPolicyData)
DomainSignedPolicyData(com.yahoo.athenz.zts.DomainSignedPolicyData)
File(java.io.File)
BeforeClass(org.testng.annotations.BeforeClass)
Example 4 with SignedPolicyData
use of com.yahoo.athenz.zts.SignedPolicyData in project athenz by yahoo.
the class ZpeUpdPolLoader method loadFile.
/**
* Loads and parses the given file. It will create the domain assertion
* list per role and put it into the domain policy maps(domRoleMap, domWildcardRoleMap).
*/
private void loadFile(File polFile) {
if (LOG.isDebugEnabled()) {
LOG.debug("loadFile: file(" + polFile.getName() + ")");
}
Path path = Paths.get(polDirName + File.separator + polFile.getName());
DomainSignedPolicyData spols = null;
try {
spols = JSON.fromBytes(Files.readAllBytes(path), DomainSignedPolicyData.class);
} catch (Exception ex) {
LOG.error("loadFile: unable to decode policy file=" + polFile.getName() + " error: " + ex.getMessage());
}
if (spols == null) {
LOG.error("loadFile: unable to decode domain file=" + polFile.getName());
// mark this as an invalid file
Map<String, ZpeFileStatus> fsmap = getFileStatusMap();
ZpeFileStatus fstat = fsmap.get(polFile.getName());
if (fstat != null) {
fstat.validPolFile = false;
}
return;
}
SignedPolicyData signedPolicyData = spols.getSignedPolicyData();
String signature = spols.getSignature();
String keyId = spols.getKeyId();
// first let's verify the ZTS signature for our policy file
boolean verified = false;
if (signedPolicyData != null) {
java.security.PublicKey pubKey = AuthZpeClient.getZtsPublicKey(keyId);
verified = Crypto.verify(SignUtils.asCanonicalString(signedPolicyData), pubKey, signature);
}
PolicyData policyData = null;
if (verified) {
// now let's verify that the ZMS signature for our policy file
policyData = signedPolicyData.getPolicyData();
signature = signedPolicyData.getZmsSignature();
keyId = signedPolicyData.getZmsKeyId();
if (policyData != null) {
java.security.PublicKey pubKey = AuthZpeClient.getZmsPublicKey(keyId);
verified = Crypto.verify(SignUtils.asCanonicalString(policyData), pubKey, signature);
}
}
if (verified == false) {
LOG.error("loadFile: policy file=" + polFile.getName() + " is invalid");
// mark this as an invalid file
Map<String, ZpeFileStatus> fsmap = getFileStatusMap();
ZpeFileStatus fstat = fsmap.get(polFile.getName());
if (fstat != null) {
fstat.validPolFile = false;
}
return;
}
// HAVE: valid policy file
String domainName = policyData.getDomain();
if (LOG.isDebugEnabled()) {
LOG.debug("loadFile: policy file(" + polFile.getName() + ") for domain(" + domainName + ") is valid");
}
// Process the policies into assertions, process the assertions: action, resource, role
// If there is a wildcard in the action or resource, compile the
// regexpr and place it into the assertion Struct.
// This is a performance enhancement for AuthZpeClient when it
// performs the authorization checks.
Map<String, List<Struct>> roleStandardAllowMap = new TreeMap<String, List<Struct>>();
Map<String, List<Struct>> roleWildcardAllowMap = new TreeMap<String, List<Struct>>();
Map<String, List<Struct>> roleStandardDenyMap = new TreeMap<String, List<Struct>>();
Map<String, List<Struct>> roleWildcardDenyMap = new TreeMap<String, List<Struct>>();
List<Policy> policies = policyData.getPolicies();
for (Policy policy : policies) {
String pname = policy.getName();
if (LOG.isDebugEnabled()) {
LOG.debug("loadFile: domain(" + domainName + ") policy(" + pname + ")");
}
List<Assertion> assertions = policy.getAssertions();
if (assertions == null) {
continue;
}
for (Assertion assertion : assertions) {
com.yahoo.rdl.Struct strAssert = new Struct();
strAssert.put(ZpeConsts.ZPE_FIELD_POLICY_NAME, pname);
String passertAction = assertion.getAction();
ZpeMatch matchStruct = getMatchObject(passertAction);
strAssert.put(ZpeConsts.ZPE_ACTION_MATCH_STRUCT, matchStruct);
String passertResource = assertion.getResource();
String rsrc = AuthZpeClient.stripDomainPrefix(passertResource, domainName, passertResource);
strAssert.put(ZpeConsts.ZPE_FIELD_RESOURCE, rsrc);
matchStruct = getMatchObject(rsrc);
strAssert.put(ZpeConsts.ZPE_RESOURCE_MATCH_STRUCT, matchStruct);
String passertRole = assertion.getRole();
String pRoleName = AuthZpeClient.stripDomainPrefix(passertRole, domainName, passertRole);
// strip the prefix "role." too
pRoleName = pRoleName.replaceFirst("^role.", "");
strAssert.put(ZpeConsts.ZPE_FIELD_ROLE, pRoleName);
// based on the effect and role name determine what
// map we're going to use
Map<String, List<Struct>> roleMap = null;
AssertionEffect passertEffect = assertion.getEffect();
matchStruct = getMatchObject(pRoleName);
strAssert.put(ZpeConsts.ZPE_ROLE_MATCH_STRUCT, matchStruct);
if (passertEffect != null && passertEffect.toString().compareTo("DENY") == 0) {
if (matchStruct instanceof ZpeMatchEqual) {
roleMap = roleStandardDenyMap;
} else {
roleMap = roleWildcardDenyMap;
}
} else {
if (matchStruct instanceof ZpeMatchEqual) {
roleMap = roleStandardAllowMap;
} else {
roleMap = roleWildcardAllowMap;
}
}
List<Struct> assertList = roleMap.get(pRoleName);
if (assertList == null) {
assertList = new ArrayList<Struct>();
roleMap.put(pRoleName, assertList);
}
assertList.add(strAssert);
}
}
Map<String, ZpeFileStatus> fsmap = getFileStatusMap();
ZpeFileStatus fstat = fsmap.get(polFile.getName());
if (fstat != null) {
fstat.validPolFile = true;
fstat.domain = domainName;
}
domStandardRoleAllowMap.put(domainName, roleStandardAllowMap);
domWildcardRoleAllowMap.put(domainName, roleWildcardAllowMap);
domStandardRoleDenyMap.put(domainName, roleStandardDenyMap);
domWildcardRoleDenyMap.put(domainName, roleWildcardDenyMap);
}
Also used :
Policy(com.yahoo.athenz.zts.Policy)
AssertionEffect(com.yahoo.athenz.zts.AssertionEffect)
ZpeMatchEqual(com.yahoo.athenz.zpe.match.impl.ZpeMatchEqual)
Struct(com.yahoo.rdl.Struct)
SignedPolicyData(com.yahoo.athenz.zts.SignedPolicyData)
PolicyData(com.yahoo.athenz.zts.PolicyData)
DomainSignedPolicyData(com.yahoo.athenz.zts.DomainSignedPolicyData)
DomainSignedPolicyData(com.yahoo.athenz.zts.DomainSignedPolicyData)
ArrayList(java.util.ArrayList)
List(java.util.List)
Struct(com.yahoo.rdl.Struct)
SignedPolicyData(com.yahoo.athenz.zts.SignedPolicyData)
DomainSignedPolicyData(com.yahoo.athenz.zts.DomainSignedPolicyData)
ZpeMatch(com.yahoo.athenz.zpe.match.ZpeMatch)
Path(java.nio.file.Path)
Assertion(com.yahoo.athenz.zts.Assertion)
TreeMap(java.util.TreeMap)
Example 5 with SignedPolicyData
use of com.yahoo.athenz.zts.SignedPolicyData in project athenz by yahoo.
the class ZTSMock method getDomainSignedPolicyData.
@Override
public DomainSignedPolicyData getDomainSignedPolicyData(String domainName, String matchingTag, Map<String, List<String>> responseHeaders) {
DomainSignedPolicyData result = null;
if (!domainName.equals("sports") && !domainName.equals("sys.auth") && !domainName.equals("expiredDomain")) {
return result;
}
SignedPolicyData signedPolicyData = new SignedPolicyData();
Timestamp expires;
if (domainName.equals("expiredDomain")) {
expires = Timestamp.fromMillis(System.currentTimeMillis() - (1000L * 60));
} else {
expires = Timestamp.fromMillis(System.currentTimeMillis() + (1000L * 60 * 60 * 24 * 7));
}
signedPolicyData.setExpires(expires);
Timestamp modified = Timestamp.fromMillis(System.currentTimeMillis());
signedPolicyData.setModified(modified);
String policyName = domainName + ":policy." + "admin";
Policy policy = new Policy();
policy.setName(policyName);
Assertion assertion = new Assertion();
assertion.setAction("*");
assertion.setEffect(AssertionEffect.ALLOW);
assertion.setResource("*");
String roleName = domainName + ":role." + "admin";
assertion.setRole(roleName);
List<Assertion> assertList = new ArrayList<Assertion>();
assertList.add(assertion);
assertion = new Assertion();
assertion.setAction("*");
assertion.setEffect(AssertionEffect.DENY);
assertion.setResource("*");
roleName = domainName + ":role." + "non-admin";
assertion.setRole(roleName);
assertList.add(assertion);
policy.setAssertions(assertList);
List<Policy> listOfPolicies = new ArrayList<Policy>();
listOfPolicies.add(policy);
PolicyData policyData = new PolicyData();
policyData.setPolicies(listOfPolicies);
policyData.setDomain(domainName);
signedPolicyData.setPolicyData(policyData);
signedPolicyData.setZmsKeyId("0");
signedPolicyData.setZmsSignature(Crypto.sign(SignUtils.asCanonicalString(policyData), zmsPrivateKeyK0));
DomainSignedPolicyData domainSignedPolicyData = new DomainSignedPolicyData();
domainSignedPolicyData.setSignedPolicyData(signedPolicyData);
PrivateKey ztsKey = null;
if ("0".equals(keyId)) {
ztsKey = ztsPrivateKeyK0;
} else if ("1".equals(keyId)) {
ztsKey = ztsPrivateKeyK1;
}
String signature = Crypto.sign(SignUtils.asCanonicalString(signedPolicyData), ztsKey);
domainSignedPolicyData.setKeyId(keyId);
domainSignedPolicyData.setSignature(signature);
return domainSignedPolicyData;
}
Also used :
Policy(com.yahoo.athenz.zts.Policy)
PrivateKey(java.security.PrivateKey)
Assertion(com.yahoo.athenz.zts.Assertion)
ArrayList(java.util.ArrayList)
SignedPolicyData(com.yahoo.athenz.zts.SignedPolicyData)
PolicyData(com.yahoo.athenz.zts.PolicyData)
DomainSignedPolicyData(com.yahoo.athenz.zts.DomainSignedPolicyData)
DomainSignedPolicyData(com.yahoo.athenz.zts.DomainSignedPolicyData)
SignedPolicyData(com.yahoo.athenz.zts.SignedPolicyData)
DomainSignedPolicyData(com.yahoo.athenz.zts.DomainSignedPolicyData)
Timestamp(com.yahoo.rdl.Timestamp)
Aggregations
DomainSignedPolicyData (com.yahoo.athenz.zts.DomainSignedPolicyData)5
SignedPolicyData (com.yahoo.athenz.zts.SignedPolicyData)5
PolicyData (com.yahoo.athenz.zts.PolicyData)4
Timestamp (com.yahoo.rdl.Timestamp)3
Path (java.nio.file.Path)3
ArrayList (java.util.ArrayList)3
Assertion (com.yahoo.athenz.zts.Assertion)2
Policy (com.yahoo.athenz.zts.Policy)2
File (java.io.File)2
PrivateKey (java.security.PrivateKey)2
ZpeMatch (com.yahoo.athenz.zpe.match.ZpeMatch)1
ZpeMatchEqual (com.yahoo.athenz.zpe.match.impl.ZpeMatchEqual)1
AssertionEffect (com.yahoo.athenz.zts.AssertionEffect)1
Struct (com.yahoo.rdl.Struct)1
IOException (java.io.IOException)1
PublicKey (java.security.PublicKey)1
List (java.util.List)1
TreeMap (java.util.TreeMap)1
BeforeClass (org.testng.annotations.BeforeClass)1
