
Example 11 with Policy

use of oasis.names.tc.xacml._3_0.core.schema.wd_17.Policy in project grpc-java by grpc.

the class AuthorizationPolicyTranslator method parseRules.

/**
 * Translates the JSON {@code rules} array of an authorization policy into RBAC policies.
 *
 * <p>Each rule must carry a non-empty {@code "name"}. A missing {@code "source"} yields a
 * principal matching anyone and a missing {@code "request"} yields a permission matching any
 * request, so the rule's scope is only narrowed by what is explicitly present. Entries are keyed
 * {@code <name>_<ruleName>} in insertion order; because the key is simply put into the map, a later
 * rule with the same name replaces the earlier one's policy.
 *
 * @param objects the parsed rule objects
 * @param name the enclosing policy name used as key prefix
 * @return rule key to RBAC policy, in rule order
 * @throws IllegalArgumentException if a rule's name is absent or empty, or if the nested source or
 *     request fails to parse
 */
private static Map<String, Policy> parseRules(List<Map<String, ?>> objects, String name) throws IllegalArgumentException {
    Map<String, Policy> policies = new LinkedHashMap<>();
    for (Map<String, ?> rule : objects) {
        String ruleName = JsonUtil.getString(rule, "name");
        if (ruleName == null || ruleName.isEmpty()) {
            throw new IllegalArgumentException("rule \"name\" is absent or empty");
        }
        // Absent "source": match every principal.
        Map<String, ?> source = JsonUtil.getObject(rule, "source");
        Principal principal = source == null
            ? Principal.newBuilder().setAny(true).build()
            : parseSource(source);
        // Absent "request": match every request.
        Map<String, ?> request = JsonUtil.getObject(rule, "request");
        Permission permission = request == null
            ? Permission.newBuilder().setAny(true).build()
            : parseRequest(request);
        Policy policy = Policy.newBuilder()
            .addPermissions(permission)
            .addPrincipals(principal)
            .build();
        policies.put(name + "_" + ruleName, policy);
    }
    return policies;
}
Also used : Policy(io.envoyproxy.envoy.config.rbac.v3.Policy) ArrayList(java.util.ArrayList) Permission(io.envoyproxy.envoy.config.rbac.v3.Permission) Principal(io.envoyproxy.envoy.config.rbac.v3.Principal) LinkedHashMap(java.util.LinkedHashMap)

Example 12 with Policy

use of oasis.names.tc.xacml._3_0.core.schema.wd_17.Policy in project grpc-java by grpc.

the class RbacFilter method parseRbacConfig.

/**
 * Converts an xDS RBAC filter config into an {@link RbacConfig}.
 *
 * <p>When the filter carries no rules, or its action is {@code LOG}, the result wraps
 * {@code RbacConfig.create(null)}; {@code ALLOW} and {@code DENY} produce an {@link AuthConfig}
 * holding one {@link PolicyMatcher} per policy. Any other action, a policy carrying
 * {@code condition} or {@code checked_condition}, or a failure while parsing a policy's permissions
 * or principals yields an error rather than a partially applied config.
 *
 * @param rbac the filter config to translate
 * @return the translated config, or an error describing why it was rejected
 */
@VisibleForTesting
static ConfigOrError<RbacConfig> parseRbacConfig(RBAC rbac) {
    if (!rbac.hasRules()) {
        return ConfigOrError.fromConfig(RbacConfig.create(null));
    }
    io.envoyproxy.envoy.config.rbac.v3.RBAC rules = rbac.getRules();
    final GrpcAuthorizationEngine.Action authAction;
    switch (rules.getAction()) {
        case ALLOW:
            authAction = GrpcAuthorizationEngine.Action.ALLOW;
            break;
        case DENY:
            authAction = GrpcAuthorizationEngine.Action.DENY;
            break;
        case LOG:
            // LOG produces the same config as having no rules at all.
            return ConfigOrError.fromConfig(RbacConfig.create(null));
        case UNRECOGNIZED:
        default:
            return ConfigOrError.fromError("Unknown rbacConfig action type: " + rules.getAction());
    }
    List<GrpcAuthorizationEngine.PolicyMatcher> matchers = new ArrayList<>();
    for (Map.Entry<String, Policy> entry : rules.getPoliciesMap().entrySet()) {
        String policyName = entry.getKey();
        Policy policy = entry.getValue();
        // Conditions are not evaluated here; reject the policy instead of matching it
        // without its condition, which would apply the policy more broadly than written.
        if (policy.hasCondition() || policy.hasCheckedCondition()) {
            return ConfigOrError.fromError("Policy.condition and Policy.checked_condition must not set: " + policyName);
        }
        try {
            matchers.add(PolicyMatcher.create(
                policyName,
                parsePermissionList(policy.getPermissionsList()),
                parsePrincipalList(policy.getPrincipalsList())));
        } catch (Exception e) {
            // Any malformed policy rejects the whole config.
            return ConfigOrError.fromError("Encountered error parsing policy: " + e);
        }
    }
    return ConfigOrError.fromConfig(RbacConfig.create(AuthConfig.create(matchers, authAction)));
}
Also used : Policy(io.envoyproxy.envoy.config.rbac.v3.Policy) ArrayList(java.util.ArrayList) GrpcAuthorizationEngine(io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine) InvalidProtocolBufferException(com.google.protobuf.InvalidProtocolBufferException) UnknownHostException(java.net.UnknownHostException) PolicyMatcher(io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.PolicyMatcher) Map(java.util.Map) VisibleForTesting(com.google.common.annotations.VisibleForTesting)

Example 13 with Policy

use of oasis.names.tc.xacml._3_0.core.schema.wd_17.Policy in project google-cloud-java by GoogleCloudPlatform.

the class SourceSnippets method setIamPolicySource.

// [END securitycenter_get_source]
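/**
 * Grants a user the {@code roles/securitycenter.findingsEditor} role on a source.
 *
 * <p>The current policy is read first and the new binding is appended to a builder derived from
 * it, so existing bindings are kept and the fields copied from the read policy (presumably
 * including its etag — confirm against the IAM docs) travel with the write.
 *
 * @param sourceName The source to set IAM Policy for.
 * @param userEmail email address of the Google account to grant; sent as the member
 *     {@code user:<userEmail>}
 * @return the policy returned by the service after the update
 * @throws IllegalArgumentException if {@code userEmail} is null or blank
 * @throws RuntimeException if the client cannot be created
 */
// [START securitycenter_set_source_iam]
static Policy setIamPolicySource(SourceName sourceName, String userEmail) {
    // Fail fast: without this check a null or blank email would be sent as the
    // member "user:null" / "user:" instead of being rejected locally.
    if (userEmail == null || userEmail.trim().isEmpty()) {
        throw new IllegalArgumentException("userEmail must not be null or empty");
    }
    try (SecurityCenterClient client = SecurityCenterClient.create()) {
        // userEmail = "someuser@domain.com"
        // Set up IAM Policy for the user userMail to use the role findingsEditor.
        // The user must be a valid google account.
        Policy oldPolicy = client.getIamPolicy(sourceName.toString());
        Binding binding = Binding.newBuilder()
            .setRole("roles/securitycenter.findingsEditor")
            .addMembers("user:" + userEmail)
            .build();
        // Build on the existing policy so previously granted bindings are retained.
        Policy policy = oldPolicy.toBuilder().addBindings(binding).build();
        // Start setting up a request to set IAM policy for a source.
        // SourceName sourceName = SourceName.of("123234324", "423432321");
        SetIamPolicyRequest.Builder request = SetIamPolicyRequest.newBuilder()
            .setPolicy(policy)
            .setResource(sourceName.toString());
        // Call the API.
        Policy response = client.setIamPolicy(request.build());
        System.out.println("Policy: " + response);
        return response;
    } catch (IOException e) {
        throw new RuntimeException("Couldn't create client.", e);
    }
}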
Also used : Policy(com.google.iam.v1.Policy) Binding(com.google.iam.v1.Binding) SetIamPolicyRequest(com.google.iam.v1.SetIamPolicyRequest) IOException(java.io.IOException) SecurityCenterClient(com.google.cloud.securitycenter.v1.SecurityCenterClient)

Example 14 with Policy

use of oasis.names.tc.xacml._3_0.core.schema.wd_17.Policy in project google-cloud-java by GoogleCloudPlatform.

the class SourceSnippets method getIamPolicySource.

// [END securitycenter_set_source_iam]
/**
 * Reads the current IAM policy of a source.
 *
 * @param sourceName The source whose IAM Policy is returned.
 * @return the source's IAM policy as returned by the service
 * @throws RuntimeException if the client cannot be created
 */
// [START securitycenter_get_source_iam]
static Policy getIamPolicySource(SourceName sourceName) {
    // SourceName sourceName = SourceName.of(/*organization=*/"123234324",/*source=*/
    // "423432321");
    try (SecurityCenterClient client = SecurityCenterClient.create()) {
        // The request's resource is the fully qualified source name.
        String resource = sourceName.toString();
        // Call the API.
        Policy current = client.getIamPolicy(
            GetIamPolicyRequest.newBuilder().setResource(resource).build());
        System.out.println("Policy: " + current);
        return current;
    } catch (IOException e) {
        throw new RuntimeException("Couldn't create client.", e);
    }
}
Also used : Policy(com.google.iam.v1.Policy) IOException(java.io.IOException) GetIamPolicyRequest(com.google.iam.v1.GetIamPolicyRequest) SecurityCenterClient(com.google.cloud.securitycenter.v1.SecurityCenterClient)

Example 15 with Policy

use of oasis.names.tc.xacml._3_0.core.schema.wd_17.Policy in project ddf by codice.

the class XacmlClientTest method testWrapperpoliciesdirectorypolicyadded.

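/**
 * Verifies that a policy copied into the PDP's policy directory after start-up is picked up by
 * the directory poll and yields a PERMIT decision for a request it authorizes.
 *
 * <p>The test is timing-based: the polling interval is lowered to one second and the test sleeps
 * two seconds after copying the policy before evaluating.
 */
@Test
public void testWrapperpoliciesdirectorypolicyadded() throws Exception {
    LOGGER.debug("\n\n\n##### testXACMLWrapper_policies_directory_policy_added");
    File policyDir = folder.newFolder("tempDir");
    // Shorten the directory poll so the copied policy is loaded within the sleep below.
    XacmlClient.defaultPollingIntervalInSeconds = 1;
    try {
        // The PDP starts on an empty directory; the policy file is added afterwards.
        XacmlClient pdp = new XacmlClient(policyDir.getCanonicalPath(), new XmlParser(), mock(SecurityLogger.class));
        File srcFile = new File(projectHome + File.separator + RELATIVE_POLICIES_DIR + File.separator + POLICY_FILE);
        FileUtils.copyFileToDirectory(srcFile, policyDir);
        // Wait longer than one polling interval so the new policy is picked up.
        Thread.sleep(2000);

        RequestType xacmlRequestType = new RequestType();
        xacmlRequestType.setCombinedDecision(false);
        xacmlRequestType.setReturnPolicyIdList(false);

        AttributesType actionAttributes = new AttributesType();
        actionAttributes.setCategory(ACTION_CATEGORY);
        actionAttributes.getAttribute().add(stringAttribute(ACTION_ID, QUERY_ACTION));

        AttributesType subjectAttributes = new AttributesType();
        subjectAttributes.setCategory(SUBJECT_CATEGORY);
        subjectAttributes.getAttribute().add(stringAttribute(SUBJECT_ID, TEST_USER_1));
        subjectAttributes.getAttribute().add(stringAttribute(ROLE_CLAIM, ROLE));

        AttributesType categoryAttributes = new AttributesType();
        categoryAttributes.setCategory(PERMISSIONS_CATEGORY);
        categoryAttributes.getAttribute().add(stringAttribute(CITIZENSHIP_ATTRIBUTE, US_COUNTRY));

        xacmlRequestType.getAttributes().add(actionAttributes);
        xacmlRequestType.getAttributes().add(subjectAttributes);
        xacmlRequestType.getAttributes().add(categoryAttributes);

        // Perform Test
        ResponseType xacmlResponse = pdp.evaluate(xacmlRequestType);

        // Verify - The policy was loaded to allow a permit decision
        JAXBContext jaxbContext = JAXBContext.newInstance(ResponseType.class);
        Marshaller marshaller = jaxbContext.createMarshaller();
        ObjectFactory objectFactory = new ObjectFactory();
        Writer writer = new StringWriter();
        marshaller.marshal(objectFactory.createResponse(xacmlResponse), writer);
        LOGGER.debug("\nXACML 3.0 Response:\n{}", writer.toString());
        // JUnit convention: expected value first, actual second.
        assertEquals(DecisionType.PERMIT, xacmlResponse.getResult().get(0).getDecision());
    } finally {
        // Remove the copied policy even when evaluation or the assertion fails.
        FileUtils.deleteDirectory(policyDir);
    }
}

/**
 * Builds a single-valued XACML attribute of the string data type that is not echoed back in
 * the result.
 *
 * @param attributeId the XACML attribute id
 * @param value the single attribute value
 * @return the populated attribute
 */
private AttributeType stringAttribute(String attributeId, Object value) {
    AttributeType attribute = new AttributeType();
    attribute.setAttributeId(attributeId);
    attribute.setIncludeInResult(false);
    AttributeValueType attributeValue = new AttributeValueType();
    attributeValue.setDataType(STRING_DATA_TYPE);
    attributeValue.getContent().add(value);
    attribute.getAttributeValue().add(attributeValue);
    return attribute;
}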
Also used : XmlParser(org.codice.ddf.parser.xml.XmlParser) Marshaller(javax.xml.bind.Marshaller) AttributeValueType(oasis.names.tc.xacml._3_0.core.schema.wd_17.AttributeValueType) JAXBContext(javax.xml.bind.JAXBContext) ResponseType(oasis.names.tc.xacml._3_0.core.schema.wd_17.ResponseType) ObjectFactory(oasis.names.tc.xacml._3_0.core.schema.wd_17.ObjectFactory) StringWriter(java.io.StringWriter) AttributeType(oasis.names.tc.xacml._3_0.core.schema.wd_17.AttributeType) AttributesType(oasis.names.tc.xacml._3_0.core.schema.wd_17.AttributesType) File(java.io.File) StringWriter(java.io.StringWriter) Writer(java.io.Writer) SecurityLogger(ddf.security.audit.SecurityLogger) RequestType(oasis.names.tc.xacml._3_0.core.schema.wd_17.RequestType) Test(org.junit.Test)
