author | Bjørn Christian Seime <bjorncs@oath.com> | 2018-06-19 14:17:54 +0200 |
committer | Bjørn Christian Seime <bjorncs@oath.com> | 2018-06-20 13:15:11 +0200 |
commit | 65ff10dfd5747864c8309b866b17d812a4c5daa6 (patch) | |
tree | 6092284ac7e2ed1291813c01e01963995174d343 | |
parent | daf00113bc58b4a0236332432016ee6b46f67db3 (diff) |
Add wrapper for ZPE
6 files changed, 133 insertions, 0 deletions
diff --git a/parent/pom.xml b/parent/pom.xml
index 10e93d4ffbf..aa75c124579 100644
--- a/parent/pom.xml
+++ b/parent/pom.xml
@@ -671,6 +671,11 @@
             <version>${athenz.version}</version>
         </dependency>
         <dependency>
+            <groupId>com.yahoo.athenz</groupId>
+            <artifactId>athenz-zpe-java-client</artifactId>
+            <version>${athenz.version}</version>
+        </dependency>
+        <dependency>
             <groupId>com.github.tomakehurst</groupId>
             <artifactId>wiremock-standalone</artifactId>
             <version>2.6.0</version>
diff --git a/vespa-athenz/pom.xml b/vespa-athenz/pom.xml
index 7721d1829e5..75116812915 100644
--- a/vespa-athenz/pom.xml
+++ b/vespa-athenz/pom.xml
@@ -111,6 +111,34 @@
             </exclusions>
         </dependency>
         <dependency>
+            <groupId>com.yahoo.athenz</groupId>
+            <artifactId>athenz-zpe-java-client</artifactId>
+            <scope>compile</scope>
+            <exclusions>
+                <exclusion>
+                    <groupId>org.slf4j</groupId>
+                    <artifactId>slf4j-api</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.bouncycastle</groupId>
+                    <artifactId>bcpkix-jdk15on</artifactId>
+                </exclusion>
+                <!--Exclude all Jackson bundles provided by JDisc -->
+                <exclusion>
+                    <groupId>com.fasterxml.jackson.core</groupId>
+                    <artifactId>jackson-core</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>com.fasterxml.jackson.core</groupId>
+                    <artifactId>jackson-databind</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>com.fasterxml.jackson.core</groupId>
+                    <artifactId>jackson-annotations</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+        <dependency>
             <groupId>org.apache.httpcomponents</groupId>
             <artifactId>httpcore</artifactId>
             <version>4.4.1</version>
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/AccessCheckResult.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/AccessCheckResult.java
new file mode 100644
index 00000000000..20f95df566f
--- /dev/null
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/AccessCheckResult.java
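Review bot: The slf4j-api and bcpkix-jdk15on exclusions on the new athenz-zpe-java-client dependency in vespa-athenz/pom.xml are unexplained, unlike the Jackson ones, and they only hold if a compatible SLF4J binding and BouncyCastle provider already reach this bundle's runtime classpath; bcpkix is presumably what the ZPE client uses to verify policy and token signatures, so a missing or mismatched version would fail only at runtime, with every access check erroring rather than at build time. I would extend the existing comment to cover them, e.g. `<!-- slf4j and bcpkix are expected to be provided by this module's existing dependencies; keep the BouncyCastle version compatible with ${athenz.version} -->`. The matching managed version in parent/pom.xml looks consistent, so no version pin is needed here.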
@@ -0,0 +1,46 @@
+// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.athenz.zpe;
+
+import com.yahoo.athenz.zpe.AuthZpeClient.AccessCheckStatus;
+
+import java.util.Arrays;
+
+/**
+ * The various types of access control results.
+ *
+ * @author bjorncs
+ */
+public enum AccessCheckResult {
+    ALLOW(AccessCheckStatus.ALLOW),
+    DENY(AccessCheckStatus.DENY),
+    DENY_NO_MATCH(AccessCheckStatus.DENY_NO_MATCH),
+    DENY_ROLETOKEN_EXPIRED(AccessCheckStatus.DENY_ROLETOKEN_EXPIRED),
+    DENY_ROLETOKEN_INVALID(AccessCheckStatus.DENY_ROLETOKEN_INVALID),
+    DENY_DOMAIN_MISMATCH(AccessCheckStatus.DENY_DOMAIN_MISMATCH),
+    DENY_DOMAIN_NOT_FOUND(AccessCheckStatus.DENY_DOMAIN_NOT_FOUND),
+    DENY_DOMAIN_EXPIRED(AccessCheckStatus.DENY_DOMAIN_EXPIRED),
+    DENY_DOMAIN_EMPTY(AccessCheckStatus.DENY_DOMAIN_EMPTY),
+    DENY_INVALID_PARAMETERS(AccessCheckStatus.DENY_INVALID_PARAMETERS),
+    DENY_CERT_MISMATCH_ISSUER(AccessCheckStatus.DENY_CERT_MISMATCH_ISSUER),
+    DENY_CERT_MISSING_SUBJECT(AccessCheckStatus.DENY_CERT_MISSING_SUBJECT),
+    DENY_CERT_MISSING_DOMAIN(AccessCheckStatus.DENY_CERT_MISSING_DOMAIN),
+    DENY_CERT_MISSING_ROLE_NAME(AccessCheckStatus.DENY_CERT_MISSING_ROLE_NAME);
+
+    private final AccessCheckStatus wrappedElement;
+
+    AccessCheckResult(AccessCheckStatus wrappedElement) {
+        this.wrappedElement = wrappedElement;
+    }
+
+    public String getDescription() {
+        return wrappedElement.toString();
+    }
+
+    static AccessCheckResult fromAccessCheckStatus(AccessCheckStatus accessCheckStatus) {
+        return Arrays.stream(values())
+                .filter(value -> value.wrappedElement == accessCheckStatus)
+                .findFirst()
+                .orElseThrow(() -> new IllegalArgumentException("Unknown status: " + accessCheckStatus));
+    }
+
+}
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/DefaultZpe.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/DefaultZpe.java
new file mode 100644
index 00000000000..d7365a6d727
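Review bot: `fromAccessCheckStatus` has no Javadoc, and its most important property deserves to be stated: any `AccessCheckStatus` without a counterpart among the constants raises `IllegalArgumentException`, so a new deny reason introduced by a later athenz-zpe-java-client release would surface as an exception at the authorization call site rather than as a DENY value. That is fail-closed, which is the right default, but callers need to know to treat the exception as a denial; I would add `/** Maps a library status to this enum. @throws IllegalArgumentException if the status is unknown here (fails closed instead of silently mapping to a deny reason). */`. `getDescription` returns `wrappedElement.toString()`, so whether it yields a human-readable text or just the constant name depends on the library enum's `toString` override; a one-line comment saying which it is would save the next reader a lookup. The linear scan over `values()` per check is fine for fourteen constants; a static `EnumMap` keyed by `AccessCheckStatus` is the usual replacement if this ever lands on a hot path.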
--- /dev/null
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/DefaultZpe.java
@@ -0,0 +1,29 @@
+// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.athenz.zpe;
+
+import com.yahoo.athenz.zpe.AuthZpeClient;
+import com.yahoo.vespa.athenz.api.AthenzResourceName;
+import com.yahoo.vespa.athenz.api.ZToken;
+
+import java.security.cert.X509Certificate;
+
+/**
+ * The default implementation of {@link Zpe}.
+ * This implementation is currently based on the official Athenz ZPE library.
+ *
+ * @author bjorncs
+ */
+public class DefaultZpe implements Zpe {
+    @Override
+    public AccessCheckResult checkAccessAllowed(ZToken roleToken, AthenzResourceName resourceName, String action) {
+        return AccessCheckResult.fromAccessCheckStatus(
+                AuthZpeClient.allowAccess(roleToken.getRawToken(), resourceName.toResourceNameString(), action));
+    }
+
+    @Override
+    public AccessCheckResult checkAccessAllowed(X509Certificate roleCertificate, AthenzResourceName resourceName, String action) {
+        return AccessCheckResult.fromAccessCheckStatus(
+                AuthZpeClient.allowAccess(roleCertificate, resourceName.toResourceNameString(), action));
+    }
+
+}
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/Zpe.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/Zpe.java
new file mode 100644
index 00000000000..d2599a7dc76
--- /dev/null
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/Zpe.java
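Review bot: Nothing in `DefaultZpe` initializes the static `AuthZpeClient` it delegates to in both `checkAccessAllowed` overloads; if the library requires `AuthZpeClient.init()` to load policies and public keys before `allowAccess` is usable, as its documentation indicates, a caller that forgets it discovers the problem only at runtime, and "every request denied" is hard to tell apart from a genuine policy deny. Either perform that initialization from a constructor or state the precondition on the class Javadoc, e.g. ` * Callers must ensure the underlying AuthZpeClient has been initialized before the first access check.`. Both methods also dereference `roleToken`, `roleCertificate` and `resourceName` without a guard; `Objects.requireNonNull(roleToken, "roleToken")` at the boundary turns an NPE from inside the library into a clear error. The class Javadoc could also note that the deny reason in the returned `AccessCheckResult` is what should be logged on a denial, since the library call itself records nothing visible here.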
@@ -0,0 +1,17 @@
+// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.athenz.zpe;
+
+import com.yahoo.vespa.athenz.api.AthenzResourceName;
+import com.yahoo.vespa.athenz.api.ZToken;
+
+import java.security.cert.X509Certificate;
+
+/**
+ * Interface for interacting with ZPE (Authorization Policy Engine)
+ *
+ * @author bjorncs
+ */
+public interface Zpe {
+    AccessCheckResult checkAccessAllowed(ZToken roleToken, AthenzResourceName resourceName, String action);
+    AccessCheckResult checkAccessAllowed(X509Certificate roleCertificate, AthenzResourceName resourceName, String action);
+}
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/package-info.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/package-info.java
new file mode 100644
index 00000000000..341eb887021
--- /dev/null
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/package-info.java
@@ -0,0 +1,8 @@
+// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+/**
+ * @author bjorncs
+ */
+@ExportPackage
+package com.yahoo.vespa.athenz.zpe;
+
+import com.yahoo.osgi.annotation.ExportPackage;
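Review bot: The two `checkAccessAllowed` methods in `Zpe` carry no Javadoc, and the contract they define is the security-relevant part of this package: `ALLOW` is the only result that grants access, every other `AccessCheckResult` is a denial carrying a reason, and `action` is the Athenz action string matched against policy assertions. I would add above each method ` /** Returns ALLOW only if the given role token (or role certificate) authorizes {@code action} on {@code resourceName}; every other result is a denial. */`. Whether `resourceName` must already carry its domain prefix, and whether the token is checked for expiry as part of the call, cannot be seen from this hunk; stating both on the interface keeps implementations and callers from guessing differently.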
\ No newline at end of file |