authorBjørn Christian Seime <bjorncs@oath.com>2018-06-19 14:17:54 +0200
committerBjørn Christian Seime <bjorncs@oath.com>2018-06-20 13:15:11 +0200
commit65ff10dfd5747864c8309b866b17d812a4c5daa6 (patch)
tree6092284ac7e2ed1291813c01e01963995174d343
parentdaf00113bc58b4a0236332432016ee6b46f67db3 (diff)
Add wrapper for ZPE
-rw-r--r--parent/pom.xml5
-rw-r--r--vespa-athenz/pom.xml28
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/AccessCheckResult.java46
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/DefaultZpe.java29
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/Zpe.java17
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/package-info.java8
6 files changed, 133 insertions, 0 deletions
diff --git a/parent/pom.xml b/parent/pom.xml
index 10e93d4ffbf..aa75c124579 100644
--- a/parent/pom.xml
+++ b/parent/pom.xml
@@ -671,6 +671,11 @@
<version>${athenz.version}</version>
</dependency>
<dependency>
+ <groupId>com.yahoo.athenz</groupId>
+ <artifactId>athenz-zpe-java-client</artifactId>
+ <version>${athenz.version}</version>
+ </dependency>
+ <dependency>
<groupId>com.github.tomakehurst</groupId>
<artifactId>wiremock-standalone</artifactId>
<version>2.6.0</version>
diff --git a/vespa-athenz/pom.xml b/vespa-athenz/pom.xml
index 7721d1829e5..75116812915 100644
--- a/vespa-athenz/pom.xml
+++ b/vespa-athenz/pom.xml
@@ -111,6 +111,34 @@
</exclusions>
</dependency>
<dependency>
+ <groupId>com.yahoo.athenz</groupId>
+ <artifactId>athenz-zpe-java-client</artifactId>
+ <scope>compile</scope>
+ <exclusions>
+ <exclusion>
+ <groupId>org.slf4j</groupId>
+ <artifactId>slf4j-api</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.bouncycastle</groupId>
+ <artifactId>bcpkix-jdk15on</artifactId>
+ </exclusion>
+ <!--Exclude all Jackson bundles provided by JDisc -->
+ <exclusion>
+ <groupId>com.fasterxml.jackson.core</groupId>
+ <artifactId>jackson-core</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>com.fasterxml.jackson.core</groupId>
+ <artifactId>jackson-databind</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>com.fasterxml.jackson.core</groupId>
+ <artifactId>jackson-annotations</artifactId>
+ </exclusion>
+ </exclusions>
+ </dependency>
+ <dependency>
<groupId>org.apache.httpcomponents</groupId>
<artifactId>httpcore</artifactId>
<version>4.4.1</version>
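Review bot: The exclusions of `slf4j-api` and `bcpkix-jdk15on` at the top of the new dependency block are unexplained, while the Jackson exclusions carry a comment; a reader cannot tell whether they are dropped because the container provides them or to avoid a clash with a bouncycastle version already on the module's classpath. Excluding a crypto provider dependency matters more than the logging one, since the ZPE client's token and certificate verification will run against whichever bcpkix version the module resolves instead of the one the client was built against. I would extend the comment to state the reason and the expected provider, e.g. `<!-- slf4j-api and bcpkix-jdk15on: provided by the container / resolved from this module's own bouncycastle dependency -->` with the actual reason confirmed against the module's dependency tree. The new dependency also carries no `<version>` here, so it presumably relies on the parent/pom.xml entry added in the same commit.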
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/AccessCheckResult.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/AccessCheckResult.java
new file mode 100644
index 00000000000..20f95df566f
--- /dev/null
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/AccessCheckResult.java
@@ -0,0 +1,46 @@
+// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.athenz.zpe;
+
+import com.yahoo.athenz.zpe.AuthZpeClient.AccessCheckStatus;
+
+import java.util.Arrays;
+
+/**
+ * The various types of access control results.
+ *
+ * @author bjorncs
+ */
+public enum AccessCheckResult {
+ ALLOW(AccessCheckStatus.ALLOW),
+ DENY(AccessCheckStatus.DENY),
+ DENY_NO_MATCH(AccessCheckStatus.DENY_NO_MATCH),
+ DENY_ROLETOKEN_EXPIRED(AccessCheckStatus.DENY_ROLETOKEN_EXPIRED),
+ DENY_ROLETOKEN_INVALID(AccessCheckStatus.DENY_ROLETOKEN_INVALID),
+ DENY_DOMAIN_MISMATCH(AccessCheckStatus.DENY_DOMAIN_MISMATCH),
+ DENY_DOMAIN_NOT_FOUND(AccessCheckStatus.DENY_DOMAIN_NOT_FOUND),
+ DENY_DOMAIN_EXPIRED(AccessCheckStatus.DENY_DOMAIN_EXPIRED),
+ DENY_DOMAIN_EMPTY(AccessCheckStatus.DENY_DOMAIN_EMPTY),
+ DENY_INVALID_PARAMETERS(AccessCheckStatus.DENY_INVALID_PARAMETERS),
+ DENY_CERT_MISMATCH_ISSUER(AccessCheckStatus.DENY_CERT_MISMATCH_ISSUER),
+ DENY_CERT_MISSING_SUBJECT(AccessCheckStatus.DENY_CERT_MISSING_SUBJECT),
+ DENY_CERT_MISSING_DOMAIN(AccessCheckStatus.DENY_CERT_MISSING_DOMAIN),
+ DENY_CERT_MISSING_ROLE_NAME(AccessCheckStatus.DENY_CERT_MISSING_ROLE_NAME);
+
+ private final AccessCheckStatus wrappedElement;
+
+ AccessCheckResult(AccessCheckStatus wrappedElement) {
+ this.wrappedElement = wrappedElement;
+ }
+
+ public String getDescription() {
+ return wrappedElement.toString();
+ }
+
+ static AccessCheckResult fromAccessCheckStatus(AccessCheckStatus accessCheckStatus) {
+ return Arrays.stream(values())
+ .filter(value -> value.wrappedElement == accessCheckStatus)
+ .findFirst()
+ .orElseThrow(() -> new IllegalArgumentException("Unknown status: " + accessCheckStatus));
+ }
+
+}
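Review bot: The enum exposes one ALLOW value and thirteen DENY_* values but no predicate for the single positive outcome, so a caller that tests `result != DENY` on what `fromAccessCheckStatus` returns would treat DENY_NO_MATCH, DENY_ROLETOKEN_EXPIRED and the other deny variants as a grant. A helper on the enum makes the fail-closed check explicit and cheap to review: `public boolean isAllowed() { return this == ALLOW; }`. `fromAccessCheckStatus` also deserves a Javadoc stating that it throws IllegalArgumentException for a status with no mapping, which would happen if a newer athenz-zpe-java-client introduces a status before this enum is extended; callers should expect that exception and treat it as a denial rather than let it propagate as an unhandled error. The `Arrays.stream(values())` scan runs on every access check; an `EnumMap<AccessCheckStatus, AccessCheckResult>` built once in a static initialiser is the more usual form, though the cost is minor for fourteen constants.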
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/DefaultZpe.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/DefaultZpe.java
new file mode 100644
index 00000000000..d7365a6d727
--- /dev/null
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/DefaultZpe.java
@@ -0,0 +1,29 @@
+// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.athenz.zpe;
+
+import com.yahoo.athenz.zpe.AuthZpeClient;
+import com.yahoo.vespa.athenz.api.AthenzResourceName;
+import com.yahoo.vespa.athenz.api.ZToken;
+
+import java.security.cert.X509Certificate;
+
+/**
+ * The default implementation of {@link Zpe}.
+ * This implementation is currently based on the official Athenz ZPE library.
+ *
+ * @author bjorncs
+ */
+public class DefaultZpe implements Zpe {
+ @Override
+ public AccessCheckResult checkAccessAllowed(ZToken roleToken, AthenzResourceName resourceName, String action) {
+ return AccessCheckResult.fromAccessCheckStatus(
+ AuthZpeClient.allowAccess(roleToken.getRawToken(), resourceName.toResourceNameString(), action));
+ }
+
+ @Override
+ public AccessCheckResult checkAccessAllowed(X509Certificate roleCertificate, AthenzResourceName resourceName, String action) {
+ return AccessCheckResult.fromAccessCheckStatus(
+ AuthZpeClient.allowAccess(roleCertificate, resourceName.toResourceNameString(), action));
+ }
+
+}
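Review bot: Both overrides delegate to the static `AuthZpeClient.allowAccess`, so every DefaultZpe instance shares whatever process-wide state and initialisation that client holds, yet the class Javadoc says only that the implementation is "based on the official Athenz ZPE library". I would extend it to say how the client is expected to be initialised and configured before the first call (policy source, refresh behaviour); I cannot tell from this hunk whether AuthZpeClient initialises itself lazily or must be set up by the caller, so confirm against its implementation and document the answer. The two methods also dereference `roleToken` and `resourceName` without validation; `Objects.requireNonNull(roleToken, "roleToken")` and `Objects.requireNonNull(resourceName, "resourceName")` at the top of each would turn a missing credential into a clear error instead of a NullPointerException from inside the wrapper.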
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/Zpe.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/Zpe.java
new file mode 100644
index 00000000000..d2599a7dc76
--- /dev/null
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/Zpe.java
@@ -0,0 +1,17 @@
+// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.athenz.zpe;
+
+import com.yahoo.vespa.athenz.api.AthenzResourceName;
+import com.yahoo.vespa.athenz.api.ZToken;
+
+import java.security.cert.X509Certificate;
+
+/**
+ * Interface for interacting with ZPE (Authorization Policy Engine)
+ *
+ * @author bjorncs
+ */
+public interface Zpe {
+ AccessCheckResult checkAccessAllowed(ZToken roleToken, AthenzResourceName resourceName, String action);
+ AccessCheckResult checkAccessAllowed(X509Certificate roleCertificate, AthenzResourceName resourceName, String action);
+}
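Review bot: The two interface methods carry no Javadoc, so the contract a caller must honour is not stated: what `action` and `resourceName` denote, whether an expired or invalid token yields a result or an exception, and that `AccessCheckResult.ALLOW` is the only value that grants access, every other constant in that enum being a DENY_* variant. I would document each method with `@param` and `@return` along the lines of `@return ALLOW if the token or certificate grants the action on the resource; any other value is a denial and must be treated as such`. Whether the implementations throw for malformed input is not visible in this hunk; confirm it and record it with `@throws`.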
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/package-info.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/package-info.java
new file mode 100644
index 00000000000..341eb887021
--- /dev/null
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/package-info.java
@@ -0,0 +1,8 @@
+// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+/**
+ * @author bjorncs
+ */
+@ExportPackage
+package com.yahoo.vespa.athenz.zpe;
+
+import com.yahoo.osgi.annotation.ExportPackage; \ No newline at end of file