author | Bjørn Christian Seime <bjorncs@oath.com> | 2018-11-22 13:22:24 +0100 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@oath.com> | 2018-11-22 13:22:24 +0100 |
commit | 554dda4fbb69d66151486ca3ee881dc31334c8df (patch) | |
tree | 879a1e84d98a6edf4ec3aba27a6cf4f38b41cc1f /security-utils | |
parent | d1313bb0425419f8a258e5e790e1bb35d4394e04 (diff) |
Rename peerName->policyName, add assumed roles to PeerPolicy
Diffstat (limited to 'security-utils')
7 files changed, 113 insertions, 13 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/json/TransportSecurityOptionsEntity.java b/security-utils/src/main/java/com/yahoo/security/tls/json/TransportSecurityOptionsEntity.java
index 7fad485f3de..80ef06d9cac 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/json/TransportSecurityOptionsEntity.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/json/TransportSecurityOptionsEntity.java
@@ -27,6 +27,7 @@ class TransportSecurityOptionsEntity {
 static class AuthorizedPeer {
 @JsonProperty("required-credentials") List<RequiredCredential> requiredCredentials = new ArrayList<>();
 @JsonProperty("name") String name;
+ @JsonProperty("roles") List<String> roles = new ArrayList<>();
 }
 
 static class RequiredCredential {
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/json/TransportSecurityOptionsJsonSerializer.java b/security-utils/src/main/java/com/yahoo/security/tls/json/TransportSecurityOptionsJsonSerializer.java
index 47814546135..2e2148628e8 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/json/TransportSecurityOptionsJsonSerializer.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/json/TransportSecurityOptionsJsonSerializer.java
@@ -11,6 +11,7 @@ import com.yahoo.security.tls.policy.AuthorizedPeers;
 import com.yahoo.security.tls.policy.HostGlobPattern;
 import com.yahoo.security.tls.policy.PeerPolicy;
 import com.yahoo.security.tls.policy.RequiredPeerCredential;
+import com.yahoo.security.tls.policy.Role;
 
 import java.io.IOException;
 import java.io.InputStream;
@@ -80,7 +81,16 @@ public class TransportSecurityOptionsJsonSerializer {
 if (authorizedPeer.requiredCredentials.isEmpty()) {
 throw missingFieldException("required-credentials");
 }
- return new PeerPolicy(authorizedPeer.name, toRequestPeerCredentials(authorizedPeer.requiredCredentials));
+ if (authorizedPeer.roles.isEmpty()) {
+ throw missingFieldException("roles");
+ }
+ return new PeerPolicy(authorizedPeer.name, toRoles(authorizedPeer.roles), toRequestPeerCredentials(authorizedPeer.requiredCredentials));
+ }
+
+ private static Set<Role> toRoles(List<String> roles) {
+ return roles.stream()
+ .map(Role::new)
+ .collect(toSet());
 }
 
 private static List<RequiredPeerCredential> toRequestPeerCredentials(List<RequiredCredential> requiredCredentials) {
@@ -116,13 +126,14 @@ public class TransportSecurityOptionsJsonSerializer {
 options.getAuthorizedPeers().ifPresent( authorizedPeers -> {
 for (PeerPolicy peerPolicy : authorizedPeers.peerPolicies()) {
 AuthorizedPeer authorizedPeer = new AuthorizedPeer();
- authorizedPeer.name = peerPolicy.peerName();
+ authorizedPeer.name = peerPolicy.policyName();
 for (RequiredPeerCredential requiredPeerCredential : peerPolicy.requiredCredentials()) {
 RequiredCredential requiredCredential = new RequiredCredential();
 requiredCredential.field = toField(requiredPeerCredential.field());
 requiredCredential.matchExpression = requiredPeerCredential.pattern().asString();
 authorizedPeer.requiredCredentials.add(requiredCredential);
 }
+ peerPolicy.assumedRoles().forEach(role -> authorizedPeer.roles.add(role.name()));
 entity.authorizedPeers.add(authorizedPeer);
 }
 });
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/policy/AuthorizedPeers.java b/security-utils/src/main/java/com/yahoo/security/tls/policy/AuthorizedPeers.java
index b5d295e29c8..d62219b2ebe 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/policy/AuthorizedPeers.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/policy/AuthorizedPeers.java
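Review bot: The new `if (authorizedPeer.roles.isEmpty()) { throw missingFieldException("roles"); }` makes `roles` mandatory, and because the entity initialises `roles` to an empty list an explicit `"roles": []` is rejected with the same "missing field" error as an absent key. Every authorized-peers file written before this change will therefore stop loading; if that is intended it belongs in the commit message, otherwise consider accepting an empty role set, which is a valid `PeerPolicy` argument. `toRoles` also silently merges duplicate role names through `toSet()`, which is reasonable but worth a one-line comment above the method. The method containing the first part of this hunk starts outside it, and `Set` and `toSet` are assumed to be imported elsewhere in the file.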
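Review bot: `peerPolicy.assumedRoles().forEach(role -> authorizedPeer.roles.add(role.name()))` emits roles in `Set` iteration order, so for a `HashSet` the `roles` array in the written JSON is not stable across runs or JVMs, which makes serialized policy files noisy to diff and impossible to compare byte-for-byte. Sorting before emitting fixes that: `peerPolicy.assumedRoles().stream().map(Role::name).sorted().forEach(authorizedPeer.roles::add);`. The enclosing method begins before this hunk.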
@@ -13,7 +13,18 @@ public class AuthorizedPeers {
 private final Set<PeerPolicy> peerPolicies;
 
 public AuthorizedPeers(Set<PeerPolicy> peerPolicies) {
- this.peerPolicies = Collections.unmodifiableSet(peerPolicies);
+ this.peerPolicies = verifyPeerPolicies(peerPolicies);
+ }
+
+ private Set<PeerPolicy> verifyPeerPolicies(Set<PeerPolicy> peerPolicies) {
+ long distinctNames = peerPolicies.stream()
+ .map(PeerPolicy::policyName)
+ .distinct()
+ .count();
+ if (distinctNames != peerPolicies.size()) {
+ throw new IllegalArgumentException("'authorized-peers' contains entries with duplicate names");
+ }
+ return Collections.unmodifiableSet(peerPolicies);
 }
 
 public Set<PeerPolicy> peerPolicies() {
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/policy/PeerPolicy.java b/security-utils/src/main/java/com/yahoo/security/tls/policy/PeerPolicy.java
index 77ee793777c..294f8543f43 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/policy/PeerPolicy.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/policy/PeerPolicy.java
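Review bot: `verifyPeerPolicies` checks for duplicate names but then returns `Collections.unmodifiableSet(peerPolicies)`, a view over the caller's own set, so a caller that keeps its reference can add another policy afterwards and the check is never re-run; the set should be copied before it is wrapped. The method reads no instance state and is called from the constructor, so it should also be `static`, and the exception message would help whoever edits the configuration far more if it named the offending policy. A loop over a set of seen names gives all three in one place (`HashSet` needs an import if the file lacks one); proposed replacement below.
```java
private static Set<PeerPolicy> verifyPeerPolicies(Set<PeerPolicy> peerPolicies) {
    Set<String> seenNames = new HashSet<>();
    for (PeerPolicy policy : peerPolicies) {
        if (!seenNames.add(policy.policyName())) {
            throw new IllegalArgumentException(
                    "'authorized-peers' contains entries with duplicate names: '" + policy.policyName() + "'");
        }
    }
    // snapshot so later changes to the caller's set cannot bypass the check above
    return Collections.unmodifiableSet(new HashSet<>(peerPolicies));
}
```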
@@ -4,22 +4,29 @@ package com.yahoo.security.tls.policy;
 import java.util.Collections;
 import java.util.List;
 import java.util.Objects;
+import java.util.Set;
 
 /**
 * @author bjorncs
 */
 public class PeerPolicy {
 
- private final String peerName;
+ private final String policyName;
+ private final Set<Role> assumedRoles;
 private final List<RequiredPeerCredential> requiredCredentials;
 
- public PeerPolicy(String peerName, List<RequiredPeerCredential> requiredCredentials) {
- this.peerName = peerName;
+ public PeerPolicy(String policyName, Set<Role> assumedRoles, List<RequiredPeerCredential> requiredCredentials) {
+ this.policyName = policyName;
+ this.assumedRoles = assumedRoles;
 this.requiredCredentials = Collections.unmodifiableList(requiredCredentials);
 }
 
- public String peerName() {
- return peerName;
+ public String policyName() {
+ return policyName;
+ }
+
+ public Set<Role> assumedRoles() {
+ return assumedRoles;
 }
 
 public List<RequiredPeerCredential> requiredCredentials() {
@@ -29,7 +36,8 @@ public class PeerPolicy {
 @Override
 public String toString() {
 return "PeerPolicy{" +
- "peerName='" + peerName + '\'' +
+ "policyName='" + policyName + '\'' +
+ ", assumedRoles=" + assumedRoles +
 ", requiredCredentials=" + requiredCredentials +
 '}';
 }
@@ -39,12 +47,13 @@ public class PeerPolicy {
 if (this == o) return true;
 if (o == null || getClass() != o.getClass()) return false;
 PeerPolicy that = (PeerPolicy) o;
- return Objects.equals(peerName, that.peerName) &&
+ return Objects.equals(policyName, that.policyName) &&
+ Objects.equals(assumedRoles, that.assumedRoles) &&
 Objects.equals(requiredCredentials, that.requiredCredentials);
 }
 
 @Override
 public int hashCode() {
- return Objects.hash(peerName, requiredCredentials);
+ return Objects.hash(policyName, assumedRoles, requiredCredentials);
 }
 }
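Review bot: The constructor stores `assumedRoles` as-is while `requiredCredentials` is wrapped in `Collections.unmodifiableList`, so the role set — the part of the policy that decides what a matched peer may assume — remains mutable both through the caller's original reference and through the `assumedRoles()` getter. At minimum mirror the credentials line with `this.assumedRoles = Collections.unmodifiableSet(assumedRoles);`; copying with `new HashSet<>(assumedRoles)` first would also shield against the caller's reference, at the cost of one import. Neither `policyName` nor `assumedRoles` is null-checked although `Objects` is already imported; `this.policyName = Objects.requireNonNull(policyName, "policyName");` fails fast instead of surfacing later as a null name in `AuthorizedPeers` or in serializer output. The `toString`, `equals` and `hashCode` hunks that follow are consistent with the new fields.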
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/policy/Role.java b/security-utils/src/main/java/com/yahoo/security/tls/policy/Role.java
new file mode 100644
index 00000000000..6d64ccff2c5
--- /dev/null
+++ b/security-utils/src/main/java/com/yahoo/security/tls/policy/Role.java
@@ -0,0 +1,40 @@
+// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.security.tls.policy;
+
+import java.util.Objects;
+
+/**
+ * @author bjorncs
+ */
+public class Role {
+
+ private final String name;
+
+ public Role(String name) {
+ this.name = name;
+ }
+
+ public String name() {
+ return name;
+ }
+
+ @Override
+ public String toString() {
+ return "Role{" +
+ "name='" + name + '\'' +
+ '}';
+ }
+
+ @Override
+ public boolean equals(Object o) {
+ if (this == o) return true;
+ if (o == null || getClass() != o.getClass()) return false;
+ Role role = (Role) o;
+ return Objects.equals(name, role.name);
+ }
+
+ @Override
+ public int hashCode() {
+ return Objects.hash(name);
+ }
+}
diff --git a/security-utils/src/test/java/com/yahoo/security/tls/json/TransportSecurityOptionsJsonSerializerTest.java b/security-utils/src/test/java/com/yahoo/security/tls/json/TransportSecurityOptionsJsonSerializerTest.java
index a6e1de66c68..952c4d05972 100644
--- a/security-utils/src/test/java/com/yahoo/security/tls/json/TransportSecurityOptionsJsonSerializerTest.java
+++ b/security-utils/src/test/java/com/yahoo/security/tls/json/TransportSecurityOptionsJsonSerializerTest.java
@@ -5,6 +5,7 @@ import com.yahoo.security.tls.policy.AuthorizedPeers;
 import com.yahoo.security.tls.policy.HostGlobPattern;
 import com.yahoo.security.tls.policy.PeerPolicy;
 import com.yahoo.security.tls.policy.RequiredPeerCredential;
+import com.yahoo.security.tls.policy.Role;
 import org.junit.Test;
 
 import java.io.ByteArrayInputStream;
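Review bot: `Role(String name)` accepts a null or empty name without complaint, and since `equals`/`hashCode` go through `Objects.equals`/`Objects.hash` a `Role(null)` is a perfectly valid set member that only fails later, for instance when the serializer writes `role.name()` into the JSON `roles` array. `java.util.Objects` is already imported, so `this.name = Objects.requireNonNull(name, "name");` is enough. The class also carries no Javadoc beyond `@author`; a one-line summary such as `/** A named role that a {@link PeerPolicy} lets matching peers assume. */` would tie it to the policy model (wording to be confirmed against the intended semantics, which this diff does not spell out).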
@@ -15,6 +16,7 @@ import java.util.Collections;
 import java.util.HashSet;
 
 import static com.yahoo.security.tls.policy.RequiredPeerCredential.Field.*;
+import static java.util.Collections.singleton;
 import static org.junit.Assert.*;
 
 /**
@@ -30,10 +32,10 @@ public class TransportSecurityOptionsJsonSerializerTest {
 .withAuthorizedPeers(
 new AuthorizedPeers(
 new HashSet<>(Arrays.asList(
- new PeerPolicy("cfgserver", Arrays.asList(
+ new PeerPolicy("cfgserver", singleton(new Role("myrole")), Arrays.asList(
 new RequiredPeerCredential(CN, new HostGlobPattern("mycfgserver")),
 new RequiredPeerCredential(SAN_DNS, new HostGlobPattern("*.suffix.com")))),
- new PeerPolicy("node", Collections.singletonList(new RequiredPeerCredential(CN, new HostGlobPattern("hostname"))))))))
+ new PeerPolicy("node", singleton(new Role("anotherrole")), Collections.singletonList(new RequiredPeerCredential(CN, new HostGlobPattern("hostname"))))))))
 .build();
 
 ByteArrayOutputStream out = new ByteArrayOutputStream();
diff --git a/security-utils/src/test/java/com/yahoo/security/tls/policy/AuthorizedPeersTest.java b/security-utils/src/test/java/com/yahoo/security/tls/policy/AuthorizedPeersTest.java
new file mode 100644
index 00000000000..ac201fcabbc
--- /dev/null
+++ b/security-utils/src/test/java/com/yahoo/security/tls/policy/AuthorizedPeersTest.java
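Review bot: A point of style: `singleton` is now statically imported while `Collections.singletonList` on the same `new PeerPolicy("node", ...)` line stays fully qualified; either add `import static java.util.Collections.singletonList;` or write `Collections.singleton(...)` so the two neighbouring calls read the same way. The round trip now covers policies with exactly one role each; a policy with several roles would also exercise the `Set` ordering on the serializer side, and there appears to be no test for the new rejection of an absent or empty `roles` field (the assertions of this test lie outside the hunk, so this is inferred).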
@@ -0,0 +1,26 @@
+package com.yahoo.security.tls.policy;
+
+import org.junit.Test;
+
+import java.util.HashSet;
+import java.util.List;
+
+import static com.yahoo.security.tls.policy.RequiredPeerCredential.Field.CN;
+import static java.util.Arrays.asList;
+import static java.util.Collections.singleton;
+import static java.util.Collections.singletonList;
+
+/**
+ * @author bjorncs
+ */
+public class AuthorizedPeersTest {
+
+ @Test(expected = IllegalArgumentException.class)
+ public void throws_exception_on_peer_policies_with_duplicate_names() {
+ List<RequiredPeerCredential> requiredPeerCredential = singletonList(new RequiredPeerCredential(CN, new HostGlobPattern("mycfgserver")));
+ PeerPolicy peerPolicy1 = new PeerPolicy("duplicate-name", singleton(new Role("role")), requiredPeerCredential);
+ PeerPolicy peerPolicy2 = new PeerPolicy("duplicate-name", singleton(new Role("anotherrole")), requiredPeerCredential);
+ new AuthorizedPeers(new HashSet<>(asList(peerPolicy1, peerPolicy2)));
+ }
+
+}
\ No newline at end of file |
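Review bot: `@Test(expected = IllegalArgumentException.class)` is satisfied by an `IllegalArgumentException` thrown anywhere in the method, including the `HostGlobPattern`, `RequiredPeerCredential` and `PeerPolicy` constructors in the three setup lines, so the test would keep passing if the duplicate-name check were removed and one of those constructors happened to reject its input. Wrapping only the `new AuthorizedPeers(...)` call and asserting on the message pins the behaviour actually under test; this needs `import static org.junit.Assert.*;` alongside the existing `org.junit.Test` import.
```java
@Test
public void throws_exception_on_peer_policies_with_duplicate_names() {
    // … unchanged: requiredPeerCredential, peerPolicy1, peerPolicy2 setup …
    try {
        new AuthorizedPeers(new HashSet<>(asList(peerPolicy1, peerPolicy2)));
        fail("Expected IllegalArgumentException for duplicate policy names");
    } catch (IllegalArgumentException e) {
        assertTrue(e.getMessage(), e.getMessage().contains("duplicate names"));
    }
}
```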