Diffstat (limited to 'vespa-athenz/src/main/java')
4 files changed, 100 insertions, 0 deletions
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/AccessCheckResult.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/AccessCheckResult.java
new file mode 100644
index 00000000000..20f95df566f
--- /dev/null
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/AccessCheckResult.java
@@ -0,0 +1,46 @@
+// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.athenz.zpe;
+
+import com.yahoo.athenz.zpe.AuthZpeClient.AccessCheckStatus;
+
+import java.util.Arrays;
+
+/**
+ * The various types of access control results.
+ *
+ * @author bjorncs
+ */
+public enum AccessCheckResult {
+ ALLOW(AccessCheckStatus.ALLOW),
+ DENY(AccessCheckStatus.DENY),
+ DENY_NO_MATCH(AccessCheckStatus.DENY_NO_MATCH),
+ DENY_ROLETOKEN_EXPIRED(AccessCheckStatus.DENY_ROLETOKEN_EXPIRED),
+ DENY_ROLETOKEN_INVALID(AccessCheckStatus.DENY_ROLETOKEN_INVALID),
+ DENY_DOMAIN_MISMATCH(AccessCheckStatus.DENY_DOMAIN_MISMATCH),
+ DENY_DOMAIN_NOT_FOUND(AccessCheckStatus.DENY_DOMAIN_NOT_FOUND),
+ DENY_DOMAIN_EXPIRED(AccessCheckStatus.DENY_DOMAIN_EXPIRED),
+ DENY_DOMAIN_EMPTY(AccessCheckStatus.DENY_DOMAIN_EMPTY),
+ DENY_INVALID_PARAMETERS(AccessCheckStatus.DENY_INVALID_PARAMETERS),
+ DENY_CERT_MISMATCH_ISSUER(AccessCheckStatus.DENY_CERT_MISMATCH_ISSUER),
+ DENY_CERT_MISSING_SUBJECT(AccessCheckStatus.DENY_CERT_MISSING_SUBJECT),
+ DENY_CERT_MISSING_DOMAIN(AccessCheckStatus.DENY_CERT_MISSING_DOMAIN),
+ DENY_CERT_MISSING_ROLE_NAME(AccessCheckStatus.DENY_CERT_MISSING_ROLE_NAME);
+
+ private final AccessCheckStatus wrappedElement;
+
+ AccessCheckResult(AccessCheckStatus wrappedElement) {
+ this.wrappedElement = wrappedElement;
+ }
+
+ public String getDescription() {
+ return wrappedElement.toString();
+ }
+
+ static AccessCheckResult fromAccessCheckStatus(AccessCheckStatus accessCheckStatus) {
+ return Arrays.stream(values())
+ .filter(value -> value.wrappedElement == accessCheckStatus)
+ .findFirst()
+ .orElseThrow(() -> new IllegalArgumentException("Unknown status: " + accessCheckStatus));
+ }
+
+}
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/DefaultZpe.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/DefaultZpe.java
new file mode 100644
index 00000000000..d7365a6d727
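Review bot: `fromAccessCheckStatus` rescans `values()` with a stream on every access check, and a status the enum does not mirror is only discovered at runtime, when that status is first returned for a request; building a `Map<AccessCheckStatus, AccessCheckResult>` once in a static initializer makes the lookup constant-time and, via `Collectors.toMap`, fails at class load if two constants map to the same status. If the Athenz library gains a status this enum does not list, the `IllegalArgumentException` escapes the access check, so the Javadoc should say that callers must treat that exception as a denial rather than a transient error; a comment such as `// Every AccessCheckStatus must be mirrored here; an unmapped status throws rather than allows` above the constant list would make the fail-closed intent explicit. The rewritten lookup below needs `java.util.Map` and `java.util.stream.Collectors` imported.
```java
    // … unchanged: enum constants, wrappedElement, constructor, getDescription …

    // Built once: a status the enum does not mirror surfaces as a lookup miss, never as ALLOW.
    private static final Map<AccessCheckStatus, AccessCheckResult> BY_STATUS =
            Arrays.stream(values()).collect(Collectors.toMap(r -> r.wrappedElement, r -> r));

    static AccessCheckResult fromAccessCheckStatus(AccessCheckStatus accessCheckStatus) {
        AccessCheckResult result = BY_STATUS.get(accessCheckStatus);
        if (result == null) throw new IllegalArgumentException("Unknown status: " + accessCheckStatus);
        return result;
    }
```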
--- /dev/null
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/DefaultZpe.java
@@ -0,0 +1,29 @@
+// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.athenz.zpe;
+
+import com.yahoo.athenz.zpe.AuthZpeClient;
+import com.yahoo.vespa.athenz.api.AthenzResourceName;
+import com.yahoo.vespa.athenz.api.ZToken;
+
+import java.security.cert.X509Certificate;
+
+/**
+ * The default implementation of {@link Zpe}.
+ * This implementation is currently based on the official Athenz ZPE library.
+ *
+ * @author bjorncs
+ */
+public class DefaultZpe implements Zpe {
+ @Override
+ public AccessCheckResult checkAccessAllowed(ZToken roleToken, AthenzResourceName resourceName, String action) {
+ return AccessCheckResult.fromAccessCheckStatus(
+ AuthZpeClient.allowAccess(roleToken.getRawToken(), resourceName.toResourceNameString(), action));
+ }
+
+ @Override
+ public AccessCheckResult checkAccessAllowed(X509Certificate roleCertificate, AthenzResourceName resourceName, String action) {
+ return AccessCheckResult.fromAccessCheckStatus(
+ AuthZpeClient.allowAccess(roleCertificate, resourceName.toResourceNameString(), action));
+ }
+
+}
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/Zpe.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/Zpe.java
new file mode 100644
index 00000000000..d2599a7dc76
--- /dev/null
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/Zpe.java
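Review bot: Neither overload of `checkAccessAllowed` validates its arguments, so a null `roleToken` or `resourceName` fails with a bare NullPointerException from `getRawToken()`/`toResourceNameString()` instead of a message naming the missing input; adding `Objects.requireNonNull(roleToken, "roleToken");` and `Objects.requireNonNull(resourceName, "resourceName");` (and the same for `action`) at the top of each method keeps the failure closed and diagnosable. The class also depends on the static `AuthZpeClient`, which presumably has to be initialised by the caller before the first check — confirm, and state it in the class Javadoc, e.g. `This class does not initialise AuthZpeClient; the caller is responsible for doing so before invoking any check.` Both overloads differ only in the first argument passed to `AuthZpeClient.allowAccess`, so the `resourceName.toResourceNameString()` conversion and the result mapping could live in one private helper.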
@@ -0,0 +1,17 @@
+// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.athenz.zpe;
+
+import com.yahoo.vespa.athenz.api.AthenzResourceName;
+import com.yahoo.vespa.athenz.api.ZToken;
+
+import java.security.cert.X509Certificate;
+
+/**
+ * Interface for interacting with ZPE (Authorization Policy Engine)
+ *
+ * @author bjorncs
+ */
+public interface Zpe {
+ AccessCheckResult checkAccessAllowed(ZToken roleToken, AthenzResourceName resourceName, String action);
+ AccessCheckResult checkAccessAllowed(X509Certificate roleCertificate, AthenzResourceName resourceName, String action);
+}
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/package-info.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/package-info.java
new file mode 100644
index 00000000000..341eb887021
--- /dev/null
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/package-info.java
@@ -0,0 +1,8 @@
+// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+/**
+ * @author bjorncs
+ */
+@ExportPackage
+package com.yahoo.vespa.athenz.zpe;
+
+import com.yahoo.osgi.annotation.ExportPackage;
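Review bot: The two `checkAccessAllowed` methods of `Zpe` carry no Javadoc, so the contract a caller must rely on for an authorization decision is undocumented: that only `AccessCheckResult.ALLOW` grants access and every other value, as well as any exception thrown by the check, is a denial. The `X509Certificate` overload should also state whether the certificate is expected to have already been validated (for example, as the peer certificate of an authenticated TLS session) or whether the implementation verifies it, since nothing in this hunk settles that. A method comment along the lines of `Checks whether the holder of {@code roleToken} may perform {@code action} on {@code resourceName}; any result other than {@link AccessCheckResult#ALLOW} must be treated as denied.` on each overload would close the gap.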
\ No newline at end of file |