Diffstat (limited to 'vespa-athenz/src/main/java')
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/AccessCheckResult.java46
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/DefaultZpe.java29
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/Zpe.java17
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/package-info.java8
4 files changed, 100 insertions, 0 deletions
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/AccessCheckResult.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/AccessCheckResult.java
new file mode 100644
index 00000000000..20f95df566f
--- /dev/null
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/AccessCheckResult.java
@@ -0,0 +1,46 @@
+// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.athenz.zpe;
+
+import com.yahoo.athenz.zpe.AuthZpeClient.AccessCheckStatus;
+
+import java.util.Arrays;
+
+/**
+ * The various types of access control results.
+ *
+ * @author bjorncs
+ */
+public enum AccessCheckResult {
+ ALLOW(AccessCheckStatus.ALLOW),
+ DENY(AccessCheckStatus.DENY),
+ DENY_NO_MATCH(AccessCheckStatus.DENY_NO_MATCH),
+ DENY_ROLETOKEN_EXPIRED(AccessCheckStatus.DENY_ROLETOKEN_EXPIRED),
+ DENY_ROLETOKEN_INVALID(AccessCheckStatus.DENY_ROLETOKEN_INVALID),
+ DENY_DOMAIN_MISMATCH(AccessCheckStatus.DENY_DOMAIN_MISMATCH),
+ DENY_DOMAIN_NOT_FOUND(AccessCheckStatus.DENY_DOMAIN_NOT_FOUND),
+ DENY_DOMAIN_EXPIRED(AccessCheckStatus.DENY_DOMAIN_EXPIRED),
+ DENY_DOMAIN_EMPTY(AccessCheckStatus.DENY_DOMAIN_EMPTY),
+ DENY_INVALID_PARAMETERS(AccessCheckStatus.DENY_INVALID_PARAMETERS),
+ DENY_CERT_MISMATCH_ISSUER(AccessCheckStatus.DENY_CERT_MISMATCH_ISSUER),
+ DENY_CERT_MISSING_SUBJECT(AccessCheckStatus.DENY_CERT_MISSING_SUBJECT),
+ DENY_CERT_MISSING_DOMAIN(AccessCheckStatus.DENY_CERT_MISSING_DOMAIN),
+ DENY_CERT_MISSING_ROLE_NAME(AccessCheckStatus.DENY_CERT_MISSING_ROLE_NAME);
+
+ private final AccessCheckStatus wrappedElement;
+
+ AccessCheckResult(AccessCheckStatus wrappedElement) {
+ this.wrappedElement = wrappedElement;
+ }
+
+ public String getDescription() {
+ return wrappedElement.toString();
+ }
+
+ static AccessCheckResult fromAccessCheckStatus(AccessCheckStatus accessCheckStatus) {
+ return Arrays.stream(values())
+ .filter(value -> value.wrappedElement == accessCheckStatus)
+ .findFirst()
+ .orElseThrow(() -> new IllegalArgumentException("Unknown status: " + accessCheckStatus));
+ }
+
+}
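Review bot: `fromAccessCheckStatus` (lines 57-62) throws `IllegalArgumentException` for any `AccessCheckStatus` constant that has no mirror in this enum, and whether every upstream constant is covered cannot be confirmed from the hunk; if the library later adds a status, every authorization decision returning it surfaces as an exception rather than as a deny result. That is fail-closed, which is the right default, but the contract is not written down and callers of `DefaultZpe` will otherwise read it as a bug. Suggest on the method: `/** Maps a ZPE status to its mirror here. Throws IllegalArgumentException for a status this enum does not cover, so an unmapped status never reads as an allow. */`. `getDescription()` (lines 53-55) is likewise undocumented; what `AccessCheckStatus.toString()` yields cannot be seen here, so a one-line Javadoc naming it as the library's status text, hedged if unverified, would help. The per-call stream scan over `values()` is a style point only; a static `EnumMap` lookup built once from `values()` would make the mirrored set explicit.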
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/DefaultZpe.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/DefaultZpe.java
new file mode 100644
index 00000000000..d7365a6d727
--- /dev/null
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/DefaultZpe.java
@@ -0,0 +1,29 @@
+// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.athenz.zpe;
+
+import com.yahoo.athenz.zpe.AuthZpeClient;
+import com.yahoo.vespa.athenz.api.AthenzResourceName;
+import com.yahoo.vespa.athenz.api.ZToken;
+
+import java.security.cert.X509Certificate;
+
+/**
+ * The default implementation of {@link Zpe}.
+ * This implementation is currently based on the official Athenz ZPE library.
+ *
+ * @author bjorncs
+ */
+public class DefaultZpe implements Zpe {
+ @Override
+ public AccessCheckResult checkAccessAllowed(ZToken roleToken, AthenzResourceName resourceName, String action) {
+ return AccessCheckResult.fromAccessCheckStatus(
+ AuthZpeClient.allowAccess(roleToken.getRawToken(), resourceName.toResourceNameString(), action));
+ }
+
+ @Override
+ public AccessCheckResult checkAccessAllowed(X509Certificate roleCertificate, AthenzResourceName resourceName, String action) {
+ return AccessCheckResult.fromAccessCheckStatus(
+ AuthZpeClient.allowAccess(roleCertificate, resourceName.toResourceNameString(), action));
+ }
+
+}
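Review bot: Both overloads (lines 88-97) dereference their arguments without validation, so a null `roleToken`, `roleCertificate` or `resourceName` fails with a NullPointerException inside the delegate call instead of a clear error at the boundary; `Objects.requireNonNull(roleToken, "roleToken");` and the same for `resourceName` and `action` at the top of each method would state the precondition. `AuthZpeClient.allowAccess` is a static call, so this class presumably depends on process-wide ZPE library state (loaded policies, configured trust material) that neither a constructor nor the class Javadoc sets up or documents; confirm against the library and record that precondition on the class. The Javadoc should also say that exceptions from the library, and the `IllegalArgumentException` raised by `AccessCheckResult.fromAccessCheckStatus` for an unmapped status, propagate unchanged, since a caller treating every non-ALLOW value as a denial needs to know an exception is a third outcome and must not be mistaken for an allow.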
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/Zpe.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/Zpe.java
new file mode 100644
index 00000000000..d2599a7dc76
--- /dev/null
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/Zpe.java
@@ -0,0 +1,17 @@
+// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.athenz.zpe;
+
+import com.yahoo.vespa.athenz.api.AthenzResourceName;
+import com.yahoo.vespa.athenz.api.ZToken;
+
+import java.security.cert.X509Certificate;
+
+/**
+ * Interface for interacting with ZPE (Authorization Policy Engine)
+ *
+ * @author bjorncs
+ */
+public interface Zpe {
+ AccessCheckResult checkAccessAllowed(ZToken roleToken, AthenzResourceName resourceName, String action);
+ AccessCheckResult checkAccessAllowed(X509Certificate roleCertificate, AthenzResourceName resourceName, String action);
+}
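Review bot: The two `checkAccessAllowed` overloads (lines 120-121) carry no Javadoc, so the interface does not say how `action` and `resourceName` are interpreted, which identity each overload authenticates, or that the result must be compared against `AccessCheckResult.ALLOW` rather than treated as a boolean. Suggest on each, adjusting the identity source per overload: `/** Checks whether the principal identified by the role token may perform {@code action} on {@code resourceName}. Only {@link AccessCheckResult#ALLOW} grants access; every other value is a denial and must be treated as such. */`. Nullability of the parameters and the thread-safety expected of implementations belong here too, since `DefaultZpe` delegates to a static client.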
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/package-info.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/package-info.java
new file mode 100644
index 00000000000..341eb887021
--- /dev/null
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/zpe/package-info.java
@@ -0,0 +1,8 @@
+// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+/**
+ * @author bjorncs
+ */
+@ExportPackage
+package com.yahoo.vespa.athenz.zpe;
+
+import com.yahoo.osgi.annotation.ExportPackage; \ No newline at end of file