
driver-eu / test-bed-security-authorization-service


Testbed Security Service for Authorization (policy administration and decision, aka XACML PAP/PDP)

License: GNU General Public License v3.0

Java 87.47% FreeMarker 4.46% XSLT 7.04% Dockerfile 1.03%
authorization xacml security authzforce abac

test-bed-security-authorization-service's Introduction


Test-bed Security Service for Authorization

REST service that provides access policy administration and evaluation, rendering a decision (Permit/Deny) for a given access request, i.e. the PAP (Policy Administration Point) and PDP (Policy Decision Point) of the XACML standard.

System requirements

  • OS: Linux x86_64
  • Filesystem: ext4
  • JRE: OpenJDK 8
  • RAM: 2GB or more

Docker build

Make sure the Docker service is running. To build the Docker image:

$ mvn install dockerfile:build

Docker run

Make sure the Docker service is running. To run the Docker image:

$ docker run -p 8080:8080 -t drivereu/driver-testbed-sec-authz-service

You can customize the application's configuration (application.yml and the conf folder) by mounting volumes on /application.yml and /opt/driver-testbed-sec-authz-service/conf respectively:

$ docker run -v docker/application.yml:/application.yml:ro -v target/test-classes:/opt/driver-testbed-sec-authz-service/conf:ro -p 8080:8080 -t drivereu/driver-testbed-sec-authz-service

You can enable SSL with the ssl Spring profile and customize other application properties, either with a custom application.yml as shown above (containing the line spring.profiles.active: ssl) or with JVM arguments on the command line:

$ docker run -e JAVA_OPTS="-Dspring.profiles.active=ssl -Djava.security.egd=file:/dev/./urandom -Djava.awt.headless=true -Djavax.xml.accessExternalSchema=all -Xms1024m -Xmx2048m -XX:+UseConcMarkSweepGC -server" -p 8443:8443 -t drivereu/driver-testbed-sec-authz-service

API usage

Authentication

Each request on URL path /services/authz/pap requires HTTP Basic authentication. The test admin account is username admin, password admin. This is a test credential: change it before exposing the service beyond a development environment, and keep in mind that Basic credentials travel in cleartext unless SSL is enabled (see below).

You can also enable SSL (with client certificate authentication) by adding the following line to application.yml:

spring.profiles.active: ssl

Once SSL is enabled, access to URL path /services/authz/pap requires authentication with a client certificate issued by the test CA (PKCS#12 keystore file ca.p12 in the test folder); this replaces HTTP Basic authentication. You can use the example client certificate client.p12 (PKCS#12 keystore file).

Create or Update the access policy for a given Kafka topic

Create/update the access policy of a given topic (if the policy does not exist, it is created on the fly), e.g. topic Topic_A, with the HTTP request below. Only the important headers are shown for conciseness; e.g. the Content-Length header is omitted but required as usual. If SSL is not enabled, include the Authorization header with value Basic xxx, where xxx is the string admin:admin (username:password) encoded in base64, per the HTTP Basic authentication standard.

Every HTTP payload sent to this API is a JSON object that must be valid against the JSON schema in src/main/resources/eu/driver/testbed/sec/authz/service/access_policy.schema.json.

Authorizing Kafka clients on a given topic

Address: http://localhost:8080/services/authz/pap/policies/resource.type=TOPIC/policies;resource.id=Topic_A
Encoding: UTF-8
Http-Method: PUT
Content-Type: application/json
Headers: {Accept=[application/json], content-type=[application/json], Authorization=[Basic YWRtaW46YWRtaW4=]}
Payload: {"rules":[{"subject.id":"client1","permissions":[{"allow":true,"action":"PUBLISH"},{"allow":false,"action":"SUBSCRIBE"},{"allow":false,"action":"DESCRIBE"}]},{"subject.id":"client2","permissions":[{"allow":true,"action":"SUBSCRIBE"},{"allow":false,"action":"DESCRIBE"}]}]}

This request grants publish/subscribe permissions to client1 (publish only) and client2 (subscribe only) on the topic Topic_A.

The subject.id value must match the Kafka client ID, i.e. if SSL is enabled, the subject DN in the client certificate, e.g. CN=client1,OU=Authz Service Dev Project,OU=WP923,O=DRIVER-PROJECT.eu

For a Kafka topic, actions PUBLISH (resp. SUBSCRIBE) and WRITE (resp. READ) are interchangeable in the request above.

Authorizing Kafka clients to join a given consumer group

Address: http://localhost:8080/services/authz/pap/policies/resource.type=GROUP/policies;resource.id=ConsumerGroup1
Encoding: UTF-8
Http-Method: PUT
Content-Type: application/json
Headers: {Accept=[application/json], content-type=[application/json], Authorization=[Basic YWRtaW46YWRtaW4=]}
Payload: {"rules":[{"subject.id":"client1","permissions":[{"allow":true,"action":"READ"},{"allow":true,"action":"DESCRIBE"}]}]}

This request allows client1 to join the consumer group ConsumerGroup1.

Authorizing a Kafka consumer group on a given topic

Address: http://localhost:8080/services/authz/pap/policies/resource.type=TOPIC/policies;resource.id=Topic_A
Encoding: UTF-8
Http-Method: PUT
Content-Type: application/json
Headers: {Accept=[application/json], content-type=[application/json], Authorization=[Basic YWRtaW46YWRtaW4=]}
Payload: {"rules":[{"subject.group":"ConsumerGroup1","permissions":[{"allow":true,"action":"READ"},{"allow":true,"action":"DESCRIBE"}]}]}

This request allows (all clients in) the consumer group ConsumerGroup1 to subscribe to the topic Topic_A.

Get the current access policy for a given Kafka topic or group

Get the access policy for topic Topic_A, for instance, with an HTTP request as follows (only the important headers are shown for conciseness):

Address: http://localhost:8080/services/authz/pap/policies/resource.type=TOPIC/policies;resource.id=Topic_A
Encoding: UTF-8
Http-Method: GET
Content-Type: 
Headers: {Accept=[application/json], Authorization=[Basic YWRtaW46YWRtaW4=]}

To get a group access policy, replace TOPIC with GROUP (and Topic_A with the group ID) in the previous request.

Example of response:

Response-Code: 200
Content-Type: application/json
Headers: {Content-Type=[application/json]}
Payload: {"rules":[{"subject.id":"client1","permissions":[{"allow":true,"action":"PUBLISH"},{"allow":false,"action":"SUBSCRIBE"},{"allow":false,"action":"DESCRIBE"}]},{"subject.id":"client2","permissions":[{"allow":true,"action":"SUBSCRIBE"},{"allow":false,"action":"DESCRIBE"}]}]}

Delete the access policy for a given Kafka topic

E.g. for topic Topic_A

Address: http://localhost:8080/services/authz/pap/policies/resource.type=TOPIC/policies;resource.id=Topic_A
Encoding: UTF-8
Http-Method: DELETE
Content-Type: */*
Headers: {Accept=[application/json], Authorization=[Basic YWRtaW46YWRtaW4=]}

To delete a group access policy, replace TOPIC with GROUP (and Topic_A with the group ID) in the previous request.
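The following Python helpers are an added example and not the project's own code. They assemble the PUT, GET and DELETE requests documented in this section (URL pattern, headers, JSON payload and action names are taken from the examples above), derive the Basic credential shown in the Authorization header, pre-check a rules payload before it is sent, and evaluate a payload locally so the effect of a policy can be seen before the PAP stores it. Two things are assumptions that the README does not state: the decision logic in decide() (a (subject, action) pair with no matching permission is denied, and an explicit allow:false wins over allow:true), and the checks in validate_policy(), which only reflect what the examples show rather than the full access_policy.schema.json.

```python
"""Client-side helpers for the PAP REST API described above (added example,
not part of the driver-eu project). decide() and validate_policy() encode
assumptions, not documented project behaviour; see comments."""
import base64
import json
import urllib.request
from urllib.parse import quote

BASE_URL = "http://localhost:8080"  # plain HTTP as in the README; prefer the ssl profile
RESOURCE_TYPES = ("TOPIC", "GROUP")
# PUBLISH/WRITE and SUBSCRIBE/READ are interchangeable for a topic (see above).
CANONICAL_ACTION = {"PUBLISH": "WRITE", "WRITE": "WRITE",
                    "SUBSCRIBE": "READ", "READ": "READ", "DESCRIBE": "DESCRIBE"}

# Payloads copied from the Topic_A examples above.
TOPIC_A_POLICY = {"rules": [
    {"subject.id": "client1", "permissions": [{"allow": True, "action": "PUBLISH"},
                                              {"allow": False, "action": "SUBSCRIBE"},
                                              {"allow": False, "action": "DESCRIBE"}]},
    {"subject.id": "client2", "permissions": [{"allow": True, "action": "SUBSCRIBE"},
                                              {"allow": False, "action": "DESCRIBE"}]}]}
GROUP_ON_TOPIC_A_POLICY = {"rules": [
    {"subject.group": "ConsumerGroup1", "permissions": [{"allow": True, "action": "READ"},
                                                        {"allow": True, "action": "DESCRIBE"}]}]}


def policy_url(base, resource_type, resource_id):
    """Policy URL for one resource. The id is percent-encoded so a crafted id
    cannot smuggle ';' or '/' into the matrix-parameter path."""
    if resource_type not in RESOURCE_TYPES:
        raise ValueError(f"unknown resource type {resource_type!r}")
    return (f"{base}/services/authz/pap/policies/resource.type={resource_type}"
            f"/policies;resource.id={quote(resource_id, safe='')}")


def basic_auth_header(username, password):
    """HTTP Basic credential: base64(username:password). Cleartext unless TLS is on."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": f"Basic {token}"}


def validate_policy(policy):
    """Pre-check a payload against the shape of the README examples (assumption:
    the project's JSON schema remains the authority; this only catches obvious errors)."""
    if not isinstance(policy, dict) or set(policy) != {"rules"} or not isinstance(policy["rules"], list):
        raise ValueError("policy must be an object with a single 'rules' array")
    for i, rule in enumerate(policy["rules"]):
        if set(rule) - {"permissions"} not in ({"subject.id"}, {"subject.group"}):
            raise ValueError(f"rules[{i}]: exactly one of subject.id or subject.group is required")
        perms = rule.get("permissions")
        if not isinstance(perms, list) or not perms:
            raise ValueError(f"rules[{i}].permissions must be a non-empty array")
        for j, p in enumerate(perms):
            if set(p) != {"allow", "action"} or not isinstance(p["allow"], bool) \
                    or p["action"] not in CANONICAL_ACTION:
                raise ValueError(f"rules[{i}].permissions[{j}]: need boolean 'allow' and a known 'action'")
    return True


def decide(policy, subject_id, action, groups=()):
    """Local Permit/Deny for (subject, action). Assumptions (not from the README):
    no matching permission means Deny; an explicit allow:false overrides allow:true.
    Action aliases are collapsed first, so PUBLISH and WRITE are the same permission."""
    wanted = CANONICAL_ACTION[action]
    decision = "Deny"
    for rule in policy["rules"]:
        if rule.get("subject.id") != subject_id and rule.get("subject.group") not in groups:
            continue
        for p in rule["permissions"]:
            if CANONICAL_ACTION[p["action"]] == wanted:
                if not p["allow"]:
                    return "Deny"
                decision = "Permit"
    return decision


def build_request(method, base, resource_type, resource_id, username, password, policy=None):
    """Assemble a PUT (with payload), GET or DELETE as shown in the README.
    Content-Length is set explicitly because the PAP requires it on PUT."""
    headers = {"Accept": "application/json", **basic_auth_header(username, password)}
    body = None
    if method == "PUT":
        validate_policy(policy)
        body = json.dumps(policy, separators=(",", ":")).encode("utf-8")
        headers.update({"Content-Type": "application/json", "Content-Length": str(len(body))})
    elif method not in ("GET", "DELETE"):
        raise ValueError(f"unsupported method {method!r}")
    return {"method": method, "url": policy_url(base, resource_type, resource_id),
            "headers": headers, "body": body}


def send(req, timeout=10):
    """Perform a built request with the standard library (network call, not run offline)."""
    r = urllib.request.Request(req["url"], data=req["body"], method=req["method"], headers=req["headers"])
    with urllib.request.urlopen(r, timeout=timeout) as resp:
        return resp.status, resp.read()


if __name__ == "__main__":
    req = build_request("PUT", BASE_URL, "TOPIC", "Topic_A", "admin", "admin", TOPIC_A_POLICY)
    print(req["method"], req["url"])
    print(req["headers"]["Authorization"])              # Basic YWRtaW46YWRtaW4=
    print(decide(TOPIC_A_POLICY, "client1", "WRITE"))   # Permit (WRITE is an alias of PUBLISH)
```

To run it against a live instance, build a request as in the `__main__` block and pass it to send(); for the group policy, use resource type GROUP and the group ID as resource_id. Sending Basic credentials over the plain-HTTP BASE_URL shown in the README is fine on a developer machine but not beyond it.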

test-bed-security-authorization-service's People

Contributors: cdanger, erikvullings, phameete


test-bed-security-authorization-service's Issues

Authorization Service won't run on Windows

The Authorization Service won't run on Windows because of an issue with Paths:

2018-06-20 14:44:02.876 ERROR 6692 --- [           main] o.s.boot.SpringApplication               : Application startup failed

org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'tazService': Cannot create inner bean 'eu.driver.testbed.sec.authz.service.AuthzWsJaxrsRootResource#6a9d5dff' of type [eu.driver.testbed.sec.authz.service.AuthzWsJaxrsRootResource] while setting bean property 'serviceBeans' with key [0]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'eu.driver.testbed.sec.authz.service.AuthzWsJaxrsRootResource#6a9d5dff' defined in URL [file:target/test-classes/spring-beans.xml]: Bean instantiation via constructor failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [eu.driver.testbed.sec.authz.service.AuthzWsJaxrsRootResource]: Constructor threw exception; nested exception is java.nio.file.InvalidPathException: Illegal char <:> at index 2: /C:/Users/hameetepa/Projects/DRIVER/test-bed-security-authorization-service/target/test-classes//policies
	at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveInnerBean(BeanDefinitionValueResolver.java:313)
	at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:122)
	at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveManagedList(BeanDefinitionValueResolver.java:382)
	at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:157)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyPropertyValues(AbstractAutowireCapableBeanFactory.java:1533)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:1280)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:553)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:483)
	at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:312)
	at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:230)
	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:308)
	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:197)
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:761)
	at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:867)
	at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:543)
	at org.springframework.boot.context.embedded.EmbeddedWebApplicationContext.refresh(EmbeddedWebApplicationContext.java:122)
	at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:693)
	at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:360)
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:303)
	at org.springframework.boot.test.context.SpringBootContextLoader.loadContext(SpringBootContextLoader.java:120)
	at org.springframework.test.context.cache.DefaultCacheAwareContextLoaderDelegate.loadContextInternal(DefaultCacheAwareContextLoaderDelegate.java:98)
	at org.springframework.test.context.cache.DefaultCacheAwareContextLoaderDelegate.loadContext(DefaultCacheAwareContextLoaderDelegate.java:116)
	at org.springframework.test.context.support.DefaultTestContext.getApplicationContext(DefaultTestContext.java:83)
	at org.springframework.test.context.support.DependencyInjectionTestExecutionListener.injectDependencies(DependencyInjectionTestExecutionListener.java:117)
	at org.springframework.test.context.support.DependencyInjectionTestExecutionListener.prepareTestInstance(DependencyInjectionTestExecutionListener.java:83)
	at org.springframework.boot.test.autoconfigure.SpringBootDependencyInjectionTestExecutionListener.prepareTestInstance(SpringBootDependencyInjectionTestExecutionListener.java:44)
	at org.springframework.test.context.TestContextManager.prepareTestInstance(TestContextManager.java:230)
	at org.springframework.test.context.junit4.SpringJUnit4ClassRunner.createTest(SpringJUnit4ClassRunner.java:228)
	at org.springframework.test.context.junit4.SpringJUnit4ClassRunner$1.runReflectiveCall(SpringJUnit4ClassRunner.java:287)
	at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
	at org.springframework.test.context.junit4.SpringJUnit4ClassRunner.methodBlock(SpringJUnit4ClassRunner.java:289)
	at org.springframework.test.context.junit4.SpringJUnit4ClassRunner.runChild(SpringJUnit4ClassRunner.java:247)
	at org.springframework.test.context.junit4.SpringJUnit4ClassRunner.runChild(SpringJUnit4ClassRunner.java:94)
	at org.junit.runners.ParentRunner$3.run(ParentRunner.java:290)
	at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:71)
	at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:288)
	at org.junit.runners.ParentRunner.access$000(ParentRunner.java:58)
	at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:268)
	at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:26)
	at org.springframework.test.context.junit4.statements.RunBeforeTestClassCallbacks.evaluate(RunBeforeTestClassCallbacks.java:61)
	at org.springframework.test.context.junit4.statements.RunAfterTestClassCallbacks.evaluate(RunAfterTestClassCallbacks.java:70)
	at org.junit.runners.ParentRunner.run(ParentRunner.java:363)
	at org.springframework.test.context.junit4.SpringJUnit4ClassRunner.run(SpringJUnit4ClassRunner.java:191)
	at org.eclipse.jdt.internal.junit4.runner.JUnit4TestReference.run(JUnit4TestReference.java:86)
	at org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution.java:38)
	at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:538)
	at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:760)
	at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:460)
	at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:206)
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'eu.driver.testbed.sec.authz.service.AuthzWsJaxrsRootResource#6a9d5dff' defined in URL [file:target/test-classes/spring-beans.xml]: Bean instantiation via constructor failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [eu.driver.testbed.sec.authz.service.AuthzWsJaxrsRootResource]: Constructor threw exception; nested exception is java.nio.file.InvalidPathException: Illegal char <:> at index 2: /C:/Users/hameetepa/Projects/DRIVER/test-bed-security-authorization-service/target/test-classes//policies
	at org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:279)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.autowireConstructor(AbstractAutowireCapableBeanFactory.java:1197)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1099)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:513)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:483)
	at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveInnerBean(BeanDefinitionValueResolver.java:299)
	... 48 common frames omitted
Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [eu.driver.testbed.sec.authz.service.AuthzWsJaxrsRootResource]: Constructor threw exception; nested exception is java.nio.file.InvalidPathException: Illegal char <:> at index 2: /C:/Users/hameetepa/Projects/DRIVER/test-bed-security-authorization-service/target/test-classes//policies
	at org.springframework.beans.BeanUtils.instantiateClass(BeanUtils.java:154)
	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:122)
	at org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:271)
	... 53 common frames omitted
Caused by: java.nio.file.InvalidPathException: Illegal char <:> at index 2: /C:/Users/hameetepa/Projects/DRIVER/test-bed-security-authorization-service/target/test-classes//policies
	at sun.nio.fs.WindowsPathParser.normalize(WindowsPathParser.java:182)
	at sun.nio.fs.WindowsPathParser.parse(WindowsPathParser.java:153)
	at sun.nio.fs.WindowsPathParser.parse(WindowsPathParser.java:77)
	at sun.nio.fs.WindowsPath.parse(WindowsPath.java:94)
	at sun.nio.fs.WindowsFileSystem.getPath(WindowsFileSystem.java:255)
	at java.nio.file.Paths.get(Paths.java:84)
	at eu.driver.testbed.sec.authz.service.AuthzWsJaxrsRootResource.<init>(AuthzWsJaxrsRootResource.java:301)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
	at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
	at org.springframework.beans.BeanUtils.instantiateClass(BeanUtils.java:142)
	... 55 common frames omitted

You can easily replicate by running JUnit tests on a Windows machine.

CVE-2018-8088 affecting slf4j before 1.8.0-beta2

Vulnerability reported by owasp dependency-check on slf4j-api dependency:

jul-to-slf4j-1.7.25.jar (org.slf4j:jul-to-slf4j:1.7.25, cpe:/a:slf4j:slf4j:1.7.25) : CVE-2018-8088
log4j-over-slf4j-1.7.25.jar (org.slf4j:log4j-over-slf4j:1.7.25, cpe:/a:slf4j:slf4j:1.7.25) : CVE-2018-8088
slf4j-api-1.7.25.jar (org.slf4j:slf4j-api:1.7.25, cpe:/a:slf4j:slf4j:1.7.25) : CVE-2018-8088
jcl-over-slf4j-1.7.25.jar (org.slf4j:jcl-over-slf4j:1.7.25, cpe:/a:slf4j:slf4j:1.7.25) : CVE-2018-8088

Fix it with the next stable release of slf4j-api (as of writing: 1.8.0-beta2).
