|
Important
|
Work in progress
TODO:
|
This an implementation of the API from protego-core. It focuses on the security aspect of the poly rules. Meaning that it tries to prevent loading of unwanted rules, changing the existing rules or adding rules trough reflection. The intention is not to protect the application from the developer (you must trust your developers), but to avoid changes made by a malicious third party library from a project’s dependency.
In order to forbid changes trough reflection, I am using Java Platform Module System (JPMS). The application must also run as a module to kick in the reflection protection mechanism of JPMS.
Each policy rule must be tested rigorously.
This project contains a maven project in the protego-rules-signatures subfolder.
This project is used to sign the policy rule classes.
Policy rules are loaded from protego-policy-rules-and-signatures.yaml file that must be located in project’s root folder.
The file contains the public key used to decrypt the signature, the names of the fully qualified policy rule classes and a signature for each class.
The signature is made from hashing the class bytecode (SHA-1).
From the bytecode is extracted the 8 bytes header (CAFE BABE + 4 bytes containing the class version).
-
The first step is to generate the public and private keys (RSA-512) in
tempsubfolder by running thegenerate-certificate.sh(or.bat) script:-
key.pem- private key, -
publicKey.pub- public key, -
key.pkcs8- public+private key pair)
-
-
After that, a dependency to your project must be added to the project (in
artifactId: protego-rules-signatures). If your project is a uber jar, then a thin jar must be also installed in your repository. Add this to your (Spring Boot) project:
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jar-plugin</artifactId>
<executions>
<execution>
<id>thin-jar</id>
<goals>
<goal>jar</goal>
</goals>
<configuration>
<classifier>thin-jar</classifier>
</configuration>
</execution>
</executions>
</plugin>then in protego-rules-signatures’s pom.xml file:
<dependency>
<groupId>your.group.id</groupId>
<artifactId>your.artifact.id</artifactId>
<version>1.0.0-SNAPSHOT</version>
<classifier>thin-jar</classifier>
</dependency>-
Create a file named
protego-policy-rules-and-signatures.yamlin the project’s root (the project that use the protego framework). The file must have the keypublicKeyin the root and another key namedpolicyRuleCofigurationswhich is a list of policy rule classes toghether with theirs signatures (classNameamdsignature). You can copy this file content:
# thins key must be present
publicKey: >-
<copy pub key>
# also class/signature keys must be present
policyRuleCofigurations:
- className: your.policy.RuleClass
signature: "<generate signture>"
- className: your.policy.OtherRuleClass
signature: "<generate signture>"
-
Then, using a terminal, go to the folder where the
allow-same-tenant-policy-rules.yamlfile is located (for example/home/user/protego-singed-rules/src/test/resources/). From this folder run thesign.sh(or.bat) script. For example:../../../protego-rules-signatures/sign.sh. This will sign the policy classes and copy the public key to the yaml file. After that, the file should look something like this:
# thins key must be present publicKey: >- MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJW2DQAcahQ1MpNCRDR4wBFn+hGwUQ3K5DgIepusbC6r6tw3m5xUc54UttWwQCpxLwCfuN7aR6VXLuPghpKHEfkCAwEAAQ== # also class/signature keys must be present policyRuleCofigurations: - className: your.policy.RuleClass signature: "R/Uif8JOkDOCafzAqlGl6SG6JZzWueSaS46MomKF8Lvsu3KL5RdlNpVpmtUcgpfvSD1Jd0cPjqwEFGwbb3MEIQ==" - className: your.policy.OtherRuleClass signature: "TOLeozjr1bcZazbCr7dfLmjVhxR7gxYNjqwYTGWslQeUxm0ohV/hh/zGYMCwfsKjoEb4fqR1EPKQUZgSOuMqFA=="
For example use cases you should check the integration tests.
This project is licensed under the MIT License - see the License.adoc file for details.