Search in sources :

Example 41 with KeyStore

use of com.yahoo.athenz.auth.KeyStore in project athenz by yahoo.

the class InstanceZTSProviderTest method testConfirmInstanceWithRegisterTokenMismatchProvider.

@Test
public void testConfirmInstanceWithRegisterTokenMismatchProvider() throws IOException {
    KeyStore keystore = Mockito.mock(KeyStore.class);
    Mockito.when(keystore.getPublicKey("sports", "api", "v0")).thenReturn(servicePublicKeyStringK0);
    System.setProperty(InstanceZTSProvider.ZTS_PROP_PRINCIPAL_LIST, "sports.api,weather.api,sports.backend");
    // get our ec public key
    Path path = Paths.get("./src/test/resources/unit_test_ec_public.key");
    String keyPem = new String(Files.readAllBytes(path));
    PublicKey publicKey = Crypto.loadPublicKey(keyPem);
    InstanceZTSProvider provider = new InstanceZTSProvider();
    provider.initialize("athenz.zts", "com.yahoo.athenz.instance.provider.impl.InstanceZTSProvider", null, keystore);
    provider.signingKeyResolver.addPublicKey("k0", publicKey);
    // get our private key now
    path = Paths.get("./src/test/resources/unit_test_ec_private.key");
    keyPem = new String(Files.readAllBytes(path));
    PrivateKey privateKey = Crypto.loadPrivateKey(keyPem);
    provider.setPrivateKey(privateKey, "k0", SignatureAlgorithm.ES256);
    InstanceConfirmation tokenConfirmation = new InstanceConfirmation();
    tokenConfirmation.setDomain("sports");
    tokenConfirmation.setService("api");
    tokenConfirmation.setProvider("sys.auth.zts");
    Map<String, String> attrs = new HashMap<>();
    attrs.put(InstanceProvider.ZTS_INSTANCE_ID, "id001");
    tokenConfirmation.setAttributes(attrs);
    InstanceRegisterToken token = provider.getInstanceRegisterToken(tokenConfirmation);
    // generate instance confirmation
    InstanceConfirmation confirmation = new InstanceConfirmation();
    confirmation.setAttestationData(token.getAttestationData());
    confirmation.setDomain("sports");
    confirmation.setService("api");
    confirmation.setProvider("sys.auth.zts");
    Map<String, String> attributes = new HashMap<>();
    attributes.put(InstanceProvider.ZTS_INSTANCE_SAN_DNS, "api.sports.zts.athenz.cloud,id001.instanceid.athenz.zts.athenz.cloud");
    attributes.put(InstanceProvider.ZTS_INSTANCE_CSR_PUBLIC_KEY, servicePublicKeyStringK0);
    attributes.put(InstanceProvider.ZTS_INSTANCE_ID, "id001");
    confirmation.setAttributes(attributes);
    try {
        provider.confirmInstance(confirmation);
        fail();
    } catch (ResourceException ex) {
        assertEquals(ex.getCode(), ResourceException.FORBIDDEN);
    }
    // calling validation directly should fail as well
    StringBuilder errMsg = new StringBuilder();
    assertFalse(provider.validateRegisterToken(token.getAttestationData(), "sports", "api", "id001", false, errMsg));
    assertTrue(errMsg.toString().contains("token audience is not ZTS provider"));
    provider.close();
    System.clearProperty(InstanceZTSProvider.ZTS_PROP_PRINCIPAL_LIST);
}
Also used : Path(java.nio.file.Path) InstanceConfirmation(com.yahoo.athenz.instance.provider.InstanceConfirmation) PrivateKey(java.security.PrivateKey) PublicKey(java.security.PublicKey) InstanceZTSProvider(com.yahoo.athenz.instance.provider.impl.InstanceZTSProvider) InstanceRegisterToken(com.yahoo.athenz.zts.InstanceRegisterToken) ResourceException(com.yahoo.athenz.instance.provider.ResourceException) KeyStore(com.yahoo.athenz.auth.KeyStore) Test(org.testng.annotations.Test)

Example 42 with KeyStore

use of com.yahoo.athenz.auth.KeyStore in project athenz by yahoo.

the class InstanceZTSProviderTest method testConfirmInstanceInvalidIP.

@Test
public void testConfirmInstanceInvalidIP() {
    KeyStore keystore = Mockito.mock(KeyStore.class);
    Mockito.when(keystore.getPublicKey("sports", "api", "v0")).thenReturn(servicePublicKeyStringK0);
    InstanceZTSProvider provider = new InstanceZTSProvider();
    provider.initialize("provider", "com.yahoo.athenz.instance.provider.impl.InstanceZTSProvider", null, keystore);
    PrincipalToken tokenToSign = new PrincipalToken.Builder("S1", "sports", "api").keyId("v0").salt("salt").issueTime(System.currentTimeMillis() / 1000).expirationWindow(3600).build();
    tokenToSign.sign(servicePrivateKeyStringK0);
    InstanceConfirmation confirmation = new InstanceConfirmation();
    confirmation.setAttestationData(tokenToSign.getSignedToken());
    confirmation.setDomain("sports");
    confirmation.setService("api");
    confirmation.setProvider("sys.auth.zts");
    Map<String, String> attributes = new HashMap<>();
    attributes.put(InstanceProvider.ZTS_INSTANCE_SAN_DNS, "api.sports.zts.athenz.cloud,inst1.instanceid.athenz.zts.athenz.cloud");
    attributes.put(InstanceProvider.ZTS_INSTANCE_CLIENT_IP, "10.1.1.1");
    attributes.put(InstanceProvider.ZTS_INSTANCE_SAN_IP, "10.1.1.2");
    attributes.put(InstanceProvider.ZTS_INSTANCE_CSR_PUBLIC_KEY, servicePublicKeyStringK0);
    confirmation.setAttributes(attributes);
    try {
        provider.confirmInstance(confirmation);
        fail();
    } catch (ResourceException ex) {
        assertEquals(ex.getCode(), 403);
        assertTrue(ex.getMessage().contains("validate request IP address"));
    }
    provider.close();
}
Also used : InstanceConfirmation(com.yahoo.athenz.instance.provider.InstanceConfirmation) InstanceZTSProvider(com.yahoo.athenz.instance.provider.impl.InstanceZTSProvider) PrincipalToken(com.yahoo.athenz.auth.token.PrincipalToken) ResourceException(com.yahoo.athenz.instance.provider.ResourceException) KeyStore(com.yahoo.athenz.auth.KeyStore) Test(org.testng.annotations.Test)

Example 43 with KeyStore

use of com.yahoo.athenz.auth.KeyStore in project athenz by yahoo.

the class InstanceZTSProviderTest method testConfirmInstanceEmptyCredentials.

@Test
public void testConfirmInstanceEmptyCredentials() throws IOException {
    KeyStore keystore = Mockito.mock(KeyStore.class);
    Mockito.when(keystore.getPublicKey("sports", "api", "v0")).thenReturn(servicePublicKeyStringK0);
    System.setProperty(InstanceZTSProvider.ZTS_PROP_PRINCIPAL_LIST, "sports.api");
    // get our ec public key
    Path path = Paths.get("./src/test/resources/unit_test_ec_public.key");
    String keyPem = new String(Files.readAllBytes(path));
    PublicKey publicKey = Crypto.loadPublicKey(keyPem);
    InstanceZTSProvider provider = new InstanceZTSProvider();
    provider.initialize("sys.auth.zts", "com.yahoo.athenz.instance.provider.impl.InstanceZTSProvider", null, keystore);
    provider.signingKeyResolver.addPublicKey("k0", publicKey);
    InstanceConfirmation tokenConfirmation = new InstanceConfirmation();
    tokenConfirmation.setDomain("sports");
    tokenConfirmation.setService("api");
    tokenConfirmation.setProvider("sys.auth.zts");
    Map<String, String> attrs = new HashMap<>();
    attrs.put(InstanceProvider.ZTS_INSTANCE_ID, "id001");
    tokenConfirmation.setAttributes(attrs);
    // generate instance confirmation
    InstanceConfirmation confirmation = new InstanceConfirmation();
    confirmation.setDomain("sports");
    confirmation.setService("api");
    confirmation.setProvider("sys.auth.zts");
    Map<String, String> attributes = new HashMap<>();
    attributes.put(InstanceProvider.ZTS_INSTANCE_SAN_DNS, "api.sports.zts.athenz.cloud,id001.instanceid.athenz.zts.athenz.cloud");
    attributes.put(InstanceProvider.ZTS_INSTANCE_CSR_PUBLIC_KEY, servicePublicKeyStringK0);
    attributes.put(InstanceProvider.ZTS_INSTANCE_ID, "id001");
    confirmation.setAttributes(attributes);
    try {
        provider.confirmInstance(confirmation);
        fail();
    } catch (ResourceException ex) {
        assertEquals(ex.getCode(), ResourceException.FORBIDDEN);
        assertTrue(ex.getMessage().contains("Service credentials not provided"));
    }
    provider.close();
    System.clearProperty(InstanceZTSProvider.ZTS_PROP_PRINCIPAL_LIST);
}
Also used : Path(java.nio.file.Path) InstanceConfirmation(com.yahoo.athenz.instance.provider.InstanceConfirmation) PublicKey(java.security.PublicKey) InstanceZTSProvider(com.yahoo.athenz.instance.provider.impl.InstanceZTSProvider) ResourceException(com.yahoo.athenz.instance.provider.ResourceException) KeyStore(com.yahoo.athenz.auth.KeyStore) Test(org.testng.annotations.Test)

Example 44 with KeyStore

use of com.yahoo.athenz.auth.KeyStore in project athenz by yahoo.

the class InstanceZTSProviderTest method testConfirmInstanceUnsupportedService.

@Test
public void testConfirmInstanceUnsupportedService() {
    KeyStore keystore = Mockito.mock(KeyStore.class);
    Mockito.when(keystore.getPublicKey("sports", "api", "v0")).thenReturn(servicePublicKeyStringK0);
    System.setProperty(InstanceZTSProvider.ZTS_PROP_PRINCIPAL_LIST, "sports.api");
    InstanceZTSProvider provider = new InstanceZTSProvider();
    provider.initialize("provider", "com.yahoo.athenz.instance.provider.impl.InstanceZTSProvider", null, keystore);
    PrincipalToken tokenToSign = new PrincipalToken.Builder("S1", "sports", "backend").keyId("v0").salt("salt").issueTime(System.currentTimeMillis() / 1000).expirationWindow(3600).build();
    tokenToSign.sign(servicePrivateKeyStringK0);
    InstanceConfirmation confirmation = new InstanceConfirmation();
    confirmation.setAttestationData(tokenToSign.getSignedToken());
    confirmation.setDomain("sports");
    confirmation.setService("backend");
    confirmation.setProvider("sys.auth.zts");
    Map<String, String> attributes = new HashMap<>();
    attributes.put(InstanceProvider.ZTS_INSTANCE_SAN_DNS, "backend.sports.zts.athenz.cloud,inst1.instanceid.athenz.zts.athenz.cloud");
    attributes.put(InstanceProvider.ZTS_INSTANCE_CSR_PUBLIC_KEY, servicePublicKeyStringK0);
    confirmation.setAttributes(attributes);
    try {
        provider.confirmInstance(confirmation);
        fail();
    } catch (ResourceException ex) {
        assertTrue(ex.getMessage().contains("Service not supported to be launched by ZTS Provider"));
    }
    provider.close();
    System.clearProperty(InstanceZTSProvider.ZTS_PROP_PRINCIPAL_LIST);
}
Also used : InstanceConfirmation(com.yahoo.athenz.instance.provider.InstanceConfirmation) InstanceZTSProvider(com.yahoo.athenz.instance.provider.impl.InstanceZTSProvider) PrincipalToken(com.yahoo.athenz.auth.token.PrincipalToken) ResourceException(com.yahoo.athenz.instance.provider.ResourceException) KeyStore(com.yahoo.athenz.auth.KeyStore) Test(org.testng.annotations.Test)

Example 45 with KeyStore

use of com.yahoo.athenz.auth.KeyStore in project athenz by yahoo.

the class InstanceZTSProviderTest method testConfirmInstanceValidHostname.

@Test
public void testConfirmInstanceValidHostname() {
    KeyStore keystore = Mockito.mock(KeyStore.class);
    Mockito.when(keystore.getPublicKey("sports", "api", "v0")).thenReturn(servicePublicKeyStringK0);
    HostnameResolver hostnameResolver = Mockito.mock(HostnameResolver.class);
    Mockito.when(hostnameResolver.isValidHostname("hostabc.athenz.com")).thenReturn(true);
    Mockito.when(hostnameResolver.getAllByName("hostabc.athenz.com")).thenReturn(new HashSet<>(Arrays.asList("10.1.1.1", "2001:db8:a0b:12f0:0:0:0:1")));
    InstanceZTSProvider provider = new InstanceZTSProvider();
    provider.initialize("provider", "com.yahoo.athenz.instance.provider.impl.InstanceZTSProvider", null, keystore);
    provider.setHostnameResolver(hostnameResolver);
    PrincipalToken tokenToSign = new PrincipalToken.Builder("S1", "sports", "api").keyId("v0").salt("salt").issueTime(System.currentTimeMillis() / 1000).expirationWindow(3600).build();
    tokenToSign.sign(servicePrivateKeyStringK0);
    InstanceConfirmation confirmation = new InstanceConfirmation();
    confirmation.setAttestationData(tokenToSign.getSignedToken());
    confirmation.setDomain("sports");
    confirmation.setService("api");
    confirmation.setProvider("sys.auth.zts");
    Map<String, String> attributes = new HashMap<>();
    attributes.put(InstanceProvider.ZTS_INSTANCE_SAN_DNS, "api.sports.zts.athenz.cloud,inst1.instanceid.athenz.zts.athenz.cloud");
    attributes.put(InstanceProvider.ZTS_INSTANCE_HOSTNAME, "hostabc.athenz.com");
    attributes.put(InstanceProvider.ZTS_INSTANCE_CLIENT_IP, "10.1.1.1");
    attributes.put(InstanceProvider.ZTS_INSTANCE_SAN_IP, "10.1.1.1,2001:db8:a0b:12f0:0:0:0:1");
    attributes.put(InstanceProvider.ZTS_INSTANCE_SAN_URI, "athenz://instanceid/zts/hostabc.athenz.com,athenz://hostname/hostabc.athenz.com");
    attributes.put(InstanceProvider.ZTS_INSTANCE_CSR_PUBLIC_KEY, servicePublicKeyStringK0);
    confirmation.setAttributes(attributes);
    assertNotNull(provider.confirmInstance(confirmation));
    provider.close();
}
Also used : InstanceConfirmation(com.yahoo.athenz.instance.provider.InstanceConfirmation) HostnameResolver(com.yahoo.athenz.common.server.dns.HostnameResolver) InstanceZTSProvider(com.yahoo.athenz.instance.provider.impl.InstanceZTSProvider) PrincipalToken(com.yahoo.athenz.auth.token.PrincipalToken) KeyStore(com.yahoo.athenz.auth.KeyStore) Test(org.testng.annotations.Test)

Aggregations

KeyStore (com.yahoo.athenz.auth.KeyStore)51 Test (org.testng.annotations.Test)50 BeforeTest (org.testng.annotations.BeforeTest)28 PrincipalToken (com.yahoo.athenz.auth.token.PrincipalToken)25 InstanceZTSProvider (com.yahoo.athenz.instance.provider.impl.InstanceZTSProvider)19 ArrayList (java.util.ArrayList)17 InstanceConfirmation (com.yahoo.athenz.instance.provider.InstanceConfirmation)16 Principal (com.yahoo.athenz.auth.Principal)15 PublicKey (java.security.PublicKey)9 ResourceException (com.yahoo.athenz.instance.provider.ResourceException)8 RoleToken (com.yahoo.athenz.auth.token.RoleToken)7 Path (java.nio.file.Path)7 PrivateKey (java.security.PrivateKey)6 HostnameResolver (com.yahoo.athenz.common.server.dns.HostnameResolver)4 InstanceRegisterToken (com.yahoo.athenz.zts.InstanceRegisterToken)4 SigningKeyResolver (io.jsonwebtoken.SigningKeyResolver)2 DefaultClaims (io.jsonwebtoken.impl.DefaultClaims)2 DefaultJwsHeader (io.jsonwebtoken.impl.DefaultJwsHeader)2 FileReader (java.io.FileReader)2 Field (java.lang.reflect.Field)2