Example 76 with Principal
use of com.yahoo.athenz.auth.Principal in project athenz by yahoo.
the class ZTSImpl method postOSTKInstanceRefreshRequest.
// this method will be removed and replaced with call to postInstanceRefreshInformation
@Override
public Identity postOSTKInstanceRefreshRequest(ResourceContext ctx, String domain, String service, OSTKInstanceRefreshRequest req) {
final String caller = "postostkinstancerefreshrequest";
final String callerTiming = "postostkinstancerefreshrequest_timing";
metric.increment(HTTP_POST);
logPrincipal(ctx);
if (LOGGER.isDebugEnabled()) {
LOGGER.debug("postOSTKInstanceRefreshRequest: " + req);
}
validateRequest(ctx.request(), caller);
validate(domain, TYPE_DOMAIN_NAME, caller);
validate(service, TYPE_SIMPLE_NAME, caller);
validate(req, TYPE_OSTK_INSTANCE_REFRESH_REQUEST, caller);
// for consistent handling of all requests, we're going to convert
// all incoming object values into lower case (e.g. domain, role,
// policy, service, etc name)
domain = domain.toLowerCase();
service = service.toLowerCase();
Object timerMetric = metric.startTiming(callerTiming, domain);
metric.increment(HTTP_REQUEST, domain);
metric.increment(caller, domain);
// make sure the credentials match to whatever the request is
Principal principal = ((RsrcCtxWrapper) ctx).principal();
String principalName = domain + "." + service;
if (!principalName.equals(principal.getFullName())) {
throw requestError("postOSTKInstanceRefreshRequest: Principal mismatch: " + principalName + " vs. " + principal.getFullName(), caller, domain);
}
Authority authority = principal.getAuthority();
if (!(authority instanceof CertificateAuthority)) {
throw requestError("postOSTKInstanceRefreshRequest: Unsupported authority for TLS Certs: " + authority.toString(), caller, domain);
}
X509Certificate cert = principal.getX509Certificate();
X509CertRecord x509CertRecord = instanceCertManager.getX509CertRecord("ostk", cert);
if (x509CertRecord == null) {
throw forbiddenError("postOSTKInstanceRefreshRequest: Unable to find certificate record", caller, domain);
}
// validate that the cn and public key (if required) match to
// the provided details
PKCS10CertificationRequest certReq = Crypto.getPKCS10CertRequest(req.getCsr());
if (certReq == null) {
throw requestError("postOSTKInstanceRefreshRequest: unable to parse PKCS10 certificate request", caller, domain);
}
if (!ZTSUtils.verifyCertificateRequest(certReq, domain, service, x509CertRecord)) {
throw requestError("postOSTKInstanceRefreshRequest: invalid CSR - cn mismatch", caller, domain);
}
// now we need to make sure the serial number for the certificate
// matches to what we had issued previously. If we have a mismatch
// then we're going to revoke this instance as it has been possibly
// compromised
String serialNumber = cert.getSerialNumber().toString();
if (x509CertRecord.getCurrentSerial().equals(serialNumber)) {
// update the record to mark current as previous
// and we'll update the current set with our existing
// details
x509CertRecord.setPrevIP(x509CertRecord.getCurrentIP());
x509CertRecord.setPrevTime(x509CertRecord.getCurrentTime());
x509CertRecord.setPrevSerial(x509CertRecord.getCurrentSerial());
} else if (!x509CertRecord.getPrevSerial().equals(serialNumber)) {
// we have a mismatch for both current and previous serial
// numbers so we're going to revoke it
LOGGER.error("postOSTKInstanceRefreshRequest: Revoking certificate refresh for cn: {} " + "instance id: {}, current serial: {}, previous serial: {}, cert serial: {}", principalName, x509CertRecord.getInstanceId(), x509CertRecord.getCurrentSerial(), x509CertRecord.getPrevSerial(), serialNumber);
x509CertRecord.setPrevSerial("-1");
x509CertRecord.setCurrentSerial("-1");
instanceCertManager.updateX509CertRecord(x509CertRecord);
throw forbiddenError("postOSTKInstanceRefreshRequest: Certificate revoked", caller, domain);
}
// generate identity with the certificate
Identity identity = ZTSUtils.generateIdentity(certSigner, req.getCsr(), principalName, null, 0);
if (identity == null) {
throw serverError("Unable to generate identity", caller, domain);
}
// need to update our cert record with new certificate details
X509Certificate newCert = Crypto.loadX509Certificate(identity.getCertificate());
x509CertRecord.setCurrentSerial(newCert.getSerialNumber().toString());
x509CertRecord.setCurrentIP(ServletRequestUtil.getRemoteAddress(ctx.request()));
x509CertRecord.setCurrentTime(new Date());
if (!instanceCertManager.updateX509CertRecord(x509CertRecord)) {
throw serverError("postOSTKInstanceRefreshRequest: unable to update cert db", caller, domain);
}
metric.stopTiming(timerMetric);
return identity;
}
Also used :
PKCS10CertificationRequest(org.bouncycastle.pkcs.PKCS10CertificationRequest)
Authority(com.yahoo.athenz.auth.Authority)
CertificateAuthority(com.yahoo.athenz.auth.impl.CertificateAuthority)
CertificateAuthority(com.yahoo.athenz.auth.impl.CertificateAuthority)
SimplePrincipal(com.yahoo.athenz.auth.impl.SimplePrincipal)
Principal(com.yahoo.athenz.auth.Principal)
X509Certificate(java.security.cert.X509Certificate)
X509CertRecord(com.yahoo.athenz.zts.cert.X509CertRecord)
Date(java.util.Date)
Example 77 with Principal
use of com.yahoo.athenz.auth.Principal in project athenz by yahoo.
the class ZTSImpl method postInstanceRefreshInformation.
@Override
public InstanceIdentity postInstanceRefreshInformation(ResourceContext ctx, String provider, String domain, String service, String instanceId, InstanceRefreshInformation info) {
final String caller = "postinstancerefreshinformation";
final String callerTiming = "postinstancerefreshinformation_timing";
metric.increment(HTTP_POST);
logPrincipal(ctx);
validateRequest(ctx.request(), caller);
validate(provider, TYPE_SERVICE_NAME, caller);
validate(domain, TYPE_DOMAIN_NAME, caller);
validate(service, TYPE_SIMPLE_NAME, caller);
validate(instanceId, TYPE_PATH_ELEMENT, caller);
validate(info, TYPE_INSTANCE_REFRESH_INFO, caller);
// for consistent handling of all requests, we're going to convert
// all incoming object values into lower case (e.g. domain, role,
// policy, service, etc name)
provider = provider.toLowerCase();
domain = domain.toLowerCase();
service = service.toLowerCase();
Object timerMetric = metric.startTiming(callerTiming, domain);
metric.increment(HTTP_REQUEST, domain);
metric.increment(caller, domain);
// before running any checks make sure it's coming from
// an authorized ip address
final String ipAddress = ServletRequestUtil.getRemoteAddress(ctx.request());
if (!instanceCertManager.verifyInstanceCertIPAddress(ipAddress)) {
throw forbiddenError("Unknown IP: " + ipAddress, caller, domain);
}
// we are going to get two use cases here. client asking for:
// * x509 cert (optionally with ssh certificate)
// * only ssh certificate
// both CSRs are marked as optional so we need to make sure
// at least one of the CSRs is provided
final String x509Csr = convertEmptyStringToNull(info.getCsr());
final String sshCsr = convertEmptyStringToNull(info.getSsh());
if (x509Csr == null && sshCsr == null) {
throw requestError("no csr provided", caller, domain);
}
// make sure the credentials match to whatever the request is
Principal principal = ((RsrcCtxWrapper) ctx).principal();
final String principalName = domain + "." + service;
if (!principalName.equals(principal.getFullName())) {
throw requestError("Principal mismatch: " + principalName + " vs. " + principal.getFullName(), caller, domain);
}
Authority authority = principal.getAuthority();
if (!(authority instanceof CertificateAuthority)) {
throw requestError("Unsupported authority for TLS Certs: " + authority.toString(), caller, domain);
}
// first we need to make sure that the provider has been
// authorized in Athenz to bootstrap/launch instances
Principal providerService = createPrincipalForName(provider);
StringBuilder errorMsg = new StringBuilder(256);
if (!instanceCertManager.authorizeLaunch(providerService, domain, service, authorizer, errorMsg)) {
throw forbiddenError(errorMsg.toString(), caller, domain);
}
// extract our instance certificate record to make sure it
// hasn't been revoked already
X509CertRecord x509CertRecord = instanceCertManager.getX509CertRecord(provider, instanceId);
if (x509CertRecord == null) {
throw forbiddenError("Unable to find certificate record", caller, domain);
}
if (!principalName.equals(x509CertRecord.getService())) {
throw requestError("service name mismatch - csr: " + principalName + " cert db: " + x509CertRecord.getService(), caller, domain);
}
InstanceIdentity identity = null;
if (x509Csr != null) {
identity = processProviderX509RefreshRequest(ctx, principal, domain, service, provider, providerService, instanceId, info, x509CertRecord, caller);
} else {
identity = processProviderSSHRefreshRequest(ctx, principal, domain, service, provider, instanceId, sshCsr, x509CertRecord, caller);
}
metric.stopTiming(timerMetric);
return identity;
}
Also used :
Authority(com.yahoo.athenz.auth.Authority)
CertificateAuthority(com.yahoo.athenz.auth.impl.CertificateAuthority)
CertificateAuthority(com.yahoo.athenz.auth.impl.CertificateAuthority)
SimplePrincipal(com.yahoo.athenz.auth.impl.SimplePrincipal)
Principal(com.yahoo.athenz.auth.Principal)
X509CertRecord(com.yahoo.athenz.zts.cert.X509CertRecord)
Example 78 with Principal
use of com.yahoo.athenz.auth.Principal in project athenz by yahoo.
the class ZTSImpl method getAuditLogMsgBuilder.
AuditLogMsgBuilder getAuditLogMsgBuilder(ResourceContext ctx, String domainName, String caller, String method) {
AuditLogMsgBuilder msgBldr = auditLogger.getMsgBuilder();
// get the where - which means where this server is running
msgBldr.where(serverHostName).whatDomain(domainName).whatApi(caller).whatMethod(method).when(Timestamp.fromCurrentTime().toString());
// get the 'who' and set it
Principal princ = ((RsrcCtxWrapper) ctx).principal();
if (princ != null) {
String unsignedCreds = princ.getUnsignedCredentials();
if (unsignedCreds == null) {
msgBldr.who(princ.getFullName());
} else {
msgBldr.who(unsignedCreds);
}
}
// get the client IP
msgBldr.clientIp(ServletRequestUtil.getRemoteAddress(ctx.request()));
return msgBldr;
}
Also used :
AuditLogMsgBuilder(com.yahoo.athenz.common.server.log.AuditLogMsgBuilder)
SimplePrincipal(com.yahoo.athenz.auth.impl.SimplePrincipal)
Principal(com.yahoo.athenz.auth.Principal)
Example 79 with Principal
use of com.yahoo.athenz.auth.Principal in project athenz by yahoo.
the class ZTSImpl method postInstanceRegisterInformation.
@Override
public void postInstanceRegisterInformation(ResourceContext ctx, InstanceRegisterInformation info, PostInstanceRegisterInformationResult instanceResult) {
final String caller = "postinstanceregisterinformation";
final String callerTiming = "postinstanceregisterinformation_timing";
metric.increment(HTTP_POST);
validateRequest(ctx.request(), caller);
validate(info, TYPE_INSTANCE_REGISTER_INFO, caller);
// for consistent handling of all requests, we're going to convert
// all incoming object values into lower case (e.g. domain, role,
// policy, service, etc name)
AthenzObject.INSTANCE_REGISTER_INFO.convertToLowerCase(info);
final String domain = info.getDomain();
final String service = info.getService();
final String cn = domain + "." + service;
((RsrcCtxWrapper) ctx).logPrincipal(cn);
Object timerMetric = metric.startTiming(callerTiming, domain);
metric.increment(HTTP_REQUEST, domain);
metric.increment(caller, domain);
// before running any checks make sure it's coming from
// an authorized ip address
final String ipAddress = ServletRequestUtil.getRemoteAddress(ctx.request());
if (!instanceCertManager.verifyInstanceCertIPAddress(ipAddress)) {
throw forbiddenError("Unknown IP: " + ipAddress, caller, domain);
}
// run the authorization checks to make sure the provider has been
// authorized to launch instances in Athenz and the service has
// authorized this provider to launch its instances
final String provider = info.getProvider();
Principal providerService = createPrincipalForName(provider);
StringBuilder errorMsg = new StringBuilder(256);
if (!instanceCertManager.authorizeLaunch(providerService, domain, service, authorizer, errorMsg)) {
throw forbiddenError(errorMsg.toString(), caller, domain);
}
// validate request/csr details
X509CertRequest certReq = null;
try {
certReq = new X509CertRequest(info.getCsr());
} catch (CryptoException ex) {
throw requestError("unable to parse PKCS10 CSR: " + ex.getMessage(), caller, domain);
}
if (!certReq.validate(providerService, domain, service, null, authorizer, errorMsg)) {
throw requestError("CSR validation failed - " + errorMsg.toString(), caller, domain);
}
final String certReqInstanceId = certReq.getInstanceId();
// validate attestation data is included in the request
InstanceProvider instanceProvider = instanceProviderManager.getProvider(provider);
if (instanceProvider == null) {
throw requestError("unable to get instance for provider: " + provider, caller, domain);
}
InstanceConfirmation instance = generateInstanceConfirmObject(ctx, provider, domain, service, info.getAttestationData(), certReq);
try {
instance = instanceProvider.confirmInstance(instance);
} catch (Exception ex) {
throw forbiddenError("unable to verify attestation data: " + ex.getMessage(), caller, domain);
} finally {
instanceProvider.close();
}
// determine what type of certificate the provider is authorizing
// this instance to get - possible values are: server, client or
// null (indicating both client and server). Additionally, we're
// going to see if the provider wants to impose an expiry time
// though the certificate signer might decide to ignore that
// request and override it with its own value.
String certUsage = null;
int certExpiryTime = 0;
boolean certRefreshAllowed = true;
Map<String, String> instanceAttrs = instance.getAttributes();
if (instanceAttrs != null) {
certUsage = instanceAttrs.remove(ZTSConsts.ZTS_CERT_USAGE);
final String expiryTime = instanceAttrs.remove(ZTSConsts.ZTS_CERT_EXPIRY_TIME);
if (expiryTime != null && !expiryTime.isEmpty()) {
certExpiryTime = Integer.parseInt(expiryTime);
}
final String certRefreshState = instanceAttrs.remove(ZTSConsts.ZTS_CERT_REFRESH);
if (certRefreshState != null && !certRefreshState.isEmpty()) {
certRefreshAllowed = Boolean.parseBoolean(certRefreshState);
}
}
// generate certificate for the instance
InstanceIdentity identity = instanceCertManager.generateIdentity(info.getCsr(), cn, certUsage, certExpiryTime);
if (identity == null) {
throw serverError("unable to generate identity", caller, domain);
}
// if we're asked then we should also generate a ssh
// certificate for the instance as well
instanceCertManager.generateSshIdentity(identity, info.getSsh(), ZTSConsts.ZTS_SSH_HOST);
// set the other required attributes in the identity object
identity.setAttributes(instanceAttrs);
identity.setProvider(provider);
identity.setInstanceId(certReqInstanceId);
X509Certificate newCert = Crypto.loadX509Certificate(identity.getX509Certificate());
final String certSerial = newCert.getSerialNumber().toString();
if (certRefreshAllowed) {
X509CertRecord x509CertRecord = new X509CertRecord();
x509CertRecord.setService(cn);
x509CertRecord.setProvider(provider);
x509CertRecord.setInstanceId(certReqInstanceId);
x509CertRecord.setCurrentSerial(certSerial);
x509CertRecord.setCurrentIP(ServletRequestUtil.getRemoteAddress(ctx.request()));
x509CertRecord.setCurrentTime(new Date());
x509CertRecord.setPrevSerial(x509CertRecord.getCurrentSerial());
x509CertRecord.setPrevIP(x509CertRecord.getCurrentIP());
x509CertRecord.setPrevTime(x509CertRecord.getCurrentTime());
x509CertRecord.setClientCert(ZTSConsts.ZTS_CERT_USAGE_CLIENT.equalsIgnoreCase(certUsage));
if (!instanceCertManager.insertX509CertRecord(x509CertRecord)) {
throw serverError("unable to update cert db", caller, domain);
}
}
if (info.getToken() == Boolean.TRUE) {
PrincipalToken svcToken = new PrincipalToken.Builder("S1", domain, service).expirationWindow(svcTokenTimeout).keyId(privateKeyId).host(serverHostName).ip(ServletRequestUtil.getRemoteAddress(ctx.request())).keyService(ZTSConsts.ZTS_SERVICE).build();
svcToken.sign(privateKey);
identity.setServiceToken(svcToken.getSignedToken());
}
// create our audit log entry
AuditLogMsgBuilder msgBldr = getAuditLogMsgBuilder(ctx, domain, caller, HTTP_POST);
msgBldr.whatEntity(certReqInstanceId);
StringBuilder auditLogDetails = new StringBuilder(512);
auditLogDetails.append("Provider: ").append(provider).append(" Domain: ").append(domain).append(" Service: ").append(service).append(" InstanceId: ").append(certReqInstanceId).append(" Serial: ").append(certSerial);
msgBldr.whatDetails(auditLogDetails.toString());
auditLogger.log(msgBldr);
final String location = "/zts/v1/instance/" + provider + "/" + domain + "/" + service + "/" + certReqInstanceId;
metric.stopTiming(timerMetric);
instanceResult.done(ResourceException.CREATED, identity, location);
}
Also used :
InstanceConfirmation(com.yahoo.athenz.instance.provider.InstanceConfirmation)
AuditLogMsgBuilder(com.yahoo.athenz.common.server.log.AuditLogMsgBuilder)
AuditLogMsgBuilder(com.yahoo.athenz.common.server.log.AuditLogMsgBuilder)
PrincipalToken(com.yahoo.athenz.auth.token.PrincipalToken)
UnsupportedEncodingException(java.io.UnsupportedEncodingException)
CryptoException(com.yahoo.athenz.auth.util.CryptoException)
X509Certificate(java.security.cert.X509Certificate)
X509CertRecord(com.yahoo.athenz.zts.cert.X509CertRecord)
Date(java.util.Date)
X509CertRequest(com.yahoo.athenz.zts.cert.X509CertRequest)
CryptoException(com.yahoo.athenz.auth.util.CryptoException)
SimplePrincipal(com.yahoo.athenz.auth.impl.SimplePrincipal)
Principal(com.yahoo.athenz.auth.Principal)
InstanceProvider(com.yahoo.athenz.instance.provider.InstanceProvider)
Example 80 with Principal
use of com.yahoo.athenz.auth.Principal in project athenz by yahoo.
the class ZTSImplTest method testGetAWSTemporaryCredentialsForbidden.
@Test
public void testGetAWSTemporaryCredentialsForbidden() {
Principal principal = SimplePrincipal.create("user_domain", "user102", "v=U1;d=user_domain;n=user102;s=signature", 0, null);
CloudStore cloudStore = Mockito.mock(CloudStore.class);
Mockito.when(cloudStore.isAwsEnabled()).thenReturn(true);
store.setCloudStore(cloudStore);
zts.cloudStore = cloudStore;
SignedDomain signedDomain = createAwsSignedDomain("athenz.product", "1234");
store.processDomain(signedDomain, false);
try {
zts.getAWSTemporaryCredentials(createResourceContext(principal), "athenz.product", "aws_role_name");
fail();
} catch (ResourceException ex) {
assertEquals(ex.getCode(), 403);
}
}
Also used :
MockCloudStore(com.yahoo.athenz.zts.store.MockCloudStore)
CloudStore(com.yahoo.athenz.zts.store.CloudStore)
SignedDomain(com.yahoo.athenz.zms.SignedDomain)
SimplePrincipal(com.yahoo.athenz.auth.impl.SimplePrincipal)
Principal(com.yahoo.athenz.auth.Principal)
Test(org.testng.annotations.Test)
Aggregations
Principal (com.yahoo.athenz.auth.Principal)259
SimplePrincipal (com.yahoo.athenz.auth.impl.SimplePrincipal)219
Test (org.testng.annotations.Test)168
Authority (com.yahoo.athenz.auth.Authority)66
PrincipalAuthority (com.yahoo.athenz.auth.impl.PrincipalAuthority)52
ArrayList (java.util.ArrayList)35
SignedDomain (com.yahoo.athenz.zms.SignedDomain)33
BeforeTest (org.testng.annotations.BeforeTest)17
AthenzDomain (com.yahoo.athenz.zms.store.AthenzDomain)14
SimpleServiceIdentityProvider (com.yahoo.athenz.auth.impl.SimpleServiceIdentityProvider)13
PrincipalToken (com.yahoo.athenz.auth.token.PrincipalToken)13
AuditLogMsgBuilder (com.yahoo.athenz.common.server.log.AuditLogMsgBuilder)13
IOException (java.io.IOException)13
HttpServletRequest (javax.servlet.http.HttpServletRequest)12
KeyStore (com.yahoo.athenz.auth.KeyStore)11
UnsupportedEncodingException (java.io.UnsupportedEncodingException)10
WebApplicationException (javax.ws.rs.WebApplicationException)10
X509Certificate (java.security.cert.X509Certificate)9
ServiceIdentityProvider (com.yahoo.athenz.auth.ServiceIdentityProvider)8
CertificateAuthority (com.yahoo.athenz.auth.impl.CertificateAuthority)8
