Use of com.yahoo.athenz.auth.Principal in project athenz by yahoo.
The class ZTSClientTest, method testGetZTSUrlWithoutTrailingSlash.
@Test
public void testGetZTSUrlWithoutTrailingSlash() {
    // A base URL given with a trailing slash must still resolve to the
    // "/zts/v1" endpoint without a doubled separator.
    final String baseUrlWithSlash = "http://localhost:4080/";
    final Principal user = SimplePrincipal.create("user_domain", "user",
            "v=S1;d=user_domain;n=user;s=sig", PRINCIPAL_AUTHORITY);
    final ZTSClient ztsClient = new ZTSClient(baseUrlWithSlash, user);
    assertEquals(ztsClient.getZTSUrl(), "http://localhost:4080/zts/v1");
    ztsClient.close();
}
Use of com.yahoo.athenz.auth.Principal in project athenz by yahoo.
The class HttpExampleClient, method main.
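/**
 * Entry point for the sample client: builds an Athenz service principal
 * from the service's private key and sends one authenticated request to
 * the given URL, printing the outcome to standard output.
 *
 * Command line options (parsed by {@code parseCommandLine}): domain,
 * service, pkey (private key file), keyid and url.
 *
 * @param args command line arguments
 * @throws MalformedURLException if the url option is not a valid URL
 * @throws IOException if the key cannot be loaded or the request fails
 */
public static void main(String[] args) throws MalformedURLException, IOException {
    // parse our command line to retrieve required input
    CommandLine cmd = parseCommandLine(args);
    String domainName = cmd.getOptionValue("domain");
    String serviceName = cmd.getOptionValue("service");
    String privateKeyPath = cmd.getOptionValue("pkey");
    String keyId = cmd.getOptionValue("keyid");
    String url = cmd.getOptionValue("url");

    // we need to generate our principal credentials (ntoken). In addition
    // to the domain and service names, we need the service's private key
    // and the key identifier - the service with the corresponding public
    // key must already be registered in ZMS
    PrivateKey privateKey = Crypto.loadPrivateKey(new File(privateKeyPath));
    ServiceIdentityProvider identityProvider = new SimpleServiceIdentityProvider(domainName, serviceName, privateKey, keyId);
    Principal principal = identityProvider.getIdentity(domainName, serviceName);

    URL obj = new URL(url);
    HttpURLConnection con = (HttpURLConnection) obj.openConnection();
    try {
        // set our Athenz credentials. The authority in the principal provides
        // the header name that we must use for credentials while the principal
        // itself provides the credentials (ntoken). The ntoken travels in a
        // request header, so the url should be https to avoid sending it in
        // the clear.
        con.setRequestProperty(principal.getAuthority().getHeader(), principal.getCredentials());

        // now process our request
        int responseCode = con.getResponseCode();
        switch (responseCode) {
            case HttpURLConnection.HTTP_FORBIDDEN:
                System.out.println("Request was forbidden - not authorized: " + con.getResponseMessage());
                break;
            case HttpURLConnection.HTTP_OK:
                System.out.println("Successful response: ");
                // decode the body as UTF-8 explicitly instead of relying on the
                // platform default charset
                try (BufferedReader in = new BufferedReader(new InputStreamReader(con.getInputStream(), java.nio.charset.StandardCharsets.UTF_8))) {
                    String inputLine;
                    while ((inputLine = in.readLine()) != null) {
                        System.out.println(inputLine);
                    }
                }
                break;
            default:
                System.out.println("Request failed - response status code: " + responseCode);
        }
    } finally {
        // release the underlying connection even if the request throws
        con.disconnect();
    }
}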
Use of com.yahoo.athenz.auth.Principal in project athenz by yahoo.
The class ZTSClientTest, method testPostInstanceRegisterInformationRequest.
@Test
public void testPostInstanceRegisterInformationRequest() {
    // Register an instance through the mocked RDL client and check that the
    // returned identity carries an x509 certificate and the expected name.
    Principal user = SimplePrincipal.create("user_domain", "user", "auth_creds", PRINCIPAL_AUTHORITY);
    ZTSClient ztsClient = new ZTSClient("http://localhost:4080", user);
    ztsClient.setZTSRDLGeneratedClient(new ZTSRDLClientMock());

    InstanceRegisterInformation registerInfo = new InstanceRegisterInformation();
    registerInfo.setAttestationData("good-instance-document");
    registerInfo.setCsr("x509-csr");
    registerInfo.setDomain("athenz");
    registerInfo.setProvider("openstack.provider");
    registerInfo.setService("storage");
    registerInfo.setToken(false);

    Map<String, List<String>> headers = new HashMap<>();
    InstanceIdentity registered = ztsClient.postInstanceRegisterInformation(registerInfo, headers);
    assertNotNull(registered);
    assertNotNull(registered.getX509Certificate(), "x509");
    assertEquals(registered.getName(), "athenz.storage");
    ztsClient.close();
}
Use of com.yahoo.athenz.auth.Principal in project athenz by yahoo.
The class ZTSClientTest, method testGetRoleTokenCacheKeyNullRole.
@Test
public void testGetRoleTokenCacheKeyNullRole() {
    // With a null role (and a null third argument) the cache key carries
    // only the principal and the domain.
    Principal user = SimplePrincipal.create("user_domain", "user", "auth_creds", PRINCIPAL_AUTHORITY);
    ZTSClient ztsClient = new ZTSClient("http://localhost:4080/", user);
    String cacheKey = ztsClient.getRoleTokenCacheKey("coretech", null, null);
    assertEquals(cacheKey, "p=user_domain.user;d=coretech");
    ztsClient.close();
}
Use of com.yahoo.athenz.auth.Principal in project athenz by yahoo.
The class ZTSClientTest, method testLookupAwsCredInCacheSecondClient.
/** Builds temporary AWS credentials expiring 3,500,000 ms (just under an hour) from now. */
private static AWSTemporaryCredentials buildAwsCredForCacheTest(String accessKeyId, String secretKey, String sessToken) {
    return new AWSTemporaryCredentials()
            .setExpiration(Timestamp.fromMillis(System.currentTimeMillis() + 3500000L))
            .setAccessKeyId(accessKeyId)
            .setSecretAccessKey(secretKey)
            .setSessionToken(sessToken);
}

@SuppressWarnings("static-access")
@Test
public void testLookupAwsCredInCacheSecondClient() {
    // First client is created from an explicit principal object
    Principal user = SimplePrincipal.create("user_domain", "user", "auth_creds", PRINCIPAL_AUTHORITY);
    ZTSClient principalClient = new ZTSClient("http://localhost:4080/", user);

    final String accessKey = "accesskey";
    final String secretKey = "secretkey";
    final String sessToken = "sesstoken";
    AWSTemporaryCredentials sharedCred = buildAwsCredForCacheTest(accessKey, secretKey, sessToken);

    String principalKey = principalClient.getRoleTokenCacheKey("coretech", "Role1", null);
    principalClient.AWS_CREDS_CACHE.put(principalKey, sharedCred);
    assertEquals(principalKey, "p=user_domain.user;d=coretech;r=Role1");

    AWSTemporaryCredentials found = principalClient.lookupAwsCredInCache(principalKey, 3000, 4000);
    assertTrue(found.getAccessKeyId().contains(accessKey));
    assertEquals(found.getSecretAccessKey(), secretKey);
    assertEquals(found.getSessionToken(), sessToken);
    principalClient.close();

    // The remaining clients are created from domain/service names and the mock SIA provider
    ZTSClient tenantClient = new ZTSClient(null, "mytenantdomain", "myservice", siaMockProvider);
    String tenantRoleKey = tenantClient.getRoleTokenCacheKey("mydomain", "Role1", null);
    tenantClient.AWS_CREDS_CACHE.put(tenantRoleKey, sharedCred);
    assertNotNull(tenantClient.lookupAwsCredInCache(tenantRoleKey, 3000, 4000));

    // cache a second credential under the admin role
    String tenantAdminKey = tenantClient.getRoleTokenCacheKey("mydomain", "admin", null);
    tenantClient.AWS_CREDS_CACHE.put(tenantAdminKey, buildAwsCredForCacheTest("notrustdomaccesskey", secretKey, sessToken));
    assertEquals(tenantAdminKey, "p=mytenantdomain.myservice;d=mydomain;r=admin");
    assertNotNull(tenantClient.lookupAwsCredInCache(tenantAdminKey, 3000, 4000));

    // A second client for the same domain and service sees the same cache entries
    ZTSClient sameTenantClient = new ZTSClient(null, "mytenantdomain", "myservice", siaMockProvider);
    assertNotNull(sameTenantClient.lookupAwsCredInCache(principalKey, 3000, 4000));
    assertEquals(sameTenantClient.lookupAwsCredInCache(tenantAdminKey, 3000, 4000).getAccessKeyId(), "notrustdomaccesskey");

    // A client for a different domain and service still sees entries cached earlier
    ZTSClient otherTenantClient = new ZTSClient(null, "mytenantdomain2", "myservice2", siaMockProvider);
    assertNotNull(otherTenantClient.lookupAwsCredInCache(principalKey, 3000, 4000));

    // cache a credential keyed by the new tenant domain/service and a new target domain
    String otherDomainKey = otherTenantClient.getRoleTokenCacheKey("mydomain2", "admin", null);
    tenantClient.AWS_CREDS_CACHE.put(otherDomainKey, buildAwsCredForCacheTest("newdomaccesskey", secretKey, sessToken));
    assertEquals(otherDomainKey, "p=mytenantdomain2.myservice2;d=mydomain2;r=admin");
    assertEquals(otherTenantClient.lookupAwsCredInCache(otherDomainKey, 3000, 4000).getAccessKeyId(), "newdomaccesskey");

    // and one whose key has no role component
    String otherNoRoleKey = otherTenantClient.getRoleTokenCacheKey("mydomain2", null, null);
    tenantClient.AWS_CREDS_CACHE.put(otherNoRoleKey, buildAwsCredForCacheTest("noroleaccesskey", secretKey, sessToken));
    assertEquals(otherNoRoleKey, "p=mytenantdomain2.myservice2;d=mydomain2");
    assertEquals(otherTenantClient.lookupAwsCredInCache(otherNoRoleKey, 3000, 4000).getAccessKeyId(), "noroleaccesskey");

    // Yet another tenant domain and service; earlier entries remain visible
    ZTSClient thirdTenantClient = new ZTSClient(null, "mytenantdomain3", "newservice", siaMockProvider);
    assertNotNull(thirdTenantClient.lookupAwsCredInCache(principalKey, 3000, 4000));

    // a key without role is built from this client's own domain and service
    String thirdNoRoleKey = thirdTenantClient.getRoleTokenCacheKey("mydomain3", null, null);
    assertEquals(thirdNoRoleKey, "p=mytenantdomain3.newservice;d=mydomain3");

    tenantClient.ROLE_TOKEN_CACHE.clear();
    tenantClient.close();
    sameTenantClient.close();
    otherTenantClient.close();
    thirdTenantClient.close();
}