
Example 6 with ServerPrivateKey

use of com.yahoo.athenz.auth.ServerPrivateKey in project athenz by yahoo.

the class ZMSImplTest method testGetJWSDomainError.

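/**
 * Error paths of the JWS domain endpoint: an unknown domain is reported as
 * NOT_FOUND, and signing without a configured server key yields null rather
 * than propagating an exception.
 */
@Test
public void testGetJWSDomainError() {
    try {
        zmsTestInitializer.getZms().getJWSDomain(zmsTestInitializer.getMockDomRsrcCtx(), "unknown", Boolean.TRUE, null);
        fail();
    } catch (ResourceException ex) {
        assertEquals(ResourceException.NOT_FOUND, ex.getCode());
    }
    // null data causing exception which is caught
    // and we return null back as result
    ServerPrivateKey pkey = zmsTestInitializer.getZms().privateKey;
    zmsTestInitializer.getZms().privateKey = null;
    try {
        assertNull(zmsTestInitializer.getZms().signJwsDomain(null, null));
    } finally {
        // restore in finally: a failed assertion must not leave the shared
        // ZMS instance without a signing key for the tests that run after this one
        zmsTestInitializer.getZms().privateKey = pkey;
    }
}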

Example 7 with ServerPrivateKey

use of com.yahoo.athenz.auth.ServerPrivateKey in project athenz by yahoo.

the class FilePrivateKeyStoreTest method testRetrieveRSAPrivateKeyValid.

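/**
 * The file-backed key store loads the RSA test fixture named by the
 * {@code ATHENZ_PROP_PRIVATE_RSA_KEY} system property and returns a non-null key.
 */
@Test
public void testRetrieveRSAPrivateKeyValid() {
    FilePrivateKeyStoreFactory factory = new FilePrivateKeyStoreFactory();
    PrivateKeyStore store = factory.create();
    // remember any value the property already had so it can be put back afterwards
    String saveProp = System.getProperty(FilePrivateKeyStore.ATHENZ_PROP_PRIVATE_RSA_KEY);
    System.setProperty(FilePrivateKeyStore.ATHENZ_PROP_PRIVATE_RSA_KEY, "src/test/resources/unit_test_zts_private_k0.key");
    try {
        ServerPrivateKey privKey = store.getPrivateKey("zms", "localhost", "us-east-1", "rsa");
        assertNotNull(privKey);
    } finally {
        // restore in finally: system properties are JVM-wide, so a failed
        // assertion must not leak the fixture path into later tests
        if (saveProp == null) {
            System.clearProperty(FilePrivateKeyStore.ATHENZ_PROP_PRIVATE_RSA_KEY);
        } else {
            System.setProperty(FilePrivateKeyStore.ATHENZ_PROP_PRIVATE_RSA_KEY, saveProp);
        }
    }
}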

Example 8 with ServerPrivateKey

use of com.yahoo.athenz.auth.ServerPrivateKey in project athenz by yahoo.

the class FilePrivateKeyStoreTest method testRetrieveECPrivateKeyValid.

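/**
 * The file-backed key store loads the EC test fixture named by the
 * {@code ATHENZ_PROP_PRIVATE_EC_KEY} system property and returns a non-null key.
 */
@Test
public void testRetrieveECPrivateKeyValid() {
    FilePrivateKeyStoreFactory factory = new FilePrivateKeyStoreFactory();
    PrivateKeyStore store = factory.create();
    // remember any value the property already had so it can be put back afterwards
    String saveProp = System.getProperty(FilePrivateKeyStore.ATHENZ_PROP_PRIVATE_EC_KEY);
    System.setProperty(FilePrivateKeyStore.ATHENZ_PROP_PRIVATE_EC_KEY, "src/test/resources/unit_test_ec_private.key");
    try {
        ServerPrivateKey privKey = store.getPrivateKey("zms", "localhost", "us-east-1", "ec");
        assertNotNull(privKey);
    } finally {
        // restore in finally: system properties are JVM-wide, so a failed
        // assertion must not leak the fixture path into later tests
        if (saveProp == null) {
            System.clearProperty(FilePrivateKeyStore.ATHENZ_PROP_PRIVATE_EC_KEY);
        } else {
            System.setProperty(FilePrivateKeyStore.ATHENZ_PROP_PRIVATE_EC_KEY, saveProp);
        }
    }
}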

Example 9 with ServerPrivateKey

use of com.yahoo.athenz.auth.ServerPrivateKey in project athenz by yahoo.

the class ZMSImplTest method testGetSignedDomainsNotModified.

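/**
 * A getSignedDomains request carrying an ETag taken after the domain's last
 * modification is answered with 304 Not Modified.
 */
@Test
public void testGetSignedDomainsNotModified() {
    TopLevelDomain dom1 = zmsTestInitializer.createTopLevelDomainObject("SignedDom1", "Test Domain1", "testOrg", zmsTestInitializer.getAdminUser());
    zmsTestInitializer.getZms().postTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), zmsTestInitializer.getAuditRef(), dom1);
    // remember the server's signing key so it can be restored whether or not the assertions pass
    ServerPrivateKey savedKey = zmsTestInitializer.getZms().privateKey;
    try {
        // set the meta attributes for domain
        DomainMeta meta = zmsTestInitializer.createDomainMetaObject("Tenant Domain1", null, true, false, "12345", 0);
        zmsTestInitializer.getZms().putDomainMeta(zmsTestInitializer.getMockDomRsrcCtx(), "signeddom1", zmsTestInitializer.getAuditRef(), meta);
        // sign with test key id "0"; the request is made as the sys.zts principal
        zmsTestInitializer.getZms().privateKey = new ServerPrivateKey(Crypto.loadPrivateKey(Crypto.ybase64DecodeString(zmsTestInitializer.getPrivKey())), "0");
        Authority principalAuthority = new com.yahoo.athenz.common.server.debug.DebugPrincipalAuthority();
        Principal sysPrincipal = principalAuthority.authenticate("v=U1;d=sys;n=zts;s=signature", "10.11.12.13", "GET", null);
        ResourceContext rsrcCtx = zmsTestInitializer.createResourceContext(sysPrincipal);
        // the tag is generated after the last write above, so nothing is newer than it
        EntityTag eTag = new EntityTag(Timestamp.fromCurrentTime().toString());
        Response response = zmsTestInitializer.getZms().getSignedDomains(rsrcCtx, "signeddom1", null, null, Boolean.TRUE, false, eTag.toString());
        assertEquals(response.getStatus(), 304);
    } finally {
        // clean up in finally so a failed assertion does not leave the domain
        // or the swapped signing key behind for later tests
        zmsTestInitializer.getZms().privateKey = savedKey;
        zmsTestInitializer.getZms().deleteTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), "SignedDom1", zmsTestInitializer.getAuditRef());
    }
}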

Example 10 with ServerPrivateKey

use of com.yahoo.athenz.auth.ServerPrivateKey in project athenz by yahoo.

the class ZMSImplTest method testGetSignedDomains.

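/**
 * End-to-end check of getSignedDomains: every returned domain carries a
 * signature that verifies against the ZMS public key named by its keyId
 * (across three key rotations), the metaonly flag strips signatures and
 * bulk data, ETag handling returns only domains modified since the tag
 * (or 304 when nothing changed), and assertion conditions are included
 * when requested.
 */
@Test
public void testGetSignedDomains() {
    zmsTestInitializer.loadServerPublicKeys(zmsTestInitializer.getZms());
    // create multiple top level domains
    TopLevelDomain dom1 = zmsTestInitializer.createTopLevelDomainObject("SignedDom1", "Test Domain1", "testOrg", zmsTestInitializer.getAdminUser());
    zmsTestInitializer.getZms().postTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), zmsTestInitializer.getAuditRef(), dom1);
    // remember the server's signing key so a failed assertion cannot leave the
    // shared ZMS instance signing with one of the rotated test keys
    ServerPrivateKey savedKey = zmsTestInitializer.getZms().privateKey;
    boolean dom2Created = false;
    try {
        Group group1 = zmsTestInitializer.createGroupObject("signeddom1", "group1", "user.user1", "user.user2");
        zmsTestInitializer.getZms().putGroup(zmsTestInitializer.getMockDomRsrcCtx(), "signeddom1", "group1", zmsTestInitializer.getAuditRef(), group1);
        // set the meta attributes for domain
        DomainMeta meta = zmsTestInitializer.createDomainMetaObject("Tenant Domain1", null, true, false, "12345", 0);
        zmsTestInitializer.getZms().putDomainMeta(zmsTestInitializer.getMockDomRsrcCtx(), "signeddom1", zmsTestInitializer.getAuditRef(), meta);
        meta = zmsTestInitializer.createDomainMetaObject("Tenant Domain1", null, true, false, "12345", 0);
        zmsTestInitializer.getZms().putDomainSystemMeta(zmsTestInitializer.getMockDomRsrcCtx(), "signeddom1", "account", zmsTestInitializer.getAuditRef(), meta);
        TopLevelDomain dom2 = zmsTestInitializer.createTopLevelDomainObject("SignedDom2", "Test Domain2", "testOrg", zmsTestInitializer.getAdminUser());
        zmsTestInitializer.getZms().postTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), zmsTestInitializer.getAuditRef(), dom2);
        dom2Created = true;
        meta = zmsTestInitializer.createDomainMetaObject("Tenant Domain2", null, false, false, "12346", null);
        zmsTestInitializer.getZms().putDomainMeta(zmsTestInitializer.getMockDomRsrcCtx(), "signeddom2", zmsTestInitializer.getAuditRef(), meta);
        meta = zmsTestInitializer.createDomainMetaObject("Tenant Domain2", null, false, false, "12346", null);
        zmsTestInitializer.getZms().putDomainSystemMeta(zmsTestInitializer.getMockDomRsrcCtx(), "signeddom2", "account", zmsTestInitializer.getAuditRef(), meta);
        Role role = zmsTestInitializer.createRoleObject("signeddom1", "role1", null, "user.john", "user.jane");
        Policy pol = zmsTestInitializer.createPolicyObject("signeddom1", "pol1", "role1", "action1", "signeddom1:resource1", AssertionEffect.ALLOW);
        zmsTestInitializer.getZms().putRole(zmsTestInitializer.getMockDomRsrcCtx(), "signeddom1", "role1", zmsTestInitializer.getAuditRef(), role);
        zmsTestInitializer.getZms().putPolicy(zmsTestInitializer.getMockDomRsrcCtx(), "signeddom1", "pol1", zmsTestInitializer.getAuditRef(), pol);
        DomainList domList = zmsTestInitializer.getZms().getDomainList(zmsTestInitializer.getMockDomRsrcCtx(), null, null, null, null, null, null, null, null, null, null, null, null, null);
        int numDoms = domList.getNames().size();

        // sign with key id "0" and fetch as the sys.zts principal
        zmsTestInitializer.getZms().privateKey = new ServerPrivateKey(Crypto.loadPrivateKey(Crypto.ybase64DecodeString(zmsTestInitializer.getPrivKey())), "0");
        Authority principalAuthority = new com.yahoo.athenz.common.server.debug.DebugPrincipalAuthority();
        Principal sysPrincipal = principalAuthority.authenticate("v=U1;d=sys;n=zts;s=signature", "10.11.12.13", "GET", null);
        ResourceContext rsrcCtx = zmsTestInitializer.createResourceContext(sysPrincipal);
        Response response = zmsTestInitializer.getZms().getSignedDomains(rsrcCtx, null, null, null, null, false, null);
        List<SignedDomain> list = signedDomainsEntityList(response, numDoms);
        boolean dom1Found = false;
        boolean dom2Found = false;
        for (SignedDomain sDomain : list) {
            DomainData domainData = sDomain.getDomain();
            if (domainData.getName().equals("signeddom1")) {
                assertEquals(domainData.getAccount(), "12345");
                dom1Found = true;
            } else if (domainData.getName().equals("signeddom2")) {
                assertEquals(domainData.getAccount(), "12346");
                dom2Found = true;
            }
            assertSignedDomainSignatureValid(sDomain);
        }
        assertTrue(dom1Found);
        assertTrue(dom2Found);

        // rotate to key id "1": each domain signature must verify against the
        // key named by its own keyId, and so must the embedded policy signature
        zmsTestInitializer.getZms().privateKey = new ServerPrivateKey(Crypto.loadPrivateKey(Crypto.ybase64DecodeString(zmsTestInitializer.getPrivKeyK1())), "1");
        response = zmsTestInitializer.getZms().getSignedDomains(rsrcCtx, null, null, "all", null, false, null);
        list = signedDomainsEntityList(response, numDoms);
        for (SignedDomain sDomain : list) {
            assertSignedDomainSignatureValid(sDomain);
            // we now need to verify the policy struct signature as well
            assertSignedPoliciesSignatureValid(sDomain);
        }

        // rotate to key id "2"
        zmsTestInitializer.getZms().privateKey = new ServerPrivateKey(Crypto.loadPrivateKey(Crypto.ybase64DecodeString(zmsTestInitializer.getPrivKeyK2())), "2");
        response = zmsTestInitializer.getZms().getSignedDomains(rsrcCtx, null, null, null, Boolean.TRUE, false, null);
        list = signedDomainsEntityList(response, numDoms);
        for (SignedDomain sDomain : list) {
            assertSignedDomainSignatureValid(sDomain);
        }

        // test metaonly=true: no signature, no key id, and no bulk data in the response
        response = zmsTestInitializer.getZms().getSignedDomains(rsrcCtx, null, "tRuE", null, Boolean.FALSE, false, null);
        list = signedDomainsEntityList(response, numDoms);
        for (SignedDomain sDomain : list) {
            String signature = sDomain.getSignature();
            assertTrue(signature == null || signature.isEmpty());
            String keyId = sDomain.getKeyId();
            assertTrue(keyId == null || keyId.isEmpty());
            DomainData ddata = sDomain.getDomain();
            assertNotNull(ddata);
            assertFalse(ddata.getName().isEmpty());
            assertNotNull(ddata.getModified());
            assertNull(ddata.getPolicies());
            assertNull(ddata.getRoles());
            assertNull(ddata.getServices());
        }

        // test metaonly=garbage: an unrecognized value behaves like metaonly=false
        response = zmsTestInitializer.getZms().getSignedDomains(rsrcCtx, null, "garbage", null, null, false, null);
        list = signedDomainsEntityList(response, numDoms);
        for (SignedDomain sDomain : list) {
            assertSignedDomainSignatureValid(sDomain);
            assertSignedDomainHasFullData(sDomain.getDomain());
        }

        // test metaonly=false
        response = zmsTestInitializer.getZms().getSignedDomains(rsrcCtx, null, "fAlSe", null, null, false, null);
        list = signedDomainsEntityList(response, numDoms);
        for (SignedDomain sDomain : list) {
            assertSignedDomainSignatureValid(sDomain);
            assertSignedDomainHasFullData(sDomain.getDomain());
        }

        // test bad tag format: a malformed ETag is ignored and a fresh one is returned
        String eTag = "I am not good";
        response = zmsTestInitializer.getZms().getSignedDomains(rsrcCtx, null, null, null, Boolean.TRUE, false, eTag);
        String eTag2 = response.getHeaderString("ETag");
        assertNotNull(eTag2);
        assertNotEquals(eTag, eTag2);
        signedDomainsEntityList(response, numDoms);

        // modify one domain after the tag was issued; only that domain comes back
        // (the sleep keeps the modification timestamp strictly after the tag)
        ZMSUtils.threadSleep(1000);
        Policy policy1 = zmsTestInitializer.createPolicyObject("SignedDom1", "Policy1");
        zmsTestInitializer.getZms().putPolicy(zmsTestInitializer.getMockDomRsrcCtx(), "SignedDom1", "Policy1", zmsTestInitializer.getAuditRef(), policy1);
        response = zmsTestInitializer.getZms().getSignedDomains(rsrcCtx, null, null, null, true, false, eTag2);
        eTag = response.getHeaderString("ETag");
        assertNotNull(eTag);
        assertNotEquals(eTag, eTag2);
        signedDomainsEntityList(response, 1);

        // nothing changed since the latest tag: 304 with the same tag echoed back
        response = zmsTestInitializer.getZms().getSignedDomains(rsrcCtx, null, null, null, Boolean.TRUE, false, eTag);
        assertEquals(response.getStatus(), 304);
        eTag2 = response.getHeaderString("ETag");
        assertNotNull(eTag2);
        assertEquals(eTag, eTag2);

        // test with conditions
        Policy policyResp = zmsTestInitializer.getZms().getPolicy(zmsTestInitializer.getMockDomRsrcCtx(), "signeddom1", "pol1");
        AssertionConditions acs = new AssertionConditions().setConditionsList(new ArrayList<>());
        acs.getConditionsList().add(createAssertionConditionObject(1, "instances", "host1,host2,host3"));
        zmsTestInitializer.getZms().putAssertionConditions(zmsTestInitializer.getMockDomRsrcCtx(), "signeddom1", "pol1", policyResp.getAssertions().get(0).getId(), zmsTestInitializer.getAuditRef(), acs);
        response = zmsTestInitializer.getZms().getSignedDomains(rsrcCtx, null, "false", null, true, true, null);
        list = signedDomainsEntityList(response, numDoms);
        AssertionCondition conditionResp = createAssertionConditionObject(1, "instances", "host1,host2,host3");
        boolean conditionsChecked = false;
        for (SignedDomain sDomain : list) {
            if (!"signeddom1".equals(sDomain.getDomain().getName())) {
                continue;
            }
            DomainPolicies dompols = sDomain.getDomain().getPolicies().getContents();
            assertNotNull(dompols);
            for (Policy polResp : dompols.getPolicies()) {
                if ("signeddom1:policy.pol1".equals(polResp.getName())) {
                    AssertionConditions conditionsResp = polResp.getAssertions().get(0).getConditions();
                    assertNotNull(conditionsResp);
                    assertThat(conditionsResp.getConditionsList(), CoreMatchers.hasItems(conditionResp));
                    conditionsChecked = true;
                }
            }
        }
        // guard against the loop above silently matching nothing
        assertTrue(conditionsChecked);
    } finally {
        // clean up in finally so a failed assertion does not leave the domains
        // or the rotated signing key behind for later tests
        zmsTestInitializer.getZms().privateKey = savedKey;
        zmsTestInitializer.getZms().deleteTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), "SignedDom1", zmsTestInitializer.getAuditRef());
        if (dom2Created) {
            zmsTestInitializer.getZms().deleteTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), "SignedDom2", zmsTestInitializer.getAuditRef());
        }
    }
}

/**
 * Extracts the SignedDomains entity from a getSignedDomains response and
 * asserts it holds exactly {@code expectedCount} domains.
 *
 * @param response      the response to unpack
 * @param expectedCount the number of domains the caller expects
 * @return the (non-null) domain list
 */
private List<SignedDomain> signedDomainsEntityList(Response response, int expectedCount) {
    SignedDomains sdoms = (SignedDomains) response.getEntity();
    assertNotNull(sdoms);
    List<SignedDomain> list = sdoms.getDomains();
    assertNotNull(list);
    assertEquals(list.size(), expectedCount);
    return list;
}

/**
 * Asserts that the domain-level signature of one signed domain verifies
 * against the sys.auth.zms public key named by the entry's keyId.
 *
 * @param sDomain the signed domain to verify
 */
private void assertSignedDomainSignatureValid(SignedDomain sDomain) {
    String publicKey = zmsTestInitializer.getZms().getPublicKey("sys.auth", "zms", sDomain.getKeyId());
    assertTrue(Crypto.verify(SignUtils.asCanonicalString(sDomain.getDomain()), Crypto.loadPublicKey(publicKey), sDomain.getSignature()));
}

/**
 * Asserts that the policy-struct signature embedded in a signed domain
 * verifies against the same sys.auth.zms public key as the domain itself.
 *
 * @param sDomain the signed domain whose policies are checked
 */
private void assertSignedPoliciesSignatureValid(SignedDomain sDomain) {
    String publicKey = zmsTestInitializer.getZms().getPublicKey("sys.auth", "zms", sDomain.getKeyId());
    SignedPolicies signedPolicies = sDomain.getDomain().getPolicies();
    assertTrue(Crypto.verify(SignUtils.asCanonicalString(signedPolicies.getContents()), Crypto.loadPublicKey(publicKey), signedPolicies.getSignature()));
}

/**
 * Asserts that a non-metaonly response includes the domain's policies,
 * at least one role, and its services.
 *
 * @param ddata the domain data to inspect
 */
private void assertSignedDomainHasFullData(DomainData ddata) {
    assertNotNull(ddata.getPolicies());
    assertTrue(ddata.getRoles() != null && ddata.getRoles().size() > 0);
    assertNotNull(ddata.getServices());
}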
