
Example 11 with ServerPrivateKey

use of com.yahoo.athenz.auth.ServerPrivateKey in project athenz by yahoo.

Class AwsPrivateKeyStore, method getPrivateKey.

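/**
 * Loads the server's private signing key for the given service from the
 * configured bucket, going through {@code getDecryptedData} for both the key
 * material and its key id.
 *
 * <p>Bucket and object names come from system properties; the key and key-id
 * object names receive a {@code "." + algorithm} suffix, lower-cased with
 * {@code Locale.ROOT} so the object name does not depend on the JVM's default
 * locale.
 *
 * @param service        service whose key is requested; only {@code ZMS_SERVICE}
 *                       and {@code ZTS_SERVICE} are recognised
 * @param serverHostName not used by this store
 * @param serverRegion   not used by this store
 * @param algorithm      key algorithm name used to build the object suffix
 * @return the key together with its key id, or {@code null} when the algorithm
 *         or service is unknown, no bucket is configured, or the key material
 *         or key id cannot be fetched or parsed; failures are logged, not thrown
 */
@Override
public ServerPrivateKey getPrivateKey(String service, String serverHostName, String serverRegion, String algorithm) {
    // the suffix is built from the algorithm, so a missing algorithm is a
    // configuration error rather than something to NPE on
    if (algorithm == null) {
        LOG.error("No key algorithm specified");
        return null;
    }
    final String objectSuffix = "." + algorithm.toLowerCase(java.util.Locale.ROOT);
    final String bucketName;
    final String keyName;
    final String keyIdName;
    if (ZMS_SERVICE.equals(service)) {
        bucketName = System.getProperty(ATHENZ_PROP_ZMS_BUCKET_NAME);
        keyName = System.getProperty(ATHENZ_PROP_ZMS_KEY_NAME, ATHENZ_DEFAULT_KEY_NAME) + objectSuffix;
        keyIdName = System.getProperty(ATHENZ_PROP_ZMS_KEY_ID_NAME, ATHENZ_DEFAULT_KEY_ID_NAME) + objectSuffix;
    } else if (ZTS_SERVICE.equals(service)) {
        bucketName = System.getProperty(ATHENZ_PROP_ZTS_BUCKET_NAME);
        keyName = System.getProperty(ATHENZ_PROP_ZTS_KEY_NAME, ATHENZ_DEFAULT_KEY_NAME) + objectSuffix;
        keyIdName = System.getProperty(ATHENZ_PROP_ZTS_KEY_ID_NAME, ATHENZ_DEFAULT_KEY_ID_NAME) + objectSuffix;
    } else {
        LOG.error("Unknown service specified: {}", service);
        return null;
    }
    if (bucketName == null) {
        LOG.error("No bucket name specified with system property");
        return null;
    }
    ServerPrivateKey serverKey = null;
    try {
        PrivateKey pkey = Crypto.loadPrivateKey(getDecryptedData(bucketName, keyName));
        // the key-id lookup also goes through getDecryptedData; keeping it inside
        // the try means a failure there is logged and yields null like a failed
        // key load, instead of escaping to the caller
        if (pkey != null) {
            serverKey = new ServerPrivateKey(pkey, getDecryptedData(bucketName, keyIdName));
        }
    } catch (Exception ex) {
        LOG.error("unable to load private key", ex);
    }
    return serverKey;
}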

Example 12 with ServerPrivateKey

use of com.yahoo.athenz.auth.ServerPrivateKey in project athenz by yahoo.

Class FilePrivateKeyStore, method getPrivateKey.

/**
 * Loads the server's private signing key from a file named by a system
 * property, choosing the RSA or EC property pair by {@code algorithm}.
 *
 * @param service        must match (case-insensitively) {@code ZMS_SERVICE},
 *                       {@code ZTS_SERVICE} or {@code MSD_SERVICE}
 * @param serverHostName not used by this store
 * @param serverRegion   not used by this store
 * @param algorithm      {@code ALGO_RSA} or {@code ALGO_EC}, compared case-insensitively
 * @return the key with its configured id (default {@code "0"}), or {@code null}
 *         when the service or algorithm is unknown, no key path property is set,
 *         or {@code Crypto.loadPrivateKey} returns {@code null}
 */
@Override
public ServerPrivateKey getPrivateKey(String service, String serverHostName, String serverRegion, String algorithm) {
    final boolean knownService = ZMS_SERVICE.equalsIgnoreCase(service)
            || ZTS_SERVICE.equalsIgnoreCase(service)
            || MSD_SERVICE.equalsIgnoreCase(service);
    if (!knownService) {
        LOG.error("FilePrivateKeyStore: unknown service: {}", service);
        return null;
    }
    final boolean rsa = ALGO_RSA.equalsIgnoreCase(algorithm);
    if (!rsa && !ALGO_EC.equalsIgnoreCase(algorithm)) {
        LOG.error("FilePrivateKeyStore: unknown algorithm: {}", algorithm);
        return null;
    }
    // each algorithm has its own path / key-id property pair
    final String keyPath = rsa
            ? System.getProperty(ATHENZ_PROP_PRIVATE_RSA_KEY)
            : System.getProperty(ATHENZ_PROP_PRIVATE_EC_KEY);
    final String keyId = rsa
            ? System.getProperty(ATHENZ_PROP_PRIVATE_RSA_KEY_ID, "0")
            : System.getProperty(ATHENZ_PROP_PRIVATE_EC_KEY_ID, "0");
    if (LOG.isDebugEnabled()) {
        LOG.debug("FilePrivateKeyStore: private key file: {}, id: {}", keyPath, keyId);
    }
    if (keyPath == null) {
        return null;
    }
    final PrivateKey pkey = Crypto.loadPrivateKey(new File(keyPath));
    return pkey == null ? null : new ServerPrivateKey(pkey, keyId);
}

Example 13 with ServerPrivateKey

use of com.yahoo.athenz.auth.ServerPrivateKey in project athenz by yahoo.

Class ZMSImplTest, method testGetUserTokenDefaultSelfName.

/**
 * Requests a user token for {@code "_self_"} and checks that the token carries
 * the caller's own name, host, IP and key id, and that a real
 * {@code PrincipalAuthority} (not a mock) accepts its signature.
 */
@Test
public void testGetUserTokenDefaultSelfName() {
    final String userId = "user10";
    // real authority backed by the server's key store, so signature verification is genuine
    PrincipalAuthority signingAuthority = new com.yahoo.athenz.auth.impl.PrincipalAuthority();
    signingAuthority.setKeyStore(zmsTestInitializer.getZms());
    Authority userAuthority = new com.yahoo.athenz.common.server.debug.DebugUserAuthority();
    Principal caller = SimplePrincipal.create("user", userId, userId + ":password", 0, userAuthority);
    assertNotNull(caller);
    ((SimplePrincipal) caller).setUnsignedCreds(userId);
    ResourceContext ctx = zmsTestInitializer.createResourceContext(caller);
    // install the signing key the server will use for the token, then its public counterpart
    zmsTestInitializer.getZms().privateKey = new ServerPrivateKey(Crypto.loadPrivateKey(Crypto.ybase64DecodeString(zmsTestInitializer.getPrivKey())), "0");
    zmsTestInitializer.loadServerPublicKeys(zmsTestInitializer.getZms());
    UserToken userToken = zmsTestInitializer.getZms().getUserToken(ctx, "_self_", null, false);
    assertNotNull(userToken);
    final String tokenValue = userToken.getToken();
    assertTrue(tokenValue.startsWith("v=U1;d=user;n=" + userId + ";"));
    assertTrue(tokenValue.contains(";h=localhost"));
    assertTrue(tokenValue.contains(";i=10.11.12.13"));
    assertTrue(tokenValue.contains(";k=0"));
    // the signed token must authenticate against the same key
    Principal verified = signingAuthority.authenticate(tokenValue, "10.11.12.13", "GET", null);
    assertNotNull(verified);
}

Example 14 with ServerPrivateKey

use of com.yahoo.athenz.auth.ServerPrivateKey in project athenz by yahoo.

Class ZMSImplTest, method testGetSignedDomainsFiltered.

/**
 * Creates two top-level domains and checks that {@code getSignedDomains}
 * filtered by name returns exactly one entry: signed and verifiable by the
 * server's public key, unsigned and stripped to metadata when
 * {@code metaonly} is requested, and still found when the name is given in a
 * different case.
 */
@Test
public void testGetSignedDomainsFiltered() {
    final String domName1 = "signeddom1filtered";
    final String domName2 = "signeddom2filtered";
    zmsTestInitializer.loadServerPublicKeys(zmsTestInitializer.getZms());
    // two domains so the name filter has something to leave out
    TopLevelDomain dom1 = zmsTestInitializer.createTopLevelDomainObject(domName1, "Test Domain1", "testOrg", zmsTestInitializer.getAdminUser());
    zmsTestInitializer.getZms().postTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), zmsTestInitializer.getAuditRef(), dom1);
    TopLevelDomain dom2 = zmsTestInitializer.createTopLevelDomainObject(domName2, "Test Domain2", "testOrg", zmsTestInitializer.getAdminUser());
    zmsTestInitializer.getZms().postTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), zmsTestInitializer.getAuditRef(), dom2);
    zmsTestInitializer.getZms().privateKey = new ServerPrivateKey(Crypto.loadPrivateKey(Crypto.ybase64DecodeString(zmsTestInitializer.getPrivKey())), "0");
    // exact name filter: one signed entry whose signature checks out
    Response response = zmsTestInitializer.getZms().getSignedDomains(zmsTestInitializer.getMockDomRsrcCtx(), domName1, null, null, null, false, null);
    SignedDomain sDomain = onlySignedDomain(response);
    assertSignedBy(sDomain, domName1);
    // metaonly=true: no signature or key id, and the domain payload is metadata only
    response = zmsTestInitializer.getZms().getSignedDomains(zmsTestInitializer.getMockDomRsrcCtx(), domName1, "true", null, Boolean.TRUE, false, null);
    sDomain = onlySignedDomain(response);
    final String signature = sDomain.getSignature();
    assertTrue(signature == null || signature.isEmpty());
    final String keyId = sDomain.getKeyId();
    assertTrue(keyId == null || keyId.isEmpty());
    DomainData ddata = sDomain.getDomain();
    assertEquals(domName1, ddata.getName());
    assertNotNull(ddata.getModified());
    assertNull(ddata.getPolicies());
    assertNull(ddata.getRoles());
    assertNull(ddata.getServices());
    // same domain requested with mixed-case name, nothing changed in between:
    // the lookup must be case-insensitive and return the same signed data
    response = zmsTestInitializer.getZms().getSignedDomains(zmsTestInitializer.getMockDomRsrcCtx(), "SignedDom1Filtered", null, null, Boolean.TRUE, false, null);
    sDomain = onlySignedDomain(response);
    assertSignedBy(sDomain, domName1);
    zmsTestInitializer.getZms().deleteTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), domName1, zmsTestInitializer.getAuditRef());
    zmsTestInitializer.getZms().deleteTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), domName2, zmsTestInitializer.getAuditRef());
}

/** Asserts the response holds exactly one signed domain and returns it. */
private SignedDomain onlySignedDomain(Response response) {
    SignedDomains sdoms = (SignedDomains) response.getEntity();
    assertNotNull(sdoms);
    List<SignedDomain> list = sdoms.getDomains();
    assertNotNull(list);
    assertEquals(1, list.size());
    return list.get(0);
}

/**
 * Asserts the entry's signature verifies with the server's public key for
 * its key id and that the domain carries the expected name.
 */
private void assertSignedBy(SignedDomain sDomain, String expectedName) {
    final String signature = sDomain.getSignature();
    final String keyId = sDomain.getKeyId();
    final String publicKey = zmsTestInitializer.getZms().getPublicKey("sys.auth", "zms", keyId);
    assertTrue(Crypto.verify(SignUtils.asCanonicalString(sDomain.getDomain()), Crypto.loadPublicKey(publicKey), signature));
    assertEquals(expectedName, sDomain.getDomain().getName());
}

Example 15 with ServerPrivateKey

use of com.yahoo.athenz.auth.ServerPrivateKey in project athenz by yahoo.

Class InstanceProviderManagerTest, method testGetClassProviderForZTS.

/**
 * Loads a signed {@code sys.auth.zts} domain with a class-based provider
 * endpoint and checks that the manager resolves a provider client for it.
 */
@Test
public void testGetClassProviderForZTS() {
    SignedDomain ztsDomain = createSignedDomainClassEndpoint("sys.auth", "zts", true, true);
    store.processSignedDomain(ztsDomain, false);
    // the key is only handed to the manager here, so a mocked PrivateKey is enough
    PrivateKey mockKey = Mockito.mock(PrivateKey.class);
    ServerPrivateKey serverKey = new ServerPrivateKey(mockKey, "0");
    InstanceProviderManager manager = new InstanceProviderManager(store, null, null, serverKey, null);
    InstanceProvider client = manager.getProvider("sys.auth.zts", new HostnameResolver() {
    });
    assertNotNull(client);
    client.close();
}
