use of com.yahoo.athenz.auth.impl.CertificateAuthority in project athenz by yahoo.
the class ZTSImplTest method testPostOSTKInstanceRefreshRequestSerialMisMatch.
@Test
public void testPostOSTKInstanceRefreshRequestSerialMisMatch() throws IOException {
Path path = Paths.get("src/test/resources/athenz.instanceid.csr");
String certCsr = new String(Files.readAllBytes(path));
OSTKInstanceRefreshRequest req = new OSTKInstanceRefreshRequest().setCsr(certCsr);
SimplePrincipal principal = (SimplePrincipal) SimplePrincipal.create("athenz", "production", "v=S1,d=athenz;n=production;s=sig", 0, new CertificateAuthority());
HttpServletRequest servletRequest = Mockito.mock(HttpServletRequest.class);
Mockito.when(servletRequest.isSecure()).thenReturn(true);
path = Paths.get("src/test/resources/athenz.instanceid.pem");
String pem = new String(Files.readAllBytes(path));
X509Certificate cert = Crypto.loadX509Certificate(pem);
principal.setX509Certificate(cert);
ResourceContext context = createResourceContext(principal, servletRequest);
X509CertRecord certRecord = new X509CertRecord();
certRecord.setService("athenz.production");
certRecord.setProvider("ostk");
certRecord.setInstanceId("1001");
certRecord.setCurrentSerial("12341324334");
certRecord.setPrevSerial("2342134323");
CertRecordStore certStore = Mockito.mock(CertRecordStore.class);
CertRecordStoreConnection certConnection = Mockito.mock(CertRecordStoreConnection.class);
Mockito.when(certStore.getConnection()).thenReturn(certConnection);
Mockito.when(certConnection.getX509CertRecord("ostk", "1001")).thenReturn(certRecord);
Mockito.when(certConnection.updateX509CertRecord(ArgumentMatchers.isA(X509CertRecord.class))).thenReturn(true);
zts.instanceCertManager.setCertStore(certStore);
try {
zts.postOSTKInstanceRefreshRequest(context, "athenz", "production", req);
fail();
} catch (ResourceException ex) {
assertEquals(ex.getCode(), 403);
assertTrue(ex.getMessage().contains("Certificate revoked"));
}
}
use of com.yahoo.athenz.auth.impl.CertificateAuthority in project athenz by yahoo.
the class ZTSImpl method postInstanceRefreshRequest.
@Override
public Identity postInstanceRefreshRequest(ResourceContext ctx, String domain, String service, InstanceRefreshRequest req) {
final String caller = "postinstancerefreshrequest";
final String callerTiming = "postinstancerefreshrequest_timing";
metric.increment(HTTP_POST);
logPrincipal(ctx);
validateRequest(ctx.request(), caller);
validate(domain, TYPE_DOMAIN_NAME, caller);
validate(service, TYPE_SIMPLE_NAME, caller);
validate(req, TYPE_INSTANCE_REFRESH_REQUEST, caller);
// for consistent handling of all requests, we're going to convert
// all incoming object values into lower case (e.g. domain, role,
// policy, service, etc name)
domain = domain.toLowerCase();
service = service.toLowerCase();
Object timerMetric = metric.startTiming(callerTiming, domain);
metric.increment(HTTP_REQUEST, domain);
metric.increment(caller, domain);
// make sure the credentials match to whatever the request is
Principal principal = ((RsrcCtxWrapper) ctx).principal();
String fullServiceName = domain + "." + service;
final String principalName = principal.getFullName();
boolean userRequest = false;
if (!fullServiceName.equals(principalName)) {
try {
userRequest = authorizer.access("update", domain + ":service", principal, null);
} catch (ResourceException ex) {
LOGGER.error("postInstanceRefreshRequest: access check failure for {}: {}", principalName, ex.getMessage());
}
if (!userRequest) {
throw requestError("Principal mismatch: " + fullServiceName + " vs. " + principalName, caller, domain);
}
}
if (userDomain.equalsIgnoreCase(domain)) {
throw requestError("TLS Certificates require ServiceTokens: " + fullServiceName, caller, domain);
}
// determine if this is a refresh or initial request
final Authority authority = principal.getAuthority();
boolean refreshOperation = (!userRequest && (authority instanceof CertificateAuthority));
// retrieve the public key for the request for verification
final String keyId = userRequest || refreshOperation ? req.getKeyId() : principal.getKeyId();
String publicKey = getPublicKey(domain, service, keyId);
if (publicKey == null) {
throw requestError("Unable to retrieve public key for " + fullServiceName + " with key id: " + keyId, caller, domain);
}
// validate that the cn and public key match to the provided details
X509CertRequest x509CertReq = null;
try {
x509CertReq = new X509CertRequest(req.getCsr());
} catch (CryptoException ex) {
throw requestError("Unable to parse PKCS10 certificate request", caller, domain);
}
final PKCS10CertificationRequest certReq = x509CertReq.getCertReq();
if (!ZTSUtils.verifyCertificateRequest(certReq, domain, service, null)) {
throw requestError("Invalid CSR - data mismatch", caller, domain);
}
if (!x509CertReq.comparePublicKeys(publicKey)) {
throw requestError("Invalid CSR - public key mismatch", caller, domain);
}
if (refreshOperation) {
final String ipAddress = ServletRequestUtil.getRemoteAddress(ctx.request());
ServiceX509RefreshRequestStatus status = validateServiceX509RefreshRequest(principal, x509CertReq, ipAddress);
if (status == ServiceX509RefreshRequestStatus.IP_NOT_ALLOWED) {
throw forbiddenError("IP not allowed for refresh: " + ipAddress, caller, domain);
}
if (status != ServiceX509RefreshRequestStatus.SUCCESS) {
throw requestError("Request valiation failed: " + status, caller, domain);
}
}
// generate identity with the certificate
int expiryTime = req.getExpiryTime() != null ? req.getExpiryTime() : 0;
Identity identity = ZTSUtils.generateIdentity(certSigner, req.getCsr(), fullServiceName, null, expiryTime);
if (identity == null) {
throw serverError("Unable to generate identity", caller, domain);
}
// create our audit log entry
AuditLogMsgBuilder msgBldr = getAuditLogMsgBuilder(ctx, domain, caller, HTTP_POST);
msgBldr.whatEntity(fullServiceName);
X509Certificate newCert = Crypto.loadX509Certificate(identity.getCertificate());
StringBuilder auditLogDetails = new StringBuilder(512);
auditLogDetails.append("Provider: ").append(ZTSConsts.ZTS_SERVICE).append(" Domain: ").append(domain).append(" Service: ").append(service).append(" Serial: ").append(newCert.getSerialNumber().toString()).append(" Principal: ").append(principalName).append(" Type: x509");
msgBldr.whatDetails(auditLogDetails.toString());
auditLogger.log(msgBldr);
metric.stopTiming(timerMetric);
return identity;
}
use of com.yahoo.athenz.auth.impl.CertificateAuthority in project athenz by yahoo.
the class ZTSImplTest method testPostInstanceRefreshInformationSSHMatchPrevSerial.
@Test
public void testPostInstanceRefreshInformationSSHMatchPrevSerial() throws IOException {
ChangeLogStore structStore = new ZMSFileChangeLogStore("/tmp/zts_server_unit_tests/zts_root", privateKey, "0");
DataStore store = new DataStore(structStore, null);
ZTSImpl ztsImpl = new ZTSImpl(mockCloudStore, store);
SignedDomain providerDomain = signedAuthorizedProviderDomain();
store.processDomain(providerDomain, false);
SignedDomain tenantDomain = signedBootstrapTenantDomain("athenz.provider", "athenz", "production");
store.processDomain(tenantDomain, false);
InstanceCertManager instanceManager = Mockito.spy(ztsImpl.instanceCertManager);
X509CertRecord certRecord = new X509CertRecord();
certRecord.setInstanceId("1001");
certRecord.setProvider("athenz.provider");
certRecord.setService("athenz.production");
certRecord.setCurrentSerial("123413");
certRecord.setPrevSerial("16503746516960996918");
Mockito.when(instanceManager.getX509CertRecord("athenz.provider", "1001")).thenReturn(certRecord);
Mockito.when(instanceManager.updateX509CertRecord(Mockito.any())).thenReturn(true);
InstanceIdentity identity = new InstanceIdentity().setName("athenz.production");
Mockito.when(instanceManager.generateSshIdentity(identity, "ssh-csr", null)).thenReturn(true);
ztsImpl.instanceCertManager = instanceManager;
InstanceRefreshInformation info = new InstanceRefreshInformation().setSsh("ssh-csr");
CertificateAuthority certAuthority = new CertificateAuthority();
SimplePrincipal principal = (SimplePrincipal) SimplePrincipal.create("athenz", "production", "v=S1;d=athenz;n=production;s=signature", 0, certAuthority);
Path path = Paths.get("src/test/resources/athenz.instanceid.pem");
String pem = new String(Files.readAllBytes(path));
X509Certificate cert = Crypto.loadX509Certificate(pem);
principal.setX509Certificate(cert);
ResourceContext context = createResourceContext(principal);
InstanceIdentity instanceIdentity = ztsImpl.postInstanceRefreshInformation(context, "athenz.provider", "athenz", "production", "1001", info);
assertNotNull(instanceIdentity);
}
use of com.yahoo.athenz.auth.impl.CertificateAuthority in project athenz by yahoo.
the class ZTSImplTest method testPostOSTKInstanceRefreshRequestPreviousSerialMatch.
@Test
public void testPostOSTKInstanceRefreshRequestPreviousSerialMatch() throws IOException {
Path path = Paths.get("src/test/resources/athenz.instanceid.csr");
String certCsr = new String(Files.readAllBytes(path));
OSTKInstanceRefreshRequest req = new OSTKInstanceRefreshRequest().setCsr(certCsr);
SimplePrincipal principal = (SimplePrincipal) SimplePrincipal.create("athenz", "production", "v=S1,d=athenz;n=production;s=sig", 0, new CertificateAuthority());
HttpServletRequest servletRequest = Mockito.mock(HttpServletRequest.class);
Mockito.when(servletRequest.isSecure()).thenReturn(true);
path = Paths.get("src/test/resources/athenz.instanceid.pem");
String pem = new String(Files.readAllBytes(path));
X509Certificate cert = Crypto.loadX509Certificate(pem);
principal.setX509Certificate(cert);
ResourceContext context = createResourceContext(principal, servletRequest);
X509CertRecord certRecord = new X509CertRecord();
certRecord.setService("athenz.production");
certRecord.setProvider("ostk");
certRecord.setInstanceId("1001");
certRecord.setCurrentSerial("12341324334");
certRecord.setPrevSerial("16503746516960996918");
CertRecordStore certStore = Mockito.mock(CertRecordStore.class);
CertRecordStoreConnection certConnection = Mockito.mock(CertRecordStoreConnection.class);
Mockito.when(certStore.getConnection()).thenReturn(certConnection);
Mockito.when(certConnection.getX509CertRecord("ostk", "1001")).thenReturn(certRecord);
Mockito.when(certConnection.updateX509CertRecord(ArgumentMatchers.isA(X509CertRecord.class))).thenReturn(true);
zts.instanceCertManager.setCertStore(certStore);
Identity identity = zts.postOSTKInstanceRefreshRequest(context, "athenz", "production", req);
assertNotNull(identity);
X509Certificate x509Cert = Crypto.loadX509Certificate(identity.getCertificate());
assertNotNull(x509Cert);
}
use of com.yahoo.athenz.auth.impl.CertificateAuthority in project athenz by yahoo.
the class ZTSImplTest method testPostInstanceRefreshInformationSSHIdentityFailure.
@Test
public void testPostInstanceRefreshInformationSSHIdentityFailure() throws IOException {
ChangeLogStore structStore = new ZMSFileChangeLogStore("/tmp/zts_server_unit_tests/zts_root", privateKey, "0");
DataStore store = new DataStore(structStore, null);
ZTSImpl ztsImpl = new ZTSImpl(mockCloudStore, store);
SignedDomain providerDomain = signedAuthorizedProviderDomain();
store.processDomain(providerDomain, false);
SignedDomain tenantDomain = signedBootstrapTenantDomain("athenz.provider", "athenz", "production");
store.processDomain(tenantDomain, false);
InstanceCertManager instanceManager = Mockito.spy(ztsImpl.instanceCertManager);
X509CertRecord certRecord = new X509CertRecord();
certRecord.setInstanceId("1001");
certRecord.setProvider("athenz.provider");
certRecord.setService("athenz.production");
certRecord.setCurrentSerial("16503746516960996918");
certRecord.setPrevSerial("16503746516960996918");
Mockito.when(instanceManager.getX509CertRecord("athenz.provider", "1001")).thenReturn(certRecord);
Mockito.when(instanceManager.updateX509CertRecord(Mockito.any())).thenReturn(true);
InstanceIdentity identity = new InstanceIdentity().setName("athenz.production");
Mockito.when(instanceManager.generateSshIdentity(identity, "ssh-csr", "user")).thenReturn(false);
ztsImpl.instanceCertManager = instanceManager;
InstanceRefreshInformation info = new InstanceRefreshInformation().setSsh("ssh-csr");
CertificateAuthority certAuthority = new CertificateAuthority();
SimplePrincipal principal = (SimplePrincipal) SimplePrincipal.create("athenz", "production", "v=S1;d=athenz;n=production;s=signature", 0, certAuthority);
Path path = Paths.get("src/test/resources/athenz.instanceid.pem");
String pem = new String(Files.readAllBytes(path));
X509Certificate cert = Crypto.loadX509Certificate(pem);
principal.setX509Certificate(cert);
ResourceContext context = createResourceContext(principal);
try {
ztsImpl.postInstanceRefreshInformation(context, "athenz.provider", "athenz", "production", "1001", info);
fail();
} catch (ResourceException ex) {
assertEquals(ex.getCode(), 500);
}
}
Aggregations