
Example 11 with PrincipalToken

use of com.yahoo.athenz.auth.token.PrincipalToken in project athenz by yahoo.

the class ZMSImplTest method testGetUserTokenExpiredIssueTime.

@Test
public void testGetUserTokenExpiredIssueTime() {
    // A real PrincipalAuthority (not a debug stub) so the signature on the
    // issued user token is actually verified against the ZMS key store.
    PrincipalAuthority verifier = new com.yahoo.athenz.auth.impl.PrincipalAuthority();
    verifier.setKeyStore(zms);
    // A stale issue time, 2 hours in the past. It is only used by the assertion
    // below: getUserToken never receives it, so the token is issued with the
    // server's own timestamp.
    long staleIssueTime = (System.currentTimeMillis() / 1000) - 7200;
    Authority userAuthority = new com.yahoo.athenz.common.server.debug.DebugUserAuthority();
    String userId = "george";
    Principal caller = SimplePrincipal.create("user", userId, userId + ":password", 0, userAuthority);
    ((SimplePrincipal) caller).setUnsignedCreds(userId);
    ResourceContext ctx = createResourceContext(caller);
    zms.privateKeyId = "0";
    zms.privateKey = Crypto.loadPrivateKey(Crypto.ybase64DecodeString(privKey));
    UserToken issued = zms.getUserToken(ctx, userId, null, null);
    assertNotNull(issued);
    // The real authority must accept the token, i.e. its signature checks out.
    assertNotNull(verifier.authenticate(issued.getToken(), "10.11.12.13", "GET", null));
    // The token's own timestamp must not be the stale one.
    PrincipalToken parsed = new PrincipalToken(issued.getToken());
    assertNotEquals(parsed.getTimestamp(), staleIssueTime);
    // Expiry should sit close to the 1 hour default.
    long secondsUntilExpiry = parsed.getExpiryTime() - (System.currentTimeMillis() / 1000);
    assertTrue(secondsUntilExpiry > 3500);
}

Example 12 with PrincipalToken

use of com.yahoo.athenz.auth.token.PrincipalToken in project athenz by yahoo.

the class ZMSFileChangeLogStore method getZMSClient.

/**
 * Builds a ZMS client that authenticates as the ZTS service identity in the
 * Athenz system domain.
 * The client carries a principal token signed with this store's private key;
 * note that the token is valid for a full 24 hours from issue.
 * @return a new ZMSClient for {@code zmsUrl} with the service credential attached
 */
ZMSClient getZMSClient() {
    long oneDayInSeconds = 24 * 60 * 60L;
    PrincipalToken serviceToken = new PrincipalToken.Builder("S1", ZTSConsts.ATHENZ_SYS_DOMAIN, ZTSConsts.ZTS_SERVICE)
            .expirationWindow(oneDayInSeconds)
            .keyId(privateKeyId)
            .build();
    serviceToken.sign(privateKey);
    // the signed token is the credential the ZMS server will verify
    Principal self = SimplePrincipal.create(ZTSConsts.ATHENZ_SYS_DOMAIN, ZTSConsts.ZTS_SERVICE, serviceToken.getSignedToken(), authority);
    ZMSClient client = new ZMSClient(zmsUrl);
    client.addCredentials(self);
    return client;
}

Example 13 with PrincipalToken

use of com.yahoo.athenz.auth.token.PrincipalToken in project athenz by yahoo.

the class ZMSAuthorizer method access.

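/**
 * Requests the ZMS to indicate whether or not the specific request for the
 * specified resource with authentication details will be granted or not.
 * @param action value of the action to be carried out (e.g. "UPDATE", "DELETE")
 * @param resource resource value
 * @param token either principal token (NToken) or role token (ZToken) that will
 *        be authenticated and checked for requested access
 * @param trustDomain (optional - usually null) if the access checks involves cross
 *        domain check only check the specified trusted domain and ignore all others
 *        If the token is a role token, this argument must be null.
 * @return boolean indicating whether or not the request will be granted or not;
 *         a token that cannot be parsed into a principal is reported as denied
 */
public boolean access(String action, String resource, String token, String trustDomain) {
    // first let's find out what type of token we're given
    // either Role Token with version Z1 or principal token
    Principal principal;
    try {
        if (isRoleToken(token)) {
            RoleToken roleToken = new RoleToken(token);
            principal = SimplePrincipal.create(roleToken.getDomain(), roleToken.getSignedToken(), roleToken.getRoles(), ROLE_AUTHORITY);
        } else {
            PrincipalToken principalToken = new PrincipalToken(token);
            principal = SimplePrincipal.create(principalToken.getDomain(), principalToken.getName(), principalToken.getSignedToken(), 0, PRINCIPAL_AUTHORITY);
        }
    } catch (IllegalArgumentException ex) {
        // PrincipalToken's constructor rejects a malformed token with
        // IllegalArgumentException (RoleToken presumably behaves the same).
        // This method is a yes/no authorization decision, so an unparseable
        // token is a denial rather than an exception escaping the authorizer.
        // Only the parser's message is logged, never the token itself.
        LOGGER.error("ZMSAuthorizer.access: unable to parse token: " + ex.getMessage());
        return false;
    }
    if (principal == null) {
        LOGGER.error("ZMSAuthorizer.access: unable to create principal object");
        return false;
    }
    return access(action, resource, principal, trustDomain);
}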

Example 14 with PrincipalToken

use of com.yahoo.athenz.auth.token.PrincipalToken in project athenz by yahoo.

the class ZMSClient method getPrincipal.

/**
 * Validates the given service token against the ZMS server and, when the
 * server confirms it, returns the corresponding Principal.
 * The token is first parsed locally, then attached to the client and the
 * server's view of the principal is fetched and compared (case-insensitively)
 * with the locally parsed domain and service name.
 * @param serviceToken signed service token to be validated
 * @param tokenHeader name of the authorization header carrying the token;
 *        defaults to the principal authority's header when null
 * @return the locally built Principal once the server has validated the token
 * @throws ZMSClientException if the token is null, malformed, rejected by the
 *         server, or does not match the server's view of the principal
 */
public Principal getPrincipal(String serviceToken, String tokenHeader) {
    if (serviceToken == null) {
        // NOTE(review): the only failure here using the literal 401 rather than
        // ZMSClientException.UNAUTHORIZED; presumably the same value - confirm.
        throw new ZMSClientException(401, "Null service token provided");
    }
    String headerName = tokenHeader == null ? PRINCIPAL_AUTHORITY.getHeader() : tokenHeader;
    // parse the token locally before any network round trip
    PrincipalToken parsedToken;
    try {
        parsedToken = new PrincipalToken(serviceToken);
    } catch (IllegalArgumentException ex) {
        throw new ZMSClientException(ZMSClientException.UNAUTHORIZED, "Invalid service token provided: " + ex.getMessage());
    }
    Principal localPrincipal = SimplePrincipal.create(parsedToken.getDomain(), parsedToken.getName(), serviceToken, 0, PRINCIPAL_AUTHORITY);
    if (localPrincipal == null) {
        throw new ZMSClientException(ZMSClientException.UNAUTHORIZED, "Invalid service token provided");
    }
    // the token becomes this client's credential for the validation call
    client.addCredentials(headerName, serviceToken);
    principalCheckDone = true;
    ServicePrincipal serverView;
    try {
        serverView = client.getServicePrincipal();
    } catch (ResourceException ex) {
        throw new ZMSClientException(ex.getCode(), ex.getData());
    } catch (Exception ex) {
        throw new ZMSClientException(ZMSClientException.BAD_REQUEST, ex.getMessage());
    }
    if (serverView == null) {
        throw new ZMSClientException(ZMSClientException.UNAUTHORIZED, "Invalid service token provided");
    }
    // the server's answer must describe the same identity we parsed locally
    boolean domainMatches = localPrincipal.getDomain().equalsIgnoreCase(serverView.getDomain());
    if (!domainMatches) {
        throw new ZMSClientException(ZMSClientException.UNAUTHORIZED, "Validated principal domain name mismatch");
    }
    boolean serviceMatches = localPrincipal.getName().equalsIgnoreCase(serverView.getService());
    if (!serviceMatches) {
        throw new ZMSClientException(ZMSClientException.UNAUTHORIZED, "Validated principal service name mismatch");
    }
    return localPrincipal;
}

Example 15 with PrincipalToken

use of com.yahoo.athenz.auth.token.PrincipalToken in project athenz by yahoo.

the class PrincipalAuthority method authenticate.

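/**
 * Authenticates a signed principal token (NToken) presented with a request.
 * The token is parsed, checked as an authorized-service token, verified with
 * the public key resolved for its domain, name and key id, optionally checked
 * for an authorized-service signature (token chaining), and, for user tokens,
 * checked against the request's remote address.
 * @param signedToken the signed NToken credential presented by the caller
 * @param remoteAddr remote address of the request, compared with the IP carried
 *        by a user token
 * @param httpMethod HTTP method of the request; decides whether it counts as a
 *        write operation
 * @param errMsg optional buffer that receives the reason for a failure; when
 *        null a private buffer is used and the caller gets no reason back
 * @return the authenticated principal with lower-cased domain and name, or
 *         null if any check fails (the reason is appended to errMsg)
 */
@Override
public Principal authenticate(String signedToken, String remoteAddr, String httpMethod, StringBuilder errMsg) {
    errMsg = errMsg == null ? new StringBuilder(512) : errMsg;
    if (LOG.isDebugEnabled()) {
        // The signed token is a bearer credential: log only its unsigned portion,
        // using the same helper the error paths below use, so the signature never
        // ends up in a debug log.
        LOG.debug("Authenticating PrincipalToken: " + Token.getUnsignedToken(signedToken));
    }
    PrincipalToken serviceToken;
    try {
        serviceToken = new PrincipalToken(signedToken);
    } catch (IllegalArgumentException ex) {
        errMsg.append("PrincipalAuthority:authenticate: Invalid token: exc=").append(ex.getMessage()).append(" : credential=").append(Token.getUnsignedToken(signedToken));
        LOG.error(errMsg.toString());
        return null;
    }
    /* before authenticating verify that if this is a valid
     * authorized service token or not and if required
     * components are provided (the method already logs
     * all error messages). errDetail is handed to every check
     * below and never cleared in between. */
    StringBuilder errDetail = new StringBuilder(512);
    if (!serviceToken.isValidAuthorizedServiceToken(errDetail)) {
        errMsg.append("PrincipalAuthority:authenticate: Invalid authorized service token: ");
        errMsg.append(errDetail).append(" : credential=").append(Token.getUnsignedToken(signedToken));
        return null;
    }
    String tokenDomain = serviceToken.getDomain().toLowerCase();
    String tokenName = serviceToken.getName().toLowerCase();
    String keyService = serviceToken.getKeyService();
    boolean userToken = tokenDomain.equals(userDomain);
    /* get the public key for this token to validate signature */
    String publicKey = getPublicKey(tokenDomain, tokenName, keyService, serviceToken.getKeyId(), userToken);
    /* the validate method logs all error messages; the third argument is
     * !writeOp - its exact meaning is defined by PrincipalToken.validate */
    boolean writeOp = isWriteOperation(httpMethod);
    if (!serviceToken.validate(publicKey, allowedOffset, !writeOp, errDetail)) {
        errMsg.append("PrincipalAuthority:authenticate: service token validation failure: ");
        errMsg.append(errDetail).append(" : credential=").append(Token.getUnsignedToken(signedToken));
        return null;
    }
    /* if an authorized service signature is available then we're going to validate
     * that signature as well to support token chaining in Athenz and, if necessary,
     * bypass IP address mismatch for users */
    String authorizedServiceName = null;
    if (serviceToken.getAuthorizedServiceSignature() != null) {
        authorizedServiceName = validateAuthorizeService(serviceToken, errDetail);
        if (authorizedServiceName == null) {
            errMsg.append("PrincipalAuthority:authenticate: validation of authorized service failure: ").append(errDetail).append(" : credential=").append(Token.getUnsignedToken(signedToken));
            return null;
        }
    }
    /* only user tokens are bound to the client address; the check also sees
     * whether this is a write and which authorized service (if any) vouched */
    if (userToken && !remoteIpCheck(remoteAddr, writeOp, serviceToken, authorizedServiceName)) {
        errMsg.append("PrincipalAuthority:authenticate: IP Mismatch - token (").append(serviceToken.getIP()).append(") request (").append(remoteAddr).append(")");
        LOG.error(errMsg.toString());
        return null;
    }
    /* all the role members in Athenz are normalized to lower case so we need to make
     * sure our principal's name and domain are created with lower case as well */
    SimplePrincipal princ = (SimplePrincipal) SimplePrincipal.create(tokenDomain, tokenName, signedToken, serviceToken.getTimestamp(), this);
    princ.setUnsignedCreds(serviceToken.getUnsignedToken());
    princ.setAuthorizedService(authorizedServiceName);
    princ.setOriginalRequestor(serviceToken.getOriginalRequestor());
    princ.setKeyService(keyService);
    princ.setIP(serviceToken.getIP());
    princ.setKeyId(serviceToken.getKeyId());
    return princ;
}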
