Search in sources :

Example 36 with PrincipalToken

use of com.yahoo.athenz.auth.token.PrincipalToken in project athenz by yahoo.

the class SimpleServiceIdentityProvider method getIdentity.

public Principal getIdentity(String domainName, String serviceName) {
    // all the role members in Athenz are normalized to lower case so we need to make
    // sure our principal's name and domain are created with lower case as well
    domainName = domainName.toLowerCase();
    serviceName = serviceName.toLowerCase();
    if (!domainName.equals(domain) || !serviceName.equals(service)) {
        return null;
    }
    PrincipalToken token = new PrincipalToken.Builder("S1", domainName, serviceName).expirationWindow(tokenTimeout).host(host).keyId(keyId).build();
    token.sign(key);
    SimplePrincipal principal = (SimplePrincipal) SimplePrincipal.create(domainName, serviceName, token.getSignedToken(), System.currentTimeMillis() / 1000, authority);
    principal.setUnsignedCreds(token.getUnsignedToken());
    return principal;
}
Also used : PrincipalToken(com.yahoo.athenz.auth.token.PrincipalToken)

Example 37 with PrincipalToken

use of com.yahoo.athenz.auth.token.PrincipalToken in project athenz by yahoo.

the class InstanceZTSProviderTest method testConfirmInstanceUnknownHostname.

@Test
public void testConfirmInstanceUnknownHostname() {
    KeyStore keystore = Mockito.mock(KeyStore.class);
    Mockito.when(keystore.getPublicKey("sports", "api", "v0")).thenReturn(servicePublicKeyStringK0);
    HostnameResolver hostnameResolver = Mockito.mock(HostnameResolver.class);
    Mockito.when(hostnameResolver.isValidHostname("hostabc.athenz.com")).thenReturn(true);
    Mockito.when(hostnameResolver.getAllByName("hostabc.athenz.com")).thenReturn(new HashSet<>(Collections.singletonList("10.1.1.2")));
    InstanceZTSProvider provider = new InstanceZTSProvider();
    provider.initialize("provider", "com.yahoo.athenz.instance.provider.impl.InstanceZTSProvider", null, keystore);
    provider.setHostnameResolver(hostnameResolver);
    PrincipalToken tokenToSign = new PrincipalToken.Builder("S1", "sports", "api").keyId("v0").salt("salt").issueTime(System.currentTimeMillis() / 1000).expirationWindow(3600).build();
    tokenToSign.sign(servicePrivateKeyStringK0);
    InstanceConfirmation confirmation = new InstanceConfirmation();
    confirmation.setAttestationData(tokenToSign.getSignedToken());
    confirmation.setDomain("sports");
    confirmation.setService("api");
    confirmation.setProvider("sys.auth.zts");
    Map<String, String> attributes = new HashMap<>();
    attributes.put(InstanceProvider.ZTS_INSTANCE_SAN_DNS, "api.sports.zts.athenz.cloud,inst1.instanceid.athenz.zts.athenz.cloud");
    attributes.put(InstanceProvider.ZTS_INSTANCE_HOSTNAME, "hostabc.athenz.com");
    attributes.put(InstanceProvider.ZTS_INSTANCE_CLIENT_IP, "10.1.1.1");
    attributes.put(InstanceProvider.ZTS_INSTANCE_SAN_IP, "10.1.1.1");
    attributes.put(InstanceProvider.ZTS_INSTANCE_CSR_PUBLIC_KEY, servicePublicKeyStringK0);
    confirmation.setAttributes(attributes);
    try {
        provider.confirmInstance(confirmation);
        fail();
    } catch (ResourceException ex) {
        assertEquals(ex.getCode(), 403);
        assertTrue(ex.getMessage().contains("validate certificate request hostname"));
    }
    provider.close();
}
Also used : InstanceConfirmation(com.yahoo.athenz.instance.provider.InstanceConfirmation) HostnameResolver(com.yahoo.athenz.common.server.dns.HostnameResolver) InstanceZTSProvider(com.yahoo.athenz.instance.provider.impl.InstanceZTSProvider) PrincipalToken(com.yahoo.athenz.auth.token.PrincipalToken) ResourceException(com.yahoo.athenz.instance.provider.ResourceException) KeyStore(com.yahoo.athenz.auth.KeyStore) Test(org.testng.annotations.Test)

Example 38 with PrincipalToken

use of com.yahoo.athenz.auth.token.PrincipalToken in project athenz by yahoo.

the class InstanceZTSProviderTest method testConfirmInstanceValidHostnameIpv6.

@Test
public void testConfirmInstanceValidHostnameIpv6() {
    KeyStore keystore = Mockito.mock(KeyStore.class);
    Mockito.when(keystore.getPublicKey("sports", "api", "v0")).thenReturn(servicePublicKeyStringK0);
    HostnameResolver hostnameResolver = Mockito.mock(HostnameResolver.class);
    Mockito.when(hostnameResolver.isValidHostname("hostabc.athenz.com")).thenReturn(true);
    Mockito.when(hostnameResolver.getAllByName("hostabc.athenz.com")).thenReturn(new HashSet<>(Arrays.asList("10.1.1.1", "2001:db8:a0b:12f0:0:0:0:1")));
    InstanceZTSProvider provider = new InstanceZTSProvider();
    provider.initialize("provider", "com.yahoo.athenz.instance.provider.impl.InstanceZTSProvider", null, keystore);
    provider.setHostnameResolver(hostnameResolver);
    PrincipalToken tokenToSign = new PrincipalToken.Builder("S1", "sports", "api").keyId("v0").salt("salt").issueTime(System.currentTimeMillis() / 1000).expirationWindow(3600).build();
    tokenToSign.sign(servicePrivateKeyStringK0);
    InstanceConfirmation confirmation = new InstanceConfirmation();
    confirmation.setAttestationData(tokenToSign.getSignedToken());
    confirmation.setDomain("sports");
    confirmation.setService("api");
    confirmation.setProvider("sys.auth.zts");
    Map<String, String> attributes = new HashMap<>();
    attributes.put(InstanceProvider.ZTS_INSTANCE_SAN_DNS, "api.sports.zts.athenz.cloud,inst1.instanceid.athenz.zts.athenz.cloud");
    attributes.put(InstanceProvider.ZTS_INSTANCE_HOSTNAME, "hostabc.athenz.com");
    attributes.put(InstanceProvider.ZTS_INSTANCE_CLIENT_IP, "2001:db8:a0b:12f0:0:0:0:1");
    attributes.put(InstanceProvider.ZTS_INSTANCE_SAN_IP, "10.1.1.1,2001:db8:a0b:12f0:0:0:0:1");
    attributes.put(InstanceProvider.ZTS_INSTANCE_SAN_URI, "athenz://instanceid/zts/hostabc.athenz.com,athenz://hostname/hostabc.athenz.com");
    attributes.put(InstanceProvider.ZTS_INSTANCE_CSR_PUBLIC_KEY, servicePublicKeyStringK0);
    confirmation.setAttributes(attributes);
    assertNotNull(provider.confirmInstance(confirmation));
    provider.close();
}
Also used : InstanceConfirmation(com.yahoo.athenz.instance.provider.InstanceConfirmation) HostnameResolver(com.yahoo.athenz.common.server.dns.HostnameResolver) InstanceZTSProvider(com.yahoo.athenz.instance.provider.impl.InstanceZTSProvider) PrincipalToken(com.yahoo.athenz.auth.token.PrincipalToken) KeyStore(com.yahoo.athenz.auth.KeyStore) Test(org.testng.annotations.Test)

Example 39 with PrincipalToken

use of com.yahoo.athenz.auth.token.PrincipalToken in project athenz by yahoo.

the class InstanceZTSProviderTest method testConfirmInstanceInvalidHostnameUri.

@Test
public void testConfirmInstanceInvalidHostnameUri() throws UnknownHostException {
    KeyStore keystore = Mockito.mock(KeyStore.class);
    Mockito.when(keystore.getPublicKey("sports", "api", "v0")).thenReturn(servicePublicKeyStringK0);
    HostnameResolver hostnameResolver = Mockito.mock(HostnameResolver.class);
    Mockito.when(hostnameResolver.isValidHostname("hostabc.athenz.com")).thenReturn(true);
    Mockito.when(hostnameResolver.getAllByName("hostabc.athenz.com")).thenReturn(new HashSet<>(Collections.singletonList("10.1.1.1")));
    InstanceZTSProvider provider = new InstanceZTSProvider();
    provider.initialize("provider", "com.yahoo.athenz.instance.provider.impl.InstanceZTSProvider", null, keystore);
    provider.setHostnameResolver(hostnameResolver);
    PrincipalToken tokenToSign = new PrincipalToken.Builder("S1", "sports", "api").keyId("v0").salt("salt").issueTime(System.currentTimeMillis() / 1000).expirationWindow(3600).build();
    tokenToSign.sign(servicePrivateKeyStringK0);
    InstanceConfirmation confirmation = new InstanceConfirmation();
    confirmation.setAttestationData(tokenToSign.getSignedToken());
    confirmation.setDomain("sports");
    confirmation.setService("api");
    confirmation.setProvider("sys.auth.zts");
    Map<String, String> attributes = new HashMap<>();
    attributes.put(InstanceProvider.ZTS_INSTANCE_SAN_DNS, "api.sports.zts.athenz.cloud,inst1.instanceid.athenz.zts.athenz.cloud");
    attributes.put(InstanceProvider.ZTS_INSTANCE_HOSTNAME, "hostabc.athenz.com");
    attributes.put(InstanceProvider.ZTS_INSTANCE_CLIENT_IP, "10.1.1.1");
    attributes.put(InstanceProvider.ZTS_INSTANCE_SAN_IP, "10.1.1.1");
    attributes.put(InstanceProvider.ZTS_INSTANCE_SAN_URI, "athenz://instanceid/zts/def.athenz.com,athenz://hostname/def.athenz.com");
    attributes.put(InstanceProvider.ZTS_INSTANCE_CSR_PUBLIC_KEY, servicePublicKeyStringK0);
    confirmation.setAttributes(attributes);
    try {
        provider.confirmInstance(confirmation);
        fail();
    } catch (ResourceException ex) {
        assertEquals(ex.getCode(), 403);
        assertTrue(ex.getMessage().contains("validate certificate request URI hostname"));
    }
    provider.close();
}
Also used : InstanceConfirmation(com.yahoo.athenz.instance.provider.InstanceConfirmation) HostnameResolver(com.yahoo.athenz.common.server.dns.HostnameResolver) InstanceZTSProvider(com.yahoo.athenz.instance.provider.impl.InstanceZTSProvider) PrincipalToken(com.yahoo.athenz.auth.token.PrincipalToken) ResourceException(com.yahoo.athenz.instance.provider.ResourceException) KeyStore(com.yahoo.athenz.auth.KeyStore) Test(org.testng.annotations.Test)

Example 40 with PrincipalToken

use of com.yahoo.athenz.auth.token.PrincipalToken in project athenz by yahoo.

the class InstanceZTSProviderTest method testConfirmInstanceInvalidToken.

@Test
public void testConfirmInstanceInvalidToken() {
    KeyStore keystore = Mockito.mock(KeyStore.class);
    Mockito.when(keystore.getPublicKey("sports", "api", "v0")).thenReturn(servicePublicKeyStringK0);
    InstanceZTSProvider provider = new InstanceZTSProvider();
    provider.initialize("provider", "com.yahoo.athenz.instance.provider.impl.InstanceZTSProvider", null, keystore);
    PrincipalToken tokenToSign = new PrincipalToken.Builder("S1", "sports", "api").keyId("v0").salt("salt").issueTime(System.currentTimeMillis() / 1000).expirationWindow(3600).build();
    tokenToSign.sign(servicePrivateKeyStringK0);
    InstanceConfirmation confirmation = new InstanceConfirmation();
    confirmation.setAttestationData(tokenToSign.getSignedToken().replace(";s=", ";s=abc"));
    confirmation.setDomain("sports");
    confirmation.setService("api");
    confirmation.setProvider("sys.auth.zts");
    try {
        provider.confirmInstance(confirmation);
        fail();
    } catch (ResourceException ex) {
        assertEquals(ex.getCode(), 403);
        assertTrue(ex.getMessage().contains("validate Certificate Request Auth Token"));
    }
    provider.close();
}
Also used : InstanceConfirmation(com.yahoo.athenz.instance.provider.InstanceConfirmation) InstanceZTSProvider(com.yahoo.athenz.instance.provider.impl.InstanceZTSProvider) PrincipalToken(com.yahoo.athenz.auth.token.PrincipalToken) ResourceException(com.yahoo.athenz.instance.provider.ResourceException) KeyStore(com.yahoo.athenz.auth.KeyStore) Test(org.testng.annotations.Test)

Aggregations

PrincipalToken (com.yahoo.athenz.auth.token.PrincipalToken)47 Test (org.testng.annotations.Test)29 KeyStore (com.yahoo.athenz.auth.KeyStore)25 BeforeTest (org.testng.annotations.BeforeTest)17 Principal (com.yahoo.athenz.auth.Principal)15 InstanceConfirmation (com.yahoo.athenz.instance.provider.InstanceConfirmation)14 InstanceZTSProvider (com.yahoo.athenz.instance.provider.impl.InstanceZTSProvider)12 ArrayList (java.util.ArrayList)10 SimplePrincipal (com.yahoo.athenz.auth.impl.SimplePrincipal)7 ResourceException (com.yahoo.athenz.instance.provider.ResourceException)6 CryptoException (com.yahoo.athenz.auth.util.CryptoException)4 HostnameResolver (com.yahoo.athenz.common.server.dns.HostnameResolver)4 InstanceProvider (com.yahoo.athenz.instance.provider.InstanceProvider)4 X509Certificate (java.security.cert.X509Certificate)4 Priority (com.yahoo.athenz.common.server.cert.Priority)2 AuditLogMsgBuilder (com.yahoo.athenz.common.server.log.AuditLogMsgBuilder)2 SSHCertRecord (com.yahoo.athenz.common.server.ssh.SSHCertRecord)2 StatusCheckException (com.yahoo.athenz.common.server.status.StatusCheckException)2 ZMSClient (com.yahoo.athenz.zms.ZMSClient)2 DataCache (com.yahoo.athenz.zts.cache.DataCache)2