Example 41 with PrincipalToken
use of com.yahoo.athenz.auth.token.PrincipalToken in project athenz by yahoo.
the class InstanceZTSProviderTest method testConfirmInstanceInvalidIP.
@Test
public void testConfirmInstanceInvalidIP() {
KeyStore keystore = Mockito.mock(KeyStore.class);
Mockito.when(keystore.getPublicKey("sports", "api", "v0")).thenReturn(servicePublicKeyStringK0);
InstanceZTSProvider provider = new InstanceZTSProvider();
provider.initialize("provider", "com.yahoo.athenz.instance.provider.impl.InstanceZTSProvider", null, keystore);
PrincipalToken tokenToSign = new PrincipalToken.Builder("S1", "sports", "api").keyId("v0").salt("salt").issueTime(System.currentTimeMillis() / 1000).expirationWindow(3600).build();
tokenToSign.sign(servicePrivateKeyStringK0);
InstanceConfirmation confirmation = new InstanceConfirmation();
confirmation.setAttestationData(tokenToSign.getSignedToken());
confirmation.setDomain("sports");
confirmation.setService("api");
confirmation.setProvider("sys.auth.zts");
Map<String, String> attributes = new HashMap<>();
attributes.put(InstanceProvider.ZTS_INSTANCE_SAN_DNS, "api.sports.zts.athenz.cloud,inst1.instanceid.athenz.zts.athenz.cloud");
attributes.put(InstanceProvider.ZTS_INSTANCE_CLIENT_IP, "10.1.1.1");
attributes.put(InstanceProvider.ZTS_INSTANCE_SAN_IP, "10.1.1.2");
attributes.put(InstanceProvider.ZTS_INSTANCE_CSR_PUBLIC_KEY, servicePublicKeyStringK0);
confirmation.setAttributes(attributes);
try {
provider.confirmInstance(confirmation);
fail();
} catch (ResourceException ex) {
assertEquals(ex.getCode(), 403);
assertTrue(ex.getMessage().contains("validate request IP address"));
}
provider.close();
}
Also used :
InstanceConfirmation(com.yahoo.athenz.instance.provider.InstanceConfirmation)
InstanceZTSProvider(com.yahoo.athenz.instance.provider.impl.InstanceZTSProvider)
PrincipalToken(com.yahoo.athenz.auth.token.PrincipalToken)
ResourceException(com.yahoo.athenz.instance.provider.ResourceException)
KeyStore(com.yahoo.athenz.auth.KeyStore)
Test(org.testng.annotations.Test)
Example 42 with PrincipalToken
use of com.yahoo.athenz.auth.token.PrincipalToken in project athenz by yahoo.
the class InstanceZTSProviderTest method testConfirmInstanceUnsupportedService.
@Test
public void testConfirmInstanceUnsupportedService() {
KeyStore keystore = Mockito.mock(KeyStore.class);
Mockito.when(keystore.getPublicKey("sports", "api", "v0")).thenReturn(servicePublicKeyStringK0);
System.setProperty(InstanceZTSProvider.ZTS_PROP_PRINCIPAL_LIST, "sports.api");
InstanceZTSProvider provider = new InstanceZTSProvider();
provider.initialize("provider", "com.yahoo.athenz.instance.provider.impl.InstanceZTSProvider", null, keystore);
PrincipalToken tokenToSign = new PrincipalToken.Builder("S1", "sports", "backend").keyId("v0").salt("salt").issueTime(System.currentTimeMillis() / 1000).expirationWindow(3600).build();
tokenToSign.sign(servicePrivateKeyStringK0);
InstanceConfirmation confirmation = new InstanceConfirmation();
confirmation.setAttestationData(tokenToSign.getSignedToken());
confirmation.setDomain("sports");
confirmation.setService("backend");
confirmation.setProvider("sys.auth.zts");
Map<String, String> attributes = new HashMap<>();
attributes.put(InstanceProvider.ZTS_INSTANCE_SAN_DNS, "backend.sports.zts.athenz.cloud,inst1.instanceid.athenz.zts.athenz.cloud");
attributes.put(InstanceProvider.ZTS_INSTANCE_CSR_PUBLIC_KEY, servicePublicKeyStringK0);
confirmation.setAttributes(attributes);
try {
provider.confirmInstance(confirmation);
fail();
} catch (ResourceException ex) {
assertTrue(ex.getMessage().contains("Service not supported to be launched by ZTS Provider"));
}
provider.close();
System.clearProperty(InstanceZTSProvider.ZTS_PROP_PRINCIPAL_LIST);
}
Also used :
InstanceConfirmation(com.yahoo.athenz.instance.provider.InstanceConfirmation)
InstanceZTSProvider(com.yahoo.athenz.instance.provider.impl.InstanceZTSProvider)
PrincipalToken(com.yahoo.athenz.auth.token.PrincipalToken)
ResourceException(com.yahoo.athenz.instance.provider.ResourceException)
KeyStore(com.yahoo.athenz.auth.KeyStore)
Test(org.testng.annotations.Test)
Example 43 with PrincipalToken
use of com.yahoo.athenz.auth.token.PrincipalToken in project athenz by yahoo.
the class InstanceZTSProviderTest method testConfirmInstanceValidHostname.
@Test
public void testConfirmInstanceValidHostname() {
KeyStore keystore = Mockito.mock(KeyStore.class);
Mockito.when(keystore.getPublicKey("sports", "api", "v0")).thenReturn(servicePublicKeyStringK0);
HostnameResolver hostnameResolver = Mockito.mock(HostnameResolver.class);
Mockito.when(hostnameResolver.isValidHostname("hostabc.athenz.com")).thenReturn(true);
Mockito.when(hostnameResolver.getAllByName("hostabc.athenz.com")).thenReturn(new HashSet<>(Arrays.asList("10.1.1.1", "2001:db8:a0b:12f0:0:0:0:1")));
InstanceZTSProvider provider = new InstanceZTSProvider();
provider.initialize("provider", "com.yahoo.athenz.instance.provider.impl.InstanceZTSProvider", null, keystore);
provider.setHostnameResolver(hostnameResolver);
PrincipalToken tokenToSign = new PrincipalToken.Builder("S1", "sports", "api").keyId("v0").salt("salt").issueTime(System.currentTimeMillis() / 1000).expirationWindow(3600).build();
tokenToSign.sign(servicePrivateKeyStringK0);
InstanceConfirmation confirmation = new InstanceConfirmation();
confirmation.setAttestationData(tokenToSign.getSignedToken());
confirmation.setDomain("sports");
confirmation.setService("api");
confirmation.setProvider("sys.auth.zts");
Map<String, String> attributes = new HashMap<>();
attributes.put(InstanceProvider.ZTS_INSTANCE_SAN_DNS, "api.sports.zts.athenz.cloud,inst1.instanceid.athenz.zts.athenz.cloud");
attributes.put(InstanceProvider.ZTS_INSTANCE_HOSTNAME, "hostabc.athenz.com");
attributes.put(InstanceProvider.ZTS_INSTANCE_CLIENT_IP, "10.1.1.1");
attributes.put(InstanceProvider.ZTS_INSTANCE_SAN_IP, "10.1.1.1,2001:db8:a0b:12f0:0:0:0:1");
attributes.put(InstanceProvider.ZTS_INSTANCE_SAN_URI, "athenz://instanceid/zts/hostabc.athenz.com,athenz://hostname/hostabc.athenz.com");
attributes.put(InstanceProvider.ZTS_INSTANCE_CSR_PUBLIC_KEY, servicePublicKeyStringK0);
confirmation.setAttributes(attributes);
assertNotNull(provider.confirmInstance(confirmation));
provider.close();
}
Also used :
InstanceConfirmation(com.yahoo.athenz.instance.provider.InstanceConfirmation)
HostnameResolver(com.yahoo.athenz.common.server.dns.HostnameResolver)
InstanceZTSProvider(com.yahoo.athenz.instance.provider.impl.InstanceZTSProvider)
PrincipalToken(com.yahoo.athenz.auth.token.PrincipalToken)
KeyStore(com.yahoo.athenz.auth.KeyStore)
Test(org.testng.annotations.Test)
Example 44 with PrincipalToken
use of com.yahoo.athenz.auth.token.PrincipalToken in project athenz by yahoo.
the class PrincipalAuthority method authenticate.
@Override
public Principal authenticate(String signedToken, String remoteAddr, String httpMethod, StringBuilder errMsg) {
errMsg = errMsg == null ? new StringBuilder(512) : errMsg;
if (LOG.isDebugEnabled()) {
LOG.debug("Authenticating PrincipalToken: {}", signedToken);
}
PrincipalToken serviceToken;
try {
serviceToken = new PrincipalToken(signedToken);
} catch (IllegalArgumentException ex) {
errMsg.append("PrincipalAuthority:authenticate: Invalid token: exc=").append(ex.getMessage()).append(" : credential=").append(Token.getUnsignedToken(signedToken));
LOG.error(errMsg.toString());
return null;
}
/* before authenticating verify that if this is a valid
* authorized service token or not and if required
* components are provided (the method already logs
* all error messages) */
StringBuilder errDetail = new StringBuilder(512);
if (!serviceToken.isValidAuthorizedServiceToken(errDetail)) {
errMsg.append("PrincipalAuthority:authenticate: Invalid authorized service token: ");
errMsg.append(errDetail).append(" : credential=").append(Token.getUnsignedToken(signedToken));
return null;
}
String tokenDomain = serviceToken.getDomain().toLowerCase();
String tokenName = serviceToken.getName().toLowerCase();
String keyService = serviceToken.getKeyService();
boolean userToken = tokenDomain.equals(userDomain);
/* get the public key for this token to validate signature */
String publicKey = getPublicKey(tokenDomain, tokenName, keyService, serviceToken.getKeyId(), userToken);
/* the validate method logs all error messages */
boolean writeOp = isWriteOperation(httpMethod);
if (!serviceToken.validate(publicKey, allowedOffset, !writeOp, errDetail)) {
errMsg.append("PrincipalAuthority:authenticate: service token validation failure: ");
errMsg.append(errDetail).append(" : credential=").append(Token.getUnsignedToken(signedToken));
return null;
}
/* if an authorized service signature is available then we're going to validate
* that signature as well to support token chaining in Athenz and, if necessary,
* bypass IP address mismatch for users */
String authorizedServiceName = null;
if (serviceToken.getAuthorizedServiceSignature() != null) {
authorizedServiceName = validateAuthorizeService(serviceToken, errDetail);
if (authorizedServiceName == null) {
errMsg.append("PrincipalAuthority:authenticate: validation of authorized service failure: ").append(errDetail).append(" : credential=").append(Token.getUnsignedToken(signedToken));
return null;
}
}
if (userToken && !remoteIpCheck(remoteAddr, writeOp, serviceToken, authorizedServiceName)) {
errMsg.append("PrincipalAuthority:authenticate: IP Mismatch - token (").append(serviceToken.getIP()).append(") request (").append(remoteAddr).append(")");
LOG.error(errMsg.toString());
return null;
}
/* all the role members in Athenz are normalized to lower case so we need to make
* sure our principal's name and domain are created with lower case as well */
SimplePrincipal princ = (SimplePrincipal) SimplePrincipal.create(tokenDomain, tokenName, signedToken, serviceToken.getTimestamp(), this);
princ.setUnsignedCreds(serviceToken.getUnsignedToken());
princ.setAuthorizedService(authorizedServiceName);
princ.setOriginalRequestor(serviceToken.getOriginalRequestor());
princ.setKeyService(keyService);
princ.setIP(serviceToken.getIP());
princ.setKeyId(serviceToken.getKeyId());
return princ;
}
Also used :
PrincipalToken(com.yahoo.athenz.auth.token.PrincipalToken)
Example 45 with PrincipalToken
use of com.yahoo.athenz.auth.token.PrincipalToken in project athenz by yahoo.
the class ZMSClient method getPrincipal.
/**
* The client will validate the given serviceToken against the ZMS Server
* and if the token is valid, it will return a Principal object.
*
* @param serviceToken token to be validated.
* @param tokenHeader name of the authorization header for the token
* @return Principal object if the token is successfully validated or
* @throws ZMSClientException in case of failure
*/
public Principal getPrincipal(String serviceToken, String tokenHeader) {
if (serviceToken == null) {
throw new ZMSClientException(401, "Null service token provided");
}
if (tokenHeader == null) {
tokenHeader = PRINCIPAL_AUTHORITY.getHeader();
}
// verify that service token is valid before sending the data to
// the ZMS server
PrincipalToken token;
try {
token = new PrincipalToken(serviceToken);
} catch (IllegalArgumentException ex) {
throw new ZMSClientException(ResourceException.UNAUTHORIZED, "Invalid service token provided: " + ex.getMessage());
}
Principal servicePrincipal = SimplePrincipal.create(token.getDomain(), token.getName(), serviceToken, 0, PRINCIPAL_AUTHORITY);
client.addCredentials(tokenHeader, serviceToken);
principalCheckDone = true;
ServicePrincipal validatedPrincipal;
try {
validatedPrincipal = client.getServicePrincipal();
} catch (ResourceException ex) {
throw new ZMSClientException(ex.getCode(), ex.getData());
} catch (Exception ex) {
throw new ZMSClientException(ResourceException.BAD_REQUEST, ex.getMessage());
}
if (validatedPrincipal == null) {
throw new ZMSClientException(ResourceException.UNAUTHORIZED, "Invalid service token provided");
}
if (!servicePrincipal.getDomain().equalsIgnoreCase(validatedPrincipal.getDomain())) {
throw new ZMSClientException(ResourceException.UNAUTHORIZED, "Validated principal domain name mismatch");
}
if (!servicePrincipal.getName().equalsIgnoreCase(validatedPrincipal.getService())) {
throw new ZMSClientException(ResourceException.UNAUTHORIZED, "Validated principal service name mismatch");
}
return servicePrincipal;
}
Also used :
PrincipalToken(com.yahoo.athenz.auth.token.PrincipalToken)
SimplePrincipal(com.yahoo.athenz.auth.impl.SimplePrincipal)
Principal(com.yahoo.athenz.auth.Principal)
Aggregations
PrincipalToken (com.yahoo.athenz.auth.token.PrincipalToken)47
Test (org.testng.annotations.Test)29
KeyStore (com.yahoo.athenz.auth.KeyStore)25
BeforeTest (org.testng.annotations.BeforeTest)17
Principal (com.yahoo.athenz.auth.Principal)15
InstanceConfirmation (com.yahoo.athenz.instance.provider.InstanceConfirmation)14
InstanceZTSProvider (com.yahoo.athenz.instance.provider.impl.InstanceZTSProvider)12
ArrayList (java.util.ArrayList)10
SimplePrincipal (com.yahoo.athenz.auth.impl.SimplePrincipal)7
ResourceException (com.yahoo.athenz.instance.provider.ResourceException)6
CryptoException (com.yahoo.athenz.auth.util.CryptoException)4
HostnameResolver (com.yahoo.athenz.common.server.dns.HostnameResolver)4
InstanceProvider (com.yahoo.athenz.instance.provider.InstanceProvider)4
X509Certificate (java.security.cert.X509Certificate)4
Priority (com.yahoo.athenz.common.server.cert.Priority)2
AuditLogMsgBuilder (com.yahoo.athenz.common.server.log.AuditLogMsgBuilder)2
SSHCertRecord (com.yahoo.athenz.common.server.ssh.SSHCertRecord)2
StatusCheckException (com.yahoo.athenz.common.server.status.StatusCheckException)2
ZMSClient (com.yahoo.athenz.zms.ZMSClient)2
DataCache (com.yahoo.athenz.zts.cache.DataCache)2
