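@Test
public void testAccessTokenExpired() {
    long now = System.currentTimeMillis() / 1000;
    // the verifier allows 60 seconds of clock skew, so back-date the token
    // by its lifetime (3600s, per the original note) plus 61s to land past it
    AccessToken accessToken = createAccessToken(now - 3661);
    PrivateKey privateKey = Crypto.loadPrivateKey(ecPrivateKey);
    String accessJws = accessToken.getSignedToken(privateKey, "eckey1", SignatureAlgorithm.ES256);
    assertNotNull(accessJws);
    // point the resolver at the test athenz.conf. The previous value is restored in
    // finally so a failing assertion cannot leak the property into later tests
    // (the original reset only ran on the success path).
    final String oldConf = System.setProperty(JwtsSigningKeyResolver.ZTS_PROP_ATHENZ_CONF, "src/test/resources/athenz.conf");
    try {
        JwtsSigningKeyResolver resolver = new JwtsSigningKeyResolver(null, null);
        try {
            new AccessToken(accessJws, resolver);
            fail();
        } catch (Exception ex) {
            // the expiry check must be what rejects the token, not a signature/key failure
            assertTrue(ex.getMessage().contains("expired"));
        }
    } finally {
        resetConfProperty(oldConf);
    }
}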
@Test
public void testAccessTokenWithX509Cert() throws IOException {
    long issuedAt = System.currentTimeMillis() / 1000;
    // resolver seeded only with the test EC public key under the kid the token will carry
    JwtsSigningKeyResolver keyResolver = new JwtsSigningKeyResolver(null, null);
    keyResolver.addPublicKey("eckey1", Crypto.loadPublicKey(ecPublicKey));
    // sign a fresh token with the matching private key
    PrivateKey signingKey = Crypto.loadPrivateKey(ecPrivateKey);
    String signedJws = createAccessToken(issuedAt).getSignedToken(signingKey, "eckey1", SignatureAlgorithm.ES256);
    assertNotNull(signedJws);
    // the client certificate the token is checked against (presumably the cnf binding;
    // the sibling test asserts a "Confirmation failure" for a mismatching cert)
    byte[] pem = Files.readAllBytes(Paths.get("src/test/resources/mtls_token_spec.cert"));
    X509Certificate clientCert = Crypto.loadX509Certificate(new String(pem));
    // parse, verify the signature and the cert binding, then check the claims
    AccessToken verified = new AccessToken(signedJws, keyResolver, clientCert);
    validateAccessToken(verified, issuedAt);
}
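@Test
public void testAccessTokenSignedTokenConfigFile() {
    long now = System.currentTimeMillis() / 1000;
    AccessToken accessToken = createAccessToken(now);
    PrivateKey privateKey = Crypto.loadPrivateKey(ecPrivateKey);
    String accessJws = accessToken.getSignedToken(privateKey, "eckey1", SignatureAlgorithm.ES256);
    assertNotNull(accessJws);
    // the resolver gets no explicit keys, so it has to pick the public key up from the
    // athenz.conf named by the system property. The property is restored in finally so
    // a failed assertion cannot leak it into later tests (the original reset only ran
    // on the success path).
    final String oldConf = System.setProperty(JwtsSigningKeyResolver.ZTS_PROP_ATHENZ_CONF, "src/test/resources/athenz.conf");
    try {
        JwtsSigningKeyResolver resolver = new JwtsSigningKeyResolver(null, null);
        AccessToken checkToken = new AccessToken(accessJws, resolver);
        validateAccessToken(checkToken, now);
    } finally {
        resetConfProperty(oldConf);
    }
}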
@Test
public void testConfirmX509CertNoAuthzDetails() throws IOException {
    long issuedAt = System.currentTimeMillis() / 1000;
    // drop the authorization details claim before signing
    AccessToken token = createAccessToken(issuedAt);
    token.setAuthorizationDetails(null);
    String signedJws = token.getSignedToken(Crypto.loadPrivateKey(ecPrivateKey), "eckey1", SignatureAlgorithm.ES256);
    assertNotNull(signedJws);
    JwtsSigningKeyResolver keyResolver = new JwtsSigningKeyResolver(null, null);
    keyResolver.addPublicKey("eckey1", Crypto.loadPublicKey(ecPublicKey));
    // a certificate with a single URI SAN; the token is expected not to be bound
    // to it (see the failure message asserted below)
    byte[] pem = Files.readAllBytes(Paths.get("src/test/resources/x509_altnames_singleuri.cert"));
    X509Certificate clientCert = Crypto.loadX509Certificate(new String(pem));
    // the signature is valid, so only the certificate confirmation may reject the token;
    // catching CryptoException narrowly means any other failure type fails the test
    CryptoException failure = null;
    try {
        new AccessToken(signedJws, keyResolver, clientCert);
    } catch (CryptoException ex) {
        failure = ex;
    }
    assertNotNull(failure);
    assertTrue(failure.getMessage().contains("Confirmation failure"));
}
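@Override
public void initialize(String provider, String providerEndpoint, SSLContext sslContext, KeyStore keyStore) {
    azureProvider = System.getProperty(AZURE_PROP_PROVIDER);
    azureMgmtBaseUri = System.getProperty(AZURE_PROP_MGMT_BASE_URI, "https://management.azure.com");
    // IMDS is link-local and plain http by design; the property exists so tests can redirect it
    azureMetaBaseUri = System.getProperty(AZURE_PROP_META_BASE_URI, "http://169.254.169.254");
    // Every misconfiguration below is logged and clears this flag instead of throwing.
    // NOTE(review): the flag is local and only gates the token fetch / refresher at the
    // end; rejecting instance requests when disabled must come from the empty fields
    // (resolver, dnsSuffixes, ztsResourceUri, httpDriver) being checked elsewhere - confirm.
    boolean enabled = true;
    // pull the jwks uri out of Azure's OpenID discovery document (fetched over sslContext)
    // and build the resolver that verifies the instance identity tokens
    final String openIdConfigUri = System.getProperty(AZURE_PROP_OPENID_CONFIG_URI, AZURE_OPENID_CONFIG_URI);
    JwtsHelper helper = new JwtsHelper();
    azureJwksUri = helper.extractJwksUri(openIdConfigUri, sslContext);
    if (StringUtil.isEmpty(azureJwksUri)) {
        LOGGER.error("Azure jwks uri not available - no instance requests will be authorized");
        enabled = false;
    }
    signingKeyResolver = new JwtsSigningKeyResolver(azureJwksUri, sslContext, true);
    if (signingKeyResolver.publicKeyCount() == 0) {
        LOGGER.error("No Azure public keys available - no instance requests will be authorized");
        enabled = false;
    }
    // accepted dns suffixes, comma separated. Entries are taken verbatim (no trim),
    // so a value with whitespace after the commas will not match. Without any
    // suffix every instance request is rejected.
    dnsSuffixes = new HashSet<>();
    final String dnsSuffix = System.getProperty(AZURE_PROP_DNS_SUFFIX);
    if (StringUtil.isEmpty(dnsSuffix)) {
        LOGGER.error("Azure Suffix not specified - no instance requests will be authorized");
        enabled = false;
    } else {
        dnsSuffixes.addAll(Arrays.asList(dnsSuffix.split(",")));
    }
    ztsResourceUri = System.getProperty(AZURE_PROP_ZTS_RESOURCE_URI);
    if (StringUtil.isEmpty(ztsResourceUri)) {
        LOGGER.error("Azure ZTS Resource URI not specified - no instance requests will be authorized");
        enabled = false;
    }
    // lenient json mapper: Azure responses may carry fields we do not model
    jsonMapper = new ObjectMapper();
    jsonMapper.configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);
    try {
        httpDriver = getHttpDriver(sslContext);
    } catch (Exception ex) {
        LOGGER.error("Azure HTTP Client not created - no instance requests will be authorized");
        httpDriver = null;
        enabled = false;
    }
    if (enabled) {
        try {
            fetchAccessToken();
        } catch (Exception ex) {
            // not fatal here; presumably the scheduled updater below retries
            LOGGER.error("Unable to fetch VM access token", ex);
        }
        // refresh interval in minutes. Previously a non-numeric value threw
        // NumberFormatException out of initialize and a non-positive one made
        // scheduleAtFixedRate throw IllegalArgumentException; both left the provider
        // without a token refresher. Consistent with the checks above, log the bad
        // value and fall back to the 10 minute default instead.
        final String updateTimeProp = System.getProperty(AZURE_PROP_TOKEN_UPDATE_TIMEOUT, "10");
        int credsUpdateTime;
        try {
            credsUpdateTime = Integer.parseInt(updateTimeProp);
        } catch (NumberFormatException ex) {
            credsUpdateTime = -1;
        }
        if (credsUpdateTime <= 0) {
            LOGGER.error("Invalid Azure token update timeout '" + updateTimeProp
                    + "' - using default of 10 minutes");
            credsUpdateTime = 10;
        }
        scheduledThreadPool = Executors.newScheduledThreadPool(1);
        scheduledThreadPool.scheduleAtFixedRate(new AzureCredentialsUpdater(), credsUpdateTime, credsUpdateTime, TimeUnit.MINUTES);
    }
}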