use of com.yahoo.athenz.common.server.cert.X509CertRecord in project athenz by yahoo.
the class JDBCCertRecordStoreConnectionTest method testGetX509CertRecordNotFound.
@Test
public void testGetX509CertRecordNotFound() throws Exception {
Mockito.when(mockResultSet.next()).thenReturn(false);
JDBCCertRecordStoreConnection jdbcConn = new JDBCCertRecordStoreConnection(mockConn);
X509CertRecord certRecord = jdbcConn.getX509CertRecord("ostk", "instance-id-not-found", "cn");
assertNull(certRecord);
jdbcConn.close();
}
use of com.yahoo.athenz.common.server.cert.X509CertRecord in project athenz by yahoo.
the class JDBCCertRecordStoreConnectionTest method testUpdateX509RecordNullableColumns.
@Test
public void testUpdateX509RecordNullableColumns() throws Exception {
JDBCCertRecordStoreConnection jdbcConn = new JDBCCertRecordStoreConnection(mockConn);
Date now = new Date();
X509CertRecord certRecord = getRecordWithNonNullableColumns(now);
certRecord.setLastNotifiedTime(null);
certRecord.setLastNotifiedServer(null);
certRecord.setExpiryTime(null);
certRecord.setHostName(null);
Mockito.doReturn(1).when(mockPrepStmt).executeUpdate();
boolean requestSuccess = jdbcConn.updateX509CertRecord(certRecord);
assertTrue(requestSuccess);
verifyUpdateNonNullableColumns(now);
Mockito.verify(mockPrepStmt, times(1)).setTimestamp(7, null);
Mockito.verify(mockPrepStmt, times(1)).setString(8, null);
jdbcConn.close();
}
use of com.yahoo.athenz.common.server.cert.X509CertRecord in project athenz by yahoo.
the class JDBCCertRecordStoreConnectionTest method testGetX509CertRecord.
@Test
public void testGetX509CertRecord() throws Exception {
Date now = new Date();
Timestamp tstamp = new Timestamp(now.getTime());
Mockito.when(mockResultSet.next()).thenReturn(true);
mockNonNullableColumns(now);
Mockito.doReturn(tstamp).when(mockResultSet).getTimestamp(JDBCCertRecordStoreConnection.DB_COLUMN_LAST_NOTIFIED_TIME);
Mockito.doReturn("last-notified-server").when(mockResultSet).getString(JDBCCertRecordStoreConnection.DB_COLUMN_LAST_NOTIFIED_SERVER);
Mockito.doReturn(tstamp).when(mockResultSet).getTimestamp(JDBCCertRecordStoreConnection.DB_COLUMN_EXPIRY_TIME);
Mockito.doReturn("hostname").when(mockResultSet).getString(JDBCCertRecordStoreConnection.DB_COLUMN_HOSTNAME);
JDBCCertRecordStoreConnection jdbcConn = new JDBCCertRecordStoreConnection(mockConn);
X509CertRecord certRecord = jdbcConn.getX509CertRecord("ostk", "instance-id", "cn");
assertNonNullableColumns(now, certRecord);
assertEquals(certRecord.getLastNotifiedTime(), now);
assertEquals(certRecord.getLastNotifiedServer(), "last-notified-server");
assertEquals(certRecord.getExpiryTime(), now);
assertEquals(certRecord.getHostName(), "hostname");
jdbcConn.close();
}
use of com.yahoo.athenz.common.server.cert.X509CertRecord in project athenz by yahoo.
the class ZTSImpl method getValidatedX509CertRecord.
X509CertRecord getValidatedX509CertRecord(ResourceContext ctx, final String provider, final String instanceId, final String principalName, X509Certificate cert, final String caller, final String requestDomain, final String principalDomain, final String hostName) {
// extract our instance certificate record to make sure it
// hasn't been revoked already
X509CertRecord x509CertRecord = instanceCertManager.getX509CertRecord(provider, instanceId, principalName);
if (x509CertRecord == null) {
if (cert.getNotBefore().getTime() < x509CertRefreshResetTime.get()) {
x509CertRecord = insertX509CertRecord(ctx, principalName, provider, instanceId, cert.getSerialNumber().toString(), false, cert.getNotAfter(), hostName);
}
if (x509CertRecord == null) {
throw forbiddenError("Unable to find certificate record", caller, requestDomain, principalDomain);
}
}
if (!principalName.equals(x509CertRecord.getService())) {
throw requestError("service name mismatch - csr: " + principalName + " cert db: " + x509CertRecord.getService(), caller, requestDomain, principalDomain);
}
// now we need to make sure the serial number for the certificate
// matches to what we had issued previously. If we have a mismatch
// then we're going to revoke this instance as it has been possibly
// compromised
String serialNumber = cert.getSerialNumber().toString();
if (x509CertRecord.getCurrentSerial().equals(serialNumber)) {
// update the record to mark current as previous
// and we'll update the current set with our existing
// details
x509CertRecord.setPrevIP(x509CertRecord.getCurrentIP());
x509CertRecord.setPrevTime(x509CertRecord.getCurrentTime());
x509CertRecord.setPrevSerial(x509CertRecord.getCurrentSerial());
} else if (!x509CertRecord.getPrevSerial().equals(serialNumber)) {
if (cert.getNotBefore().getTime() > x509CertRefreshResetTime.get()) {
revokeCertificateRefresh(principalName, serialNumber, x509CertRecord);
throw forbiddenError("Certificate revoked", caller, requestDomain, principalDomain);
}
}
return x509CertRecord;
}
use of com.yahoo.athenz.common.server.cert.X509CertRecord in project athenz by yahoo.
the class DynamoDBCertRecordStoreConnection method itemToX509CertRecord.
private X509CertRecord itemToX509CertRecord(Item item) {
boolean clientCert;
try {
clientCert = item.getBoolean(KEY_CLIENT_CERT);
} catch (Exception ex) {
LOGGER.warn("clientCert for item doesn't exist. Will set it to false. Item: {}", item.toString());
clientCert = false;
}
X509CertRecord certRecord = new X509CertRecord();
certRecord.setProvider(item.getString(KEY_PROVIDER));
certRecord.setInstanceId(item.getString(KEY_INSTANCE_ID));
certRecord.setService(item.getString(KEY_SERVICE));
certRecord.setCurrentSerial(item.getString(KEY_CURRENT_SERIAL));
certRecord.setCurrentIP(item.getString(KEY_CURRENT_IP));
certRecord.setCurrentTime(DynamoDBUtils.getDateFromItem(item, KEY_CURRENT_TIME));
certRecord.setPrevSerial(item.getString(KEY_PREV_SERIAL));
certRecord.setPrevIP(item.getString(KEY_PREV_IP));
certRecord.setPrevTime(DynamoDBUtils.getDateFromItem(item, KEY_PREV_TIME));
certRecord.setClientCert(clientCert);
certRecord.setLastNotifiedTime(DynamoDBUtils.getDateFromItem(item, KEY_LAST_NOTIFIED_TIME));
certRecord.setLastNotifiedServer(item.getString(KEY_LAST_NOTIFIED_SERVER));
certRecord.setExpiryTime(DynamoDBUtils.getDateFromItem(item, KEY_EXPIRY_TIME));
certRecord.setHostName(item.getString(KEY_HOSTNAME));
certRecord.setSvcDataUpdateTime(DynamoDBUtils.getDateFromItem(item, KEY_SVC_DATA_UPDATE_TIME));
return certRecord;
}
Aggregations