Examples with X509CertRecord com.yahoo.athenz.common.server.cert.X509CertRecord used on opensource projects

Example 66 with X509CertRecord

use of com.yahoo.athenz.common.server.cert.X509CertRecord in project athenz by yahoo.

the class JDBCCertRecordStoreConnection method getNotifyUnrefreshedCertificates.

private List<X509CertRecord> getNotifyUnrefreshedCertificates(String lastNotifiedServer, long lastNotifiedTime) {
    final String caller = "listNotifyUnrefreshedCertificates";
    List<X509CertRecord> certRecords = new ArrayList<>();
    try (PreparedStatement ps = con.prepareStatement(SQL_LIST_NOTIFY_UNREFRESHED_X509_RECORDS)) {
        ps.setTimestamp(1, new java.sql.Timestamp(lastNotifiedTime));
        ps.setString(2, lastNotifiedServer);
        try (ResultSet rs = executeQuery(ps, caller)) {
            while (rs.next()) {
                X509CertRecord certRecord = setRecordFromResultSet(rs);
                certRecords.add(certRecord);
            }
        }
    } catch (SQLException ex) {
        throw sqlError(ex, caller);
    }
    return certRecords;
}

Example 67 with X509CertRecord

use of com.yahoo.athenz.common.server.cert.X509CertRecord in project athenz by yahoo.

the class ZTSImplTest method testPostInstanceRefreshInformationCSRValidateFailure.

@Test
public void testPostInstanceRefreshInformationCSRValidateFailure() throws IOException {
    ChangeLogStore structStore = new ZMSFileChangeLogStore("/tmp/zts_server_unit_tests/zts_root", privateKey, "0");
    DataStore store = new DataStore(structStore, null, ztsMetric);
    ZTSImpl ztsImpl = new ZTSImpl(mockCloudStore, store);
    SignedDomain providerDomain = signedAuthorizedProviderDomain();
    store.processSignedDomain(providerDomain, false);
    SignedDomain tenantDomain = signedBootstrapTenantDomain("athenz.provider", "athenz", "production");
    store.processSignedDomain(tenantDomain, false);
    Path path = Paths.get("src/test/resources/athenz.mismatch.cn.csr");
    String certCsr = new String(Files.readAllBytes(path));
    InstanceProviderManager instanceProviderManager = Mockito.mock(InstanceProviderManager.class);
    InstanceProvider providerClient = Mockito.mock(InstanceProvider.class);
    InstanceConfirmation confirmation = new InstanceConfirmation().setDomain("athenz").setService("production").setProvider("athenz.provider");
    InstanceCertManager instanceManager = Mockito.spy(ztsImpl.instanceCertManager);
    X509CertRecord certRecord = new X509CertRecord();
    certRecord.setInstanceId("1001");
    certRecord.setProvider("athenz.provider");
    certRecord.setService("athenz.production");
    certRecord.setCurrentSerial("16503746516960996918");
    certRecord.setPrevSerial("16503746516960996918");
    Mockito.when(instanceManager.getX509CertRecord("athenz.provider", "1001", "athenz.production")).thenReturn(certRecord);
    Mockito.when(instanceProviderManager.getProvider(eq("athenz.provider"), Mockito.any())).thenReturn(providerClient);
    Mockito.when(providerClient.refreshInstance(Mockito.any())).thenReturn(confirmation);
    path = Paths.get("src/test/resources/athenz.instanceid.pem");
    String pem = new String(Files.readAllBytes(path));
    InstanceIdentity identity = new InstanceIdentity().setName("athenz.production").setX509Certificate(pem);
    Mockito.doReturn(identity).when(instanceManager).generateIdentity(Mockito.any(), Mockito.any(), Mockito.any(), Mockito.any(), Mockito.any(), Mockito.anyInt(), Mockito.any());
    ztsImpl.instanceProviderManager = instanceProviderManager;
    ztsImpl.instanceCertManager = instanceManager;
    InstanceRefreshInformation info = new InstanceRefreshInformation().setCsr(certCsr);
    CertificateAuthority certAuthority = new CertificateAuthority();
    SimplePrincipal principal = (SimplePrincipal) SimplePrincipal.create("athenz", "production", "v=S1;d=athenz;n=production;s=signature", 0, certAuthority);
    assertNotNull(principal);
    X509Certificate cert = Crypto.loadX509Certificate(pem);
    principal.setX509Certificate(cert);
    ResourceContext context = createResourceContext(principal);
    try {
        ztsImpl.postInstanceRefreshInformation(context, "athenz.provider", "athenz", "production", "1001", info);
        fail();
    } catch (ResourceException ex) {
        assertEquals(ex.getCode(), 400);
        assertTrue(ex.getMessage().contains("CSR validation failed"));
    }
}

Example 68 with X509CertRecord

use of com.yahoo.athenz.common.server.cert.X509CertRecord in project athenz by yahoo.

the class ZTSImplTest method testPostInstanceRefreshInformationSSH.

@Test
public void testPostInstanceRefreshInformationSSH() throws IOException {
    ChangeLogStore structStore = new ZMSFileChangeLogStore("/tmp/zts_server_unit_tests/zts_root", privateKey, "0");
    DataStore store = new DataStore(structStore, null, ztsMetric);
    ZTSImpl ztsImpl = new ZTSImpl(mockCloudStore, store);
    SignedDomain providerDomain = signedAuthorizedProviderDomain();
    store.processSignedDomain(providerDomain, false);
    SignedDomain tenantDomain = signedBootstrapTenantDomain("athenz.provider", "athenz", "production");
    store.processSignedDomain(tenantDomain, false);
    InstanceCertManager instanceManager = Mockito.spy(ztsImpl.instanceCertManager);
    X509CertRecord certRecord = new X509CertRecord();
    certRecord.setInstanceId("1001");
    certRecord.setProvider("athenz.provider");
    certRecord.setService("athenz.production");
    certRecord.setCurrentSerial("16503746516960996918");
    certRecord.setPrevSerial("16503746516960996918");
    Mockito.when(instanceManager.getX509CertRecord("athenz.provider", "1001", "athenz.production")).thenReturn(certRecord);
    Mockito.when(instanceManager.updateX509CertRecord(Mockito.any())).thenReturn(true);
    CertificateAuthority certAuthority = new CertificateAuthority();
    SimplePrincipal principal = (SimplePrincipal) SimplePrincipal.create("athenz", "production", "v=S1;d=athenz;n=production;s=signature", 0, certAuthority);
    assertNotNull(principal);
    InstanceIdentity identity = new InstanceIdentity().setName("athenz.production");
    Mockito.when(instanceManager.generateSSHIdentity(principal, identity, null, "ssh-csr", null, null, "user")).thenReturn(true);
    ztsImpl.instanceCertManager = instanceManager;
    InstanceRefreshInformation info = new InstanceRefreshInformation().setSsh("ssh-csr");
    Path path = Paths.get("src/test/resources/athenz.instanceid.pem");
    String pem = new String(Files.readAllBytes(path));
    X509Certificate cert = Crypto.loadX509Certificate(pem);
    principal.setX509Certificate(cert);
    ResourceContext context = createResourceContext(principal);
    InstanceIdentity instanceIdentity = ztsImpl.postInstanceRefreshInformation(context, "athenz.provider", "athenz", "production", "1001", info);
    assertNotNull(instanceIdentity);
}

Example 69 with X509CertRecord

use of com.yahoo.athenz.common.server.cert.X509CertRecord in project athenz by yahoo.

the class CertFailedRefreshNotificationTask method getRecordsNotSnoozed.

private List<X509CertRecord> getRecordsNotSnoozed(List<X509CertRecord> unrefreshedCerts) {
    List<X509CertRecord> unsnoozedDomains = new ArrayList<>();
    for (X509CertRecord x509CertRecord : unrefreshedCerts) {
        String domainName = AthenzUtils.extractPrincipalDomainName(x509CertRecord.getService());
        DomainData domainData = dataStore.getDomainData(domainName);
        if (!isDomainSnoozed(domainData)) {
            unsnoozedDomains.add(x509CertRecord);
        }
    }
    return unsnoozedDomains;
}

Example 70 with X509CertRecord

use of com.yahoo.athenz.common.server.cert.X509CertRecord in project athenz by yahoo.

the class CertFailedRefreshNotificationTaskTest method testValidHosts.

@Test
public void testValidHosts() {
    Date currentDate = new Date();
    List<X509CertRecord> records = new ArrayList<>();
    System.setProperty(ZTS_PROP_NOTIFICATION_CERT_FAIL_PROVIDER_LIST, "provider");
    // Create 6 mock records. Only even records host are valid
    boolean isValidHost = true;
    for (int i = 0; i < 6; ++i) {
        X509CertRecord record = getMockX509CertRecord(currentDate, i);
        records.add(record);
        NotificationTestsCommon.mockDomainData(i, dataStore);
        Mockito.when(hostnameResolver.isValidHostname(eq("hostName" + i))).thenReturn(isValidHost);
        isValidHost = !isValidHost;
    }
    // Make a 7th record with no host (but make it valid). It shouldn't return
    X509CertRecord record = getMockX509CertRecord(currentDate, 7);
    record.setHostName(null);
    records.add(record);
    NotificationTestsCommon.mockDomainData(7, dataStore);
    Mockito.when(hostnameResolver.isValidHostname(eq(null))).thenReturn(true);
    Mockito.when(instanceCertManager.getUnrefreshedCertsNotifications(eq(serverName), anyString())).thenReturn(records);
    CertFailedRefreshNotificationTask certFailedRefreshNotificationTask = new CertFailedRefreshNotificationTask(instanceCertManager, dataStore, hostnameResolver, userDomainPrefix, serverName, httpsPort, notificationToEmailConverterCommon);
    List<Notification> notifications = certFailedRefreshNotificationTask.getNotifications();
    assertEquals(3, notifications.size());
    assertEquals("domain4", notifications.get(0).getDetails().get("domain"));
    assertEquals("domain2", notifications.get(1).getDetails().get("domain"));
    assertEquals("domain0", notifications.get(2).getDetails().get("domain"));
    System.clearProperty(ZTS_PROP_NOTIFICATION_CERT_FAIL_PROVIDER_LIST);
}