use of com.yahoo.athenz.common.server.store.ChangeLogStore in project athenz by yahoo.
the class ZTSImplTest method testPostInstanceRefreshInformationWithHostnameCnames.
@Test
public void testPostInstanceRefreshInformationWithHostnameCnames() throws IOException {
ChangeLogStore structStore = new ZMSFileChangeLogStore("/tmp/zts_server_unit_tests/zts_root", privateKey, "0");
DataStore store = new DataStore(structStore, null, ztsMetric);
ZTSImpl ztsImpl = new ZTSImpl(mockCloudStore, store);
SignedDomain providerDomain = signedAuthorizedProviderDomain();
store.processSignedDomain(providerDomain, false);
SignedDomain tenantDomain = signedBootstrapTenantDomain("athenz.provider", "athenz", "production");
store.processSignedDomain(tenantDomain, false);
Path path = Paths.get("src/test/resources/athenz.instanceid.cname.csr");
String certCsr = new String(Files.readAllBytes(path));
List<String> cnames = new ArrayList<>();
cnames.add("cname1.athenz.info");
cnames.add("cname2.athenz.info");
String service = "athenz.production";
HostnameResolver resolver = Mockito.mock(HostnameResolver.class);
Mockito.when(resolver.isValidHostCnameList(service, "host1.athenz.cloud", cnames, CertType.X509)).thenReturn(true);
Mockito.when(resolver.isValidHostname("host1.athenz.cloud")).thenReturn(true);
InstanceProviderManager instanceProviderManager = Mockito.mock(InstanceProviderManager.class);
InstanceProvider providerClient = Mockito.mock(InstanceProvider.class);
Mockito.when(providerClient.getProviderScheme()).thenReturn(InstanceProvider.Scheme.CLASS);
InstanceConfirmation confirmation = new InstanceConfirmation().setDomain("athenz").setService("production").setProvider("athenz.provider");
InstanceCertManager instanceManager = Mockito.spy(ztsImpl.instanceCertManager);
Mockito.when(instanceProviderManager.getProvider("athenz.provider", resolver)).thenReturn(providerClient);
Mockito.when(providerClient.refreshInstance(Mockito.any())).thenReturn(confirmation);
Mockito.when(instanceManager.insertX509CertRecord(Mockito.any())).thenReturn(true);
X509CertRecord certRecord = new X509CertRecord();
certRecord.setInstanceId("1001");
certRecord.setProvider("athenz.provider");
certRecord.setService("athenz.production");
certRecord.setCurrentSerial("16503746516960996918");
certRecord.setPrevSerial("16503746516960996918");
Mockito.when(instanceManager.getX509CertRecord("athenz.provider", "1001", "athenz.production")).thenReturn(certRecord);
Mockito.when(instanceManager.updateX509CertRecord(Mockito.any())).thenReturn(true);
path = Paths.get("src/test/resources/athenz.instanceid.pem");
String pem = new String(Files.readAllBytes(path));
InstanceIdentity identity = new InstanceIdentity().setName("athenz.production").setX509Certificate(pem);
Mockito.doReturn(identity).when(instanceManager).generateIdentity(Mockito.any(), Mockito.any(), Mockito.any(), Mockito.any(), Mockito.any(), Mockito.anyInt(), Mockito.any());
ztsImpl.instanceProviderManager = instanceProviderManager;
ztsImpl.instanceCertManager = instanceManager;
InstanceRefreshInformation info = new InstanceRefreshInformation().setCsr(certCsr).setToken(true).setHostname("host1.athenz.cloud").setHostCnames(cnames);
CertificateAuthority certAuthority = new CertificateAuthority();
SimplePrincipal principal = (SimplePrincipal) SimplePrincipal.create("athenz", "production", "v=S1;d=athenz;n=production;s=signature", 0, certAuthority);
assertNotNull(principal);
X509Certificate cert = Crypto.loadX509Certificate(pem);
principal.setX509Certificate(cert);
ResourceContext context = createResourceContext(principal);
// setup the hostname resolver for our request
ztsImpl.hostnameResolver = resolver;
InstanceIdentity instanceIdentity = ztsImpl.postInstanceRefreshInformation(context, "athenz.provider", "athenz", "production", "1001", info);
assertNotNull(instanceIdentity);
}
use of com.yahoo.athenz.common.server.store.ChangeLogStore in project athenz by yahoo.
the class ZTSImplTest method setup.
@BeforeMethod
public void setup() {
// we want to make sure we start we clean dir structure
ZTSTestUtils.deleteDirectory(new File(ZTS_DATA_STORE_PATH));
String privKeyName = System.getProperty(FilePrivateKeyStore.ATHENZ_PROP_PRIVATE_KEY);
File privKeyFile = new File(privKeyName);
String privKey = Crypto.encodedFile(privKeyFile);
privateKey = Crypto.loadPrivateKey(Crypto.ybase64DecodeString(privKey));
System.setProperty(ZTSConsts.ZTS_PROP_CERTSIGN_BASE_URI, "https://localhost:443/certsign/v2");
/* create our data store */
roleTokenDefaultTimeout = 2400;
System.setProperty(ZTSConsts.ZTS_PROP_ROLE_TOKEN_DEFAULT_TIMEOUT, Integer.toString(roleTokenDefaultTimeout));
roleTokenMaxTimeout = 96000;
System.setProperty(ZTSConsts.ZTS_PROP_ROLE_TOKEN_MAX_TIMEOUT, Integer.toString(roleTokenMaxTimeout));
System.setProperty(ZTSConsts.ZTS_PROP_AUTHORIZED_PROXY_USERS, "user_domain.proxy-user1,user_domain.proxy-user2");
ChangeLogStore structStore = new MockZMSFileChangeLogStore("/tmp/zts_server_unit_tests/zts_root", privateKey, "0");
cloudStore = new CloudStore();
cloudStore.setHttpClient(null);
System.setProperty(ZTSConsts.ZTS_PROP_CERT_ALLOWED_O_VALUES, "Athenz, Inc.|My Test Company|Athenz|Yahoo");
System.setProperty(ZTSConsts.ZTS_PROP_NOAUTH_URI_LIST, "/zts/v1/schema,/zts/v1/status");
System.setProperty(ZTSConsts.ZTS_PROP_SELF_SIGNER_PRIVATE_KEY_FNAME, "src/test/resources/unit_test_private_encrypted.key");
System.setProperty(ZTSConsts.ZTS_PROP_SELF_SIGNER_PRIVATE_KEY_PASSWORD, "athenz");
ZTSTestUtils.deleteDirectory(new File("/tmp/zts_server_cert_store"));
System.setProperty(ZTSConsts.ZTS_PROP_CERT_FILE_STORE_PATH, "/tmp/zts_server_cert_store");
System.setProperty(ZTSConsts.ZTS_PROP_VALIDATE_SERVICE_IDENTITY, "false");
// enable ip validation for cert requests
System.setProperty(ZTSConsts.ZTS_PROP_CERT_REQUEST_VERIFY_IP, "true");
store = new DataStore(structStore, cloudStore, ztsMetric);
zts = new ZTSImpl(cloudStore, store);
ZTSImpl.serverHostName = "localhost";
authorizer = new ZTSAuthorizer(store);
// enable openid scope
AccessTokenRequest.setSupportOpenIdScope(true);
}
use of com.yahoo.athenz.common.server.store.ChangeLogStore in project athenz by yahoo.
the class ZTSImplTest method testValidateRequestNonSecureRequests.
@Test
public void testValidateRequestNonSecureRequests() {
ChangeLogStore structStore = new ZMSFileChangeLogStore("/tmp/zts_server_unit_tests/zts_root", privateKey, "0");
DataStore store = new DataStore(structStore, null, ztsMetric);
ZTSImpl ztsImpl = new ZTSImpl(mockCloudStore, store);
ztsImpl.secureRequestsOnly = true;
ztsImpl.statusPort = 0;
HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
// if request is not secure, should be rejected
Mockito.when(request.isSecure()).thenReturn(false);
try {
ztsImpl.validateRequest(request, "principal-domain", "test");
fail();
} catch (ResourceException ignored) {
}
try {
ztsImpl.validateRequest(request, "principal-domain", "test", false);
fail();
} catch (ResourceException ignored) {
}
try {
ztsImpl.validateRequest(request, "principal-domain", "test", true);
fail();
} catch (ResourceException ignored) {
}
}
use of com.yahoo.athenz.common.server.store.ChangeLogStore in project athenz by yahoo.
the class ZTSImplTest method testPostInstanceRefreshInformationNoCertAuthority.
@Test
public void testPostInstanceRefreshInformationNoCertAuthority() throws IOException {
ChangeLogStore structStore = new ZMSFileChangeLogStore("/tmp/zts_server_unit_tests/zts_root", privateKey, "0");
DataStore store = new DataStore(structStore, null, ztsMetric);
ZTSImpl ztsImpl = new ZTSImpl(mockCloudStore, store);
SignedDomain tenantDomain = signedBootstrapTenantDomain("athenz.provider", "athenz", "production");
store.processSignedDomain(tenantDomain, false);
Path path = Paths.get("src/test/resources/athenz.instanceid.csr");
String certCsr = new String(Files.readAllBytes(path));
InstanceRefreshInformation info = new InstanceRefreshInformation().setCsr(certCsr);
PrincipalAuthority authority = new PrincipalAuthority();
SimplePrincipal principal = (SimplePrincipal) SimplePrincipal.create("athenz", "production", "v=S1;d=athenz;n=production;s=signature", 0, authority);
ResourceContext context = createResourceContext(principal);
try {
ztsImpl.postInstanceRefreshInformation(context, "athenz.provider", "athenz", "production", "1001", info);
fail();
} catch (ResourceException ex) {
assertEquals(ex.getCode(), 400);
assertTrue(ex.getMessage().contains("Unsupported authority for TLS Certs"));
}
}
use of com.yahoo.athenz.common.server.store.ChangeLogStore in project athenz by yahoo.
the class ZTSImplTest method testPostInstanceRefreshInformationIdentityFailure.
@Test
public void testPostInstanceRefreshInformationIdentityFailure() throws IOException {
ChangeLogStore structStore = new ZMSFileChangeLogStore("/tmp/zts_server_unit_tests/zts_root", privateKey, "0");
DataStore store = new DataStore(structStore, null, ztsMetric);
ZTSImpl ztsImpl = new ZTSImpl(mockCloudStore, store);
SignedDomain providerDomain = signedAuthorizedProviderDomain();
store.processSignedDomain(providerDomain, false);
SignedDomain tenantDomain = signedBootstrapTenantDomain("athenz.provider", "athenz", "production");
store.processSignedDomain(tenantDomain, false);
Path path = Paths.get("src/test/resources/athenz.instanceid.csr");
String certCsr = new String(Files.readAllBytes(path));
InstanceProviderManager instanceProviderManager = Mockito.mock(InstanceProviderManager.class);
InstanceProvider providerClient = Mockito.mock(InstanceProvider.class);
InstanceConfirmation confirmation = new InstanceConfirmation().setDomain("athenz").setService("production").setProvider("athenz.provider");
InstanceCertManager instanceManager = Mockito.spy(ztsImpl.instanceCertManager);
Mockito.when(instanceProviderManager.getProvider(eq("athenz.provider"), Mockito.any())).thenReturn(providerClient);
Mockito.when(providerClient.refreshInstance(Mockito.any())).thenReturn(confirmation);
X509CertRecord certRecord = new X509CertRecord();
certRecord.setInstanceId("1001");
certRecord.setProvider("athenz.provider");
certRecord.setService("athenz.production");
certRecord.setCurrentSerial("16503746516960996918");
certRecord.setPrevSerial("16503746516960996918");
Mockito.when(instanceManager.getX509CertRecord("athenz.provider", "1001", "athenz.production")).thenReturn(certRecord);
Mockito.when(instanceManager.updateX509CertRecord(Mockito.any())).thenReturn(true);
path = Paths.get("src/test/resources/athenz.instanceid.pem");
String pem = new String(Files.readAllBytes(path));
Mockito.doReturn(null).when(instanceManager).generateIdentity(Mockito.any(), Mockito.any(), Mockito.any(), Mockito.any(), Mockito.any(), Mockito.anyInt(), Mockito.any());
ztsImpl.instanceProviderManager = instanceProviderManager;
ztsImpl.instanceCertManager = instanceManager;
InstanceRefreshInformation info = new InstanceRefreshInformation().setCsr(certCsr);
CertificateAuthority certAuthority = new CertificateAuthority();
SimplePrincipal principal = (SimplePrincipal) SimplePrincipal.create("athenz", "production", "v=S1;d=athenz;n=production;s=signature", 0, certAuthority);
assertNotNull(principal);
X509Certificate cert = Crypto.loadX509Certificate(pem);
principal.setX509Certificate(cert);
ResourceContext context = createResourceContext(principal);
try {
ztsImpl.postInstanceRefreshInformation(context, "athenz.provider", "athenz", "production", "1001", info);
fail();
} catch (ResourceException ex) {
assertEquals(ex.getCode(), 500);
assertTrue(ex.getMessage().contains("unable to generate identity"));
}
}
Aggregations