Use of com.yahoo.athenz.instance.provider.impl.InstanceZTSProvider in project athenz by yahoo.
The class InstanceZTSProviderTest, method testValidateSanIp.
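@Test
public void testValidateSanIp() {
    // Pins the decisions of validateSanIp: the client IP passed as the second
    // argument is compared against the SAN IP entries passed as the first.
    // The IPv4, IPv6 and mixed groups below assert the same shape of outcome.
    final String ipv4 = "10.1.1.1";
    final String otherIpv4 = "10.1.1.2";
    final String ipv6 = "2001:db8:a0b:12f0:0:0:0:1";
    final String otherIpv6 = "2002:db9:a0b:12f0:0:0:0:1";

    InstanceZTSProvider provider = new InstanceZTSProvider();
    provider.initialize("provider", "com.yahoo.athenz.instance.provider.impl.InstanceZTSProvider", null, null);
    try {
        // ipv4: an exact match, or no SAN IP list at all, is accepted
        assertTrue(provider.validateSanIp(new String[] { ipv4 }, ipv4));
        assertTrue(provider.validateSanIp(null, ipv4));
        assertTrue(provider.validateSanIp(new String[] {}, ipv4));
        // ipv4: a non-matching entry (including an empty one) is rejected
        assertFalse(provider.validateSanIp(new String[] { "" }, ipv4));
        assertFalse(provider.validateSanIp(new String[] { otherIpv4 }, ipv4));
        assertFalse(provider.validateSanIp(new String[] { otherIpv4 }, null));
        assertFalse(provider.validateSanIp(new String[] { otherIpv4 }, ""));

        // ipv6: same expectations as the ipv4 group
        assertTrue(provider.validateSanIp(new String[] { ipv6 }, ipv6));
        assertTrue(provider.validateSanIp(null, ipv6));
        assertTrue(provider.validateSanIp(new String[] {}, ipv6));
        assertFalse(provider.validateSanIp(new String[] { otherIpv6 }, ipv6));
        assertFalse(provider.validateSanIp(new String[] { otherIpv6 }, ipv4));
        assertFalse(provider.validateSanIp(new String[] { otherIpv6 }, null));
        assertFalse(provider.validateSanIp(new String[] { otherIpv6 }, ""));

        // ipv4 and ipv6 mixed: either listed address satisfies the check,
        // anything else (or a null/empty client IP) does not
        assertTrue(provider.validateSanIp(new String[] { ipv4, ipv6 }, ipv4));
        assertTrue(provider.validateSanIp(new String[] { ipv4, ipv6 }, ipv6));
        assertFalse(provider.validateSanIp(new String[] { ipv4, ipv6 }, otherIpv4));
        assertFalse(provider.validateSanIp(new String[] { ipv4, ipv6 }, null));
        assertFalse(provider.validateSanIp(new String[] { ipv4, ipv6 }, ""));
    } finally {
        // release the provider even when an assertion above fails
        provider.close();
    }
}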
Use of com.yahoo.athenz.instance.provider.impl.InstanceZTSProvider in project athenz by yahoo.
The class InstanceZTSProviderTest, method testConfirmInstance.
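@Test
public void testConfirmInstance() {
    // The mocked keystore hands out the test service public key for
    // sports.api / key id v0; the attestation token below is signed with the
    // matching private key.
    KeyStore keystore = Mockito.mock(KeyStore.class);
    Mockito.when(keystore.getPublicKey("sports", "api", "v0")).thenReturn(servicePublicKeyStringK0);

    // allow sports.api as a principal for this provider; the property is
    // cleared in finally so a failing assertion cannot leak it into other tests
    System.setProperty(InstanceZTSProvider.ZTS_PROP_PRINCIPAL_LIST, "sports.api");
    InstanceZTSProvider provider = new InstanceZTSProvider();
    provider.initialize("provider", "com.yahoo.athenz.instance.provider.impl.InstanceZTSProvider", null, keystore);
    try {
        PrincipalToken tokenToSign = new PrincipalToken.Builder("S1", "sports", "api")
                .keyId("v0")
                .salt("salt")
                .issueTime(System.currentTimeMillis() / 1000)
                .expirationWindow(3600)
                .build();
        tokenToSign.sign(servicePrivateKeyStringK0);

        // confirmation request for sports.api carrying the signed token as
        // attestation data plus the SAN DNS names and CSR public key attributes
        InstanceConfirmation confirmation = new InstanceConfirmation();
        confirmation.setAttestationData(tokenToSign.getSignedToken());
        confirmation.setDomain("sports");
        confirmation.setService("api");
        confirmation.setProvider("sys.auth.zts");
        Map<String, String> attributes = new HashMap<>();
        attributes.put(InstanceProvider.ZTS_INSTANCE_SAN_DNS, "api.sports.zts.athenz.cloud,inst1.instanceid.athenz.zts.athenz.cloud");
        attributes.put(InstanceProvider.ZTS_INSTANCE_CSR_PUBLIC_KEY, servicePublicKeyStringK0);
        confirmation.setAttributes(attributes);

        assertNotNull(provider.confirmInstance(confirmation));
    } finally {
        provider.close();
        System.clearProperty(InstanceZTSProvider.ZTS_PROP_PRINCIPAL_LIST);
    }
}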
Use of com.yahoo.athenz.instance.provider.impl.InstanceZTSProvider in project athenz by yahoo.
The class InstanceZTSProviderTest, method testValidateRegisterTokenMismatchFields.
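@Test
public void testValidateRegisterTokenMismatchFields() throws IOException {
    KeyStore keystore = Mockito.mock(KeyStore.class);
    Mockito.when(keystore.getPublicKey("sports", "api", "v0")).thenReturn(servicePublicKeyStringK0);

    // EC key pair from the test resources; the PEM files are decoded as UTF-8
    // explicitly instead of relying on the platform default charset
    final Path publicKeyPath = Paths.get("./src/test/resources/unit_test_ec_public.key");
    final String publicKeyPem = new String(Files.readAllBytes(publicKeyPath), java.nio.charset.StandardCharsets.UTF_8);
    final PublicKey publicKey = Crypto.loadPublicKey(publicKeyPem);

    final Path privateKeyPath = Paths.get("./src/test/resources/unit_test_ec_private.key");
    final String privateKeyPem = new String(Files.readAllBytes(privateKeyPath), java.nio.charset.StandardCharsets.UTF_8);
    final PrivateKey privateKey = Crypto.loadPrivateKey(privateKeyPem);

    // allow sports.api as a principal; cleared in finally so a failing
    // assertion cannot leak the setting into other tests
    System.setProperty(InstanceZTSProvider.ZTS_PROP_PRINCIPAL_LIST, "sports.api");
    InstanceZTSProvider provider = new InstanceZTSProvider();
    provider.initialize("sys.auth.zts", "com.yahoo.athenz.instance.provider.impl.InstanceZTSProvider", null, keystore);
    try {
        // the provider signs register tokens with the private key under
        // key id "k0" and verifies them with the public key registered here
        provider.signingKeyResolver.addPublicKey("k0", publicKey);
        provider.setPrivateKey(privateKey, "k0", SignatureAlgorithm.ES256);

        // obtain a register token bound to sports / api / instance id001
        InstanceConfirmation tokenConfirmation = new InstanceConfirmation();
        tokenConfirmation.setDomain("sports");
        tokenConfirmation.setService("api");
        tokenConfirmation.setProvider("sys.auth.zts");
        Map<String, String> attrs = new HashMap<>();
        attrs.put(InstanceProvider.ZTS_INSTANCE_ID, "id001");
        tokenConfirmation.setAttributes(attrs);
        InstanceRegisterToken token = provider.getInstanceRegisterToken(tokenConfirmation);
        final String attestationData = token.getAttestationData();

        // each identity field that disagrees with the token must be rejected
        // with a distinct reason in errMsg
        StringBuilder errMsg = new StringBuilder();

        // domain mismatch
        assertFalse(provider.validateRegisterToken(attestationData, "weather", "api", "id001", false, errMsg));
        assertTrue(errMsg.toString().contains("invalid domain name"));

        // service mismatch
        errMsg.setLength(0);
        assertFalse(provider.validateRegisterToken(attestationData, "sports", "backend", "id001", false, errMsg));
        assertTrue(errMsg.toString().contains("invalid service name"));

        // instance id mismatch
        errMsg.setLength(0);
        assertFalse(provider.validateRegisterToken(attestationData, "sports", "api", "id002", false, errMsg));
        assertTrue(errMsg.toString().contains("invalid instance id"));
    } finally {
        provider.close();
        System.clearProperty(InstanceZTSProvider.ZTS_PROP_PRINCIPAL_LIST);
    }
}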
Use of com.yahoo.athenz.instance.provider.impl.InstanceZTSProvider in project athenz by yahoo.
The class InstanceZTSProviderTest, method testValidateRegisterTokenExpiredIssueDate.
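@Test
public void testValidateRegisterTokenExpiredIssueDate() throws IOException {
    KeyStore keystore = Mockito.mock(KeyStore.class);
    Mockito.when(keystore.getPublicKey("sports", "api", "v0")).thenReturn(servicePublicKeyStringK0);

    // EC key pair from the test resources; the PEM files are decoded as UTF-8
    // explicitly instead of relying on the platform default charset
    final Path publicKeyPath = Paths.get("./src/test/resources/unit_test_ec_public.key");
    final String publicKeyPem = new String(Files.readAllBytes(publicKeyPath), java.nio.charset.StandardCharsets.UTF_8);
    final PublicKey publicKey = Crypto.loadPublicKey(publicKeyPem);

    final Path privateKeyPath = Paths.get("./src/test/resources/unit_test_ec_private.key");
    final String privateKeyPem = new String(Files.readAllBytes(privateKeyPath), java.nio.charset.StandardCharsets.UTF_8);
    final PrivateKey privateKey = Crypto.loadPrivateKey(privateKeyPem);

    // allow sports.api as a principal; cleared in finally so a failing
    // assertion cannot leak the setting into other tests
    System.setProperty(InstanceZTSProvider.ZTS_PROP_PRINCIPAL_LIST, "sports.api");
    InstanceZTSProvider provider = new InstanceZTSProvider();
    provider.initialize("sys.auth.zts", "com.yahoo.athenz.instance.provider.impl.InstanceZTSProvider", null, keystore);
    try {
        // the token below is signed with the private key under key id "k0";
        // the provider needs the matching public key to verify it
        provider.signingKeyResolver.addPublicKey("k0", publicKey);

        // build a register token whose issue time is 31 minutes in the past;
        // the Jwts builder takes a java.util.Date, hence the Instant conversion
        Instant issueTime = Instant.ofEpochMilli(System.currentTimeMillis() - TimeUnit.MINUTES.toMillis(31));
        Date issueDate = Date.from(issueTime);
        final String registerToken = Jwts.builder()
                .setId("001")
                .setSubject("sports.api")
                .setIssuedAt(issueDate)
                .setIssuer("sys.auth.zts")
                .setAudience("sys.auth.zts")
                .claim(CLAIM_PROVIDER, "sys.auth.zts")
                .claim(CLAIM_DOMAIN, "sports")
                .claim(CLAIM_SERVICE, "api")
                .claim(CLAIM_INSTANCE_ID, "id001")
                .claim(CLAIM_CLIENT_ID, "user.athenz")
                .setHeaderParam(HDR_KEY_ID, "k0")
                .setHeaderParam(HDR_TOKEN_TYPE, HDR_TOKEN_JWT)
                .signWith(privateKey, SignatureAlgorithm.ES256)
                .compact();

        // with register instance enabled, a token issued this long ago is
        // rejected as expired and the issue time is reported in the error
        StringBuilder errMsg = new StringBuilder();
        assertFalse(provider.validateRegisterToken(registerToken, "sports", "api", "id001", true, errMsg));
        assertTrue(errMsg.toString().contains("token is already expired, issued at: " + issueDate));

        // with the refresh option the issue-time check is skipped and the
        // same token is accepted
        errMsg.setLength(0);
        assertTrue(provider.validateRegisterToken(registerToken, "sports", "api", "id001", false, errMsg));
    } finally {
        provider.close();
        System.clearProperty(InstanceZTSProvider.ZTS_PROP_PRINCIPAL_LIST);
    }
}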
Use of com.yahoo.athenz.instance.provider.impl.InstanceZTSProvider in project athenz by yahoo.
The class InstanceZTSProviderTest, method testValidateToken.
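@Test
public void testValidateToken() {
    KeyStore keystore = Mockito.mock(KeyStore.class);
    Mockito.when(keystore.getPublicKey("sports", "api", "v0")).thenReturn(servicePublicKeyStringK0);
    InstanceZTSProvider provider = new InstanceZTSProvider();
    provider.initialize("provider", "com.yahoo.athenz.instance.provider.impl.InstanceZTSProvider", null, keystore);
    try {
        StringBuilder errMsg = new StringBuilder(256);

        // a string that is not a token at all is rejected outright
        assertFalse(provider.validateServiceToken("invalidtoken", "sports", "api", servicePublicKeyStringK0, errMsg));
        assertTrue(errMsg.toString().contains("Invalid token"));

        // a principal token for sports.api signed with the test service key
        PrincipalToken tokenToSign = new PrincipalToken.Builder("S1", "sports", "api")
                .keyId("v0")
                .salt("salt")
                .issueTime(System.currentTimeMillis() / 1000)
                .expirationWindow(3600)
                .build();
        tokenToSign.sign(servicePrivateKeyStringK0);
        final String signedToken = tokenToSign.getSignedToken();

        // accepted when domain and service agree with the token
        errMsg.setLength(0);
        assertTrue(provider.validateServiceToken(signedToken, "sports", "api", servicePublicKeyStringK0, errMsg));

        // the same valid token must not be accepted for another service ...
        errMsg.setLength(0);
        assertFalse(provider.validateServiceToken(signedToken, "sports", "ui", servicePublicKeyStringK0, errMsg));
        assertTrue(errMsg.toString().contains("service mismatch"));

        // ... or another domain
        errMsg.setLength(0);
        assertFalse(provider.validateServiceToken(signedToken, "weather", "api", servicePublicKeyStringK0, errMsg));
        assertTrue(errMsg.toString().contains("domain mismatch"));
    } finally {
        // release the provider even when an assertion above fails
        provider.close();
    }
}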