use of com.yahoo.athenz.instance.provider.impl.InstanceZTSProvider in project athenz by yahoo.
the class InstanceZTSProviderTest method testConfirmInstanceInvalidIP.
@Test
public void testConfirmInstanceInvalidIP() {
KeyStore keystore = Mockito.mock(KeyStore.class);
Mockito.when(keystore.getPublicKey("sports", "api", "v0")).thenReturn(servicePublicKeyStringK0);
InstanceZTSProvider provider = new InstanceZTSProvider();
provider.initialize("provider", "com.yahoo.athenz.instance.provider.impl.InstanceZTSProvider", null, keystore);
PrincipalToken tokenToSign = new PrincipalToken.Builder("S1", "sports", "api").keyId("v0").salt("salt").issueTime(System.currentTimeMillis() / 1000).expirationWindow(3600).build();
tokenToSign.sign(servicePrivateKeyStringK0);
InstanceConfirmation confirmation = new InstanceConfirmation();
confirmation.setAttestationData(tokenToSign.getSignedToken());
confirmation.setDomain("sports");
confirmation.setService("api");
confirmation.setProvider("sys.auth.zts");
Map<String, String> attributes = new HashMap<>();
attributes.put(InstanceProvider.ZTS_INSTANCE_SAN_DNS, "api.sports.zts.athenz.cloud,inst1.instanceid.athenz.zts.athenz.cloud");
attributes.put(InstanceProvider.ZTS_INSTANCE_CLIENT_IP, "10.1.1.1");
attributes.put(InstanceProvider.ZTS_INSTANCE_SAN_IP, "10.1.1.2");
attributes.put(InstanceProvider.ZTS_INSTANCE_CSR_PUBLIC_KEY, servicePublicKeyStringK0);
confirmation.setAttributes(attributes);
try {
provider.confirmInstance(confirmation);
fail();
} catch (ResourceException ex) {
assertEquals(ex.getCode(), 403);
assertTrue(ex.getMessage().contains("validate request IP address"));
}
provider.close();
}
use of com.yahoo.athenz.instance.provider.impl.InstanceZTSProvider in project athenz by yahoo.
the class InstanceZTSProviderTest method testConfirmInstanceEmptyCredentials.
@Test
public void testConfirmInstanceEmptyCredentials() throws IOException {
KeyStore keystore = Mockito.mock(KeyStore.class);
Mockito.when(keystore.getPublicKey("sports", "api", "v0")).thenReturn(servicePublicKeyStringK0);
System.setProperty(InstanceZTSProvider.ZTS_PROP_PRINCIPAL_LIST, "sports.api");
// get our ec public key
Path path = Paths.get("./src/test/resources/unit_test_ec_public.key");
String keyPem = new String(Files.readAllBytes(path));
PublicKey publicKey = Crypto.loadPublicKey(keyPem);
InstanceZTSProvider provider = new InstanceZTSProvider();
provider.initialize("sys.auth.zts", "com.yahoo.athenz.instance.provider.impl.InstanceZTSProvider", null, keystore);
provider.signingKeyResolver.addPublicKey("k0", publicKey);
InstanceConfirmation tokenConfirmation = new InstanceConfirmation();
tokenConfirmation.setDomain("sports");
tokenConfirmation.setService("api");
tokenConfirmation.setProvider("sys.auth.zts");
Map<String, String> attrs = new HashMap<>();
attrs.put(InstanceProvider.ZTS_INSTANCE_ID, "id001");
tokenConfirmation.setAttributes(attrs);
// generate instance confirmation
InstanceConfirmation confirmation = new InstanceConfirmation();
confirmation.setDomain("sports");
confirmation.setService("api");
confirmation.setProvider("sys.auth.zts");
Map<String, String> attributes = new HashMap<>();
attributes.put(InstanceProvider.ZTS_INSTANCE_SAN_DNS, "api.sports.zts.athenz.cloud,id001.instanceid.athenz.zts.athenz.cloud");
attributes.put(InstanceProvider.ZTS_INSTANCE_CSR_PUBLIC_KEY, servicePublicKeyStringK0);
attributes.put(InstanceProvider.ZTS_INSTANCE_ID, "id001");
confirmation.setAttributes(attributes);
try {
provider.confirmInstance(confirmation);
fail();
} catch (ResourceException ex) {
assertEquals(ex.getCode(), ResourceException.FORBIDDEN);
assertTrue(ex.getMessage().contains("Service credentials not provided"));
}
provider.close();
System.clearProperty(InstanceZTSProvider.ZTS_PROP_PRINCIPAL_LIST);
}
use of com.yahoo.athenz.instance.provider.impl.InstanceZTSProvider in project athenz by yahoo.
the class InstanceZTSProviderTest method testConfirmInstanceUnsupportedService.
@Test
public void testConfirmInstanceUnsupportedService() {
KeyStore keystore = Mockito.mock(KeyStore.class);
Mockito.when(keystore.getPublicKey("sports", "api", "v0")).thenReturn(servicePublicKeyStringK0);
System.setProperty(InstanceZTSProvider.ZTS_PROP_PRINCIPAL_LIST, "sports.api");
InstanceZTSProvider provider = new InstanceZTSProvider();
provider.initialize("provider", "com.yahoo.athenz.instance.provider.impl.InstanceZTSProvider", null, keystore);
PrincipalToken tokenToSign = new PrincipalToken.Builder("S1", "sports", "backend").keyId("v0").salt("salt").issueTime(System.currentTimeMillis() / 1000).expirationWindow(3600).build();
tokenToSign.sign(servicePrivateKeyStringK0);
InstanceConfirmation confirmation = new InstanceConfirmation();
confirmation.setAttestationData(tokenToSign.getSignedToken());
confirmation.setDomain("sports");
confirmation.setService("backend");
confirmation.setProvider("sys.auth.zts");
Map<String, String> attributes = new HashMap<>();
attributes.put(InstanceProvider.ZTS_INSTANCE_SAN_DNS, "backend.sports.zts.athenz.cloud,inst1.instanceid.athenz.zts.athenz.cloud");
attributes.put(InstanceProvider.ZTS_INSTANCE_CSR_PUBLIC_KEY, servicePublicKeyStringK0);
confirmation.setAttributes(attributes);
try {
provider.confirmInstance(confirmation);
fail();
} catch (ResourceException ex) {
assertTrue(ex.getMessage().contains("Service not supported to be launched by ZTS Provider"));
}
provider.close();
System.clearProperty(InstanceZTSProvider.ZTS_PROP_PRINCIPAL_LIST);
}
use of com.yahoo.athenz.instance.provider.impl.InstanceZTSProvider in project athenz by yahoo.
the class InstanceZTSProviderTest method testConfirmInstanceValidHostname.
@Test
public void testConfirmInstanceValidHostname() {
KeyStore keystore = Mockito.mock(KeyStore.class);
Mockito.when(keystore.getPublicKey("sports", "api", "v0")).thenReturn(servicePublicKeyStringK0);
HostnameResolver hostnameResolver = Mockito.mock(HostnameResolver.class);
Mockito.when(hostnameResolver.isValidHostname("hostabc.athenz.com")).thenReturn(true);
Mockito.when(hostnameResolver.getAllByName("hostabc.athenz.com")).thenReturn(new HashSet<>(Arrays.asList("10.1.1.1", "2001:db8:a0b:12f0:0:0:0:1")));
InstanceZTSProvider provider = new InstanceZTSProvider();
provider.initialize("provider", "com.yahoo.athenz.instance.provider.impl.InstanceZTSProvider", null, keystore);
provider.setHostnameResolver(hostnameResolver);
PrincipalToken tokenToSign = new PrincipalToken.Builder("S1", "sports", "api").keyId("v0").salt("salt").issueTime(System.currentTimeMillis() / 1000).expirationWindow(3600).build();
tokenToSign.sign(servicePrivateKeyStringK0);
InstanceConfirmation confirmation = new InstanceConfirmation();
confirmation.setAttestationData(tokenToSign.getSignedToken());
confirmation.setDomain("sports");
confirmation.setService("api");
confirmation.setProvider("sys.auth.zts");
Map<String, String> attributes = new HashMap<>();
attributes.put(InstanceProvider.ZTS_INSTANCE_SAN_DNS, "api.sports.zts.athenz.cloud,inst1.instanceid.athenz.zts.athenz.cloud");
attributes.put(InstanceProvider.ZTS_INSTANCE_HOSTNAME, "hostabc.athenz.com");
attributes.put(InstanceProvider.ZTS_INSTANCE_CLIENT_IP, "10.1.1.1");
attributes.put(InstanceProvider.ZTS_INSTANCE_SAN_IP, "10.1.1.1,2001:db8:a0b:12f0:0:0:0:1");
attributes.put(InstanceProvider.ZTS_INSTANCE_SAN_URI, "athenz://instanceid/zts/hostabc.athenz.com,athenz://hostname/hostabc.athenz.com");
attributes.put(InstanceProvider.ZTS_INSTANCE_CSR_PUBLIC_KEY, servicePublicKeyStringK0);
confirmation.setAttributes(attributes);
assertNotNull(provider.confirmInstance(confirmation));
provider.close();
}
use of com.yahoo.athenz.instance.provider.impl.InstanceZTSProvider in project athenz by yahoo.
the class InstanceZTSProviderTest method testValidateRegisterTokenMismatchProvider.
@Test
public void testValidateRegisterTokenMismatchProvider() throws IOException {
KeyStore keystore = Mockito.mock(KeyStore.class);
Mockito.when(keystore.getPublicKey("sports", "api", "v0")).thenReturn(servicePublicKeyStringK0);
System.setProperty(InstanceZTSProvider.ZTS_PROP_PRINCIPAL_LIST, "sports.api,weather.api,sports.backend");
// get our ec public key
Path path = Paths.get("./src/test/resources/unit_test_ec_public.key");
String keyPem = new String(Files.readAllBytes(path));
PublicKey publicKey = Crypto.loadPublicKey(keyPem);
InstanceZTSProvider provider = new InstanceZTSProvider();
provider.initialize("sys.auth.zts", "com.yahoo.athenz.instance.provider.impl.InstanceZTSProvider", null, keystore);
provider.signingKeyResolver.addPublicKey("k0", publicKey);
// get our private key now
path = Paths.get("./src/test/resources/unit_test_ec_private.key");
keyPem = new String(Files.readAllBytes(path));
PrivateKey privateKey = Crypto.loadPrivateKey(keyPem);
provider.setPrivateKey(privateKey, "k0", SignatureAlgorithm.ES256);
InstanceConfirmation tokenConfirmation = new InstanceConfirmation();
tokenConfirmation.setDomain("sports");
tokenConfirmation.setService("api");
tokenConfirmation.setProvider("athenz.zts");
Map<String, String> attrs = new HashMap<>();
attrs.put(InstanceProvider.ZTS_INSTANCE_ID, "id001");
tokenConfirmation.setAttributes(attrs);
InstanceRegisterToken token = provider.getInstanceRegisterToken(tokenConfirmation);
// calling validation directly should fail with invalid provider
StringBuilder errMsg = new StringBuilder();
assertFalse(provider.validateRegisterToken(token.getAttestationData(), "sports", "api", "id001", false, errMsg));
assertTrue(errMsg.toString().contains("invalid provider name"));
provider.close();
System.clearProperty(InstanceZTSProvider.ZTS_PROP_PRINCIPAL_LIST);
}
Aggregations