Examples with SignedDomain com.yahoo.athenz.zms.SignedDomain used on opensource projects

Example 61 with SignedDomain

use of com.yahoo.athenz.zms.SignedDomain in project athenz by yahoo.

the class DataStore method processSignedDomains.

// Internal
boolean processSignedDomains(SignedDomains signedDomains) {
    if (signedDomains == null) {
        if (LOGGER.isInfoEnabled()) {
            LOGGER.info("No updates received from ZMS Server");
        }
        return true;
    }
    /* now process all of our domains */
    List<SignedDomain> domains = signedDomains.getDomains();
    if (domains == null || domains.isEmpty()) {
        if (LOGGER.isInfoEnabled()) {
            LOGGER.info("No updates received from ZMS Server");
        }
        return true;
    }
    // we're going to return success as long as one of the
    // domains was successfully processed, otherwise there is
    // no point of retrying all domains over and over again
    boolean result = false;
    for (SignedDomain domain : domains) {
        if (processDomain(domain, true)) {
            result = true;
        }
    }
    return result;
}

Example 62 with SignedDomain

use of com.yahoo.athenz.zms.SignedDomain in project athenz by yahoo.

the class S3ChangeLogStore method getSignedDomain.

SignedDomain getSignedDomain(AmazonS3 s3, String domainName) {
    if (LOGGER.isDebugEnabled()) {
        LOGGER.debug("AWSS3ChangeLog: getting signed domain {}", domainName);
    }
    SignedDomain signedDomain = null;
    try {
        S3Object object = s3.getObject(s3BucketName, domainName);
        try (S3ObjectInputStream s3is = object.getObjectContent()) {
            byte[] data = ByteStreams.toByteArray(s3is);
            signedDomain = JSON.fromBytes(data, SignedDomain.class);
        }
    } catch (Exception ex) {
        LOGGER.error("AWSS3ChangeLog: getSignedDomain - unable to get domain {} error: {}", domainName, ex.getMessage());
    }
    return signedDomain;
}

Example 63 with SignedDomain

use of com.yahoo.athenz.zms.SignedDomain in project athenz by yahoo.

the class ZMSFileChangeLogStore method getUpdatedSignedDomains.

@Override
public SignedDomains getUpdatedSignedDomains(StringBuilder lastModTimeBuffer) {
    try (ZMSClient zmsClient = getZMSClient()) {
        // request all the changes from ZMS. In this call we're asking for
        // meta data only so we'll only get the list of domains
        Map<String, List<String>> responseHeaders = new HashMap<String, List<String>>();
        SignedDomains domainList = zmsClient.getSignedDomains(null, VALUE_TRUE, lastModTime, responseHeaders);
        // retrieve the tag value for the request
        String newLastModTime = retrieveTagHeader(responseHeaders);
        if (newLastModTime == null) {
            return null;
        }
        // set the last modification time to be returned to the caller
        lastModTimeBuffer.setLength(0);
        lastModTimeBuffer.append(newLastModTime);
        if (domainList == null || domainList.getDomains() == null) {
            return null;
        }
        if (LOGGER.isInfoEnabled()) {
            LOGGER.info("getUpdatedSignedDomains: {} updated domains", domainList.getDomains().size());
        }
        List<SignedDomain> domains = getSignedDomainList(zmsClient, domainList);
        return new SignedDomains().setDomains(domains);
    } catch (ZMSClientException ex) {
        LOGGER.error("Error when refreshing data from ZMS: {}", ex.getMessage());
        return null;
    }
}

Example 64 with SignedDomain

use of com.yahoo.athenz.zms.SignedDomain in project athenz by yahoo.

the class ZTSImplTest method testPostInstanceRefreshInformationCertDNSMismatch.

@Test
public void testPostInstanceRefreshInformationCertDNSMismatch() throws IOException {
    ChangeLogStore structStore = new ZMSFileChangeLogStore("/tmp/zts_server_unit_tests/zts_root", privateKey, "0");
    DataStore store = new DataStore(structStore, null);
    ZTSImpl ztsImpl = new ZTSImpl(mockCloudStore, store);
    SignedDomain providerDomain = signedAuthorizedProviderDomain();
    store.processDomain(providerDomain, false);
    SignedDomain tenantDomain = signedBootstrapTenantDomain("athenz.provider", "athenz", "production");
    store.processDomain(tenantDomain, false);
    Path path = Paths.get("src/test/resources/athenz.instanceid.csr");
    String certCsr = new String(Files.readAllBytes(path));
    InstanceProviderManager instanceProviderManager = Mockito.mock(InstanceProviderManager.class);
    InstanceProvider providerClient = Mockito.mock(InstanceProvider.class);
    InstanceConfirmation confirmation = new InstanceConfirmation().setDomain("athenz").setService("production").setProvider("athenz.provider");
    InstanceCertManager instanceManager = Mockito.spy(ztsImpl.instanceCertManager);
    X509CertRecord certRecord = new X509CertRecord();
    certRecord.setInstanceId("1001");
    certRecord.setProvider("athenz.provider");
    certRecord.setService("athenz.production");
    certRecord.setCurrentSerial("16503746516960996918");
    certRecord.setPrevSerial("16503746516960996918");
    Mockito.when(instanceManager.getX509CertRecord("athenz.provider", "1001")).thenReturn(certRecord);
    Mockito.when(instanceProviderManager.getProvider("athenz.provider")).thenReturn(providerClient);
    Mockito.when(providerClient.refreshInstance(Mockito.any())).thenReturn(confirmation);
    path = Paths.get("src/test/resources/valid_cn_x509.cert");
    String pem = new String(Files.readAllBytes(path));
    InstanceIdentity identity = new InstanceIdentity().setName("athenz.production").setX509Certificate(pem);
    Mockito.doReturn(identity).when(instanceManager).generateIdentity(Mockito.any(), Mockito.any(), Mockito.any(), Mockito.anyInt());
    ztsImpl.instanceProviderManager = instanceProviderManager;
    ztsImpl.instanceCertManager = instanceManager;
    InstanceRefreshInformation info = new InstanceRefreshInformation().setCsr(certCsr);
    CertificateAuthority certAuthority = new CertificateAuthority();
    SimplePrincipal principal = (SimplePrincipal) SimplePrincipal.create("athenz", "production", "v=S1;d=athenz;n=production;s=signature", 0, certAuthority);
    X509Certificate cert = Crypto.loadX509Certificate(pem);
    principal.setX509Certificate(cert);
    ResourceContext context = createResourceContext(principal);
    try {
        ztsImpl.postInstanceRefreshInformation(context, "athenz.provider", "athenz", "production", "1001", info);
        fail();
    } catch (ResourceException ex) {
        assertEquals(ex.getCode(), 400);
        assertTrue(ex.getMessage().contains("dnsName attribute mismatch in CSR"));
    }
}

Example 65 with SignedDomain

use of com.yahoo.athenz.zms.SignedDomain in project athenz by yahoo.

the class ZTSImplTest method testGetAWSTemporaryCredentialsForbidden.

@Test
public void testGetAWSTemporaryCredentialsForbidden() {
    Principal principal = SimplePrincipal.create("user_domain", "user102", "v=U1;d=user_domain;n=user102;s=signature", 0, null);
    CloudStore cloudStore = Mockito.mock(CloudStore.class);
    Mockito.when(cloudStore.isAwsEnabled()).thenReturn(true);
    store.setCloudStore(cloudStore);
    zts.cloudStore = cloudStore;
    SignedDomain signedDomain = createAwsSignedDomain("athenz.product", "1234");
    store.processDomain(signedDomain, false);
    try {
        zts.getAWSTemporaryCredentials(createResourceContext(principal), "athenz.product", "aws_role_name");
        fail();
    } catch (ResourceException ex) {
        assertEquals(ex.getCode(), 403);
    }
}