Example 66 with DataCache
use of com.yahoo.athenz.zts.cache.DataCache in project athenz by yahoo.
the class DataStoreTest method testDeleteDomainFromCacheServices.
@Test
public void testDeleteDomainFromCacheServices() {
ChangeLogStore clogStore = new MockZMSFileChangeLogStore("/tmp/zts_server_unit_tests/zts_root", pkey, "0");
DataStore store = new DataStore(clogStore, null);
SignedDomain signedDomain = new SignedDomain();
List<Role> roles = new ArrayList<>();
Role role = new Role();
role.setName("coretech:role.admin");
List<RoleMember> members = new ArrayList<>();
members.add(new RoleMember().setMemberName("user_domain.user"));
role.setRoleMembers(members);
DomainData domainData = new DomainData();
domainData.setName("coretech");
domainData.setRoles(roles);
signedDomain.setDomain(domainData);
signedDomain.setKeyId("0");
((MockZMSFileChangeLogStore) store.changeLogStore).put("coretech", JSON.bytes(signedDomain));
DataCache dataCache = new DataCache();
dataCache.setDomainData(domainData);
store.addDomainToCache("coretech", dataCache);
store.deleteDomainFromCache("coretech");
store.changeLogStore.removeLocalDomain("coretech");
assertNull(store.getCacheStore().getIfPresent("coretech"));
File file = new File("/tmp/zts_server_unit_tests/zts_root/coretech");
assertFalse(file.exists());
}
Also used :
Role(com.yahoo.athenz.zms.Role)
MemberRole(com.yahoo.athenz.zts.cache.MemberRole)
ZMSFileChangeLogStore(com.yahoo.athenz.zts.store.impl.ZMSFileChangeLogStore)
MockZMSFileChangeLogStore(com.yahoo.athenz.zts.store.impl.MockZMSFileChangeLogStore)
SignedDomain(com.yahoo.athenz.zms.SignedDomain)
ArrayList(java.util.ArrayList)
DomainData(com.yahoo.athenz.zms.DomainData)
MockZMSFileChangeLogStore(com.yahoo.athenz.zts.store.impl.MockZMSFileChangeLogStore)
File(java.io.File)
RoleMember(com.yahoo.athenz.zms.RoleMember)
DataCache(com.yahoo.athenz.zts.cache.DataCache)
Test(org.testng.annotations.Test)
Example 67 with DataCache
use of com.yahoo.athenz.zts.cache.DataCache in project athenz by yahoo.
the class ZTSImpl method postDomainMetrics.
/*
* /metrics/{domainName}
*/
@Override
public DomainMetrics postDomainMetrics(ResourceContext ctx, String domainName, DomainMetrics domainMetrics) {
final String caller = "postdomainmetrics";
final String callerTiming = "postdomainmetrics_timing";
metric.increment(HTTP_POST);
logPrincipal(ctx);
validateRequest(ctx.request(), caller);
validate(domainName, TYPE_DOMAIN_NAME, caller);
validate(domainMetrics, TYPE_DOMAIN_METRICS, caller);
domainName = domainName.toLowerCase();
// for consistent handling of all requests, we're going to convert
// all incoming object values into lower case (e.g. domain, role,
// policy, service, etc name)
AthenzObject.DOMAIN_METRICS.convertToLowerCase(domainMetrics);
Object timerMetric = metric.startTiming(callerTiming, domainName);
// verify valid domain specified
DataCache data = dataStore.getDataCache(domainName);
if (data == null) {
metric.increment(HTTP_REQUEST, ZTSConsts.ZTS_UNKNOWN_DOMAIN);
metric.increment(caller, ZTSConsts.ZTS_UNKNOWN_DOMAIN);
throw notFoundError("postDomainMetrics: No such domain: " + domainName, caller, ZTSConsts.ZTS_UNKNOWN_DOMAIN);
}
// verify domain name matches domain name in request object
final String metricDomain = domainMetrics.getDomainName();
if (!metricDomain.equals(domainName)) {
final String errMsg = "postDomainMetrics: mismatched domain names: uri domain: " + domainName + " : metric domain: " + metricDomain;
throw requestError(errMsg, caller, domainName);
}
List<DomainMetric> dmList = domainMetrics.getMetricList();
if (dmList == null || dmList.size() == 0) {
// no metrics were sent - log error
final String errMsg = "postDomainMetrics: received no metrics for domain: " + domainName;
throw requestError(errMsg, caller, domainName);
}
for (DomainMetric dm : dmList) {
DomainMetricType dmType = dm.getMetricType();
if (dmType == null) {
LOGGER.error("postDomainMetrics: ignore missing metric received for domain: {}", domainName);
continue;
}
final String dmt = dmType.toString().toLowerCase();
Integer count = dm.getMetricVal();
if (count == null || count.intValue() < 0) {
LOGGER.error("postDomainMetrics: ignore metric: {} invalid counter {} received for domain {}", dmt, count, domainName);
continue;
}
String metricName = DOM_METRIX_PREFIX + dmt;
metric.increment(metricName, domainName, count);
}
metric.stopTiming(timerMetric);
return domainMetrics;
}
Also used :
DataCache(com.yahoo.athenz.zts.cache.DataCache)
Example 68 with DataCache
use of com.yahoo.athenz.zts.cache.DataCache in project athenz by yahoo.
the class ZTSImpl method postOSTKInstanceInformation.
// this method will be removed and replaced with call to postInstanceRegisterInformation
@Override
public Identity postOSTKInstanceInformation(ResourceContext ctx, OSTKInstanceInformation info) {
final String caller = "postostinstanceinformation";
final String callerTiming = "postostinstanceinformation_timing";
metric.increment(HTTP_POST);
logPrincipal(ctx);
if (LOGGER.isDebugEnabled()) {
LOGGER.debug("postOSTKInstanceInformation: " + info);
}
validateRequest(ctx.request(), caller);
String domain = info.getDomain();
String service = info.getService();
Object timerMetric = metric.startTiming(callerTiming, domain);
metric.increment(HTTP_REQUEST, domain);
metric.increment(caller, domain);
validate(info, TYPE_OSTK_INSTANCE_INFO, caller);
// for consistent handling of all requests, we're going to convert
// all incoming object values into lower case (e.g. domain, role,
// policy, service, etc name)
domain = domain.toLowerCase();
service = service.toLowerCase();
final String cn = domain + "." + service;
if (ostkHostSignerDomain == null) {
throw serverError("postOSTKInstanceInformation: Host Signer not configured", caller, domain);
}
// Fetch the public key of ostk host signer service
DataCache data = dataStore.getDataCache(ostkHostSignerDomain);
if (data == null) {
throw notFoundError("postOSTKInstanceInformation: No such domain: " + ostkHostSignerDomain, caller, domain);
}
String keyId = info.getKeyId();
String publicKey = dataStore.getPublicKey(ostkHostSignerDomain, ostkHostSignerService, keyId);
if (publicKey == null) {
throw notFoundError("postOSTKInstanceInformation: No publicKey for service: " + ostkHostSignerService + " with key id: " + keyId, caller, domain);
}
if (!cloudStore.verifyInstanceDocument(info, publicKey)) {
throw requestError("postOSTKInstanceInformation: unable to validate instance document", caller, domain);
}
// validate the CSR
PKCS10CertificationRequest certReq = Crypto.getPKCS10CertRequest(info.getCsr());
if (certReq == null) {
throw requestError("postOSTKInstanceInformation: unable to parse PKCS10 certificate request", caller, domain);
}
if (!ZTSUtils.verifyCertificateRequest(certReq, domain, service, null)) {
throw requestError("postOSTKInstanceInformation: unable to verify certificate request, invalid csr", caller, domain);
}
final String instanceId = ZTSUtils.extractCertReqInstanceId(certReq);
if (instanceId == null) {
throw requestError("postOSTKInstanceInformation: unable to extract instance id", caller, domain);
}
// generate certificate for the instance
Identity identity = ZTSUtils.generateIdentity(certSigner, info.getCsr(), cn, null, 0);
if (identity == null) {
throw requestError("postOSTKInstanceInformation: unable to generate identity", caller, domain);
}
// need to update our cert record with new certificate details
X509CertRecord x509CertRecord = new X509CertRecord();
x509CertRecord.setService(cn);
x509CertRecord.setProvider("ostk");
x509CertRecord.setInstanceId(instanceId);
X509Certificate newCert = Crypto.loadX509Certificate(identity.getCertificate());
x509CertRecord.setCurrentSerial(newCert.getSerialNumber().toString());
x509CertRecord.setCurrentIP(ServletRequestUtil.getRemoteAddress(ctx.request()));
x509CertRecord.setCurrentTime(new Date());
x509CertRecord.setPrevSerial(x509CertRecord.getCurrentSerial());
x509CertRecord.setPrevIP(x509CertRecord.getCurrentIP());
x509CertRecord.setPrevTime(x509CertRecord.getCurrentTime());
if (!instanceCertManager.insertX509CertRecord(x509CertRecord)) {
throw serverError("postOSTKInstanceInformation: unable to update cert db", caller, domain);
}
metric.stopTiming(timerMetric);
return identity;
}
Also used :
PKCS10CertificationRequest(org.bouncycastle.pkcs.PKCS10CertificationRequest)
DataCache(com.yahoo.athenz.zts.cache.DataCache)
X509CertRecord(com.yahoo.athenz.zts.cert.X509CertRecord)
X509Certificate(java.security.cert.X509Certificate)
Date(java.util.Date)
Example 69 with DataCache
use of com.yahoo.athenz.zts.cache.DataCache in project athenz by yahoo.
the class ZTSImpl method postRoleCertificateRequest.
@Override
public RoleToken postRoleCertificateRequest(ResourceContext ctx, String domainName, String roleName, RoleCertificateRequest req) {
final String caller = "postrolecertificaterequest";
final String callerTiming = "postrolecertificaterequest_timing";
metric.increment(HTTP_POST);
logPrincipal(ctx);
validateRequest(ctx.request(), caller);
validate(domainName, TYPE_DOMAIN_NAME, caller);
validate(roleName, TYPE_ENTITY_NAME, caller);
validate(req, TYPE_ROLE_CERTIFICATE_REQUEST, caller);
// for consistent handling of all requests, we're going to convert
// all incoming object values into lower case since ZMS Server
// saves all of its object names in lower case
domainName = domainName.toLowerCase();
roleName = roleName.toLowerCase();
Object timerMetric = metric.startTiming(callerTiming, domainName);
// get our principal's name
String principal = ((RsrcCtxWrapper) ctx).principal().getFullName();
if (LOGGER.isDebugEnabled()) {
LOGGER.debug("postRoleCertificateRequest(domain: " + domainName + ", principal: " + principal + ", role: " + roleName + ")");
}
// first retrieve our domain data object from the cache
DataCache data = dataStore.getDataCache(domainName);
if (data == null) {
// just increment the request counter without any dimension
// we don't want to get persistent indexes for invalid domains
metric.increment(HTTP_REQUEST, ZTSConsts.ZTS_UNKNOWN_DOMAIN);
metric.increment(caller, ZTSConsts.ZTS_UNKNOWN_DOMAIN);
throw notFoundError("postRoleCertificateRequest: No such domain: " + domainName, caller, ZTSConsts.ZTS_UNKNOWN_DOMAIN);
}
// update our metric with dimension. we're moving the metric here
// after the domain name has been confirmed as valid since with
// dimensions we get stuck with persistent indexes so we only want
// to create them for valid domain names
metric.increment(HTTP_REQUEST, domainName);
metric.increment(caller, domainName);
// process our request and retrieve the roles for the principal
String[] requestedRoleList = { roleName };
Set<String> roles = new HashSet<>();
dataStore.getAccessibleRoles(data, domainName, principal, requestedRoleList, roles, false);
if (roles.isEmpty()) {
throw forbiddenError("postRoleCertificateRequest: No access to any roles in domain: " + domainName, caller, domainName);
}
PKCS10CertificationRequest certReq = Crypto.getPKCS10CertRequest(req.getCsr());
if (certReq == null) {
throw requestError("postRoleCertificateRequest: Unable to parse cert request", caller, domainName);
}
if (!validateRoleCertificateRequest(certReq, domainName, roles, principal)) {
throw requestError("postRoleCertificateRequest: Unable to validate cert request", caller, domainName);
}
String x509Cert = certSigner.generateX509Certificate(req.getCsr(), ZTSConsts.ZTS_CERT_USAGE_CLIENT, (int) req.getExpiryTime());
if (null == x509Cert || x509Cert.isEmpty()) {
throw serverError("postRoleCertificateRequest: Unable to create certificate from the cert signer", caller, domainName);
}
RoleToken roleToken = new RoleToken().setToken(x509Cert).setExpiryTime(ZTS_ROLE_CERT_EXPIRY);
metric.stopTiming(timerMetric);
return roleToken;
}
Also used :
PKCS10CertificationRequest(org.bouncycastle.pkcs.PKCS10CertificationRequest)
DataCache(com.yahoo.athenz.zts.cache.DataCache)
HashSet(java.util.HashSet)
Example 70 with DataCache
use of com.yahoo.athenz.zts.cache.DataCache in project athenz by yahoo.
the class ZTSImpl method getTenantDomains.
public TenantDomains getTenantDomains(ResourceContext ctx, String providerDomainName, String userName, String roleName, String serviceName) {
final String caller = "gettenantdomains";
final String callerTiming = "gettenantdomains_timing";
metric.increment(HTTP_GET);
logPrincipal(ctx);
validateRequest(ctx.request(), caller);
validate(providerDomainName, TYPE_DOMAIN_NAME, caller);
validate(userName, TYPE_ENTITY_NAME, caller);
if (roleName != null) {
validate(roleName, TYPE_ENTITY_NAME, caller);
}
if (serviceName != null) {
validate(serviceName, TYPE_SERVICE_NAME, caller);
}
// for consistent handling of all requests, we're going to convert
// all incoming object values into lower case since ZMS Server
// saves all of its object names in lower case
providerDomainName = providerDomainName.toLowerCase();
if (roleName != null) {
roleName = roleName.toLowerCase();
}
if (serviceName != null) {
serviceName = serviceName.toLowerCase();
}
userName = normalizeDomainAliasUser(userName.toLowerCase());
// first retrieve our domain data object from the cache
Object timerMetric = metric.startTiming(callerTiming, providerDomainName);
DataCache data = dataStore.getDataCache(providerDomainName);
if (data == null) {
// just increment the request counter without any dimension
// we don't want to get persistent indexes for invalid domains
metric.increment(HTTP_REQUEST, ZTSConsts.ZTS_UNKNOWN_DOMAIN);
metric.increment(caller, ZTSConsts.ZTS_UNKNOWN_DOMAIN);
throw notFoundError("getTenantDomains: No such provider domain: " + providerDomainName, caller, ZTSConsts.ZTS_UNKNOWN_DOMAIN);
}
// update our metric with dimension. we're moving the metric here
// after the domain name has been confirmed as valid since with
// dimensions we get stuck with persistent indexes so we only want
// to create them for valid domain names
metric.increment(HTTP_REQUEST, providerDomainName);
metric.increment(caller, providerDomainName);
if (userName.indexOf('.') == -1) {
userName = this.userDomain + "." + userName;
}
roleName = convertEmptyStringToNull(roleName);
String[] requestedRoleList = null;
if (roleName != null) {
requestedRoleList = roleName.split(",");
}
// process our request and retrieve the roles for the principal
Set<String> roles = new HashSet<>();
dataStore.getAccessibleRoles(data, providerDomainName, userName, requestedRoleList, roles, false);
// we are going to process the list and only keep the tenant
// domains - this is based on the role names since our tenant
// roles are named: <service>.tenant.<domain>.[<resource_group>.]<action>
Set<String> domainNames = new HashSet<>();
for (String role : roles) {
String domainName = retrieveTenantDomainName(role, serviceName);
if (domainName != null) {
domainNames.add(domainName);
}
}
TenantDomains tenantDomains = new TenantDomains();
tenantDomains.setTenantDomainNames(new ArrayList<String>(domainNames));
metric.stopTiming(timerMetric);
return tenantDomains;
}Aggregations
DataCache (com.yahoo.athenz.zts.cache.DataCache)84
Test (org.testng.annotations.Test)68
ArrayList (java.util.ArrayList)44
MockZMSFileChangeLogStore (com.yahoo.athenz.zts.store.impl.MockZMSFileChangeLogStore)39
ZMSFileChangeLogStore (com.yahoo.athenz.zts.store.impl.ZMSFileChangeLogStore)38
DomainData (com.yahoo.athenz.zms.DomainData)32
Role (com.yahoo.athenz.zms.Role)31
HashSet (java.util.HashSet)24
RoleMember (com.yahoo.athenz.zms.RoleMember)23
ServiceIdentity (com.yahoo.athenz.zms.ServiceIdentity)17
SignedDomain (com.yahoo.athenz.zms.SignedDomain)14
Policy (com.yahoo.athenz.zms.Policy)13
Domain (com.yahoo.athenz.zms.Domain)12
MemberRole (com.yahoo.athenz.zts.cache.MemberRole)12
Set (java.util.Set)12
Assertion (com.yahoo.athenz.zms.Assertion)7
HostServices (com.yahoo.athenz.zts.HostServices)6
HashMap (java.util.HashMap)6
SignedDomains (com.yahoo.athenz.zms.SignedDomains)5
Principal (com.yahoo.athenz.auth.Principal)4
