Search in sources :

Example 66 with DataCache

use of com.yahoo.athenz.zts.cache.DataCache in project athenz by yahoo.

the class DataStoreTest method testDeleteDomainFromCacheServices.

@Test
public void testDeleteDomainFromCacheServices() {
    ChangeLogStore clogStore = new MockZMSFileChangeLogStore("/tmp/zts_server_unit_tests/zts_root", pkey, "0");
    DataStore store = new DataStore(clogStore, null);
    SignedDomain signedDomain = new SignedDomain();
    List<Role> roles = new ArrayList<>();
    Role role = new Role();
    role.setName("coretech:role.admin");
    List<RoleMember> members = new ArrayList<>();
    members.add(new RoleMember().setMemberName("user_domain.user"));
    role.setRoleMembers(members);
    DomainData domainData = new DomainData();
    domainData.setName("coretech");
    domainData.setRoles(roles);
    signedDomain.setDomain(domainData);
    signedDomain.setKeyId("0");
    ((MockZMSFileChangeLogStore) store.changeLogStore).put("coretech", JSON.bytes(signedDomain));
    DataCache dataCache = new DataCache();
    dataCache.setDomainData(domainData);
    store.addDomainToCache("coretech", dataCache);
    store.deleteDomainFromCache("coretech");
    store.changeLogStore.removeLocalDomain("coretech");
    assertNull(store.getCacheStore().getIfPresent("coretech"));
    File file = new File("/tmp/zts_server_unit_tests/zts_root/coretech");
    assertFalse(file.exists());
}
Also used : Role(com.yahoo.athenz.zms.Role) MemberRole(com.yahoo.athenz.zts.cache.MemberRole) ZMSFileChangeLogStore(com.yahoo.athenz.zts.store.impl.ZMSFileChangeLogStore) MockZMSFileChangeLogStore(com.yahoo.athenz.zts.store.impl.MockZMSFileChangeLogStore) SignedDomain(com.yahoo.athenz.zms.SignedDomain) ArrayList(java.util.ArrayList) DomainData(com.yahoo.athenz.zms.DomainData) MockZMSFileChangeLogStore(com.yahoo.athenz.zts.store.impl.MockZMSFileChangeLogStore) File(java.io.File) RoleMember(com.yahoo.athenz.zms.RoleMember) DataCache(com.yahoo.athenz.zts.cache.DataCache) Test(org.testng.annotations.Test)

Example 67 with DataCache

use of com.yahoo.athenz.zts.cache.DataCache in project athenz by yahoo.

the class ZTSImpl method postDomainMetrics.

/*
     * /metrics/{domainName}
     */
@Override
public DomainMetrics postDomainMetrics(ResourceContext ctx, String domainName, DomainMetrics domainMetrics) {
    final String caller = "postdomainmetrics";
    final String callerTiming = "postdomainmetrics_timing";
    metric.increment(HTTP_POST);
    logPrincipal(ctx);
    validateRequest(ctx.request(), caller);
    validate(domainName, TYPE_DOMAIN_NAME, caller);
    validate(domainMetrics, TYPE_DOMAIN_METRICS, caller);
    domainName = domainName.toLowerCase();
    // for consistent handling of all requests, we're going to convert
    // all incoming object values into lower case (e.g. domain, role,
    // policy, service, etc name)
    AthenzObject.DOMAIN_METRICS.convertToLowerCase(domainMetrics);
    Object timerMetric = metric.startTiming(callerTiming, domainName);
    // verify valid domain specified
    DataCache data = dataStore.getDataCache(domainName);
    if (data == null) {
        metric.increment(HTTP_REQUEST, ZTSConsts.ZTS_UNKNOWN_DOMAIN);
        metric.increment(caller, ZTSConsts.ZTS_UNKNOWN_DOMAIN);
        throw notFoundError("postDomainMetrics: No such domain: " + domainName, caller, ZTSConsts.ZTS_UNKNOWN_DOMAIN);
    }
    // verify domain name matches domain name in request object
    final String metricDomain = domainMetrics.getDomainName();
    if (!metricDomain.equals(domainName)) {
        final String errMsg = "postDomainMetrics: mismatched domain names: uri domain: " + domainName + " : metric domain: " + metricDomain;
        throw requestError(errMsg, caller, domainName);
    }
    List<DomainMetric> dmList = domainMetrics.getMetricList();
    if (dmList == null || dmList.size() == 0) {
        // no metrics were sent - log error
        final String errMsg = "postDomainMetrics: received no metrics for domain: " + domainName;
        throw requestError(errMsg, caller, domainName);
    }
    for (DomainMetric dm : dmList) {
        DomainMetricType dmType = dm.getMetricType();
        if (dmType == null) {
            LOGGER.error("postDomainMetrics: ignore missing metric received for domain: {}", domainName);
            continue;
        }
        final String dmt = dmType.toString().toLowerCase();
        Integer count = dm.getMetricVal();
        if (count == null || count.intValue() < 0) {
            LOGGER.error("postDomainMetrics: ignore metric: {} invalid counter {} received for domain {}", dmt, count, domainName);
            continue;
        }
        String metricName = DOM_METRIX_PREFIX + dmt;
        metric.increment(metricName, domainName, count);
    }
    metric.stopTiming(timerMetric);
    return domainMetrics;
}
Also used : DataCache(com.yahoo.athenz.zts.cache.DataCache)

Example 68 with DataCache

use of com.yahoo.athenz.zts.cache.DataCache in project athenz by yahoo.

the class ZTSImpl method postOSTKInstanceInformation.

// this method will be removed and replaced with call to postInstanceRegisterInformation
@Override
public Identity postOSTKInstanceInformation(ResourceContext ctx, OSTKInstanceInformation info) {
    final String caller = "postostinstanceinformation";
    final String callerTiming = "postostinstanceinformation_timing";
    metric.increment(HTTP_POST);
    logPrincipal(ctx);
    if (LOGGER.isDebugEnabled()) {
        LOGGER.debug("postOSTKInstanceInformation: " + info);
    }
    validateRequest(ctx.request(), caller);
    String domain = info.getDomain();
    String service = info.getService();
    Object timerMetric = metric.startTiming(callerTiming, domain);
    metric.increment(HTTP_REQUEST, domain);
    metric.increment(caller, domain);
    validate(info, TYPE_OSTK_INSTANCE_INFO, caller);
    // for consistent handling of all requests, we're going to convert
    // all incoming object values into lower case (e.g. domain, role,
    // policy, service, etc name)
    domain = domain.toLowerCase();
    service = service.toLowerCase();
    final String cn = domain + "." + service;
    if (ostkHostSignerDomain == null) {
        throw serverError("postOSTKInstanceInformation: Host Signer not configured", caller, domain);
    }
    // Fetch the public key of ostk host signer service
    DataCache data = dataStore.getDataCache(ostkHostSignerDomain);
    if (data == null) {
        throw notFoundError("postOSTKInstanceInformation: No such domain: " + ostkHostSignerDomain, caller, domain);
    }
    String keyId = info.getKeyId();
    String publicKey = dataStore.getPublicKey(ostkHostSignerDomain, ostkHostSignerService, keyId);
    if (publicKey == null) {
        throw notFoundError("postOSTKInstanceInformation: No publicKey for service: " + ostkHostSignerService + " with key id: " + keyId, caller, domain);
    }
    if (!cloudStore.verifyInstanceDocument(info, publicKey)) {
        throw requestError("postOSTKInstanceInformation: unable to validate instance document", caller, domain);
    }
    // validate the CSR
    PKCS10CertificationRequest certReq = Crypto.getPKCS10CertRequest(info.getCsr());
    if (certReq == null) {
        throw requestError("postOSTKInstanceInformation: unable to parse PKCS10 certificate request", caller, domain);
    }
    if (!ZTSUtils.verifyCertificateRequest(certReq, domain, service, null)) {
        throw requestError("postOSTKInstanceInformation: unable to verify certificate request, invalid csr", caller, domain);
    }
    final String instanceId = ZTSUtils.extractCertReqInstanceId(certReq);
    if (instanceId == null) {
        throw requestError("postOSTKInstanceInformation: unable to extract instance id", caller, domain);
    }
    // generate certificate for the instance
    Identity identity = ZTSUtils.generateIdentity(certSigner, info.getCsr(), cn, null, 0);
    if (identity == null) {
        throw requestError("postOSTKInstanceInformation: unable to generate identity", caller, domain);
    }
    // need to update our cert record with new certificate details
    X509CertRecord x509CertRecord = new X509CertRecord();
    x509CertRecord.setService(cn);
    x509CertRecord.setProvider("ostk");
    x509CertRecord.setInstanceId(instanceId);
    X509Certificate newCert = Crypto.loadX509Certificate(identity.getCertificate());
    x509CertRecord.setCurrentSerial(newCert.getSerialNumber().toString());
    x509CertRecord.setCurrentIP(ServletRequestUtil.getRemoteAddress(ctx.request()));
    x509CertRecord.setCurrentTime(new Date());
    x509CertRecord.setPrevSerial(x509CertRecord.getCurrentSerial());
    x509CertRecord.setPrevIP(x509CertRecord.getCurrentIP());
    x509CertRecord.setPrevTime(x509CertRecord.getCurrentTime());
    if (!instanceCertManager.insertX509CertRecord(x509CertRecord)) {
        throw serverError("postOSTKInstanceInformation: unable to update cert db", caller, domain);
    }
    metric.stopTiming(timerMetric);
    return identity;
}
Also used : PKCS10CertificationRequest(org.bouncycastle.pkcs.PKCS10CertificationRequest) DataCache(com.yahoo.athenz.zts.cache.DataCache) X509CertRecord(com.yahoo.athenz.zts.cert.X509CertRecord) X509Certificate(java.security.cert.X509Certificate) Date(java.util.Date)

Example 69 with DataCache

use of com.yahoo.athenz.zts.cache.DataCache in project athenz by yahoo.

the class ZTSImpl method postRoleCertificateRequest.

@Override
public RoleToken postRoleCertificateRequest(ResourceContext ctx, String domainName, String roleName, RoleCertificateRequest req) {
    final String caller = "postrolecertificaterequest";
    final String callerTiming = "postrolecertificaterequest_timing";
    metric.increment(HTTP_POST);
    logPrincipal(ctx);
    validateRequest(ctx.request(), caller);
    validate(domainName, TYPE_DOMAIN_NAME, caller);
    validate(roleName, TYPE_ENTITY_NAME, caller);
    validate(req, TYPE_ROLE_CERTIFICATE_REQUEST, caller);
    // for consistent handling of all requests, we're going to convert
    // all incoming object values into lower case since ZMS Server
    // saves all of its object names in lower case
    domainName = domainName.toLowerCase();
    roleName = roleName.toLowerCase();
    Object timerMetric = metric.startTiming(callerTiming, domainName);
    // get our principal's name
    String principal = ((RsrcCtxWrapper) ctx).principal().getFullName();
    if (LOGGER.isDebugEnabled()) {
        LOGGER.debug("postRoleCertificateRequest(domain: " + domainName + ", principal: " + principal + ", role: " + roleName + ")");
    }
    // first retrieve our domain data object from the cache
    DataCache data = dataStore.getDataCache(domainName);
    if (data == null) {
        // just increment the request counter without any dimension
        // we don't want to get persistent indexes for invalid domains
        metric.increment(HTTP_REQUEST, ZTSConsts.ZTS_UNKNOWN_DOMAIN);
        metric.increment(caller, ZTSConsts.ZTS_UNKNOWN_DOMAIN);
        throw notFoundError("postRoleCertificateRequest: No such domain: " + domainName, caller, ZTSConsts.ZTS_UNKNOWN_DOMAIN);
    }
    // update our metric with dimension. we're moving the metric here
    // after the domain name has been confirmed as valid since with
    // dimensions we get stuck with persistent indexes so we only want
    // to create them for valid domain names
    metric.increment(HTTP_REQUEST, domainName);
    metric.increment(caller, domainName);
    // process our request and retrieve the roles for the principal
    String[] requestedRoleList = { roleName };
    Set<String> roles = new HashSet<>();
    dataStore.getAccessibleRoles(data, domainName, principal, requestedRoleList, roles, false);
    if (roles.isEmpty()) {
        throw forbiddenError("postRoleCertificateRequest: No access to any roles in domain: " + domainName, caller, domainName);
    }
    PKCS10CertificationRequest certReq = Crypto.getPKCS10CertRequest(req.getCsr());
    if (certReq == null) {
        throw requestError("postRoleCertificateRequest: Unable to parse cert request", caller, domainName);
    }
    if (!validateRoleCertificateRequest(certReq, domainName, roles, principal)) {
        throw requestError("postRoleCertificateRequest: Unable to validate cert request", caller, domainName);
    }
    String x509Cert = certSigner.generateX509Certificate(req.getCsr(), ZTSConsts.ZTS_CERT_USAGE_CLIENT, (int) req.getExpiryTime());
    if (null == x509Cert || x509Cert.isEmpty()) {
        throw serverError("postRoleCertificateRequest: Unable to create certificate from the cert signer", caller, domainName);
    }
    RoleToken roleToken = new RoleToken().setToken(x509Cert).setExpiryTime(ZTS_ROLE_CERT_EXPIRY);
    metric.stopTiming(timerMetric);
    return roleToken;
}
Also used : PKCS10CertificationRequest(org.bouncycastle.pkcs.PKCS10CertificationRequest) DataCache(com.yahoo.athenz.zts.cache.DataCache) HashSet(java.util.HashSet)

Example 70 with DataCache

use of com.yahoo.athenz.zts.cache.DataCache in project athenz by yahoo.

the class ZTSImpl method getTenantDomains.

public TenantDomains getTenantDomains(ResourceContext ctx, String providerDomainName, String userName, String roleName, String serviceName) {
    final String caller = "gettenantdomains";
    final String callerTiming = "gettenantdomains_timing";
    metric.increment(HTTP_GET);
    logPrincipal(ctx);
    validateRequest(ctx.request(), caller);
    validate(providerDomainName, TYPE_DOMAIN_NAME, caller);
    validate(userName, TYPE_ENTITY_NAME, caller);
    if (roleName != null) {
        validate(roleName, TYPE_ENTITY_NAME, caller);
    }
    if (serviceName != null) {
        validate(serviceName, TYPE_SERVICE_NAME, caller);
    }
    // for consistent handling of all requests, we're going to convert
    // all incoming object values into lower case since ZMS Server
    // saves all of its object names in lower case
    providerDomainName = providerDomainName.toLowerCase();
    if (roleName != null) {
        roleName = roleName.toLowerCase();
    }
    if (serviceName != null) {
        serviceName = serviceName.toLowerCase();
    }
    userName = normalizeDomainAliasUser(userName.toLowerCase());
    // first retrieve our domain data object from the cache
    Object timerMetric = metric.startTiming(callerTiming, providerDomainName);
    DataCache data = dataStore.getDataCache(providerDomainName);
    if (data == null) {
        // just increment the request counter without any dimension
        // we don't want to get persistent indexes for invalid domains
        metric.increment(HTTP_REQUEST, ZTSConsts.ZTS_UNKNOWN_DOMAIN);
        metric.increment(caller, ZTSConsts.ZTS_UNKNOWN_DOMAIN);
        throw notFoundError("getTenantDomains: No such provider domain: " + providerDomainName, caller, ZTSConsts.ZTS_UNKNOWN_DOMAIN);
    }
    // update our metric with dimension. we're moving the metric here
    // after the domain name has been confirmed as valid since with
    // dimensions we get stuck with persistent indexes so we only want
    // to create them for valid domain names
    metric.increment(HTTP_REQUEST, providerDomainName);
    metric.increment(caller, providerDomainName);
    if (userName.indexOf('.') == -1) {
        userName = this.userDomain + "." + userName;
    }
    roleName = convertEmptyStringToNull(roleName);
    String[] requestedRoleList = null;
    if (roleName != null) {
        requestedRoleList = roleName.split(",");
    }
    // process our request and retrieve the roles for the principal
    Set<String> roles = new HashSet<>();
    dataStore.getAccessibleRoles(data, providerDomainName, userName, requestedRoleList, roles, false);
    // we are going to process the list and only keep the tenant
    // domains - this is based on the role names since our tenant
    // roles are named: <service>.tenant.<domain>.[<resource_group>.]<action>
    Set<String> domainNames = new HashSet<>();
    for (String role : roles) {
        String domainName = retrieveTenantDomainName(role, serviceName);
        if (domainName != null) {
            domainNames.add(domainName);
        }
    }
    TenantDomains tenantDomains = new TenantDomains();
    tenantDomains.setTenantDomainNames(new ArrayList<String>(domainNames));
    metric.stopTiming(timerMetric);
    return tenantDomains;
}
Also used : DataCache(com.yahoo.athenz.zts.cache.DataCache) HashSet(java.util.HashSet)

Aggregations

DataCache (com.yahoo.athenz.zts.cache.DataCache)84 Test (org.testng.annotations.Test)68 ArrayList (java.util.ArrayList)44 MockZMSFileChangeLogStore (com.yahoo.athenz.zts.store.impl.MockZMSFileChangeLogStore)39 ZMSFileChangeLogStore (com.yahoo.athenz.zts.store.impl.ZMSFileChangeLogStore)38 DomainData (com.yahoo.athenz.zms.DomainData)32 Role (com.yahoo.athenz.zms.Role)31 HashSet (java.util.HashSet)24 RoleMember (com.yahoo.athenz.zms.RoleMember)23 ServiceIdentity (com.yahoo.athenz.zms.ServiceIdentity)17 SignedDomain (com.yahoo.athenz.zms.SignedDomain)14 Policy (com.yahoo.athenz.zms.Policy)13 Domain (com.yahoo.athenz.zms.Domain)12 MemberRole (com.yahoo.athenz.zts.cache.MemberRole)12 Set (java.util.Set)12 Assertion (com.yahoo.athenz.zms.Assertion)7 HostServices (com.yahoo.athenz.zts.HostServices)6 HashMap (java.util.HashMap)6 SignedDomains (com.yahoo.athenz.zms.SignedDomains)5 Principal (com.yahoo.athenz.auth.Principal)4