@Test
public void testInsertX509RecordAlreadyExists() throws Exception {
    JDBCCertRecordStoreConnection jdbcConn = new JDBCCertRecordStoreConnection(mockConn);
    // Record under test: the current and previous halves share one timestamp,
    // so the same Timestamp value is expected on both statement paths below.
    Date now = new Date();
    Timestamp nowStamp = new Timestamp(now.getTime());
    X509CertRecord record = new X509CertRecord();
    record.setProvider("ostk");
    record.setInstanceId("instance-id");
    record.setService("cn");
    record.setCurrentSerial("current-serial");
    record.setCurrentIP("current-ip");
    record.setCurrentTime(now);
    record.setPrevSerial("prev-serial");
    record.setPrevIP("prev-ip");
    record.setPrevTime(now);
    // The first executeUpdate (the insert) raises a duplicate-entry SQLException
    // carrying vendor code 1062; the second (the fallback update) reports one row.
    Mockito.doThrow(new SQLException("entry already exits", "state", 1062))
        .doReturn(1)
        .when(mockPrepStmt)
        .executeUpdate();
    assertTrue(jdbcConn.insertX509CertRecord(record));
    // One set of bindings is attributed to the insert, one to the update; every
    // parameter except the shared timestamp is therefore bound exactly once.
    Mockito.verify(mockPrepStmt, times(1)).setString(1, "ostk");
    Mockito.verify(mockPrepStmt, times(1)).setString(2, "instance-id");
    Mockito.verify(mockPrepStmt, times(1)).setString(3, "cn");
    Mockito.verify(mockPrepStmt, times(1)).setString(4, "current-serial");
    Mockito.verify(mockPrepStmt, times(1)).setString(6, "current-ip");
    Mockito.verify(mockPrepStmt, times(1)).setString(7, "prev-serial");
    Mockito.verify(mockPrepStmt, times(1)).setTimestamp(8, nowStamp);
    Mockito.verify(mockPrepStmt, times(1)).setString(9, "prev-ip");
    Mockito.verify(mockPrepStmt, times(1)).setString(1, "current-serial");
    Mockito.verify(mockPrepStmt, times(1)).setTimestamp(2, nowStamp);
    Mockito.verify(mockPrepStmt, times(1)).setString(3, "current-ip");
    Mockito.verify(mockPrepStmt, times(1)).setString(4, "prev-serial");
    Mockito.verify(mockPrepStmt, times(1)).setString(6, "prev-ip");
    Mockito.verify(mockPrepStmt, times(1)).setString(7, "cn");
    Mockito.verify(mockPrepStmt, times(1)).setString(8, "ostk");
    Mockito.verify(mockPrepStmt, times(1)).setString(9, "instance-id");
    // Parameter 5 is the timestamp bound by both statements, hence two calls.
    Mockito.verify(mockPrepStmt, times(2)).setTimestamp(5, nowStamp);
    jdbcConn.close();
}
@Test
public void testGetX509CertRecord() throws Exception {
    Date now = new Date();
    Timestamp dbTime = new Timestamp(now.getTime());
    // Serve exactly one row; each column is answered by name from the mocked result set.
    Mockito.when(mockResultSet.next()).thenReturn(true);
    Mockito.doReturn("cn").when(mockResultSet).getString(JDBCCertRecordStoreConnection.DB_COLUMN_SERVICE);
    Mockito.doReturn("current-serial").when(mockResultSet).getString(JDBCCertRecordStoreConnection.DB_COLUMN_CURRENT_SERIAL);
    Mockito.doReturn("prev-serial").when(mockResultSet).getString(JDBCCertRecordStoreConnection.DB_COLUMN_PREV_SERIAL);
    Mockito.doReturn("current-ip").when(mockResultSet).getString(JDBCCertRecordStoreConnection.DB_COLUMN_CURRENT_IP);
    Mockito.doReturn("prev-ip").when(mockResultSet).getString(JDBCCertRecordStoreConnection.DB_COLUMN_PREV_IP);
    Mockito.doReturn(dbTime).when(mockResultSet).getTimestamp(JDBCCertRecordStoreConnection.DB_COLUMN_CURRENT_TIME);
    Mockito.doReturn(dbTime).when(mockResultSet).getTimestamp(JDBCCertRecordStoreConnection.DB_COLUMN_PREV_TIME);
    JDBCCertRecordStoreConnection jdbcConn = new JDBCCertRecordStoreConnection(mockConn);
    X509CertRecord found = jdbcConn.getX509CertRecord("ostk", "instance-id");
    assertNotNull(found);
    // Lookup keys are echoed back into the record; the rest comes from the row.
    assertEquals(found.getInstanceId(), "instance-id");
    assertEquals(found.getService(), "cn");
    assertEquals(found.getCurrentSerial(), "current-serial");
    assertEquals(found.getCurrentIP(), "current-ip");
    assertEquals(found.getCurrentTime(), now);
    assertEquals(found.getPrevSerial(), "prev-serial");
    assertEquals(found.getPrevIP(), "prev-ip");
    assertEquals(found.getPrevTime(), now);
    jdbcConn.close();
}
@Test
public void testGetX509CertRecordNotFound() throws Exception {
    // An empty result set must surface as a null record rather than an exception.
    Mockito.when(mockResultSet.next()).thenReturn(false);
    JDBCCertRecordStoreConnection jdbcConn = new JDBCCertRecordStoreConnection(mockConn);
    X509CertRecord missing = jdbcConn.getX509CertRecord("ostk", "instance-id-not-found");
    assertNull(missing);
    jdbcConn.close();
}
// this method will be removed and replaced with call to postInstanceRegisterInformation
/**
 * Issues a service identity (X.509 certificate) for an OSTK instance whose
 * instance document was signed by the configured host signer service.
 * <p>
 * Checks run in this order and each failure aborts the request: request
 * validation, schema validation of {@code info}, host-signer configuration and
 * public-key lookup, signature verification of the instance document, CSR
 * parsing and verification against the lower-cased domain/service, instance-id
 * extraction from the CSR, certificate generation, and persistence of the cert
 * record. Failures are reported through the errors built by
 * {@code serverError}, {@code notFoundError} and {@code requestError}; the
 * timing metric started here is only stopped on the success path.
 *
 * @param ctx  request context; used for principal logging, request validation
 *             and the remote address recorded in the cert record
 * @param info signed instance document together with the CSR and the id of the
 *             host-signer key that signed it
 * @return the generated identity (never {@code null} when this method returns)
 */
@Override
public Identity postOSTKInstanceInformation(ResourceContext ctx, OSTKInstanceInformation info) {
    final String caller = "postostinstanceinformation";
    final String callerTiming = "postostinstanceinformation_timing";
    metric.increment(HTTP_POST);
    logPrincipal(ctx);
    if (LOGGER.isDebugEnabled()) {
        // NOTE(review): logs the whole request object; whatever its toString
        // exposes (CSR, instance document) ends up in debug logs.
        LOGGER.debug("postOSTKInstanceInformation: " + info);
    }
    validateRequest(ctx.request(), caller);
    String domain = info.getDomain();
    String service = info.getService();
    Object timerMetric = metric.startTiming(callerTiming, domain);
    metric.increment(HTTP_REQUEST, domain);
    metric.increment(caller, domain);
    // Schema-level validation of the request body; runs before any field is used
    // beyond the metric labels above.
    validate(info, TYPE_OSTK_INSTANCE_INFO, caller);
    // for consistent handling of all requests, we're going to convert
    // all incoming object values into lower case (e.g. domain, role,
    // policy, service, etc name)
    domain = domain.toLowerCase();
    service = service.toLowerCase();
    // Expected subject CN of the issued certificate: "<domain>.<service>".
    final String cn = domain + "." + service;
    if (ostkHostSignerDomain == null) {
        throw serverError("postOSTKInstanceInformation: Host Signer not configured", caller, domain);
    }
    // Fetch the public key of ostk host signer service
    // The cache entry itself is only used as an existence check for the domain;
    // the key is resolved separately through getPublicKey below.
    DataCache data = dataStore.getDataCache(ostkHostSignerDomain);
    if (data == null) {
        throw notFoundError("postOSTKInstanceInformation: No such domain: " + ostkHostSignerDomain, caller, domain);
    }
    // keyId is taken from the request, so it selects which of the signer's
    // registered keys is used; a key id that is not registered is rejected here.
    String keyId = info.getKeyId();
    String publicKey = dataStore.getPublicKey(ostkHostSignerDomain, ostkHostSignerService, keyId);
    if (publicKey == null) {
        throw notFoundError("postOSTKInstanceInformation: No publicKey for service: " + ostkHostSignerService + " with key id: " + keyId, caller, domain);
    }
    // The instance document must verify against the host signer's key before
    // anything in it is trusted.
    if (!cloudStore.verifyInstanceDocument(info, publicKey)) {
        throw requestError("postOSTKInstanceInformation: unable to validate instance document", caller, domain);
    }
    // validate the CSR
    PKCS10CertificationRequest certReq = Crypto.getPKCS10CertRequest(info.getCsr());
    if (certReq == null) {
        throw requestError("postOSTKInstanceInformation: unable to parse PKCS10 certificate request", caller, domain);
    }
    // No existing cert record is passed (null), so only the domain/service
    // consistency of the CSR is checked here, not a previous instance id.
    if (!ZTSUtils.verifyCertificateRequest(certReq, domain, service, null)) {
        throw requestError("postOSTKInstanceInformation: unable to verify certificate request, invalid csr", caller, domain);
    }
    final String instanceId = ZTSUtils.extractCertReqInstanceId(certReq);
    if (instanceId == null) {
        throw requestError("postOSTKInstanceInformation: unable to extract instance id", caller, domain);
    }
    // generate certificate for the instance
    Identity identity = ZTSUtils.generateIdentity(certSigner, info.getCsr(), cn, null, 0);
    if (identity == null) {
        throw requestError("postOSTKInstanceInformation: unable to generate identity", caller, domain);
    }
    // need to update our cert record with new certificate details
    X509CertRecord x509CertRecord = new X509CertRecord();
    x509CertRecord.setService(cn);
    x509CertRecord.setProvider("ostk");
    x509CertRecord.setInstanceId(instanceId);
    // Serial is read back from the certificate that was actually issued.
    X509Certificate newCert = Crypto.loadX509Certificate(identity.getCertificate());
    x509CertRecord.setCurrentSerial(newCert.getSerialNumber().toString());
    x509CertRecord.setCurrentIP(ServletRequestUtil.getRemoteAddress(ctx.request()));
    x509CertRecord.setCurrentTime(new Date());
    // First issuance for this record: there is no earlier certificate, so the
    // previous-* fields mirror the current ones.
    x509CertRecord.setPrevSerial(x509CertRecord.getCurrentSerial());
    x509CertRecord.setPrevIP(x509CertRecord.getCurrentIP());
    x509CertRecord.setPrevTime(x509CertRecord.getCurrentTime());
    // The identity is not returned unless the record was persisted; a failed
    // insert turns into a server error even though the certificate was signed.
    if (!instanceCertManager.insertX509CertRecord(x509CertRecord)) {
        throw serverError("postOSTKInstanceInformation: unable to update cert db", caller, domain);
    }
    metric.stopTiming(timerMetric);
    return identity;
}
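/**
 * Exercises ZTSUtils.verifyCertificateRequest against the checked-in instance-id
 * CSR fixture: the request is accepted only when the domain/service arguments and
 * the existing cert record's service and instance id all agree with the CSR.
 *
 * @throws IOException if the CSR fixture cannot be read
 */
@Test
public void testVerifyCertificateRequest() throws IOException {
    Path csrPath = Paths.get("src/test/resources/athenz.instanceid.csr");
    // Decode with an explicit charset: new String(byte[]) falls back to the
    // platform default, which differs between developer machines and CI.
    String csr = new String(Files.readAllBytes(csrPath), java.nio.charset.StandardCharsets.UTF_8);
    PKCS10CertificationRequest certReq = Crypto.getPKCS10CertRequest(csr);
    X509CertRecord certRecord = new X509CertRecord();
    // Baseline: record matches the CSR and the requested domain/service.
    certRecord.setService("athenz.production");
    certRecord.setInstanceId("1001");
    assertTrue(ZTSUtils.verifyCertificateRequest(certReq, "athenz", "production", certRecord));
    // Same record, but the request names a different domain.
    assertFalse(ZTSUtils.verifyCertificateRequest(certReq, "athenz2", "production", certRecord));
    // Record's service no longer matches the requested domain/service.
    certRecord.setService("athenz2.production");
    certRecord.setInstanceId("1001");
    assertFalse(ZTSUtils.verifyCertificateRequest(certReq, "athenz", "production", certRecord));
    // Record's instance id differs from the one carried in the CSR.
    certRecord.setService("athenz.production");
    certRecord.setInstanceId("1002");
    assertFalse(ZTSUtils.verifyCertificateRequest(certReq, "athenz", "production", certRecord));
}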