From eae9a80a026c8133393e7870681415cac2c79996 Mon Sep 17 00:00:00 2001 From: Henry Avetisyan Date: Tue, 24 Sep 2024 22:22:59 -0700 Subject: [PATCH] first round of fixes from functional tests suites (#2741) Signed-off-by: Henry Avetisyan --- clients/java/zms/examples/tls-support/pom.xml | 6 +- clients/java/zts/examples/tls-support/pom.xml | 17 +- .../tls/client/ZTSTLSClientAccessToken.java | 24 +- clients/java/zts/pom.xml | 18 - .../container/AthenzJettyContainer.java | 43 +- .../container/AthenzJettyContainerTest.java | 27 +- .../examples/tls-support/pom.xml | 6 +- .../examples/gcp-sia-creds/pom.xml | 8 +- .../examples/gcp-zts-creds/pom.xml | 10 +- libs/java/gcp_zts_creds/pom.xml | 12 - libs/java/instance_provider/pom.xml | 19 - ...tAWSElasticKubernetesServiceValidator.java | 12 +- .../provider/impl/InstanceAWSProvider.java | 28 +- libs/java/server_aws_common/pom.xml | 7 +- .../common/creds/impl/TempCredsProvider.java | 272 +----- .../creds/impl/TempCredsProviderTest.java | 803 +----------------- libs/java/server_common/pom.xml | 15 +- .../common/server/store/impl/JDBCConsts.java | 1 + .../store/impl/JDBCObjectStoreFactory.java | 14 + .../util/config/ConfigManagerSingleton.java | 26 +- pom.xml | 34 + .../yahoo/athenz/zts/store/CloudStore.java | 7 - .../athenz/zts/store/CloudStoreTest.java | 12 +- syncers/auth_history_syncer/pom.xml | 12 - .../S3ClientFactory.java | 1 - 25 files changed, 169 insertions(+), 1265 deletions(-) diff --git a/clients/java/zms/examples/tls-support/pom.xml b/clients/java/zms/examples/tls-support/pom.xml index 7b356a5634d..35d2bb4fad0 100644 --- a/clients/java/zms/examples/tls-support/pom.xml +++ b/clients/java/zms/examples/tls-support/pom.xml @@ -27,7 +27,7 @@ UTF-8 UTF-8 - 1.11.52 + 1.12.1 @@ -49,12 +49,12 @@ commons-cli commons-cli - 1.6.0 + 1.9.0 ch.qos.logback logback-classic - 1.5.2 + 1.5.8 diff --git a/clients/java/zts/examples/tls-support/pom.xml b/clients/java/zts/examples/tls-support/pom.xml index 2cf937014e7..d0426a96674 100644 
--- a/clients/java/zts/examples/tls-support/pom.xml +++ b/clients/java/zts/examples/tls-support/pom.xml @@ -27,7 +27,7 @@ UTF-8 UTF-8 - 1.11.52 + 1.12.1 0.11.5 @@ -62,31 +62,22 @@ commons-cli commons-cli - 1.6.0 + 1.9.0 org.slf4j slf4j-api - 2.0.12 + 2.0.16 ch.qos.logback logback-classic - 1.5.2 + 1.5.8 - - org.apache.maven.plugins - maven-compiler-plugin - 3.8.1 - - 1.8 - 1.8 - - org.apache.maven.plugins maven-dependency-plugin diff --git a/clients/java/zts/examples/tls-support/src/main/java/com/yahoo/athenz/example/zts/tls/client/ZTSTLSClientAccessToken.java b/clients/java/zts/examples/tls-support/src/main/java/com/yahoo/athenz/example/zts/tls/client/ZTSTLSClientAccessToken.java index ef11c17ba74..d94f12f587d 100644 --- a/clients/java/zts/examples/tls-support/src/main/java/com/yahoo/athenz/example/zts/tls/client/ZTSTLSClientAccessToken.java +++ b/clients/java/zts/examples/tls-support/src/main/java/com/yahoo/athenz/example/zts/tls/client/ZTSTLSClientAccessToken.java @@ -26,7 +26,7 @@ import org.apache.commons.cli.Option; import org.apache.commons.cli.Options; import org.apache.commons.cli.ParseException; -import org.apache.http.conn.DnsResolver; +import org.apache.hc.client5.http.DnsResolver; import com.oath.auth.KeyRefresher; import com.oath.auth.Utils; 
@@ -198,14 +198,24 @@ private static DnsResolver getDnsResolver(final String resolveHostname) throws U final String ipAddress = resolveHostname.substring(idx + 1); final InetAddress[] inetResponse = new InetAddress[1]; - inetResponse[0] = InetAddress.getByName(resolveHostname.substring(idx + 1)); + inetResponse[0] = InetAddress.getByName(ipAddress); - DnsResolver dnsResolver = host -> { - if (host.equalsIgnoreCase(hostname)) { - return inetResponse; + return new DnsResolver() { + @Override + public InetAddress[] resolve(String host) throws UnknownHostException { + if (host.equalsIgnoreCase(hostname)) { + return inetResponse; + } + throw new UnknownHostException("unknown host: " + host); + } + + @Override + public String resolveCanonicalHostname(String host) throws UnknownHostException { + if (host.equalsIgnoreCase(hostname)) { + return hostname; + } + throw new UnknownHostException("unknown host: " + host); } - throw new UnknownHostException("unknown host: " + host); }; - return dnsResolver; } } diff --git a/clients/java/zts/pom.xml b/clients/java/zts/pom.xml index 9e51242a58f..7f71046b35c 100644 --- a/clients/java/zts/pom.xml +++ b/clients/java/zts/pom.xml @@ -25,24 +25,6 @@ jar athenz-zts-java-client ZTS Java Client Library - - - - com.amazonaws - aws-java-sdk-bom - ${aws.version} - pom - import - - - software.amazon.awssdk - bom - ${aws2.version} - pom - import - - - 3.10.8 diff --git a/containers/jetty/src/main/java/com/yahoo/athenz/container/AthenzJettyContainer.java b/containers/jetty/src/main/java/com/yahoo/athenz/container/AthenzJettyContainer.java index 8311882c011..a2568e8e586 100644 --- a/containers/jetty/src/main/java/com/yahoo/athenz/container/AthenzJettyContainer.java +++ b/containers/jetty/src/main/java/com/yahoo/athenz/container/AthenzJettyContainer.java 
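Review bot: The anonymous resolver hands out the same `inetResponse` array on every `resolve` call, so a caller that mutates the returned array rewrites the pinned address for every later connection; return a copy instead, `return inetResponse.clone();`. The `InetAddress.getByName(ipAddress)` call just above only avoids a network lookup when the text after the colon is an IP literal, so a non-literal value silently turns the "pin hostname to this address" feature into an ordinary DNS resolution — worth a comment or an explicit literal check since this example exists to test TLS against a chosen server. The enclosing getDnsResolver starts before the hunk.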
@@ -149,7 +149,7 @@ public void addRequestLogHandler() {
 }
 }
- void addRewriteHandler(final String serverHostName) {
+ RewriteHandler createRewriteHandler(final String serverHostName) {
 RewriteHandler rewriteHandler = new RewriteHandler();
@@ -200,32 +200,46 @@ void addRewriteHandler(final String serverHostName) { hostNameRule.setHeaderValue(serverHostName); rewriteHandler.addRule(hostNameRule); - handlers.addHandler(rewriteHandler); + return rewriteHandler; + } + + GzipHandler createGzipHandler() { + boolean gzipSupport = Boolean.parseBoolean(System.getProperty(AthenzConsts.ATHENZ_PROP_GZIP_SUPPORT, "false")); + + if (!gzipSupport) { + return null; + } + int gzipMinSize = Integer.parseInt(System.getProperty(AthenzConsts.ATHENZ_PROP_GZIP_MIN_SIZE, "1024")); + + GzipHandler gzipHandler = new GzipHandler(); + gzipHandler.setMinGzipSize(gzipMinSize); + gzipHandler.setIncludedMimeTypes("application/json"); + return gzipHandler; } - void addServletHandlers() { + void addServletHandlers(final String serverHostName) { Environment.ensure("ee10"); Environment.get("ee10").setAttribute("contextHandlerClass", WebAppContext.class.getName()); + // create our rewrite handler + + RewriteHandler rewriteHandler = createRewriteHandler(serverHostName); + handlers.addHandler(rewriteHandler); + // create our context handler connection ContextHandlerCollection contexts = new ContextHandlerCollection(); // check to see if gzip support is enabled - boolean gzipSupport = Boolean.parseBoolean(System.getProperty(AthenzConsts.ATHENZ_PROP_GZIP_SUPPORT, "false")); - - if (gzipSupport) { - int gzipMinSize = Integer.parseInt( - System.getProperty(AthenzConsts.ATHENZ_PROP_GZIP_MIN_SIZE, "1024")); - - GzipHandler gzipHandler = new GzipHandler(); - gzipHandler.setMinGzipSize(gzipMinSize); - gzipHandler.setIncludedMimeTypes("application/json"); + GzipHandler gzipHandler = createGzipHandler(); + if (gzipHandler != null) { gzipHandler.setHandler(contexts); - handlers.addHandler(gzipHandler); + rewriteHandler.setHandler(gzipHandler); + } else { + rewriteHandler.setHandler(contexts); } // check to see if graceful shutdown support is enabled 
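Review bot: In `createGzipHandler`, `Integer.parseInt` on the `ATHENZ_PROP_GZIP_MIN_SIZE` property lets a bare `NumberFormatException` escape through `addServletHandlers`, so a typo in that setting aborts container startup without naming the property; wrap the parse, e.g. `catch (NumberFormatException ex) { throw new IllegalArgumentException("invalid value for " + AthenzConsts.ATHENZ_PROP_GZIP_MIN_SIZE, ex); }`. Returning null to mean "gzip disabled" is a style point: an `Optional<GzipHandler>` would make the caller's `if (gzipHandler != null)` branch self-documenting and prevent a future caller from forgetting it. Chaining rewrite → gzip → contexts through `setHandler` looks correct for a Jetty wrapper handler, but the graceful-shutdown wiring that follows is outside the hunk.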
@@ -601,8 +615,7 @@ public static AthenzJettyContainer createJettyContainer() {
 HttpConfiguration httpConfig = container.newHttpConfiguration();
 container.addHTTPConnectors(httpConfig, httpPort, httpsPort, oidcPort, statusPort);
- container.addRewriteHandler(serverHostName);
- container.addServletHandlers();
+ container.addServletHandlers(serverHostName);
 container.addRequestLogHandler();
 return container;
diff --git a/containers/jetty/src/test/java/com/yahoo/athenz/container/AthenzJettyContainerTest.java b/containers/jetty/src/test/java/com/yahoo/athenz/container/AthenzJettyContainerTest.java
index 356b7ca5445..0071c9bc72a 100644
--- a/containers/jetty/src/test/java/com/yahoo/athenz/container/AthenzJettyContainerTest.java
+++ b/containers/jetty/src/test/java/com/yahoo/athenz/container/AthenzJettyContainerTest.java
@@ -142,8 +142,7 @@ public void testAddServletHandlers() {
 System.setProperty(AthenzConsts.ATHENZ_PROP_KEEP_ALIVE, "false");
 AthenzJettyContainer container = new AthenzJettyContainer();
 container.createServer(100);
- container.addRewriteHandler("localhost");
- container.addServletHandlers();
+ container.addServletHandlers("localhost");
 }
 @Test
@@ -616,8 +615,7 @@ public void testGracefulShutdown() {
 // If the athenz.graceful_shutdown is not true.
 container = new AthenzJettyContainer();
 container.createServer(100);
- container.addRewriteHandler("localhost");
- container.addServletHandlers();
+ container.addServletHandlers("localhost");
 server = container.getServer();
 assertNotNull(server);
@@ -637,8 +635,7 @@ public void testGracefulShutdown() {
 container = new AthenzJettyContainer();
 container.createServer(100);
- container.addRewriteHandler("localhost");
- container.addServletHandlers();
+ container.addServletHandlers("localhost");
 server = container.getServer();
 assertNotNull(server);
@@ -656,8 +653,7 @@ public void testGracefulShutdown() {
 container = new AthenzJettyContainer();
 container.createServer(100);
- container.addRewriteHandler("localhost");
- container.addServletHandlers();
+ container.addServletHandlers("localhost");
 server = container.getServer();
 assertNotNull(server);
@@ -677,8 +673,7 @@ public void testGracefulShutdown() {
 container = new AthenzJettyContainer();
 container.createServer(100);
- container.addRewriteHandler("localhost");
- container.addServletHandlers();
+ container.addServletHandlers("localhost");
 server = container.getServer();
 assertNotNull(server);
@@ -698,8 +693,7 @@ public void testStatisticsHandler() {
 System.setProperty(AthenzConsts.ATHENZ_PROP_GRACEFUL_SHUTDOWN, "false");
 AthenzJettyContainer container = new AthenzJettyContainer();
 container.createServer(100);
- container.addRewriteHandler("localhost");
- container.addServletHandlers();
+ container.addServletHandlers("localhost");
 Handler.Sequence contextHandlerCollection = container.getHandlers();
 for (Handler handler : contextHandlerCollection.getHandlers()) {
@@ -718,8 +712,7 @@ public void testStatisticsHandler() {
 System.setProperty(AthenzConsts.ATHENZ_PROP_GRACEFUL_SHUTDOWN, "true");
 container = new AthenzJettyContainer();
 container.createServer(100);
- container.addRewriteHandler("localhost");
- container.addServletHandlers();
+ container.addServletHandlers("localhost");
 contextHandlerCollection = container.getHandlers();
 for (Handler handler : contextHandlerCollection.getHandlers()) {
@@ -740,8 +733,7 @@ public void testHttpResponseHeaders() {
 AthenzJettyContainer container = new AthenzJettyContainer();
 container.createServer(100);
- container.addRewriteHandler("localhost");
- container.addServletHandlers();
+ container.addServletHandlers("localhost");
 boolean header1Handled = false;
 boolean header2Handled = false;
@@ -775,8 +767,7 @@ public void testHttpResponseHeadersInvalidJson() { container.createServer(100); try { - container.addRewriteHandler("localhost"); - container.addServletHandlers(); + container.addServletHandlers("localhost"); fail(); } catch (Exception ex) { assertTrue(ex.getMessage().contains("must be a JSON object with string values")); diff --git a/libs/java/cert_refresher/examples/tls-support/pom.xml b/libs/java/cert_refresher/examples/tls-support/pom.xml index 5b9b664c8bc..77afcd992e6 100644 --- a/libs/java/cert_refresher/examples/tls-support/pom.xml +++ b/libs/java/cert_refresher/examples/tls-support/pom.xml @@ -27,7 +27,7 @@ UTF-8 UTF-8 - 1.11.52 + 1.12.1 @@ -39,12 +39,12 @@ commons-cli commons-cli - 1.6.0 + 1.9.0 ch.qos.logback logback-classic - 1.5.2 + 1.5.8 diff --git a/libs/java/gcp_zts_creds/examples/gcp-sia-creds/pom.xml b/libs/java/gcp_zts_creds/examples/gcp-sia-creds/pom.xml index 8b35638810c..a37b78180a7 100644 --- a/libs/java/gcp_zts_creds/examples/gcp-sia-creds/pom.xml +++ b/libs/java/gcp_zts_creds/examples/gcp-sia-creds/pom.xml @@ -27,7 +27,7 @@ UTF-8 UTF-8 - 1.11.58 + 1.12.1 @@ -39,17 +39,17 @@ commons-cli commons-cli - 1.7.0 + 1.9.0 org.slf4j slf4j-api - 2.0.13 + 2.0.16 ch.qos.logback logback-classic - 1.5.6 + 1.5.8 diff --git a/libs/java/gcp_zts_creds/examples/gcp-zts-creds/pom.xml b/libs/java/gcp_zts_creds/examples/gcp-zts-creds/pom.xml index 13398258455..bee230c48df 100644 --- a/libs/java/gcp_zts_creds/examples/gcp-zts-creds/pom.xml +++ b/libs/java/gcp_zts_creds/examples/gcp-zts-creds/pom.xml @@ -27,8 +27,8 @@ UTF-8 UTF-8 - 1.11.58 - 26.37.0 + 1.12.1 + 26.47.0 @@ -57,17 +57,17 @@ commons-cli commons-cli - 1.7.0 + 1.9.0 org.slf4j slf4j-api - 2.0.13 + 2.0.16 ch.qos.logback logback-classic - 1.5.6 + 1.5.8 com.google.auth diff --git a/libs/java/gcp_zts_creds/pom.xml b/libs/java/gcp_zts_creds/pom.xml index 397dbba7e30..ccbcec70ca8 100644 --- a/libs/java/gcp_zts_creds/pom.xml +++ b/libs/java/gcp_zts_creds/pom.xml 
@@ -30,18 +30,6 @@ 1.00 - - - - com.google.cloud - libraries-bom - ${gcp.bom.version} - pom - import - - - - ${project.groupId} diff --git a/libs/java/instance_provider/pom.xml b/libs/java/instance_provider/pom.xml index ac648e9feda..935b0c84813 100644 --- a/libs/java/instance_provider/pom.xml +++ b/libs/java/instance_provider/pom.xml @@ -33,25 +33,6 @@ 0.9983 - - - - software.amazon.awssdk - bom - ${aws2.version} - pom - import - - - com.google.cloud - libraries-bom - ${gcp.bom.version} - pom - import - - - - org.slf4j diff --git a/libs/java/instance_provider/src/main/java/com/yahoo/athenz/instance/provider/impl/DefaultAWSElasticKubernetesServiceValidator.java b/libs/java/instance_provider/src/main/java/com/yahoo/athenz/instance/provider/impl/DefaultAWSElasticKubernetesServiceValidator.java index a1947aadd29..774fe849327 100644 --- a/libs/java/instance_provider/src/main/java/com/yahoo/athenz/instance/provider/impl/DefaultAWSElasticKubernetesServiceValidator.java +++ b/libs/java/instance_provider/src/main/java/com/yahoo/athenz/instance/provider/impl/DefaultAWSElasticKubernetesServiceValidator.java @@ -33,6 +33,7 @@ import java.util.regex.Matcher; import java.util.regex.Pattern; +import software.amazon.awssdk.auth.credentials.AwsSessionCredentials; import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider; import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider; import software.amazon.awssdk.regions.Region; @@ -40,7 +41,6 @@ import software.amazon.awssdk.services.iam.model.ListOpenIdConnectProvidersRequest; import software.amazon.awssdk.services.iam.model.ListOpenIdConnectProvidersResponse; import software.amazon.awssdk.services.iam.model.OpenIDConnectProviderListEntry; -import software.amazon.awssdk.auth.credentials.AwsBasicCredentials; import software.amazon.awssdk.services.iam.IamClient; import software.amazon.awssdk.services.sts.model.AssumeRoleRequest; import software.amazon.awssdk.services.sts.model.AssumeRoleResponse; 
@@ -184,14 +184,12 @@ IamClient getIamClient(final String awsAccount) {
 .roleArn(roleArn).roleSessionName(roleSessionName).build();
 AssumeRoleResponse assumeRoleResponse = stsClient.assumeRole(assumeRoleRequest);
- AwsBasicCredentials credentials = AwsBasicCredentials.builder()
- .accessKeyId(assumeRoleResponse.credentials().accessKeyId())
- .secretAccessKey(assumeRoleResponse.credentials().secretAccessKey())
- .build();
-
 // Create Static Credentials Provider
- StaticCredentialsProvider credentialsProvider = StaticCredentialsProvider.create(credentials);
+ StaticCredentialsProvider credentialsProvider = StaticCredentialsProvider.create(
+ AwsSessionCredentials.create(assumeRoleResponse.credentials().accessKeyId(),
+ assumeRoleResponse.credentials().secretAccessKey(),
+ assumeRoleResponse.credentials().sessionToken()));
 // Create IAM Client
diff --git a/libs/java/instance_provider/src/main/java/com/yahoo/athenz/instance/provider/impl/InstanceAWSProvider.java b/libs/java/instance_provider/src/main/java/com/yahoo/athenz/instance/provider/impl/InstanceAWSProvider.java
index 0a7cd279250..c49f97ab0c8 100644
--- a/libs/java/instance_provider/src/main/java/com/yahoo/athenz/instance/provider/impl/InstanceAWSProvider.java
+++ b/libs/java/instance_provider/src/main/java/com/yahoo/athenz/instance/provider/impl/InstanceAWSProvider.java
@@ -24,7 +24,7 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-import software.amazon.awssdk.auth.credentials.AwsBasicCredentials;
+import software.amazon.awssdk.auth.credentials.AwsSessionCredentials;
 import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider;
 import software.amazon.awssdk.regions.Region;
 import software.amazon.awssdk.services.sts.StsClient;
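Review bot: The assumed-role credentials wrapped in `StaticCredentialsProvider` carry an expiry (`assumeRoleResponse.credentials().expiration()`) that a static provider never consults, so if the `IamClient` built below is cached or reused past the role session lifetime its calls will start failing with expired-token errors rather than re-assuming the role. If the client is reused, `StsAssumeRoleCredentialsProvider` (which refreshes by re-calling AssumeRole itself) is the safer choice; if it is one-shot, a comment saying so next to `// Create IAM Client` would prevent the trap. Adding the session token is the right fix, since temporary keys are rejected without it. Whether the client is cached, and whether `stsClient` is closed, is decided outside this hunk.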
@@ -414,32 +414,28 @@ protected void setConfirmationAttributes(InstanceConfirmation confirmation, bool StsClient getInstanceClient(AWSAttestationData info) { - String access = info.getAccess(); - if (access == null || access.isEmpty()) { - LOGGER.error("getInstanceClient: No access key id available in instance document"); + final String accessKey = info.getAccess(); + if (StringUtil.isEmpty(accessKey)) { + LOGGER.error("getInstanceClient: No access key available in instance document"); return null; } - String secret = info.getSecret(); - if (secret == null || secret.isEmpty()) { - LOGGER.error("getInstanceClient: No secret access key available in instance document"); + final String secretKey = info.getSecret(); + if (StringUtil.isEmpty(secretKey)) { + LOGGER.error("getInstanceClient: No secret key available in instance document"); return null; } - String token = info.getToken(); - if (token == null || token.isEmpty()) { - LOGGER.error("getInstanceClient: No token available in instance document"); + final String sessionToken = info.getToken(); + if (StringUtil.isEmpty(sessionToken)) { + LOGGER.error("getInstanceClient: No session token available in instance document"); return null; } - AwsBasicCredentials credentials = AwsBasicCredentials.builder() - .accessKeyId(access) - .secretAccessKey(secret) - .build(); - // Create Static Credentials Provider - StaticCredentialsProvider credentialsProvider = StaticCredentialsProvider.create(credentials); + StaticCredentialsProvider credentialsProvider = StaticCredentialsProvider.create( + AwsSessionCredentials.create(accessKey, secretKey, sessionToken)); // Create STS Client diff --git a/libs/java/server_aws_common/pom.xml b/libs/java/server_aws_common/pom.xml index 3d5b80c822e..7e353f63ecb 100644 --- a/libs/java/server_aws_common/pom.xml +++ b/libs/java/server_aws_common/pom.xml @@ -27,7 +27,7 @@ jar - 0.9612 + 0.9604 2.0.2 
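Review bot: `getInstanceClient` gains three early returns but still has no Javadoc, and since the key id, secret and session token are lifted straight from the caller-supplied attestation document the contract is worth stating: `/** Builds an STS client from the temporary credentials carried in the attestation data. All three parts are mandatory because temporary keys are invalid without their session token; none of the values may be logged. Returns null when any part is missing. */`. The error messages correctly name only which part is absent, not its value — keep it that way. The method continues past the hunk, and `StringUtil` is used without a visible import, so it is presumably already imported in this file.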
@@ -97,11 +97,6 @@ aws-secretsmanager-jdbc ${aws.secretmanager.version} - - org.eclipse.jetty - jetty-client - ${jetty.version} - ch.qos.logback logback-classic diff --git a/libs/java/server_aws_common/src/main/java/io/athenz/server/aws/common/creds/impl/TempCredsProvider.java b/libs/java/server_aws_common/src/main/java/io/athenz/server/aws/common/creds/impl/TempCredsProvider.java index b773fe50ef9..84eaabcf151 100644 --- a/libs/java/server_aws_common/src/main/java/io/athenz/server/aws/common/creds/impl/TempCredsProvider.java +++ b/libs/java/server_aws_common/src/main/java/io/athenz/server/aws/common/creds/impl/TempCredsProvider.java @@ -16,21 +16,13 @@ package io.athenz.server.aws.common.creds.impl; - import com.yahoo.athenz.zts.AWSTemporaryCredentials; import com.yahoo.athenz.common.server.ServerResourceException; -import com.yahoo.rdl.JSON; -import com.yahoo.rdl.Struct; import com.yahoo.rdl.Timestamp; -import org.eclipse.jetty.client.ContentResponse; -import org.eclipse.jetty.client.HttpClient; -import org.eclipse.jetty.client.Request; -import org.eclipse.jetty.http.HttpMethod; import org.eclipse.jetty.util.StringUtil; import org.slf4j.Logger; import org.slf4j.LoggerFactory; -import software.amazon.awssdk.auth.credentials.AwsBasicCredentials; -import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider; +import software.amazon.awssdk.auth.credentials.InstanceProfileCredentialsProvider; import software.amazon.awssdk.awscore.exception.AwsServiceException; import software.amazon.awssdk.regions.Region; import software.amazon.awssdk.services.sts.StsClient; 
@@ -38,34 +30,20 @@ import software.amazon.awssdk.services.sts.model.AssumeRoleResponse; import software.amazon.awssdk.services.sts.model.Credentials; -import java.net.URI; - import static com.yahoo.athenz.common.ServerCommonConsts.ZTS_PROP_AWS_REGION_NAME; public class TempCredsProvider { private static final Logger LOGGER = LoggerFactory.getLogger(TempCredsProvider.class); - private static final String AWS_METADATA_BASE_URI = "http://169.254.169.254/latest"; - private static final String AWS_METADATA_TOKEN_URI = "http://169.254.169.254/latest/api/token"; - private static final String AWS_METADATA_TOKEN_HEADER = "X-aws-ec2-metadata-token"; - private static final String AWS_METADATA_TOKEN_TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"; - public static final String ZTS_PROP_AWS_ROLE_SESSION_NAME = "athenz.zts.aws_role_session_name"; - String awsRole = null; String awsRegion; String awsRoleSessionName; - AwsBasicCredentials credentials; - private HttpClient httpClient; + InstanceProfileCredentialsProvider credentialsProvider; public TempCredsProvider() throws ServerResourceException { - // Instantiate and start our HttpClient - - httpClient = new HttpClient(); - setupHttpClient(httpClient); - // check to see if we are given region name awsRegion = System.getProperty(ZTS_PROP_AWS_REGION_NAME); 
@@ -76,242 +54,9 @@ public TempCredsProvider() throws ServerResourceException { } public void initialize() throws ServerResourceException { - // initialize and load our bootstrap data - - if (!loadBootMetaData()) { - throw new ServerResourceException(ServerResourceException.INTERNAL_SERVER_ERROR, "Unable to load boot data"); - } - - // finally fetch the role credentials - - if (!fetchRoleCredentials()) { - throw new ServerResourceException(ServerResourceException.INTERNAL_SERVER_ERROR, "Unable to fetch aws role credentials"); - } - } - - void setupHttpClient(HttpClient client) throws ServerResourceException { - - client.setFollowRedirects(false); - try { - client.start(); - } catch (Exception ex) { - LOGGER.error("CloudStore: unable to start http client", ex); - throw new ServerResourceException(ServerResourceException.INTERNAL_SERVER_ERROR, "Http client not available"); - } - } - - public void close() { - stopHttpClient(); - } - - - public void setHttpClient(HttpClient client) { - stopHttpClient(); - httpClient = client; - } - - private void stopHttpClient() { - if (httpClient == null) { - return; - } - try { - httpClient.stop(); - } catch (Exception ignored) { - } - } - - boolean loadBootMetaData() { - - // first load the dynamic document - - final String document = getMetaData("/dynamic/instance-identity/document"); - if (document == null) { - return false; - } - - if (!parseInstanceInfo(document)) { - return false; - } - - // then the document signature - - final String docSignature = getMetaData("/dynamic/instance-identity/pkcs7"); - if (docSignature == null) { - return false; - } - - // next the iam profile data - - final String iamRole = getMetaData("/meta-data/iam/info"); - if (iamRole == null) { - return false; - } - - // now parse and extract the profile details. 
we'll catch - // all possible index out of bounds exceptions here and just - // report the error and return false - - if (!parseIamRoleInfo(iamRole)) { - return false; - } - - if (LOGGER.isDebugEnabled()) { - LOGGER.debug("CloudStore: service meta information:"); - LOGGER.debug("CloudStore: role: {}", awsRole); - LOGGER.debug("CloudStore: region: {}", awsRegion); - } - return true; - } - - public boolean fetchRoleCredentials() { - - // verify that we have a valid awsRole already retrieved - - if (StringUtil.isEmpty(awsRole)) { - LOGGER.error("CloudStore: awsRole is not available to fetch role credentials"); - return false; - } - - final String creds = getMetaData("/meta-data/iam/security-credentials/" + awsRole); - if (creds == null) { - return false; - } - - Struct credsStruct = JSON.fromString(creds, Struct.class); - if (credsStruct == null) { - LOGGER.error("CloudStore: unable to parse role credentials data: {}", creds); - return false; - } - String accessKeyId = credsStruct.getString("AccessKeyId"); - String secretAccessKey = credsStruct.getString("SecretAccessKey"); - - credentials = AwsBasicCredentials.builder() - .accessKeyId(accessKeyId) - .secretAccessKey(secretAccessKey) - .build(); - - return true; - } - - boolean parseInstanceInfo(String document) { - - Struct instStruct = JSON.fromString(document, Struct.class); - if (instStruct == null) { - LOGGER.error("CloudStore: unable to parse instance identity document: {}", document); - return false; - } - - // if we're overriding the region name, then we'll - // extract that value here - - if (StringUtil.isEmpty(awsRegion)) { - awsRegion = instStruct.getString("region"); - if (StringUtil.isEmpty(awsRegion)) { - LOGGER.error("CloudStore: unable to extract region from instance identity document: {}", document); - return false; - } - } - - return true; - } - - boolean parseIamRoleInfo(final String iamRole) { - - Struct iamRoleStruct = JSON.fromString(iamRole, Struct.class); - if (iamRoleStruct == null) { - 
LOGGER.error("CloudStore: unable to parse iam role data: {}", iamRole); - return false; - } - - // extract and parse our profile arn - // "InstanceProfileArn" : "arn:aws:iam::1111111111111:instance-profile/iaas.athenz.zts,athenz", - - final String profileArn = iamRoleStruct.getString("InstanceProfileArn"); - if (StringUtil.isEmpty(profileArn)) { - LOGGER.error("CloudStore: unable to extract InstanceProfileArn from iam role data: {}", iamRole); - return false; - } - - return parseInstanceProfileArn(profileArn); - } - - boolean parseInstanceProfileArn(final String profileArn) { - - // "InstanceProfileArn" : "arn:aws:iam::1111111111111:instance-profile/iaas.athenz.zts,athenz", - - if (!profileArn.startsWith("arn:aws:iam::")) { - LOGGER.error("CloudStore: InstanceProfileArn does not start with 'arn:aws:iam::' : {}", - profileArn); - return false; - } - - int idx = profileArn.indexOf(":instance-profile/"); - if (idx == -1) { - LOGGER.error("CloudStore: unable to parse InstanceProfileArn: {}", profileArn); - return false; - } - - final String awsProfile = profileArn.substring(idx + ":instance-profile/".length()); - - // make sure we have valid profile and account data - - if (awsProfile.isEmpty()) { - LOGGER.error("CloudStore: unable to extract profile/account data from InstanceProfileArn: {}", - profileArn); - return false; - } - - // we need to extract the role from the profile - - idx = awsProfile.indexOf(','); - if (idx == -1) { - awsRole = awsProfile; - } else { - awsRole = awsProfile.substring(0, idx); - } - - return true; - } - - String getMetaData(String path) { - - // first we need to get a token for IMDSv2 support - // if the token is not available we'll just try without - // it to see if we can get the data with v1 support - - final String token = processHttpRequest(HttpMethod.PUT, AWS_METADATA_TOKEN_URI, AWS_METADATA_TOKEN_TTL_HEADER, "60"); - if (StringUtil.isEmpty(token)) { - LOGGER.info("unable to get token for IMDSv2 support"); - } - return 
processHttpRequest(HttpMethod.GET, AWS_METADATA_BASE_URI + path, AWS_METADATA_TOKEN_HEADER, token); - } - - String processHttpRequest(HttpMethod httpMethod, String uri, String headerName, String headerValue) { - - ContentResponse response; - try { - Request request = httpClient.newRequest(URI.create(uri)).method(httpMethod); - if (!StringUtil.isEmpty(headerName) && !StringUtil.isEmpty(headerValue)) { - request.headers((fields) -> fields.put(headerName, headerValue)); - } - response = request.send(); - } catch (Exception ex) { - LOGGER.error("unable to fetch requested uri '{}':{}", uri, ex.getMessage()); - return null; - } - if (response.getStatus() != 200) { - LOGGER.error("unable to fetch requested uri '{}' status:{}", uri, response.getStatus()); - return null; - } - - String data = response.getContentAsString(); - if (StringUtil.isEmpty(data)) { - LOGGER.error("received empty response from uri '{}' status:{}", uri, response.getStatus()); - return null; - } - - return data; + credentialsProvider = InstanceProfileCredentialsProvider.builder() + .asyncCredentialUpdateEnabled(true).build(); } String getAssumeRoleSessionName(final String principal) { @@ -336,7 +81,7 @@ String getAssumeRoleSessionName(final String principal) { } AssumeRoleRequest getAssumeRoleRequest(final String account, final String roleName, Integer durationSeconds, - final String externalId, final String principal) { + final String externalId, final String principal) { // assume the target role to get the credentials for the client // aws format is arn:aws:iam:::role/ @@ -358,7 +103,7 @@ AssumeRoleRequest getAssumeRoleRequest(final String account, final String roleNa StsClient getTokenServiceClient() { return StsClient.builder() - .credentialsProvider(StaticCredentialsProvider.create(credentials)) + .credentialsProvider(credentialsProvider) .region(Region.of(awsRegion)) .build(); } 
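Review bot: `initialize()` no longer fails fast: the removed code threw `ServerResourceException` when the instance metadata or the role credentials could not be loaded, while the new body only constructs an `InstanceProfileCredentialsProvider`, so a ZTS host without a usable instance profile now starts cleanly and fails at the first `assumeRole` instead. Resolving credentials once during initialization keeps the old contract and lets the refresh thread be released on failure; `SdkClientException` lives in `software.amazon.awssdk.core.exception` and would need an import. The SDK provider also falls back to IMDSv1 like the removed `getMetaData` did; if that matters for this deployment, recent SDK releases honour the `aws.disableEc2MetadataV1` system property / `AWS_EC2_METADATA_V1_DISABLED` environment variable to turn the fallback off.
```java
public void initialize() throws ServerResourceException {
    credentialsProvider = InstanceProfileCredentialsProvider.builder()
            .asyncCredentialUpdateEnabled(true).build();
    try {
        // fail at startup, as the removed IMDS bootstrap did, rather than at the first assumeRole
        credentialsProvider.resolveCredentials();
    } catch (SdkClientException ex) {
        LOGGER.error("TempCredsProvider: unable to fetch aws role credentials", ex);
        close();
        throw new ServerResourceException(ServerResourceException.INTERNAL_SERVER_ERROR,
                "Unable to fetch aws role credentials");
    }
}
```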
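Review bot: `getTokenServiceClient` still calls `Region.of(awsRegion)`, but the preceding hunk deleted `parseInstanceInfo`, which was the only code that filled `awsRegion` from the instance identity document when the `ZTS_PROP_AWS_REGION_NAME` property is unset; unless the constructor (its tail is outside the hunk) now rejects a missing region, the first token request will throw from `Region.of(null)`. Either require the property at construction time or fall back to the SDK's own discovery, `.region(awsRegion != null ? Region.of(awsRegion) : new DefaultAwsRegionProviderChain().getRegion())`, which also consults IMDS; `DefaultAwsRegionProviderChain` is in `software.amazon.awssdk.regions.providers`. A short comment on the method noting that the region is no longer auto-detected would help whoever trips over this.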
@@ -407,4 +152,9 @@ public AWSTemporaryCredentials getTemporaryCredentials(final String account, fin } } + public void close() { + if (credentialsProvider != null) { + credentialsProvider.close(); + } + } } diff --git a/libs/java/server_aws_common/src/test/java/io/athenz/server/aws/common/creds/impl/TempCredsProviderTest.java b/libs/java/server_aws_common/src/test/java/io/athenz/server/aws/common/creds/impl/TempCredsProviderTest.java index 9e323fa385e..9a8cc0ff131 100644 --- a/libs/java/server_aws_common/src/test/java/io/athenz/server/aws/common/creds/impl/TempCredsProviderTest.java +++ b/libs/java/server_aws_common/src/test/java/io/athenz/server/aws/common/creds/impl/TempCredsProviderTest.java @@ -18,13 +18,9 @@ import com.yahoo.athenz.common.server.ServerResourceException; import com.yahoo.athenz.zts.AWSTemporaryCredentials; -import org.eclipse.jetty.client.ContentResponse; -import org.eclipse.jetty.client.HttpClient; -import org.eclipse.jetty.client.Request; -import org.eclipse.jetty.http.HttpMethod; import org.mockito.Mockito; import org.testng.annotations.Test; -import software.amazon.awssdk.auth.credentials.AwsBasicCredentials; +import software.amazon.awssdk.auth.credentials.InstanceProfileCredentialsProvider; import software.amazon.awssdk.awscore.exception.AwsErrorDetails; import software.amazon.awssdk.awscore.exception.AwsServiceException; import software.amazon.awssdk.http.SdkHttpResponse; 
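Review bot: With `asyncCredentialUpdateEnabled(true)` the provider owns a background refresh thread, so `close()` is now required for a clean shutdown rather than optional as it was with the Jetty client, yet nothing marks the class as a resource; declare `public class TempCredsProvider implements AutoCloseable` and put `@Override` on `close()` so callers can use try-with-resources and static analysis flags a missing close. The diffstat shows CloudStore changed in this commit, but its hunk is not in view, so whether it actually calls `close()` cannot be confirmed here.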
@@ -32,46 +28,17 @@ import software.amazon.awssdk.services.sts.model.AssumeRoleRequest; import software.amazon.awssdk.services.sts.model.AssumeRoleResponse; import software.amazon.awssdk.services.sts.model.Credentials; - -import java.net.URI; import java.util.Date; -import java.util.concurrent.ExecutionException; -import java.util.concurrent.TimeoutException; -import static com.yahoo.athenz.common.ServerCommonConsts.ZTS_PROP_AWS_REGION_NAME; import static io.athenz.server.aws.common.creds.impl.TempCredsProvider.ZTS_PROP_AWS_ROLE_SESSION_NAME; import static org.testng.Assert.*; public class TempCredsProviderTest { - private final static String AWS_INSTANCE_DOCUMENT = "{\n" - + " \"devpayProductCodes\" : null,\n" - + " \"availabilityZone\" : \"us-west-2a\",\n" - + " \"privateIp\" : \"10.10.10.10\",\n" - + " \"version\" : \"2010-08-31\",\n" - + " \"instanceId\" : \"i-056921225f1fbb47a\",\n" - + " \"billingProducts\" : null,\n" - + " \"instanceType\" : \"t2.micro\",\n" - + " \"accountId\" : \"111111111111\",\n" - + " \"pendingTime\" : \"2016-04-26T05:37:23Z\",\n" - + " \"imageId\" : \"ami-c229c0a2\",\n" - + " \"architecture\" : \"x86_64\",\n" - + " \"kernelId\" : null,\n" - + " \"ramdiskId\" : null,\n" - + " \"region\" : \"us-west-2\"\n" - + "}"; - - private final static String AWS_IAM_ROLE_INFO = "{\n" - + "\"Code\" : \"Success\",\n" - + "\"LastUpdated\" : \"2016-04-26T05:37:04Z\",\n" - + "\"InstanceProfileArn\" : \"arn:aws:iam::111111111111:instance-profile/athenz.zts,athenz\",\n" - + "\"InstanceProfileId\" : \"AIPAJAVNLUGEWFWTIDPRA\"\n" - + "}"; - @Test public void testGetTokenServiceClient() throws ServerResourceException { TempCredsProvider credsProvider = new TempCredsProvider(); - credsProvider.credentials = AwsBasicCredentials.builder().accessKeyId("accessKey").secretAccessKey("secretKey").build(); + credsProvider.credentialsProvider = Mockito.mock(InstanceProfileCredentialsProvider.class); credsProvider.awsRegion = "us-west-2"; 
assertNotNull(credsProvider.getTokenServiceClient()); credsProvider.close(); 
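Review bot: the rewritten `testGetTokenServiceClient` now asserts only that the client is non-null, so a regression that dropped `.credentialsProvider(credentialsProvider)` or `.region(...)` from the builder would still pass. Because the provider is a Mockito mock, `credsProvider.close()` also exercises nothing; adding `Mockito.verify(credsProvider.credentialsProvider).close();` after it would at least pin the new close path. If the SDK version in use exposes `serviceClientConfiguration()`, `assertEquals(client.serviceClientConfiguration().region(), Region.US_WEST_2);` would pin the region wiring as well.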
@@ -124,772 +91,24 @@ public void testGetAssumeRoleRequest() throws ServerResourceException { System.clearProperty(ZTS_PROP_AWS_ROLE_SESSION_NAME); } - @Test - public void testParseInstanceInfo() throws ServerResourceException { - TempCredsProvider credsProvider = new TempCredsProvider(); - assertTrue(credsProvider.parseInstanceInfo(AWS_INSTANCE_DOCUMENT)); - assertEquals(credsProvider.awsRegion, "us-west-2"); - credsProvider.close(); - } - - @Test - public void testParseInstanceInfoInvalid() throws ServerResourceException { - - TempCredsProvider credsProvider = new TempCredsProvider(); - assertFalse(credsProvider.parseInstanceInfo("some_invalid_doc")); - credsProvider.close(); - } - - @Test - public void testParseInstanceInfoRegion() throws ServerResourceException { - - // first this should fail since we have no region - // override and the document has no region - - TempCredsProvider credsProvider = new TempCredsProvider(); - assertFalse(credsProvider.parseInstanceInfo("{\"accountId\":\"012345678901\"}")); - - // now we're going to use the same doc with override - - System.setProperty(ZTS_PROP_AWS_REGION_NAME, "us-west-3"); - credsProvider.close(); - - credsProvider = new TempCredsProvider(); - assertTrue(credsProvider.parseInstanceInfo("{\"accountId\":\"012345678901\"}")); - assertEquals(credsProvider.awsRegion, "us-west-3"); - System.clearProperty(ZTS_PROP_AWS_REGION_NAME); - credsProvider.close(); - } - - @Test - public void testParseIamRoleInfoInvalid() throws ServerResourceException { - - TempCredsProvider credsProvider = new TempCredsProvider(); - assertFalse(credsProvider.parseIamRoleInfo("some_invalid_doc")); - credsProvider.close(); - } - - @Test - public void testParseIamRoleInfoMissingInstanceProfile() throws ServerResourceException { - - TempCredsProvider credsProvider = new TempCredsProvider(); - assertFalse(credsProvider.parseIamRoleInfo("{\"accountId\":\"012345678901\"}")); - 
assertFalse(credsProvider.parseIamRoleInfo("{\"accountId\":\"012345678901\",\"InstanceProfileArn\":\"\"}")); - credsProvider.close(); - } - - @Test - public void testParseIamRoleInfoInvalidInstanceProfile() throws ServerResourceException { - - TempCredsProvider credsProvider = new TempCredsProvider(); - assertFalse(credsProvider.parseIamRoleInfo("{\"accountId\":\"012345678901\"}")); - assertFalse(credsProvider.parseIamRoleInfo("{\"accountId\":\"012345678901\",\"InstanceProfileArn\":\"invalid\"}")); - credsProvider.close(); - } - - @Test - public void testParseIamRoleInfo() throws ServerResourceException { - TempCredsProvider credsProvider = new TempCredsProvider(); - assertTrue(credsProvider.parseIamRoleInfo(AWS_IAM_ROLE_INFO)); - assertEquals(credsProvider.awsRole, "athenz.zts"); - credsProvider.close(); - } - - @Test - public void testParseInstanceProfileArn() throws ServerResourceException { - - TempCredsProvider credsProvider = new TempCredsProvider(); - assertTrue(credsProvider.parseInstanceProfileArn("arn:aws:iam::111111111111:instance-profile/athenz.zts,athenz")); - assertEquals(credsProvider.awsRole, "athenz.zts"); - credsProvider.close(); - } - - @Test - public void testParseInstanceProfileArnInvalidPrefix() throws ServerResourceException { - - TempCredsProvider credsProvider = new TempCredsProvider(); - - // invalid starting prefix - - assertFalse(credsProvider.parseInstanceProfileArn("arn:aws:iam:111111111111:instance-profile/athenz.zts,athenz")); - assertFalse(credsProvider.parseInstanceProfileArn("arn:aws:iam2:111111111111:instance-profile/athenz.zts,athenz")); - assertFalse(credsProvider.parseInstanceProfileArn("instance-profile/athenz.zts,athenz")); - credsProvider.close(); - } - - @Test - public void testParseInstanceProfileArnInvalidProfile()throws ServerResourceException { - - TempCredsProvider credsProvider = new TempCredsProvider(); - - // missing instance-profile part - - 
assertFalse(credsProvider.parseInstanceProfileArn("arn:aws:iam::111111111111:instance-profile2/athenz.zts,athenz")); - assertFalse(credsProvider.parseInstanceProfileArn("arn:aws:iam::111111111111:instance/athenz.zts,athenz")); - credsProvider.close(); - } - - @Test - public void testParseInstanceProfileArnInvalidNoProfile() throws ServerResourceException { - - TempCredsProvider credsProvider = new TempCredsProvider(); - - // no profile name - - assertFalse(credsProvider.parseInstanceProfileArn("arn:aws:iam::111111111111:instance-profile/")); - credsProvider.close(); - } - - @Test - public void testParseInstanceProfileArnCloud() throws ServerResourceException { - - TempCredsProvider credsProvider = new TempCredsProvider(); - // cloud name is optional for backwards compatibility - assertTrue(credsProvider.parseInstanceProfileArn("arn:aws:iam::111111111111:instance-profile/athenz.zts")); - assertEquals(credsProvider.awsRole, "athenz.zts"); - assertTrue(credsProvider.parseInstanceProfileArn("arn:aws:iam::111111111111:instance-profile/athenz.proxy,athenz,test")); - assertEquals(credsProvider.awsRole, "athenz.proxy"); - credsProvider.close(); - } - - @Test - public void testGetMetaDataExceptions() throws Exception { - - TempCredsProvider credsProvider = new TempCredsProvider(); - HttpClient httpClient = Mockito.mock(HttpClient.class); - credsProvider.setHttpClient(httpClient); - - Request request = Mockito.mock(Request.class); - Mockito.when(httpClient.newRequest(URI.create("http://169.254.169.254/latest/exc1"))) - .thenReturn(request); - Mockito.when(request.method(HttpMethod.GET)).thenReturn(request); - Mockito.when(request.send()).thenThrow(TimeoutException.class); - Mockito.doThrow(new IndexOutOfBoundsException()).when(httpClient).stop(); - - assertNull(credsProvider.getMetaData("/exc1")); - credsProvider.close(); - } - - @Test - public void testGetMetaDataFailureStatus() throws Exception { - - TempCredsProvider credsProvider = new TempCredsProvider(); - HttpClient 
httpClient = Mockito.mock(HttpClient.class); - ContentResponse response = Mockito.mock(ContentResponse.class); - Mockito.when(response.getStatus()).thenReturn(404); - credsProvider.setHttpClient(httpClient); - - Request request = Mockito.mock(Request.class); - Mockito.when(httpClient.newRequest(URI.create("http://169.254.169.254/latest/iam-info"))) - .thenReturn(request); - Mockito.when(request.method(HttpMethod.GET)).thenReturn(request); - Mockito.when(request.send()).thenReturn(response); - - assertNull(credsProvider.getMetaData("/iam-info")); - credsProvider.close(); - } - - @Test - public void testGetMetaDataNullResponse() throws Exception { - - TempCredsProvider credsProvider = new TempCredsProvider(); - HttpClient httpClient = Mockito.mock(HttpClient.class); - ContentResponse response = Mockito.mock(ContentResponse.class); - Mockito.when(response.getStatus()).thenReturn(200); - Mockito.when(response.getContentAsString()).thenReturn(null); - credsProvider.setHttpClient(httpClient); - - Request request = Mockito.mock(Request.class); - Mockito.when(httpClient.newRequest(URI.create("http://169.254.169.254/latest/iam-info"))) - .thenReturn(request); - Mockito.when(request.method(HttpMethod.GET)).thenReturn(request); - Mockito.when(request.send()).thenReturn(response); - - assertNull(credsProvider.getMetaData("/iam-info")); - credsProvider.close(); - } - - @Test - public void testGetMetaDataEmptyResponse() throws Exception { - - TempCredsProvider credsProvider = new TempCredsProvider(); - HttpClient httpClient = Mockito.mock(HttpClient.class); - ContentResponse response = Mockito.mock(ContentResponse.class); - Mockito.when(response.getStatus()).thenReturn(200); - Mockito.when(response.getContentAsString()).thenReturn(""); - credsProvider.setHttpClient(httpClient); - - Request request = Mockito.mock(Request.class); - Mockito.when(httpClient.newRequest(URI.create("http://169.254.169.254/latest/iam-info"))) - .thenReturn(request); - 
Mockito.when(request.method(HttpMethod.GET)).thenReturn(request); - Mockito.when(request.send()).thenReturn(response); - - assertNull(credsProvider.getMetaData("/iam-info")); - credsProvider.close(); - } - - @Test - public void testGetMetaDataValidResponse() throws Exception { - - TempCredsProvider credsProvider = new TempCredsProvider(); - HttpClient httpClient = Mockito.mock(HttpClient.class); - ContentResponse response = Mockito.mock(ContentResponse.class); - Mockito.when(response.getStatus()).thenReturn(200); - Mockito.when(response.getContentAsString()).thenReturn("json-document"); - credsProvider.setHttpClient(httpClient); - - Request request = Mockito.mock(Request.class); - Mockito.when(httpClient.newRequest(URI.create("http://169.254.169.254/latest/iam-info"))) - .thenReturn(request); - Mockito.when(request.method(HttpMethod.GET)).thenReturn(request); - Mockito.when(request.send()).thenReturn(response); - - assertEquals(credsProvider.getMetaData("/iam-info"), "json-document"); - credsProvider.close(); - } - - @Test - public void testLoadBootMetaDataInvalidDocumentGet() throws Exception { - - TempCredsProvider credsProvider = new TempCredsProvider(); - HttpClient httpClient = Mockito.mock(HttpClient.class); - ContentResponse response = Mockito.mock(ContentResponse.class); - Mockito.when(response.getStatus()).thenReturn(404); - credsProvider.setHttpClient(httpClient); - - Request request = Mockito.mock(Request.class); - Mockito.when(httpClient.newRequest(URI.create("http://169.254.169.254/latest/dynamic/instance-identity/document"))) - .thenReturn(request); - Mockito.when(request.method(HttpMethod.GET)).thenReturn(request); - Mockito.when(request.send()).thenReturn(response); - - assertFalse(credsProvider.loadBootMetaData()); - credsProvider.close(); - } - - @Test - public void testLoadBootMetaDataInvalidDocumentParse() throws Exception { - - TempCredsProvider credsProvider = new TempCredsProvider(); - HttpClient httpClient = Mockito.mock(HttpClient.class); - 
ContentResponse response = Mockito.mock(ContentResponse.class); - Mockito.when(response.getStatus()).thenReturn(200); - Mockito.when(response.getContentAsString()).thenReturn("{\"accountId\":\"012345678901\"}"); - credsProvider.setHttpClient(httpClient); - - Request request = Mockito.mock(Request.class); - Mockito.when(httpClient.newRequest(URI.create("http://169.254.169.254/latest/dynamic/instance-identity/document"))) - .thenReturn(request); - Mockito.when(request.method(HttpMethod.GET)).thenReturn(request); - Mockito.when(request.send()).thenReturn(response); - - assertFalse(credsProvider.loadBootMetaData()); - credsProvider.close(); - } - - @Test - public void testLoadBootMetaDataInvalidDocumentException() throws Exception { - - TempCredsProvider credsProvider = new TempCredsProvider(); - HttpClient httpClient = Mockito.mock(HttpClient.class); - ContentResponse response = Mockito.mock(ContentResponse.class); - Mockito.when(response.getStatus()).thenReturn(200); - Mockito.when(response.getContentAsString()).thenReturn("json-document"); - credsProvider.setHttpClient(httpClient); - - Request request = Mockito.mock(Request.class); - Mockito.when(httpClient.newRequest(URI.create("http://169.254.169.254/latest/dynamic/instance-identity/document"))) - .thenReturn(request); - Mockito.when(request.method(HttpMethod.GET)).thenReturn(request); - Mockito.when(request.send()).thenReturn(response); - - assertFalse(credsProvider.loadBootMetaData()); - credsProvider.close(); - } - - @Test - public void testLoadBootMetaDataInvalidSignature() throws Exception { - - TempCredsProvider credsProvider = new TempCredsProvider(); - HttpClient httpClient = Mockito.mock(HttpClient.class); - ContentResponse responseDoc = Mockito.mock(ContentResponse.class); - Mockito.when(responseDoc.getStatus()).thenReturn(200); - Mockito.when(responseDoc.getContentAsString()).thenReturn(AWS_INSTANCE_DOCUMENT); - - ContentResponse responseSig = Mockito.mock(ContentResponse.class); - 
Mockito.when(responseSig.getStatus()).thenReturn(404); - - credsProvider.setHttpClient(httpClient); - - Request docRequest = Mockito.mock(Request.class); - Mockito.when(httpClient.newRequest(URI.create("http://169.254.169.254/latest/dynamic/instance-identity/document"))) - .thenReturn(docRequest); - Mockito.when(docRequest.method(HttpMethod.GET)).thenReturn(docRequest); - Mockito.when(docRequest.send()).thenReturn(responseDoc); - - Request sigRequest = Mockito.mock(Request.class); - Mockito.when(httpClient.newRequest(URI.create("http://169.254.169.254/latest/dynamic/instance-identity/pkcs7"))) - .thenReturn(sigRequest); - Mockito.when(sigRequest.method(HttpMethod.GET)).thenReturn(sigRequest); - Mockito.when(sigRequest.send()).thenReturn(responseSig); - - assertFalse(credsProvider.loadBootMetaData()); - credsProvider.close(); - } - - @Test - public void testLoadBootMetaDataInvalidIamInfoGet() throws Exception { - - TempCredsProvider credsProvider = new TempCredsProvider(); - HttpClient httpClient = Mockito.mock(HttpClient.class); - - ContentResponse responseDoc = Mockito.mock(ContentResponse.class); - Mockito.when(responseDoc.getStatus()).thenReturn(200); - Mockito.when(responseDoc.getContentAsString()).thenReturn(AWS_INSTANCE_DOCUMENT); - - ContentResponse responseSig = Mockito.mock(ContentResponse.class); - Mockito.when(responseSig.getStatus()).thenReturn(200); - Mockito.when(responseSig.getContentAsString()).thenReturn("pkcs7-signature"); - - ContentResponse responseInfo = Mockito.mock(ContentResponse.class); - Mockito.when(responseInfo.getStatus()).thenReturn(404); - - credsProvider.setHttpClient(httpClient); - - Request docRequest = Mockito.mock(Request.class); - Mockito.when(httpClient.newRequest(URI.create("http://169.254.169.254/latest/dynamic/instance-identity/document"))) - .thenReturn(docRequest); - Mockito.when(docRequest.method(HttpMethod.GET)).thenReturn(docRequest); - Mockito.when(docRequest.send()).thenReturn(responseDoc); - - Request sigRequest = 
Mockito.mock(Request.class); - Mockito.when(httpClient.newRequest(URI.create("http://169.254.169.254/latest/dynamic/instance-identity/pkcs7"))) - .thenReturn(sigRequest); - Mockito.when(sigRequest.method(HttpMethod.GET)).thenReturn(sigRequest); - Mockito.when(sigRequest.send()).thenReturn(responseSig); - - Request infoRequest = Mockito.mock(Request.class); - Mockito.when(httpClient.newRequest(URI.create("http://169.254.169.254/latest/meta-data/iam/info"))) - .thenReturn(infoRequest); - Mockito.when(infoRequest.method(HttpMethod.GET)).thenReturn(infoRequest); - Mockito.when(infoRequest.send()).thenReturn(responseInfo); - - assertFalse(credsProvider.loadBootMetaData()); - credsProvider.close(); - } - - @Test - public void testLoadBootMetaDataInvalidIamInfoException() throws Exception { - - TempCredsProvider credsProvider = new TempCredsProvider(); - HttpClient httpClient = Mockito.mock(HttpClient.class); - - ContentResponse responseDoc = Mockito.mock(ContentResponse.class); - Mockito.when(responseDoc.getStatus()).thenReturn(200); - Mockito.when(responseDoc.getContentAsString()).thenReturn(AWS_INSTANCE_DOCUMENT); - - ContentResponse responseSig = Mockito.mock(ContentResponse.class); - Mockito.when(responseSig.getStatus()).thenReturn(200); - Mockito.when(responseSig.getContentAsString()).thenReturn("pkcs7-signature"); - - ContentResponse responseInfo = Mockito.mock(ContentResponse.class); - Mockito.when(responseInfo.getStatus()).thenReturn(200); - Mockito.when(responseInfo.getContentAsString()).thenReturn("invalid-info"); - - credsProvider.setHttpClient(httpClient); - - Request docRequest = Mockito.mock(Request.class); - Mockito.when(httpClient.newRequest(URI.create("http://169.254.169.254/latest/dynamic/instance-identity/document"))) - .thenReturn(docRequest); - Mockito.when(docRequest.method(HttpMethod.GET)).thenReturn(docRequest); - Mockito.when(docRequest.send()).thenReturn(responseDoc); - - Request sigRequest = Mockito.mock(Request.class); - 
Mockito.when(httpClient.newRequest(URI.create("http://169.254.169.254/latest/dynamic/instance-identity/pkcs7"))) - .thenReturn(sigRequest); - Mockito.when(sigRequest.method(HttpMethod.GET)).thenReturn(sigRequest); - Mockito.when(sigRequest.send()).thenReturn(responseSig); - - Request infoRequest = Mockito.mock(Request.class); - Mockito.when(httpClient.newRequest(URI.create("http://169.254.169.254/latest/meta-data/iam/info"))) - .thenReturn(infoRequest); - Mockito.when(infoRequest.method(HttpMethod.GET)).thenReturn(infoRequest); - Mockito.when(infoRequest.send()).thenReturn(responseInfo); - - assertFalse(credsProvider.loadBootMetaData()); - credsProvider.close(); - } - - @Test - public void testLoadBootMetaDataInvalidIamInfoParse() throws Exception { - - TempCredsProvider credsProvider = new TempCredsProvider(); - HttpClient httpClient = Mockito.mock(HttpClient.class); - - ContentResponse responseDoc = Mockito.mock(ContentResponse.class); - Mockito.when(responseDoc.getStatus()).thenReturn(200); - Mockito.when(responseDoc.getContentAsString()).thenReturn(AWS_INSTANCE_DOCUMENT); - - ContentResponse responseSig = Mockito.mock(ContentResponse.class); - Mockito.when(responseSig.getStatus()).thenReturn(200); - Mockito.when(responseSig.getContentAsString()).thenReturn("pkcs7-signature"); - - ContentResponse responseInfo = Mockito.mock(ContentResponse.class); - Mockito.when(responseInfo.getStatus()).thenReturn(200); - Mockito.when(responseInfo.getContentAsString()).thenReturn("{\"accountId\":\"012345678901\",\"InstanceProfileArn\":\"invalid\"}"); - - credsProvider.setHttpClient(httpClient); - - Request docRequest = Mockito.mock(Request.class); - Mockito.when(httpClient.newRequest(URI.create("http://169.254.169.254/latest/dynamic/instance-identity/document"))) - .thenReturn(docRequest); - Mockito.when(docRequest.method(HttpMethod.GET)).thenReturn(docRequest); - Mockito.when(docRequest.send()).thenReturn(responseDoc); - - Request sigRequest = Mockito.mock(Request.class); - 
Mockito.when(httpClient.newRequest(URI.create("http://169.254.169.254/latest/dynamic/instance-identity/pkcs7"))) - .thenReturn(sigRequest); - Mockito.when(sigRequest.method(HttpMethod.GET)).thenReturn(sigRequest); - Mockito.when(sigRequest.send()).thenReturn(responseSig); - - Request infoRequest = Mockito.mock(Request.class); - Mockito.when(httpClient.newRequest(URI.create("http://169.254.169.254/latest/meta-data/iam/info"))) - .thenReturn(infoRequest); - Mockito.when(infoRequest.method(HttpMethod.GET)).thenReturn(infoRequest); - Mockito.when(infoRequest.send()).thenReturn(responseInfo); - - assertFalse(credsProvider.loadBootMetaData()); - credsProvider.close(); - } - - @Test - public void testLoadBootMetaDataV1() throws Exception { - - TempCredsProvider credsProvider = new TempCredsProvider(); - HttpClient httpClient = Mockito.mock(HttpClient.class); - - ContentResponse responseDoc = Mockito.mock(ContentResponse.class); - Mockito.when(responseDoc.getStatus()).thenReturn(200); - Mockito.when(responseDoc.getContentAsString()).thenReturn(AWS_INSTANCE_DOCUMENT); - - ContentResponse responseSig = Mockito.mock(ContentResponse.class); - Mockito.when(responseSig.getStatus()).thenReturn(200); - Mockito.when(responseSig.getContentAsString()).thenReturn("pkcs7-signature"); - - ContentResponse responseInfo = Mockito.mock(ContentResponse.class); - Mockito.when(responseInfo.getStatus()).thenReturn(200); - Mockito.when(responseInfo.getContentAsString()).thenReturn(AWS_IAM_ROLE_INFO); - - credsProvider.setHttpClient(httpClient); - - Request docRequest = Mockito.mock(Request.class); - Mockito.when(httpClient.newRequest(URI.create("http://169.254.169.254/latest/dynamic/instance-identity/document"))) - .thenReturn(docRequest); - Mockito.when(docRequest.method(HttpMethod.GET)).thenReturn(docRequest); - Mockito.when(docRequest.send()).thenReturn(responseDoc); - - Request sigRequest = Mockito.mock(Request.class); - 
Mockito.when(httpClient.newRequest(URI.create("http://169.254.169.254/latest/dynamic/instance-identity/pkcs7"))) - .thenReturn(sigRequest); - Mockito.when(sigRequest.method(HttpMethod.GET)).thenReturn(sigRequest); - Mockito.when(sigRequest.send()).thenReturn(responseSig); - - Request infoRequest = Mockito.mock(Request.class); - Mockito.when(httpClient.newRequest(URI.create("http://169.254.169.254/latest/meta-data/iam/info"))) - .thenReturn(infoRequest); - Mockito.when(infoRequest.method(HttpMethod.GET)).thenReturn(infoRequest); - Mockito.when(infoRequest.send()).thenReturn(responseInfo); - - assertTrue(credsProvider.loadBootMetaData()); - assertEquals(credsProvider.awsRole, "athenz.zts"); - assertEquals(credsProvider.awsRegion, "us-west-2"); - credsProvider.close(); - } - - @Test - public void testLoadBootMetaDataV2() throws Exception { - - TempCredsProvider credsProvider = new TempCredsProvider(); - HttpClient httpClient = Mockito.mock(HttpClient.class); - - ContentResponse responseDoc = Mockito.mock(ContentResponse.class); - Mockito.when(responseDoc.getStatus()).thenReturn(200); - Mockito.when(responseDoc.getContentAsString()).thenReturn(AWS_INSTANCE_DOCUMENT); - - ContentResponse responseSig = Mockito.mock(ContentResponse.class); - Mockito.when(responseSig.getStatus()).thenReturn(200); - Mockito.when(responseSig.getContentAsString()).thenReturn("pkcs7-signature"); - - ContentResponse responseInfo = Mockito.mock(ContentResponse.class); - Mockito.when(responseInfo.getStatus()).thenReturn(200); - Mockito.when(responseInfo.getContentAsString()).thenReturn(AWS_IAM_ROLE_INFO); - - ContentResponse responseToken = Mockito.mock(ContentResponse.class); - Mockito.when(responseToken.getStatus()).thenReturn(200); - Mockito.when(responseToken.getContentAsString()).thenReturn("aws-token-info"); - - credsProvider.setHttpClient(httpClient); - - Request tokenRequest = Mockito.mock(Request.class); - 
Mockito.when(httpClient.newRequest(URI.create("http://169.254.169.254/latest/api/token"))) - .thenReturn(tokenRequest); - Mockito.when(tokenRequest.method(HttpMethod.PUT)).thenReturn(tokenRequest); - Mockito.when(tokenRequest.send()).thenReturn(responseToken); - - Request docRequest = Mockito.mock(Request.class); - Mockito.when(httpClient.newRequest(URI.create("http://169.254.169.254/latest/dynamic/instance-identity/document"))) - .thenReturn(docRequest); - Mockito.when(docRequest.method(HttpMethod.GET)).thenReturn(docRequest); - Mockito.when(docRequest.send()).thenReturn(responseDoc); - - Request sigRequest = Mockito.mock(Request.class); - Mockito.when(httpClient.newRequest(URI.create("http://169.254.169.254/latest/dynamic/instance-identity/pkcs7"))) - .thenReturn(sigRequest); - Mockito.when(sigRequest.method(HttpMethod.GET)).thenReturn(sigRequest); - Mockito.when(sigRequest.send()).thenReturn(responseSig); - - Request infoRequest = Mockito.mock(Request.class); - Mockito.when(httpClient.newRequest(URI.create("http://169.254.169.254/latest/meta-data/iam/info"))) - .thenReturn(infoRequest); - Mockito.when(infoRequest.method(HttpMethod.GET)).thenReturn(infoRequest); - Mockito.when(infoRequest.send()).thenReturn(responseInfo); - - assertTrue(credsProvider.loadBootMetaData()); - assertEquals(credsProvider.awsRole, "athenz.zts"); - assertEquals(credsProvider.awsRegion, "us-west-2"); - credsProvider.close(); - } - - @Test - public void testFetchRoleCredentialsNoRole() throws ServerResourceException{ - - TempCredsProvider credsProvider = new TempCredsProvider(); - - credsProvider.awsRole = null; - assertFalse(credsProvider.fetchRoleCredentials()); - - credsProvider.awsRole = ""; - assertFalse(credsProvider.fetchRoleCredentials()); - credsProvider.close(); - } - - @Test - public void testFetchRoleCredentialsNoCreds() throws Exception { - - TempCredsProvider credsProvider = new TempCredsProvider(); - credsProvider.awsRole = "athenz.zts"; - - HttpClient httpClient = 
Mockito.mock(HttpClient.class); - ContentResponse response = Mockito.mock(ContentResponse.class); - Mockito.when(response.getStatus()).thenReturn(404); - credsProvider.setHttpClient(httpClient); - - Request credsRequest = Mockito.mock(Request.class); - Mockito.when(httpClient.newRequest(URI.create("http://169.254.169.254/latest/meta-data/iam/security-credentials/athenz.zts"))) - .thenReturn(credsRequest); - Mockito.when(credsRequest.method(HttpMethod.GET)).thenReturn(credsRequest); - Mockito.when(credsRequest.send()).thenReturn(response); - - assertFalse(credsProvider.fetchRoleCredentials()); - credsProvider.close(); - } - - @Test - public void testFetchRoleCredentialInvalidCreds() throws Exception { - - TempCredsProvider credsProvider = new TempCredsProvider(); - credsProvider.awsRole = "athenz.zts"; - - HttpClient httpClient = Mockito.mock(HttpClient.class); - ContentResponse response = Mockito.mock(ContentResponse.class); - Mockito.when(response.getStatus()).thenReturn(200); - Mockito.when(response.getContentAsString()).thenReturn("invalid-creds"); - - credsProvider.setHttpClient(httpClient); - - Request credsRequest = Mockito.mock(Request.class); - Mockito.when(httpClient.newRequest(URI.create("http://169.254.169.254/latest/meta-data/iam/security-credentials/athenz.zts"))) - .thenReturn(credsRequest); - Mockito.when(credsRequest.method(HttpMethod.GET)).thenReturn(credsRequest); - Mockito.when(credsRequest.send()).thenReturn(response); - - assertFalse(credsProvider.fetchRoleCredentials()); - credsProvider.close(); - } - - @Test - public void testFetchRoleCredential() throws Exception { - - TempCredsProvider credsProvider = new TempCredsProvider(); - credsProvider.awsRole = "athenz.zts"; - - HttpClient httpClient = Mockito.mock(HttpClient.class); - ContentResponse response = Mockito.mock(ContentResponse.class); - Mockito.when(response.getStatus()).thenReturn(200); - 
Mockito.when(response.getContentAsString()).thenReturn("{\"AccessKeyId\":\"id\",\"SecretAccessKey\":\"key\",\"Token\":\"token\"}"); - - credsProvider.setHttpClient(httpClient); - - Request request = Mockito.mock(Request.class); - Mockito.when(httpClient.newRequest(URI.create("http://169.254.169.254/latest/meta-data/iam/security-credentials/athenz.zts"))) - .thenReturn(request); - Mockito.when(request.method(HttpMethod.GET)).thenReturn(request); - Mockito.when(request.send()).thenReturn(response); - - assertTrue(credsProvider.fetchRoleCredentials()); - credsProvider.close(); - } @Test public void testInitializeAwsSupportInvalidDocument() throws Exception { TempCredsProvider credsProvider = new TempCredsProvider(); - HttpClient httpClient = Mockito.mock(HttpClient.class); - - ContentResponse responseDoc = Mockito.mock(ContentResponse.class); - Mockito.when(responseDoc.getStatus()).thenReturn(200); - Mockito.when(responseDoc.getContentAsString()).thenReturn("invalid-document"); - - credsProvider.setHttpClient(httpClient); - - Request docRequest = Mockito.mock(Request.class); - Mockito.when(httpClient.newRequest(URI.create("http://169.254.169.254/latest/dynamic/instance-identity/document"))) - .thenReturn(docRequest); - Mockito.when(docRequest.method(HttpMethod.GET)).thenReturn(docRequest); - Mockito.when(docRequest.send()).thenReturn(responseDoc); - - try { - credsProvider.initialize(); - } catch (ServerResourceException ex) { - assertEquals(ex.getCode(), 500); - } - credsProvider.close(); - } - - @Test - public void testInitializeAwsSupportInvalidCreds() throws Exception { - - TempCredsProvider credsProvider = new TempCredsProvider(); - HttpClient httpClient = Mockito.mock(HttpClient.class); - - ContentResponse responseDoc = Mockito.mock(ContentResponse.class); - Mockito.when(responseDoc.getStatus()).thenReturn(200); - Mockito.when(responseDoc.getContentAsString()).thenReturn(AWS_INSTANCE_DOCUMENT); - - ContentResponse responseSig = 
Mockito.mock(ContentResponse.class); - Mockito.when(responseSig.getStatus()).thenReturn(200); - Mockito.when(responseSig.getContentAsString()).thenReturn("pkcs7-signature"); - - ContentResponse responseInfo = Mockito.mock(ContentResponse.class); - Mockito.when(responseInfo.getStatus()).thenReturn(200); - Mockito.when(responseInfo.getContentAsString()).thenReturn(AWS_IAM_ROLE_INFO); - - ContentResponse responseCreds = Mockito.mock(ContentResponse.class); - Mockito.when(responseCreds.getStatus()).thenReturn(200); - Mockito.when(responseCreds.getContentAsString()).thenReturn("invalid-creds"); - - credsProvider.setHttpClient(httpClient); - - Request docRequest = Mockito.mock(Request.class); - Mockito.when(httpClient.newRequest(URI.create("http://169.254.169.254/latest/dynamic/instance-identity/document"))) - .thenReturn(docRequest); - Mockito.when(docRequest.method(HttpMethod.GET)).thenReturn(docRequest); - Mockito.when(docRequest.send()).thenReturn(responseDoc); - - Request sigRequest = Mockito.mock(Request.class); - Mockito.when(httpClient.newRequest(URI.create("http://169.254.169.254/latest/dynamic/instance-identity/pkcs7"))) - .thenReturn(sigRequest); - Mockito.when(sigRequest.method(HttpMethod.GET)).thenReturn(sigRequest); - Mockito.when(sigRequest.send()).thenReturn(responseSig); - - Request infoRequest = Mockito.mock(Request.class); - Mockito.when(httpClient.newRequest(URI.create("http://169.254.169.254/latest/meta-data/iam/info"))) - .thenReturn(infoRequest); - Mockito.when(infoRequest.method(HttpMethod.GET)).thenReturn(infoRequest); - Mockito.when(infoRequest.send()).thenReturn(responseInfo); - - Request credsRequest = Mockito.mock(Request.class); - Mockito.when(httpClient.newRequest(URI.create("http://169.254.169.254/latest/meta-data/iam/security-credentials/athenz.zts"))) - .thenReturn(credsRequest); - Mockito.when(credsRequest.method(HttpMethod.GET)).thenReturn(credsRequest); - Mockito.when(credsRequest.send()).thenReturn(responseCreds); try { 
credsProvider.initialize(); - fail(); } catch (ServerResourceException ex) { assertEquals(ex.getCode(), 500); } credsProvider.close(); } - @Test - public void testInitializeAwsSupport() throws TimeoutException, InterruptedException, ServerResourceException, ExecutionException { - - TempCredsProvider credsProvider = new TempCredsProvider(); - HttpClient httpClient = Mockito.mock(HttpClient.class); - - ContentResponse responseDoc = Mockito.mock(ContentResponse.class); - Mockito.when(responseDoc.getStatus()).thenReturn(200); - Mockito.when(responseDoc.getContentAsString()).thenReturn(AWS_INSTANCE_DOCUMENT); - - ContentResponse responseSig = Mockito.mock(ContentResponse.class); - Mockito.when(responseSig.getStatus()).thenReturn(200); - Mockito.when(responseSig.getContentAsString()).thenReturn("pkcs7-signature"); - - ContentResponse responseInfo = Mockito.mock(ContentResponse.class); - Mockito.when(responseInfo.getStatus()).thenReturn(200); - Mockito.when(responseInfo.getContentAsString()).thenReturn(AWS_IAM_ROLE_INFO); - - ContentResponse responseCreds = Mockito.mock(ContentResponse.class); - Mockito.when(responseCreds.getStatus()).thenReturn(200); - Mockito.when(responseCreds.getContentAsString()).thenReturn("{\"AccessKeyId\":\"id\",\"SecretAccessKey\":\"key\",\"Token\":\"token\"}"); - - credsProvider.setHttpClient(httpClient); - - Request docRequest = Mockito.mock(Request.class); - Mockito.when(httpClient.newRequest(URI.create("http://169.254.169.254/latest/dynamic/instance-identity/document"))) - .thenReturn(docRequest); - Mockito.when(docRequest.method(HttpMethod.GET)).thenReturn(docRequest); - Mockito.when(docRequest.send()).thenReturn(responseDoc); - - Request sigRequest = Mockito.mock(Request.class); - Mockito.when(httpClient.newRequest(URI.create("http://169.254.169.254/latest/dynamic/instance-identity/pkcs7"))) - .thenReturn(sigRequest); - Mockito.when(sigRequest.method(HttpMethod.GET)).thenReturn(sigRequest); - 
Mockito.when(sigRequest.send()).thenReturn(responseSig); - - Request infoRequest = Mockito.mock(Request.class); - Mockito.when(httpClient.newRequest(URI.create("http://169.254.169.254/latest/meta-data/iam/info"))) - .thenReturn(infoRequest); - Mockito.when(infoRequest.method(HttpMethod.GET)).thenReturn(infoRequest); - Mockito.when(infoRequest.send()).thenReturn(responseInfo); - - Request credsRequest = Mockito.mock(Request.class); - Mockito.when(httpClient.newRequest(URI.create("http://169.254.169.254/latest/meta-data/iam/security-credentials/athenz.zts"))) - .thenReturn(credsRequest); - Mockito.when(credsRequest.method(HttpMethod.GET)).thenReturn(credsRequest); - Mockito.when(credsRequest.send()).thenReturn(responseCreds); - - credsProvider.initialize(); - - // sleep a couple of seconds for the background thread to run - // before we try to shut it down - - try { - Thread.sleep(2000); - } catch (InterruptedException ignored) { - } - credsProvider.close(); - } - @Test public void testAssumeAWSRole() throws ServerResourceException { MockTempCredsProvider credsProvider = new MockTempCredsProvider(); - HttpClient httpClient = Mockito.mock(HttpClient.class); - credsProvider.setHttpClient(httpClient); AssumeRoleResponse mockResult = Mockito.mock(AssumeRoleResponse.class); Credentials creds = Mockito.mock(Credentials.class); @@ -914,8 +133,6 @@ public void testAssumeAWSRole() throws ServerResourceException { public void testAssumeAWSRoleFailedCreds() throws ServerResourceException { MockTempCredsProvider credsProvider = new MockTempCredsProvider(); - HttpClient httpClient = Mockito.mock(HttpClient.class); - credsProvider.setHttpClient(httpClient); AwsServiceException exception = AwsServiceException.builder() .awsErrorDetails(AwsErrorDetails.builder() 
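Review bot: dropping `fail()` from `testInitializeAwsSupportInvalidDocument` leaves a test that passes whether or not `initialize()` throws — on a box with no reachable IMDS the ServerResourceException/500 branch is checked, but on an EC2 host where the SDK provider succeeds nothing is asserted at all, and the name "InvalidDocument" no longer describes anything the test does. If the environment-dependence is intentional for the functional suites, a comment such as `// initialize() only fails off-EC2; on an instance the SDK provider succeeds and there is nothing to assert` should say so, and the test should be renamed accordingly. A deterministic alternative is to put `InstanceProfileCredentialsProvider` construction behind an overridable factory method so the test can inject a provider that throws, then assert with `assertThrows(ServerResourceException.class, credsProvider::initialize);`.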
@@ -954,22 +171,6 @@ public void testAssumeAWSRoleFailedCreds() throws ServerResourceException { credsProvider.close(); } - @Test - public void testSetupHttpClient() throws Exception { - - TempCredsProvider credsProvider = new TempCredsProvider(); - HttpClient client = Mockito.mock(HttpClient.class); - Mockito.doThrow(new Exception("Invalid client")).when(client).start(); - - try { - credsProvider.setupHttpClient(client); - fail(); - } catch (ServerResourceException ex) { - assertEquals(ex.getCode(), 500); - } - credsProvider.close(); - } - static class MockTempCredsProvider extends TempCredsProvider { AssumeRoleResponse assumeRoleResponse; diff --git a/libs/java/server_common/pom.xml b/libs/java/server_common/pom.xml index b02c2229551..f70d62e6741 100644 --- a/libs/java/server_common/pom.xml +++ b/libs/java/server_common/pom.xml @@ -27,7 +27,7 @@ jar - 0.8777 + 0.8774 2.12.0 2.12.0 2.1.3 @@ -36,21 +36,8 @@ 3.3.1 5.1.0 0.3 - 1.42.1 - - - - io.opentelemetry - opentelemetry-bom - ${opentelemetry.version} - pom - import - - - - org.apache.httpcomponents.client5 diff --git a/libs/java/server_common/src/main/java/com/yahoo/athenz/common/server/store/impl/JDBCConsts.java b/libs/java/server_common/src/main/java/com/yahoo/athenz/common/server/store/impl/JDBCConsts.java index f06c4ef360d..468e69a134c 100644 --- a/libs/java/server_common/src/main/java/com/yahoo/athenz/common/server/store/impl/JDBCConsts.java +++ b/libs/java/server_common/src/main/java/com/yahoo/athenz/common/server/store/impl/JDBCConsts.java 
@@ -31,6 +31,7 @@ public final class JDBCConsts {
 public static final String ZMS_PROP_JDBC_VERIFY_SERVER_CERT = "athenz.zms.jdbc_verify_server_certificate";
 public static final String ZMS_PROP_JDBC_USE_SSL = "athenz.zms.jdbc_use_ssl";
 public static final String ZMS_PROP_JDBC_TLS_VERSIONS = "athenz.zms.jdbc_tls_versions";
+ public static final String ZMS_PROP_JDBC_DRIVER_CLASS = "athenz.db.driver.class";
 public static final String ZMS_PROP_MYSQL_SERVER_TIMEZONE = "athenz.zms.mysql_server_timezone";
 public static final String ZMS_PROP_MYSQL_SERVER_TRUST_ROLES_UPDATE_TIMEOUT = "athenz.zms.mysql_server_trust_roles_update_timeout";
diff --git a/libs/java/server_common/src/main/java/com/yahoo/athenz/common/server/store/impl/JDBCObjectStoreFactory.java b/libs/java/server_common/src/main/java/com/yahoo/athenz/common/server/store/impl/JDBCObjectStoreFactory.java
index 949f8315253..6ded00c0188 100644
--- a/libs/java/server_common/src/main/java/com/yahoo/athenz/common/server/store/impl/JDBCObjectStoreFactory.java
+++ b/libs/java/server_common/src/main/java/com/yahoo/athenz/common/server/store/impl/JDBCObjectStoreFactory.java
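Review bot: The new constant `ZMS_PROP_JDBC_DRIVER_CLASS` is bound to `"athenz.db.driver.class"`, which breaks the `athenz.zms.jdbc_*` naming every neighbouring JDBC property in this block follows and does not match the `ZMS_PROP_JDBC_` prefix of the constant itself. If the generic name is deliberate because the factory in server_common is shared by more than one server, a one-line comment saying so would stop the next reader from "fixing" it; otherwise `"athenz.zms.jdbc_driver_class"` would be the consistent choice. Operators grepping for `athenz.zms.jdbc` to audit their database settings will otherwise miss this property, which controls which class gets loaded reflectively at startup.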
@@ -24,15 +24,29 @@ import com.yahoo.athenz.common.server.store.ObjectStore; import com.yahoo.athenz.common.server.store.ObjectStoreFactory; import org.eclipse.jetty.util.StringUtil; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; public class JDBCObjectStoreFactory implements ObjectStoreFactory { + private static final Logger LOGGER = LoggerFactory.getLogger(JDBCObjectStoreFactory.class); + private static final String JDBC_APP_NAME = "jdbc"; private static final String JDBC_TIME_ZONE = "SERVER"; private static final String JDBC_TLS_VERSIONS = "TLSv1.2,TLSv1.3"; @Override public ObjectStore create(PrivateKeyStore keyStore) { + + final String dbDriverClass = System.getProperty(JDBCConsts.ZMS_PROP_JDBC_DRIVER_CLASS); + if (!StringUtil.isEmpty(dbDriverClass)) { + try { + Class.forName(dbDriverClass).getDeclaredConstructor().newInstance(); + } catch (Exception ex) { + LOGGER.error("Invalid JDBC driver class: {}", dbDriverClass); + } + } + final String jdbcStore = System.getProperty(JDBCConsts.ZMS_PROP_JDBC_RW_STORE); final String jdbcUser = System.getProperty(JDBCConsts.ZMS_PROP_JDBC_RW_USER); final String password = System.getProperty(JDBCConsts.ZMS_PROP_JDBC_RW_PASSWORD, ""); diff --git a/libs/java/server_common/src/main/java/com/yahoo/athenz/common/server/util/config/ConfigManagerSingleton.java b/libs/java/server_common/src/main/java/com/yahoo/athenz/common/server/util/config/ConfigManagerSingleton.java index b2c44a03ac2..f1177269bbe 100644 --- a/libs/java/server_common/src/main/java/com/yahoo/athenz/common/server/util/config/ConfigManagerSingleton.java +++ b/libs/java/server_common/src/main/java/com/yahoo/athenz/common/server/util/config/ConfigManagerSingleton.java 
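Review bot: The `catch (Exception ex)` in the new driver-loading block logs only the class name, drops `ex`, and lets `create()` continue, so a mistyped or missing driver class is reported without its cause (ClassNotFound vs. no accessible no-arg constructor vs. a failure in the driver's static initializer) and the store silently proceeds with whatever driver `DriverManager` happens to discover. Since this reflectively instantiates an operator-supplied class name, the safer behaviour is to fail fast, matching how the config-provider loading elsewhere in this commit throws on a bad class: `LOGGER.error("Invalid JDBC driver class: {}", dbDriverClass, ex);` followed by `throw new IllegalArgumentException("Invalid JDBC driver class: " + dbDriverClass, ex);`. If the only goal is registration with `DriverManager`, `Class.forName(dbDriverClass)` alone is presumably sufficient because drivers register in their static initializer, so the `getDeclaredConstructor().newInstance()` call may be unnecessary — worth confirming against the driver in use. The body of `create()` continues past the end of this hunk.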
@@ -37,21 +37,21 @@ private static class AthenzConfigManager extends ConfigManager { super("reload-configs-seconds", 60, TimeUnit.SECONDS); addConfigProviders(); } - } - private static void addConfigProviders() { - String providerClasses = System.getProperty(ATHENZ_CONFIG_PROVIDERS); - if (providerClasses != null && !providerClasses.isEmpty()) { - String[] providerClassList = providerClasses.split(","); - for (String providerClass : providerClassList) { - ConfigProvider configProvider; - try { - configProvider = (ConfigProvider) Class.forName(providerClass).getDeclaredConstructor().newInstance(); - } catch (Exception ex) { - LOGGER.error("unable to initialize config provider for: {}", providerClass, ex); - throw new IllegalArgumentException("unable to initialize config provider for: " + providerClass); + void addConfigProviders() { + String providerClasses = System.getProperty(ATHENZ_CONFIG_PROVIDERS); + if (providerClasses != null && !providerClasses.isEmpty()) { + String[] providerClassList = providerClasses.split(","); + for (String providerClass : providerClassList) { + ConfigProvider configProvider; + try { + configProvider = (ConfigProvider) Class.forName(providerClass).getDeclaredConstructor().newInstance(); + } catch (Exception ex) { + LOGGER.error("unable to initialize config provider for: {}", providerClass, ex); + throw new IllegalArgumentException("unable to initialize config provider for: " + providerClass); + } + addProvider(configProvider); } - CONFIG_MANAGER.addProvider(configProvider); } } } diff --git a/pom.xml b/pom.xml index d6163f819a3..81ddf538aea 100644 --- a/pom.xml +++ b/pom.xml @@ -102,6 +102,7 @@ 9.0.0 9.41.1 4.12.0 + 1.42.1 1.5.4 1.7.36 2.0.16 
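Review bot: `void addConfigProviders()` is now a package-private, non-final instance method that the constructor calls right after `super(...)`, which is the overridable-call-from-constructor pattern; the old `private static` form did not have that exposure. The enclosing `AthenzConfigManager` appears to be a private nested class, so the practical override risk is low, but declaring it `private void addConfigProviders()` keeps the visibility the method had before and documents that it is constructor-only. Separately, `providerClasses.split(",")` passes each token to `Class.forName` untrimmed, so a value such as `"a.B, c.D"` fails on the second entry with the same IllegalArgumentException as a genuinely missing class; `providerClass.trim()` before the lookup (or a comment stating that whitespace is intentionally rejected) would make that explicit.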
@@ -379,6 +380,39 @@ + + + + software.amazon.awssdk + bom + ${aws2.version} + pom + import + + + com.amazonaws + aws-java-sdk-bom + ${aws.version} + pom + import + + + com.google.cloud + libraries-bom + ${gcp.bom.version} + pom + import + + + io.opentelemetry + opentelemetry-bom + ${opentelemetry.version} + pom + import + + + + org.testng diff --git a/servers/zts/src/main/java/com/yahoo/athenz/zts/store/CloudStore.java b/servers/zts/src/main/java/com/yahoo/athenz/zts/store/CloudStore.java index 01a881cf1d4..f5f2a1f5183 100644 --- a/servers/zts/src/main/java/com/yahoo/athenz/zts/store/CloudStore.java +++ b/servers/zts/src/main/java/com/yahoo/athenz/zts/store/CloudStore.java @@ -374,13 +374,6 @@ public void run() { LOGGER.debug("AWSCredentialsUpdater: Starting aws credentials updater task..."); } - try { - tempCredsProvider.fetchRoleCredentials(); - } catch (Exception ex) { - LOGGER.error("AWSCredentialsUpdater: unable to fetch aws role credentials: {}", - ex.getMessage()); - } - try { removeExpiredCredentials(); } catch (Exception ex) { diff --git a/servers/zts/src/test/java/com/yahoo/athenz/zts/store/CloudStoreTest.java b/servers/zts/src/test/java/com/yahoo/athenz/zts/store/CloudStoreTest.java index cbc746da904..a21373d9959 100644 --- a/servers/zts/src/test/java/com/yahoo/athenz/zts/store/CloudStoreTest.java +++ b/servers/zts/src/test/java/com/yahoo/athenz/zts/store/CloudStoreTest.java 
@@ -327,22 +327,14 @@ public void testAWSCredentialsUpdaterExceptions () { // and make sure our run does not throw any // first operation - all return true - // second operation - fetchRoleCredentials throws exception - // third operation - removeExpiredCredentials throws exception - // forth opreation - removeExpiredInvalidCredentials throws exception + // second operation - removeExpiredCredentials throws exception + // third opreation - removeExpiredInvalidCredentials throws exception - Mockito.when(cloudStore.tempCredsProvider.fetchRoleCredentials()) - .thenReturn(true) - .thenThrow(new NullPointerException("invalid state")) - .thenReturn(true) - .thenReturn(true); Mockito.when(cloudStore.removeExpiredCredentials()) - .thenReturn(true) .thenReturn(true) .thenThrow(new NullPointerException("invalid state")) .thenReturn(true); Mockito.when(cloudStore.removeExpiredInvalidCredentials()) - .thenReturn(true) .thenReturn(true) .thenReturn(true) .thenThrow(new NullPointerException("invalid state")); diff --git a/syncers/auth_history_syncer/pom.xml b/syncers/auth_history_syncer/pom.xml index 55b9e37390f..466247126ed 100644 --- a/syncers/auth_history_syncer/pom.xml +++ b/syncers/auth_history_syncer/pom.xml @@ -38,18 +38,6 @@ 4.13.2 - - - - software.amazon.awssdk - bom - ${aws2.version} - pom - import - - - - org.slf4j diff --git a/syncers/zms_aws_domain_syncer/src/main/java/com/yahoo/athenz/zms_aws_domain_syncer/S3ClientFactory.java b/syncers/zms_aws_domain_syncer/src/main/java/com/yahoo/athenz/zms_aws_domain_syncer/S3ClientFactory.java index ebbafa40c6d..0b73747c4fe 100644 --- a/syncers/zms_aws_domain_syncer/src/main/java/com/yahoo/athenz/zms_aws_domain_syncer/S3ClientFactory.java +++ b/syncers/zms_aws_domain_syncer/src/main/java/com/yahoo/athenz/zms_aws_domain_syncer/S3ClientFactory.java 
@@ -28,7 +28,6 @@ import software.amazon.awssdk.regions.Region; import software.amazon.awssdk.regions.providers.DefaultAwsRegionProviderChain; import software.amazon.awssdk.services.s3.model.HeadBucketRequest; -import software.amazon.awssdk.services.s3.model.S3Exception; import java.time.Duration;