diff --git a/clients/java/zms/src/main/java/com/yahoo/athenz/zms/ZMSClient.java b/clients/java/zms/src/main/java/com/yahoo/athenz/zms/ZMSClient.java index 40359d567da..998e81b7c7b 100644 --- a/clients/java/zms/src/main/java/com/yahoo/athenz/zms/ZMSClient.java +++ b/clients/java/zms/src/main/java/com/yahoo/athenz/zms/ZMSClient.java @@ -76,14 +76,17 @@ public class ZMSClient implements Closeable { public static final String ZMS_CLIENT_PROP_KEYSTORE_TYPE = "athenz.zms.client.keystore_type"; public static final String ZMS_CLIENT_PROP_KEYSTORE_PASSWORD = "athenz.zms.client.keystore_password"; public static final String ZMS_CLIENT_PROP_KEYSTORE_PWD_APP_NAME = "athenz.zms.client.keystore_pwd_app_name"; + public static final String ZMS_CLIENT_PROP_KEYSTORE_PWD_KEYGROUP_NAME = "athenz.zms.client.keystore_pwd_keygroup_name"; public static final String ZMS_CLIENT_PROP_KEY_MANAGER_PASSWORD = "athenz.zms.client.keymanager_password"; public static final String ZMS_CLIENT_PROP_KEY_MANAGER_PWD_APP_NAME = "athenz.zms.client.keymanager_pwd_app_name"; + public static final String ZMS_CLIENT_PROP_KEY_MANAGER_PWD_KEYGROUP_NAME = "athenz.zms.client.keymanager_pwd_keygroup_name"; public static final String ZMS_CLIENT_PROP_TRUSTSTORE_PATH = "athenz.zms.client.truststore_path"; public static final String ZMS_CLIENT_PROP_TRUSTSTORE_TYPE = "athenz.zms.client.truststore_type"; public static final String ZMS_CLIENT_PROP_TRUSTSTORE_PASSWORD = "athenz.zms.client.truststore_password"; public static final String ZMS_CLIENT_PROP_TRUSTSTORE_PWD_APP_NAME = "athenz.zms.client.truststore_pwd_app_name"; + public static final String ZMS_CLIENT_PROP_TRUSTSTORE_PWD_KEYGROUP_NAME = "athenz.zms.client.truststore_pwd_keygroup_name"; public static final String ZMS_CLIENT_PROP_PRIVATE_KEY_STORE_FACTORY_CLASS = "athenz.zms.client.private_keystore_factory_class"; public static final String ZMS_CLIENT_PROP_CLIENT_PROTOCOL = "athenz.zms.client.client_ssl_protocol"; 
@@ -421,12 +424,14 @@ SSLContext createSSLContext() { keyStorePassword = keyStorePwd.toCharArray(); } String keyStorePasswordAppName = System.getProperty(ZMS_CLIENT_PROP_KEYSTORE_PWD_APP_NAME); + String keyStorePasswordKeygroupName = System.getProperty(ZMS_CLIENT_PROP_KEYSTORE_PWD_KEYGROUP_NAME); char[] keyManagerPassword = null; String keyManagerPwd = System.getProperty(ZMS_CLIENT_PROP_KEY_MANAGER_PASSWORD); if (null != keyManagerPwd && !keyManagerPwd.isEmpty()) { keyManagerPassword = keyManagerPwd.toCharArray(); } String keyManagerPasswordAppName = System.getProperty(ZMS_CLIENT_PROP_KEY_MANAGER_PWD_APP_NAME); + String keyManagerPasswordKeygroupName = System.getProperty(ZMS_CLIENT_PROP_KEY_MANAGER_PWD_KEYGROUP_NAME); // truststore String trustStorePath = System.getProperty(ZMS_CLIENT_PROP_TRUSTSTORE_PATH); @@ -437,6 +442,7 @@ SSLContext createSSLContext() { trustStorePassword = trustStorePwd.toCharArray(); } String trustStorePasswordAppName = System.getProperty(ZMS_CLIENT_PROP_TRUSTSTORE_PWD_APP_NAME); + String trustStorePasswordKeygroupName = System.getProperty(ZMS_CLIENT_PROP_TRUSTSTORE_PWD_KEYGROUP_NAME); // alias and protocol details String certAlias = System.getProperty(ZMS_CLIENT_PROP_CERT_ALIAS); @@ -453,9 +459,11 @@ SSLContext createSSLContext() { } builder.keyStorePassword(keyStorePassword); builder.keyStorePasswordAppName(keyStorePasswordAppName); - builder.keyManagerPassword(keyManagerPassword); + builder.keyStorePasswordKeygroupName(keyStorePasswordKeygroupName); + builder.keyManagerPassword(keyManagerPassword); builder.keyManagerPasswordAppName(keyManagerPasswordAppName); + builder.keyManagerPasswordKeygroupName(keyManagerPasswordKeygroupName); builder.trustStorePath(trustStorePath); if (null != trustStoreType && !trustStoreType.isEmpty()) { 
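Review bot: In the third hunk (`@@ -453,9 +459,11 @@`) the line `builder.keyManagerPassword(keyManagerPassword);` is removed and re-added with what appears to be identical content on either side of the new `builder.keyStorePasswordKeygroupName(keyStorePasswordKeygroupName);` call, which turns a pure insertion into a spurious modification in the diff. Insert the new call and leave the neighbouring line untouched; if the pair differs only in indentation, that is a whitespace-only change and belongs in its own commit. `createSSLContext` continues outside the hunk.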
@@ -463,6 +471,7 @@ SSLContext createSSLContext() { } builder.trustStorePassword(trustStorePassword); builder.trustStorePasswordAppName(trustStorePasswordAppName); + builder.trustStorePasswordKeygroupName(trustStorePasswordKeygroupName); return builder.build(); } diff --git a/clients/java/zts/src/main/java/com/yahoo/athenz/zts/ZTSClient.java b/clients/java/zts/src/main/java/com/yahoo/athenz/zts/ZTSClient.java index 19df268b84e..f13b58fabe5 100644 --- a/clients/java/zts/src/main/java/com/yahoo/athenz/zts/ZTSClient.java +++ b/clients/java/zts/src/main/java/com/yahoo/athenz/zts/ZTSClient.java 
@@ -140,14 +140,17 @@ public class ZTSClient implements Closeable { public static final String ZTS_CLIENT_PROP_KEYSTORE_TYPE = "athenz.zts.client.keystore_type"; public static final String ZTS_CLIENT_PROP_KEYSTORE_PASSWORD = "athenz.zts.client.keystore_password"; public static final String ZTS_CLIENT_PROP_KEYSTORE_PWD_APP_NAME = "athenz.zts.client.keystore_pwd_app_name"; + public static final String ZTS_CLIENT_PROP_KEYSTORE_PWD_KEYGROUP_NAME = "athenz.zts.client.keystore_pwd_keygroup_name"; public static final String ZTS_CLIENT_PROP_KEY_MANAGER_PASSWORD = "athenz.zts.client.keymanager_password"; public static final String ZTS_CLIENT_PROP_KEY_MANAGER_PWD_APP_NAME = "athenz.zts.client.keymanager_pwd_app_name"; + public static final String ZTS_CLIENT_PROP_KEY_MANAGER_PWD_KEYGROUP_NAME = "athenz.zts.client.keymanager_pwd_keygroup_name"; public static final String ZTS_CLIENT_PROP_TRUSTSTORE_PATH = "athenz.zts.client.truststore_path"; public static final String ZTS_CLIENT_PROP_TRUSTSTORE_TYPE = "athenz.zts.client.truststore_type"; public static final String ZTS_CLIENT_PROP_TRUSTSTORE_PASSWORD = "athenz.zts.client.truststore_password"; public static final String ZTS_CLIENT_PROP_TRUSTSTORE_PWD_APP_NAME = "athenz.zts.client.truststore_pwd_app_name"; + public static final String ZTS_CLIENT_PROP_TRUSTSTORE_PWD_KEYGROUP_NAME = "athenz.zts.client.truststore_pwd_keygroup_name"; public static final String ZTS_CLIENT_PROP_POOL_MAX_PER_ROUTE = "athenz.zts.client.http_pool_max_per_route"; public static final String ZTS_CLIENT_PROP_POOL_MAX_TOTAL = "athenz.zts.client.http_pool_max_total"; 
@@ -650,12 +653,14 @@ private SSLContext createSSLContext() { keyStorePassword = keyStorePwd.toCharArray(); } String keyStorePasswordAppName = System.getProperty(ZTS_CLIENT_PROP_KEYSTORE_PWD_APP_NAME); + String keyStorePasswordKeygroupName = System.getProperty(ZTS_CLIENT_PROP_KEYSTORE_PWD_KEYGROUP_NAME); char[] keyManagerPassword = null; String keyManagerPwd = System.getProperty(ZTS_CLIENT_PROP_KEY_MANAGER_PASSWORD); if (!isEmpty(keyManagerPwd)) { keyManagerPassword = keyManagerPwd.toCharArray(); } String keyManagerPasswordAppName = System.getProperty(ZTS_CLIENT_PROP_KEY_MANAGER_PWD_APP_NAME); + String keyManagerPasswordKeygroupName = System.getProperty(ZTS_CLIENT_PROP_KEY_MANAGER_PWD_KEYGROUP_NAME); // truststore String trustStorePath = System.getProperty(ZTS_CLIENT_PROP_TRUSTSTORE_PATH); @@ -666,6 +671,7 @@ private SSLContext createSSLContext() { trustStorePassword = trustStorePwd.toCharArray(); } String trustStorePasswordAppName = System.getProperty(ZTS_CLIENT_PROP_TRUSTSTORE_PWD_APP_NAME); + String trustStorePasswordKeygroupName = System.getProperty(ZTS_CLIENT_PROP_TRUSTSTORE_PWD_KEYGROUP_NAME); // alias and protocol details String certAlias = System.getProperty(ZTS_CLIENT_PROP_CERT_ALIAS); @@ -687,12 +693,18 @@ private SSLContext createSSLContext() { if (null != keyStorePasswordAppName) { builder.keyStorePasswordAppName(keyStorePasswordAppName); } + if (null != keyStorePasswordKeygroupName) { + builder.keyStorePasswordKeygroupName(keyStorePasswordKeygroupName); + } if (null != keyManagerPassword) { builder.keyManagerPassword(keyManagerPassword); } if (null != keyManagerPasswordAppName) { builder.keyManagerPasswordAppName(keyManagerPasswordAppName); } + if (null != keyManagerPasswordKeygroupName) { + builder.keyManagerPasswordKeygroupName(keyManagerPasswordKeygroupName); + } if (!isEmpty(trustStorePath)) { builder.trustStorePath(trustStorePath); } 
@@ -705,6 +717,9 @@ private SSLContext createSSLContext() { if (null != trustStorePasswordAppName) { builder.trustStorePasswordAppName(trustStorePasswordAppName); } + if (null != trustStorePasswordKeygroupName) { + builder.trustStorePasswordKeygroupName(trustStorePasswordKeygroupName); + } return builder.build(); } diff --git a/clients/java/zts/src/test/java/com/yahoo/athenz/zts/ZTSClientTest.java b/clients/java/zts/src/test/java/com/yahoo/athenz/zts/ZTSClientTest.java index 7edc61d5aa0..152c59de9dc 100644 --- a/clients/java/zts/src/test/java/com/yahoo/athenz/zts/ZTSClientTest.java +++ b/clients/java/zts/src/test/java/com/yahoo/athenz/zts/ZTSClientTest.java @@ -19,6 +19,7 @@ import static com.yahoo.athenz.zts.AccessTokenTestFileHelper.setupTokenFile; import static org.mockito.ArgumentMatchers.any; import static org.mockito.ArgumentMatchers.anyString; +import static org.mockito.Mockito.when; import static org.testng.Assert.assertEquals; import static org.testng.Assert.assertFalse; import static org.testng.Assert.assertNotEquals; @@ -39,17 +40,15 @@ import java.nio.charset.StandardCharsets; import java.nio.file.Path; import java.nio.file.Paths; -import java.security.PrivateKey; -import java.security.PublicKey; +import java.security.*; import java.security.cert.*; +import java.security.cert.Certificate; import java.util.*; -import javax.net.ssl.HostnameVerifier; -import javax.net.ssl.SSLContext; -import javax.net.ssl.SSLPeerUnverifiedException; -import javax.net.ssl.SSLSession; +import javax.net.ssl.*; import org.mockito.ArgumentCaptor; +import org.mockito.MockedStatic; import org.mockito.Mockito; import org.testng.annotations.AfterMethod; import org.testng.annotations.BeforeClass; 
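Review bot: The import hunk (`@@ -39,17 +40,15 @@`) replaces explicit imports with `java.security.*` and `javax.net.ssl.*`, and then has to add `import java.security.cert.Certificate;` to resolve the ambiguity the new `java.security.*` wildcard creates with the deprecated `java.security.Certificate`, which the old explicit imports never had. Keeping explicit imports avoids that and matches how the file imported `PrivateKey`/`PublicKey` and `HostnameVerifier`/`SSLContext`/`SSLPeerUnverifiedException`/`SSLSession` before: `import java.security.KeyStore;`, `import java.security.KeyStoreException;`, `import java.security.NoSuchAlgorithmException;` plus `import javax.net.ssl.KeyManager;`, `import javax.net.ssl.KeyManagerFactory;`. Those appear to be the only new names the added test uses, as far as this diff shows.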
@@ -548,7 +547,7 @@ public void testUpdateServicePrincipal() { @Test public void testUpdateServicePrincipalException() { ServiceIdentityProvider siaProvider = Mockito.mock(ServiceIdentityProvider.class); - Mockito.when(siaProvider.getIdentity(Mockito.eq("iaas.athenz"), + when(siaProvider.getIdentity(Mockito.eq("iaas.athenz"), Mockito.eq("ci"))).thenThrow(IllegalArgumentException.class); ZTSClient client = new ZTSClient("http://localhost:4080/", @@ -783,7 +782,7 @@ public void testGetRoleTokenWithSiaProvider() { // the sia provider instead of principal given SimpleServiceIdentityProvider siaProvider = Mockito.mock(SimpleServiceIdentityProvider.class); - Mockito.when(siaProvider.getIdentity("user_domain", "user")).thenReturn(principal); + when(siaProvider.getIdentity("user_domain", "user")).thenReturn(principal); ZTSClient client2 = new ZTSClient("http://localhost:4080", "user_domain", "user", siaProvider); client2.setZTSRDLGeneratedClient(ztsClientMock); @@ -814,7 +813,7 @@ public void testPrefetchRoleTokenShouldNotCallServer() throws Exception { "auth_creds", PRINCIPAL_AUTHORITY); ServiceIdentityProvider siaProvider = Mockito.mock(ServiceIdentityProvider.class); - Mockito.when(siaProvider.getIdentity(any(), + when(siaProvider.getIdentity(any(), any())).thenReturn(principal); ZTSClient client = new ZTSClient("http://localhost:4080/", "user_domain", @@ -913,7 +912,7 @@ public void testPrefetchRoleTokenWithUserDataShouldNotCallServer() throws Except final Principal principal = SimplePrincipal.create("user_domain", "user", "auth_creds", PRINCIPAL_AUTHORITY); ServiceIdentityProvider siaProvider = Mockito.mock(ServiceIdentityProvider.class); - Mockito.when(siaProvider.getIdentity(any(), + when(siaProvider.getIdentity(any(), any())).thenReturn(principal); ZTSClient client = new ZTSClient("http://localhost:4080/", "user_domain", 
@@ -1026,7 +1025,7 @@ public void testPrefetchAwsCredShouldNotCallServer() throws Exception { "auth_creds", PRINCIPAL_AUTHORITY); ServiceIdentityProvider siaProvider = Mockito.mock(ServiceIdentityProvider.class); - Mockito.when(siaProvider.getIdentity(any(), + when(siaProvider.getIdentity(any(), any())).thenReturn(principal); ZTSClient client = new ZTSClient("http://localhost:4080/", "user_domain", @@ -1150,7 +1149,7 @@ public void testPrefetchShouldNotCallServer() throws Exception { "auth_creds", PRINCIPAL_AUTHORITY); ServiceIdentityProvider siaProvider = Mockito.mock(ServiceIdentityProvider.class); - Mockito.when(siaProvider.getIdentity(any(), + when(siaProvider.getIdentity(any(), any())).thenReturn(principal); ZTSClient client = new ZTSClient("http://localhost:4080/", "user_domain", @@ -1294,7 +1293,7 @@ public void testPrefetchRoleTokenShouldCallServer() throws Exception { "auth_creds", PRINCIPAL_AUTHORITY); ServiceIdentityProvider siaProvider = Mockito.mock(ServiceIdentityProvider.class); - Mockito.when(siaProvider.getIdentity(any(), + when(siaProvider.getIdentity(any(), any())).thenReturn(principal); ZTSClient client = new ZTSClient("http://localhost:4080/", "user_domain", @@ -1388,7 +1387,7 @@ public void testPrefetchAwsCredShouldCallServerNoNotification() throws Exception "auth_creds", PRINCIPAL_AUTHORITY); ServiceIdentityProvider siaProvider = Mockito.mock(ServiceIdentityProvider.class); - Mockito.when(siaProvider.getIdentity(any(), + when(siaProvider.getIdentity(any(), any())).thenReturn(principal); ZTSClientNotificationSender notificationSender = Mockito.mock(ZTSClientNotificationSender.class); 
@@ -1504,7 +1503,7 @@ public void testPrefetchAwsCredShouldSendNotifications() throws Exception { "auth_creds", PRINCIPAL_AUTHORITY); ServiceIdentityProvider siaProvider = Mockito.mock(ServiceIdentityProvider.class); - Mockito.when(siaProvider.getIdentity(any(), + when(siaProvider.getIdentity(any(), any())).thenReturn(principal); ZTSClientNotificationSender notificationSender = Mockito.mock(ZTSClientNotificationSender.class); @@ -1591,7 +1590,7 @@ public void testPrefetchShouldCallServer() throws Exception { "auth_creds", PRINCIPAL_AUTHORITY); ServiceIdentityProvider siaProvider = Mockito.mock(ServiceIdentityProvider.class); - Mockito.when(siaProvider.getIdentity(any(), + when(siaProvider.getIdentity(any(), any())).thenReturn(principal); ZTSClient client = new ZTSClient("http://localhost:4080/", "user_domain", @@ -2243,7 +2242,7 @@ public void testHostnamVerifierDnsMatchStandard() throws SSLPeerUnverifiedExcept Certificate[] certs1 = new Certificate[1]; X509Certificate cert1 = Mockito.mock(X509Certificate.class); - Mockito.when(cert1.getSubjectAlternativeNames()).thenReturn(altNames1); + when(cert1.getSubjectAlternativeNames()).thenReturn(altNames1); certs1[0] = cert1; ArrayList> altNames2 = new ArrayList<>(); @@ -2259,10 +2258,10 @@ public void testHostnamVerifierDnsMatchStandard() throws SSLPeerUnverifiedExcept Certificate[] certs2 = new Certificate[1]; X509Certificate cert2 = Mockito.mock(X509Certificate.class); - Mockito.when(cert2.getSubjectAlternativeNames()).thenReturn(altNames2); + when(cert2.getSubjectAlternativeNames()).thenReturn(altNames2); certs2[0] = cert2; - Mockito.when(session.getPeerCertificates()).thenReturn(certs1).thenReturn(certs2); + when(session.getPeerCertificates()).thenReturn(certs1).thenReturn(certs2); assertTrue(hostnameVerifier.verify("host1", session)); assertFalse(hostnameVerifier.verify("host1", session)); 
@@ -2612,7 +2611,7 @@ public void testHostNameVerifierVerifyCertNull() throws SSLPeerUnverifiedExcepti ZTSClient.AWSHostNameVerifier hostnameVerifier = new ZTSClient.AWSHostNameVerifier("host1"); SSLSession session = Mockito.mock(SSLSession.class); - Mockito.when(session.getPeerCertificates()).thenReturn(null); + when(session.getPeerCertificates()).thenReturn(null); assertFalse(hostnameVerifier.verify("host1", session)); @@ -2664,7 +2663,7 @@ public void testHostNameVerifierVerifyCert() throws CertificateException, IOExce certs[0] = cert; SSLSession session = Mockito.mock(SSLSession.class); - Mockito.when(session.getPeerCertificates()).thenReturn(certs); + when(session.getPeerCertificates()).thenReturn(certs); assertFalse(hostnameVerifier.verify("unknown", session)); client.close(); @@ -3545,7 +3544,7 @@ public void testPrefetchAccessTokenShouldNotCallServer() throws Exception { "auth_creds", PRINCIPAL_AUTHORITY); ServiceIdentityProvider siaProvider = Mockito.mock(ServiceIdentityProvider.class); - Mockito.when(siaProvider.getIdentity(any(), + when(siaProvider.getIdentity(any(), any())).thenReturn(principal); ZTSClient client = new ZTSClient("http://localhost:4080/", "user_domain", @@ -3683,7 +3682,7 @@ public void testGetInfo() throws IOException, URISyntaxException { .setImplementationTitle("title") .setImplementationVendor("vendor") .setImplementationVersion("version"); - Mockito.when(c.getInfo()).thenReturn(info) + when(c.getInfo()).thenReturn(info) .thenThrow(new ZTSClientException(401, "fail")) .thenThrow(new IllegalArgumentException("other-error")); @@ -4004,7 +4003,7 @@ public void testPrefetchIdTokenShouldNotCallServer() throws Exception { "auth_creds", PRINCIPAL_AUTHORITY); ServiceIdentityProvider siaProvider = Mockito.mock(ServiceIdentityProvider.class); - Mockito.when(siaProvider.getIdentity(any(), + when(siaProvider.getIdentity(any(), any())).thenReturn(principal); ZTSClient client = new ZTSClient("http://localhost:4080/", "user_domain", 
@@ -4083,7 +4082,7 @@ public void testPostExternalCredentialsRequest() throws IOException, URISyntaxEx .setClientId("athenz.api") .setExpiryTime(3600); ExternalCredentialsResponse response = new ExternalCredentialsResponse(); - Mockito.when(c.postExternalCredentialsRequest(anyString(), anyString(), any())) + when(c.postExternalCredentialsRequest(anyString(), anyString(), any())) .thenReturn(response) .thenThrow(new ZTSClientException(401, "fail")) .thenThrow(new IllegalArgumentException("other-error")); 
@@ -4222,4 +4221,35 @@ public void testGetExceptionCode() {
 client.close();
 }
 
+
+ @Test
+ public void testZTSClientSslContext() {
+ System.setProperty(ZTSClient.ZTS_CLIENT_PROP_KEY_MANAGER_PWD_KEYGROUP_NAME, "athenz");
+ System.setProperty(ZTSClient.ZTS_CLIENT_PROP_KEYSTORE_PWD_KEYGROUP_NAME, "athenz");
+ System.setProperty(ZTSClient.ZTS_CLIENT_PROP_TRUSTSTORE_PWD_KEYGROUP_NAME, "athenz");
+ System.setProperty(ZTSClient.ZTS_CLIENT_PROP_KEYSTORE_PASSWORD, "changeit");
+ System.setProperty(ZTSClient.ZTS_CLIENT_PROP_KEY_MANAGER_PASSWORD, "changeit");
+ System.setProperty(ZTSClient.ZTS_CLIENT_PROP_KEYSTORE_PATH, "src/test/resources/unit.jks");
+ try (MockedStatic keyStoreMockedStatic = Mockito.mockStatic(KeyStore.class);
+ MockedStatic keyManagerFactoryMockedStatic = Mockito.mockStatic(KeyManagerFactory.class)) {
+ KeyStore ksMock = Mockito.mock(KeyStore.class);
+ when(KeyStore.getInstance(any())).thenReturn(ksMock);
+ KeyManager kmMock = Mockito.mock(KeyManager.class);
+ KeyManagerFactory kmf = Mockito.mock(KeyManagerFactory.class);
+ when(kmf.getInstance(any())).thenReturn(kmf);
+ when(kmf.getKeyManagers()).thenReturn(new KeyManager[]{kmMock});
+
+ ZTSClient client = new ZTSClient();
+ client.close();
+ } catch (KeyStoreException | NoSuchAlgorithmException ignored) {
+ fail();
+ } finally {
+ System.clearProperty(ZTSClient.ZTS_CLIENT_PROP_KEY_MANAGER_PWD_KEYGROUP_NAME);
+ System.clearProperty(ZTSClient.ZTS_CLIENT_PROP_KEYSTORE_PWD_KEYGROUP_NAME);
+ System.clearProperty(ZTSClient.ZTS_CLIENT_PROP_TRUSTSTORE_PWD_KEYGROUP_NAME);
+ System.clearProperty(ZTSClient.ZTS_CLIENT_PROP_KEYSTORE_PASSWORD);
+ System.clearProperty(ZTSClient.ZTS_CLIENT_PROP_KEY_MANAGER_PASSWORD);
+ System.clearProperty(ZTSClient.ZTS_CLIENT_PROP_KEYSTORE_PATH);
+ }
+ }
 }
diff --git a/clients/java/zts/src/test/resources/unit.cert.pem b/clients/java/zts/src/test/resources/unit.cert.pem
new file mode 100644
index 00000000000..13c892a9159
--- /dev/null
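Review bot: `testZTSClientSslContext` sets the three `*_PWD_KEYGROUP_NAME` properties but never asserts that they reach the private key store, so it still passes if `createSSLContext` drops them; verify through a mocked `PrivateKeyStore` (how `ZTSClient` obtains its store is not visible here) that `getSecret` receives `"athenz"` as its keygroup argument. The `catch (KeyStoreException | NoSuchAlgorithmException ignored) { fail(); }` discards the exception, so a regression reports nothing useful — declare the exceptions on the test method, or use `fail("ssl context setup failed", ignored)`. `kmf.getInstance(any())` calls a static method through an instance reference; stub it against the static mock instead, `keyManagerFactoryMockedStatic.when(() -> KeyManagerFactory.getInstance(any())).thenReturn(kmf);`. Since `KeyStore.getInstance` returns `ksMock`, the contents of `src/test/resources/unit.jks` are apparently never exercised by this test; if the new `unit.*` fixtures (which include a private key) are unused, drop them, otherwise say in a comment on the test what they are for.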
+++ b/clients/java/zts/src/test/resources/unit.cert.pem @@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE----- +MIIClDCCAhqgAwIBAgIULAkStVe95W+lNCWvAp9Yn/+uvQkwCgYIKoZIzj0EAwIw +TjELMAkGA1UEBhMCVVMxFDASBgNVBAoMC0FWIENvcnAgTExDMRQwEgYDVQQLDAtB +Vi1TZWN1cml0eTETMBEGA1UEAwwKQVYgUk9PVCBDQTAeFw0yNDA1MzAyMzQwMDZa +Fw0zNDA1MjgyMzQwMDZaMFAxCzAJBgNVBAYTAlVTMRQwEgYDVQQKDAtBViBDb3Jw +IExMQzEUMBIGA1UECwwLQVYtU2VjdXJpdHkxFTATBgNVBAMMDGF0aGVuei5sb2Nh +bDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABDwigkLhEofKoaCqhx9M3xGJGVuH +qJQLCb8IKucDURnfB35PlVvss7IiBw1Swiu8W5C0ljLyVFCxrNyGBlqRjsyjgdMw +gdAwCQYDVR0TBAIwADALBgNVHQ8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEG +CCsGAQUFBwMCMB8GA1UdIwQYMBaAFIGOvLHSa501Egx6dpFUibAmvgosMFcGA1Ud +EQRQME6CDGF0aGVuei5sb2NhbIIJbG9jYWxob3N0hwR/AAABhxAAAAAAAAAAAAAA +AAAAAAABhhtzcGlmZmU6Ly9hdGhlbnouaW8vc2EvbG9jYWwwHQYDVR0OBBYEFDiz +KF6ZjI8tCFDdd14P81mdbe2zMAoGCCqGSM49BAMCA2gAMGUCMGiLdKeXKfVDYo0j +Ns1J/kFg5rgfpjRMTIUdVlen/0CBiVGsuiiC8gHucS70XWTk9AIxAI0X4bbI9LF6 ++PUHVa+2ijcw8lnvn6nJ638LhMsPpslX4Sfkv9GKSGMI1v4IKXeUTQ== +-----END CERTIFICATE----- diff --git a/clients/java/zts/src/test/resources/unit.jks b/clients/java/zts/src/test/resources/unit.jks new file mode 100644 index 00000000000..64fee8848e0 Binary files /dev/null and b/clients/java/zts/src/test/resources/unit.jks differ diff --git a/clients/java/zts/src/test/resources/unit.key.pem b/clients/java/zts/src/test/resources/unit.key.pem new file mode 100644 index 00000000000..484e2d3cba4 --- /dev/null +++ b/clients/java/zts/src/test/resources/unit.key.pem @@ -0,0 +1,8 @@ +-----BEGIN EC PARAMETERS----- +BggqhkjOPQMBBw== +-----END EC PARAMETERS----- +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIE/VlPZw8q+/Hk3vPnSDruIE00/TLt9E1OU3Hp5ZVs0loAoGCCqGSM49 +AwEHoUQDQgAEPCKCQuESh8qhoKqHH0zfEYkZW4eolAsJvwgq5wNRGd8Hfk+VW+yz +siIHDVLCK7xbkLSWMvJUULGs3IYGWpGOzA== +-----END EC PRIVATE KEY----- 
diff --git a/clients/java/zts/src/test/resources/unit.p12 b/clients/java/zts/src/test/resources/unit.p12 new file mode 100644 index 00000000000..831ffd9e4b9 Binary files /dev/null and b/clients/java/zts/src/test/resources/unit.p12 differ diff --git a/containers/jetty/src/main/java/com/yahoo/athenz/container/AthenzConsts.java b/containers/jetty/src/main/java/com/yahoo/athenz/container/AthenzConsts.java index f282d899111..07031e1c6ea 100644 --- a/containers/jetty/src/main/java/com/yahoo/athenz/container/AthenzConsts.java +++ b/containers/jetty/src/main/java/com/yahoo/athenz/container/AthenzConsts.java @@ -93,8 +93,13 @@ public final class AthenzConsts { public static final String ATHENZ_PKEY_STORE_FACTORY_CLASS = "com.yahoo.athenz.auth.impl.FilePrivateKeyStoreFactory"; public static final String ATHENZ_PROP_KEYSTORE_PASSWORD_APPNAME = "athenz.ssl_key_store_password_appname"; + public static final String ATHENZ_PROP_KEYSTORE_PASSWORD_KEYGROUPNAME = "athenz.ssl_key_store_password_keygroupname"; + public static final String ATHENZ_PROP_KEYMANAGER_PASSWORD_APPNAME = "athenz.ssl_key_manager_password_appname"; + public static final String ATHENZ_PROP_KEYMANAGER_PASSWORD_KEYGROUPNAME = "athenz.ssl_key_manager_password_keygroupname"; + public static final String ATHENZ_PROP_TRUSTSTORE_PASSWORD_APPNAME = "athenz.ssl_trust_store_password_appname"; + public static final String ATHENZ_PROP_TRUSTSTORE_PASSWORD_KEYGROUPNAME = "athenz.ssl_trust_store_password_keygroupname"; public static final String ATHENZ_PROP_GRACEFUL_SHUTDOWN = "athenz.graceful_shutdown"; public static final String ATHENZ_PROP_GRACEFUL_SHUTDOWN_TIMEOUT = "athenz.graceful_shutdown_timeout"; diff --git a/containers/jetty/src/main/java/com/yahoo/athenz/container/AthenzJettyContainer.java b/containers/jetty/src/main/java/com/yahoo/athenz/container/AthenzJettyContainer.java index 1c9ea46af05..c69372ce038 100644 --- a/containers/jetty/src/main/java/com/yahoo/athenz/container/AthenzJettyContainer.java 
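Review bot: In the `AthenzConsts` hunk, `ATHENZ_PROP_KEYMANAGER_PASSWORD_APPNAME` and `ATHENZ_PROP_TRUSTSTORE_PASSWORD_APPNAME` are added as new constants, yet the unchanged context lines of `AthenzJettyContainer.createSSLContextObject` in the next file already read `AthenzConsts.ATHENZ_PROP_KEYMANAGER_PASSWORD_APPNAME` and `AthenzConsts.ATHENZ_PROP_TRUSTSTORE_PASSWORD_APPNAME`. Either these duplicate definitions that already exist elsewhere in `AthenzConsts`, which would not compile, or the removal of the old definitions is not part of this diff; please confirm which and keep a single definition of each.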
+++ b/containers/jetty/src/main/java/com/yahoo/athenz/container/AthenzJettyContainer.java @@ -351,13 +351,16 @@ SslContextFactory.Server createSSLContextObject(boolean needClientAuth) { final String keyStorePath = System.getProperty(AthenzConsts.ATHENZ_PROP_KEYSTORE_PATH); final String keyStorePasswordAppName = System.getProperty(AthenzConsts.ATHENZ_PROP_KEYSTORE_PASSWORD_APPNAME); + final String keyStorePasswordKeygroupName = System.getProperty(AthenzConsts.ATHENZ_PROP_KEYSTORE_PASSWORD_KEYGROUPNAME); final String keyStorePassword = System.getProperty(AthenzConsts.ATHENZ_PROP_KEYSTORE_PASSWORD); final String keyStoreType = System.getProperty(AthenzConsts.ATHENZ_PROP_KEYSTORE_TYPE, "PKCS12"); final String keyManagerPassword = System.getProperty(AthenzConsts.ATHENZ_PROP_KEYMANAGER_PASSWORD); final String keyManagerPasswordAppName = System.getProperty(AthenzConsts.ATHENZ_PROP_KEYMANAGER_PASSWORD_APPNAME); + final String keyManagerPasswordKeygroupName = System.getProperty(AthenzConsts.ATHENZ_PROP_KEYMANAGER_PASSWORD_KEYGROUPNAME); final String trustStorePath = System.getProperty(AthenzConsts.ATHENZ_PROP_TRUSTSTORE_PATH); final String trustStorePassword = System.getProperty(AthenzConsts.ATHENZ_PROP_TRUSTSTORE_PASSWORD); final String trustStorePasswordAppName = System.getProperty(AthenzConsts.ATHENZ_PROP_TRUSTSTORE_PASSWORD_APPNAME); + final String trustStorePasswordKeygroupName = System.getProperty(AthenzConsts.ATHENZ_PROP_TRUSTSTORE_PASSWORD_KEYGROUPNAME); final String trustStoreType = System.getProperty(AthenzConsts.ATHENZ_PROP_TRUSTSTORE_TYPE, "PKCS12"); final String includedCipherSuites = System.getProperty(AthenzConsts.ATHENZ_PROP_INCLUDED_CIPHER_SUITES); final String excludedCipherSuites = System.getProperty(AthenzConsts.ATHENZ_PROP_EXCLUDED_CIPHER_SUITES); 
@@ -373,19 +376,19 @@ SslContextFactory.Server createSSLContextObject(boolean needClientAuth) { } if (!StringUtil.isEmpty(keyStorePassword)) { //default implementation should just return the same - sslContextFactory.setKeyStorePassword(String.valueOf(this.privateKeyStore.getSecret(keyStorePasswordAppName, null, keyStorePassword))); + sslContextFactory.setKeyStorePassword(String.valueOf(this.privateKeyStore.getSecret(keyStorePasswordAppName, keyStorePasswordKeygroupName, keyStorePassword))); } sslContextFactory.setKeyStoreType(keyStoreType); if (!StringUtil.isEmpty(keyManagerPassword)) { - sslContextFactory.setKeyManagerPassword(String.valueOf(this.privateKeyStore.getSecret(keyManagerPasswordAppName, null, keyManagerPassword))); + sslContextFactory.setKeyManagerPassword(String.valueOf(this.privateKeyStore.getSecret(keyManagerPasswordAppName, keyManagerPasswordKeygroupName, keyManagerPassword))); } if (!StringUtil.isEmpty(trustStorePath)) { LOG.info("Using SSL TrustStore path: {}", trustStorePath); sslContextFactory.setTrustStorePath(trustStorePath); } if (!StringUtil.isEmpty(trustStorePassword)) { - sslContextFactory.setTrustStorePassword(String.valueOf(this.privateKeyStore.getSecret(trustStorePasswordAppName, null, trustStorePassword))); + sslContextFactory.setTrustStorePassword(String.valueOf(this.privateKeyStore.getSecret(trustStorePasswordAppName, trustStorePasswordKeygroupName, trustStorePassword))); } sslContextFactory.setTrustStoreType(trustStoreType); diff --git a/libs/java/client_common/src/main/java/com/yahoo/athenz/common/utils/SSLUtils.java b/libs/java/client_common/src/main/java/com/yahoo/athenz/common/utils/SSLUtils.java index b1944495c27..abb0de680e7 100644 --- a/libs/java/client_common/src/main/java/com/yahoo/athenz/common/utils/SSLUtils.java +++ b/libs/java/client_common/src/main/java/com/yahoo/athenz/common/utils/SSLUtils.java 
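Review bot: The three modified lines each repeat `String.valueOf(this.privateKeyStore.getSecret(<appName>, <keygroupName>, <password>))` and have grown long enough to be hard to scan; a small helper removes the triplication, e.g. `private String resolveSecret(String appName, String keygroupName, String value) { return String.valueOf(this.privateKeyStore.getSecret(appName, keygroupName, value)); }` with call sites such as `sslContextFactory.setKeyStorePassword(resolveSecret(keyStorePasswordAppName, keyStorePasswordKeygroupName, keyStorePassword));`. The comment `//default implementation should just return the same` above the first call is the only explanation of the lookup and currently covers only the key store case; move it onto the helper's Javadoc so it applies to all three. `createSSLContextObject` continues outside the hunk.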
@@ -39,6 +39,9 @@ public static class ClientSSLContextBuilder {
 private String keyManagerPasswordAppName;
 private String trustStorePasswordAppName;
 private String certAlias;
+ private String keyStorePasswordKeygroupName;
+ private String keyManagerPasswordKeygroupName;
+ private String trustStorePasswordKeygroupName;
 
 public ClientSSLContextBuilder(final String sslProtocol) {
 this.sslProtocol = sslProtocol;
@@ -103,6 +106,21 @@ public ClientSSLContextBuilder certAlias(final String certAlias) {
 this.certAlias = certAlias;
 return this;
 }
+
+ public ClientSSLContextBuilder keyStorePasswordKeygroupName(final String keyStorePasswordKeygroupName) {
+ this.keyStorePasswordKeygroupName = keyStorePasswordKeygroupName;
+ return this;
+ }
+
+ public ClientSSLContextBuilder keyManagerPasswordKeygroupName(final String keyManagerPasswordKeygroupName) {
+ this.keyManagerPasswordKeygroupName = keyManagerPasswordKeygroupName;
+ return this;
+ }
+
+ public ClientSSLContextBuilder trustStorePasswordKeygroupName(final String trustStorePasswordKeygroupName) {
+ this.trustStorePasswordKeygroupName = trustStorePasswordKeygroupName;
+ return this;
+ }
 
 public SSLContext build() {
 SSLContext context;
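Review bot: The three new builder setters in the second hunk carry no Javadoc, so a caller cannot tell what a keygroup name is or that leaving it unset keeps the previous lookup, which passed `null` as the second argument of `PrivateKeyStore.getSecret`. Add a one-line comment to each, e.g. `/** Optional keygroup name forwarded as the second argument of PrivateKeyStore.getSecret when the key store password is resolved; null keeps the previous behaviour. */`. The new fields are also declared after `certAlias` rather than beside the `…PasswordAppName` fields they pair with; grouping each keygroup field next to its app-name counterpart makes the pairing visible.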
@@ -120,18 +138,15 @@ public SSLContext build() {
 try {
 if (keyStorePath != null) {
 LOGGER.info("createSSLContextObject: using SSL KeyStore path: {}", keyStorePath);
- keyStore = loadStore(keyStorePath, keyStoreType, getPassword(keyStorePassword, privateKeyStore, keyStorePasswordAppName));
+ keyStore = loadStore(keyStorePath, keyStoreType, getPassword(keyStorePassword, privateKeyStore, keyStorePasswordAppName, keyStorePasswordKeygroupName));
 kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
- if (keyManagerPassword == null) {
- throw new IllegalArgumentException("Missing key manager password for the key store: " + keyStorePath);
- }
- keyManagerPassword = getPassword(keyManagerPassword, privateKeyStore, keyManagerPasswordAppName);
+ keyManagerPassword = getPassword(keyManagerPassword, privateKeyStore, keyManagerPasswordAppName, keyManagerPasswordKeygroupName);
 kmf.init(keyStore, keyStorePassword);
 keyManagers = getAliasedKeyManagers(kmf.getKeyManagers(), certAlias);
 }
 if (trustStorePath != null) {
 LOGGER.info("createSSLContextObject: using SSL TrustStore path: {}", trustStorePath);
- trustStore = loadStore(trustStorePath, trustStoreType, getPassword(trustStorePassword, privateKeyStore, trustStorePasswordAppName));
+ trustStore = loadStore(trustStorePath, trustStoreType, getPassword(trustStorePassword, privateKeyStore, trustStorePasswordAppName, trustStorePasswordKeygroupName));
 tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
 tmf.init(trustStore);
 trustManagers = tmf.getTrustManagers();
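Review bot: Dropping the `if (keyManagerPassword == null) { throw new IllegalArgumentException("Missing key manager password for the key store: " + keyStorePath); }` guard changes the builder's contract without the commit saying so: a null key manager password is now accepted, `getPassword` hands it back unchanged, and because the context line `kmf.init(keyStore, keyStorePassword)` uses the key store password, the `keyManagerPassword` assigned on the new line is never read as far as this hunk shows. Either keep the guard, or make the value matter — pass it to `kmf.init` (the key-entry password is what `KeyManagerFactory.init` expects) or remove the dead assignment — and state the relaxed requirement in the commit message. Related: `loadStore` receives the `getPassword(...)`-resolved key store password while `kmf.init` receives the raw `keyStorePassword`; when a `PrivateKeyStore` maps the configured value to a different secret the two disagree, so bind it once with `char[] resolvedKeyStorePassword = getPassword(keyStorePassword, privateKeyStore, keyStorePasswordAppName, keyStorePasswordKeygroupName);` and use that in both calls. `build()` continues outside the hunk.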
@@ -146,10 +161,10 @@ public SSLContext build() {
 return context;
 }
 
- private static char[] getPassword(char[] password, final PrivateKeyStore privateKeyStore, String appName) {
+ private static char[] getPassword(char[] password, final PrivateKeyStore privateKeyStore, String appName, String keygroupName) {
 if (password != null) {
 if (null != privateKeyStore) {
- password = privateKeyStore.getSecret(appName, null, String.valueOf(password));
+ password = privateKeyStore.getSecret(appName, keygroupName, String.valueOf(password));
 }
 }
 return password;
diff --git a/libs/java/client_common/src/test/java/com/yahoo/athenz/common/utils/SSLUtilsTest.java b/libs/java/client_common/src/test/java/com/yahoo/athenz/common/utils/SSLUtilsTest.java
index 3cb49c7a8c5..546a67a4d45 100644
--- a/libs/java/client_common/src/test/java/com/yahoo/athenz/common/utils/SSLUtilsTest.java
+++ b/libs/java/client_common/src/test/java/com/yahoo/athenz/common/utils/SSLUtilsTest.java
@@ -75,6 +75,9 @@ public class SSLUtilsTest {
 private static final String KEY_MANAGER_PASSWORD_APP_NAME = "testKeyManager";
 private static final String TRUSTSTORE_PASSWORD_APP_NAME = "testTruststorePassword";
 private static final String TRUSTSTORE_PATH = "src/test/resources/testKeyStore.pkcs12";
+ private static final String KEYSTORE_PASSWORD_KEYGROUP_NAME = "testKeystorePasswordKG";
+ private static final String KEY_MANAGER_PASSWORD_KEYGROUP_NAME = "testKeyManagerKG";
+ private static final String TRUSTSTORE_PASSWORD_KEYGROUP_NAME = "testTruststorePasswordKG";
 
 @Test
 public void testEmptyConstructor() {
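Review bot: `getPassword` now takes four parameters and still has no comment stating its contract, which the hunk makes fully visible: a null `password` short-circuits and comes back null, a null `privateKeyStore` returns the input unchanged, and `keygroupName` is passed straight through to `getSecret`, so a null keygroup reproduces the lookup the old code did with the literal `null`. Add a Javadoc along the lines of `/** Resolves a configured password through the PrivateKeyStore when one is set; appName and keygroupName select the secret, and a null keygroupName keeps the pre-keygroup lookup. Returns password unchanged when it or the store is null. */`. The `String.valueOf(password)` on the modified line means the secret also exists as an immutable String for the duration of the lookup; that predates this change, but a why-comment there would stop the next reader from "fixing" the `char[]` signature.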
@@ -94,6 +97,9 @@ public void testClientSSLContextBuilder() { .keyStorePasswordAppName(KEYSTORE_PASSWORD_APP_NAME) .keyManagerPasswordAppName(KEY_MANAGER_PASSWORD_APP_NAME) .trustStorePasswordAppName(TRUSTSTORE_PASSWORD_APP_NAME) + .keyStorePasswordKeygroupName(KEYSTORE_PASSWORD_KEYGROUP_NAME) + .keyManagerPasswordKeygroupName(KEY_MANAGER_PASSWORD_KEYGROUP_NAME) + .trustStorePasswordKeygroupName(TRUSTSTORE_PASSWORD_KEYGROUP_NAME) .privateKeyStore(new FilePrivateKeyStore()) .certAlias("test") .build(); @@ -112,6 +118,9 @@ public void testClientSSLContextBuilder() { .keyStorePasswordAppName(KEYSTORE_PASSWORD_APP_NAME) .keyManagerPasswordAppName(KEY_MANAGER_PASSWORD_APP_NAME) .trustStorePasswordAppName(TRUSTSTORE_PASSWORD_APP_NAME) + .keyStorePasswordKeygroupName(KEYSTORE_PASSWORD_KEYGROUP_NAME) + .keyManagerPasswordKeygroupName(KEY_MANAGER_PASSWORD_KEYGROUP_NAME) + .trustStorePasswordKeygroupName(TRUSTSTORE_PASSWORD_KEYGROUP_NAME) .privateKeyStore(new FilePrivateKeyStore()) .build()); @@ -125,6 +134,9 @@ public void testClientSSLContextBuilder() { .keyStorePasswordAppName(KEYSTORE_PASSWORD_APP_NAME) .keyManagerPasswordAppName(KEY_MANAGER_PASSWORD_APP_NAME) .trustStorePasswordAppName(TRUSTSTORE_PASSWORD_APP_NAME) + .keyStorePasswordKeygroupName(KEYSTORE_PASSWORD_KEYGROUP_NAME) + .keyManagerPasswordKeygroupName(KEY_MANAGER_PASSWORD_KEYGROUP_NAME) + .trustStorePasswordKeygroupName(TRUSTSTORE_PASSWORD_KEYGROUP_NAME) .trustStorePassword(null) .trustStorePath(TRUSTSTORE_PATH) .privateKeyStore(new FilePrivateKeyStore()) 
@@ -139,6 +151,9 @@ public void testClientSSLContextBuilder() {
 .keyStorePasswordAppName(KEYSTORE_PASSWORD_APP_NAME)
 .keyManagerPasswordAppName(KEY_MANAGER_PASSWORD_APP_NAME)
 .trustStorePasswordAppName(TRUSTSTORE_PASSWORD_APP_NAME)
+ .keyStorePasswordKeygroupName(KEYSTORE_PASSWORD_KEYGROUP_NAME)
+ .keyManagerPasswordKeygroupName(KEY_MANAGER_PASSWORD_KEYGROUP_NAME)
+ .trustStorePasswordKeygroupName(TRUSTSTORE_PASSWORD_KEYGROUP_NAME)
 .trustStorePassword(null)
 .trustStorePath(TRUSTSTORE_PATH)
 .privateKeyStore(new FilePrivateKeyStore())
diff --git a/libs/java/dynamodb_client_factory/src/main/java/com/yahoo/athenz/db/dynamodb/DynamoDBClientFetcherImpl.java b/libs/java/dynamodb_client_factory/src/main/java/com/yahoo/athenz/db/dynamodb/DynamoDBClientFetcherImpl.java
index 6ea111028a7..cf959e683f0 100644
--- a/libs/java/dynamodb_client_factory/src/main/java/com/yahoo/athenz/db/dynamodb/DynamoDBClientFetcherImpl.java
+++ b/libs/java/dynamodb_client_factory/src/main/java/com/yahoo/athenz/db/dynamodb/DynamoDBClientFetcherImpl.java
@@ -63,8 +63,9 @@ public DynamoDBClientAndCredentials getDynamoDBClient(ZTSClientNotificationSende
 String maxExpiryTimeStr = System.getProperty("athenz.zts.dynamodb_max_expiry_time", "");
 Integer minExpiryTime = minExpiryTimeStr.isEmpty() ? null : Integer.parseInt(minExpiryTimeStr);
 Integer maxExpiryTime = maxExpiryTimeStr.isEmpty() ? null : Integer.parseInt(maxExpiryTimeStr);
+ String keygroupName = System.getProperty("athenz.zts.dynamodb_trust_store_keygroup_name", "");
- DynamoDBClientSettings dynamoDBClientSettings = new DynamoDBClientSettings(certPath, domainName, roleName, trustStore, trustStorePassword, ztsURL, region, keyPath, appName, keyStore, externalId, minExpiryTime, maxExpiryTime);
+ DynamoDBClientSettings dynamoDBClientSettings = new DynamoDBClientSettings(certPath, domainName, roleName, trustStore, trustStorePassword, ztsURL, region, keyPath, appName, keyStore, externalId, minExpiryTime, maxExpiryTime, keygroupName);
 return getDynamoDBClient(ztsClientNotificationSender, dynamoDBClientSettings);
 }
diff --git a/libs/java/dynamodb_client_factory/src/main/java/com/yahoo/athenz/db/dynamodb/DynamoDBClientSettings.java b/libs/java/dynamodb_client_factory/src/main/java/com/yahoo/athenz/db/dynamodb/DynamoDBClientSettings.java
index a8acfa27f8e..fea4fc41841 100644
--- a/libs/java/dynamodb_client_factory/src/main/java/com/yahoo/athenz/db/dynamodb/DynamoDBClientSettings.java
+++ b/libs/java/dynamodb_client_factory/src/main/java/com/yahoo/athenz/db/dynamodb/DynamoDBClientSettings.java
@@ -34,6 +34,7 @@ public class DynamoDBClientSettings {
 private final String externalId;
 private final Integer minExpiryTime;
 private final Integer maxExpiryTime;
+ private final String keygroupName;
 public DynamoDBClientSettings(String certPath,
 String domainName,
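Review bot: When the keygroup property is unset, the new line hands `""` to DynamoDBClientSettings and from there to `keyStore.getSecret`, where the removed call passed `null`; the same null-to-empty shift appears in ServiceProviderClient, JDBCObjectStoreFactory, JDBCCertRecordStoreFactory, JDBCSSHRecordStoreFactory and ZTSDynamoDBClientSettingsFactory, while ZMSFileChangeLogStoreFactory and the SSLUtils builder path still pass `null` for the unset case. Whether every PrivateKeyStore implementation treats `null` and `""` alike is not visible here, but the JDBCObjectStoreFactoryTest stubs had to change from `null` to `""` to keep matching, so the difference is observable at the interface. One convention for the unset case would make behaviour independent of which factory performed the lookup, e.g. reading without a default everywhere: `String keygroupName = System.getProperty("athenz.zts.dynamodb_trust_store_keygroup_name");`. The body of getDynamoDBClient starts outside the hunk.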
@@ -47,7 +48,8 @@ public DynamoDBClientSettings(String certPath,
 PrivateKeyStore keyStore,
 String externalId,
 Integer minExpiryTime,
- Integer maxExpiryTime) {
+ Integer maxExpiryTime,
+ String keygroupName) {
 this.certPath = certPath;
 this.domainName = domainName;
 this.roleName = roleName;
@@ -61,6 +63,7 @@ public DynamoDBClientSettings(String certPath,
 this.externalId = externalId;
 this.minExpiryTime = minExpiryTime;
 this.maxExpiryTime = maxExpiryTime;
+ this.keygroupName = keygroupName;
 }
 public boolean areCredentialsProvided() {
@@ -125,6 +128,6 @@ char[] getTrustStorePasswordChars() {
 return null;
 }
- return keyStore.getSecret(appName, null, trustStorePassword);
+ return keyStore.getSecret(appName, keygroupName, trustStorePassword);
 }
 }
diff --git a/libs/java/dynamodb_client_factory/src/test/java/com/yahoo/athenz/db/dynamodb/DynamoDBClientFetcherImplTest.java b/libs/java/dynamodb_client_factory/src/test/java/com/yahoo/athenz/db/dynamodb/DynamoDBClientFetcherImplTest.java
index 709950c8b7a..26ec7b0a899 100644
--- a/libs/java/dynamodb_client_factory/src/test/java/com/yahoo/athenz/db/dynamodb/DynamoDBClientFetcherImplTest.java
+++ b/libs/java/dynamodb_client_factory/src/test/java/com/yahoo/athenz/db/dynamodb/DynamoDBClientFetcherImplTest.java
@@ -50,7 +50,7 @@ public void testGetClientWitSpecifiedRegion() {
 ZTSClientNotificationSender ztsClientNotificationSender = Mockito.mock(ZTSClientNotificationSender.class);
 AmazonDynamoDB dynamoDBClient = dynamoDBClientFetcher.getDynamoDBClient(ztsClientNotificationSender, keyStore).getAmazonDynamoDB();
 assertNotNull(dynamoDBClient);
- DynamoDBClientSettings dynamoDBClientSettings = new DynamoDBClientSettings(null, null, null, null, null, null, "test.region", null, null, keyStore, null, null, null);
+ DynamoDBClientSettings dynamoDBClientSettings = new DynamoDBClientSettings(null, null, null, null, null, null, "test.region", null, null, keyStore, null, null, null, null);
 dynamoDBClient = dynamoDBClientFetcher.getDynamoDBClient(ztsClientNotificationSender, dynamoDBClientSettings).getAmazonDynamoDB();
 assertNotNull(dynamoDBClient);
 System.clearProperty(ZTS_PROP_DYNAMODB_REGION);
@@ -63,7 +63,7 @@ public void testGetClientWithDefaultRegion() {
 ZTSClientNotificationSender ztsClientNotificationSender = Mockito.mock(ZTSClientNotificationSender.class);
 AmazonDynamoDB dynamoDBClient = dynamoDBClientFetcher.getDynamoDBClient(ztsClientNotificationSender, keyStore).getAmazonDynamoDB();
 assertNotNull(dynamoDBClient);
- DynamoDBClientSettings dynamoDBClientSettings = new DynamoDBClientSettings(null, null, null, null, null, null, "testRegion", null, null, keyStore, null, null, null);
+ DynamoDBClientSettings dynamoDBClientSettings = new DynamoDBClientSettings(null, null, null, null, null, null, "testRegion", null, null, keyStore, null, null, null, null);
 dynamoDBClient = dynamoDBClientFetcher.getDynamoDBClient(ztsClientNotificationSender, dynamoDBClientSettings).getAmazonDynamoDB();
 assertNotNull(dynamoDBClient);
 }
@@ -95,7 +95,7 @@ public void testGetAuthenticatedClient() {
 dynamoDBClient = dynamoDBClientFetcher.getDynamoDBClient(ztsClientNotificationSender, keyStore).getAmazonDynamoDB();
 assertNotNull(dynamoDBClient);
- DynamoDBClientSettings dynamoDBClientSettings = new DynamoDBClientSettings(certPath, "test.domain", "test.role", "test.truststore", "test.truststore.password", "https://dev.zts.athenzcompany.com:4443/zts/v1", "test.region", keyPath, null, keyStore, null, null, null);
+ DynamoDBClientSettings dynamoDBClientSettings = new DynamoDBClientSettings(certPath, "test.domain", "test.role", "test.truststore", "test.truststore.password", "https://dev.zts.athenzcompany.com:4443/zts/v1", "test.region", keyPath, null, keyStore, null, null, null, null);
 dynamoDBClient = dynamoDBClientFetcher.getDynamoDBClient(ztsClientNotificationSender, dynamoDBClientSettings).getAmazonDynamoDB();
 assertNotNull(dynamoDBClient);
diff --git a/libs/java/dynamodb_client_factory/src/test/java/com/yahoo/athenz/db/dynamodb/DynamoDBClientSettingsTest.java b/libs/java/dynamodb_client_factory/src/test/java/com/yahoo/athenz/db/dynamodb/DynamoDBClientSettingsTest.java
index 196cf0ebf75..2891f392557 100644
--- a/libs/java/dynamodb_client_factory/src/test/java/com/yahoo/athenz/db/dynamodb/DynamoDBClientSettingsTest.java
+++ b/libs/java/dynamodb_client_factory/src/test/java/com/yahoo/athenz/db/dynamodb/DynamoDBClientSettingsTest.java
@@ -42,6 +42,7 @@ public void credentialsNotProvided() {
 keyStore,
 null,
 null,
+ null,
 null);
 assertFalse(dynamoDBClientSettings.areCredentialsProvided());
@@ -63,7 +64,7 @@ public void testCredentialsProvided() {
 when(keyStore.getSecret(Mockito.eq("test.appname"), Mockito.eq(null), Mockito.eq("test.truststore.password")))
 .thenReturn("decryptedPassword".toCharArray());
- DynamoDBClientSettings dynamoDBClientSettings = new DynamoDBClientSettings(certPath, domain, role, trustStore, trustStorePassword, ztsUrl, region, keyPath, appName, keyStore, null, null, null);
+ DynamoDBClientSettings dynamoDBClientSettings = new DynamoDBClientSettings(certPath, domain, role, trustStore, trustStorePassword, ztsUrl, region, keyPath, appName, keyStore, null, null, null, null);
 assertTrue(dynamoDBClientSettings.areCredentialsProvided());
 assertEquals("test.keypath", dynamoDBClientSettings.getKeyPath());
@@ -76,7 +77,7 @@ public void testCredentialsProvided() {
 assertEquals("test.ztsurl", dynamoDBClientSettings.getZtsURL());
 // Now verify that when keyStore isn't provided, trustStorePassword will be null
- dynamoDBClientSettings = new DynamoDBClientSettings(certPath, domain, role, trustStore, trustStorePassword, ztsUrl, region, keyPath, appName, null, null, null, null);
+ dynamoDBClientSettings = new DynamoDBClientSettings(certPath, domain, role, trustStore, trustStorePassword, ztsUrl, region, keyPath, appName, null, null, null, null, null);
 assertNull(dynamoDBClientSettings.getTrustStorePasswordChars());
 }
 }
\ No newline at end of file
diff --git a/libs/java/server_common/src/main/java/com/yahoo/athenz/common/server/store/impl/ZMSFileChangeLogStoreFactory.java b/libs/java/server_common/src/main/java/com/yahoo/athenz/common/server/store/impl/ZMSFileChangeLogStoreFactory.java
index ded2a7cb12b..e251974440b 100644
--- a/libs/java/server_common/src/main/java/com/yahoo/athenz/common/server/store/impl/ZMSFileChangeLogStoreFactory.java
+++ b/libs/java/server_common/src/main/java/com/yahoo/athenz/common/server/store/impl/ZMSFileChangeLogStoreFactory.java
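Review bot: The new constructor argument is only ever passed as `null` in this test, and the stub on `keyStore.getSecret` still matches `Mockito.eq(null)` for the keygroup slot, so nothing verifies that `getTrustStorePasswordChars` actually forwards a configured keygroup name. A second case that builds the settings with a constructed value such as `"test.keygroup"` in the last position and stubs `when(keyStore.getSecret(Mockito.eq("test.appname"), Mockito.eq("test.keygroup"), Mockito.eq("test.truststore.password")))` would pin the forwarding, and a stricter variant could assert the `null`-keygroup stub is no longer hit. The same gap exists in JDBCObjectStoreFactoryTest, which only covers the `""` default and never sets `ZMSConsts.ZMS_PROP_JDBC_KEYGROUP_NAME`, and in SSLUtilsTest, which sets the three keygroup names on the builder but asserts nothing about them.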
@@ -38,9 +38,10 @@ public class ZMSFileChangeLogStoreFactory implements ChangeLogStoreFactory {
 // truststore path and password settings
- private static final String ZTS_SERVER_PROP_TRUSTORE_PATH = "athenz.common.server.clog.zts_server_trust_store_path";
- private static final String ZTS_SERVER_PROP_TRUSTORE_PWD_NAME = "athenz.common.server.clog.zts_server_trust_store_password_name";
- private static final String ZTS_SERVER_PROP_TRUSTORE_PWD_APP = "athenz.common.server.clog.zts_server_trust_store_password_app";
+ private static final String ZTS_SERVER_PROP_TRUSTORE_PATH = "athenz.common.server.clog.zts_server_trust_store_path";
+ private static final String ZTS_SERVER_PROP_TRUSTORE_PWD_NAME = "athenz.common.server.clog.zts_server_trust_store_password_name";
+ private static final String ZTS_SERVER_PROP_TRUSTORE_PWD_APP = "athenz.common.server.clog.zts_server_trust_store_password_app";
+ private static final String ZTS_SERVER_PROP_TRUSTORE_PWD_KEYGROUP = "athenz.common.server.clog.zts_server_trust_store_password_keygroup";
 // default truststore password used by the jdk, added as a char array directly to not have the string literal available.
 private static final char[] DEFAULT_JDK_TRUSTSTORE_PWD = new char[] {'c', 'h', 'a', 'n', 'g', 'e', 'i', 't'};
@@ -86,8 +87,9 @@ ChangeLogStore mtlsClientChangeLogStore(final String rootDirectory) {
 final String trustStorePwdName = System.getProperty(ZTS_SERVER_PROP_TRUSTORE_PWD_NAME, "");
 if (!trustStorePwdName.isEmpty()) {
 final String trustStorePwdApp = System.getProperty(ZTS_SERVER_PROP_TRUSTORE_PWD_APP);
+ final String trustStorePwdKeygroup = System.getProperty(ZTS_SERVER_PROP_TRUSTORE_PWD_KEYGROUP);
 trustStorePassword = (privateKeyStore == null) ? trustStorePwdName.toCharArray() :
- privateKeyStore.getSecret(trustStorePwdApp, null, trustStorePwdName);
+ privateKeyStore.getSecret(trustStorePwdApp, trustStorePwdKeygroup, trustStorePwdName);
 }
 // catch any exceptions thrown from the change log store and instead
diff --git a/servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSConsts.java b/servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSConsts.java
index d868ae09346..5f144fb9575 100644
--- a/servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSConsts.java
+++ b/servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSConsts.java
@@ -53,6 +53,7 @@ public final class ZMSConsts {
 public static final String ZMS_PROP_JDBC_RO_USER = "athenz.zms.jdbc_ro_user";
 public static final String ZMS_PROP_JDBC_RO_PASSWORD = "athenz.zms.jdbc_ro_password";
 public static final String ZMS_PROP_JDBC_APP_NAME = "athenz.zms.jdbc_app_name";
+ public static final String ZMS_PROP_JDBC_KEYGROUP_NAME = "athenz.zms.jdbc_keygroup_name";
 public static final String ZMS_PROP_JDBC_VERIFY_SERVER_CERT = "athenz.zms.jdbc_verify_server_certificate";
 public static final String ZMS_PROP_JDBC_USE_SSL = "athenz.zms.jdbc_use_ssl";
 public static final String ZMS_PROP_JDBC_TLS_VERSIONS = "athenz.zms.jdbc_tls_versions";
@@ -390,6 +391,7 @@ public final class ZMSConsts {
 public static final String ZMS_PROP_PROVIDER_TRUST_STORE = "athenz.zms.provider.client.truststore";
 public static final String ZMS_PROP_PROVIDER_TRUST_STORE_PASSWORD = "athenz.zms.provider.client.truststore_password";
 public static final String ZMS_PROP_PROVIDER_APP_NAME = "athenz.zms.provider.client.app_name";
+ public static final String ZMS_PROP_PROVIDER_KEYGROUP_NAME = "athenz.zms.provider.client.keygroup_name";
 public static final String ZMS_PROP_PROVIDER_CERT_PATH = "athenz.zms.provider.client.cert_path";
 public static final String ZMS_PROP_PROVIDER_KEY_PATH = "athenz.zms.provider.client.key_path";
 public static final String ZMS_PROP_PROVIDER_MAX_POOL_ROUTE = "athenz.zms.provider.client.max_pool_route";
diff --git a/servers/zms/src/main/java/com/yahoo/athenz/zms/provider/ServiceProviderClient.java b/servers/zms/src/main/java/com/yahoo/athenz/zms/provider/ServiceProviderClient.java
index 1ee557fa444..cee722443b3 100644
--- a/servers/zms/src/main/java/com/yahoo/athenz/zms/provider/ServiceProviderClient.java
+++ b/servers/zms/src/main/java/com/yahoo/athenz/zms/provider/ServiceProviderClient.java
@@ -108,6 +108,7 @@ private SSLContext getDomainDependencyProviderSSLContext(PrivateKeyStore keyStor
 final String appName = System.getProperty(ZMSConsts.ZMS_PROP_PROVIDER_APP_NAME, "");
 final String certPath = System.getProperty(ZMSConsts.ZMS_PROP_PROVIDER_CERT_PATH, "");
 final String keyPath = System.getProperty(ZMSConsts.ZMS_PROP_PROVIDER_KEY_PATH, "");
+ final String keygroupName = System.getProperty(ZMSConsts.ZMS_PROP_PROVIDER_KEYGROUP_NAME, "");
 if (StringUtil.isEmpty(trustStore) || StringUtil.isEmpty(certPath) || StringUtil.isEmpty(keyPath) || StringUtil.isEmpty(trustStorePassword)) {
@@ -116,7 +117,7 @@ private SSLContext getDomainDependencyProviderSSLContext(PrivateKeyStore keyStor
 }
 KeyRefresher keyRefresher = Utils.generateKeyRefresher(
 trustStore,
- keyStore.getSecret(appName, null, trustStorePassword),
+ keyStore.getSecret(appName, keygroupName, trustStorePassword),
 certPath,
 keyPath);
 keyRefresher.startup();
diff --git a/servers/zms/src/main/java/com/yahoo/athenz/zms/store/impl/JDBCObjectStoreFactory.java b/servers/zms/src/main/java/com/yahoo/athenz/zms/store/impl/JDBCObjectStoreFactory.java
index 48a2dc5bd92..b217655234d 100644
--- a/servers/zms/src/main/java/com/yahoo/athenz/zms/store/impl/JDBCObjectStoreFactory.java
+++ b/servers/zms/src/main/java/com/yahoo/athenz/zms/store/impl/JDBCObjectStoreFactory.java
@@ -38,7 +38,8 @@ public ObjectStore create(PrivateKeyStore keyStore) {
 final String jdbcUser = System.getProperty(ZMSConsts.ZMS_PROP_JDBC_RW_USER);
 final String password = System.getProperty(ZMSConsts.ZMS_PROP_JDBC_RW_PASSWORD, "");
 final String jdbcAppName = System.getProperty(ZMSConsts.ZMS_PROP_JDBC_APP_NAME, JDBC_APP_NAME);
- Properties readWriteProperties = getProperties(jdbcUser, keyStore.getSecret(jdbcAppName, null, password));
+ final String jdbcKeygroupName = System.getProperty(ZMSConsts.ZMS_PROP_JDBC_KEYGROUP_NAME, "");
+ Properties readWriteProperties = getProperties(jdbcUser, keyStore.getSecret(jdbcAppName, jdbcKeygroupName, password));
 PoolableDataSource readWriteSrc = DataSourceFactory.create(jdbcStore, readWriteProperties);
 // now check to see if we also have a read-only jdbc store configured
@@ -50,7 +51,7 @@ public ObjectStore create(PrivateKeyStore keyStore) {
 if (jdbcReadOnlyStore != null && jdbcReadOnlyStore.startsWith(JDBC_APP_NAME)) {
 final String jdbcReadOnlyUser = getDefaultSetting(ZMSConsts.ZMS_PROP_JDBC_RO_USER, jdbcUser);
 final String readOnlyPassword = getDefaultSetting(ZMSConsts.ZMS_PROP_JDBC_RO_PASSWORD, password);
- Properties readOnlyProperties = getProperties(jdbcReadOnlyUser, keyStore.getSecret(jdbcAppName, null, readOnlyPassword));
+ Properties readOnlyProperties = getProperties(jdbcReadOnlyUser, keyStore.getSecret(jdbcAppName, jdbcKeygroupName, readOnlyPassword));
 readOnlySrc = DataSourceFactory.create(jdbcReadOnlyStore, readOnlyProperties);
 }
 return new JDBCObjectStore(readWriteSrc, readOnlySrc);
diff --git a/servers/zms/src/test/java/com/yahoo/athenz/zms/store/impl/JDBCObjectStoreFactoryTest.java b/servers/zms/src/test/java/com/yahoo/athenz/zms/store/impl/JDBCObjectStoreFactoryTest.java
index 7f514e96bda..77b903d802e 100644
--- a/servers/zms/src/test/java/com/yahoo/athenz/zms/store/impl/JDBCObjectStoreFactoryTest.java
+++ b/servers/zms/src/test/java/com/yahoo/athenz/zms/store/impl/JDBCObjectStoreFactoryTest.java
@@ -37,7 +37,7 @@ public void testCreateWriteOnly() {
 System.clearProperty(ZMSConsts.ZMS_PROP_JDBC_RO_PASSWORD);
 PrivateKeyStore keyStore = Mockito.mock(PrivateKeyStore.class);
- Mockito.doReturn("password".toCharArray()).when(keyStore).getSecret("jdbc", null, "password");
+ Mockito.doReturn("password".toCharArray()).when(keyStore).getSecret("jdbc", "", "password");
 JDBCObjectStoreFactory factory = new JDBCObjectStoreFactory();
 ObjectStore store = factory.create(keyStore);
@@ -57,10 +57,17 @@ public void testCreateReadWrite() {
 PrivateKeyStore keyStore = Mockito.mock(PrivateKeyStore.class);
 char[] passwordMock = new char[]{'p','a','s','s','w','o','r','d'};
- Mockito.doReturn(passwordMock).when(keyStore).getSecret("jdbc", null, "password");
+ Mockito.doReturn(passwordMock).when(keyStore).getSecret("jdbc", "", "password");
 JDBCObjectStoreFactory factory = new JDBCObjectStoreFactory();
 ObjectStore store = factory.create(keyStore);
 assertNotNull(store);
+
+ System.clearProperty(ZMSConsts.ZMS_PROP_JDBC_RW_STORE);
+ System.clearProperty(ZMSConsts.ZMS_PROP_JDBC_RW_USER);
+ System.clearProperty(ZMSConsts.ZMS_PROP_JDBC_RW_PASSWORD);
+ System.clearProperty(ZMSConsts.ZMS_PROP_JDBC_RO_STORE);
+ System.clearProperty(ZMSConsts.ZMS_PROP_JDBC_RO_USER);
+ System.clearProperty(ZMSConsts.ZMS_PROP_JDBC_RO_PASSWORD);
 }
 }
diff --git a/servers/zts/src/main/java/com/yahoo/athenz/zts/ZTSConsts.java b/servers/zts/src/main/java/com/yahoo/athenz/zts/ZTSConsts.java
index b5d9e0f0c71..f4d41978a6f 100644
--- a/servers/zts/src/main/java/com/yahoo/athenz/zts/ZTSConsts.java
+++ b/servers/zts/src/main/java/com/yahoo/athenz/zts/ZTSConsts.java
@@ -30,12 +30,16 @@ public final class ZTSConsts {
 public static final String ZTS_PROP_ROOT_DIR = "athenz.zts.root_dir";
 public static final String ZTS_PROP_HOSTNAME = "athenz.zts.hostname";
- public static final String ZTS_PROP_KEYSTORE_PASSWORD = "athenz.zts.ssl_key_store_password";
- public static final String ZTS_PROP_KEYSTORE_PASSWORD_APPNAME = "athenz.zts.ssl_key_store_password_appname";
- public static final String ZTS_PROP_KEYMANAGER_PASSWORD = "athenz.zts.ssl_key_manager_password";
- public static final String ZTS_PROP_KEYMANAGER_PASSWORD_APPNAME = "athenz.zts.ssl_key_manager_password_appname";
- public static final String ZTS_PROP_TRUSTSTORE_PASSWORD = "athenz.zts.ssl_trust_store_password";
- public static final String ZTS_PROP_TRUSTSTORE_PASSWORD_APPNAME = "athenz.zts.ssl_trust_store_password_appname";
+ public static final String ZTS_PROP_KEYSTORE_PASSWORD = "athenz.zts.ssl_key_store_password";
+ public static final String ZTS_PROP_KEYSTORE_PASSWORD_APPNAME = "athenz.zts.ssl_key_store_password_appname";
+ public static final String ZTS_PROP_KEYSTORE_PASSWORD_KEYGROUPNAME = "athenz.zts.ssl_key_store_password_keygroupname";
+ public static final String ZTS_PROP_KEYMANAGER_PASSWORD = "athenz.zts.ssl_key_manager_password";
+ public static final String ZTS_PROP_KEYMANAGER_PASSWORD_APPNAME = "athenz.zts.ssl_key_manager_password_appname";
+ public static final String ZTS_PROP_KEYMANAGER_PASSWORD_KEYGROUPNAME = "athenz.zts.ssl_key_manager_password_keygroupname";
+ public static final String ZTS_PROP_TRUSTSTORE_PASSWORD = "athenz.zts.ssl_trust_store_password";
+ public static final String ZTS_PROP_TRUSTSTORE_PASSWORD_APPNAME = "athenz.zts.ssl_trust_store_password_appname";
+ public static final String ZTS_PROP_TRUSTSTORE_PASSWORD_KEYGROUPNAME = "athenz.zts.ssl_trust_store_password_keygroupname";
+
 public static final String ZTS_PROP_KEYSTORE_PATH = "athenz.zts.ssl_key_store";
 public static final String ZTS_PROP_KEYSTORE_TYPE = "athenz.zts.ssl_key_store_type";
@@ -105,6 +109,7 @@ public final class ZTSConsts {
 public static final String ZTS_PROP_CERT_JDBC_USER = "athenz.zts.cert_jdbc_user";
 public static final String ZTS_PROP_CERT_JDBC_PASSWORD = "athenz.zts.cert_jdbc_password";
 public static final String ZTS_PROP_CERT_JDBC_APP_NAME = "athenz.zts.cert_jdbc_app_name";
+ public static final String ZTS_PROP_CERT_JDBC_KEYGROUP_NAME = "athenz.zts.cert_jdbc_keygroup_name";
 public static final String ZTS_PROP_CERT_JDBC_VERIFY_SERVER_CERT = "athenz.zts.cert_jdbc_verify_server_certificate";
 public static final String ZTS_PROP_CERT_JDBC_USE_SSL = "athenz.zts.cert_jdbc_use_ssl";
 public static final String ZTS_PROP_CERT_OP_TIMEOUT = "athenz.zts.cert_op_timeout";
@@ -118,23 +123,25 @@ public final class ZTSConsts {
 public static final String ZTS_PROP_CERT_DYNAMODB_RETRIES = "athenz.zts.cert_dynamodb_retries";
 public static final String ZTS_PROP_CERT_DYNAMODB_RETRIES_SLEEP_MILLIS = "athenz.zts.cert_dynamodb_retries_sleep_millis";
- public static final String ZTS_PROP_DYNAMODB_KEY_PATH = "athenz.zts.dynamodb_key_path";
- public static final String ZTS_PROP_DYNAMODB_CERT_PATH = "athenz.zts.dynamodb_cert_path";
- public static final String ZTS_PROP_DYNAMODB_DOMAIN = "athenz.zts.dynamodb_aws_domain";
- public static final String ZTS_PROP_DYNAMODB_ROLE = "athenz.zts.dynamodb_aws_role";
- public static final String ZTS_PROP_DYNAMODB_TRUSTSTORE = "athenz.zts.dynamodb_trust_store_path";
- public static final String ZTS_PROP_DYNAMODB_TRUSTSTORE_PASSWORD = "athenz.zts.dynamodb_trust_store_password";
- public static final String ZTS_PROP_DYNAMODB_TRUSTSTORE_APPNAME = "athenz.zts.dynamodb_trust_store_app_name";
- public static final String ZTS_PROP_DYNAMODB_REGION = "athenz.zts.dynamodb_region";
- public static final String ZTS_PROP_DYNAMODB_ZTS_URL = "athenz.zts.dynamodb_zts_url";
- public static final String ZTS_PROP_DYNAMODB_EXTERNAL_ID = "athenz.zts.dynamodb_external_id";
- public static final String ZTS_PROP_DYNAMODB_MIN_EXPIRY_TIME = "athenz.zts.dynamodb_min_expiry_time";
- public static final String ZTS_PROP_DYNAMODB_MAX_EXPIRY_TIME = "athenz.zts.dynamodb_max_expiry_time";
+ public static final String ZTS_PROP_DYNAMODB_KEY_PATH = "athenz.zts.dynamodb_key_path";
+ public static final String ZTS_PROP_DYNAMODB_CERT_PATH = "athenz.zts.dynamodb_cert_path";
+ public static final String ZTS_PROP_DYNAMODB_DOMAIN = "athenz.zts.dynamodb_aws_domain";
+ public static final String ZTS_PROP_DYNAMODB_ROLE = "athenz.zts.dynamodb_aws_role";
+ public static final String ZTS_PROP_DYNAMODB_TRUSTSTORE = "athenz.zts.dynamodb_trust_store_path";
+ public static final String ZTS_PROP_DYNAMODB_TRUSTSTORE_PASSWORD = "athenz.zts.dynamodb_trust_store_password";
+ public static final String ZTS_PROP_DYNAMODB_TRUSTSTORE_APPNAME = "athenz.zts.dynamodb_trust_store_app_name";
+ public static final String ZTS_PROP_DYNAMODB_REGION = "athenz.zts.dynamodb_region";
+ public static final String ZTS_PROP_DYNAMODB_ZTS_URL = "athenz.zts.dynamodb_zts_url";
+ public static final String ZTS_PROP_DYNAMODB_EXTERNAL_ID = "athenz.zts.dynamodb_external_id";
+ public static final String ZTS_PROP_DYNAMODB_MIN_EXPIRY_TIME = "athenz.zts.dynamodb_min_expiry_time";
+ public static final String ZTS_PROP_DYNAMODB_MAX_EXPIRY_TIME = "athenz.zts.dynamodb_max_expiry_time";
+ public static final String ZTS_PROP_DYNAMODB_TRUSTSTORE_KEYGROUPNAME = "athenz.zts.dynamodb_trust_store_app_name";
 public static final String ZTS_PROP_SSH_JDBC_STORE = "athenz.zts.ssh_jdbc_store";
 public static final String ZTS_PROP_SSH_JDBC_USER = "athenz.zts.ssh_jdbc_user";
 public static final String ZTS_PROP_SSH_JDBC_PASSWORD = "athenz.zts.ssh_jdbc_password";
 public static final String ZTS_PROP_SSH_JDBC_APP_NAME = "athenz.zts.ssh_jdbc_app_name";
+ public static final String ZTS_PROP_SSH_JDBC_KEYGROUP_NAME = "athenz.zts.ssh_jdbc_keygroup_name";
 public static final String ZTS_PROP_SSH_JDBC_USE_SSL = "athenz.zts.ssh_jdbc_use_ssl";
 public static final String ZTS_PROP_SSH_JDBC_VERIFY_SERVER_CERT = "athenz.zts.ssh_jdbc_verify_server_certificate";
 public static final String ZTS_PROP_SSH_FILE_STORE_PATH = "athenz.zts.ssh_file_store_path";
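Review bot: `ZTS_PROP_DYNAMODB_TRUSTSTORE_KEYGROUPNAME` is assigned `"athenz.zts.dynamodb_trust_store_app_name"`, which is already the value of `ZTS_PROP_DYNAMODB_TRUSTSTORE_APPNAME` a few lines above, so the two constants name the same system property. ZTSDynamoDBClientSettingsFactory reads the new constant into `keygroupName`, which means the keygroup handed to `getSecret` would silently be whatever the operator configured as the app name, and a distinct keygroup cannot be set for that path at all. The DynamoDBClientFetcherImpl hunk reads the literal `"athenz.zts.dynamodb_trust_store_keygroup_name"` for the same setting, so the constant should read `public static final String ZTS_PROP_DYNAMODB_TRUSTSTORE_KEYGROUPNAME = "athenz.zts.dynamodb_trust_store_keygroup_name";`. It would also be easier to audit next to the other two DYNAMODB_TRUSTSTORE constants rather than after MAX_EXPIRY_TIME.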
@@ -148,6 +155,7 @@ public final class ZTSConsts {
 public static final String ZTS_PROP_WORKLOAD_JDBC_USER = "athenz.zts.workload_jdbc_user";
 public static final String ZTS_PROP_WORKLOAD_JDBC_PASSWORD = "athenz.zts.workload_jdbc_password";
 public static final String ZTS_PROP_WORKLOAD_JDBC_APP_NAME = "athenz.zts.workload_jdbc_app_name";
+ public static final String ZTS_PROP_WORKLOAD_JDBC_KEYGROUP_NAME = "athenz.zts.workload_jdbc_keygroup_name";
 public static final String ZTS_PROP_WORKLOAD_JDBC_USE_SSL = "athenz.zts.workload_jdbc_use_ssl";
 public static final String ZTS_PROP_WORKLOAD_JDBC_VERIFY_SERVER_CERT = "athenz.zts.workload_jdbc_verify_server_certificate";
 public static final String ZTS_PROP_WORKLOAD_FILE_STORE_PATH = "athenz.zts.workload_file_store_path";
diff --git a/servers/zts/src/main/java/com/yahoo/athenz/zts/cert/impl/JDBCCertRecordStoreFactory.java b/servers/zts/src/main/java/com/yahoo/athenz/zts/cert/impl/JDBCCertRecordStoreFactory.java
index de55c5a5159..fd42e3021c6 100644
--- a/servers/zts/src/main/java/com/yahoo/athenz/zts/cert/impl/JDBCCertRecordStoreFactory.java
+++ b/servers/zts/src/main/java/com/yahoo/athenz/zts/cert/impl/JDBCCertRecordStoreFactory.java
@@ -35,10 +35,11 @@ public CertRecordStore create(PrivateKeyStore keyStore) {
 final String jdbcUser = System.getProperty(ZTSConsts.ZTS_PROP_CERT_JDBC_USER);
 final String password = System.getProperty(ZTSConsts.ZTS_PROP_CERT_JDBC_PASSWORD, "");
 final String jdbcAppName = System.getProperty(ZTSConsts.ZTS_PROP_CERT_JDBC_APP_NAME, JDBC);
+ final String jdbcKeygroupName = System.getProperty(ZTSConsts.ZTS_PROP_CERT_JDBC_KEYGROUP_NAME, "");
 Properties props = new Properties();
 props.setProperty(ZTSConsts.DB_PROP_USER, jdbcUser);
- props.setProperty(ZTSConsts.DB_PROP_PASSWORD, String.valueOf(keyStore.getSecret(jdbcAppName, null, password)));
+ props.setProperty(ZTSConsts.DB_PROP_PASSWORD, String.valueOf(keyStore.getSecret(jdbcAppName, jdbcKeygroupName, password)));
 props.setProperty(ZTSConsts.DB_PROP_VERIFY_SERVER_CERT,
 System.getProperty(ZTSConsts.ZTS_PROP_CERT_JDBC_VERIFY_SERVER_CERT, "false"));
 props.setProperty(ZTSConsts.DB_PROP_USE_SSL,
diff --git a/servers/zts/src/main/java/com/yahoo/athenz/zts/cert/impl/JDBCSSHRecordStoreFactory.java b/servers/zts/src/main/java/com/yahoo/athenz/zts/cert/impl/JDBCSSHRecordStoreFactory.java
index 0f897ef6249..63b3f611349 100644
--- a/servers/zts/src/main/java/com/yahoo/athenz/zts/cert/impl/JDBCSSHRecordStoreFactory.java
+++ b/servers/zts/src/main/java/com/yahoo/athenz/zts/cert/impl/JDBCSSHRecordStoreFactory.java
@@ -35,10 +35,11 @@ public SSHRecordStore create(PrivateKeyStore keyStore) {
 final String jdbcUser = System.getProperty(ZTSConsts.ZTS_PROP_SSH_JDBC_USER);
 final String password = System.getProperty(ZTSConsts.ZTS_PROP_SSH_JDBC_PASSWORD, "");
 final String jdbcAppName = System.getProperty(ZTSConsts.ZTS_PROP_SSH_JDBC_APP_NAME, JDBC);
+ final String jdbcKeygroupName = System.getProperty(ZTSConsts.ZTS_PROP_SSH_JDBC_KEYGROUP_NAME, "");
 Properties props = new Properties();
 props.setProperty(ZTSConsts.DB_PROP_USER, jdbcUser);
- props.setProperty(ZTSConsts.DB_PROP_PASSWORD, String.valueOf(keyStore.getSecret(jdbcAppName, null, password)));
+ props.setProperty(ZTSConsts.DB_PROP_PASSWORD, String.valueOf(keyStore.getSecret(jdbcAppName, jdbcKeygroupName, password)));
 props.setProperty(ZTSConsts.DB_PROP_VERIFY_SERVER_CERT,
 System.getProperty(ZTSConsts.ZTS_PROP_SSH_JDBC_VERIFY_SERVER_CERT, "false"));
 props.setProperty(ZTSConsts.DB_PROP_USE_SSL,
diff --git a/servers/zts/src/main/java/com/yahoo/athenz/zts/cert/impl/ZTSDynamoDBClientSettingsFactory.java b/servers/zts/src/main/java/com/yahoo/athenz/zts/cert/impl/ZTSDynamoDBClientSettingsFactory.java
index d98217839b1..746855749e8 100644
--- a/servers/zts/src/main/java/com/yahoo/athenz/zts/cert/impl/ZTSDynamoDBClientSettingsFactory.java
+++ b/servers/zts/src/main/java/com/yahoo/athenz/zts/cert/impl/ZTSDynamoDBClientSettingsFactory.java
@@ -37,6 +37,7 @@ public class ZTSDynamoDBClientSettingsFactory {
 private final String externalId;
 private final Integer minExpiryTime;
 private final Integer maxExpiryTime;
+ private final String keygroupName;
 public ZTSDynamoDBClientSettingsFactory(PrivateKeyStore keyStore) {
 keyPath = System.getProperty(ZTS_PROP_DYNAMODB_KEY_PATH, "");
@@ -53,11 +54,12 @@ public ZTSDynamoDBClientSettingsFactory(PrivateKeyStore keyStore) {
 String maxExpiryTimeStr = System.getProperty(ZTS_PROP_DYNAMODB_MAX_EXPIRY_TIME, "");
 minExpiryTime = minExpiryTimeStr.isEmpty() ? null : Integer.parseInt(minExpiryTimeStr);
 maxExpiryTime = maxExpiryTimeStr.isEmpty() ? null : Integer.parseInt(maxExpiryTimeStr);
+ keygroupName = System.getProperty(ZTS_PROP_DYNAMODB_TRUSTSTORE_KEYGROUPNAME, "");
 this.keyStore = keyStore;
 }
 public DynamoDBClientSettings getDynamoDBClientSettings() {
- return new DynamoDBClientSettings(certPath, domainName, roleName, trustStore, trustStorePassword, ztsURL, region, keyPath, appName, keyStore, externalId, minExpiryTime, maxExpiryTime);
+ return new DynamoDBClientSettings(certPath, domainName, roleName, trustStore, trustStorePassword, ztsURL, region, keyPath, appName, keyStore, externalId, minExpiryTime, maxExpiryTime, keygroupName);
 }
 }
diff --git a/servers/zts/src/main/java/com/yahoo/athenz/zts/utils/ZTSUtils.java b/servers/zts/src/main/java/com/yahoo/athenz/zts/utils/ZTSUtils.java
index 83ec4436c29..3b7b2842971 100644
--- a/servers/zts/src/main/java/com/yahoo/athenz/zts/utils/ZTSUtils.java
+++ b/servers/zts/src/main/java/com/yahoo/athenz/zts/utils/ZTSUtils.java
@@ -64,21 +64,24 @@ public class ZTSUtils {
 public static final long CERT_PRIORITY_MIN_PERCENT_LOW_PRIORITY = Long.parseLong(System.getProperty(ZTSConsts.ZTS_PROP_CERT_PRIORITY_MIN_PERCENT_LOW_PRIORITY, ZTSConsts.ZTS_CERT_PRIORITY_MIN_PERCENT_LOW_PRIORITY_DEFAULT));
 public static final long CERT_PRIORITY_MAX_PERCENT_HIGH_PRIORITY = Long.parseLong(System.getProperty(ZTSConsts.ZTS_PROP_CERT_PRIORITY_MAX_PERCENT_HIGH_PRIORITY, ZTSConsts.ZTS_CERT_PRIORITY_MAX_PERCENT_HIGH_PRIORITY_DEFAULT));
- private static final String ATHENZ_PROP_KEYSTORE_PATH = "athenz.ssl_key_store";
- private static final String ATHENZ_PROP_KEYSTORE_TYPE = "athenz.ssl_key_store_type";
- private static final String ATHENZ_PROP_KEYSTORE_PASSWORD = "athenz.ssl_key_store_password";
- private static final String ATHENZ_PROP_KEYSTORE_PASSWORD_APPNAME = "athenz.ssl_key_store_password_appname";
-
- private static final String ATHENZ_PROP_TRUSTSTORE_PATH = "athenz.ssl_trust_store";
- private static final String ATHENZ_PROP_TRUSTSTORE_TYPE = "athenz.ssl_trust_store_type";
- private static final String ATHENZ_PROP_TRUSTSTORE_PASSWORD = "athenz.ssl_trust_store_password";
- private static final String ATHENZ_PROP_TRUSTSTORE_PASSWORD_APPNAME = "athenz.ssl_trust_store_password_appname";
-
- private static final String ATHENZ_PROP_PROVIDER_CLIENT_PUBLIC_CERT_PATH = "athenz.zts.provider.ssl_client_public_cert_path";
- private static final String ATHENZ_PROP_PROVIDER_CLIENT_PRIVATE_KEY_PATH = "athenz.zts.provider.ssl_client_private_key_path";
- private static final String ATHENZ_PROP_PROVIDER_CLIENT_TRUSTSTORE_PATH = "athenz.zts.provider.ssl_client_trust_store";
- private static final String ATHENZ_PROP_PROVIDER_CLIENT_TRUSTSTORE_PASSWORD = "athenz.zts.provider.ssl_client_trust_store_password";
- private static final String ATHENZ_PROP_PROVIDER_CLIENT_TRUSTSTORE_PASSWORD_APPNAME = "athenz.zts.provider.ssl_client_trust_store_password_appname";
+ private static final String ATHENZ_PROP_KEYSTORE_PATH = "athenz.ssl_key_store";
+ private static final String ATHENZ_PROP_KEYSTORE_TYPE = "athenz.ssl_key_store_type";
+ private static final String ATHENZ_PROP_KEYSTORE_PASSWORD = "athenz.ssl_key_store_password";
+ private static final String ATHENZ_PROP_KEYSTORE_PASSWORD_APPNAME = "athenz.ssl_key_store_password_appname";
+ private static final String ATHENZ_PROP_KEYSTORE_PASSWORD_KEYGROUPNAME = "athenz.ssl_key_store_password_keygroupname";
+
+ private static final String ATHENZ_PROP_TRUSTSTORE_PATH = "athenz.ssl_trust_store";
+ private static final String ATHENZ_PROP_TRUSTSTORE_TYPE = "athenz.ssl_trust_store_type";
+ private static final String ATHENZ_PROP_TRUSTSTORE_PASSWORD = "athenz.ssl_trust_store_password";
+ private static final String ATHENZ_PROP_TRUSTSTORE_PASSWORD_APPNAME = "athenz.ssl_trust_store_password_appname";
+ private static final String ATHENZ_PROP_TRUSTSTORE_PASSWORD_KEYGROUPNAME = "athenz.ssl_trust_store_password_keygroupname";
+
+ private static final String ATHENZ_PROP_PROVIDER_CLIENT_PUBLIC_CERT_PATH = "athenz.zts.provider.ssl_client_public_cert_path";
+ private static final String ATHENZ_PROP_PROVIDER_CLIENT_PRIVATE_KEY_PATH = "athenz.zts.provider.ssl_client_private_key_path";
+ private static final String ATHENZ_PROP_PROVIDER_CLIENT_TRUSTSTORE_PATH = "athenz.zts.provider.ssl_client_trust_store";
+ private static final String ATHENZ_PROP_PROVIDER_CLIENT_TRUSTSTORE_PASSWORD = "athenz.zts.provider.ssl_client_trust_store_password";
+ private static final String ATHENZ_PROP_PROVIDER_CLIENT_TRUSTSTORE_PASSWORD_APPNAME = "athenz.zts.provider.ssl_client_trust_store_password_appname";
+ private static final String ATHENZ_PROP_PROVIDER_CLIENT_TRUSTSTORE_PASSWORD_KEYGROUPNAME = "athenz.zts.provider.ssl_client_trust_store_password_keygroupname";
 private final static char[] EMPTY_PASSWORD = "".toCharArray();
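Review bot: Every constant in this block is removed and re-added although only `ATHENZ_PROP_KEYSTORE_PASSWORD_KEYGROUPNAME`, `ATHENZ_PROP_TRUSTSTORE_PASSWORD_KEYGROUPNAME` and `ATHENZ_PROP_PROVIDER_CLIENT_TRUSTSTORE_PASSWORD_KEYGROUPNAME` are new; the other lines appear to differ only in alignment whitespace, which buries three functional additions in a fifteen-line rewrite and makes blame on the untouched constants point at this commit. The same pattern recurs in the AuthHistorySyncerConsts hunk further down, where one new constant is surrounded by fourteen re-aligned ones. Leaving the existing lines alone, or putting the re-alignment in a separate whitespace-only commit, would reduce each of these hunks to the lines that actually change.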
@@ -87,14 +90,18 @@ public static SslContextFactory.Client createSSLContextObject(final String[] cli
 String keyStorePath = System.getProperty(ZTSConsts.ZTS_PROP_KEYSTORE_PATH);
 String keyStorePasswordAppName = System.getProperty(ZTSConsts.ZTS_PROP_KEYSTORE_PASSWORD_APPNAME);
+ String keyStorePasswordKeygroupName = System.getProperty(ZTSConsts.ZTS_PROP_KEYSTORE_PASSWORD_KEYGROUPNAME);
 String keyStorePassword = System.getProperty(ZTSConsts.ZTS_PROP_KEYSTORE_PASSWORD);
 String keyStoreType = System.getProperty(ZTSConsts.ZTS_PROP_KEYSTORE_TYPE, "PKCS12");
+ String keyManagerPassword = System.getProperty(ZTSConsts.ZTS_PROP_KEYMANAGER_PASSWORD);
 String keyManagerPasswordAppName = System.getProperty(ZTSConsts.ZTS_PROP_KEYMANAGER_PASSWORD_APPNAME);
+ String keyManagerPasswordKeygroupName = System.getProperty(ZTSConsts.ZTS_PROP_KEYMANAGER_PASSWORD_KEYGROUPNAME);
 String trustStorePath = System.getProperty(ZTSConsts.ZTS_PROP_TRUSTSTORE_PATH);
 String trustStorePassword = System.getProperty(ZTSConsts.ZTS_PROP_TRUSTSTORE_PASSWORD);
 String trustStorePasswordAppName = System.getProperty(ZTSConsts.ZTS_PROP_TRUSTSTORE_PASSWORD_APPNAME);
+ String trustStorePasswordKeygroupName = System.getProperty(ZTSConsts.ZTS_PROP_TRUSTSTORE_PASSWORD_KEYGROUPNAME);
 String trustStoreType = System.getProperty(ZTSConsts.ZTS_PROP_TRUSTSTORE_TYPE, "PKCS12");
 String excludedCipherSuites = System.getProperty(ZTSConsts.ZTS_PROP_EXCLUDED_CIPHER_SUITES,
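Review bot: `String keyManagerPassword = System.getProperty(ZTSConsts.ZTS_PROP_KEYMANAGER_PASSWORD);` is added as a new line in this hunk, yet `if (!StringUtil.isEmpty(keyManagerPassword))` in the next hunk is unchanged context, so the old method already declared that local somewhere; no hunk in this diff removes an earlier declaration, and if it sits in the lines between this hunk and the next that are not shown, the method now has two locals of the same name and will not compile. Please confirm where the original declaration lives and that it is gone, or drop this added line if the original is still in place. createSSLContextObject starts before this hunk and continues after it.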
@@ -109,13 +116,13 @@ public static SslContextFactory.Client createSSLContextObject(final String[] cli
 }
 if (!StringUtil.isEmpty(keyStorePassword)) {
- keyStorePassword = getApplicationSecret(privateKeyStore, keyStorePasswordAppName, keyStorePassword);
+ keyStorePassword = getApplicationSecret(privateKeyStore, keyStorePasswordAppName, keyStorePassword, keyStorePasswordKeygroupName);
 sslContextFactory.setKeyStorePassword(keyStorePassword);
 }
 sslContextFactory.setKeyStoreType(keyStoreType);
 if (!StringUtil.isEmpty(keyManagerPassword)) {
- keyManagerPassword = getApplicationSecret(privateKeyStore, keyManagerPasswordAppName, keyManagerPassword);
+ keyManagerPassword = getApplicationSecret(privateKeyStore, keyManagerPasswordAppName, keyManagerPassword, keyManagerPasswordKeygroupName);
 sslContextFactory.setKeyManagerPassword(keyManagerPassword);
 }
@@ -124,7 +131,7 @@ public static SslContextFactory.Client createSSLContextObject(final String[] cli
 sslContextFactory.setTrustStorePath(trustStorePath);
 }
 if (!StringUtil.isEmpty(trustStorePassword)) {
- trustStorePassword = getApplicationSecret(privateKeyStore, trustStorePasswordAppName, trustStorePassword);
+ trustStorePassword = getApplicationSecret(privateKeyStore, trustStorePasswordAppName, trustStorePassword, trustStorePasswordKeygroupName);
 sslContextFactory.setTrustStorePassword(trustStorePassword);
 }
 sslContextFactory.setTrustStoreType(trustStoreType);
@@ -140,17 +147,17 @@ public static SslContextFactory.Client createSSLContextObject(final String[] cli
 }
 static String getApplicationSecret(final PrivateKeyStore privateKeyStore,
- final String keyStorePasswordAppName, final String keyStorePassword) {
- return String.valueOf(getSecret(privateKeyStore, keyStorePasswordAppName, keyStorePassword));
+ final String keyStorePasswordAppName, final String keyStorePassword, final String keygroupName) {
+ return String.valueOf(getSecret(privateKeyStore, keyStorePasswordAppName, keyStorePassword, keygroupName));
 }
 static char[] getSecret(final PrivateKeyStore privateKeyStore,
- final String keyStorePasswordAppName, final String keyStorePassword) {
+ final String keyStorePasswordAppName, final String keyStorePassword, final String keyStorePasswordKeygroupName) {
 if (privateKeyStore == null) {
 return keyStorePassword.toCharArray();
 }
- return privateKeyStore.getSecret(keyStorePasswordAppName, null, keyStorePassword);
+ return privateKeyStore.getSecret(keyStorePasswordAppName, keyStorePasswordKeygroupName, keyStorePassword);
 }
 public static boolean emitMonmetricError(int errorCode, String caller,
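Review bot: The new fourth parameter is named `keygroupName` on getApplicationSecret but `keyStorePasswordKeygroupName` on getSecret, and neither helper says what a null or empty keygroup means even though callers in this commit pass both (`null` from the ZTSUtils SSL-context methods, `""` from the JDBC record-store factories). Rename the getSecret parameter to `keygroupName` for consistency and give both helpers a Javadoc along the lines of `/** Resolves the password through privateKeyStore.getSecret(appName, keygroupName, password), or returns password.toCharArray() when no store is configured; keygroupName may be null. */`. Unrelated to the signature change but still in this hunk, the `privateKeyStore == null` branch dereferences `keyStorePassword` unguarded, so a null password with no key store throws NullPointerException rather than returning null as the `password != null ? password : EMPTY_PASSWORD` callers in getAthenzServerSSLContext seem to expect.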
@@ -329,8 +336,11 @@ public static SSLContext getAthenzProviderClientSSLContext(PrivateKeyStore priva
 final String serverTrustStorePasswordAppName = System.getProperty(ATHENZ_PROP_TRUSTSTORE_PASSWORD_APPNAME);
 final String trustStorePasswordAppName = System.getProperty(ATHENZ_PROP_PROVIDER_CLIENT_TRUSTSTORE_PASSWORD_APPNAME, serverTrustStorePasswordAppName);
+ final String serverTrustStorePasswordKeygroupName = System.getProperty(ATHENZ_PROP_TRUSTSTORE_PASSWORD_KEYGROUPNAME);
+ final String trustStorePasswordKeygroupName = System.getProperty(ATHENZ_PROP_PROVIDER_CLIENT_TRUSTSTORE_PASSWORD_KEYGROUPNAME,
+ serverTrustStorePasswordKeygroupName);
 try {
- final char[] passwordChars = getSecret(privateKeyStore, trustStorePasswordAppName, trustStorePassword);
+ final char[] passwordChars = getSecret(privateKeyStore, trustStorePasswordAppName, trustStorePassword, trustStorePasswordKeygroupName);
 KeyRefresher keyRefresher = Utils.generateKeyRefresher(trustStorePath, passwordChars, certPath, keyPath);
 keyRefresher.startup();
 return Utils.buildSSLContext(keyRefresher.getKeyManagerProxy(), keyRefresher.getTrustManagerProxy());
@@ -347,6 +357,7 @@ public static SSLContext getAthenzServerSSLContext(PrivateKeyStore privateKeySto
 return null;
 }
 final String keyStorePasswordAppName = System.getProperty(ATHENZ_PROP_KEYSTORE_PASSWORD_APPNAME);
+ final String keyStorePasswordKeygroupName = System.getProperty(ATHENZ_PROP_KEYSTORE_PASSWORD_KEYGROUPNAME);
 final String keyStorePassword = System.getProperty(ATHENZ_PROP_KEYSTORE_PASSWORD);
 final String keyStoreType = System.getProperty(ATHENZ_PROP_KEYSTORE_TYPE, "PKCS12");
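Review bot: The provider-client keygroup falls back to the server truststore keygroup on its own, independently of whether the app name fell back, so a deployment that sets `athenz.zts.provider.ssl_client_trust_store_password_appname` but not the new `athenz.zts.provider.ssl_client_trust_store_password_keygroupname` will look the provider secret up under the provider app name paired with the server keygroup. Whether that combination is meaningful depends on the PrivateKeyStore implementation, which is not visible here. If app name and keygroup are meant to travel together, tie the fallback to one condition, e.g. `final String trustStorePasswordKeygroupName = Objects.equals(trustStorePasswordAppName, serverTrustStorePasswordAppName) ? serverTrustStorePasswordKeygroupName : System.getProperty(ATHENZ_PROP_PROVIDER_CLIENT_TRUSTSTORE_PASSWORD_KEYGROUPNAME);`; if the independence is intentional, a one-line comment saying so would save the next reader the question. getAthenzProviderClientSSLContext continues outside the hunk, as does getAthenzServerSSLContext in the second hunk.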
@@ -358,6 +369,7 @@ public static SSLContext getAthenzServerSSLContext(PrivateKeyStore privateKeySto
 final String trustStorePassword = System.getProperty(ATHENZ_PROP_TRUSTSTORE_PASSWORD);
 final String trustStorePasswordAppName = System.getProperty(ATHENZ_PROP_TRUSTSTORE_PASSWORD_APPNAME);
+ final String trustStorePasswordKeygroupName = System.getProperty(ATHENZ_PROP_TRUSTSTORE_PASSWORD_KEYGROUPNAME);
 final String trustStoreType = System.getProperty(ATHENZ_PROP_TRUSTSTORE_TYPE, "PKCS12");
 SSLContext sslcontext = null;
@@ -365,7 +377,7 @@ public static SSLContext getAthenzServerSSLContext(PrivateKeyStore privateKeySto
 TrustManagerFactory tmfactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
 try (FileInputStream instream = new FileInputStream(trustStorePath)) {
 KeyStore trustStore = KeyStore.getInstance(trustStoreType);
- final char[] password = getSecret(privateKeyStore, trustStorePasswordAppName, trustStorePassword);
+ final char[] password = getSecret(privateKeyStore, trustStorePasswordAppName, trustStorePassword, trustStorePasswordKeygroupName);
 trustStore.load(instream, password != null ? password : EMPTY_PASSWORD);
 tmfactory.init(trustStore);
 }
@@ -373,7 +385,7 @@ public static SSLContext getAthenzServerSSLContext(PrivateKeyStore privateKeySto
 KeyManagerFactory kmfactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
 try (FileInputStream instream = new FileInputStream(keyStorePath)) {
 KeyStore keyStore = KeyStore.getInstance(keyStoreType);
- final char[] password = getSecret(privateKeyStore, keyStorePasswordAppName, keyStorePassword);
+ final char[] password = getSecret(privateKeyStore, keyStorePasswordAppName, keyStorePassword, keyStorePasswordKeygroupName);
 keyStore.load(instream, password != null ? password : EMPTY_PASSWORD);
 kmfactory.init(keyStore, password != null ? password : EMPTY_PASSWORD);
 }
diff --git a/servers/zts/src/main/java/com/yahoo/athenz/zts/workload/impl/JDBCWorkloadRecordStoreFactory.java b/servers/zts/src/main/java/com/yahoo/athenz/zts/workload/impl/JDBCWorkloadRecordStoreFactory.java
index 1e92a2cfb37..c2c3eadd31e 100644
--- a/servers/zts/src/main/java/com/yahoo/athenz/zts/workload/impl/JDBCWorkloadRecordStoreFactory.java
+++ b/servers/zts/src/main/java/com/yahoo/athenz/zts/workload/impl/JDBCWorkloadRecordStoreFactory.java
@@ -35,10 +35,11 @@ public WorkloadRecordStore create(PrivateKeyStore keyStore) {
 final String jdbcUser = System.getProperty(ZTSConsts.ZTS_PROP_WORKLOAD_JDBC_USER);
 final String password = System.getProperty(ZTSConsts.ZTS_PROP_WORKLOAD_JDBC_PASSWORD, "");
 final String jdbcAppName = System.getProperty(ZTSConsts.ZTS_PROP_WORKLOAD_JDBC_APP_NAME, JDBC);
+ final String jdbcKeygroupName = System.getProperty(ZTSConsts.ZTS_PROP_WORKLOAD_JDBC_KEYGROUP_NAME, "");
 Properties props = new Properties();
 props.setProperty(ZTSConsts.DB_PROP_USER, jdbcUser);
- props.setProperty(ZTSConsts.DB_PROP_PASSWORD, String.valueOf(keyStore.getSecret(jdbcAppName, null, password)));
+ props.setProperty(ZTSConsts.DB_PROP_PASSWORD, String.valueOf(keyStore.getSecret(jdbcAppName, jdbcKeygroupName, password)));
 props.setProperty(ZTSConsts.DB_PROP_VERIFY_SERVER_CERT, System.getProperty(ZTSConsts.ZTS_PROP_WORKLOAD_JDBC_VERIFY_SERVER_CERT, "false"));
 props.setProperty(ZTSConsts.DB_PROP_USE_SSL,
diff --git a/servers/zts/src/test/java/com/yahoo/athenz/zts/cert/impl/JDBCCertRecordStoreFactoryTest.java b/servers/zts/src/test/java/com/yahoo/athenz/zts/cert/impl/JDBCCertRecordStoreFactoryTest.java
index 23f9e1aa6cf..b08302c2708 100644
--- a/servers/zts/src/test/java/com/yahoo/athenz/zts/cert/impl/JDBCCertRecordStoreFactoryTest.java
+++ b/servers/zts/src/test/java/com/yahoo/athenz/zts/cert/impl/JDBCCertRecordStoreFactoryTest.java
@@ -34,7 +34,7 @@ public void testCreate() {
 System.setProperty(ZTSConsts.ZTS_PROP_CERT_JDBC_PASSWORD, "password");
 PrivateKeyStore keyStore = Mockito.mock(PrivateKeyStore.class);
- Mockito.doReturn("password".toCharArray()).when(keyStore).getSecret("jdbc", null, "password");
+ Mockito.doReturn("password".toCharArray()).when(keyStore).getSecret("jdbc", "", "password");
 JDBCCertRecordStoreFactory factory = new JDBCCertRecordStoreFactory();
 CertRecordStore store = factory.create(keyStore);
diff --git a/servers/zts/src/test/java/com/yahoo/athenz/zts/cert/impl/JDBCSSHRecordStoreFactoryTest.java b/servers/zts/src/test/java/com/yahoo/athenz/zts/cert/impl/JDBCSSHRecordStoreFactoryTest.java
index 4d97c7ccef5..64776fc4747 100644
--- a/servers/zts/src/test/java/com/yahoo/athenz/zts/cert/impl/JDBCSSHRecordStoreFactoryTest.java
+++ b/servers/zts/src/test/java/com/yahoo/athenz/zts/cert/impl/JDBCSSHRecordStoreFactoryTest.java
@@ -33,7 +33,7 @@ public void testCreate() {
 System.setProperty(ZTSConsts.ZTS_PROP_SSH_JDBC_PASSWORD, "password");
 PrivateKeyStore keyStore = Mockito.mock(PrivateKeyStore.class);
- Mockito.doReturn("password".toCharArray()).when(keyStore).getSecret("jdbc", null, "password");
+ Mockito.doReturn("password".toCharArray()).when(keyStore).getSecret("jdbc", "", "password");
 JDBCSSHRecordStoreFactory factory = new JDBCSSHRecordStoreFactory();
 SSHRecordStore store = factory.create(keyStore);
diff --git a/servers/zts/src/test/java/com/yahoo/athenz/zts/utils/ZTSUtilsTest.java b/servers/zts/src/test/java/com/yahoo/athenz/zts/utils/ZTSUtilsTest.java
index b889dac1ad3..89e830aa8ac 100644
--- a/servers/zts/src/test/java/com/yahoo/athenz/zts/utils/ZTSUtilsTest.java
+++ b/servers/zts/src/test/java/com/yahoo/athenz/zts/utils/ZTSUtilsTest.java
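Review bot: The re-stubbed `getSecret("jdbc", "", "password")` only pins the unset-property default; neither testCreate sets `ZTSConsts.ZTS_PROP_SSH_JDBC_KEYGROUP_NAME` (or its cert-store counterpart), so nothing checks that a configured keygroup actually reaches `PrivateKeyStore.getSecret`. A second case that sets the property and stubs, for example, `getSecret("jdbc", "grp", "password")` would cover the new argument. Also, the JDBCWorkloadRecordStoreFactoryTest hunk below adds `System.clearProperty` cleanup after its assertion, but these two tests still leave their JDBC user and password properties set for the rest of the JVM. Both testCreate bodies begin before the hunk.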
@@ -319,14 +319,14 @@ public void testValidateCertReqCommonNameException() {
 @Test
 public void testGetApplicationSecret() {
- assertEquals(ZTSUtils.getApplicationSecret(null, "appname", "pass"), "pass");
+ assertEquals(ZTSUtils.getApplicationSecret(null, "appname", "pass", null), "pass");
 PrivateKeyStore keyStore = Mockito.mock(PrivateKeyStore.class);
 Mockito.when(keyStore.getSecret(null, null, "pass")).thenReturn("app234".toCharArray());
- assertEquals(ZTSUtils.getSecret(keyStore, null, "pass"), "app234".toCharArray());
+ assertEquals(ZTSUtils.getSecret(keyStore, null, "pass", null), "app234".toCharArray());
 Mockito.when(keyStore.getSecret("appname", null, "passname")).thenReturn("app123".toCharArray());
- assertEquals(ZTSUtils.getSecret(keyStore, "appname", "passname"), "app123".toCharArray());
+ assertEquals(ZTSUtils.getSecret(keyStore, "appname", "passname", null), "app123".toCharArray());
 }
 @Test
diff --git a/servers/zts/src/test/java/com/yahoo/athenz/zts/workload/impl/JDBCWorkloadRecordStoreFactoryTest.java b/servers/zts/src/test/java/com/yahoo/athenz/zts/workload/impl/JDBCWorkloadRecordStoreFactoryTest.java
index 49c4a8a24c5..05e87e99c5a 100644
--- a/servers/zts/src/test/java/com/yahoo/athenz/zts/workload/impl/JDBCWorkloadRecordStoreFactoryTest.java
+++ b/servers/zts/src/test/java/com/yahoo/athenz/zts/workload/impl/JDBCWorkloadRecordStoreFactoryTest.java
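Review bot: Every updated call in testGetApplicationSecret passes `null` as the new keygroup argument, so the test still exercises only the pre-change path and never verifies that a non-null keygroup is forwarded to `keyStore.getSecret`. Adding a stub such as `Mockito.when(keyStore.getSecret("appname", "group", "passname")).thenReturn("app456".toCharArray());` and asserting that `ZTSUtils.getSecret(keyStore, "appname", "passname", "group")` returns it would pin the forwarding. The `getApplicationSecret(null, "appname", "pass", null)` case covers only the no-store branch; one with the mock store and a keygroup would cover the String-returning wrapper too.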
@@ -33,10 +33,13 @@ public void testCreate() {
 System.setProperty(ZTSConsts.ZTS_PROP_WORKLOAD_JDBC_PASSWORD, "password");
 PrivateKeyStore keyStore = Mockito.mock(PrivateKeyStore.class);
- Mockito.doReturn("password".toCharArray()).when(keyStore).getSecret("jdbc", null, "password");
+ Mockito.doReturn("password".toCharArray()).when(keyStore).getSecret("jdbc", "", "password");
 JDBCWorkloadRecordStoreFactory factory = new JDBCWorkloadRecordStoreFactory();
 WorkloadRecordStore store = factory.create(keyStore);
 Assert.assertNotNull(store);
+ System.clearProperty(ZTSConsts.ZTS_PROP_WORKLOAD_JDBC_STORE);
+ System.clearProperty(ZTSConsts.ZTS_PROP_WORKLOAD_JDBC_USER);
+ System.clearProperty(ZTSConsts.ZTS_PROP_WORKLOAD_JDBC_PASSWORD);
 }
 }
\ No newline at end of file
diff --git a/syncers/auth_history_syncer/src/main/java/com/yahoo/athenz/syncer/auth/history/AuthHistorySyncerConsts.java b/syncers/auth_history_syncer/src/main/java/com/yahoo/athenz/syncer/auth/history/AuthHistorySyncerConsts.java
index 9573837c86d..6557f66e8ab 100644
--- a/syncers/auth_history_syncer/src/main/java/com/yahoo/athenz/syncer/auth/history/AuthHistorySyncerConsts.java
+++ b/syncers/auth_history_syncer/src/main/java/com/yahoo/athenz/syncer/auth/history/AuthHistorySyncerConsts.java
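Review bot: The three `System.clearProperty` calls are placed after `Assert.assertNotNull(store)`, so a failing assertion skips them and leaves the JDBC store, user and password properties set for every later test in the same JVM. Moving the cleanup into an after-method hook (or a `finally`) makes it unconditional, and `ZTSConsts.ZTS_PROP_WORKLOAD_JDBC_KEYGROUP_NAME` should be cleared there as well once a test sets it. The hunk does not set that property, so the `""` stub only covers the unset default and the new argument path is untested here. testCreate begins before the hunk.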
@@ -22,19 +22,20 @@ public class AuthHistorySyncerConsts {
 private AuthHistorySyncerConsts() { }
- public static final String PROP_DYNAMODB_KEY_PATH = "auth_history_syncer.dynamodb_key_path";
- public static final String PROP_DYNAMODB_CERT_PATH = "auth_history_syncer.dynamodb_cert_path";
- public static final String PROP_DYNAMODB_DOMAIN = "auth_history_syncer.dynamodb_aws_domain";
- public static final String PROP_DYNAMODB_ROLE = "auth_history_syncer.dynamodb_aws_role";
- public static final String PROP_DYNAMODB_TRUSTSTORE = "auth_history_syncer.dynamodb_trust_store_path";
- public static final String PROP_DYNAMODB_TRUSTSTORE_PASSWORD = "auth_history_syncer.dynamodb_trust_store_password";
- public static final String PROP_DYNAMODB_TRUSTSTORE_APPNAME = "auth_history_syncer.dynamodb_trust_store_app_name";
- public static final String PROP_DYNAMODB_REGION = "auth_history_syncer.dynamodb_region";
- public static final String PROP_DYNAMODB_ZTS_URL = "auth_history_syncer.dynamodb_zts_url";
- public static final String PROP_DYNAMODB_EXTERNAL_ID = "auth_history_syncer.dynamodb_external_id";
- public static final String PROP_DYNAMODB_MIN_EXPIRY_TIME = "auth_history_syncer.dynamodb_min_expiry_time";
- public static final String PROP_DYNAMODB_MAX_EXPIRY_TIME = "auth_history_syncer.dynamodb_max_expiry_time";
+ public static final String PROP_DYNAMODB_KEY_PATH = "auth_history_syncer.dynamodb_key_path";
+ public static final String PROP_DYNAMODB_CERT_PATH = "auth_history_syncer.dynamodb_cert_path";
+ public static final String PROP_DYNAMODB_DOMAIN = "auth_history_syncer.dynamodb_aws_domain";
+ public static final String PROP_DYNAMODB_ROLE = "auth_history_syncer.dynamodb_aws_role";
+ public static final String PROP_DYNAMODB_TRUSTSTORE = "auth_history_syncer.dynamodb_trust_store_path";
+ public static final String PROP_DYNAMODB_TRUSTSTORE_PASSWORD = "auth_history_syncer.dynamodb_trust_store_password";
+ public static final String PROP_DYNAMODB_TRUSTSTORE_APPNAME = "auth_history_syncer.dynamodb_trust_store_app_name";
+ public static final String PROP_DYNAMODB_TRUSTSTORE_KEYGROUPNAME = "auth_history_syncer.dynamodb_trust_store_keygroup_name";
+ public static final String PROP_DYNAMODB_REGION = "auth_history_syncer.dynamodb_region";
+ public static final String PROP_DYNAMODB_ZTS_URL = "auth_history_syncer.dynamodb_zts_url";
+ public static final String PROP_DYNAMODB_EXTERNAL_ID = "auth_history_syncer.dynamodb_external_id";
+ public static final String PROP_DYNAMODB_MIN_EXPIRY_TIME = "auth_history_syncer.dynamodb_min_expiry_time";
+ public static final String PROP_DYNAMODB_MAX_EXPIRY_TIME = "auth_history_syncer.dynamodb_max_expiry_time";
- public static final String PROP_CLOUDWATCH_ZMS_LOG_GROUP = "auth_history_syncer.cloudwatch_zms_log_group";
- public static final String PROP_CLOUDWATCH_ZTS_LOG_GROUP = "auth_history_syncer.cloudwatch_zts_log_group";
+ public static final String PROP_CLOUDWATCH_ZMS_LOG_GROUP = "auth_history_syncer.cloudwatch_zms_log_group";
+ public static final String PROP_CLOUDWATCH_ZTS_LOG_GROUP = "auth_history_syncer.cloudwatch_zts_log_group";
 }
diff --git a/syncers/auth_history_syncer/src/main/java/com/yahoo/athenz/syncer/auth/history/impl/DynamoDBAuthHistorySenderFactory.java b/syncers/auth_history_syncer/src/main/java/com/yahoo/athenz/syncer/auth/history/impl/DynamoDBAuthHistorySenderFactory.java
index b183150c041..3fdc72804d2 100644
--- a/syncers/auth_history_syncer/src/main/java/com/yahoo/athenz/syncer/auth/history/impl/DynamoDBAuthHistorySenderFactory.java
+++ b/syncers/auth_history_syncer/src/main/java/com/yahoo/athenz/syncer/auth/history/impl/DynamoDBAuthHistorySenderFactory.java
@@ -56,7 +56,8 @@ private DynamoDBClientSettings getClientSettings(PrivateKeyStore pkeyStore) {
 String maxExpiryTimeStr = System.getProperty(PROP_DYNAMODB_MAX_EXPIRY_TIME, "");
 Integer minExpiryTime = minExpiryTimeStr.isEmpty() ? null : Integer.parseInt(minExpiryTimeStr);
 Integer maxExpiryTime = maxExpiryTimeStr.isEmpty() ? null : Integer.parseInt(maxExpiryTimeStr);
+ String keygroupName = System.getProperty(PROP_DYNAMODB_TRUSTSTORE_KEYGROUPNAME, "");
- return new DynamoDBClientSettings(certPath, domainName, roleName, trustStore, trustStorePassword, ztsURL, region, keyPath, appName, pkeyStore, externalId, minExpiryTime, maxExpiryTime);
+ return new DynamoDBClientSettings(certPath, domainName, roleName, trustStore, trustStorePassword, ztsURL, region, keyPath, appName, pkeyStore, externalId, minExpiryTime, maxExpiryTime, keygroupName);
 }
 }