From 8e3e0e5c805a983cea2ebd83838a71a21e44096e Mon Sep 17 00:00:00 2001
From: Abhijeet V <31417623+abvaidya@users.noreply.github.com>
Date: Wed, 29 May 2024 16:50:36 -0700
Subject: [PATCH 1/4] server k8s common module
Signed-off-by: Abhijeet V <31417623+abvaidya@users.noreply.github.com>
---
.../yahoo/athenz/auth/PrivateKeyStore.java | 16 +++
.../AWSParameterStorePrivateKeyStore.java | 2 +-
.../AWSParameterStorePrivateKeyStoreTest.java | 2 +-
libs/java/server_k8s_common/README.md | 12 ++
libs/java/server_k8s_common/pom.xml | 63 ++++++++++
.../impl/KubernetesSecretPrivateKeyStore.java | 112 +++++++++++++++++
...ubernetesSecretPrivateKeyStoreFactory.java | 31 +++++
...netesSecretPrivateKeyStoreFactoryTest.java | 46 +++++++
.../KubernetesSecretPrivateKeyStoreTest.java | 114 ++++++++++++++++++
.../invalid-secret-key-response.json | 1 +
.../resources/sample-secret-key-response.json | 1 +
.../resources/sample-secret-response.json | 1 +
pom.xml | 3 +
13 files changed, 402 insertions(+), 2 deletions(-)
create mode 100644 libs/java/server_k8s_common/README.md
create mode 100644 libs/java/server_k8s_common/pom.xml
create mode 100644 libs/java/server_k8s_common/src/main/java/io/athenz/server/k8s/common/impl/KubernetesSecretPrivateKeyStore.java
create mode 100644 libs/java/server_k8s_common/src/main/java/io/athenz/server/k8s/common/impl/KubernetesSecretPrivateKeyStoreFactory.java
create mode 100644 libs/java/server_k8s_common/src/test/java/io/athenz/server/k8s/common/impl/KubernetesSecretPrivateKeyStoreFactoryTest.java
create mode 100644 libs/java/server_k8s_common/src/test/java/io/athenz/server/k8s/common/impl/KubernetesSecretPrivateKeyStoreTest.java
create mode 100644 libs/java/server_k8s_common/src/test/resources/invalid-secret-key-response.json
create mode 100644 libs/java/server_k8s_common/src/test/resources/sample-secret-key-response.json
create mode 100644 libs/java/server_k8s_common/src/test/resources/sample-secret-response.json
diff --git a/libs/java/auth_core/src/main/java/com/yahoo/athenz/auth/PrivateKeyStore.java b/libs/java/auth_core/src/main/java/com/yahoo/athenz/auth/PrivateKeyStore.java
index bb2d8d201b1..8dddd90a8cf 100644
--- a/libs/java/auth_core/src/main/java/com/yahoo/athenz/auth/PrivateKeyStore.java
+++ b/libs/java/auth_core/src/main/java/com/yahoo/athenz/auth/PrivateKeyStore.java
@@ -68,6 +68,7 @@ default String getApplicationSecret(String appName, String keyName) {
/**
* Retrieve the application secret based on the configured key name as char[].
+ * @deprecated
* The application name specifies what component is this secret for;
* for example, jdbc for accessing the secret for the jdbc user.
* The default implementation assumes the key name is the secret.
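Review bot: The added `@deprecated` tag sits in the middle of the Javadoc description, so everything after it (the application-name explanation and the `@param`/`@return` tags that follow) is rendered as the deprecation text, and it names no replacement. Move it after the description and point at the overload this commit introduces, e.g. ` * @deprecated use {@link #getSecret(String, String, String)} instead`. The method this comment documents begins after the hunk.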
@@ -75,8 +76,23 @@ default String getApplicationSecret(String appName, String keyName) {
* @param keyName configured value for the secret
* @return secret for the given key and application as char[]
*/
+ @Deprecated
default char[] getSecret(String appName, String keyName) {
final String secret = getApplicationSecret(appName, keyName);
return secret != null ? secret.toCharArray() : null;
}
+
+ /**
+ * Retrieve the application secret based on the configured key name as char[].
+ * The application name specifies what component is this secret for;
+ * for example, jdbc for accessing the secret for the jdbc user.
+ * The default implementation assumes the key name is the secret.
+ * @param appName application name for the secret
+ * @param keygroupName key group name for the secret
+ * @param keyName name of the secret
+ * @return secret for the given key and application as char[]
+ */
+ default char[] getSecret(String appName, String keygroupName, String keyName) {
+ return keyName.toCharArray();
+ }
}
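Review bot: The new default on lines 61-63 silently discards `keygroupName` and, unlike the deprecated overload directly above it, throws `NullPointerException` on a null `keyName` instead of returning null; neither fact is stated in its Javadoc. Implementors need to know which of the three methods is the intended override point, so add something like ` * The default implementation ignores {@code keygroupName}; stores that support key groups must override this method.` to the comment. The `@Deprecated` annotation on line 45 would also be more useful as `@Deprecated(since = "<release>")` so callers can see when the old overload was retired.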
diff --git a/libs/java/auth_core/src/main/java/com/yahoo/athenz/auth/impl/AWSParameterStorePrivateKeyStore.java b/libs/java/auth_core/src/main/java/com/yahoo/athenz/auth/impl/AWSParameterStorePrivateKeyStore.java
index b04ebdbd2c7..6d0a7a8786c 100644
--- a/libs/java/auth_core/src/main/java/com/yahoo/athenz/auth/impl/AWSParameterStorePrivateKeyStore.java
+++ b/libs/java/auth_core/src/main/java/com/yahoo/athenz/auth/impl/AWSParameterStorePrivateKeyStore.java
@@ -50,7 +50,7 @@ public class AWSParameterStorePrivateKeyStore implements PrivateKeyStore {
}
@Override
- public char[] getSecret(String appName, String keyName) {
+ public char[] getSecret(String appName, String keygroupName, String keyName) {
return getSsmParameter(keyName).toCharArray();
}
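Review bot: Replacing the two-argument override with the three-argument one means callers still on the deprecated `getSecret(appName, keyName)` now get the interface default, which resolves through `getApplicationSecret`; unless this class overrides `getApplicationSecret` (not visible in the hunk), those callers would silently receive the key name itself as the secret instead of the SSM parameter value. Keep a bridging override for the deprecated form, `@Override public char[] getSecret(String appName, String keyName) { return getSecret(appName, null, keyName); }`, or confirm that `getApplicationSecret` is overridden in this class. Either way a one-line comment on the remaining override noting that `keygroupName` is unused by the SSM backend would help the next reader.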
diff --git a/libs/java/auth_core/src/test/java/com/yahoo/athenz/auth/impl/AWSParameterStorePrivateKeyStoreTest.java b/libs/java/auth_core/src/test/java/com/yahoo/athenz/auth/impl/AWSParameterStorePrivateKeyStoreTest.java
index 16a451b6066..089a565e8e2 100644
--- a/libs/java/auth_core/src/test/java/com/yahoo/athenz/auth/impl/AWSParameterStorePrivateKeyStoreTest.java
+++ b/libs/java/auth_core/src/test/java/com/yahoo/athenz/auth/impl/AWSParameterStorePrivateKeyStoreTest.java
@@ -49,7 +49,7 @@ public void testGetSecret() {
when(ssmClient.getParameter(any(Consumer.class)))
.thenReturn(GetParameterResponse.builder().parameter(Parameter.builder().value("secret").build()).build());
AWSParameterStorePrivateKeyStore store = (AWSParameterStorePrivateKeyStore)getFactory(ssmClient).create();
- assertEquals(store.getSecret("app1", "key1"), "secret".toCharArray());
+ assertEquals(store.getSecret("app1", null, "key1"), "secret".toCharArray());
}
@Test
diff --git a/libs/java/server_k8s_common/README.md b/libs/java/server_k8s_common/README.md
new file mode 100644
index 00000000000..4db0efd2330
--- /dev/null
+++ b/libs/java/server_k8s_common/README.md
@@ -0,0 +1,12 @@
+Athenz Server Common Classes
+============================
+
+Common classes used throughout Athenz Server components if server is deployed in Kubernetes.
+
+- KeyStore: PrivateKeyStore implementation using Kubernetes secrets
+
+## License
+
+Copyright The Athenz Authors
+
+Licensed under the [Apache License, Version 2.0](http://www.apache.org/licenses/LICENSE-2.0)
diff --git a/libs/java/server_k8s_common/pom.xml b/libs/java/server_k8s_common/pom.xml
new file mode 100644
index 00000000000..d990792ec03
--- /dev/null
+++ b/libs/java/server_k8s_common/pom.xml
@@ -0,0 +1,63 @@
+
+
+
+ 4.0.0
+
+
+ com.yahoo.athenz
+ athenz
+ 1.11.60-SNAPSHOT
+ ../../../pom.xml
+
+
+ athenz-server-k8s-common
+ athenz-k8s-server-common
+ Athenz Kubernetes Server Common Packages
+ jar
+
+
+ 1.00
+
+
+
+
+ org.slf4j
+ slf4j-api
+ ${slf4j.server.version}
+
+
+ ch.qos.logback
+ logback-classic
+ ${logback.server.version}
+ test
+
+
+ com.squareup.okhttp3
+ mockwebserver
+ ${okhttp3.mockwebserver.version}
+ test
+
+
+ com.yahoo.athenz
+ athenz-auth-core
+ ${project.parent.version}
+
+
+ io.kubernetes
+ client-java
+ ${kubernetes-client.version}
+
+
+
+
diff --git a/libs/java/server_k8s_common/src/main/java/io/athenz/server/k8s/common/impl/KubernetesSecretPrivateKeyStore.java b/libs/java/server_k8s_common/src/main/java/io/athenz/server/k8s/common/impl/KubernetesSecretPrivateKeyStore.java
new file mode 100644
index 00000000000..a6d317ba8d2
--- /dev/null
+++ b/libs/java/server_k8s_common/src/main/java/io/athenz/server/k8s/common/impl/KubernetesSecretPrivateKeyStore.java
@@ -0,0 +1,112 @@
+/*
+ * Copyright The Athenz Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.athenz.server.k8s.common.impl;
+
+import com.yahoo.athenz.auth.PrivateKeyStore;
+import com.yahoo.athenz.auth.ServerPrivateKey;
+import com.yahoo.athenz.auth.util.Crypto;
+import io.kubernetes.client.openapi.ApiClient;
+import io.kubernetes.client.openapi.ApiException;
+import io.kubernetes.client.openapi.Configuration;
+import io.kubernetes.client.openapi.apis.CoreV1Api;
+import io.kubernetes.client.openapi.models.V1Secret;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.lang.invoke.MethodHandles;
+import java.nio.charset.StandardCharsets;
+import java.security.PrivateKey;
+
+public class KubernetesSecretPrivateKeyStore implements PrivateKeyStore {
+
+ private static final Logger LOG = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
+
+ private static final String ZMS_SERVICE = "zms";
+ private static final String ZTS_SERVICE = "zts";
+ private static final String MSD_SERVICE = "msd";
+
+ private static final String ATHENZ_PROP_K8S_ZMS_KEY_NAME = "athenz.k8s.zms.key_name";
+ private static final String ATHENZ_PROP_K8S_ZMS_KEY_ID_NAME = "athenz.k8s.zms.key_id_name";
+ private static final String ATHENZ_PROP_K8S_ZTS_KEY_NAME = "athenz.k8s.zts.key_name";
+ private static final String ATHENZ_PROP_K8S_ZTS_KEY_ID_NAME = "athenz.k8s.zts.key_id_name";
+ private static final String ATHENZ_PROP_K8S_MSD_KEY_NAME = "athenz.k8s.msd.key_name";
+ private static final String ATHENZ_PROP_K8S_MSD_KEY_ID_NAME = "athenz.k8s.msd.key_id_name";
+
+ private static final String ATHENZ_K8S_DEFAULT_KEY_NAME = "service_k8s_private_key";
+ private static final String ATHENZ_K8S_DEFAULT_KEY_ID_NAME = "service_k8s_private_key_id";
+
+ private final ApiClient k8sClient;
+
+ private static final String ATHENZ_K8S_CONNECT_TIMEOUT = "athenz.k8s.connect_timeout";
+ private static final String ATHENZ_K8S_READ_TIMEOUT = "athenz.k8s.read_timeout";
+
+ public KubernetesSecretPrivateKeyStore(ApiClient k8sClient) {
+ this.k8sClient = k8sClient;
+ this.k8sClient.setConnectTimeout(Integer.parseInt(System.getProperty(ATHENZ_K8S_CONNECT_TIMEOUT, "500")));
+ this.k8sClient.setReadTimeout(Integer.parseInt(System.getProperty(ATHENZ_K8S_READ_TIMEOUT, "2000")));
+ Configuration.setDefaultApiClient(k8sClient);
+ }
+
+ @Override
+ public ServerPrivateKey getPrivateKey(String service, String namespace,
+ String secretName, String algorithm) {
+ String keyName;
+ String keyIdName;
+ final String objectSuffix = "." + algorithm.toLowerCase();
+ if (ZMS_SERVICE.equals(service)) {
+ keyName = System.getProperty(ATHENZ_PROP_K8S_ZMS_KEY_NAME, ATHENZ_K8S_DEFAULT_KEY_NAME) + objectSuffix;
+ keyIdName = System.getProperty(ATHENZ_PROP_K8S_ZMS_KEY_ID_NAME, ATHENZ_K8S_DEFAULT_KEY_ID_NAME) + objectSuffix;
+ } else if (ZTS_SERVICE.equals(service)) {
+ keyName = System.getProperty(ATHENZ_PROP_K8S_ZTS_KEY_NAME, ATHENZ_K8S_DEFAULT_KEY_NAME) + objectSuffix;
+ keyIdName = System.getProperty(ATHENZ_PROP_K8S_ZTS_KEY_ID_NAME, ATHENZ_K8S_DEFAULT_KEY_ID_NAME) + objectSuffix;
+ } else if (MSD_SERVICE.equals(service)) {
+ keyName = System.getProperty(ATHENZ_PROP_K8S_MSD_KEY_NAME, ATHENZ_K8S_DEFAULT_KEY_NAME) + objectSuffix;
+ keyIdName = System.getProperty(ATHENZ_PROP_K8S_MSD_KEY_ID_NAME, ATHENZ_K8S_DEFAULT_KEY_ID_NAME) + objectSuffix;
+ } else {
+ LOG.error("Unknown service specified: {}", service);
+ return null;
+ }
+
+ PrivateKey pkey = null;
+ try {
+ pkey = Crypto.loadPrivateKey(getSecretFromK8S(namespace, secretName, keyName));
+ } catch (Exception ex) {
+ LOG.error("unable to load private key", ex);
+ }
+ return pkey == null ? null : new ServerPrivateKey(pkey, getSecretFromK8S(namespace, secretName, keyIdName));
+ }
+
+ @Override
+ public char[] getSecret(String namespace, String secretName, String keyName) {
+ return getSecretFromK8S(namespace, secretName, keyName).toCharArray();
+ }
+
+ String getSecretFromK8S(String namespace, String secretName, String keyName) {
+ try {
+ CoreV1Api api = new CoreV1Api(k8sClient);
+ V1Secret secret = api.readNamespacedSecret(secretName, namespace).execute();
+ if (secret != null && secret.getData() != null && secret.getData().get(keyName) != null) {
+ return new String(secret.getData().get(keyName), StandardCharsets.UTF_8);
+ } else {
+ LOG.error("Unable to retrieve secret={} for key={} from namespace={}", secretName, keyName, namespace);
+ return "";
+ }
+ } catch (ApiException e) {
+ LOG.error("Error in retrieving secret={} for key={} from namespace={}", secretName, keyName, namespace);
+ throw new RuntimeException(e);
+ }
+ }
+}
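Review bot: `getSecretFromK8S` returns `""` when the key is absent from the secret (line 274), so `getSecret` hands the caller an empty password and `getPrivateKey` feeds an empty string to `Crypto.loadPrivateKey` and an empty key id to `ServerPrivateKey`; a missing secret should fail closed — return null there and let `getSecret` map null to null as the interface's deprecated overload does (the `testGetSecretMissing` expectation of an empty array changes accordingly). The second fetch in `getPrivateKey` on line 258 (the key id) sits outside the try, so an `ApiException` there escapes as a `RuntimeException` while the same failure on the key is logged and yields null; reading the `V1Secret` once and taking both entries from it removes the inconsistency and the duplicate API call, as sketched below. The interface's `appName`/`keygroupName` parameters are mapped here to `namespace`/`secretName`, so a caller passing null for the group reaches `readNamespacedSecret(null, namespace)` — that mapping and its null behaviour belong in a class-level Javadoc. The constructor also mutates the injected client's timeouts and installs it as the process-wide default via `Configuration.setDefaultApiClient`, although every call in this class passes `k8sClient` explicitly; if the global default is not needed, dropping that line avoids a hidden side effect on other users of the Kubernetes client.
```java
        // … unchanged: key name / key id resolution by service …
        try {
            V1Secret secret = new CoreV1Api(k8sClient).readNamespacedSecret(secretName, namespace).execute();
            final String keyData = secretValue(secret, namespace, secretName, keyName);
            final String keyId = secretValue(secret, namespace, secretName, keyIdName);
            if (keyData == null || keyId == null) {
                return null;
            }
            return new ServerPrivateKey(Crypto.loadPrivateKey(keyData), keyId);
        } catch (Exception ex) {
            LOG.error("unable to load private key from secret={} in namespace={}", secretName, namespace, ex);
            return null;
        }
    }

    @Override
    public char[] getSecret(String namespace, String secretName, String keyName) {
        final String value = getSecretFromK8S(namespace, secretName, keyName);
        return value == null ? null : value.toCharArray();
    }

    /** Decoded value of {@code keyName} in {@code secret}, or null when the secret or the key is absent. */
    private static String secretValue(V1Secret secret, String namespace, String secretName, String keyName) {
        byte[] value = (secret == null || secret.getData() == null) ? null : secret.getData().get(keyName);
        if (value == null) {
            LOG.error("Unable to retrieve secret={} for key={} from namespace={}", secretName, keyName, namespace);
            return null;
        }
        return new String(value, StandardCharsets.UTF_8);
    }

    // … unchanged: getSecretFromK8S, returning null (via secretValue) instead of "" when the key is absent …
```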
diff --git a/libs/java/server_k8s_common/src/main/java/io/athenz/server/k8s/common/impl/KubernetesSecretPrivateKeyStoreFactory.java b/libs/java/server_k8s_common/src/main/java/io/athenz/server/k8s/common/impl/KubernetesSecretPrivateKeyStoreFactory.java
new file mode 100644
index 00000000000..cb8b0781058
--- /dev/null
+++ b/libs/java/server_k8s_common/src/main/java/io/athenz/server/k8s/common/impl/KubernetesSecretPrivateKeyStoreFactory.java
@@ -0,0 +1,31 @@
+/*
+ * Copyright The Athenz Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.athenz.server.k8s.common.impl;
+
+import com.yahoo.athenz.auth.PrivateKeyStore;
+import com.yahoo.athenz.auth.PrivateKeyStoreFactory;
+import io.kubernetes.client.util.Config;
+
+public class KubernetesSecretPrivateKeyStoreFactory implements PrivateKeyStoreFactory {
+ @Override
+ public PrivateKeyStore create() {
+ try {
+ return new KubernetesSecretPrivateKeyStore(Config.defaultClient());
+ } catch (Exception ex) {
+ throw new RuntimeException("Unable to create KubernetesSecretPrivateKeyStore", ex);
+ }
+ }
+}
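Review bot: `catch (Exception ex)` on line 314 is broader than the checked `IOException` that `Config.defaultClient()` declares, so a programming error inside the store's constructor (for example the `NumberFormatException` from a malformed `athenz.k8s.connect_timeout` property) is re-wrapped under the misleading message "Unable to create KubernetesSecretPrivateKeyStore". Narrow it to `catch (IOException ex)` and let unchecked exceptions propagate with their own message; the factory test in this series that stubs `Config.defaultClient()` with a `RuntimeException` would then need to throw an `IOException` instead.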
diff --git a/libs/java/server_k8s_common/src/test/java/io/athenz/server/k8s/common/impl/KubernetesSecretPrivateKeyStoreFactoryTest.java b/libs/java/server_k8s_common/src/test/java/io/athenz/server/k8s/common/impl/KubernetesSecretPrivateKeyStoreFactoryTest.java
new file mode 100644
index 00000000000..5ee9702fe97
--- /dev/null
+++ b/libs/java/server_k8s_common/src/test/java/io/athenz/server/k8s/common/impl/KubernetesSecretPrivateKeyStoreFactoryTest.java
@@ -0,0 +1,46 @@
+/*
+ * Copyright The Athenz Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.athenz.server.k8s.common.impl;
+
+import com.yahoo.athenz.auth.PrivateKeyStore;
+import io.kubernetes.client.util.Config;
+import org.mockito.MockedStatic;
+import org.mockito.Mockito;
+import org.testng.annotations.Test;
+
+import static org.testng.Assert.assertTrue;
+import static org.testng.Assert.fail;
+
+public class KubernetesSecretPrivateKeyStoreFactoryTest {
+ @Test
+ public void createKubernetesSecretPrivateKeyStore() {
+ PrivateKeyStore privateKeyStore = new KubernetesSecretPrivateKeyStoreFactory().create();
+ assertTrue(privateKeyStore instanceof KubernetesSecretPrivateKeyStore);
+ }
+
+ @Test
+ public void createKubernetesSecretPrivateKeyStoreException() {
+ try (MockedStatic configMockedStatic = Mockito.mockStatic(Config.class)) {
+ configMockedStatic.when(Config::defaultClient).thenThrow(new RuntimeException("mocked exception"));
+ try {
+ new KubernetesSecretPrivateKeyStoreFactory().create();
+ fail();
+ } catch (RuntimeException ex) {
+ assertTrue(ex.getMessage().contains("Unable to create KubernetesSecretPrivateKeyStore"));
+ }
+ }
+ }
+}
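Review bot: `createKubernetesSecretPrivateKeyStore` on lines 353-356 calls the real `Config.defaultClient()`, whose result depends on the build host (kubeconfig, in-cluster service-account files, environment variables), so the test's outcome varies with the environment rather than with the code under test. Stub it with `MockedStatic` as the second test does and have it return `new ApiClient()`. The `MockedStatic` on line 360 is also a raw type; `MockedStatic<Config>` keeps the generic information and avoids the unchecked warning.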
diff --git a/libs/java/server_k8s_common/src/test/java/io/athenz/server/k8s/common/impl/KubernetesSecretPrivateKeyStoreTest.java b/libs/java/server_k8s_common/src/test/java/io/athenz/server/k8s/common/impl/KubernetesSecretPrivateKeyStoreTest.java
new file mode 100644
index 00000000000..0443abcd91e
--- /dev/null
+++ b/libs/java/server_k8s_common/src/test/java/io/athenz/server/k8s/common/impl/KubernetesSecretPrivateKeyStoreTest.java
@@ -0,0 +1,114 @@
+/*
+ * Copyright The Athenz Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.athenz.server.k8s.common.impl;
+
+import com.yahoo.athenz.auth.PrivateKeyStore;
+import com.yahoo.athenz.auth.ServerPrivateKey;
+import io.kubernetes.client.openapi.ApiClient;
+import okhttp3.HttpUrl;
+import okhttp3.mockwebserver.MockResponse;
+import okhttp3.mockwebserver.MockWebServer;
+import org.mockito.Mockito;
+import org.testng.annotations.AfterMethod;
+import org.testng.annotations.Test;
+
+import java.io.FileInputStream;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+
+import static org.testng.Assert.*;
+
+public class KubernetesSecretPrivateKeyStoreTest {
+ private KubernetesSecretPrivateKeyStoreFactory getFactory(final ApiClient k8sClient) {
+ return new KubernetesSecretPrivateKeyStoreFactory() {
+ @Override
+ public PrivateKeyStore create() {
+ return new KubernetesSecretPrivateKeyStore(k8sClient);
+ }
+ };
+ }
+
+ private MockWebServer server;
+
+ @Test
+ public void testGetSecret() throws Exception {
+ server = new MockWebServer();
+ Path path = Paths.get("src/test/resources/sample-secret-response.json");
+ try (FileInputStream fis = new FileInputStream(path.toFile())) {
+ server.enqueue(new MockResponse().setBody(new String(fis.readAllBytes())));
+ server.start();
+ ApiClient k8sClient = Mockito.spy(new ApiClient());
+ HttpUrl baseUrl = server.url("/api/v1/namespaces/myns/secrets/mysecret");
+ k8sClient.setBasePath(baseUrl.toString());
+ KubernetesSecretPrivateKeyStoreFactory factory = getFactory(k8sClient);
+ assertEquals(factory.create().getSecret("myns", "mysecret", "password"), new char[]{'c', 'h', 'a', 'n', 'g', 'e', 'i', 't'});
+ }
+ }
+
+ @Test
+ public void testGetSecretMissing() throws Exception {
+ server = new MockWebServer();
+ Path path = Paths.get("src/test/resources/invalid-secret-key-response.json");
+ try (FileInputStream fis = new FileInputStream(path.toFile())) {
+ server.enqueue(new MockResponse().setBody(new String(fis.readAllBytes())));
+ server.start();
+ ApiClient k8sClient = Mockito.spy(new ApiClient());
+ HttpUrl baseUrl = server.url("/api/v1/namespaces/myns/secrets/mysecret");
+ k8sClient.setBasePath(baseUrl.toString());
+ KubernetesSecretPrivateKeyStoreFactory factory = getFactory(k8sClient);
+ assertEquals(factory.create().getSecret("myns", "mysecret", "password"), new char[]{});
+ }
+ }
+
+ @Test
+ public void testGetPrivateKey() throws Exception {
+ server = new MockWebServer();
+ Path path = Paths.get("src/test/resources/sample-secret-key-response.json");
+ byte[] keyBytes;
+ try (FileInputStream fis = new FileInputStream(path.toFile())) {
+ keyBytes = fis.readAllBytes();
+ //mock response for zms key
+ server.enqueue(new MockResponse().setBody(new String(keyBytes)));
+ //mock response for zms key id
+ server.enqueue(new MockResponse().setBody(new String(keyBytes)));
+ //mock response for zts key
+ server.enqueue(new MockResponse().setBody(new String(keyBytes)));
+ //mock response for zts key id
+ server.enqueue(new MockResponse().setBody(new String(keyBytes)));
+ //mock response for msd key
+ server.enqueue(new MockResponse().setBody(new String(keyBytes)));
+ //mock response for msd key id
+ server.enqueue(new MockResponse().setBody(new String(keyBytes)));
+ server.start();
+ ApiClient k8sClient = Mockito.spy(new ApiClient());
+ HttpUrl baseUrl = server.url("/api/v1/namespaces/myns/secrets/mysecret");
+ k8sClient.setBasePath(baseUrl.toString());
+ KubernetesSecretPrivateKeyStoreFactory factory = getFactory(k8sClient);
+ KubernetesSecretPrivateKeyStore store = (KubernetesSecretPrivateKeyStore) factory.create();
+ assertNotNull(store.getPrivateKey("zms", "myns","mysecret", "EC"));
+ assertNotNull(store.getPrivateKey("zts", "myns","mysecret", "EC"));
+ assertNotNull(store.getPrivateKey("msd", "myns","mysecret", "EC"));
+ // no mock response present so expected a read timeout
+ assertNull(store.getPrivateKey("msd", "myns","mysecret", "EC"));
+ assertNull(store.getPrivateKey("unknown", "myns","mysecret", "EC"));
+ }
+ }
+
+ @AfterMethod
+ public void tearDown() throws Exception {
+ server.shutdown();
+ }
+}
\ No newline at end of file
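Review bot: The final `assertNull` in `testGetPrivateKey` (line 481) relies on the mock server having no queued response so the client hits the 2000 ms read timeout set in the store constructor, which makes the test both slow and sensitive to the `athenz.k8s.read_timeout` system property; enqueue `new MockResponse().setResponseCode(404)` (or a similar error response) for that call so the null path is exercised deterministically. `new String(fis.readAllBytes())` on lines 427, 442 and 460 decodes the fixture with the platform charset — `Files.readString(path)` reads it as UTF-8 in one call and drops the manual stream handling.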
diff --git a/libs/java/server_k8s_common/src/test/resources/invalid-secret-key-response.json b/libs/java/server_k8s_common/src/test/resources/invalid-secret-key-response.json
new file mode 100644
index 00000000000..7ad2cb1c114
--- /dev/null
+++ b/libs/java/server_k8s_common/src/test/resources/invalid-secret-key-response.json
@@ -0,0 +1 @@
+{"kind":"Secret","apiVersion":"v1","metadata":{"name":"mysecret","namespace":"myns","uid":"68427c0d-a549-4a44-b938-498d57a541af","resourceVersion":"118061","creationTimestamp":"2024-05-29T20:49:54Z","managedFields":[{"manager":"kubectl-create","operation":"Update","apiVersion":"v1","time":"2024-05-29T20:49:54Z","fieldsType":"FieldsV1","fieldsV1":{"f:data":{".":{},"f:service_k8s_private_key.ec":{}},"f:type":{}}}]},"data":{"service_k8s_private_key.ec":"djAK","service_k8s_private_key_id.ec": "djAK"},"type":"Opaque"}
\ No newline at end of file
diff --git a/libs/java/server_k8s_common/src/test/resources/sample-secret-key-response.json b/libs/java/server_k8s_common/src/test/resources/sample-secret-key-response.json
new file mode 100644
index 00000000000..834c0287efc
--- /dev/null
+++ b/libs/java/server_k8s_common/src/test/resources/sample-secret-key-response.json
@@ -0,0 +1 @@
+{"kind":"Secret","apiVersion":"v1","metadata":{"name":"mysecret","namespace":"myns","uid":"68427c0d-a549-4a44-b938-498d57a541af","resourceVersion":"118061","creationTimestamp":"2024-05-29T20:49:54Z","managedFields":[{"manager":"kubectl-create","operation":"Update","apiVersion":"v1","time":"2024-05-29T20:49:54Z","fieldsType":"FieldsV1","fieldsV1":{"f:data":{".":{},"f:service_k8s_private_key.ec":{}},"f:type":{}}}]},"data":{"service_k8s_private_key.ec":"LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUNQbmFTaGRlY0xyMDViV0I2SnBrTjlGc1FVUndzam5GZkRmNk5VcGo5V0RvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFalRIckFSU1RsUFNHeVZwUHpjTTFYTG12M3hlY2JzY0NOREtlTUt0eDBKNEJOMVhaNXVsNQorb0dXTDlKZG5DOHZmN3M2SVBjeE92SVp0SDdORklWbit3PT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=","service_k8s_private_key_id.ec": "djAK"},"type":"Opaque"}
\ No newline at end of file
diff --git a/libs/java/server_k8s_common/src/test/resources/sample-secret-response.json b/libs/java/server_k8s_common/src/test/resources/sample-secret-response.json
new file mode 100644
index 00000000000..145cbbc7d48
--- /dev/null
+++ b/libs/java/server_k8s_common/src/test/resources/sample-secret-response.json
@@ -0,0 +1 @@
+{"kind":"Secret","apiVersion":"v1","metadata":{"name":"mysecret","namespace":"myns","uid":"68427c0d-a549-4a44-b938-498d57a541af","resourceVersion":"118061","creationTimestamp":"2024-05-29T20:49:54Z","managedFields":[{"manager":"kubectl-create","operation":"Update","apiVersion":"v1","time":"2024-05-29T20:49:54Z","fieldsType":"FieldsV1","fieldsV1":{"f:data":{".":{},"f:password":{}},"f:type":{}}}]},"data":{"password":"Y2hhbmdlaXQ="},"type":"Opaque"}
\ No newline at end of file
diff --git a/pom.xml b/pom.xml
index 1f61d6020a5..1b1a9841daa 100644
--- a/pom.xml
+++ b/pom.xml
@@ -93,11 +93,13 @@
11.0.21
0.11.5
5.14.0
+ 20.0.1
1.2.13
1.5.6
5.12.0
8.4.0
9.39.2
+ 4.12.0
1.5.4
1.7.36
2.0.13
@@ -145,6 +147,7 @@
libs/java/client_common
libs/java/cert_refresher
libs/java/server_common
+ libs/java/server_k8s_common
libs/java/syncer_common
libs/java/instance_provider
libs/java/dynamodb_client_factory
From 817a8b0c87b4f517ad44dd0e9021616fa3945805 Mon Sep 17 00:00:00 2001
From: Abhijeet V <31417623+abvaidya@users.noreply.github.com>
Date: Thu, 30 May 2024 13:54:49 -0700
Subject: [PATCH 2/4] using new method from KeyStore with backward
compatibility in default implementation
Signed-off-by: Abhijeet V <31417623+abvaidya@users.noreply.github.com>
---
.../com/yahoo/athenz/container/AthenzJettyContainer.java | 6 +++---
.../main/java/com/yahoo/athenz/auth/PrivateKeyStore.java | 4 ++--
.../main/java/com/yahoo/athenz/common/utils/SSLUtils.java | 2 +-
.../yahoo/athenz/db/dynamodb/DynamoDBClientSettings.java | 2 +-
.../athenz/db/dynamodb/DynamoDBClientFetcherImplTest.java | 2 +-
.../athenz/db/dynamodb/DynamoDBClientSettingsTest.java | 2 +-
.../com/yahoo/athenz/auth/impl/aws/AwsPrivateKeyStore.java | 7 ++++++-
.../server/store/impl/ZMSFileChangeLogStoreFactory.java | 2 +-
.../yahoo/athenz/zms/provider/ServiceProviderClient.java | 2 +-
.../athenz/zms/store/impl/JDBCObjectStoreFactory.java | 4 ++--
.../athenz/zms/store/impl/JDBCObjectStoreFactoryTest.java | 4 ++--
.../athenz/zts/cert/impl/JDBCCertRecordStoreFactory.java | 2 +-
.../athenz/zts/cert/impl/JDBCSSHRecordStoreFactory.java | 2 +-
.../src/main/java/com/yahoo/athenz/zts/utils/ZTSUtils.java | 2 +-
.../zts/workload/impl/JDBCWorkloadRecordStoreFactory.java | 2 +-
.../zts/cert/impl/DynamoDBCertRecordStoreFactoryTest.java | 2 +-
.../zts/cert/impl/DynamoDBSSHRecordStoreFactoryTest.java | 2 +-
.../zts/cert/impl/JDBCCertRecordStoreFactoryTest.java | 2 +-
.../zts/cert/impl/JDBCSSHRecordStoreFactoryTest.java | 2 +-
.../test/java/com/yahoo/athenz/zts/utils/ZTSUtilsTest.java | 4 ++--
.../impl/DynamoDBWorkloadRecordStoreFactoryTest.java | 2 +-
.../workload/impl/JDBCWorkloadRecordStoreFactoryTest.java | 2 +-
22 files changed, 33 insertions(+), 28 deletions(-)
diff --git a/containers/jetty/src/main/java/com/yahoo/athenz/container/AthenzJettyContainer.java b/containers/jetty/src/main/java/com/yahoo/athenz/container/AthenzJettyContainer.java
index 356010a93f0..1c9ea46af05 100644
--- a/containers/jetty/src/main/java/com/yahoo/athenz/container/AthenzJettyContainer.java
+++ b/containers/jetty/src/main/java/com/yahoo/athenz/container/AthenzJettyContainer.java
@@ -373,19 +373,19 @@ SslContextFactory.Server createSSLContextObject(boolean needClientAuth) {
}
if (!StringUtil.isEmpty(keyStorePassword)) {
//default implementation should just return the same
- sslContextFactory.setKeyStorePassword(String.valueOf(this.privateKeyStore.getSecret(keyStorePasswordAppName, keyStorePassword)));
+ sslContextFactory.setKeyStorePassword(String.valueOf(this.privateKeyStore.getSecret(keyStorePasswordAppName, null, keyStorePassword)));
}
sslContextFactory.setKeyStoreType(keyStoreType);
if (!StringUtil.isEmpty(keyManagerPassword)) {
- sslContextFactory.setKeyManagerPassword(String.valueOf(this.privateKeyStore.getSecret(keyManagerPasswordAppName, keyManagerPassword)));
+ sslContextFactory.setKeyManagerPassword(String.valueOf(this.privateKeyStore.getSecret(keyManagerPasswordAppName, null, keyManagerPassword)));
}
if (!StringUtil.isEmpty(trustStorePath)) {
LOG.info("Using SSL TrustStore path: {}", trustStorePath);
sslContextFactory.setTrustStorePath(trustStorePath);
}
if (!StringUtil.isEmpty(trustStorePassword)) {
- sslContextFactory.setTrustStorePassword(String.valueOf(this.privateKeyStore.getSecret(trustStorePasswordAppName, trustStorePassword)));
+ sslContextFactory.setTrustStorePassword(String.valueOf(this.privateKeyStore.getSecret(trustStorePasswordAppName, null, trustStorePassword)));
}
sslContextFactory.setTrustStoreType(trustStoreType);
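Review bot: Passing `null` as `keygroupName` on lines 581, 586 and 594 is fine for the interface default and the AWS stores, but the `KubernetesSecretPrivateKeyStore` added in patch 1 of this series uses that argument as the Kubernetes secret name, so a container configured with that store would call `readNamespacedSecret(null, ...)`; if that combination is meant to work, these call sites need a configured group name (e.g. a property alongside `keyStorePasswordAppName`), and if it is not, the store's Javadoc should say so. The same `null` is passed in `SSLUtils.getPassword` and `DynamoDBClientSettings.getTrustStorePasswordChars` in this patch. `createSSLContextObject` continues outside the hunk.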
diff --git a/libs/java/auth_core/src/main/java/com/yahoo/athenz/auth/PrivateKeyStore.java b/libs/java/auth_core/src/main/java/com/yahoo/athenz/auth/PrivateKeyStore.java
index 8dddd90a8cf..32a0abee1c1 100644
--- a/libs/java/auth_core/src/main/java/com/yahoo/athenz/auth/PrivateKeyStore.java
+++ b/libs/java/auth_core/src/main/java/com/yahoo/athenz/auth/PrivateKeyStore.java
@@ -90,9 +90,9 @@ default char[] getSecret(String appName, String keyName) {
* @param appName application name for the secret
* @param keygroupName key group name for the secret
* @param keyName name of the secret
- * @return secret for the given key and application as char[]
+ * @return secret for the given key, keygroup and application as char[]
*/
default char[] getSecret(String appName, String keygroupName, String keyName) {
- return keyName.toCharArray();
+ return getSecret(appName, keyName);
}
}
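Review bot: With the default now delegating to the deprecated two-argument `getSecret`, the sentence just above the hunk stating that the default implementation assumes the key name is the secret no longer describes this method — the value now comes from whatever `getApplicationSecret` resolves, and `keygroupName` is ignored entirely. Replace that sentence with ` * The default implementation ignores {@code keygroupName} and delegates to {@link #getSecret(String, String)}; stores that support key groups should override this method.`. The three defaults now chain (this method → two-argument `getSecret` → `getApplicationSecret`), so an implementation that overrides only `getApplicationSecret` in terms of this method would recurse without bound; naming the intended override point in the interface Javadoc prevents that.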
diff --git a/libs/java/client_common/src/main/java/com/yahoo/athenz/common/utils/SSLUtils.java b/libs/java/client_common/src/main/java/com/yahoo/athenz/common/utils/SSLUtils.java
index 39f70760278..b1944495c27 100644
--- a/libs/java/client_common/src/main/java/com/yahoo/athenz/common/utils/SSLUtils.java
+++ b/libs/java/client_common/src/main/java/com/yahoo/athenz/common/utils/SSLUtils.java
@@ -149,7 +149,7 @@ public SSLContext build() {
private static char[] getPassword(char[] password, final PrivateKeyStore privateKeyStore, String appName) {
if (password != null) {
if (null != privateKeyStore) {
- password = privateKeyStore.getSecret(appName, String.valueOf(password));
+ password = privateKeyStore.getSecret(appName, null, String.valueOf(password));
}
}
return password;
diff --git a/libs/java/dynamodb_client_factory/src/main/java/com/yahoo/athenz/db/dynamodb/DynamoDBClientSettings.java b/libs/java/dynamodb_client_factory/src/main/java/com/yahoo/athenz/db/dynamodb/DynamoDBClientSettings.java
index 0aa36916822..a8acfa27f8e 100644
--- a/libs/java/dynamodb_client_factory/src/main/java/com/yahoo/athenz/db/dynamodb/DynamoDBClientSettings.java
+++ b/libs/java/dynamodb_client_factory/src/main/java/com/yahoo/athenz/db/dynamodb/DynamoDBClientSettings.java
@@ -125,6 +125,6 @@ char[] getTrustStorePasswordChars() {
return null;
}
- return keyStore.getSecret(appName, trustStorePassword);
+ return keyStore.getSecret(appName, null, trustStorePassword);
}
}
diff --git a/libs/java/dynamodb_client_factory/src/test/java/com/yahoo/athenz/db/dynamodb/DynamoDBClientFetcherImplTest.java b/libs/java/dynamodb_client_factory/src/test/java/com/yahoo/athenz/db/dynamodb/DynamoDBClientFetcherImplTest.java
index 1cb4ce45a7c..709950c8b7a 100644
--- a/libs/java/dynamodb_client_factory/src/test/java/com/yahoo/athenz/db/dynamodb/DynamoDBClientFetcherImplTest.java
+++ b/libs/java/dynamodb_client_factory/src/test/java/com/yahoo/athenz/db/dynamodb/DynamoDBClientFetcherImplTest.java
@@ -84,7 +84,7 @@ public void testGetAuthenticatedClient() {
DynamoDBClientFetcherImpl dynamoDBClientFetcher = new DynamoDBClientFetcherImpl();
PrivateKeyStore keyStore = Mockito.mock(PrivateKeyStore.class);
- when(keyStore.getSecret(Mockito.eq(""), Mockito.eq("test.truststore.password"))).thenReturn("mockPassword".toCharArray());
+ when(keyStore.getSecret(Mockito.eq(""), Mockito.eq(null), Mockito.eq("test.truststore.password"))).thenReturn("mockPassword".toCharArray());
ZTSClientNotificationSender ztsClientNotificationSender = Mockito.mock(ZTSClientNotificationSender.class);
AmazonDynamoDB dynamoDBClient = dynamoDBClientFetcher.getDynamoDBClient(ztsClientNotificationSender, keyStore).getAmazonDynamoDB();
assertNotNull(dynamoDBClient);
diff --git a/libs/java/dynamodb_client_factory/src/test/java/com/yahoo/athenz/db/dynamodb/DynamoDBClientSettingsTest.java b/libs/java/dynamodb_client_factory/src/test/java/com/yahoo/athenz/db/dynamodb/DynamoDBClientSettingsTest.java
index 7cd1501e4ac..196cf0ebf75 100644
--- a/libs/java/dynamodb_client_factory/src/test/java/com/yahoo/athenz/db/dynamodb/DynamoDBClientSettingsTest.java
+++ b/libs/java/dynamodb_client_factory/src/test/java/com/yahoo/athenz/db/dynamodb/DynamoDBClientSettingsTest.java
@@ -60,7 +60,7 @@ public void testCredentialsProvided() {
String appName = "test.appname";
PrivateKeyStore keyStore = Mockito.mock(PrivateKeyStore.class);
- when(keyStore.getSecret(Mockito.eq("test.appname"), Mockito.eq("test.truststore.password")))
+ when(keyStore.getSecret(Mockito.eq("test.appname"), Mockito.eq(null), Mockito.eq("test.truststore.password")))
.thenReturn("decryptedPassword".toCharArray());
DynamoDBClientSettings dynamoDBClientSettings = new DynamoDBClientSettings(certPath, domain, role, trustStore, trustStorePassword, ztsUrl, region, keyPath, appName, keyStore, null, null, null);
diff --git a/libs/java/server_common/src/main/java/com/yahoo/athenz/auth/impl/aws/AwsPrivateKeyStore.java b/libs/java/server_common/src/main/java/com/yahoo/athenz/auth/impl/aws/AwsPrivateKeyStore.java
index 9619be4f74a..0b76341277f 100644
--- a/libs/java/server_common/src/main/java/com/yahoo/athenz/auth/impl/aws/AwsPrivateKeyStore.java
+++ b/libs/java/server_common/src/main/java/com/yahoo/athenz/auth/impl/aws/AwsPrivateKeyStore.java
@@ -162,7 +162,12 @@ public PrivateKey getPrivateKey(String service, String serverHostName, StringBui
@Override
public String getApplicationSecret(final String appName, final String keyName) {
- return getDecryptedData(appName, keyName);
+ return String.valueOf(getSecret(appName, null, keyName));
+ }
+
+ @Override
+ public char[] getSecret(final String appName, final String keygroupName, final String keyName) {
+ return getDecryptedData(appName, keyName).toCharArray();
}
private String getDecryptedData(final String bucketName, final String keyName) {
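Review bot: The new `getSecret` override accepts `keygroupName` but never reads it, so a deployment that configures a keygroup for this store silently gets the secret resolved by `appName` and `keyName` alone; a Javadoc line on the override should state that, e.g. `/** The AWS store has no keygroup concept: keygroupName is ignored and the secret is resolved by appName and keyName only. */`. `getApplicationSecret` now goes through `.toCharArray()`, so if `getDecryptedData` can return null the method throws a NullPointerException where it previously returned null; that method starts on the hunk's last line and continues outside it, so this is inferred rather than verified. The value still passes through an immutable `String` before becoming a `char[]`, so the array form presumably gives no clear-after-use benefit here and should not be documented as such.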
diff --git a/libs/java/server_common/src/main/java/com/yahoo/athenz/common/server/store/impl/ZMSFileChangeLogStoreFactory.java b/libs/java/server_common/src/main/java/com/yahoo/athenz/common/server/store/impl/ZMSFileChangeLogStoreFactory.java
index 7bd5e6698cd..ded2a7cb12b 100644
--- a/libs/java/server_common/src/main/java/com/yahoo/athenz/common/server/store/impl/ZMSFileChangeLogStoreFactory.java
+++ b/libs/java/server_common/src/main/java/com/yahoo/athenz/common/server/store/impl/ZMSFileChangeLogStoreFactory.java
@@ -87,7 +87,7 @@ ChangeLogStore mtlsClientChangeLogStore(final String rootDirectory) {
if (!trustStorePwdName.isEmpty()) {
final String trustStorePwdApp = System.getProperty(ZTS_SERVER_PROP_TRUSTORE_PWD_APP);
trustStorePassword = (privateKeyStore == null) ? trustStorePwdName.toCharArray() :
- privateKeyStore.getSecret(trustStorePwdApp, trustStorePwdName);
+ privateKeyStore.getSecret(trustStorePwdApp, null, trustStorePwdName);
}
// catch any exceptions thrown from the change log store and instead
diff --git a/servers/zms/src/main/java/com/yahoo/athenz/zms/provider/ServiceProviderClient.java b/servers/zms/src/main/java/com/yahoo/athenz/zms/provider/ServiceProviderClient.java
index 26e4a920484..1ee557fa444 100644
--- a/servers/zms/src/main/java/com/yahoo/athenz/zms/provider/ServiceProviderClient.java
+++ b/servers/zms/src/main/java/com/yahoo/athenz/zms/provider/ServiceProviderClient.java
@@ -116,7 +116,7 @@ private SSLContext getDomainDependencyProviderSSLContext(PrivateKeyStore keyStor
}
KeyRefresher keyRefresher = Utils.generateKeyRefresher(
trustStore,
- keyStore.getSecret(appName, trustStorePassword),
+ keyStore.getSecret(appName, null, trustStorePassword),
certPath,
keyPath);
keyRefresher.startup();
diff --git a/servers/zms/src/main/java/com/yahoo/athenz/zms/store/impl/JDBCObjectStoreFactory.java b/servers/zms/src/main/java/com/yahoo/athenz/zms/store/impl/JDBCObjectStoreFactory.java
index ea98d012824..48a2dc5bd92 100644
--- a/servers/zms/src/main/java/com/yahoo/athenz/zms/store/impl/JDBCObjectStoreFactory.java
+++ b/servers/zms/src/main/java/com/yahoo/athenz/zms/store/impl/JDBCObjectStoreFactory.java
@@ -38,7 +38,7 @@ public ObjectStore create(PrivateKeyStore keyStore) {
final String jdbcUser = System.getProperty(ZMSConsts.ZMS_PROP_JDBC_RW_USER);
final String password = System.getProperty(ZMSConsts.ZMS_PROP_JDBC_RW_PASSWORD, "");
final String jdbcAppName = System.getProperty(ZMSConsts.ZMS_PROP_JDBC_APP_NAME, JDBC_APP_NAME);
- Properties readWriteProperties = getProperties(jdbcUser, keyStore.getSecret(jdbcAppName, password));
+ Properties readWriteProperties = getProperties(jdbcUser, keyStore.getSecret(jdbcAppName, null, password));
PoolableDataSource readWriteSrc = DataSourceFactory.create(jdbcStore, readWriteProperties);
// now check to see if we also have a read-only jdbc store configured
@@ -50,7 +50,7 @@ public ObjectStore create(PrivateKeyStore keyStore) {
if (jdbcReadOnlyStore != null && jdbcReadOnlyStore.startsWith(JDBC_APP_NAME)) {
final String jdbcReadOnlyUser = getDefaultSetting(ZMSConsts.ZMS_PROP_JDBC_RO_USER, jdbcUser);
final String readOnlyPassword = getDefaultSetting(ZMSConsts.ZMS_PROP_JDBC_RO_PASSWORD, password);
- Properties readOnlyProperties = getProperties(jdbcReadOnlyUser, keyStore.getSecret(jdbcAppName, readOnlyPassword));
+ Properties readOnlyProperties = getProperties(jdbcReadOnlyUser, keyStore.getSecret(jdbcAppName, null, readOnlyPassword));
readOnlySrc = DataSourceFactory.create(jdbcReadOnlyStore, readOnlyProperties);
}
return new JDBCObjectStore(readWriteSrc, readOnlySrc);
diff --git a/servers/zms/src/test/java/com/yahoo/athenz/zms/store/impl/JDBCObjectStoreFactoryTest.java b/servers/zms/src/test/java/com/yahoo/athenz/zms/store/impl/JDBCObjectStoreFactoryTest.java
index 691cb564e1a..7f514e96bda 100644
--- a/servers/zms/src/test/java/com/yahoo/athenz/zms/store/impl/JDBCObjectStoreFactoryTest.java
+++ b/servers/zms/src/test/java/com/yahoo/athenz/zms/store/impl/JDBCObjectStoreFactoryTest.java
@@ -37,7 +37,7 @@ public void testCreateWriteOnly() {
System.clearProperty(ZMSConsts.ZMS_PROP_JDBC_RO_PASSWORD);
PrivateKeyStore keyStore = Mockito.mock(PrivateKeyStore.class);
- Mockito.doReturn("password".toCharArray()).when(keyStore).getSecret("jdbc", "password");
+ Mockito.doReturn("password".toCharArray()).when(keyStore).getSecret("jdbc", null, "password");
JDBCObjectStoreFactory factory = new JDBCObjectStoreFactory();
ObjectStore store = factory.create(keyStore);
@@ -57,7 +57,7 @@ public void testCreateReadWrite() {
PrivateKeyStore keyStore = Mockito.mock(PrivateKeyStore.class);
char[] passwordMock = new char[]{'p','a','s','s','w','o','r','d'};
- Mockito.doReturn(passwordMock).when(keyStore).getSecret("jdbc", "password");
+ Mockito.doReturn(passwordMock).when(keyStore).getSecret("jdbc", null, "password");
JDBCObjectStoreFactory factory = new JDBCObjectStoreFactory();
ObjectStore store = factory.create(keyStore);
diff --git a/servers/zts/src/main/java/com/yahoo/athenz/zts/cert/impl/JDBCCertRecordStoreFactory.java b/servers/zts/src/main/java/com/yahoo/athenz/zts/cert/impl/JDBCCertRecordStoreFactory.java
index 83877c45542..de55c5a5159 100644
--- a/servers/zts/src/main/java/com/yahoo/athenz/zts/cert/impl/JDBCCertRecordStoreFactory.java
+++ b/servers/zts/src/main/java/com/yahoo/athenz/zts/cert/impl/JDBCCertRecordStoreFactory.java
@@ -38,7 +38,7 @@ public CertRecordStore create(PrivateKeyStore keyStore) {
Properties props = new Properties();
props.setProperty(ZTSConsts.DB_PROP_USER, jdbcUser);
- props.setProperty(ZTSConsts.DB_PROP_PASSWORD, String.valueOf(keyStore.getSecret(jdbcAppName, password)));
+ props.setProperty(ZTSConsts.DB_PROP_PASSWORD, String.valueOf(keyStore.getSecret(jdbcAppName, null, password)));
props.setProperty(ZTSConsts.DB_PROP_VERIFY_SERVER_CERT,
System.getProperty(ZTSConsts.ZTS_PROP_CERT_JDBC_VERIFY_SERVER_CERT, "false"));
props.setProperty(ZTSConsts.DB_PROP_USE_SSL,
diff --git a/servers/zts/src/main/java/com/yahoo/athenz/zts/cert/impl/JDBCSSHRecordStoreFactory.java b/servers/zts/src/main/java/com/yahoo/athenz/zts/cert/impl/JDBCSSHRecordStoreFactory.java
index 8f97e8e8f1e..0f897ef6249 100644
--- a/servers/zts/src/main/java/com/yahoo/athenz/zts/cert/impl/JDBCSSHRecordStoreFactory.java
+++ b/servers/zts/src/main/java/com/yahoo/athenz/zts/cert/impl/JDBCSSHRecordStoreFactory.java
@@ -38,7 +38,7 @@ public SSHRecordStore create(PrivateKeyStore keyStore) {
Properties props = new Properties();
props.setProperty(ZTSConsts.DB_PROP_USER, jdbcUser);
- props.setProperty(ZTSConsts.DB_PROP_PASSWORD, String.valueOf(keyStore.getSecret(jdbcAppName, password)));
+ props.setProperty(ZTSConsts.DB_PROP_PASSWORD, String.valueOf(keyStore.getSecret(jdbcAppName, null, password)));
props.setProperty(ZTSConsts.DB_PROP_VERIFY_SERVER_CERT,
System.getProperty(ZTSConsts.ZTS_PROP_SSH_JDBC_VERIFY_SERVER_CERT, "false"));
props.setProperty(ZTSConsts.DB_PROP_USE_SSL,
diff --git a/servers/zts/src/main/java/com/yahoo/athenz/zts/utils/ZTSUtils.java b/servers/zts/src/main/java/com/yahoo/athenz/zts/utils/ZTSUtils.java
index d0178f73412..83ec4436c29 100644
--- a/servers/zts/src/main/java/com/yahoo/athenz/zts/utils/ZTSUtils.java
+++ b/servers/zts/src/main/java/com/yahoo/athenz/zts/utils/ZTSUtils.java
@@ -150,7 +150,7 @@ static char[] getSecret(final PrivateKeyStore privateKeyStore,
if (privateKeyStore == null) {
return keyStorePassword.toCharArray();
}
- return privateKeyStore.getSecret(keyStorePasswordAppName, keyStorePassword);
+ return privateKeyStore.getSecret(keyStorePasswordAppName, null, keyStorePassword);
}
public static boolean emitMonmetricError(int errorCode, String caller,
diff --git a/servers/zts/src/main/java/com/yahoo/athenz/zts/workload/impl/JDBCWorkloadRecordStoreFactory.java b/servers/zts/src/main/java/com/yahoo/athenz/zts/workload/impl/JDBCWorkloadRecordStoreFactory.java
index 50596aee7cd..1e92a2cfb37 100644
--- a/servers/zts/src/main/java/com/yahoo/athenz/zts/workload/impl/JDBCWorkloadRecordStoreFactory.java
+++ b/servers/zts/src/main/java/com/yahoo/athenz/zts/workload/impl/JDBCWorkloadRecordStoreFactory.java
@@ -38,7 +38,7 @@ public WorkloadRecordStore create(PrivateKeyStore keyStore) {
Properties props = new Properties();
props.setProperty(ZTSConsts.DB_PROP_USER, jdbcUser);
- props.setProperty(ZTSConsts.DB_PROP_PASSWORD, String.valueOf(keyStore.getSecret(jdbcAppName, password)));
+ props.setProperty(ZTSConsts.DB_PROP_PASSWORD, String.valueOf(keyStore.getSecret(jdbcAppName, null, password)));
props.setProperty(ZTSConsts.DB_PROP_VERIFY_SERVER_CERT,
System.getProperty(ZTSConsts.ZTS_PROP_WORKLOAD_JDBC_VERIFY_SERVER_CERT, "false"));
props.setProperty(ZTSConsts.DB_PROP_USE_SSL,
diff --git a/servers/zts/src/test/java/com/yahoo/athenz/zts/cert/impl/DynamoDBCertRecordStoreFactoryTest.java b/servers/zts/src/test/java/com/yahoo/athenz/zts/cert/impl/DynamoDBCertRecordStoreFactoryTest.java
index abf1278818e..32fadd4e7e2 100644
--- a/servers/zts/src/test/java/com/yahoo/athenz/zts/cert/impl/DynamoDBCertRecordStoreFactoryTest.java
+++ b/servers/zts/src/test/java/com/yahoo/athenz/zts/cert/impl/DynamoDBCertRecordStoreFactoryTest.java
@@ -182,7 +182,7 @@ public void testGetDynamoDBClient() {
System.setProperty(ZTS_PROP_DYNAMODB_ZTS_URL, "test.ztsurl");
System.setProperty(ZTS_PROP_DYNAMODB_TRUSTSTORE_APPNAME, "test.appname");
PrivateKeyStore keyStore = Mockito.mock(PrivateKeyStore.class);
- when(keyStore.getSecret(Mockito.eq("test.appname"), Mockito.eq("test.truststore.password")))
+ when(keyStore.getSecret(Mockito.eq("test.appname"), Mockito.eq(null), Mockito.eq("test.truststore.password")))
.thenReturn("decryptedPassword".toCharArray());
DynamoDBCertRecordStoreFactory factory = new DynamoDBCertRecordStoreFactory();
diff --git a/servers/zts/src/test/java/com/yahoo/athenz/zts/cert/impl/DynamoDBSSHRecordStoreFactoryTest.java b/servers/zts/src/test/java/com/yahoo/athenz/zts/cert/impl/DynamoDBSSHRecordStoreFactoryTest.java
index d8917c30982..39059039bbb 100644
--- a/servers/zts/src/test/java/com/yahoo/athenz/zts/cert/impl/DynamoDBSSHRecordStoreFactoryTest.java
+++ b/servers/zts/src/test/java/com/yahoo/athenz/zts/cert/impl/DynamoDBSSHRecordStoreFactoryTest.java
@@ -115,7 +115,7 @@ public void testGetDynamoDBClient() {
System.setProperty(ZTS_PROP_DYNAMODB_ZTS_URL, "test.ztsurl");
System.setProperty(ZTS_PROP_DYNAMODB_TRUSTSTORE_APPNAME, "test.appname");
PrivateKeyStore keyStore = Mockito.mock(PrivateKeyStore.class);
- when(keyStore.getSecret(Mockito.eq("test.appname"), Mockito.eq("test.truststore.password")))
+ when(keyStore.getSecret(Mockito.eq("test.appname"), Mockito.eq(null), Mockito.eq("test.truststore.password")))
.thenReturn("decryptedPassword".toCharArray());
DynamoDBSSHRecordStoreFactory factory = new DynamoDBSSHRecordStoreFactory();
diff --git a/servers/zts/src/test/java/com/yahoo/athenz/zts/cert/impl/JDBCCertRecordStoreFactoryTest.java b/servers/zts/src/test/java/com/yahoo/athenz/zts/cert/impl/JDBCCertRecordStoreFactoryTest.java
index e15dda9a706..23f9e1aa6cf 100644
--- a/servers/zts/src/test/java/com/yahoo/athenz/zts/cert/impl/JDBCCertRecordStoreFactoryTest.java
+++ b/servers/zts/src/test/java/com/yahoo/athenz/zts/cert/impl/JDBCCertRecordStoreFactoryTest.java
@@ -34,7 +34,7 @@ public void testCreate() {
System.setProperty(ZTSConsts.ZTS_PROP_CERT_JDBC_PASSWORD, "password");
PrivateKeyStore keyStore = Mockito.mock(PrivateKeyStore.class);
- Mockito.doReturn("password".toCharArray()).when(keyStore).getSecret("jdbc", "password");
+ Mockito.doReturn("password".toCharArray()).when(keyStore).getSecret("jdbc", null, "password");
JDBCCertRecordStoreFactory factory = new JDBCCertRecordStoreFactory();
CertRecordStore store = factory.create(keyStore);
diff --git a/servers/zts/src/test/java/com/yahoo/athenz/zts/cert/impl/JDBCSSHRecordStoreFactoryTest.java b/servers/zts/src/test/java/com/yahoo/athenz/zts/cert/impl/JDBCSSHRecordStoreFactoryTest.java
index b92bf5b5e89..4d97c7ccef5 100644
--- a/servers/zts/src/test/java/com/yahoo/athenz/zts/cert/impl/JDBCSSHRecordStoreFactoryTest.java
+++ b/servers/zts/src/test/java/com/yahoo/athenz/zts/cert/impl/JDBCSSHRecordStoreFactoryTest.java
@@ -33,7 +33,7 @@ public void testCreate() {
System.setProperty(ZTSConsts.ZTS_PROP_SSH_JDBC_PASSWORD, "password");
PrivateKeyStore keyStore = Mockito.mock(PrivateKeyStore.class);
- Mockito.doReturn("password".toCharArray()).when(keyStore).getSecret("jdbc", "password");
+ Mockito.doReturn("password".toCharArray()).when(keyStore).getSecret("jdbc", null, "password");
JDBCSSHRecordStoreFactory factory = new JDBCSSHRecordStoreFactory();
SSHRecordStore store = factory.create(keyStore);
diff --git a/servers/zts/src/test/java/com/yahoo/athenz/zts/utils/ZTSUtilsTest.java b/servers/zts/src/test/java/com/yahoo/athenz/zts/utils/ZTSUtilsTest.java
index 4c79c4ddfa5..b889dac1ad3 100644
--- a/servers/zts/src/test/java/com/yahoo/athenz/zts/utils/ZTSUtilsTest.java
+++ b/servers/zts/src/test/java/com/yahoo/athenz/zts/utils/ZTSUtilsTest.java
@@ -322,10 +322,10 @@ public void testGetApplicationSecret() {
assertEquals(ZTSUtils.getApplicationSecret(null, "appname", "pass"), "pass");
PrivateKeyStore keyStore = Mockito.mock(PrivateKeyStore.class);
- Mockito.when(keyStore.getSecret(null, "pass")).thenReturn("app234".toCharArray());
+ Mockito.when(keyStore.getSecret(null, null, "pass")).thenReturn("app234".toCharArray());
assertEquals(ZTSUtils.getSecret(keyStore, null, "pass"), "app234".toCharArray());
- Mockito.when(keyStore.getSecret("appname", "passname")).thenReturn("app123".toCharArray());
+ Mockito.when(keyStore.getSecret("appname", null, "passname")).thenReturn("app123".toCharArray());
assertEquals(ZTSUtils.getSecret(keyStore, "appname", "passname"), "app123".toCharArray());
}
diff --git a/servers/zts/src/test/java/com/yahoo/athenz/zts/workload/impl/DynamoDBWorkloadRecordStoreFactoryTest.java b/servers/zts/src/test/java/com/yahoo/athenz/zts/workload/impl/DynamoDBWorkloadRecordStoreFactoryTest.java
index 68c17d7e0d5..88e3967beb9 100644
--- a/servers/zts/src/test/java/com/yahoo/athenz/zts/workload/impl/DynamoDBWorkloadRecordStoreFactoryTest.java
+++ b/servers/zts/src/test/java/com/yahoo/athenz/zts/workload/impl/DynamoDBWorkloadRecordStoreFactoryTest.java
@@ -178,7 +178,7 @@ public void testGetDynamoDBClient() {
System.setProperty(ZTS_PROP_DYNAMODB_ZTS_URL, "test.ztsurl");
System.setProperty(ZTS_PROP_DYNAMODB_TRUSTSTORE_APPNAME, "test.appname");
PrivateKeyStore keyStore = Mockito.mock(PrivateKeyStore.class);
- when(keyStore.getSecret(Mockito.eq("test.appname"), Mockito.eq("test.truststore.password")))
+ when(keyStore.getSecret(Mockito.eq("test.appname"), Mockito.eq(null), Mockito.eq("test.truststore.password")))
.thenReturn("decryptedPassword".toCharArray());
DynamoDBWorkloadRecordStoreFactory factory = new DynamoDBWorkloadRecordStoreFactory();
diff --git a/servers/zts/src/test/java/com/yahoo/athenz/zts/workload/impl/JDBCWorkloadRecordStoreFactoryTest.java b/servers/zts/src/test/java/com/yahoo/athenz/zts/workload/impl/JDBCWorkloadRecordStoreFactoryTest.java
index 1d706736489..49c4a8a24c5 100644
--- a/servers/zts/src/test/java/com/yahoo/athenz/zts/workload/impl/JDBCWorkloadRecordStoreFactoryTest.java
+++ b/servers/zts/src/test/java/com/yahoo/athenz/zts/workload/impl/JDBCWorkloadRecordStoreFactoryTest.java
@@ -33,7 +33,7 @@ public void testCreate() {
System.setProperty(ZTSConsts.ZTS_PROP_WORKLOAD_JDBC_PASSWORD, "password");
PrivateKeyStore keyStore = Mockito.mock(PrivateKeyStore.class);
- Mockito.doReturn("password".toCharArray()).when(keyStore).getSecret("jdbc", "password");
+ Mockito.doReturn("password".toCharArray()).when(keyStore).getSecret("jdbc", null, "password");
JDBCWorkloadRecordStoreFactory factory = new JDBCWorkloadRecordStoreFactory();
WorkloadRecordStore store = factory.create(keyStore);
From 2872b5a8ee6b6195c4b6f0dc796a583c80049ce9 Mon Sep 17 00:00:00 2001
From: Abhijeet V <31417623+abvaidya@users.noreply.github.com>
Date: Thu, 30 May 2024 14:14:29 -0700
Subject: [PATCH 3/4] include new athenz-server-k8s-common module in maven and
docker publish
Signed-off-by: Abhijeet V <31417623+abvaidya@users.noreply.github.com>
---
docker/util/athenz-builder/Dockerfile | 2 +-
docker/util/athenz-mvn-base/Dockerfile | 1 +
screwdriver/scripts/publish.sh | 1 +
3 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/docker/util/athenz-builder/Dockerfile b/docker/util/athenz-builder/Dockerfile
index c626cb7fa71..a9bad9f5f04 100644
--- a/docker/util/athenz-builder/Dockerfile
+++ b/docker/util/athenz-builder/Dockerfile
@@ -17,7 +17,7 @@ LABEL org.label-schema.vcs-ref=$VCS_REF
WORKDIR /athenz
COPY . .
-RUN mvn -B install -pl core/zms -pl core/zts -pl core/msd -pl libs/java/auth_core -pl libs/java/client_common -pl libs/java/server_common -pl libs/java/syncer_common -pl libs/java/dynamodb_client_factory -pl libs/java/instance_provider -pl libs/java/cert_refresher -pl clients/java/zms -pl servers/zms -pl clients/java/zts -pl servers/zts -pl containers/jetty -pl assembly/zms -pl assembly/zts -DskipTests -Djacoco.skip=true -DdockerBuild=true
+RUN mvn -B install -pl core/zms -pl core/zts -pl core/msd -pl libs/java/auth_core -pl libs/java/client_common -pl libs/java/server_common -pl libs/java/server_k8s_common -pl libs/java/syncer_common -pl libs/java/dynamodb_client_factory -pl libs/java/instance_provider -pl libs/java/cert_refresher -pl clients/java/zms -pl servers/zms -pl clients/java/zts -pl servers/zts -pl containers/jetty -pl assembly/zms -pl assembly/zts -DskipTests -Djacoco.skip=true -DdockerBuild=true
RUN mkdir -p /tmp/zms \
&& mkdir -p /tmp/zts \
diff --git a/docker/util/athenz-mvn-base/Dockerfile b/docker/util/athenz-mvn-base/Dockerfile
index 3bd63d83a07..265d6b34471 100644
--- a/docker/util/athenz-mvn-base/Dockerfile
+++ b/docker/util/athenz-mvn-base/Dockerfile
@@ -45,6 +45,7 @@ COPY ./core/zts/pom.xml ./core/zts/pom.xml
COPY ./libs/java/auth_core/pom.xml ./libs/java/auth_core/pom.xml
COPY ./libs/java/client_common/pom.xml ./libs/java/client_common/pom.xml
COPY ./libs/java/server_common/pom.xml ./libs/java/server_common/pom.xml
+COPY ./libs/java/server_k8s_common/pom.xml ./libs/java/server_k8s_common/pom.xml
COPY ./libs/java/syncer_common/pom.xml ./libs/java/syncer_common/pom.xml
COPY ./libs/java/dynamodb_client_factory/pom.xml ./libs/java/dynamodb_client_factory/pom.xml
COPY ./libs/java/instance_provider/pom.xml ./libs/java/instance_provider/pom.xml
diff --git a/screwdriver/scripts/publish.sh b/screwdriver/scripts/publish.sh
index a60cc4a18a8..4555e6d3547 100755
--- a/screwdriver/scripts/publish.sh
+++ b/screwdriver/scripts/publish.sh
@@ -47,6 +47,7 @@ deployProject "com.yahoo.athenz:athenz-zts-java-client"
deployProject "com.yahoo.athenz:athenz-zpe-java-client"
deployProject "com.yahoo.athenz:athenz-msd-java-client"
deployProject "com.yahoo.athenz:athenz-server-common"
+deployProject "com.yahoo.athenz:athenz-server-k8s-common"
deployProject "com.yahoo.athenz:athenz-instance-provider"
deployProject "com.yahoo.athenz:athenz-syncer-common"
deployProject "com.yahoo.athenz:athenz-gcp-zts-creds"
From 8118073d5f9ff46b2ca40687910cf16dac431781 Mon Sep 17 00:00:00 2001
From: Abhijeet V <31417623+abvaidya@users.noreply.github.com>
Date: Thu, 30 May 2024 23:01:31 -0700
Subject: [PATCH 4/4] allow setting keygroup name via system properties
Signed-off-by: Abhijeet V <31417623+abvaidya@users.noreply.github.com>
---
.../java/com/yahoo/athenz/zms/ZMSClient.java | 11 ++-
.../java/com/yahoo/athenz/zts/ZTSClient.java | 15 ++++
.../com/yahoo/athenz/zts/ZTSClientTest.java | 80 ++++++++++++------
.../java/zts/src/test/resources/unit.cert.pem | 16 ++++
clients/java/zts/src/test/resources/unit.jks | Bin 0 -> 933 bytes
.../java/zts/src/test/resources/unit.key.pem | 8 ++
clients/java/zts/src/test/resources/unit.p12 | Bin 0 -> 1385 bytes
.../yahoo/athenz/container/AthenzConsts.java | 5 ++
.../container/AthenzJettyContainer.java | 9 +-
.../yahoo/athenz/common/utils/SSLUtils.java | 31 +++++--
.../athenz/common/utils/SSLUtilsTest.java | 21 ++++-
.../dynamodb/DynamoDBClientFetcherImpl.java | 3 +-
.../db/dynamodb/DynamoDBClientSettings.java | 7 +-
.../DynamoDBClientFetcherImplTest.java | 6 +-
.../dynamodb/DynamoDBClientSettingsTest.java | 5 +-
.../impl/ZMSFileChangeLogStoreFactory.java | 10 ++-
.../java/com/yahoo/athenz/zms/ZMSConsts.java | 2 +
.../zms/provider/ServiceProviderClient.java | 3 +-
.../store/impl/JDBCObjectStoreFactory.java | 5 +-
.../impl/JDBCObjectStoreFactoryTest.java | 11 ++-
.../java/com/yahoo/athenz/zts/ZTSConsts.java | 44 ++++++----
.../cert/impl/JDBCCertRecordStoreFactory.java | 3 +-
.../cert/impl/JDBCSSHRecordStoreFactory.java | 3 +-
.../ZTSDynamoDBClientSettingsFactory.java | 4 +-
.../com/yahoo/athenz/zts/utils/ZTSUtils.java | 62 ++++++++------
.../impl/JDBCWorkloadRecordStoreFactory.java | 3 +-
.../impl/JDBCCertRecordStoreFactoryTest.java | 2 +-
.../impl/JDBCSSHRecordStoreFactoryTest.java | 2 +-
.../yahoo/athenz/zts/utils/ZTSUtilsTest.java | 6 +-
.../JDBCWorkloadRecordStoreFactoryTest.java | 5 +-
.../auth/history/AuthHistorySyncerConsts.java | 29 ++++---
.../DynamoDBAuthHistorySenderFactory.java | 3 +-
32 files changed, 289 insertions(+), 125 deletions(-)
create mode 100644 clients/java/zts/src/test/resources/unit.cert.pem
create mode 100644 clients/java/zts/src/test/resources/unit.jks
create mode 100644 clients/java/zts/src/test/resources/unit.key.pem
create mode 100644 clients/java/zts/src/test/resources/unit.p12
diff --git a/clients/java/zms/src/main/java/com/yahoo/athenz/zms/ZMSClient.java b/clients/java/zms/src/main/java/com/yahoo/athenz/zms/ZMSClient.java
index 40359d567da..998e81b7c7b 100644
--- a/clients/java/zms/src/main/java/com/yahoo/athenz/zms/ZMSClient.java
+++ b/clients/java/zms/src/main/java/com/yahoo/athenz/zms/ZMSClient.java
@@ -76,14 +76,17 @@ public class ZMSClient implements Closeable {
public static final String ZMS_CLIENT_PROP_KEYSTORE_TYPE = "athenz.zms.client.keystore_type";
public static final String ZMS_CLIENT_PROP_KEYSTORE_PASSWORD = "athenz.zms.client.keystore_password";
public static final String ZMS_CLIENT_PROP_KEYSTORE_PWD_APP_NAME = "athenz.zms.client.keystore_pwd_app_name";
+ public static final String ZMS_CLIENT_PROP_KEYSTORE_PWD_KEYGROUP_NAME = "athenz.zms.client.keystore_pwd_keygroup_name";
public static final String ZMS_CLIENT_PROP_KEY_MANAGER_PASSWORD = "athenz.zms.client.keymanager_password";
public static final String ZMS_CLIENT_PROP_KEY_MANAGER_PWD_APP_NAME = "athenz.zms.client.keymanager_pwd_app_name";
+ public static final String ZMS_CLIENT_PROP_KEY_MANAGER_PWD_KEYGROUP_NAME = "athenz.zms.client.keymanager_pwd_keygroup_name";
public static final String ZMS_CLIENT_PROP_TRUSTSTORE_PATH = "athenz.zms.client.truststore_path";
public static final String ZMS_CLIENT_PROP_TRUSTSTORE_TYPE = "athenz.zms.client.truststore_type";
public static final String ZMS_CLIENT_PROP_TRUSTSTORE_PASSWORD = "athenz.zms.client.truststore_password";
public static final String ZMS_CLIENT_PROP_TRUSTSTORE_PWD_APP_NAME = "athenz.zms.client.truststore_pwd_app_name";
+ public static final String ZMS_CLIENT_PROP_TRUSTSTORE_PWD_KEYGROUP_NAME = "athenz.zms.client.truststore_pwd_keygroup_name";
public static final String ZMS_CLIENT_PROP_PRIVATE_KEY_STORE_FACTORY_CLASS = "athenz.zms.client.private_keystore_factory_class";
public static final String ZMS_CLIENT_PROP_CLIENT_PROTOCOL = "athenz.zms.client.client_ssl_protocol";
@@ -421,12 +424,14 @@ SSLContext createSSLContext() {
keyStorePassword = keyStorePwd.toCharArray();
}
String keyStorePasswordAppName = System.getProperty(ZMS_CLIENT_PROP_KEYSTORE_PWD_APP_NAME);
+ String keyStorePasswordKeygroupName = System.getProperty(ZMS_CLIENT_PROP_KEYSTORE_PWD_KEYGROUP_NAME);
char[] keyManagerPassword = null;
String keyManagerPwd = System.getProperty(ZMS_CLIENT_PROP_KEY_MANAGER_PASSWORD);
if (null != keyManagerPwd && !keyManagerPwd.isEmpty()) {
keyManagerPassword = keyManagerPwd.toCharArray();
}
String keyManagerPasswordAppName = System.getProperty(ZMS_CLIENT_PROP_KEY_MANAGER_PWD_APP_NAME);
+ String keyManagerPasswordKeygroupName = System.getProperty(ZMS_CLIENT_PROP_KEY_MANAGER_PWD_KEYGROUP_NAME);
// truststore
String trustStorePath = System.getProperty(ZMS_CLIENT_PROP_TRUSTSTORE_PATH);
@@ -437,6 +442,7 @@ SSLContext createSSLContext() {
trustStorePassword = trustStorePwd.toCharArray();
}
String trustStorePasswordAppName = System.getProperty(ZMS_CLIENT_PROP_TRUSTSTORE_PWD_APP_NAME);
+ String trustStorePasswordKeygroupName = System.getProperty(ZMS_CLIENT_PROP_TRUSTSTORE_PWD_KEYGROUP_NAME);
// alias and protocol details
String certAlias = System.getProperty(ZMS_CLIENT_PROP_CERT_ALIAS);
@@ -453,9 +459,11 @@ SSLContext createSSLContext() {
}
builder.keyStorePassword(keyStorePassword);
builder.keyStorePasswordAppName(keyStorePasswordAppName);
- builder.keyManagerPassword(keyManagerPassword);
+ builder.keyStorePasswordKeygroupName(keyStorePasswordKeygroupName);
+ builder.keyManagerPassword(keyManagerPassword);
builder.keyManagerPasswordAppName(keyManagerPasswordAppName);
+ builder.keyManagerPasswordKeygroupName(keyManagerPasswordKeygroupName);
builder.trustStorePath(trustStorePath);
if (null != trustStoreType && !trustStoreType.isEmpty()) {
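Review bot: The `builder.keyManagerPassword(keyManagerPassword);` line is removed and then re-added unchanged two lines later, which looks like a whitespace-only re-indentation rather than a code change; dropping that `-`/`+` pair keeps the hunk to the two new `...KeygroupName` setter calls. If a different indentation was intended, presumably it should match the neighbouring `builder.` lines so the diff carries no noise. `createSSLContext` starts and ends outside this hunk.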
@@ -463,6 +471,7 @@ SSLContext createSSLContext() {
}
builder.trustStorePassword(trustStorePassword);
builder.trustStorePasswordAppName(trustStorePasswordAppName);
+ builder.trustStorePasswordKeygroupName(trustStorePasswordKeygroupName);
return builder.build();
}
diff --git a/clients/java/zts/src/main/java/com/yahoo/athenz/zts/ZTSClient.java b/clients/java/zts/src/main/java/com/yahoo/athenz/zts/ZTSClient.java
index 19df268b84e..f13b58fabe5 100644
--- a/clients/java/zts/src/main/java/com/yahoo/athenz/zts/ZTSClient.java
+++ b/clients/java/zts/src/main/java/com/yahoo/athenz/zts/ZTSClient.java
@@ -140,14 +140,17 @@ public class ZTSClient implements Closeable {
public static final String ZTS_CLIENT_PROP_KEYSTORE_TYPE = "athenz.zts.client.keystore_type";
public static final String ZTS_CLIENT_PROP_KEYSTORE_PASSWORD = "athenz.zts.client.keystore_password";
public static final String ZTS_CLIENT_PROP_KEYSTORE_PWD_APP_NAME = "athenz.zts.client.keystore_pwd_app_name";
+ public static final String ZTS_CLIENT_PROP_KEYSTORE_PWD_KEYGROUP_NAME = "athenz.zts.client.keystore_pwd_keygroup_name";
public static final String ZTS_CLIENT_PROP_KEY_MANAGER_PASSWORD = "athenz.zts.client.keymanager_password";
public static final String ZTS_CLIENT_PROP_KEY_MANAGER_PWD_APP_NAME = "athenz.zts.client.keymanager_pwd_app_name";
+ public static final String ZTS_CLIENT_PROP_KEY_MANAGER_PWD_KEYGROUP_NAME = "athenz.zts.client.keymanager_pwd_keygroup_name";
public static final String ZTS_CLIENT_PROP_TRUSTSTORE_PATH = "athenz.zts.client.truststore_path";
public static final String ZTS_CLIENT_PROP_TRUSTSTORE_TYPE = "athenz.zts.client.truststore_type";
public static final String ZTS_CLIENT_PROP_TRUSTSTORE_PASSWORD = "athenz.zts.client.truststore_password";
public static final String ZTS_CLIENT_PROP_TRUSTSTORE_PWD_APP_NAME = "athenz.zts.client.truststore_pwd_app_name";
+ public static final String ZTS_CLIENT_PROP_TRUSTSTORE_PWD_KEYGROUP_NAME = "athenz.zts.client.truststore_pwd_keygroup_name";
public static final String ZTS_CLIENT_PROP_POOL_MAX_PER_ROUTE = "athenz.zts.client.http_pool_max_per_route";
public static final String ZTS_CLIENT_PROP_POOL_MAX_TOTAL = "athenz.zts.client.http_pool_max_total";
@@ -650,12 +653,14 @@ private SSLContext createSSLContext() {
keyStorePassword = keyStorePwd.toCharArray();
}
String keyStorePasswordAppName = System.getProperty(ZTS_CLIENT_PROP_KEYSTORE_PWD_APP_NAME);
+ String keyStorePasswordKeygroupName = System.getProperty(ZTS_CLIENT_PROP_KEYSTORE_PWD_KEYGROUP_NAME);
char[] keyManagerPassword = null;
String keyManagerPwd = System.getProperty(ZTS_CLIENT_PROP_KEY_MANAGER_PASSWORD);
if (!isEmpty(keyManagerPwd)) {
keyManagerPassword = keyManagerPwd.toCharArray();
}
String keyManagerPasswordAppName = System.getProperty(ZTS_CLIENT_PROP_KEY_MANAGER_PWD_APP_NAME);
+ String keyManagerPasswordKeygroupName = System.getProperty(ZTS_CLIENT_PROP_KEY_MANAGER_PWD_KEYGROUP_NAME);
// truststore
String trustStorePath = System.getProperty(ZTS_CLIENT_PROP_TRUSTSTORE_PATH);
@@ -666,6 +671,7 @@ private SSLContext createSSLContext() {
trustStorePassword = trustStorePwd.toCharArray();
}
String trustStorePasswordAppName = System.getProperty(ZTS_CLIENT_PROP_TRUSTSTORE_PWD_APP_NAME);
+ String trustStorePasswordKeygroupName = System.getProperty(ZTS_CLIENT_PROP_TRUSTSTORE_PWD_KEYGROUP_NAME);
// alias and protocol details
String certAlias = System.getProperty(ZTS_CLIENT_PROP_CERT_ALIAS);
@@ -687,12 +693,18 @@ private SSLContext createSSLContext() {
if (null != keyStorePasswordAppName) {
builder.keyStorePasswordAppName(keyStorePasswordAppName);
}
+ if (null != keyStorePasswordKeygroupName) {
+ builder.keyStorePasswordKeygroupName(keyStorePasswordKeygroupName);
+ }
if (null != keyManagerPassword) {
builder.keyManagerPassword(keyManagerPassword);
}
if (null != keyManagerPasswordAppName) {
builder.keyManagerPasswordAppName(keyManagerPasswordAppName);
}
+ if (null != keyManagerPasswordKeygroupName) {
+ builder.keyManagerPasswordKeygroupName(keyManagerPasswordKeygroupName);
+ }
if (!isEmpty(trustStorePath)) {
builder.trustStorePath(trustStorePath);
}
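Review bot: The new keygroup guards test only for null, so an empty `-D...keygroup_name=` value is forwarded to the builder as `""` rather than treated as unset, whereas the password values in this method are normalised with `isEmpty` (the `keyManagerPwd` check in the hunk above, `trustStorePath` here); `if (!isEmpty(keyStorePasswordKeygroupName))` and `if (!isEmpty(keyManagerPasswordKeygroupName))` would make the three settings consistent, and the truststore guard in the next hunk has the same shape. The existing `...AppName` guards use the null-only test too, so this follows local precedent, and whether the builder or the key store treats `""` as "no keygroup" is not visible in this diff. `createSSLContext` starts and ends outside the hunk.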
@@ -705,6 +717,9 @@ private SSLContext createSSLContext() {
if (null != trustStorePasswordAppName) {
builder.trustStorePasswordAppName(trustStorePasswordAppName);
}
+ if (null != trustStorePasswordKeygroupName) {
+ builder.trustStorePasswordKeygroupName(trustStorePasswordKeygroupName);
+ }
return builder.build();
}
diff --git a/clients/java/zts/src/test/java/com/yahoo/athenz/zts/ZTSClientTest.java b/clients/java/zts/src/test/java/com/yahoo/athenz/zts/ZTSClientTest.java
index 7edc61d5aa0..152c59de9dc 100644
--- a/clients/java/zts/src/test/java/com/yahoo/athenz/zts/ZTSClientTest.java
+++ b/clients/java/zts/src/test/java/com/yahoo/athenz/zts/ZTSClientTest.java
@@ -19,6 +19,7 @@
import static com.yahoo.athenz.zts.AccessTokenTestFileHelper.setupTokenFile;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.ArgumentMatchers.anyString;
+import static org.mockito.Mockito.when;
import static org.testng.Assert.assertEquals;
import static org.testng.Assert.assertFalse;
import static org.testng.Assert.assertNotEquals;
@@ -39,17 +40,15 @@
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.Paths;
-import java.security.PrivateKey;
-import java.security.PublicKey;
+import java.security.*;
import java.security.cert.*;
+import java.security.cert.Certificate;
import java.util.*;
-import javax.net.ssl.HostnameVerifier;
-import javax.net.ssl.SSLContext;
-import javax.net.ssl.SSLPeerUnverifiedException;
-import javax.net.ssl.SSLSession;
+import javax.net.ssl.*;
import org.mockito.ArgumentCaptor;
+import org.mockito.MockedStatic;
import org.mockito.Mockito;
import org.testng.annotations.AfterMethod;
import org.testng.annotations.BeforeClass;
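Review bot: The explicit `import java.security.cert.Certificate;` added here is only needed because `java.security.*` now also pulls in the deprecated `java.security.Certificate`, which would otherwise be ambiguous with the existing `java.security.cert.*`. The same applies to `javax.net.ssl.*`, which replaces four explicit imports to bring in two new names. Importing only what the new test uses (`java.security.KeyStore`, `KeyStoreException`, `NoSuchAlgorithmException`, `javax.net.ssl.KeyManager`, `KeyManagerFactory`) keeps the file's previous explicit-import style and removes the need for the disambiguating import.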
@@ -548,7 +547,7 @@ public void testUpdateServicePrincipal() {
@Test
public void testUpdateServicePrincipalException() {
ServiceIdentityProvider siaProvider = Mockito.mock(ServiceIdentityProvider.class);
- Mockito.when(siaProvider.getIdentity(Mockito.eq("iaas.athenz"),
+ when(siaProvider.getIdentity(Mockito.eq("iaas.athenz"),
Mockito.eq("ci"))).thenThrow(IllegalArgumentException.class);
ZTSClient client = new ZTSClient("http://localhost:4080/",
@@ -783,7 +782,7 @@ public void testGetRoleTokenWithSiaProvider() {
// the sia provider instead of principal given
SimpleServiceIdentityProvider siaProvider = Mockito.mock(SimpleServiceIdentityProvider.class);
- Mockito.when(siaProvider.getIdentity("user_domain", "user")).thenReturn(principal);
+ when(siaProvider.getIdentity("user_domain", "user")).thenReturn(principal);
ZTSClient client2 = new ZTSClient("http://localhost:4080", "user_domain", "user", siaProvider);
client2.setZTSRDLGeneratedClient(ztsClientMock);
@@ -814,7 +813,7 @@ public void testPrefetchRoleTokenShouldNotCallServer() throws Exception {
"auth_creds", PRINCIPAL_AUTHORITY);
ServiceIdentityProvider siaProvider = Mockito.mock(ServiceIdentityProvider.class);
- Mockito.when(siaProvider.getIdentity(any(),
+ when(siaProvider.getIdentity(any(),
any())).thenReturn(principal);
ZTSClient client = new ZTSClient("http://localhost:4080/", "user_domain",
@@ -913,7 +912,7 @@ public void testPrefetchRoleTokenWithUserDataShouldNotCallServer() throws Except
final Principal principal = SimplePrincipal.create("user_domain", "user", "auth_creds", PRINCIPAL_AUTHORITY);
ServiceIdentityProvider siaProvider = Mockito.mock(ServiceIdentityProvider.class);
- Mockito.when(siaProvider.getIdentity(any(),
+ when(siaProvider.getIdentity(any(),
any())).thenReturn(principal);
ZTSClient client = new ZTSClient("http://localhost:4080/", "user_domain",
@@ -1026,7 +1025,7 @@ public void testPrefetchAwsCredShouldNotCallServer() throws Exception {
"auth_creds", PRINCIPAL_AUTHORITY);
ServiceIdentityProvider siaProvider = Mockito.mock(ServiceIdentityProvider.class);
- Mockito.when(siaProvider.getIdentity(any(),
+ when(siaProvider.getIdentity(any(),
any())).thenReturn(principal);
ZTSClient client = new ZTSClient("http://localhost:4080/", "user_domain",
@@ -1150,7 +1149,7 @@ public void testPrefetchShouldNotCallServer() throws Exception {
"auth_creds", PRINCIPAL_AUTHORITY);
ServiceIdentityProvider siaProvider = Mockito.mock(ServiceIdentityProvider.class);
- Mockito.when(siaProvider.getIdentity(any(),
+ when(siaProvider.getIdentity(any(),
any())).thenReturn(principal);
ZTSClient client = new ZTSClient("http://localhost:4080/", "user_domain",
@@ -1294,7 +1293,7 @@ public void testPrefetchRoleTokenShouldCallServer() throws Exception {
"auth_creds", PRINCIPAL_AUTHORITY);
ServiceIdentityProvider siaProvider = Mockito.mock(ServiceIdentityProvider.class);
- Mockito.when(siaProvider.getIdentity(any(),
+ when(siaProvider.getIdentity(any(),
any())).thenReturn(principal);
ZTSClient client = new ZTSClient("http://localhost:4080/", "user_domain",
@@ -1388,7 +1387,7 @@ public void testPrefetchAwsCredShouldCallServerNoNotification() throws Exception
"auth_creds", PRINCIPAL_AUTHORITY);
ServiceIdentityProvider siaProvider = Mockito.mock(ServiceIdentityProvider.class);
- Mockito.when(siaProvider.getIdentity(any(),
+ when(siaProvider.getIdentity(any(),
any())).thenReturn(principal);
ZTSClientNotificationSender notificationSender = Mockito.mock(ZTSClientNotificationSender.class);
@@ -1504,7 +1503,7 @@ public void testPrefetchAwsCredShouldSendNotifications() throws Exception {
"auth_creds", PRINCIPAL_AUTHORITY);
ServiceIdentityProvider siaProvider = Mockito.mock(ServiceIdentityProvider.class);
- Mockito.when(siaProvider.getIdentity(any(),
+ when(siaProvider.getIdentity(any(),
any())).thenReturn(principal);
ZTSClientNotificationSender notificationSender = Mockito.mock(ZTSClientNotificationSender.class);
@@ -1591,7 +1590,7 @@ public void testPrefetchShouldCallServer() throws Exception {
"auth_creds", PRINCIPAL_AUTHORITY);
ServiceIdentityProvider siaProvider = Mockito.mock(ServiceIdentityProvider.class);
- Mockito.when(siaProvider.getIdentity(any(),
+ when(siaProvider.getIdentity(any(),
any())).thenReturn(principal);
ZTSClient client = new ZTSClient("http://localhost:4080/", "user_domain",
@@ -2243,7 +2242,7 @@ public void testHostnamVerifierDnsMatchStandard() throws SSLPeerUnverifiedExcept
Certificate[] certs1 = new Certificate[1];
X509Certificate cert1 = Mockito.mock(X509Certificate.class);
- Mockito.when(cert1.getSubjectAlternativeNames()).thenReturn(altNames1);
+ when(cert1.getSubjectAlternativeNames()).thenReturn(altNames1);
certs1[0] = cert1;
ArrayList> altNames2 = new ArrayList<>();
@@ -2259,10 +2258,10 @@ public void testHostnamVerifierDnsMatchStandard() throws SSLPeerUnverifiedExcept
Certificate[] certs2 = new Certificate[1];
X509Certificate cert2 = Mockito.mock(X509Certificate.class);
- Mockito.when(cert2.getSubjectAlternativeNames()).thenReturn(altNames2);
+ when(cert2.getSubjectAlternativeNames()).thenReturn(altNames2);
certs2[0] = cert2;
- Mockito.when(session.getPeerCertificates()).thenReturn(certs1).thenReturn(certs2);
+ when(session.getPeerCertificates()).thenReturn(certs1).thenReturn(certs2);
assertTrue(hostnameVerifier.verify("host1", session));
assertFalse(hostnameVerifier.verify("host1", session));
@@ -2612,7 +2611,7 @@ public void testHostNameVerifierVerifyCertNull() throws SSLPeerUnverifiedExcepti
ZTSClient.AWSHostNameVerifier hostnameVerifier = new ZTSClient.AWSHostNameVerifier("host1");
SSLSession session = Mockito.mock(SSLSession.class);
- Mockito.when(session.getPeerCertificates()).thenReturn(null);
+ when(session.getPeerCertificates()).thenReturn(null);
assertFalse(hostnameVerifier.verify("host1", session));
@@ -2664,7 +2663,7 @@ public void testHostNameVerifierVerifyCert() throws CertificateException, IOExce
certs[0] = cert;
SSLSession session = Mockito.mock(SSLSession.class);
- Mockito.when(session.getPeerCertificates()).thenReturn(certs);
+ when(session.getPeerCertificates()).thenReturn(certs);
assertFalse(hostnameVerifier.verify("unknown", session));
client.close();
@@ -3545,7 +3544,7 @@ public void testPrefetchAccessTokenShouldNotCallServer() throws Exception {
"auth_creds", PRINCIPAL_AUTHORITY);
ServiceIdentityProvider siaProvider = Mockito.mock(ServiceIdentityProvider.class);
- Mockito.when(siaProvider.getIdentity(any(),
+ when(siaProvider.getIdentity(any(),
any())).thenReturn(principal);
ZTSClient client = new ZTSClient("http://localhost:4080/", "user_domain",
@@ -3683,7 +3682,7 @@ public void testGetInfo() throws IOException, URISyntaxException {
.setImplementationTitle("title")
.setImplementationVendor("vendor")
.setImplementationVersion("version");
- Mockito.when(c.getInfo()).thenReturn(info)
+ when(c.getInfo()).thenReturn(info)
.thenThrow(new ZTSClientException(401, "fail"))
.thenThrow(new IllegalArgumentException("other-error"));
@@ -4004,7 +4003,7 @@ public void testPrefetchIdTokenShouldNotCallServer() throws Exception {
"auth_creds", PRINCIPAL_AUTHORITY);
ServiceIdentityProvider siaProvider = Mockito.mock(ServiceIdentityProvider.class);
- Mockito.when(siaProvider.getIdentity(any(),
+ when(siaProvider.getIdentity(any(),
any())).thenReturn(principal);
ZTSClient client = new ZTSClient("http://localhost:4080/", "user_domain",
@@ -4083,7 +4082,7 @@ public void testPostExternalCredentialsRequest() throws IOException, URISyntaxEx
.setClientId("athenz.api")
.setExpiryTime(3600);
ExternalCredentialsResponse response = new ExternalCredentialsResponse();
- Mockito.when(c.postExternalCredentialsRequest(anyString(), anyString(), any()))
+ when(c.postExternalCredentialsRequest(anyString(), anyString(), any()))
.thenReturn(response)
.thenThrow(new ZTSClientException(401, "fail"))
.thenThrow(new IllegalArgumentException("other-error"));
@@ -4222,4 +4221,35 @@ public void testGetExceptionCode() {
client.close();
}
+
+ @Test
+ public void testZTSClientSslContext() {
+ System.setProperty(ZTSClient.ZTS_CLIENT_PROP_KEY_MANAGER_PWD_KEYGROUP_NAME, "athenz");
+ System.setProperty(ZTSClient.ZTS_CLIENT_PROP_KEYSTORE_PWD_KEYGROUP_NAME, "athenz");
+ System.setProperty(ZTSClient.ZTS_CLIENT_PROP_TRUSTSTORE_PWD_KEYGROUP_NAME, "athenz");
+ System.setProperty(ZTSClient.ZTS_CLIENT_PROP_KEYSTORE_PASSWORD, "changeit");
+ System.setProperty(ZTSClient.ZTS_CLIENT_PROP_KEY_MANAGER_PASSWORD, "changeit");
+ System.setProperty(ZTSClient.ZTS_CLIENT_PROP_KEYSTORE_PATH, "src/test/resources/unit.jks");
+ try (MockedStatic keyStoreMockedStatic = Mockito.mockStatic(KeyStore.class);
+ MockedStatic keyManagerFactoryMockedStatic = Mockito.mockStatic(KeyManagerFactory.class)) {
+ KeyStore ksMock = Mockito.mock(KeyStore.class);
+ when(KeyStore.getInstance(any())).thenReturn(ksMock);
+ KeyManager kmMock = Mockito.mock(KeyManager.class);
+ KeyManagerFactory kmf = Mockito.mock(KeyManagerFactory.class);
+ when(kmf.getInstance(any())).thenReturn(kmf);
+ when(kmf.getKeyManagers()).thenReturn(new KeyManager[]{kmMock});
+
+ ZTSClient client = new ZTSClient();
+ client.close();
+ } catch (KeyStoreException | NoSuchAlgorithmException ignored) {
+ fail();
+ } finally {
+ System.clearProperty(ZTSClient.ZTS_CLIENT_PROP_KEY_MANAGER_PWD_KEYGROUP_NAME);
+ System.clearProperty(ZTSClient.ZTS_CLIENT_PROP_KEYSTORE_PWD_KEYGROUP_NAME);
+ System.clearProperty(ZTSClient.ZTS_CLIENT_PROP_TRUSTSTORE_PWD_KEYGROUP_NAME);
+ System.clearProperty(ZTSClient.ZTS_CLIENT_PROP_KEYSTORE_PASSWORD);
+ System.clearProperty(ZTSClient.ZTS_CLIENT_PROP_KEY_MANAGER_PASSWORD);
+ System.clearProperty(ZTSClient.ZTS_CLIENT_PROP_KEYSTORE_PATH);
+ }
+ }
}
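Review bot: testZTSClientSslContext never asserts anything about the SSL context it configures — it constructs and closes a ZTSClient, so a regression in the new keygroup wiring passes as long as no exception escapes. The catch block names the exception `ignored` and then calls a bare `fail()`, which throws away the cause; `fail("SSL context setup failed: " + ex.getMessage(), ex)` keeps the diagnostics. Nothing checks that the stubs were consumed either, so consider at least `keyStoreMockedStatic.verify(() -> KeyStore.getInstance(any()));` after the client is built, and, if ZTSClient exposes the resulting context, an assertion on it. Minor: `kmf.getInstance(any())` invokes a static method through an instance reference; `KeyManagerFactory.getInstance(any())` makes clear what is being stubbed inside the MockedStatic scope.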
diff --git a/clients/java/zts/src/test/resources/unit.cert.pem b/clients/java/zts/src/test/resources/unit.cert.pem
new file mode 100644
index 00000000000..13c892a9159
--- /dev/null
+++ b/clients/java/zts/src/test/resources/unit.cert.pem
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/clients/java/zts/src/test/resources/unit.jks b/clients/java/zts/src/test/resources/unit.jks
new file mode 100644
index 0000000000000000000000000000000000000000..64fee8848e0848dbbba566da34b23156c3fae7b5
GIT binary patch
literal 933
zcmezO_TO6u1_mY|W&~rF(!9(PAgBLKX6jL($O(hSqXv9zT-t1mER0%Af{cu;3@nYC
z*d;3UW?3>{+5L7&(IdtB74QGo{Xg-yJv6g%)`zxj=1Z@=d!16XD?eEIpo+0JtqQ
zy}Fw7ak|*aI_}2M`)8&YZ2#paaVkIh^`UZ|*}i|cz`kRR&@(l#1p0S|K@-yyAeLId
z%*4pVB%;G9v^9M1)BL3-s_U8NN6i1fZZD?+7aNCGo5wj@7G@>`KSOQg>Wc&f@K
zhIDRF+sCD25Drox$P!@S*M#DuCQh)&GV+T{+F9y>X|`Pe7|FJveqD}$yXA5GpCjkyzTJ!*{mdB*2B}O28Qmqz
zr)z$7PU=-QJL~z+G2z(``DG?PKCQB0;miL!Gb-j~>vCtsKh8G6MZ
zZaeX1W7UtZ?4j$ob(tG{ihMtR<;mCe+%2d1mz@lMsQzUC#V(Izj%)uoG|Q*>Zpz}E
V%eG}=pSx?yJgMM-kot``gaN#MHk<$e
literal 0
HcmV?d00001
diff --git a/clients/java/zts/src/test/resources/unit.key.pem b/clients/java/zts/src/test/resources/unit.key.pem
new file mode 100644
index 00000000000..484e2d3cba4
--- /dev/null
+++ b/clients/java/zts/src/test/resources/unit.key.pem
@@ -0,0 +1,8 @@
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIE/VlPZw8q+/Hk3vPnSDruIE00/TLt9E1OU3Hp5ZVs0loAoGCCqGSM49
+AwEHoUQDQgAEPCKCQuESh8qhoKqHH0zfEYkZW4eolAsJvwgq5wNRGd8Hfk+VW+yz
+siIHDVLCK7xbkLSWMvJUULGs3IYGWpGOzA==
+-----END EC PRIVATE KEY-----
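Review bot: This commits an EC private key in plain PEM with nothing marking it as disposable test material; it is presumably the key behind unit.cert.pem and the unit.jks/unit.p12 stores added alongside it, but the change does not say so. Secret scanners will flag this file, and a future reader cannot tell whether it was ever used for a real identity. A short note in the test resources (for example a README line stating that the unit.* fixtures are self-signed, test-only, and must never be loaded by a deployed configuration) would settle both concerns.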
diff --git a/clients/java/zts/src/test/resources/unit.p12 b/clients/java/zts/src/test/resources/unit.p12
new file mode 100644
index 0000000000000000000000000000000000000000..831ffd9e4b9d50d7bb16093a7abddc13b73f608e
GIT binary patch
literal 1385
zcmXqLVohaYWHxAGm1g7AYV&CO&dbQoxS)xZhoy;?11QX5(8N3oA;q?!iMbmn)Xv1n
z0HhiaGK>cCa1JZ4L6CtVg3Du|!Xm)awm9hfl1BbD?&1nZ-sj;T-|uobh;+j>C~n-^V#nTFKZ2X
za55_JkYDMnexEXPmd;i2N8)_ywl8d)sdFjBN$c|7YkMzk{o5L!{ETn;Y8BrsBS)>7
zyD|lSeB)XDROUwGK}O?}Sz8P4sC`iX;Ud4)hv)0@(79hD8D=gmpO;o~eXp$Q
z={F4;e~!;Qclh7tX?~IaGbc*yFU!}BR{3#^WxvQ}pDDqN`TPQFT4TAqwyK%Fdh_P5
z>pjh5e~PjvEOb}Qw-GrQ(lu>He@*h9Bi%CJcdsg8@0h$iDLT()xtyUeTc4wuv(oOg
zo{z7dJ3al()XQ49T9Vf>FJ!9g(Pf%JY-^fDoBK5Q`ZxY`*p(oqJ!jIJ#mt)@PN{U4
zUYWPLq?hU7A3H0NBzd!dw93uY-xouBxmCu^BbLGILDi!^_WE8T25@;rNK{mc#O
z;wQD(L#C7!M6LGAXG*s2yqHq3RlMumCa0=-x*PQ$UduYi=k)W%`x}95s&5*_)sFs3
zek!V>;LEZ}sm$Wi%DcVu)|?F~`?<3F&ihb-ol}}77&|-;m^kVxb?^}g$cP6
z=Cp|f*v&WP}@c|v*qeywi%u6d05$!@E@I8*|qP!
z-dt>%(2}{hw6|zB*PGqTe}6t~n4G#YW^KmdcWZL{{0y2Hli>LblyMn@S(+IAfx_NE
z?9Rpw&C@(wj7$p}zZ*1uA(TxwJh~)*Vdue1Q)lNYS4Fj6BbZGq|7?D3+0p7h)9Jx}
zK9^h(mc|K}ewOyUl@g20Q_4}5{`uD7#bnD{LHzAvx;2g>5p^0qGnTghGnmL@E$U{p
zM^K^@m#4KQ^C4jKBjK}c0SW|==<6uC^YBK
zsmq3T2IBBg;uJCDlH*_~WyoX5WGFFEMo5Snim`}@oQjOx{c4h+g?aeBM}JRGKC(7<
zmVu*zp#d+vaAIO)WnfVd`@ZZ*+D2=)d8_91u-eJz7g?G7+U38+yyUoZqWI!j9V{Fr
O8Es2uYMN{T1t9=-uu(Yx
literal 0
HcmV?d00001
diff --git a/containers/jetty/src/main/java/com/yahoo/athenz/container/AthenzConsts.java b/containers/jetty/src/main/java/com/yahoo/athenz/container/AthenzConsts.java
index f282d899111..07031e1c6ea 100644
--- a/containers/jetty/src/main/java/com/yahoo/athenz/container/AthenzConsts.java
+++ b/containers/jetty/src/main/java/com/yahoo/athenz/container/AthenzConsts.java
@@ -93,8 +93,13 @@ public final class AthenzConsts {
public static final String ATHENZ_PKEY_STORE_FACTORY_CLASS = "com.yahoo.athenz.auth.impl.FilePrivateKeyStoreFactory";
public static final String ATHENZ_PROP_KEYSTORE_PASSWORD_APPNAME = "athenz.ssl_key_store_password_appname";
+ public static final String ATHENZ_PROP_KEYSTORE_PASSWORD_KEYGROUPNAME = "athenz.ssl_key_store_password_keygroupname";
+
public static final String ATHENZ_PROP_KEYMANAGER_PASSWORD_APPNAME = "athenz.ssl_key_manager_password_appname";
+ public static final String ATHENZ_PROP_KEYMANAGER_PASSWORD_KEYGROUPNAME = "athenz.ssl_key_manager_password_keygroupname";
+
public static final String ATHENZ_PROP_TRUSTSTORE_PASSWORD_APPNAME = "athenz.ssl_trust_store_password_appname";
+ public static final String ATHENZ_PROP_TRUSTSTORE_PASSWORD_KEYGROUPNAME = "athenz.ssl_trust_store_password_keygroupname";
public static final String ATHENZ_PROP_GRACEFUL_SHUTDOWN = "athenz.graceful_shutdown";
public static final String ATHENZ_PROP_GRACEFUL_SHUTDOWN_TIMEOUT = "athenz.graceful_shutdown_timeout";
diff --git a/containers/jetty/src/main/java/com/yahoo/athenz/container/AthenzJettyContainer.java b/containers/jetty/src/main/java/com/yahoo/athenz/container/AthenzJettyContainer.java
index 1c9ea46af05..c69372ce038 100644
--- a/containers/jetty/src/main/java/com/yahoo/athenz/container/AthenzJettyContainer.java
+++ b/containers/jetty/src/main/java/com/yahoo/athenz/container/AthenzJettyContainer.java
@@ -351,13 +351,16 @@ SslContextFactory.Server createSSLContextObject(boolean needClientAuth) {
final String keyStorePath = System.getProperty(AthenzConsts.ATHENZ_PROP_KEYSTORE_PATH);
final String keyStorePasswordAppName = System.getProperty(AthenzConsts.ATHENZ_PROP_KEYSTORE_PASSWORD_APPNAME);
+ final String keyStorePasswordKeygroupName = System.getProperty(AthenzConsts.ATHENZ_PROP_KEYSTORE_PASSWORD_KEYGROUPNAME);
final String keyStorePassword = System.getProperty(AthenzConsts.ATHENZ_PROP_KEYSTORE_PASSWORD);
final String keyStoreType = System.getProperty(AthenzConsts.ATHENZ_PROP_KEYSTORE_TYPE, "PKCS12");
final String keyManagerPassword = System.getProperty(AthenzConsts.ATHENZ_PROP_KEYMANAGER_PASSWORD);
final String keyManagerPasswordAppName = System.getProperty(AthenzConsts.ATHENZ_PROP_KEYMANAGER_PASSWORD_APPNAME);
+ final String keyManagerPasswordKeygroupName = System.getProperty(AthenzConsts.ATHENZ_PROP_KEYMANAGER_PASSWORD_KEYGROUPNAME);
final String trustStorePath = System.getProperty(AthenzConsts.ATHENZ_PROP_TRUSTSTORE_PATH);
final String trustStorePassword = System.getProperty(AthenzConsts.ATHENZ_PROP_TRUSTSTORE_PASSWORD);
final String trustStorePasswordAppName = System.getProperty(AthenzConsts.ATHENZ_PROP_TRUSTSTORE_PASSWORD_APPNAME);
+ final String trustStorePasswordKeygroupName = System.getProperty(AthenzConsts.ATHENZ_PROP_TRUSTSTORE_PASSWORD_KEYGROUPNAME);
final String trustStoreType = System.getProperty(AthenzConsts.ATHENZ_PROP_TRUSTSTORE_TYPE, "PKCS12");
final String includedCipherSuites = System.getProperty(AthenzConsts.ATHENZ_PROP_INCLUDED_CIPHER_SUITES);
final String excludedCipherSuites = System.getProperty(AthenzConsts.ATHENZ_PROP_EXCLUDED_CIPHER_SUITES);
@@ -373,19 +376,19 @@ SslContextFactory.Server createSSLContextObject(boolean needClientAuth) {
}
if (!StringUtil.isEmpty(keyStorePassword)) {
//default implementation should just return the same
- sslContextFactory.setKeyStorePassword(String.valueOf(this.privateKeyStore.getSecret(keyStorePasswordAppName, null, keyStorePassword)));
+ sslContextFactory.setKeyStorePassword(String.valueOf(this.privateKeyStore.getSecret(keyStorePasswordAppName, keyStorePasswordKeygroupName, keyStorePassword)));
}
sslContextFactory.setKeyStoreType(keyStoreType);
if (!StringUtil.isEmpty(keyManagerPassword)) {
- sslContextFactory.setKeyManagerPassword(String.valueOf(this.privateKeyStore.getSecret(keyManagerPasswordAppName, null, keyManagerPassword)));
+ sslContextFactory.setKeyManagerPassword(String.valueOf(this.privateKeyStore.getSecret(keyManagerPasswordAppName, keyManagerPasswordKeygroupName, keyManagerPassword)));
}
if (!StringUtil.isEmpty(trustStorePath)) {
LOG.info("Using SSL TrustStore path: {}", trustStorePath);
sslContextFactory.setTrustStorePath(trustStorePath);
}
if (!StringUtil.isEmpty(trustStorePassword)) {
- sslContextFactory.setTrustStorePassword(String.valueOf(this.privateKeyStore.getSecret(trustStorePasswordAppName, null, trustStorePassword)));
+ sslContextFactory.setTrustStorePassword(String.valueOf(this.privateKeyStore.getSecret(trustStorePasswordAppName, trustStorePasswordKeygroupName, trustStorePassword)));
}
sslContextFactory.setTrustStoreType(trustStoreType);
diff --git a/libs/java/client_common/src/main/java/com/yahoo/athenz/common/utils/SSLUtils.java b/libs/java/client_common/src/main/java/com/yahoo/athenz/common/utils/SSLUtils.java
index b1944495c27..abb0de680e7 100644
--- a/libs/java/client_common/src/main/java/com/yahoo/athenz/common/utils/SSLUtils.java
+++ b/libs/java/client_common/src/main/java/com/yahoo/athenz/common/utils/SSLUtils.java
@@ -39,6 +39,9 @@ public static class ClientSSLContextBuilder {
private String keyManagerPasswordAppName;
private String trustStorePasswordAppName;
private String certAlias;
+ private String keyStorePasswordKeygroupName;
+ private String keyManagerPasswordKeygroupName;
+ private String trustStorePasswordKeygroupName;
public ClientSSLContextBuilder(final String sslProtocol) {
this.sslProtocol = sslProtocol;
@@ -103,6 +106,21 @@ public ClientSSLContextBuilder certAlias(final String certAlias) {
this.certAlias = certAlias;
return this;
}
+
+ public ClientSSLContextBuilder keyStorePasswordKeygroupName(final String keyStorePasswordKeygroupName) {
+ this.keyStorePasswordKeygroupName = keyStorePasswordKeygroupName;
+ return this;
+ }
+
+ public ClientSSLContextBuilder keyManagerPasswordKeygroupName(final String keyManagerPasswordKeygroupName) {
+ this.keyManagerPasswordKeygroupName = keyManagerPasswordKeygroupName;
+ return this;
+ }
+
+ public ClientSSLContextBuilder trustStorePasswordKeygroupName(final String trustStorePasswordKeygroupName) {
+ this.trustStorePasswordKeygroupName = trustStorePasswordKeygroupName;
+ return this;
+ }
public SSLContext build() {
SSLContext context;
@@ -120,18 +138,15 @@ public SSLContext build() {
try {
if (keyStorePath != null) {
LOGGER.info("createSSLContextObject: using SSL KeyStore path: {}", keyStorePath);
- keyStore = loadStore(keyStorePath, keyStoreType, getPassword(keyStorePassword, privateKeyStore, keyStorePasswordAppName));
+ keyStore = loadStore(keyStorePath, keyStoreType, getPassword(keyStorePassword, privateKeyStore, keyStorePasswordAppName, keyStorePasswordKeygroupName));
kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
- if (keyManagerPassword == null) {
- throw new IllegalArgumentException("Missing key manager password for the key store: " + keyStorePath);
- }
- keyManagerPassword = getPassword(keyManagerPassword, privateKeyStore, keyManagerPasswordAppName);
+ keyManagerPassword = getPassword(keyManagerPassword, privateKeyStore, keyManagerPasswordAppName, keyManagerPasswordKeygroupName);
kmf.init(keyStore, keyStorePassword);
keyManagers = getAliasedKeyManagers(kmf.getKeyManagers(), certAlias);
}
if (trustStorePath != null) {
LOGGER.info("createSSLContextObject: using SSL TrustStore path: {}", trustStorePath);
- trustStore = loadStore(trustStorePath, trustStoreType, getPassword(trustStorePassword, privateKeyStore, trustStorePasswordAppName));
+ trustStore = loadStore(trustStorePath, trustStoreType, getPassword(trustStorePassword, privateKeyStore, trustStorePasswordAppName, trustStorePasswordKeygroupName));
tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(trustStore);
trustManagers = tmf.getTrustManagers();
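Review bot: With the `keyManagerPassword == null` guard removed, the resolved `keyManagerPassword` is dead: it is assigned from `getPassword(...)` and the next line still calls `kmf.init(keyStore, keyStorePassword)`, so the key-manager password — and its new keygroup lookup — never reaches the KeyManagerFactory. Either drop the assignment, or, if a separate key-entry password is intended, pass it: `kmf.init(keyStore, keyManagerPassword != null ? keyManagerPassword : keyStorePassword);`. Note also (pre-existing) that `kmf.init` receives the raw `keyStorePassword` rather than the value `getPassword(...)` returned for `loadStore`, so when a PrivateKeyStore actually resolves the password the store and the key manager see different values; that looks unintended but may be relied on by deployments where both are equal. build() continues beyond this hunk.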
@@ -146,10 +161,10 @@ public SSLContext build() {
return context;
}
- private static char[] getPassword(char[] password, final PrivateKeyStore privateKeyStore, String appName) {
+ private static char[] getPassword(char[] password, final PrivateKeyStore privateKeyStore, String appName, String keygroupName) {
if (password != null) {
if (null != privateKeyStore) {
- password = privateKeyStore.getSecret(appName, null, String.valueOf(password));
+ password = privateKeyStore.getSecret(appName, keygroupName, String.valueOf(password));
}
}
return password;
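Review bot: getPassword now has four parameters and no comment describing which of them may be null or what happens when the store is absent. A header comment along the lines of `// Returns the configured password unchanged when it is null or no PrivateKeyStore is set; otherwise hands it to the store together with appName and keygroupName, both of which may be null and are passed through as-is.` would record the contract the callers in build() depend on. Since `String.valueOf(password)` creates an immutable String copy of the secret that cannot be cleared, a note that this is accepted because the PrivateKeyStore API takes a String would also help the next reader.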
diff --git a/libs/java/client_common/src/test/java/com/yahoo/athenz/common/utils/SSLUtilsTest.java b/libs/java/client_common/src/test/java/com/yahoo/athenz/common/utils/SSLUtilsTest.java
index 3cb49c7a8c5..966c033eac2 100644
--- a/libs/java/client_common/src/test/java/com/yahoo/athenz/common/utils/SSLUtilsTest.java
+++ b/libs/java/client_common/src/test/java/com/yahoo/athenz/common/utils/SSLUtilsTest.java
@@ -75,6 +75,9 @@ public class SSLUtilsTest {
private static final String KEY_MANAGER_PASSWORD_APP_NAME = "testKeyManager";
private static final String TRUSTSTORE_PASSWORD_APP_NAME = "testTruststorePassword";
private static final String TRUSTSTORE_PATH = "src/test/resources/testKeyStore.pkcs12";
+ private static final String KEYSTORE_PASSWORD_KEYGROUP_NAME = "testKeystorePasswordKG";
+ private static final String KEY_MANAGER_PASSWORD_KEYGROUP_NAME = "testKeyManagerKG";
+ private static final String TRUSTSTORE_PASSWORD_KEYGROUP_NAME = "testTruststorePasswordKG";
@Test
public void testEmptyConstructor() {
@@ -94,6 +97,9 @@ public void testClientSSLContextBuilder() {
.keyStorePasswordAppName(KEYSTORE_PASSWORD_APP_NAME)
.keyManagerPasswordAppName(KEY_MANAGER_PASSWORD_APP_NAME)
.trustStorePasswordAppName(TRUSTSTORE_PASSWORD_APP_NAME)
+ .keyStorePasswordKeygroupName(KEYSTORE_PASSWORD_KEYGROUP_NAME)
+ .keyManagerPasswordKeygroupName(KEY_MANAGER_PASSWORD_KEYGROUP_NAME)
+ .trustStorePasswordKeygroupName(TRUSTSTORE_PASSWORD_KEYGROUP_NAME)
.privateKeyStore(new FilePrivateKeyStore())
.certAlias("test")
.build();
@@ -102,16 +108,19 @@ public void testClientSSLContextBuilder() {
sslContext = new SSLUtils.ClientSSLContextBuilder(protocol).build();
Assert.assertNull(sslContext);
- //key manager password is null
+ //key store password is null
assertThrows(RuntimeException.class, () -> new ClientSSLContextBuilder(protocol)
.keyStorePath(DEFAULT_SERVER_KEY_STORE)
- .keyManagerPassword(null)
- .keyStorePassword(DEFAULT_CERT_PWD.toCharArray())
+ .keyManagerPassword(DEFAULT_CERT_PWD.toCharArray())
+ .keyStorePassword(null)
.keyStoreType(DEFAULT_KEY_STORE_TYPE)
.trustStoreType(DEFAULT_TRUST_STORE_TYPE)
.keyStorePasswordAppName(KEYSTORE_PASSWORD_APP_NAME)
.keyManagerPasswordAppName(KEY_MANAGER_PASSWORD_APP_NAME)
.trustStorePasswordAppName(TRUSTSTORE_PASSWORD_APP_NAME)
+ .keyStorePasswordKeygroupName(KEYSTORE_PASSWORD_KEYGROUP_NAME)
+ .keyManagerPasswordKeygroupName(KEY_MANAGER_PASSWORD_KEYGROUP_NAME)
+ .trustStorePasswordKeygroupName(TRUSTSTORE_PASSWORD_KEYGROUP_NAME)
.privateKeyStore(new FilePrivateKeyStore())
.build());
@@ -125,6 +134,9 @@ public void testClientSSLContextBuilder() {
.keyStorePasswordAppName(KEYSTORE_PASSWORD_APP_NAME)
.keyManagerPasswordAppName(KEY_MANAGER_PASSWORD_APP_NAME)
.trustStorePasswordAppName(TRUSTSTORE_PASSWORD_APP_NAME)
+ .keyStorePasswordKeygroupName(KEYSTORE_PASSWORD_KEYGROUP_NAME)
+ .keyManagerPasswordKeygroupName(KEY_MANAGER_PASSWORD_KEYGROUP_NAME)
+ .trustStorePasswordKeygroupName(TRUSTSTORE_PASSWORD_KEYGROUP_NAME)
.trustStorePassword(null)
.trustStorePath(TRUSTSTORE_PATH)
.privateKeyStore(new FilePrivateKeyStore())
@@ -139,6 +151,9 @@ public void testClientSSLContextBuilder() {
.keyStorePasswordAppName(KEYSTORE_PASSWORD_APP_NAME)
.keyManagerPasswordAppName(KEY_MANAGER_PASSWORD_APP_NAME)
.trustStorePasswordAppName(TRUSTSTORE_PASSWORD_APP_NAME)
+ .keyStorePasswordKeygroupName(KEYSTORE_PASSWORD_KEYGROUP_NAME)
+ .keyManagerPasswordKeygroupName(KEY_MANAGER_PASSWORD_KEYGROUP_NAME)
+ .trustStorePasswordKeygroupName(TRUSTSTORE_PASSWORD_KEYGROUP_NAME)
.trustStorePassword(null)
.trustStorePath(TRUSTSTORE_PATH)
.privateKeyStore(new FilePrivateKeyStore())
diff --git a/libs/java/dynamodb_client_factory/src/main/java/com/yahoo/athenz/db/dynamodb/DynamoDBClientFetcherImpl.java b/libs/java/dynamodb_client_factory/src/main/java/com/yahoo/athenz/db/dynamodb/DynamoDBClientFetcherImpl.java
index 6ea111028a7..cf959e683f0 100644
--- a/libs/java/dynamodb_client_factory/src/main/java/com/yahoo/athenz/db/dynamodb/DynamoDBClientFetcherImpl.java
+++ b/libs/java/dynamodb_client_factory/src/main/java/com/yahoo/athenz/db/dynamodb/DynamoDBClientFetcherImpl.java
@@ -63,8 +63,9 @@ public DynamoDBClientAndCredentials getDynamoDBClient(ZTSClientNotificationSende
String maxExpiryTimeStr = System.getProperty("athenz.zts.dynamodb_max_expiry_time", "");
Integer minExpiryTime = minExpiryTimeStr.isEmpty() ? null : Integer.parseInt(minExpiryTimeStr);
Integer maxExpiryTime = maxExpiryTimeStr.isEmpty() ? null : Integer.parseInt(maxExpiryTimeStr);
+ String keygroupName = System.getProperty("athenz.zts.dynamodb_trust_store_keygroup_name", "");
- DynamoDBClientSettings dynamoDBClientSettings = new DynamoDBClientSettings(certPath, domainName, roleName, trustStore, trustStorePassword, ztsURL, region, keyPath, appName, keyStore, externalId, minExpiryTime, maxExpiryTime);
+ DynamoDBClientSettings dynamoDBClientSettings = new DynamoDBClientSettings(certPath, domainName, roleName, trustStore, trustStorePassword, ztsURL, region, keyPath, appName, keyStore, externalId, minExpiryTime, maxExpiryTime, keygroupName);
return getDynamoDBClient(ztsClientNotificationSender, dynamoDBClientSettings);
}
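Review bot: `System.getProperty("athenz.zts.dynamodb_trust_store_keygroup_name", "")` defaults the keygroup to an empty string, while every other keygroup property read in this change (AthenzJettyContainer, SSLUtils, ZTSClient) yields null when unset; the new settings object then passes that `""` to `keyStore.getSecret(appName, keygroupName, ...)`. Unless every PrivateKeyStore implementation treats an empty keygroup exactly like a missing one, deployments that never set the property now perform a different lookup than before. Reading it as `String keygroupName = System.getProperty("athenz.zts.dynamodb_trust_store_keygroup_name");` keeps null semantics and matches the other call sites; the existing DynamoDBClientSettingsTest only stubs `getSecret` with a null keygroup, so the empty-string path is unexercised.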
diff --git a/libs/java/dynamodb_client_factory/src/main/java/com/yahoo/athenz/db/dynamodb/DynamoDBClientSettings.java b/libs/java/dynamodb_client_factory/src/main/java/com/yahoo/athenz/db/dynamodb/DynamoDBClientSettings.java
index a8acfa27f8e..fea4fc41841 100644
--- a/libs/java/dynamodb_client_factory/src/main/java/com/yahoo/athenz/db/dynamodb/DynamoDBClientSettings.java
+++ b/libs/java/dynamodb_client_factory/src/main/java/com/yahoo/athenz/db/dynamodb/DynamoDBClientSettings.java
@@ -34,6 +34,7 @@ public class DynamoDBClientSettings {
private final String externalId;
private final Integer minExpiryTime;
private final Integer maxExpiryTime;
+ private final String keygroupName;
public DynamoDBClientSettings(String certPath,
String domainName,
@@ -47,7 +48,8 @@ public DynamoDBClientSettings(String certPath,
PrivateKeyStore keyStore,
String externalId,
Integer minExpiryTime,
- Integer maxExpiryTime) {
+ Integer maxExpiryTime,
+ String keygroupName) {
this.certPath = certPath;
this.domainName = domainName;
this.roleName = roleName;
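Review bot: The constructor now takes fifteen positional parameters, and the updated tests call it with runs of up to eleven consecutive `null`s, so swapping two adjacent Strings (for example `externalId` and the new `keygroupName`) is invisible to the compiler and to a reader. A builder, or a small value object grouping the secret-resolution fields (`appName`, `keygroupName`, `keyStore`), would keep call sites readable and let future fields be added without touching every caller. If the positional signature is kept, the new parameter at least deserves a Javadoc `@param keygroupName` stating that it is passed through to `PrivateKeyStore.getSecret` and may be null.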
@@ -61,6 +63,7 @@ public DynamoDBClientSettings(String certPath,
this.externalId = externalId;
this.minExpiryTime = minExpiryTime;
this.maxExpiryTime = maxExpiryTime;
+ this.keygroupName = keygroupName;
}
public boolean areCredentialsProvided() {
@@ -125,6 +128,6 @@ char[] getTrustStorePasswordChars() {
return null;
}
- return keyStore.getSecret(appName, null, trustStorePassword);
+ return keyStore.getSecret(appName, keygroupName, trustStorePassword);
}
}
diff --git a/libs/java/dynamodb_client_factory/src/test/java/com/yahoo/athenz/db/dynamodb/DynamoDBClientFetcherImplTest.java b/libs/java/dynamodb_client_factory/src/test/java/com/yahoo/athenz/db/dynamodb/DynamoDBClientFetcherImplTest.java
index 709950c8b7a..26ec7b0a899 100644
--- a/libs/java/dynamodb_client_factory/src/test/java/com/yahoo/athenz/db/dynamodb/DynamoDBClientFetcherImplTest.java
+++ b/libs/java/dynamodb_client_factory/src/test/java/com/yahoo/athenz/db/dynamodb/DynamoDBClientFetcherImplTest.java
@@ -50,7 +50,7 @@ public void testGetClientWitSpecifiedRegion() {
ZTSClientNotificationSender ztsClientNotificationSender = Mockito.mock(ZTSClientNotificationSender.class);
AmazonDynamoDB dynamoDBClient = dynamoDBClientFetcher.getDynamoDBClient(ztsClientNotificationSender, keyStore).getAmazonDynamoDB();
assertNotNull(dynamoDBClient);
- DynamoDBClientSettings dynamoDBClientSettings = new DynamoDBClientSettings(null, null, null, null, null, null, "test.region", null, null, keyStore, null, null, null);
+ DynamoDBClientSettings dynamoDBClientSettings = new DynamoDBClientSettings(null, null, null, null, null, null, "test.region", null, null, keyStore, null, null, null, null);
dynamoDBClient = dynamoDBClientFetcher.getDynamoDBClient(ztsClientNotificationSender, dynamoDBClientSettings).getAmazonDynamoDB();
assertNotNull(dynamoDBClient);
System.clearProperty(ZTS_PROP_DYNAMODB_REGION);
@@ -63,7 +63,7 @@ public void testGetClientWithDefaultRegion() {
ZTSClientNotificationSender ztsClientNotificationSender = Mockito.mock(ZTSClientNotificationSender.class);
AmazonDynamoDB dynamoDBClient = dynamoDBClientFetcher.getDynamoDBClient(ztsClientNotificationSender, keyStore).getAmazonDynamoDB();
assertNotNull(dynamoDBClient);
- DynamoDBClientSettings dynamoDBClientSettings = new DynamoDBClientSettings(null, null, null, null, null, null, "testRegion", null, null, keyStore, null, null, null);
+ DynamoDBClientSettings dynamoDBClientSettings = new DynamoDBClientSettings(null, null, null, null, null, null, "testRegion", null, null, keyStore, null, null, null, null);
dynamoDBClient = dynamoDBClientFetcher.getDynamoDBClient(ztsClientNotificationSender, dynamoDBClientSettings).getAmazonDynamoDB();
assertNotNull(dynamoDBClient);
}
@@ -95,7 +95,7 @@ public void testGetAuthenticatedClient() {
dynamoDBClient = dynamoDBClientFetcher.getDynamoDBClient(ztsClientNotificationSender, keyStore).getAmazonDynamoDB();
assertNotNull(dynamoDBClient);
- DynamoDBClientSettings dynamoDBClientSettings = new DynamoDBClientSettings(certPath, "test.domain", "test.role", "test.truststore", "test.truststore.password", "https://dev.zts.athenzcompany.com:4443/zts/v1", "test.region", keyPath, null, keyStore, null, null, null);
+ DynamoDBClientSettings dynamoDBClientSettings = new DynamoDBClientSettings(certPath, "test.domain", "test.role", "test.truststore", "test.truststore.password", "https://dev.zts.athenzcompany.com:4443/zts/v1", "test.region", keyPath, null, keyStore, null, null, null, null);
dynamoDBClient = dynamoDBClientFetcher.getDynamoDBClient(ztsClientNotificationSender, dynamoDBClientSettings).getAmazonDynamoDB();
assertNotNull(dynamoDBClient);
diff --git a/libs/java/dynamodb_client_factory/src/test/java/com/yahoo/athenz/db/dynamodb/DynamoDBClientSettingsTest.java b/libs/java/dynamodb_client_factory/src/test/java/com/yahoo/athenz/db/dynamodb/DynamoDBClientSettingsTest.java
index 196cf0ebf75..2891f392557 100644
--- a/libs/java/dynamodb_client_factory/src/test/java/com/yahoo/athenz/db/dynamodb/DynamoDBClientSettingsTest.java
+++ b/libs/java/dynamodb_client_factory/src/test/java/com/yahoo/athenz/db/dynamodb/DynamoDBClientSettingsTest.java
@@ -42,6 +42,7 @@ public void credentialsNotProvided() {
keyStore,
null,
null,
+ null,
null);
assertFalse(dynamoDBClientSettings.areCredentialsProvided());
@@ -63,7 +64,7 @@ public void testCredentialsProvided() {
when(keyStore.getSecret(Mockito.eq("test.appname"), Mockito.eq(null), Mockito.eq("test.truststore.password")))
.thenReturn("decryptedPassword".toCharArray());
- DynamoDBClientSettings dynamoDBClientSettings = new DynamoDBClientSettings(certPath, domain, role, trustStore, trustStorePassword, ztsUrl, region, keyPath, appName, keyStore, null, null, null);
+ DynamoDBClientSettings dynamoDBClientSettings = new DynamoDBClientSettings(certPath, domain, role, trustStore, trustStorePassword, ztsUrl, region, keyPath, appName, keyStore, null, null, null, null);
assertTrue(dynamoDBClientSettings.areCredentialsProvided());
assertEquals("test.keypath", dynamoDBClientSettings.getKeyPath());
@@ -76,7 +77,7 @@ public void testCredentialsProvided() {
assertEquals("test.ztsurl", dynamoDBClientSettings.getZtsURL());
// Now verify that when keyStore isn't provided, trustStorePassword will be null
- dynamoDBClientSettings = new DynamoDBClientSettings(certPath, domain, role, trustStore, trustStorePassword, ztsUrl, region, keyPath, appName, null, null, null, null);
+ dynamoDBClientSettings = new DynamoDBClientSettings(certPath, domain, role, trustStore, trustStorePassword, ztsUrl, region, keyPath, appName, null, null, null, null, null);
assertNull(dynamoDBClientSettings.getTrustStorePasswordChars());
}
}
\ No newline at end of file
diff --git a/libs/java/server_common/src/main/java/com/yahoo/athenz/common/server/store/impl/ZMSFileChangeLogStoreFactory.java b/libs/java/server_common/src/main/java/com/yahoo/athenz/common/server/store/impl/ZMSFileChangeLogStoreFactory.java
index ded2a7cb12b..e251974440b 100644
--- a/libs/java/server_common/src/main/java/com/yahoo/athenz/common/server/store/impl/ZMSFileChangeLogStoreFactory.java
+++ b/libs/java/server_common/src/main/java/com/yahoo/athenz/common/server/store/impl/ZMSFileChangeLogStoreFactory.java
@@ -38,9 +38,10 @@ public class ZMSFileChangeLogStoreFactory implements ChangeLogStoreFactory {
// truststore path and password settings
- private static final String ZTS_SERVER_PROP_TRUSTORE_PATH = "athenz.common.server.clog.zts_server_trust_store_path";
- private static final String ZTS_SERVER_PROP_TRUSTORE_PWD_NAME = "athenz.common.server.clog.zts_server_trust_store_password_name";
- private static final String ZTS_SERVER_PROP_TRUSTORE_PWD_APP = "athenz.common.server.clog.zts_server_trust_store_password_app";
+ private static final String ZTS_SERVER_PROP_TRUSTORE_PATH = "athenz.common.server.clog.zts_server_trust_store_path";
+ private static final String ZTS_SERVER_PROP_TRUSTORE_PWD_NAME = "athenz.common.server.clog.zts_server_trust_store_password_name";
+ private static final String ZTS_SERVER_PROP_TRUSTORE_PWD_APP = "athenz.common.server.clog.zts_server_trust_store_password_app";
+ private static final String ZTS_SERVER_PROP_TRUSTORE_PWD_KEYGROUP = "athenz.common.server.clog.zts_server_trust_store_password_keygroup";
// default truststore password used by the jdk, added as a char array directly to not have the string literal available.
private static final char[] DEFAULT_JDK_TRUSTSTORE_PWD = new char[] {'c', 'h', 'a', 'n', 'g', 'e', 'i', 't'};
@@ -86,8 +87,9 @@ ChangeLogStore mtlsClientChangeLogStore(final String rootDirectory) {
final String trustStorePwdName = System.getProperty(ZTS_SERVER_PROP_TRUSTORE_PWD_NAME, "");
if (!trustStorePwdName.isEmpty()) {
final String trustStorePwdApp = System.getProperty(ZTS_SERVER_PROP_TRUSTORE_PWD_APP);
+ final String trustStorePwdKeygroup = System.getProperty(ZTS_SERVER_PROP_TRUSTORE_PWD_KEYGROUP);
trustStorePassword = (privateKeyStore == null) ? trustStorePwdName.toCharArray() :
- privateKeyStore.getSecret(trustStorePwdApp, null, trustStorePwdName);
+ privateKeyStore.getSecret(trustStorePwdApp, trustStorePwdKeygroup, trustStorePwdName);
}
// catch any exceptions thrown from the change log store and instead
diff --git a/servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSConsts.java b/servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSConsts.java
index d868ae09346..5f144fb9575 100644
--- a/servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSConsts.java
+++ b/servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSConsts.java
@@ -53,6 +53,7 @@ public final class ZMSConsts {
public static final String ZMS_PROP_JDBC_RO_USER = "athenz.zms.jdbc_ro_user";
public static final String ZMS_PROP_JDBC_RO_PASSWORD = "athenz.zms.jdbc_ro_password";
public static final String ZMS_PROP_JDBC_APP_NAME = "athenz.zms.jdbc_app_name";
+ public static final String ZMS_PROP_JDBC_KEYGROUP_NAME = "athenz.zms.jdbc_keygroup_name";
public static final String ZMS_PROP_JDBC_VERIFY_SERVER_CERT = "athenz.zms.jdbc_verify_server_certificate";
public static final String ZMS_PROP_JDBC_USE_SSL = "athenz.zms.jdbc_use_ssl";
public static final String ZMS_PROP_JDBC_TLS_VERSIONS = "athenz.zms.jdbc_tls_versions";
@@ -390,6 +391,7 @@ public final class ZMSConsts {
public static final String ZMS_PROP_PROVIDER_TRUST_STORE = "athenz.zms.provider.client.truststore";
public static final String ZMS_PROP_PROVIDER_TRUST_STORE_PASSWORD = "athenz.zms.provider.client.truststore_password";
public static final String ZMS_PROP_PROVIDER_APP_NAME = "athenz.zms.provider.client.app_name";
+ public static final String ZMS_PROP_PROVIDER_KEYGROUP_NAME = "athenz.zms.provider.client.keygroup_name";
public static final String ZMS_PROP_PROVIDER_CERT_PATH = "athenz.zms.provider.client.cert_path";
public static final String ZMS_PROP_PROVIDER_KEY_PATH = "athenz.zms.provider.client.key_path";
public static final String ZMS_PROP_PROVIDER_MAX_POOL_ROUTE = "athenz.zms.provider.client.max_pool_route";
diff --git a/servers/zms/src/main/java/com/yahoo/athenz/zms/provider/ServiceProviderClient.java b/servers/zms/src/main/java/com/yahoo/athenz/zms/provider/ServiceProviderClient.java
index 1ee557fa444..cee722443b3 100644
--- a/servers/zms/src/main/java/com/yahoo/athenz/zms/provider/ServiceProviderClient.java
+++ b/servers/zms/src/main/java/com/yahoo/athenz/zms/provider/ServiceProviderClient.java
@@ -108,6 +108,7 @@ private SSLContext getDomainDependencyProviderSSLContext(PrivateKeyStore keyStor
final String appName = System.getProperty(ZMSConsts.ZMS_PROP_PROVIDER_APP_NAME, "");
final String certPath = System.getProperty(ZMSConsts.ZMS_PROP_PROVIDER_CERT_PATH, "");
final String keyPath = System.getProperty(ZMSConsts.ZMS_PROP_PROVIDER_KEY_PATH, "");
+ final String keygroupName = System.getProperty(ZMSConsts.ZMS_PROP_PROVIDER_KEYGROUP_NAME, "");
if (StringUtil.isEmpty(trustStore) || StringUtil.isEmpty(certPath) ||
StringUtil.isEmpty(keyPath) || StringUtil.isEmpty(trustStorePassword)) {
@@ -116,7 +117,7 @@ private SSLContext getDomainDependencyProviderSSLContext(PrivateKeyStore keyStor
}
KeyRefresher keyRefresher = Utils.generateKeyRefresher(
trustStore,
- keyStore.getSecret(appName, null, trustStorePassword),
+ keyStore.getSecret(appName, keygroupName, trustStorePassword),
certPath,
keyPath);
keyRefresher.startup();
diff --git a/servers/zms/src/main/java/com/yahoo/athenz/zms/store/impl/JDBCObjectStoreFactory.java b/servers/zms/src/main/java/com/yahoo/athenz/zms/store/impl/JDBCObjectStoreFactory.java
index 48a2dc5bd92..b217655234d 100644
--- a/servers/zms/src/main/java/com/yahoo/athenz/zms/store/impl/JDBCObjectStoreFactory.java
+++ b/servers/zms/src/main/java/com/yahoo/athenz/zms/store/impl/JDBCObjectStoreFactory.java
@@ -38,7 +38,8 @@ public ObjectStore create(PrivateKeyStore keyStore) {
final String jdbcUser = System.getProperty(ZMSConsts.ZMS_PROP_JDBC_RW_USER);
final String password = System.getProperty(ZMSConsts.ZMS_PROP_JDBC_RW_PASSWORD, "");
final String jdbcAppName = System.getProperty(ZMSConsts.ZMS_PROP_JDBC_APP_NAME, JDBC_APP_NAME);
- Properties readWriteProperties = getProperties(jdbcUser, keyStore.getSecret(jdbcAppName, null, password));
+ final String jdbcKeygroupName = System.getProperty(ZMSConsts.ZMS_PROP_JDBC_KEYGROUP_NAME, "");
+ Properties readWriteProperties = getProperties(jdbcUser, keyStore.getSecret(jdbcAppName, jdbcKeygroupName, password));
PoolableDataSource readWriteSrc = DataSourceFactory.create(jdbcStore, readWriteProperties);
// now check to see if we also have a read-only jdbc store configured
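Review bot: The keygroup is read here with an empty-string default, `final String jdbcKeygroupName = System.getProperty(ZMSConsts.ZMS_PROP_JDBC_KEYGROUP_NAME, "");`, while ZMSFileChangeLogStoreFactory in this same patch reads its keygroup with no default and therefore passes null when the property is unset. Both values end up in `PrivateKeyStore.getSecret(appName, keygroupName, keyName)`, so unless every PrivateKeyStore implementation treats null and "" identically, the same unset configuration is resolved two different ways depending on the caller; the interface change itself is not visible in this chunk, so that guarantee cannot be confirmed from here. Picking one convention for all call sites, or normalising inside the PrivateKeyStore default method, removes the ambiguity. The enclosing `create` method begins before this hunk.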
@@ -50,7 +51,7 @@ public ObjectStore create(PrivateKeyStore keyStore) {
if (jdbcReadOnlyStore != null && jdbcReadOnlyStore.startsWith(JDBC_APP_NAME)) {
final String jdbcReadOnlyUser = getDefaultSetting(ZMSConsts.ZMS_PROP_JDBC_RO_USER, jdbcUser);
final String readOnlyPassword = getDefaultSetting(ZMSConsts.ZMS_PROP_JDBC_RO_PASSWORD, password);
- Properties readOnlyProperties = getProperties(jdbcReadOnlyUser, keyStore.getSecret(jdbcAppName, null, readOnlyPassword));
+ Properties readOnlyProperties = getProperties(jdbcReadOnlyUser, keyStore.getSecret(jdbcAppName, jdbcKeygroupName, readOnlyPassword));
readOnlySrc = DataSourceFactory.create(jdbcReadOnlyStore, readOnlyProperties);
}
return new JDBCObjectStore(readWriteSrc, readOnlySrc);
diff --git a/servers/zms/src/test/java/com/yahoo/athenz/zms/store/impl/JDBCObjectStoreFactoryTest.java b/servers/zms/src/test/java/com/yahoo/athenz/zms/store/impl/JDBCObjectStoreFactoryTest.java
index 7f514e96bda..77b903d802e 100644
--- a/servers/zms/src/test/java/com/yahoo/athenz/zms/store/impl/JDBCObjectStoreFactoryTest.java
+++ b/servers/zms/src/test/java/com/yahoo/athenz/zms/store/impl/JDBCObjectStoreFactoryTest.java
@@ -37,7 +37,7 @@ public void testCreateWriteOnly() {
System.clearProperty(ZMSConsts.ZMS_PROP_JDBC_RO_PASSWORD);
PrivateKeyStore keyStore = Mockito.mock(PrivateKeyStore.class);
- Mockito.doReturn("password".toCharArray()).when(keyStore).getSecret("jdbc", null, "password");
+ Mockito.doReturn("password".toCharArray()).when(keyStore).getSecret("jdbc", "", "password");
JDBCObjectStoreFactory factory = new JDBCObjectStoreFactory();
ObjectStore store = factory.create(keyStore);
@@ -57,10 +57,17 @@ public void testCreateReadWrite() {
PrivateKeyStore keyStore = Mockito.mock(PrivateKeyStore.class);
char[] passwordMock = new char[]{'p','a','s','s','w','o','r','d'};
- Mockito.doReturn(passwordMock).when(keyStore).getSecret("jdbc", null, "password");
+ Mockito.doReturn(passwordMock).when(keyStore).getSecret("jdbc", "", "password");
JDBCObjectStoreFactory factory = new JDBCObjectStoreFactory();
ObjectStore store = factory.create(keyStore);
assertNotNull(store);
+
+ System.clearProperty(ZMSConsts.ZMS_PROP_JDBC_RW_STORE);
+ System.clearProperty(ZMSConsts.ZMS_PROP_JDBC_RW_USER);
+ System.clearProperty(ZMSConsts.ZMS_PROP_JDBC_RW_PASSWORD);
+ System.clearProperty(ZMSConsts.ZMS_PROP_JDBC_RO_STORE);
+ System.clearProperty(ZMSConsts.ZMS_PROP_JDBC_RO_USER);
+ System.clearProperty(ZMSConsts.ZMS_PROP_JDBC_RO_PASSWORD);
}
}
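Review bot: The six `System.clearProperty` calls added at the end of testCreateReadWrite only execute when the preceding `assertNotNull(store)` passes; on a failure the JDBC store, user and password properties stay set in the JVM and leak into whichever test runs next, which is exactly the cross-test coupling the cleanup is meant to prevent. Moving them into the test framework's per-method teardown, or wrapping the body in try/finally, makes the cleanup unconditional. The start of testCreateReadWrite lies outside this hunk.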
diff --git a/servers/zts/src/main/java/com/yahoo/athenz/zts/ZTSConsts.java b/servers/zts/src/main/java/com/yahoo/athenz/zts/ZTSConsts.java
index b5d9e0f0c71..f4d41978a6f 100644
--- a/servers/zts/src/main/java/com/yahoo/athenz/zts/ZTSConsts.java
+++ b/servers/zts/src/main/java/com/yahoo/athenz/zts/ZTSConsts.java
@@ -30,12 +30,16 @@ public final class ZTSConsts {
public static final String ZTS_PROP_ROOT_DIR = "athenz.zts.root_dir";
public static final String ZTS_PROP_HOSTNAME = "athenz.zts.hostname";
- public static final String ZTS_PROP_KEYSTORE_PASSWORD = "athenz.zts.ssl_key_store_password";
- public static final String ZTS_PROP_KEYSTORE_PASSWORD_APPNAME = "athenz.zts.ssl_key_store_password_appname";
- public static final String ZTS_PROP_KEYMANAGER_PASSWORD = "athenz.zts.ssl_key_manager_password";
- public static final String ZTS_PROP_KEYMANAGER_PASSWORD_APPNAME = "athenz.zts.ssl_key_manager_password_appname";
- public static final String ZTS_PROP_TRUSTSTORE_PASSWORD = "athenz.zts.ssl_trust_store_password";
- public static final String ZTS_PROP_TRUSTSTORE_PASSWORD_APPNAME = "athenz.zts.ssl_trust_store_password_appname";
+ public static final String ZTS_PROP_KEYSTORE_PASSWORD = "athenz.zts.ssl_key_store_password";
+ public static final String ZTS_PROP_KEYSTORE_PASSWORD_APPNAME = "athenz.zts.ssl_key_store_password_appname";
+ public static final String ZTS_PROP_KEYSTORE_PASSWORD_KEYGROUPNAME = "athenz.zts.ssl_key_store_password_keygroupname";
+ public static final String ZTS_PROP_KEYMANAGER_PASSWORD = "athenz.zts.ssl_key_manager_password";
+ public static final String ZTS_PROP_KEYMANAGER_PASSWORD_APPNAME = "athenz.zts.ssl_key_manager_password_appname";
+ public static final String ZTS_PROP_KEYMANAGER_PASSWORD_KEYGROUPNAME = "athenz.zts.ssl_key_manager_password_keygroupname";
+ public static final String ZTS_PROP_TRUSTSTORE_PASSWORD = "athenz.zts.ssl_trust_store_password";
+ public static final String ZTS_PROP_TRUSTSTORE_PASSWORD_APPNAME = "athenz.zts.ssl_trust_store_password_appname";
+ public static final String ZTS_PROP_TRUSTSTORE_PASSWORD_KEYGROUPNAME = "athenz.zts.ssl_trust_store_password_keygroupname";
+
public static final String ZTS_PROP_KEYSTORE_PATH = "athenz.zts.ssl_key_store";
public static final String ZTS_PROP_KEYSTORE_TYPE = "athenz.zts.ssl_key_store_type";
@@ -105,6 +109,7 @@ public final class ZTSConsts {
public static final String ZTS_PROP_CERT_JDBC_USER = "athenz.zts.cert_jdbc_user";
public static final String ZTS_PROP_CERT_JDBC_PASSWORD = "athenz.zts.cert_jdbc_password";
public static final String ZTS_PROP_CERT_JDBC_APP_NAME = "athenz.zts.cert_jdbc_app_name";
+ public static final String ZTS_PROP_CERT_JDBC_KEYGROUP_NAME = "athenz.zts.cert_jdbc_keygroup_name";
public static final String ZTS_PROP_CERT_JDBC_VERIFY_SERVER_CERT = "athenz.zts.cert_jdbc_verify_server_certificate";
public static final String ZTS_PROP_CERT_JDBC_USE_SSL = "athenz.zts.cert_jdbc_use_ssl";
public static final String ZTS_PROP_CERT_OP_TIMEOUT = "athenz.zts.cert_op_timeout";
@@ -118,23 +123,25 @@ public final class ZTSConsts {
public static final String ZTS_PROP_CERT_DYNAMODB_RETRIES = "athenz.zts.cert_dynamodb_retries";
public static final String ZTS_PROP_CERT_DYNAMODB_RETRIES_SLEEP_MILLIS = "athenz.zts.cert_dynamodb_retries_sleep_millis";
- public static final String ZTS_PROP_DYNAMODB_KEY_PATH = "athenz.zts.dynamodb_key_path";
- public static final String ZTS_PROP_DYNAMODB_CERT_PATH = "athenz.zts.dynamodb_cert_path";
- public static final String ZTS_PROP_DYNAMODB_DOMAIN = "athenz.zts.dynamodb_aws_domain";
- public static final String ZTS_PROP_DYNAMODB_ROLE = "athenz.zts.dynamodb_aws_role";
- public static final String ZTS_PROP_DYNAMODB_TRUSTSTORE = "athenz.zts.dynamodb_trust_store_path";
- public static final String ZTS_PROP_DYNAMODB_TRUSTSTORE_PASSWORD = "athenz.zts.dynamodb_trust_store_password";
- public static final String ZTS_PROP_DYNAMODB_TRUSTSTORE_APPNAME = "athenz.zts.dynamodb_trust_store_app_name";
- public static final String ZTS_PROP_DYNAMODB_REGION = "athenz.zts.dynamodb_region";
- public static final String ZTS_PROP_DYNAMODB_ZTS_URL = "athenz.zts.dynamodb_zts_url";
- public static final String ZTS_PROP_DYNAMODB_EXTERNAL_ID = "athenz.zts.dynamodb_external_id";
- public static final String ZTS_PROP_DYNAMODB_MIN_EXPIRY_TIME = "athenz.zts.dynamodb_min_expiry_time";
- public static final String ZTS_PROP_DYNAMODB_MAX_EXPIRY_TIME = "athenz.zts.dynamodb_max_expiry_time";
+ public static final String ZTS_PROP_DYNAMODB_KEY_PATH = "athenz.zts.dynamodb_key_path";
+ public static final String ZTS_PROP_DYNAMODB_CERT_PATH = "athenz.zts.dynamodb_cert_path";
+ public static final String ZTS_PROP_DYNAMODB_DOMAIN = "athenz.zts.dynamodb_aws_domain";
+ public static final String ZTS_PROP_DYNAMODB_ROLE = "athenz.zts.dynamodb_aws_role";
+ public static final String ZTS_PROP_DYNAMODB_TRUSTSTORE = "athenz.zts.dynamodb_trust_store_path";
+ public static final String ZTS_PROP_DYNAMODB_TRUSTSTORE_PASSWORD = "athenz.zts.dynamodb_trust_store_password";
+ public static final String ZTS_PROP_DYNAMODB_TRUSTSTORE_APPNAME = "athenz.zts.dynamodb_trust_store_app_name";
+ public static final String ZTS_PROP_DYNAMODB_REGION = "athenz.zts.dynamodb_region";
+ public static final String ZTS_PROP_DYNAMODB_ZTS_URL = "athenz.zts.dynamodb_zts_url";
+ public static final String ZTS_PROP_DYNAMODB_EXTERNAL_ID = "athenz.zts.dynamodb_external_id";
+ public static final String ZTS_PROP_DYNAMODB_MIN_EXPIRY_TIME = "athenz.zts.dynamodb_min_expiry_time";
+ public static final String ZTS_PROP_DYNAMODB_MAX_EXPIRY_TIME = "athenz.zts.dynamodb_max_expiry_time";
+ public static final String ZTS_PROP_DYNAMODB_TRUSTSTORE_KEYGROUPNAME = "athenz.zts.dynamodb_trust_store_app_name";
public static final String ZTS_PROP_SSH_JDBC_STORE = "athenz.zts.ssh_jdbc_store";
public static final String ZTS_PROP_SSH_JDBC_USER = "athenz.zts.ssh_jdbc_user";
public static final String ZTS_PROP_SSH_JDBC_PASSWORD = "athenz.zts.ssh_jdbc_password";
public static final String ZTS_PROP_SSH_JDBC_APP_NAME = "athenz.zts.ssh_jdbc_app_name";
+ public static final String ZTS_PROP_SSH_JDBC_KEYGROUP_NAME = "athenz.zts.ssh_jdbc_keygroup_name";
public static final String ZTS_PROP_SSH_JDBC_USE_SSL = "athenz.zts.ssh_jdbc_use_ssl";
public static final String ZTS_PROP_SSH_JDBC_VERIFY_SERVER_CERT = "athenz.zts.ssh_jdbc_verify_server_certificate";
public static final String ZTS_PROP_SSH_FILE_STORE_PATH = "athenz.zts.ssh_file_store_path";
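Review bot: The new DynamoDB constant reuses the app-name property string: `ZTS_PROP_DYNAMODB_TRUSTSTORE_KEYGROUPNAME = "athenz.zts.dynamodb_trust_store_app_name"` is byte-identical to the value of `ZTS_PROP_DYNAMODB_TRUSTSTORE_APPNAME` a few lines above it. As written, an operator cannot configure the DynamoDB truststore keygroup independently, and once the app-name property is set the keygroup silently takes the same value, unlike every other `*_keygroup_name` property introduced in this patch. It should be its own key, e.g. `public static final String ZTS_PROP_DYNAMODB_TRUSTSTORE_KEYGROUPNAME = "athenz.zts.dynamodb_trust_store_keygroup_name";`, and placing it directly after the APPNAME constant rather than after MAX_EXPIRY_TIME would make the pairing obvious to the next reader.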
@@ -148,6 +155,7 @@ public final class ZTSConsts {
public static final String ZTS_PROP_WORKLOAD_JDBC_USER = "athenz.zts.workload_jdbc_user";
public static final String ZTS_PROP_WORKLOAD_JDBC_PASSWORD = "athenz.zts.workload_jdbc_password";
public static final String ZTS_PROP_WORKLOAD_JDBC_APP_NAME = "athenz.zts.workload_jdbc_app_name";
+ public static final String ZTS_PROP_WORKLOAD_JDBC_KEYGROUP_NAME = "athenz.zts.workload_jdbc_keygroup_name";
public static final String ZTS_PROP_WORKLOAD_JDBC_USE_SSL = "athenz.zts.workload_jdbc_use_ssl";
public static final String ZTS_PROP_WORKLOAD_JDBC_VERIFY_SERVER_CERT = "athenz.zts.workload_jdbc_verify_server_certificate";
public static final String ZTS_PROP_WORKLOAD_FILE_STORE_PATH = "athenz.zts.workload_file_store_path";
diff --git a/servers/zts/src/main/java/com/yahoo/athenz/zts/cert/impl/JDBCCertRecordStoreFactory.java b/servers/zts/src/main/java/com/yahoo/athenz/zts/cert/impl/JDBCCertRecordStoreFactory.java
index de55c5a5159..fd42e3021c6 100644
--- a/servers/zts/src/main/java/com/yahoo/athenz/zts/cert/impl/JDBCCertRecordStoreFactory.java
+++ b/servers/zts/src/main/java/com/yahoo/athenz/zts/cert/impl/JDBCCertRecordStoreFactory.java
@@ -35,10 +35,11 @@ public CertRecordStore create(PrivateKeyStore keyStore) {
final String jdbcUser = System.getProperty(ZTSConsts.ZTS_PROP_CERT_JDBC_USER);
final String password = System.getProperty(ZTSConsts.ZTS_PROP_CERT_JDBC_PASSWORD, "");
final String jdbcAppName = System.getProperty(ZTSConsts.ZTS_PROP_CERT_JDBC_APP_NAME, JDBC);
+ final String jdbcKeygroupName = System.getProperty(ZTSConsts.ZTS_PROP_CERT_JDBC_KEYGROUP_NAME, "");
Properties props = new Properties();
props.setProperty(ZTSConsts.DB_PROP_USER, jdbcUser);
- props.setProperty(ZTSConsts.DB_PROP_PASSWORD, String.valueOf(keyStore.getSecret(jdbcAppName, null, password)));
+ props.setProperty(ZTSConsts.DB_PROP_PASSWORD, String.valueOf(keyStore.getSecret(jdbcAppName, jdbcKeygroupName, password)));
props.setProperty(ZTSConsts.DB_PROP_VERIFY_SERVER_CERT,
System.getProperty(ZTSConsts.ZTS_PROP_CERT_JDBC_VERIFY_SERVER_CERT, "false"));
props.setProperty(ZTSConsts.DB_PROP_USE_SSL,
diff --git a/servers/zts/src/main/java/com/yahoo/athenz/zts/cert/impl/JDBCSSHRecordStoreFactory.java b/servers/zts/src/main/java/com/yahoo/athenz/zts/cert/impl/JDBCSSHRecordStoreFactory.java
index 0f897ef6249..63b3f611349 100644
--- a/servers/zts/src/main/java/com/yahoo/athenz/zts/cert/impl/JDBCSSHRecordStoreFactory.java
+++ b/servers/zts/src/main/java/com/yahoo/athenz/zts/cert/impl/JDBCSSHRecordStoreFactory.java
@@ -35,10 +35,11 @@ public SSHRecordStore create(PrivateKeyStore keyStore) {
final String jdbcUser = System.getProperty(ZTSConsts.ZTS_PROP_SSH_JDBC_USER);
final String password = System.getProperty(ZTSConsts.ZTS_PROP_SSH_JDBC_PASSWORD, "");
final String jdbcAppName = System.getProperty(ZTSConsts.ZTS_PROP_SSH_JDBC_APP_NAME, JDBC);
+ final String jdbcKeygroupName = System.getProperty(ZTSConsts.ZTS_PROP_SSH_JDBC_KEYGROUP_NAME, "");
Properties props = new Properties();
props.setProperty(ZTSConsts.DB_PROP_USER, jdbcUser);
- props.setProperty(ZTSConsts.DB_PROP_PASSWORD, String.valueOf(keyStore.getSecret(jdbcAppName, null, password)));
+ props.setProperty(ZTSConsts.DB_PROP_PASSWORD, String.valueOf(keyStore.getSecret(jdbcAppName, jdbcKeygroupName, password)));
props.setProperty(ZTSConsts.DB_PROP_VERIFY_SERVER_CERT,
System.getProperty(ZTSConsts.ZTS_PROP_SSH_JDBC_VERIFY_SERVER_CERT, "false"));
props.setProperty(ZTSConsts.DB_PROP_USE_SSL,
diff --git a/servers/zts/src/main/java/com/yahoo/athenz/zts/cert/impl/ZTSDynamoDBClientSettingsFactory.java b/servers/zts/src/main/java/com/yahoo/athenz/zts/cert/impl/ZTSDynamoDBClientSettingsFactory.java
index d98217839b1..746855749e8 100644
--- a/servers/zts/src/main/java/com/yahoo/athenz/zts/cert/impl/ZTSDynamoDBClientSettingsFactory.java
+++ b/servers/zts/src/main/java/com/yahoo/athenz/zts/cert/impl/ZTSDynamoDBClientSettingsFactory.java
@@ -37,6 +37,7 @@ public class ZTSDynamoDBClientSettingsFactory {
private final String externalId;
private final Integer minExpiryTime;
private final Integer maxExpiryTime;
+ private final String keygroupName;
public ZTSDynamoDBClientSettingsFactory(PrivateKeyStore keyStore) {
keyPath = System.getProperty(ZTS_PROP_DYNAMODB_KEY_PATH, "");
@@ -53,11 +54,12 @@ public ZTSDynamoDBClientSettingsFactory(PrivateKeyStore keyStore) {
String maxExpiryTimeStr = System.getProperty(ZTS_PROP_DYNAMODB_MAX_EXPIRY_TIME, "");
minExpiryTime = minExpiryTimeStr.isEmpty() ? null : Integer.parseInt(minExpiryTimeStr);
maxExpiryTime = maxExpiryTimeStr.isEmpty() ? null : Integer.parseInt(maxExpiryTimeStr);
+ keygroupName = System.getProperty(ZTS_PROP_DYNAMODB_TRUSTSTORE_KEYGROUPNAME, "");
this.keyStore = keyStore;
}
public DynamoDBClientSettings getDynamoDBClientSettings() {
- return new DynamoDBClientSettings(certPath, domainName, roleName, trustStore, trustStorePassword, ztsURL, region, keyPath, appName, keyStore, externalId, minExpiryTime, maxExpiryTime);
+ return new DynamoDBClientSettings(certPath, domainName, roleName, trustStore, trustStorePassword, ztsURL, region, keyPath, appName, keyStore, externalId, minExpiryTime, maxExpiryTime, keygroupName);
}
}
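Review bot: `getDynamoDBClientSettings` now passes fourteen positional arguments, most of them Strings, and the new `keygroupName` is appended after `maxExpiryTime` rather than next to the `appName` it qualifies; the test files in this same patch show the cost, with call sites that are rows of `null, null, null, null`. A transposition of two String arguments compiles cleanly and only surfaces at runtime when a secret lookup fails. Consider a builder for DynamoDBClientSettings, or at minimum keep `appName` and `keygroupName` adjacent in the parameter list. The constructor also reads `ZTS_PROP_DYNAMODB_TRUSTSTORE_KEYGROUPNAME`, whose property string should be checked against the APPNAME constant in ZTSConsts; the constructor itself begins outside this hunk.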
diff --git a/servers/zts/src/main/java/com/yahoo/athenz/zts/utils/ZTSUtils.java b/servers/zts/src/main/java/com/yahoo/athenz/zts/utils/ZTSUtils.java
index 83ec4436c29..3b7b2842971 100644
--- a/servers/zts/src/main/java/com/yahoo/athenz/zts/utils/ZTSUtils.java
+++ b/servers/zts/src/main/java/com/yahoo/athenz/zts/utils/ZTSUtils.java
@@ -64,21 +64,24 @@ public class ZTSUtils {
public static final long CERT_PRIORITY_MIN_PERCENT_LOW_PRIORITY = Long.parseLong(System.getProperty(ZTSConsts.ZTS_PROP_CERT_PRIORITY_MIN_PERCENT_LOW_PRIORITY, ZTSConsts.ZTS_CERT_PRIORITY_MIN_PERCENT_LOW_PRIORITY_DEFAULT));
public static final long CERT_PRIORITY_MAX_PERCENT_HIGH_PRIORITY = Long.parseLong(System.getProperty(ZTSConsts.ZTS_PROP_CERT_PRIORITY_MAX_PERCENT_HIGH_PRIORITY, ZTSConsts.ZTS_CERT_PRIORITY_MAX_PERCENT_HIGH_PRIORITY_DEFAULT));
- private static final String ATHENZ_PROP_KEYSTORE_PATH = "athenz.ssl_key_store";
- private static final String ATHENZ_PROP_KEYSTORE_TYPE = "athenz.ssl_key_store_type";
- private static final String ATHENZ_PROP_KEYSTORE_PASSWORD = "athenz.ssl_key_store_password";
- private static final String ATHENZ_PROP_KEYSTORE_PASSWORD_APPNAME = "athenz.ssl_key_store_password_appname";
-
- private static final String ATHENZ_PROP_TRUSTSTORE_PATH = "athenz.ssl_trust_store";
- private static final String ATHENZ_PROP_TRUSTSTORE_TYPE = "athenz.ssl_trust_store_type";
- private static final String ATHENZ_PROP_TRUSTSTORE_PASSWORD = "athenz.ssl_trust_store_password";
- private static final String ATHENZ_PROP_TRUSTSTORE_PASSWORD_APPNAME = "athenz.ssl_trust_store_password_appname";
-
- private static final String ATHENZ_PROP_PROVIDER_CLIENT_PUBLIC_CERT_PATH = "athenz.zts.provider.ssl_client_public_cert_path";
- private static final String ATHENZ_PROP_PROVIDER_CLIENT_PRIVATE_KEY_PATH = "athenz.zts.provider.ssl_client_private_key_path";
- private static final String ATHENZ_PROP_PROVIDER_CLIENT_TRUSTSTORE_PATH = "athenz.zts.provider.ssl_client_trust_store";
- private static final String ATHENZ_PROP_PROVIDER_CLIENT_TRUSTSTORE_PASSWORD = "athenz.zts.provider.ssl_client_trust_store_password";
- private static final String ATHENZ_PROP_PROVIDER_CLIENT_TRUSTSTORE_PASSWORD_APPNAME = "athenz.zts.provider.ssl_client_trust_store_password_appname";
+ private static final String ATHENZ_PROP_KEYSTORE_PATH = "athenz.ssl_key_store";
+ private static final String ATHENZ_PROP_KEYSTORE_TYPE = "athenz.ssl_key_store_type";
+ private static final String ATHENZ_PROP_KEYSTORE_PASSWORD = "athenz.ssl_key_store_password";
+ private static final String ATHENZ_PROP_KEYSTORE_PASSWORD_APPNAME = "athenz.ssl_key_store_password_appname";
+ private static final String ATHENZ_PROP_KEYSTORE_PASSWORD_KEYGROUPNAME = "athenz.ssl_key_store_password_keygroupname";
+
+ private static final String ATHENZ_PROP_TRUSTSTORE_PATH = "athenz.ssl_trust_store";
+ private static final String ATHENZ_PROP_TRUSTSTORE_TYPE = "athenz.ssl_trust_store_type";
+ private static final String ATHENZ_PROP_TRUSTSTORE_PASSWORD = "athenz.ssl_trust_store_password";
+ private static final String ATHENZ_PROP_TRUSTSTORE_PASSWORD_APPNAME = "athenz.ssl_trust_store_password_appname";
+ private static final String ATHENZ_PROP_TRUSTSTORE_PASSWORD_KEYGROUPNAME = "athenz.ssl_trust_store_password_keygroupname";
+
+ private static final String ATHENZ_PROP_PROVIDER_CLIENT_PUBLIC_CERT_PATH = "athenz.zts.provider.ssl_client_public_cert_path";
+ private static final String ATHENZ_PROP_PROVIDER_CLIENT_PRIVATE_KEY_PATH = "athenz.zts.provider.ssl_client_private_key_path";
+ private static final String ATHENZ_PROP_PROVIDER_CLIENT_TRUSTSTORE_PATH = "athenz.zts.provider.ssl_client_trust_store";
+ private static final String ATHENZ_PROP_PROVIDER_CLIENT_TRUSTSTORE_PASSWORD = "athenz.zts.provider.ssl_client_trust_store_password";
+ private static final String ATHENZ_PROP_PROVIDER_CLIENT_TRUSTSTORE_PASSWORD_APPNAME = "athenz.zts.provider.ssl_client_trust_store_password_appname";
+ private static final String ATHENZ_PROP_PROVIDER_CLIENT_TRUSTSTORE_PASSWORD_KEYGROUPNAME = "athenz.zts.provider.ssl_client_trust_store_password_keygroupname";
private final static char[] EMPTY_PASSWORD = "".toCharArray();
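Review bot: Of the eighteen added lines in this hunk only the three `*_KEYGROUPNAME` constants are new; the other fifteen are the removed lines re-emitted with different alignment whitespace. Re-aligning the whole group turns a three-line addition into a thirty-three-line hunk that reviewers and `git blame` must wade through, and the same pattern repeats in ZMSFileChangeLogStoreFactory and ZTSConsts earlier in this patch. Adding the new constants with the existing alignment, or doing the re-alignment in a separate whitespace-only commit, keeps the security-relevant change visible.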
@@ -87,14 +90,18 @@ public static SslContextFactory.Client createSSLContextObject(final String[] cli
String keyStorePath = System.getProperty(ZTSConsts.ZTS_PROP_KEYSTORE_PATH);
String keyStorePasswordAppName = System.getProperty(ZTSConsts.ZTS_PROP_KEYSTORE_PASSWORD_APPNAME);
+ String keyStorePasswordKeygroupName = System.getProperty(ZTSConsts.ZTS_PROP_KEYSTORE_PASSWORD_KEYGROUPNAME);
String keyStorePassword = System.getProperty(ZTSConsts.ZTS_PROP_KEYSTORE_PASSWORD);
String keyStoreType = System.getProperty(ZTSConsts.ZTS_PROP_KEYSTORE_TYPE, "PKCS12");
+
String keyManagerPassword = System.getProperty(ZTSConsts.ZTS_PROP_KEYMANAGER_PASSWORD);
String keyManagerPasswordAppName = System.getProperty(ZTSConsts.ZTS_PROP_KEYMANAGER_PASSWORD_APPNAME);
+ String keyManagerPasswordKeygroupName = System.getProperty(ZTSConsts.ZTS_PROP_KEYMANAGER_PASSWORD_KEYGROUPNAME);
String trustStorePath = System.getProperty(ZTSConsts.ZTS_PROP_TRUSTSTORE_PATH);
String trustStorePassword = System.getProperty(ZTSConsts.ZTS_PROP_TRUSTSTORE_PASSWORD);
String trustStorePasswordAppName = System.getProperty(ZTSConsts.ZTS_PROP_TRUSTSTORE_PASSWORD_APPNAME);
+ String trustStorePasswordKeygroupName = System.getProperty(ZTSConsts.ZTS_PROP_TRUSTSTORE_PASSWORD_KEYGROUPNAME);
String trustStoreType = System.getProperty(ZTSConsts.ZTS_PROP_TRUSTSTORE_TYPE, "PKCS12");
String excludedCipherSuites = System.getProperty(ZTSConsts.ZTS_PROP_EXCLUDED_CIPHER_SUITES,
@@ -109,13 +116,13 @@ public static SslContextFactory.Client createSSLContextObject(final String[] cli
}
if (!StringUtil.isEmpty(keyStorePassword)) {
- keyStorePassword = getApplicationSecret(privateKeyStore, keyStorePasswordAppName, keyStorePassword);
+ keyStorePassword = getApplicationSecret(privateKeyStore, keyStorePasswordAppName, keyStorePassword, keyStorePasswordKeygroupName);
sslContextFactory.setKeyStorePassword(keyStorePassword);
}
sslContextFactory.setKeyStoreType(keyStoreType);
if (!StringUtil.isEmpty(keyManagerPassword)) {
- keyManagerPassword = getApplicationSecret(privateKeyStore, keyManagerPasswordAppName, keyManagerPassword);
+ keyManagerPassword = getApplicationSecret(privateKeyStore, keyManagerPasswordAppName, keyManagerPassword, keyManagerPasswordKeygroupName);
sslContextFactory.setKeyManagerPassword(keyManagerPassword);
}
@@ -124,7 +131,7 @@ public static SslContextFactory.Client createSSLContextObject(final String[] cli
sslContextFactory.setTrustStorePath(trustStorePath);
}
if (!StringUtil.isEmpty(trustStorePassword)) {
- trustStorePassword = getApplicationSecret(privateKeyStore, trustStorePasswordAppName, trustStorePassword);
+ trustStorePassword = getApplicationSecret(privateKeyStore, trustStorePasswordAppName, trustStorePassword, trustStorePasswordKeygroupName);
sslContextFactory.setTrustStorePassword(trustStorePassword);
}
sslContextFactory.setTrustStoreType(trustStoreType);
@@ -140,17 +147,17 @@ public static SslContextFactory.Client createSSLContextObject(final String[] cli
}
static String getApplicationSecret(final PrivateKeyStore privateKeyStore,
- final String keyStorePasswordAppName, final String keyStorePassword) {
- return String.valueOf(getSecret(privateKeyStore, keyStorePasswordAppName, keyStorePassword));
+ final String keyStorePasswordAppName, final String keyStorePassword, final String keygroupName) {
+ return String.valueOf(getSecret(privateKeyStore, keyStorePasswordAppName, keyStorePassword, keygroupName));
}
static char[] getSecret(final PrivateKeyStore privateKeyStore,
- final String keyStorePasswordAppName, final String keyStorePassword) {
+ final String keyStorePasswordAppName, final String keyStorePassword, final String keyStorePasswordKeygroupName) {
if (privateKeyStore == null) {
return keyStorePassword.toCharArray();
}
- return privateKeyStore.getSecret(keyStorePasswordAppName, null, keyStorePassword);
+ return privateKeyStore.getSecret(keyStorePasswordAppName, keyStorePasswordKeygroupName, keyStorePassword);
}
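Review bot: The two helpers now take their arguments as `(appName, password, keygroupName)` while forwarding them as `privateKeyStore.getSecret(appName, keygroupName, password)`, so the same three Strings appear in two different orders one line apart, and the new parameter is named `keygroupName` in getApplicationSecret but `keyStorePasswordKeygroupName` in getSecret. Because all three are Strings, a swapped call compiles silently, which is exactly the slip this inconsistency invites. Matching the PrivateKeyStore order, `static char[] getSecret(final PrivateKeyStore privateKeyStore, final String keyStorePasswordAppName, final String keyStorePasswordKeygroupName, final String keyStorePassword)`, or at least using a single parameter name in both helpers, makes call sites self-checking. Callers in createSSLContextObject read the keygroup property without a default, so null reaches getSecret when it is absent; that is fine only if PrivateKeyStore treats null as "no keygroup", which this chunk does not show.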
public static boolean emitMonmetricError(int errorCode, String caller,
@@ -329,8 +336,11 @@ public static SSLContext getAthenzProviderClientSSLContext(PrivateKeyStore priva
final String serverTrustStorePasswordAppName = System.getProperty(ATHENZ_PROP_TRUSTSTORE_PASSWORD_APPNAME);
final String trustStorePasswordAppName = System.getProperty(ATHENZ_PROP_PROVIDER_CLIENT_TRUSTSTORE_PASSWORD_APPNAME,
serverTrustStorePasswordAppName);
+ final String serverTrustStorePasswordKeygroupName = System.getProperty(ATHENZ_PROP_TRUSTSTORE_PASSWORD_KEYGROUPNAME);
+ final String trustStorePasswordKeygroupName = System.getProperty(ATHENZ_PROP_PROVIDER_CLIENT_TRUSTSTORE_PASSWORD_KEYGROUPNAME,
+ serverTrustStorePasswordKeygroupName);
try {
- final char[] passwordChars = getSecret(privateKeyStore, trustStorePasswordAppName, trustStorePassword);
+ final char[] passwordChars = getSecret(privateKeyStore, trustStorePasswordAppName, trustStorePassword, trustStorePasswordKeygroupName);
KeyRefresher keyRefresher = Utils.generateKeyRefresher(trustStorePath, passwordChars, certPath, keyPath);
keyRefresher.startup();
return Utils.buildSSLContext(keyRefresher.getKeyManagerProxy(), keyRefresher.getTrustManagerProxy());
@@ -347,6 +357,7 @@ public static SSLContext getAthenzServerSSLContext(PrivateKeyStore privateKeySto
return null;
}
final String keyStorePasswordAppName = System.getProperty(ATHENZ_PROP_KEYSTORE_PASSWORD_APPNAME);
+ final String keyStorePasswordKeygroupName = System.getProperty(ATHENZ_PROP_KEYSTORE_PASSWORD_KEYGROUPNAME);
final String keyStorePassword = System.getProperty(ATHENZ_PROP_KEYSTORE_PASSWORD);
final String keyStoreType = System.getProperty(ATHENZ_PROP_KEYSTORE_TYPE, "PKCS12");
@@ -358,6 +369,7 @@ public static SSLContext getAthenzServerSSLContext(PrivateKeyStore privateKeySto
final String trustStorePassword = System.getProperty(ATHENZ_PROP_TRUSTSTORE_PASSWORD);
final String trustStorePasswordAppName = System.getProperty(ATHENZ_PROP_TRUSTSTORE_PASSWORD_APPNAME);
+ final String trustStorePasswordKeygroupName = System.getProperty(ATHENZ_PROP_TRUSTSTORE_PASSWORD_KEYGROUPNAME);
final String trustStoreType = System.getProperty(ATHENZ_PROP_TRUSTSTORE_TYPE, "PKCS12");
SSLContext sslcontext = null;
@@ -365,7 +377,7 @@ public static SSLContext getAthenzServerSSLContext(PrivateKeyStore privateKeySto
TrustManagerFactory tmfactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
try (FileInputStream instream = new FileInputStream(trustStorePath)) {
KeyStore trustStore = KeyStore.getInstance(trustStoreType);
- final char[] password = getSecret(privateKeyStore, trustStorePasswordAppName, trustStorePassword);
+ final char[] password = getSecret(privateKeyStore, trustStorePasswordAppName, trustStorePassword, trustStorePasswordKeygroupName);
trustStore.load(instream, password != null ? password : EMPTY_PASSWORD);
tmfactory.init(trustStore);
}
@@ -373,7 +385,7 @@ public static SSLContext getAthenzServerSSLContext(PrivateKeyStore privateKeySto
KeyManagerFactory kmfactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
try (FileInputStream instream = new FileInputStream(keyStorePath)) {
KeyStore keyStore = KeyStore.getInstance(keyStoreType);
- final char[] password = getSecret(privateKeyStore, keyStorePasswordAppName, keyStorePassword);
+ final char[] password = getSecret(privateKeyStore, keyStorePasswordAppName, keyStorePassword, keyStorePasswordKeygroupName);
keyStore.load(instream, password != null ? password : EMPTY_PASSWORD);
kmfactory.init(keyStore, password != null ? password : EMPTY_PASSWORD);
}
diff --git a/servers/zts/src/main/java/com/yahoo/athenz/zts/workload/impl/JDBCWorkloadRecordStoreFactory.java b/servers/zts/src/main/java/com/yahoo/athenz/zts/workload/impl/JDBCWorkloadRecordStoreFactory.java
index 1e92a2cfb37..c2c3eadd31e 100644
--- a/servers/zts/src/main/java/com/yahoo/athenz/zts/workload/impl/JDBCWorkloadRecordStoreFactory.java
+++ b/servers/zts/src/main/java/com/yahoo/athenz/zts/workload/impl/JDBCWorkloadRecordStoreFactory.java
@@ -35,10 +35,11 @@ public WorkloadRecordStore create(PrivateKeyStore keyStore) {
final String jdbcUser = System.getProperty(ZTSConsts.ZTS_PROP_WORKLOAD_JDBC_USER);
final String password = System.getProperty(ZTSConsts.ZTS_PROP_WORKLOAD_JDBC_PASSWORD, "");
final String jdbcAppName = System.getProperty(ZTSConsts.ZTS_PROP_WORKLOAD_JDBC_APP_NAME, JDBC);
+ final String jdbcKeygroupName = System.getProperty(ZTSConsts.ZTS_PROP_WORKLOAD_JDBC_KEYGROUP_NAME, "");
Properties props = new Properties();
props.setProperty(ZTSConsts.DB_PROP_USER, jdbcUser);
- props.setProperty(ZTSConsts.DB_PROP_PASSWORD, String.valueOf(keyStore.getSecret(jdbcAppName, null, password)));
+ props.setProperty(ZTSConsts.DB_PROP_PASSWORD, String.valueOf(keyStore.getSecret(jdbcAppName, jdbcKeygroupName, password)));
props.setProperty(ZTSConsts.DB_PROP_VERIFY_SERVER_CERT,
System.getProperty(ZTSConsts.ZTS_PROP_WORKLOAD_JDBC_VERIFY_SERVER_CERT, "false"));
props.setProperty(ZTSConsts.DB_PROP_USE_SSL,
diff --git a/servers/zts/src/test/java/com/yahoo/athenz/zts/cert/impl/JDBCCertRecordStoreFactoryTest.java b/servers/zts/src/test/java/com/yahoo/athenz/zts/cert/impl/JDBCCertRecordStoreFactoryTest.java
index 23f9e1aa6cf..b08302c2708 100644
--- a/servers/zts/src/test/java/com/yahoo/athenz/zts/cert/impl/JDBCCertRecordStoreFactoryTest.java
+++ b/servers/zts/src/test/java/com/yahoo/athenz/zts/cert/impl/JDBCCertRecordStoreFactoryTest.java
@@ -34,7 +34,7 @@ public void testCreate() {
System.setProperty(ZTSConsts.ZTS_PROP_CERT_JDBC_PASSWORD, "password");
PrivateKeyStore keyStore = Mockito.mock(PrivateKeyStore.class);
- Mockito.doReturn("password".toCharArray()).when(keyStore).getSecret("jdbc", null, "password");
+ Mockito.doReturn("password".toCharArray()).when(keyStore).getSecret("jdbc", "", "password");
JDBCCertRecordStoreFactory factory = new JDBCCertRecordStoreFactory();
CertRecordStore store = factory.create(keyStore);
diff --git a/servers/zts/src/test/java/com/yahoo/athenz/zts/cert/impl/JDBCSSHRecordStoreFactoryTest.java b/servers/zts/src/test/java/com/yahoo/athenz/zts/cert/impl/JDBCSSHRecordStoreFactoryTest.java
index 4d97c7ccef5..64776fc4747 100644
--- a/servers/zts/src/test/java/com/yahoo/athenz/zts/cert/impl/JDBCSSHRecordStoreFactoryTest.java
+++ b/servers/zts/src/test/java/com/yahoo/athenz/zts/cert/impl/JDBCSSHRecordStoreFactoryTest.java
@@ -33,7 +33,7 @@ public void testCreate() {
System.setProperty(ZTSConsts.ZTS_PROP_SSH_JDBC_PASSWORD, "password");
PrivateKeyStore keyStore = Mockito.mock(PrivateKeyStore.class);
- Mockito.doReturn("password".toCharArray()).when(keyStore).getSecret("jdbc", null, "password");
+ Mockito.doReturn("password".toCharArray()).when(keyStore).getSecret("jdbc", "", "password");
JDBCSSHRecordStoreFactory factory = new JDBCSSHRecordStoreFactory();
SSHRecordStore store = factory.create(keyStore);
diff --git a/servers/zts/src/test/java/com/yahoo/athenz/zts/utils/ZTSUtilsTest.java b/servers/zts/src/test/java/com/yahoo/athenz/zts/utils/ZTSUtilsTest.java
index b889dac1ad3..89e830aa8ac 100644
--- a/servers/zts/src/test/java/com/yahoo/athenz/zts/utils/ZTSUtilsTest.java
+++ b/servers/zts/src/test/java/com/yahoo/athenz/zts/utils/ZTSUtilsTest.java
@@ -319,14 +319,14 @@ public void testValidateCertReqCommonNameException() {
@Test
public void testGetApplicationSecret() {
- assertEquals(ZTSUtils.getApplicationSecret(null, "appname", "pass"), "pass");
+ assertEquals(ZTSUtils.getApplicationSecret(null, "appname", "pass", null), "pass");
PrivateKeyStore keyStore = Mockito.mock(PrivateKeyStore.class);
Mockito.when(keyStore.getSecret(null, null, "pass")).thenReturn("app234".toCharArray());
- assertEquals(ZTSUtils.getSecret(keyStore, null, "pass"), "app234".toCharArray());
+ assertEquals(ZTSUtils.getSecret(keyStore, null, "pass", null), "app234".toCharArray());
Mockito.when(keyStore.getSecret("appname", null, "passname")).thenReturn("app123".toCharArray());
- assertEquals(ZTSUtils.getSecret(keyStore, "appname", "passname"), "app123".toCharArray());
+ assertEquals(ZTSUtils.getSecret(keyStore, "appname", "passname", null), "app123".toCharArray());
}
@Test
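Review bot: None of the three assertions in testGetApplicationSecret passes a non-null keygroup name, so the new fourth parameter is never shown to reach `PrivateKeyStore.getSecret`; every stub still uses `null` in the middle position and would match even if the helper silently dropped the argument. Add one case that pins the forwarding, e.g. `Mockito.when(keyStore.getSecret("appname", "group", "passname")).thenReturn("app456".toCharArray());` followed by `assertEquals(ZTSUtils.getSecret(keyStore, "appname", "passname", "group"), "app456".toCharArray());`. The test method is fully contained in this hunk.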
diff --git a/servers/zts/src/test/java/com/yahoo/athenz/zts/workload/impl/JDBCWorkloadRecordStoreFactoryTest.java b/servers/zts/src/test/java/com/yahoo/athenz/zts/workload/impl/JDBCWorkloadRecordStoreFactoryTest.java
index 49c4a8a24c5..05e87e99c5a 100644
--- a/servers/zts/src/test/java/com/yahoo/athenz/zts/workload/impl/JDBCWorkloadRecordStoreFactoryTest.java
+++ b/servers/zts/src/test/java/com/yahoo/athenz/zts/workload/impl/JDBCWorkloadRecordStoreFactoryTest.java
@@ -33,10 +33,13 @@ public void testCreate() {
System.setProperty(ZTSConsts.ZTS_PROP_WORKLOAD_JDBC_PASSWORD, "password");
PrivateKeyStore keyStore = Mockito.mock(PrivateKeyStore.class);
- Mockito.doReturn("password".toCharArray()).when(keyStore).getSecret("jdbc", null, "password");
+ Mockito.doReturn("password".toCharArray()).when(keyStore).getSecret("jdbc", "", "password");
JDBCWorkloadRecordStoreFactory factory = new JDBCWorkloadRecordStoreFactory();
WorkloadRecordStore store = factory.create(keyStore);
Assert.assertNotNull(store);
+ System.clearProperty(ZTSConsts.ZTS_PROP_WORKLOAD_JDBC_STORE);
+ System.clearProperty(ZTSConsts.ZTS_PROP_WORKLOAD_JDBC_USER);
+ System.clearProperty(ZTSConsts.ZTS_PROP_WORKLOAD_JDBC_PASSWORD);
}
}
\ No newline at end of file
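Review bot: The three added `System.clearProperty(...)` calls run only after `Assert.assertNotNull(store)` succeeds, so a failing assertion leaves the workload JDBC properties set for whatever test runs next in the same JVM; moving them into a teardown method (`@AfterMethod` or `@After`, depending on the framework the `Assert` import comes from) makes the cleanup unconditional. The new side also still ends without a trailing newline, as the `\ No newline at end of file` marker shows. The start of testCreate, where the properties are set, is outside the hunk.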
diff --git a/syncers/auth_history_syncer/src/main/java/com/yahoo/athenz/syncer/auth/history/AuthHistorySyncerConsts.java b/syncers/auth_history_syncer/src/main/java/com/yahoo/athenz/syncer/auth/history/AuthHistorySyncerConsts.java
index 9573837c86d..6557f66e8ab 100644
--- a/syncers/auth_history_syncer/src/main/java/com/yahoo/athenz/syncer/auth/history/AuthHistorySyncerConsts.java
+++ b/syncers/auth_history_syncer/src/main/java/com/yahoo/athenz/syncer/auth/history/AuthHistorySyncerConsts.java
@@ -22,19 +22,20 @@ public class AuthHistorySyncerConsts {
private AuthHistorySyncerConsts() {
}
- public static final String PROP_DYNAMODB_KEY_PATH = "auth_history_syncer.dynamodb_key_path";
- public static final String PROP_DYNAMODB_CERT_PATH = "auth_history_syncer.dynamodb_cert_path";
- public static final String PROP_DYNAMODB_DOMAIN = "auth_history_syncer.dynamodb_aws_domain";
- public static final String PROP_DYNAMODB_ROLE = "auth_history_syncer.dynamodb_aws_role";
- public static final String PROP_DYNAMODB_TRUSTSTORE = "auth_history_syncer.dynamodb_trust_store_path";
- public static final String PROP_DYNAMODB_TRUSTSTORE_PASSWORD = "auth_history_syncer.dynamodb_trust_store_password";
- public static final String PROP_DYNAMODB_TRUSTSTORE_APPNAME = "auth_history_syncer.dynamodb_trust_store_app_name";
- public static final String PROP_DYNAMODB_REGION = "auth_history_syncer.dynamodb_region";
- public static final String PROP_DYNAMODB_ZTS_URL = "auth_history_syncer.dynamodb_zts_url";
- public static final String PROP_DYNAMODB_EXTERNAL_ID = "auth_history_syncer.dynamodb_external_id";
- public static final String PROP_DYNAMODB_MIN_EXPIRY_TIME = "auth_history_syncer.dynamodb_min_expiry_time";
- public static final String PROP_DYNAMODB_MAX_EXPIRY_TIME = "auth_history_syncer.dynamodb_max_expiry_time";
+ public static final String PROP_DYNAMODB_KEY_PATH = "auth_history_syncer.dynamodb_key_path";
+ public static final String PROP_DYNAMODB_CERT_PATH = "auth_history_syncer.dynamodb_cert_path";
+ public static final String PROP_DYNAMODB_DOMAIN = "auth_history_syncer.dynamodb_aws_domain";
+ public static final String PROP_DYNAMODB_ROLE = "auth_history_syncer.dynamodb_aws_role";
+ public static final String PROP_DYNAMODB_TRUSTSTORE = "auth_history_syncer.dynamodb_trust_store_path";
+ public static final String PROP_DYNAMODB_TRUSTSTORE_PASSWORD = "auth_history_syncer.dynamodb_trust_store_password";
+ public static final String PROP_DYNAMODB_TRUSTSTORE_APPNAME = "auth_history_syncer.dynamodb_trust_store_app_name";
+ public static final String PROP_DYNAMODB_TRUSTSTORE_KEYGROUPNAME = "auth_history_syncer.dynamodb_trust_store_keygroup_name";
+ public static final String PROP_DYNAMODB_REGION = "auth_history_syncer.dynamodb_region";
+ public static final String PROP_DYNAMODB_ZTS_URL = "auth_history_syncer.dynamodb_zts_url";
+ public static final String PROP_DYNAMODB_EXTERNAL_ID = "auth_history_syncer.dynamodb_external_id";
+ public static final String PROP_DYNAMODB_MIN_EXPIRY_TIME = "auth_history_syncer.dynamodb_min_expiry_time";
+ public static final String PROP_DYNAMODB_MAX_EXPIRY_TIME = "auth_history_syncer.dynamodb_max_expiry_time";
- public static final String PROP_CLOUDWATCH_ZMS_LOG_GROUP = "auth_history_syncer.cloudwatch_zms_log_group";
- public static final String PROP_CLOUDWATCH_ZTS_LOG_GROUP = "auth_history_syncer.cloudwatch_zts_log_group";
+ public static final String PROP_CLOUDWATCH_ZMS_LOG_GROUP = "auth_history_syncer.cloudwatch_zms_log_group";
+ public static final String PROP_CLOUDWATCH_ZTS_LOG_GROUP = "auth_history_syncer.cloudwatch_zts_log_group";
}
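Review bot: Only one constant, `PROP_DYNAMODB_TRUSTSTORE_KEYGROUPNAME`, is actually added here, but re-aligning the `=` column of every neighbouring constant turns it into a 14-line delta, which hides the substantive line in review and in future blame output. Keeping the existing alignment for this change (or doing the realignment in a separate formatting commit) would make the addition easy to spot.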
diff --git a/syncers/auth_history_syncer/src/main/java/com/yahoo/athenz/syncer/auth/history/impl/DynamoDBAuthHistorySenderFactory.java b/syncers/auth_history_syncer/src/main/java/com/yahoo/athenz/syncer/auth/history/impl/DynamoDBAuthHistorySenderFactory.java
index b183150c041..3fdc72804d2 100644
--- a/syncers/auth_history_syncer/src/main/java/com/yahoo/athenz/syncer/auth/history/impl/DynamoDBAuthHistorySenderFactory.java
+++ b/syncers/auth_history_syncer/src/main/java/com/yahoo/athenz/syncer/auth/history/impl/DynamoDBAuthHistorySenderFactory.java
@@ -56,7 +56,8 @@ private DynamoDBClientSettings getClientSettings(PrivateKeyStore pkeyStore) {
String maxExpiryTimeStr = System.getProperty(PROP_DYNAMODB_MAX_EXPIRY_TIME, "");
Integer minExpiryTime = minExpiryTimeStr.isEmpty() ? null : Integer.parseInt(minExpiryTimeStr);
Integer maxExpiryTime = maxExpiryTimeStr.isEmpty() ? null : Integer.parseInt(maxExpiryTimeStr);
+ String keygroupName = System.getProperty(PROP_DYNAMODB_TRUSTSTORE_KEYGROUPNAME, "");
- return new DynamoDBClientSettings(certPath, domainName, roleName, trustStore, trustStorePassword, ztsURL, region, keyPath, appName, pkeyStore, externalId, minExpiryTime, maxExpiryTime);
+ return new DynamoDBClientSettings(certPath, domainName, roleName, trustStore, trustStorePassword, ztsURL, region, keyPath, appName, pkeyStore, externalId, minExpiryTime, maxExpiryTime, keygroupName);
}
}
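Review bot: DynamoDBClientSettings now receives a 14th positional argument, and since most of the arguments appear to be strings, a transposed pair (for instance `appName` and `keygroupName`) would compile silently; the constructor's parameter order cannot be confirmed from this hunk, so it is worth checking against the class. The new `String keygroupName = System.getProperty(PROP_DYNAMODB_TRUSTSTORE_KEYGROUPNAME, "");` is also read after the expiry-time parsing rather than beside the other `PROP_DYNAMODB_TRUSTSTORE_*` reads, which presumably sit above the hunk; moving it up would keep the trust-store settings grouped. A builder or record for DynamoDBClientSettings would make the call self-describing.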