diff --git a/servers/zts/src/main/java/com/yahoo/athenz/zts/ZTSImpl.java b/servers/zts/src/main/java/com/yahoo/athenz/zts/ZTSImpl.java
index d808c305ea5..79c90398652 100644
--- a/servers/zts/src/main/java/com/yahoo/athenz/zts/ZTSImpl.java
+++ b/servers/zts/src/main/java/com/yahoo/athenz/zts/ZTSImpl.java
@@ -558,12 +558,8 @@ AuditLogMsgBuilder getAuditLogMsgBuilder(ResourceContext ctx, String domainName,
 Principal princ = ((RsrcCtxWrapper) ctx).principal();
 if (princ != null) {
- String unsignedCreds = princ.getUnsignedCredentials();
- if (unsignedCreds == null) {
- msgBldr.who(princ.getFullName());
- } else {
- msgBldr.who(unsignedCreds);
- }
+ final String unsignedCreds = princ.getUnsignedCredentials();
+ msgBldr.who(unsignedCreds == null ? princ.getFullName() : unsignedCreds);
 }
 // get the client IP
@@ -1392,8 +1388,8 @@ public RoleAccess getRoleAccess(ResourceContext ctx, String domainName, String p
 }
 @Override
- public RoleToken postRoleCertificateRequest(ResourceContext ctx, String domainName, String roleName,
- RoleCertificateRequest req) {
+ public RoleToken postRoleCertificateRequest(ResourceContext ctx, String domainName,
+ String roleName, RoleCertificateRequest req) {
 final String caller = "postrolecertificaterequest";
 final String callerTiming = "postrolecertificaterequest_timing";
@@ -1472,8 +1468,11 @@ public RoleToken postRoleCertificateRequest(ResourceContext ctx, String domainNa
 // validate request/csr details
+ X509Certificate cert = principal.getX509Certificate();
+ final String ipAddress = ServletRequestUtil.getRemoteAddress(ctx.request());
+
 if (!validateRoleCertificateRequest(req.getCsr(), domainName, roles, principalName,
- validCertSubjectOrgValues)) {
+ cert, ipAddress, validCertSubjectOrgValues)) {
 throw requestError("postRoleCertificateRequest: Unable to validate cert request",
 caller, domainName);
 }
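Review bot: In the `@@ -1472` hunk the CSR-to-connection IP binding is anchored on `ServletRequestUtil.getRemoteAddress(ctx.request())`, whose implementation is outside this diff; if that helper prefers a forwarded header such as X-Forwarded-For, the compared address is client-supplied and a CSR replayed from any host can satisfy the check. The `ipAddress` line deserves a comment stating the assumption, e.g. `// remote address is the trust anchor for the CSR IP binding; it must not be taken from client-settable headers`, and the helper should be confirmed to honor forwarded headers only behind a trusted proxy. Also `principal.getX509Certificate()` may be null for token-authenticated principals, which silently switches the callee to the connection-IP comparison; a one-line comment there would save the next reader a trip into `X509RoleCertRequest`. `postRoleCertificateRequest` starts and ends outside this hunk.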
@@ -1491,7 +1490,8 @@ public RoleToken postRoleCertificateRequest(ResourceContext ctx, String domainNa
 }
 boolean validateRoleCertificateRequest(final String csr, final String domainName,
- Set roles, final String principal, Set validOrgValues) {
+ Set roles, final String principal, X509Certificate cert,
+ final String ip, Set validOrgValues) {
 X509RoleCertRequest certReq;
 try {
@@ -1501,7 +1501,13 @@ boolean validateRoleCertificateRequest(final String csr, final String domainName
 return false;
 }
- return certReq.validate(roles, domainName, principal, validOrgValues);
+ if (!certReq.validate(roles, domainName, principal, validOrgValues)) {
+ return false;
+ }
+
+ // validate the ip address if any provided
+
+ return certReq.validateIPAddress(cert, ip);
 }
 boolean isAuthorizedServicePrincipal(final Principal principal) {
@@ -2406,14 +2412,21 @@ public Identity postInstanceRefreshRequest(ResourceContext ctx, String domain,
 if (!x509CertReq.validatePublicKeys(publicKey)) {
 throw requestError("Invalid CSR - public key mismatch", caller, domain);
 }
-
+
+ // verify the IP address in the request matches where the connection
+ // is coming from
+
+ final String ipAddress = ServletRequestUtil.getRemoteAddress(ctx.request());
+ if (!x509CertReq.validateIPAddress(ipAddress)) {
+ throw requestError("Invalid CSR - IP address mismatch", caller, domain);
+ }
+
 // if this is not a user request and the principal authority is the
 // certificate authority then we're refreshing our certificate as
 // opposed to requesting a new one for the service so we're going
 // to do further validation based on the certificate we authenticated
 if (refreshOperation) {
- final String ipAddress = ServletRequestUtil.getRemoteAddress(ctx.request());
 ServiceX509RefreshRequestStatus status = validateServiceX509RefreshRequest(principal,
 x509CertReq, ipAddress);
 if (status == ServiceX509RefreshRequestStatus.IP_NOT_ALLOWED) {
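Review bot: When `certReq.validateIPAddress(cert, ip)` fails, `validateRoleCertificateRequest` returns `false` without logging, and the caller folds that into the generic "Unable to validate cert request" error, so a role-cert CSR presented from the wrong host leaves no distinguishable trace for detection or incident response. Log the decision before returning, e.g. `LOGGER.error("validateRoleCertificateRequest: IP mismatch for principal {} in domain {} from {}", principal, domainName, ip);`, matching the multi-IP rejection that `X509CertRequest.validateIPAddress` already logs at error level. The parse-failure branch just above the hunk presumably logs as well, but its log call is not visible here.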
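Review bot: Moving the `ipAddress` lookup and the new `validateIPAddress` check above the `if (refreshOperation)` branch changes behavior for every caller of `postInstanceRefreshRequest`, not only certificate-authenticated refreshes: a user principal, or any client behind NAT, whose single-IP CSR does not match the socket address now receives "Invalid CSR - IP address mismatch". If that is intended the comment should say so, e.g. `// applies to all callers, including user-authenticated requests; multi-IP CSRs are rejected here and must use the provider flow`; if not, the check belongs inside the refresh branch. The 400 also does not tell the client whether it was the multiple-IP rejection or a real mismatch, which is only recorded server-side by the error log in `X509CertRequest`. The enclosing method starts and ends outside this hunk.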
diff --git a/servers/zts/src/main/java/com/yahoo/athenz/zts/cert/X509CertRequest.java b/servers/zts/src/main/java/com/yahoo/athenz/zts/cert/X509CertRequest.java
index 26e0429de4c..959299586cc 100644
--- a/servers/zts/src/main/java/com/yahoo/athenz/zts/cert/X509CertRequest.java
+++ b/servers/zts/src/main/java/com/yahoo/athenz/zts/cert/X509CertRequest.java
@@ -251,6 +251,28 @@ public boolean validatePublicKeys(X509Certificate cert) {
 return true;
 }
+ public boolean validateIPAddress(final String ip) {
+
+ // if we have no IP addresses in the request, then we're good
+
+ if (ipAddresses.isEmpty()) {
+ return true;
+ }
+
+ // if we have more than 1 IP address in the request then
+ // we're going to reject it as we can't validate if those
+ // multiple addresses are from the same host. In this
+ // scenario a provider model must be used which supports
+ // multiple IPs in a request
+
+ if (ipAddresses.size() != 1) {
+ LOGGER.error("Cert request contains multiple IP: {} addresses", ipAddresses.size());
+ return false;
+ }
+
+ return ipAddresses.get(0).equals(ip);
+ }
+
 boolean validateSpiffeURI(final String domain, final String name, final String value) {
 // first extract the URI list from the request
diff --git a/servers/zts/src/main/java/com/yahoo/athenz/zts/cert/X509RoleCertRequest.java b/servers/zts/src/main/java/com/yahoo/athenz/zts/cert/X509RoleCertRequest.java
index c0db9b0c515..8186855119e 100644
--- a/servers/zts/src/main/java/com/yahoo/athenz/zts/cert/X509RoleCertRequest.java
+++ b/servers/zts/src/main/java/com/yahoo/athenz/zts/cert/X509RoleCertRequest.java
@@ -21,6 +21,7 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import java.security.cert.X509Certificate;
 import java.util.List;
 import java.util.Set;
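Review bot: `ipAddresses.get(0).equals(ip)` in `X509CertRequest.validateIPAddress` is a plain string comparison, so the outcome depends on both sides using the same textual form; an IPv6 address rendered as `::1` by the CSR SAN parser and as `0:0:0:0:0:0:0:1` by `getRemoteAddr()` would be rejected, while a `null` remote address fails closed, which is the right default. Either document the contract, e.g. `// textual comparison: the remote address must be supplied in the same canonical form the CSR SAN parser produces`, or normalize both sides with a parser that never resolves host names before comparing. The log message `"Cert request contains multiple IP: {} addresses"` reads oddly; `"Cert request contains {} IP addresses, only one is allowed"` is clearer for whoever triages the alert.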
@@ -107,4 +108,31 @@ public boolean validate(Set roles, final String domainName,
 return validateSpiffeURI(domainName, "role", roleName);
 }
+
+ public boolean validateIPAddress(X509Certificate cert, final String ip) {
+
+ // if we have no IP addresses in the request, then we're good
+
+ if (ipAddresses.isEmpty()) {
+ return true;
+ }
+
+ // if we have a certificate then we need to make sure
+ // that all the ip addresses in the request match
+ // the ip addresses in the certificate
+
+ if (cert != null) {
+
+ List certIPs = Crypto.extractX509CertIPAddresses(cert);
+
+ // if the certificate has no ip then we'll do
+ // validation based on the connection ip
+
+ if (!certIPs.isEmpty()) {
+ return certIPs.containsAll(ipAddresses);
+ }
+ }
+
+ return validateIPAddress(ip);
+ }
 }
diff --git a/servers/zts/src/test/java/com/yahoo/athenz/zts/RsrcCtxWrapperTest.java b/servers/zts/src/test/java/com/yahoo/athenz/zts/RsrcCtxWrapperTest.java
index 2ff5208bc84..90608eb0cb4 100644
--- a/servers/zts/src/test/java/com/yahoo/athenz/zts/RsrcCtxWrapperTest.java
+++ b/servers/zts/src/test/java/com/yahoo/athenz/zts/RsrcCtxWrapperTest.java
@@ -24,6 +24,8 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import com.yahoo.athenz.auth.impl.PrincipalAuthority;
+import com.yahoo.athenz.auth.impl.SimplePrincipal;
 import org.mockito.Mockito;
 import org.testng.annotations.Test;
 import com.yahoo.athenz.common.metrics.Metric;
@@ -33,7 +35,7 @@ public class RsrcCtxWrapperTest {
 @Test
- public void TestRsrcCtxWrapperSimpleAssertion() {
+ public void testRsrcCtxWrapperSimpleAssertion() {
 HttpServletRequest reqMock = Mockito.mock(HttpServletRequest.class);
 HttpServletResponse resMock = Mockito.mock(HttpServletResponse.class);
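Review bot: In `X509RoleCertRequest.validateIPAddress`, once the caller's certificate carries IP SANs the connection address is never consulted, so `certIPs.containsAll(ipAddresses)` accepts any subset of the certificate's IPs regardless of where the request arrives from; that is defensible because those IPs were bound at issuance, but the comment should state it, e.g. `// with IP SANs in the cert, the cert (bound at issuance) is the source of truth and the socket address is intentionally not checked`. None of the `validateRoleCertificateRequest` tests in this diff pass a non-null certificate, so the `containsAll` branch is not exercised here unless `X509RoleCertRequestTest` (not in the diff) covers it. `containsAll` is also a textual match, so the same canonical-form caveat as the single-IP comparison applies. The `List certIPs` without a type argument is presumably a rendering artifact of `List<String>`.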
@@ -52,7 +54,8 @@ public void TestRsrcCtxWrapperSimpleAssertion() { Mockito.when(reqMock.getMethod()).thenReturn("POST"); authListMock.add(authMock); - RsrcCtxWrapper wrapper = new RsrcCtxWrapper(reqMock, resMock, authListMock, false, authorizerMock, metricMock); + RsrcCtxWrapper wrapper = new RsrcCtxWrapper(reqMock, resMock, authListMock, false, + authorizerMock, metricMock); assertNotNull(wrapper.context()); @@ -77,7 +80,7 @@ public void TestRsrcCtxWrapperSimpleAssertion() { } @Test - public void TestAuthorize() { + public void testAuthorize() { HttpServletRequest reqMock = Mockito.mock(HttpServletRequest.class); HttpServletResponse resMock = Mockito.mock(HttpServletResponse.class); @@ -109,7 +112,7 @@ public void TestAuthorize() { } @Test(expectedExceptions = { ResourceException.class }) - public void TestAuthorizeInvalid() { + public void testAuthorizeInvalid() { HttpServletRequest reqMock = Mockito.mock(HttpServletRequest.class); HttpServletResponse resMock = Mockito.mock(HttpServletResponse.class); 
@@ -130,4 +133,54 @@ public void TestAuthorizeInvalid() { // when not set authority wrapper.authorize("add-domain", "test", "test"); } + + @Test + public void testLogPrincipal() { + + HttpServletRequest servletRequest = new MockHttpServletRequest(); + HttpServletResponse servletResponse = Mockito.mock(HttpServletResponse.class); + + AuthorityList authListMock = new AuthorityList(); + Authorizer authorizerMock = Mockito.mock(Authorizer.class); + Metric metricMock = Mockito.mock(Metric.class); + + RsrcCtxWrapper wrapper = new RsrcCtxWrapper(servletRequest, servletResponse, + authListMock, false, authorizerMock, metricMock); + + wrapper.logPrincipal((Principal) null); + assertNull(servletRequest.getAttribute("com.yahoo.athenz.auth.principal")); + + wrapper.logPrincipal((String) null); + assertNull(servletRequest.getAttribute("com.yahoo.athenz.auth.principal")); + + SimplePrincipal principal = (SimplePrincipal) SimplePrincipal.create("hockey", "kings", + "v=S1,d=hockey;n=kings;s=sig", 0, new PrincipalAuthority()); + + wrapper.logPrincipal(principal); + assertEquals(servletRequest.getAttribute("com.yahoo.athenz.auth.principal"), "hockey.kings"); + } + + @Test + public void testThrowZtsException() { + + HttpServletRequest servletRequest = new MockHttpServletRequest(); + HttpServletResponse servletResponse = Mockito.mock(HttpServletResponse.class); + + AuthorityList authListMock = new AuthorityList(); + Authorizer authorizerMock = Mockito.mock(Authorizer.class); + Metric metricMock = Mockito.mock(Metric.class); + + RsrcCtxWrapper wrapper = new RsrcCtxWrapper(servletRequest, servletResponse, + authListMock, false, authorizerMock, metricMock); + + com.yahoo.athenz.common.server.rest.ResourceException restExc = + new com.yahoo.athenz.common.server.rest.ResourceException(503, null); + + try { + wrapper.throwZtsException(restExc); + fail(); + } catch (ResourceException ex) { + assertEquals(503, ex.getCode()); + } + } } 
diff --git a/servers/zts/src/test/java/com/yahoo/athenz/zts/ZTSImplTest.java b/servers/zts/src/test/java/com/yahoo/athenz/zts/ZTSImplTest.java index 77af0e36121..303429c7888 100644 --- a/servers/zts/src/test/java/com/yahoo/athenz/zts/ZTSImplTest.java +++ b/servers/zts/src/test/java/com/yahoo/athenz/zts/ZTSImplTest.java @@ -17,6 +17,8 @@ import java.io.File; import java.io.IOException; +import java.net.InetAddress; +import java.net.UnknownHostException; import java.nio.file.Files; import java.nio.file.Path; import java.nio.file.Paths; @@ -28,10 +30,9 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; -import javax.ws.rs.WebApplicationException; import javax.ws.rs.core.Response; -import org.bouncycastle.pkcs.PKCS10CertificationRequest; +import com.yahoo.athenz.common.server.log.AuditLogMsgBuilder; import org.mockito.ArgumentMatchers; import org.mockito.Mock; import org.mockito.Mockito; @@ -50,7 +51,6 @@ import com.yahoo.athenz.auth.impl.UserAuthority; import com.yahoo.athenz.auth.util.Crypto; import com.yahoo.athenz.common.metrics.Metric; -import com.yahoo.athenz.common.server.cert.CertSigner; import com.yahoo.athenz.common.server.log.AuditLogger; import com.yahoo.athenz.common.server.log.impl.DefaultAuditLogger; import com.yahoo.athenz.common.utils.SignUtils; @@ -73,7 +73,6 @@ import com.yahoo.athenz.zts.cert.InstanceCertManager; import com.yahoo.athenz.zts.cert.X509CertRecord; import com.yahoo.athenz.zts.cert.X509CertRequest; -import com.yahoo.athenz.zts.cert.impl.SelfCertSigner; import com.yahoo.athenz.zts.store.ChangeLogStore; import com.yahoo.athenz.zts.store.CloudStore; import com.yahoo.athenz.zts.store.DataStore; 
@@ -2273,7 +2272,27 @@ public void testGetTenantDomainsSingleDomain() { assertEquals(tenantDomains.getTenantDomainNames().size(), 1); assertEquals(tenantDomains.getTenantDomainNames().get(0), "weather.frontpage"); } - + + @Test + public void testGetTenantDomainsSingleDomainRoleSvcName() { + + SignedDomain signedDomain = createSignedDomain("athenz.product", "weather.frontpage", "storage", true); + store.processDomain(signedDomain, false); + + signedDomain = createTenantSignedDomain("weather.frontpage", "athenz.product", "storage"); + store.processDomain(signedDomain, false); + + SimplePrincipal principal = (SimplePrincipal) SimplePrincipal.create("hockey", "kings", + "v=S1,d=hockey;n=kings;s=sig", 0, new PrincipalAuthority()); + ResourceContext context = createResourceContext(principal); + + TenantDomains tenantDomains = zts.getTenantDomains(context, "athenz.product", + "user_domain.user100", "storage.tenant.weather.frontpage.admin", "storage"); + assertNotNull(tenantDomains); + assertEquals(tenantDomains.getTenantDomainNames().size(), 1); + assertEquals(tenantDomains.getTenantDomainNames().get(0), "weather.frontpage"); + } + @Test public void testGetTenantDomainsMultipleDomains() { @@ -2291,7 +2310,8 @@ public void testGetTenantDomainsMultipleDomains() { "v=S1,d=hockey;n=kings;s=sig", 0, new PrincipalAuthority()); ResourceContext context = createResourceContext(principal); - TenantDomains tenantDomains = zts.getTenantDomains(context, "athenz.multiple", "user_domain.user100", null, null); + TenantDomains tenantDomains = zts.getTenantDomains(context, "athenz.multiple", + "user_domain.user100", null, null); assertNotNull(tenantDomains); assertEquals(tenantDomains.getTenantDomainNames().size(), 2); assertTrue(tenantDomains.getTenantDomainNames().contains("hockey.kings")); 
@@ -2872,7 +2892,199 @@ public void testPostOSTKInstanceInformationInvalidCsr() { assertEquals(ex.getCode(), 400); } } - + + @Test + public void testPostOSTKInstanceInformation() throws IOException { + + ChangeLogStore structStore = new ZMSFileChangeLogStore("/tmp/zts_server_unit_tests/zts_root", + privateKey, "0"); + + DataCache dataCacheSys = new DataCache(); + + DataStore store = Mockito.mock(DataStore.class); + Mockito.when(store.getDataCache("sys.auth")).thenReturn(dataCacheSys); + Mockito.when(store.getPublicKey("sys.auth", "hostsignd", "0")).thenReturn("key"); + + Path path = Paths.get("src/test/resources/athenz.instanceid.csr"); + String certCsr = new String(Files.readAllBytes(path)); + OSTKInstanceInformation info = new OSTKInstanceInformation() + .setCsr(certCsr) + .setDocument("Test Document") + .setSignature("Test Signature") + .setKeyId("0") + .setDomain("athenz") + .setService("production"); + + Mockito.when(mockCloudStore.verifyInstanceDocument(info, "key")).thenReturn(true); + + ZTSImpl ztsImpl = new ZTSImpl(mockCloudStore, store); + + HttpServletRequest servletRequest = Mockito.mock(HttpServletRequest.class); + Mockito.when(servletRequest.isSecure()).thenReturn(true); + + ResourceContext context = createResourceContext(null, servletRequest); + + Identity identity = ztsImpl.postOSTKInstanceInformation(context, info); + assertNotNull(identity); + } + + @Test + public void testPostOSTKInstanceInformationInvalidConfig() throws IOException { + + ChangeLogStore structStore = new ZMSFileChangeLogStore("/tmp/zts_server_unit_tests/zts_root", + privateKey, "0"); + + DataCache dataCacheSys = new DataCache(); + + DataStore store = Mockito.mock(DataStore.class); + Mockito.when(store.getDataCache("sys.auth")).thenReturn(dataCacheSys); + Mockito.when(store.getPublicKey("sys.auth", "hostsignd", "0")).thenReturn("key"); + + Path path = Paths.get("src/test/resources/athenz.instanceid.csr"); + String certCsr = new String(Files.readAllBytes(path)); + 
OSTKInstanceInformation info = new OSTKInstanceInformation() + .setCsr(certCsr) + .setDocument("Test Document") + .setSignature("Test Signature") + .setKeyId("0") + .setDomain("athenz") + .setService("production"); + + Mockito.when(mockCloudStore.verifyInstanceDocument(info, "key")).thenReturn(true); + + ZTSImpl ztsImpl = new ZTSImpl(mockCloudStore, store); + ztsImpl.ostkHostSignerDomain = null; + + HttpServletRequest servletRequest = Mockito.mock(HttpServletRequest.class); + Mockito.when(servletRequest.isSecure()).thenReturn(true); + + ResourceContext context = createResourceContext(null, servletRequest); + + try { + ztsImpl.postOSTKInstanceInformation(context, info); + fail(); + } catch (ResourceException ex) { + assertEquals(ex.getCode(), 500); + } + } + + @Test + public void testPostOSTKInstanceInformationVerifyFailed() throws IOException { + + ChangeLogStore structStore = new ZMSFileChangeLogStore("/tmp/zts_server_unit_tests/zts_root", + privateKey, "0"); + + DataCache dataCacheSys = new DataCache(); + + DataStore store = Mockito.mock(DataStore.class); + Mockito.when(store.getDataCache("sys.auth")).thenReturn(dataCacheSys); + Mockito.when(store.getPublicKey("sys.auth", "hostsignd", "0")).thenReturn("key"); + + Path path = Paths.get("src/test/resources/athenz.instanceid.csr"); + String certCsr = new String(Files.readAllBytes(path)); + OSTKInstanceInformation info = new OSTKInstanceInformation() + .setCsr(certCsr) + .setDocument("Test Document") + .setSignature("Test Signature") + .setKeyId("0") + .setDomain("athenz") + .setService("production"); + + Mockito.when(mockCloudStore.verifyInstanceDocument(info, "key")).thenReturn(false); + + ZTSImpl ztsImpl = new ZTSImpl(mockCloudStore, store); + + HttpServletRequest servletRequest = Mockito.mock(HttpServletRequest.class); + Mockito.when(servletRequest.isSecure()).thenReturn(true); + + ResourceContext context = createResourceContext(null, servletRequest); + + try { + ztsImpl.postOSTKInstanceInformation(context, 
info); + fail(); + } catch (ResourceException ex) { + assertEquals(ex.getCode(), 400); + } + } + + @Test + public void testPostOSTKInstanceInformationInvalidDomain() throws IOException { + + ChangeLogStore structStore = new ZMSFileChangeLogStore("/tmp/zts_server_unit_tests/zts_root", + privateKey, "0"); + + DataCache dataCacheSys = new DataCache(); + + DataStore store = Mockito.mock(DataStore.class); + Mockito.when(store.getDataCache("sys.auth")).thenReturn(null); + Mockito.when(store.getPublicKey("sys.auth", "hostsignd", "0")).thenReturn("key"); + + Path path = Paths.get("src/test/resources/athenz.instanceid.csr"); + String certCsr = new String(Files.readAllBytes(path)); + OSTKInstanceInformation info = new OSTKInstanceInformation() + .setCsr(certCsr) + .setDocument("Test Document") + .setSignature("Test Signature") + .setKeyId("0") + .setDomain("athenz") + .setService("production"); + + Mockito.when(mockCloudStore.verifyInstanceDocument(info, "key")).thenReturn(true); + + ZTSImpl ztsImpl = new ZTSImpl(mockCloudStore, store); + + HttpServletRequest servletRequest = Mockito.mock(HttpServletRequest.class); + Mockito.when(servletRequest.isSecure()).thenReturn(true); + + ResourceContext context = createResourceContext(null, servletRequest); + + try { + ztsImpl.postOSTKInstanceInformation(context, info); + fail(); + } catch (ResourceException ex) { + assertEquals(ex.getCode(), 404); + } + } + + @Test + public void testPostOSTKInstanceInformationInvalidKey() throws IOException { + + ChangeLogStore structStore = new ZMSFileChangeLogStore("/tmp/zts_server_unit_tests/zts_root", + privateKey, "0"); + + DataCache dataCacheSys = new DataCache(); + + DataStore store = Mockito.mock(DataStore.class); + Mockito.when(store.getDataCache("sys.auth")).thenReturn(dataCacheSys); + Mockito.when(store.getPublicKey("sys.auth", "hostsignd", "0")).thenReturn(null); + + Path path = Paths.get("src/test/resources/athenz.instanceid.csr"); + String certCsr = new String(Files.readAllBytes(path)); 
+ OSTKInstanceInformation info = new OSTKInstanceInformation() + .setCsr(certCsr) + .setDocument("Test Document") + .setSignature("Test Signature") + .setKeyId("0") + .setDomain("athenz") + .setService("production"); + + Mockito.when(mockCloudStore.verifyInstanceDocument(info, "key")).thenReturn(true); + + ZTSImpl ztsImpl = new ZTSImpl(mockCloudStore, store); + + HttpServletRequest servletRequest = Mockito.mock(HttpServletRequest.class); + Mockito.when(servletRequest.isSecure()).thenReturn(true); + + ResourceContext context = createResourceContext(null, servletRequest); + + try { + ztsImpl.postOSTKInstanceInformation(context, info); + fail(); + } catch (ResourceException ex) { + assertEquals(ex.getCode(), 404); + } + } + @Test public void testPostOSTKInstanceRefreshRequest() throws IOException { Path path = Paths.get("src/test/resources/athenz.instanceid.csr"); 
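Review bot: Each of the five new `testPostOSTKInstanceInformation*` tests builds a `ZMSFileChangeLogStore` under `/tmp/zts_server_unit_tests/zts_root` and assigns it to `structStore`, but the variable is never used because the test then mocks `DataStore`; the line is dead and touches the filesystem for nothing. Drop `ChangeLogStore structStore = new ZMSFileChangeLogStore(...)` from those tests. The happy-path test only checks `assertNotNull(identity)`; asserting on the returned name or certificate would pin what the OSTK flow actually issues.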
@@ -3202,8 +3414,86 @@ public void testPostInstanceRefreshRequest() throws IOException { X509Certificate cert = Crypto.loadX509Certificate(identity.getCertificate()); assertNotNull(cert); + + // request same identity with expiry time + + req.setExpiryTime(1000); + identity = zts.postInstanceRefreshRequest(context, "athenz", "syncer", req); + assertNotNull(identity); } - + + @Test + public void testPostInstanceRefreshRequestSubjOMismatch() throws IOException { + + Set origOrgValues = zts.validCertSubjectOrgValues; + Set newOrgValues = new HashSet<>(); + newOrgValues.add("Mismatch Org"); + zts.validCertSubjectOrgValues = newOrgValues; + + Path path = Paths.get("src/test/resources/valid.csr"); + String certCsr = new String(Files.readAllBytes(path)); + + InstanceRefreshRequest req = new InstanceRefreshRequest().setCsr(certCsr); + + SimplePrincipal principal = (SimplePrincipal) SimplePrincipal.create("athenz", + "syncer", "v=S1,d=athenz;n=syncer;s=sig", 0, new PrincipalAuthority()); + principal.setKeyId("0"); + String publicKeyName = "athenz.syncer_0"; + final String ztsPublicKey = "-----BEGIN PUBLIC KEY-----\n" + + "MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKrvfvBgXWqWAorw5hYJu3dpOJe0gp3n\n" + + "TgiiPGT7+jzm6BRcssOBTPFIMkePT2a8Tq+FYSmFnHfbQjwmYw2uMK8CAwEAAQ==\n" + + "-----END PUBLIC KEY-----"; + zts.dataStore.getPublicKeyCache().put(publicKeyName, ztsPublicKey); + + HttpServletRequest servletRequest = Mockito.mock(HttpServletRequest.class); + Mockito.when(servletRequest.isSecure()).thenReturn(true); + + ResourceContext context = createResourceContext(principal, servletRequest); + + try { + zts.postInstanceRefreshRequest(context, "athenz", "syncer", req); + fail(); + } catch (ResourceException ex) { + assertEquals(ex.getCode(), 400); + } + + // reset our original org values + + zts.validCertSubjectOrgValues = origOrgValues; + } + + @Test + public void testPostInstanceRefreshRequestMismatchIP() throws IOException { + + Path path = 
Paths.get("src/test/resources/athenz.single_ip.csr"); + String certCsr = new String(Files.readAllBytes(path)); + + InstanceRefreshRequest req = new InstanceRefreshRequest().setCsr(certCsr); + + SimplePrincipal principal = (SimplePrincipal) SimplePrincipal.create("athenz", + "production", "v=S1,d=athenz;n=production;s=sig", 0, new PrincipalAuthority()); + principal.setKeyId("0"); + String publicKeyName = "athenz.production_0"; + final String ztsPublicKey = "-----BEGIN PUBLIC KEY-----\n" + + "MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMCfPNQO/3+rIwR4B1Ulr4w/CZR2i3LY\n" + + "XH/dNcm+DCxpmEUtMVsnbYAJm2uVUVKk0UX1mxu5L8pDepBY+X1LEHsCAwEAAQ==\n" + + "-----END PUBLIC KEY-----"; + zts.dataStore.getPublicKeyCache().put(publicKeyName, ztsPublicKey); + + HttpServletRequest servletRequest = Mockito.mock(HttpServletRequest.class); + Mockito.when(servletRequest.isSecure()).thenReturn(true); + Mockito.when(servletRequest.getRemoteAddr()).thenReturn("10.0.0.1"); + + ResourceContext context = createResourceContext(principal, servletRequest); + + try { + zts.postInstanceRefreshRequest(context, "athenz", "production", req); + fail(); + } catch (ResourceException ex) { + assertEquals(ex.getCode(), 400); + } + } + @Test public void testPostInstanceRefreshRequestHcaCNMismatch() throws IOException { Path path = Paths.get("src/test/resources/valid.csr"); @@ -3226,7 +3516,6 @@ public void testPostInstanceRefreshRequestHcaCNMismatch() throws IOException { } } - @Test public void testPostInstanceRefreshRequestHcaPrincipalMismatch() throws IOException { Path path = Paths.get("src/test/resources/valid.csr"); @@ -3680,7 +3969,7 @@ public void testValidateRoleCertificateRequestMismatchRole() throws IOException Set roles = new HashSet<>(); roles.add("writer"); - assertFalse(zts.validateRoleCertificateRequest(csr, "sports", roles, "sports.scores", null)); + assertFalse(zts.validateRoleCertificateRequest(csr, "sports", roles, "sports.scores", null, "10.0.0.1", null)); } @Test 
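Review bot: `testPostInstanceRefreshRequestMismatchIP` only asserts `ex.getCode() == 400`, so a 400 from any earlier check (public-key or subject-O mismatch) would also pass and the new IP comparison is not actually pinned; add `assertTrue(ex.getMessage().contains("IP address mismatch"));` inside the catch. A matching positive case, stubbing `getRemoteAddr()` to the address carried in `athenz.single_ip.csr`, would prove the happy path as well. In `testPostInstanceRefreshRequestSubjOMismatch` the reset of `zts.validCertSubjectOrgValues` is skipped if the assertion fails, leaking the mismatch set into later tests; wrap the body in `try { ... } finally { zts.validCertSubjectOrgValues = origOrgValues; }`.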
@@ -3691,7 +3980,7 @@ public void testValidateRoleCertificateRequestMismatchEmail() throws IOException Set roles = new HashSet<>(); roles.add("readers"); - assertFalse(zts.validateRoleCertificateRequest(csr, "sports", roles, "sports.standings", null)); + assertFalse(zts.validateRoleCertificateRequest(csr, "sports", roles, "sports.standings", null, "10.0.0.1", null)); } @Test @@ -3702,7 +3991,7 @@ public void testValidateRoleCertificateRequestNoEmail() throws IOException { Set roles = new HashSet<>(); roles.add("readers"); - assertFalse(zts.validateRoleCertificateRequest(csr, "sports", roles, "no-email", null)); + assertFalse(zts.validateRoleCertificateRequest(csr, "sports", roles, "no-email", null, "10.0.0.1", null)); } @Test @@ -3716,7 +4005,7 @@ public void testValidateRoleCertificateRequestInvalidOField() throws IOException Set validOValues = new HashSet<>(); validOValues.add("InvalidCompany"); - assertFalse(zts.validateRoleCertificateRequest(csr, "sports", roles, "sports.scores", validOValues)); + assertFalse(zts.validateRoleCertificateRequest(csr, "sports", roles, "sports.scores", null, "10.0.0.1", validOValues)); } @Test @@ -3727,15 +4016,15 @@ public void testValidateRoleCertificateRequest() throws IOException { Set roles = new HashSet<>(); roles.add("readers"); - assertTrue(zts.validateRoleCertificateRequest(csr, "sports", roles, "sports.scores", null)); + assertTrue(zts.validateRoleCertificateRequest(csr, "sports", roles, "sports.scores", null, "10.0.0.1", null)); Set validOValues = new HashSet<>(); validOValues.add("Athenz"); - assertTrue(zts.validateRoleCertificateRequest(csr, "sports", roles, "sports.scores", validOValues)); + assertTrue(zts.validateRoleCertificateRequest(csr, "sports", roles, "sports.scores", null, "10.0.0.1", validOValues)); } @Test - public void testGetRoleTokenCert() { + public void testPostRoleCertificateRequest() { // this csr is for sports:role.readers role RoleCertificateRequest req = new RoleCertificateRequest() 
@@ -3757,9 +4046,41 @@ public void testGetRoleTokenCert() { assertNotNull(roleToken); assertEquals(roleToken.getExpiryTime(), TimeUnit.SECONDS.convert(30, TimeUnit.DAYS)); } - + + @Test + public void testPostRoleCertificateRequestNullCertReturn() { + + // this csr is for sports:role.readers role + RoleCertificateRequest req = new RoleCertificateRequest() + .setCsr(ROLE_CERT_CORETECH_REQUEST).setExpiryTime(3600L); + + SignedDomain signedDomain = createSignedDomain("coretech", "weather", "storage", true); + store.processDomain(signedDomain, false); + + CloudStore cloudStore = new MockCloudStore(); + store.setCloudStore(cloudStore); + zts.cloudStore = cloudStore; + + Principal principal = SimplePrincipal.create("user_domain", "user1", + "v=U1;d=user_domain;n=user;s=signature", 0, null); + ResourceContext context = createResourceContext(principal); + + InstanceCertManager certManager = Mockito.mock(InstanceCertManager.class); + Mockito.when(certManager.generateIdentity(ROLE_CERT_CORETECH_REQUEST, "coretech.weathers", + "client", 3600)).thenReturn(null); + zts.instanceCertManager = certManager; + + try { + zts.postRoleCertificateRequest(context, "coretech", "readers", req); + fail(); + } catch (ResourceException ex) { + assertEquals(ex.getCode(), 500); + assertTrue(ex.getMessage().contains("Unable to create certificate from the cert signer")); + } + } + @Test - public void testGetRoleTokenCertInvalidRequests() { + public void testPostRoleCertificateRequestInvalidRequests() { // this csr is for sports:role.readers role @@ -3804,7 +4125,7 @@ public void testGetRoleTokenCertInvalidRequests() { } @Test - public void testGetRoleTokenCertMismatchDomain() { + public void testPostRoleCertificateRequestMismatchDomain() { RoleCertificateRequest req = new RoleCertificateRequest() .setCsr(ROLE_CERT_DB_REQUEST).setExpiryTime(3600L); 
@@ -3825,7 +4146,32 @@ public void testGetRoleTokenCertMismatchDomain() { assertEquals(ex.getCode(), 400); } } - + + @Test + public void testPostRoleCertificateRequestAuthorizedPrincipal() { + + RoleCertificateRequest req = new RoleCertificateRequest() + .setCsr(ROLE_CERT_DB_REQUEST).setExpiryTime(3600L); + + SignedDomain signedDomain = createSignedDomain("coretech", "weather", "storage", true); + store.processDomain(signedDomain, false); + + SimplePrincipal principal = (SimplePrincipal) SimplePrincipal.create("user_domain", "user1", + "v=U1;d=user_domain;n=user;s=signature", 0, null); + principal.setAuthorizedService("athenz.api"); + ResourceContext context = createResourceContext(principal); + + // this time we're passing an invalid role name + + try { + zts.postRoleCertificateRequest(context, "coretech", "readers", req); + fail(); + } catch (ResourceException ex) { + assertEquals(ex.getCode(), 403); + assertTrue(ex.getMessage().contains("Authorized Service Principals not allowed")); + } + } + @Test public void testLogPrincipalEmpty() { MockHttpServletRequest request = new MockHttpServletRequest(); @@ -3853,7 +4199,7 @@ public void testMemberNameMatch() { } @Test - public void testConverToLowerCaseInstanceRegisterInformation() { + public void testConverToLowerCase() { InstanceRegisterInformation info = new InstanceRegisterInformation() .setDomain("Domain").setService("Service").setProvider("Provider.Service"); 
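Review bot: The comment `// this time we're passing an invalid role name` in `testPostRoleCertificateRequestAuthorizedPrincipal` is stale copy from the neighbouring test; the request uses the normal role and the 403 comes from `principal.setAuthorizedService("athenz.api")` ("Authorized Service Principals not allowed"). Replace it with `// an authorized-service principal must not be able to obtain a role certificate`.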
@@ -3862,6 +4208,17 @@ public void testConverToLowerCaseInstanceRegisterInformation() { assertEquals(info.getService(), "service"); assertEquals(info.getDomain(), "domain"); assertEquals(info.getProvider(), "provider.service"); + + List list = new ArrayList<>(); + list.add("Domain"); + list.add("service"); + + AthenzObject.LIST.convertToLowerCase(list); + assertEquals("domain", list.get(0)); + assertEquals("service", list.get(1)); + + // should not cause any exceptions + AthenzObject.LIST.convertToLowerCase(null); } private SignedDomain signedAuthorizedProviderDomain() { 
@@ -6562,6 +6919,58 @@ public void testPostInstanceRefreshRequestByServiceCertValidateFail() throws IOE } } + @Test + public void testPostInstanceRefreshRequestByServiceCertValidateIPFail() throws IOException { + + ChangeLogStore structStore = new ZMSFileChangeLogStore("/tmp/zts_server_unit_tests/zts_root", + privateKey, "0"); + + DataStore store = new DataStore(structStore, null); + ZTSImpl ztsImpl = new ZTSImpl(mockCloudStore, store); + + Path path = Paths.get("src/test/resources/valid_provider_refresh.csr"); + String certCsr = new String(Files.readAllBytes(path)); + + InstanceRefreshRequest req = new InstanceRefreshRequest().setCsr(certCsr) + .setKeyId("v0"); + + path = Paths.get("src/test/resources/valid_provider_refresh.pem"); + String pem = new String(Files.readAllBytes(path)); + X509Certificate cert = Crypto.loadX509Certificate(pem); + + SimplePrincipal principal = (SimplePrincipal) SimplePrincipal.create("athenz", + "syncer", "v=S1,d=athenz;n=syncer;s=sig", 0, new CertificateAuthority()); + principal.setX509Certificate(cert); + + String publicKeyName = "athenz.syncer_v0"; + final String ztsPublicKey = "-----BEGIN PUBLIC KEY-----\n" + + "MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMp9ZHVDK2s/FyinpKpD7lSsU+d6TSRE\n" + + "NVo6sdLrEpOaCJETsh+0Qc0knhALxBD1+B9gS5F2rAFgtug0R6savvMCAwEAAQ==\n" + + "-----END PUBLIC KEY-----"; + ztsImpl.dataStore.getPublicKeyCache().put(publicKeyName, ztsPublicKey); + + ZTSAuthorizer authorizer = Mockito.mock(ZTSAuthorizer.class); + Mockito.when(authorizer.access("update", "athenz:service", principal, null)).thenReturn(true); + ztsImpl.authorizer = authorizer; + + HttpServletRequest servletRequest = Mockito.mock(HttpServletRequest.class); + Mockito.when(servletRequest.isSecure()).thenReturn(true); + Mockito.when(servletRequest.getRemoteAddr()).thenReturn("10.0.0.1"); + + InstanceCertManager instanceManager = Mockito.spy(ztsImpl.instanceCertManager); + Mockito.when(instanceManager.verifyCertRefreshIPAddress("10.0.0.1")).thenReturn(false); + 
ztsImpl.instanceCertManager = instanceManager;
+
+ ResourceContext context = createResourceContext(principal, servletRequest);
+
+ try {
+ ztsImpl.postInstanceRefreshRequest(context, "athenz", "syncer", req);
+ fail();
+ } catch (ResourceException ex) {
+ assertEquals(403, ex.getCode());
+ }
+ }
+
 @Test
 public void testPostInstanceRefreshRequestByUserInvalidCsr() {
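Review bot: Stubbing the spy with `Mockito.when(instanceManager.verifyCertRefreshIPAddress("10.0.0.1")).thenReturn(false)` calls the real verifyCertRefreshIPAddress on the spied InstanceCertManager while the stub is being recorded; `Mockito.doReturn(false).when(instanceManager).verifyCertRefreshIPAddress("10.0.0.1");` is the form that stubs a spy without calling through. The catch block only checks the status code, and the refresh path now carries two IP checks (the CSR SAN comparison and the refresh-IP allow check), so adding an assertion on `ex.getMessage()` would pin that the 403 is the refresh-IP rejection this test is named for rather than another authorization failure. The test method starts on the previous line of the diff.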
@@ -6861,4 +7270,109 @@ public void testPostSSHRequestException() throws IOException {
 assertTrue(ex.getMessage().contains("Failed to get ssh certs"));
 }
 }
+
+ @Test
+ public void testGetServerHostname() throws UnknownHostException {
+
+ InetAddress localhost = java.net.InetAddress.getLocalHost();
+ final String serverHostName = localhost.getCanonicalHostName();
+
+ assertEquals(serverHostName, ZTSImpl.getServerHostName());
+
+ System.setProperty(ZTSConsts.ZTS_PROP_HOSTNAME, "server1.athenz");
+ assertEquals("server1.athenz", ZTSImpl.getServerHostName());
+
+ System.clearProperty(ZTSConsts.ZTS_PROP_HOSTNAME);
+ }
+
+ @Test
+ public void testLoadInvalidClasses() {
+
+ ChangeLogStore structStore = new ZMSFileChangeLogStore("/tmp/zts_server_unit_tests/zts_root",
+ privateKey, "0");
+
+ DataStore store = new DataStore(structStore, null);
+ ZTSImpl ztsImpl = new ZTSImpl(mockCloudStore, store);
+
+ System.setProperty(ZTSConsts.ZTS_PROP_CHANGE_LOG_STORE_FACTORY_CLASS, "invalid.class");
+ assertNull(ztsImpl.getChangeLogStore("/tmp/zts_server_unit_tests/zts_root"));
+ System.clearProperty(ZTSConsts.ZTS_PROP_CHANGE_LOG_STORE_FACTORY_CLASS);
+
+ System.setProperty(ZTSConsts.ZTS_PROP_METRIC_FACTORY_CLASS, "invalid.class");
+ try {
+ ztsImpl.loadMetricObject();
+ fail();
+ } catch (Exception ex) {
+ assertTrue(ex.getMessage().contains("Invalid metric class"));
+ }
+ System.clearProperty(ZTSConsts.ZTS_PROP_METRIC_FACTORY_CLASS);
+
+ System.setProperty(ZTSConsts.ZTS_PROP_PRIVATE_KEY_STORE_FACTORY_CLASS, "invalid.class");
+ try {
+ ztsImpl.loadServicePrivateKey();
+ fail();
+ } catch (Exception ex) {
+ assertTrue(ex.getMessage().contains("Invalid private key store"));
+ }
+ System.clearProperty(ZTSConsts.ZTS_PROP_PRIVATE_KEY_STORE_FACTORY_CLASS);
+
+ System.setProperty(ZTSConsts.ZTS_PROP_AUDIT_LOGGER_FACTORY_CLASS, "invalid.class");
+ try {
+ ztsImpl.loadAuditLogger();
+ fail();
+ } catch (Exception ex) {
+ assertTrue(ex.getMessage().contains("Invalid audit logger class"));
+ }
+ 
System.clearProperty(ZTSConsts.ZTS_PROP_AUDIT_LOGGER_FACTORY_CLASS);
+
+ assertNull(ztsImpl.getAuthority("invalid.class"));
+
+ System.setProperty(ZTSConsts.ZTS_PROP_AUTHORITY_CLASSES, "invalid.class");
+ try {
+ ztsImpl.loadAuthorities();
+ fail();
+ } catch (Exception ex) {
+ assertTrue(ex.getMessage().contains("Invalid authority"));
+ }
+ System.clearProperty(ZTSConsts.ZTS_PROP_AUTHORITY_CLASSES);
+ }
+
+ @Test
+ public void testValidateRoleCertificateRequestInvalidCSR() {
+
+ ChangeLogStore structStore = new ZMSFileChangeLogStore("/tmp/zts_server_unit_tests/zts_root",
+ privateKey, "0");
+
+ DataStore store = new DataStore(structStore, null);
+ ZTSImpl ztsImpl = new ZTSImpl(mockCloudStore, store);
+
+ assertFalse((ztsImpl.validateRoleCertificateRequest("invalid-csr", null,
+ null, null, null, "10.0.0.1", null)));
+ }
+
+ @Test
+ public void testGetAuditLogMsgBuilderUnsignedCreds() {
+
+ SimplePrincipal principal = (SimplePrincipal) SimplePrincipal.create("athenz", "production",
+ "v=S1;d=athenz;n=production;s=signature", 0, null);
+ principal.setUnsignedCreds("unsigned-creds");
+
+ ResourceContext context = createResourceContext(principal);
+
+ AuditLogMsgBuilder msgBuilder = zts.getAuditLogMsgBuilder(context, "athenz", "test", "test");
+ assertEquals(msgBuilder.who(), "unsigned-creds");
+ }
+
+ @Test
+ public void testGetAuditLogMsgBuilderPrincipalName() {
+
+ SimplePrincipal principal = (SimplePrincipal) SimplePrincipal.create("athenz", "production",
+ "v=S1;d=athenz;n=production;s=signature", 0, null);
+ principal.setUnsignedCreds(null);
+
+ ResourceContext context = createResourceContext(principal);
+
+ AuditLogMsgBuilder msgBuilder = zts.getAuditLogMsgBuilder(context, "athenz", "test", "test");
+ assertEquals(msgBuilder.who(), "athenz.production");
+ }
 }
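Review bot: In testGetServerHostname and testLoadInvalidClasses the `System.clearProperty(...)` calls run only on the success path, so an assertion failure in between leaves `ZTSConsts.ZTS_PROP_HOSTNAME`, or one of the factory-class properties set to `invalid.class`, in place for every later test in the same JVM and turns one failure into a cascade. Wrap each set/assert pair as `try { System.setProperty(...); ... } finally { System.clearProperty(...); }`, or clear all of them in an `@AfterMethod`. The `catch (Exception ex)` blocks in testLoadInvalidClasses accept any exception type as the expected failure; catching the specific type the loaders throw (not visible in this hunk) would keep an unrelated runtime exception from satisfying the test. The hunk spans from the previous diff line to the closing brace of the class.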
diff --git a/servers/zts/src/test/java/com/yahoo/athenz/zts/cert/X509CertRequestTest.java b/servers/zts/src/test/java/com/yahoo/athenz/zts/cert/X509CertRequestTest.java
index 30e8a202dab..76cfe100142 100644
--- a/servers/zts/src/test/java/com/yahoo/athenz/zts/cert/X509CertRequestTest.java
+++ b/servers/zts/src/test/java/com/yahoo/athenz/zts/cert/X509CertRequestTest.java
@@ -624,4 +624,126 @@ public void testValidateSpiffeServiceCertMismatch() throws IOException {
 assertFalse(certReq.validate(provider, "athenz", "production", "1001", validOrgs, null, errorMsg));
 }
+
+ @Test
+ public void testValidateIPAddressMultipleIPs() throws IOException {
+
+ Path path = Paths.get("src/test/resources/multiple_ips.csr");
+ String csr = new String(Files.readAllBytes(path));
+
+ X509ServiceCertRequest certReq = new X509ServiceCertRequest(csr);
+ assertNotNull(certReq);
+
+ assertFalse(certReq.validateIPAddress("10.11.12.14"));
+ }
+
+ @Test
+ public void testValidateIPAddressNoIPs() throws IOException {
+
+ Path path = Paths.get("src/test/resources/valid.csr");
+ String csr = new String(Files.readAllBytes(path));
+
+ X509ServiceCertRequest certReq = new X509ServiceCertRequest(csr);
+ assertNotNull(certReq);
+
+ assertTrue(certReq.validateIPAddress("10.11.12.14"));
+ }
+
+ @Test
+ public void testValidateIPAddressMismatchIPs() throws IOException {
+
+ Path path = Paths.get("src/test/resources/athenz.single_ip.csr");
+ String csr = new String(Files.readAllBytes(path));
+
+ X509ServiceCertRequest certReq = new X509ServiceCertRequest(csr);
+ assertNotNull(certReq);
+
+ assertFalse(certReq.validateIPAddress("10.11.12.14"));
+ }
+
+ @Test
+ public void testValidateIPAddress() throws IOException {
+
+ Path path = Paths.get("src/test/resources/athenz.single_ip.csr");
+ String csr = new String(Files.readAllBytes(path));
+
+ X509ServiceCertRequest certReq = new X509ServiceCertRequest(csr);
+ assertNotNull(certReq);
+
+ assertTrue(certReq.validateIPAddress("10.11.12.13"));
+ }
+
+ @Test
+ public void testValidateRoleIPAddressNoIPs() throws IOException {
+
+ Path path = Paths.get("src/test/resources/spiffe_role.csr");
+ String csr = new String(Files.readAllBytes(path));
+
+ X509RoleCertRequest certReq = new X509RoleCertRequest(csr);
+ assertTrue(certReq.validateIPAddress(null, "10.10.11.12"));
+ }
+
+ @Test
+ public void testValidateRoleIPAddressNoCert() 
throws IOException {
+
+ Path path = Paths.get("src/test/resources/role_single_ip.csr");
+ String csr = new String(Files.readAllBytes(path));
+
+ X509RoleCertRequest certReq = new X509RoleCertRequest(csr);
+ assertTrue(certReq.validateIPAddress(null, "10.11.12.13"));
+ assertFalse(certReq.validateIPAddress(null, "10.10.11.12"));
+ }
+
+ @Test
+ public void testValidateRoleIPAddressCertNoIPs() throws IOException {
+
+ Path path = Paths.get("src/test/resources/role_single_ip.csr");
+ String csr = new String(Files.readAllBytes(path));
+
+ path = Paths.get("src/test/resources/athenz.instanceid.pem");
+ String pem = new String(Files.readAllBytes(path));
+ X509Certificate cert = Crypto.loadX509Certificate(pem);
+
+ X509RoleCertRequest certReq = new X509RoleCertRequest(csr);
+ assertTrue(certReq.validateIPAddress(cert, "10.11.12.13"));
+ assertFalse(certReq.validateIPAddress(cert, "10.10.11.12"));
+ }
+
+ @Test
+ public void testValidateRoleIPAddressCertIPs() throws IOException {
+
+ Path path = Paths.get("src/test/resources/role_single_ip.csr");
+ String csr = new String(Files.readAllBytes(path));
+
+ path = Paths.get("src/test/resources/svc_single_ip.pem");
+ String pem = new String(Files.readAllBytes(path));
+ X509Certificate cert1 = Crypto.loadX509Certificate(pem);
+
+ path = Paths.get("src/test/resources/svc_multiple_ip.pem");
+ pem = new String(Files.readAllBytes(path));
+ X509Certificate cert2 = Crypto.loadX509Certificate(pem);
+
+ X509RoleCertRequest certReq = new X509RoleCertRequest(csr);
+ assertTrue(certReq.validateIPAddress(cert1, "10.11.12.13"));
+ assertTrue(certReq.validateIPAddress(cert2, "10.11.12.13"));
+ }
+
+ @Test
+ public void testValidateRoleIPAddressCertMultipleIPs() throws IOException {
+
+ Path path = Paths.get("src/test/resources/role_multiple_ip.csr");
+ String csr = new String(Files.readAllBytes(path));
+
+ path = Paths.get("src/test/resources/svc_single_ip.pem");
+ String pem = new String(Files.readAllBytes(path));
+ X509Certificate cert1 = 
Crypto.loadX509Certificate(pem);
+
+ path = Paths.get("src/test/resources/svc_multiple_ip.pem");
+ pem = new String(Files.readAllBytes(path));
+ X509Certificate cert2 = Crypto.loadX509Certificate(pem);
+
+ X509RoleCertRequest certReq = new X509RoleCertRequest(csr);
+ assertFalse(certReq.validateIPAddress(cert1, "10.11.12.13"));
+ assertTrue(certReq.validateIPAddress(cert2, "10.11.12.13"));
+ }
 }
diff --git a/servers/zts/src/test/resources/athenz.single_ip.csr b/servers/zts/src/test/resources/athenz.single_ip.csr
new file mode 100644
index 00000000000..135e0a6771e
--- /dev/null
+++ b/servers/zts/src/test/resources/athenz.single_ip.csr
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBWTCCAQMCAQAwLTEPMA0GA1UEChMGQXRoZW56MRowGAYDVQQDExFhdGhlbnou
+cHJvZHVjdGlvbjBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDAnzzUDv9/qyMEeAdV
+Ja+MPwmUdoty2Fx/3TXJvgwsaZhFLTFbJ22ACZtrlVFSpNFF9ZsbuS/KQ3qQWPl9
+SxB7AgMBAAGgcTBvBgkqhkiG9w0BCQ4xYjBgMF4GA1UdEQRXMFWCI3Byb2R1Y3Rp
+b24uYXRoZW56Lm9zdGsuYXRoZW56LmNsb3VkgigxMDAxLmluc3RhbmNlaWQuYXRo
+ZW56Lm9zdGsuYXRoZW56LmNsb3VkhwQKCwwNMA0GCSqGSIb3DQEBCwUAA0EADe0j
+leNB7uCrcmTaxzeuAEYfoz0QtmmPTmr53MgRuZ8Vdy6i7scwg20sQvlEu2It++XH
++/NA5RLr/VFZx3spFA==
+-----END CERTIFICATE REQUEST-----
diff --git a/servers/zts/src/test/resources/role_multiple_ip.csr b/servers/zts/src/test/resources/role_multiple_ip.csr
new file mode 100644
index 00000000000..b87cecf9db6
--- /dev/null
+++ b/servers/zts/src/test/resources/role_multiple_ip.csr
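Review bot: Every one of the eight new tests decodes its fixture with `new String(Files.readAllBytes(path))`, which uses the JVM's default charset; PEM is ASCII so it passes today, but `new String(Files.readAllBytes(path), StandardCharsets.UTF_8)` (or `Files.readString(path)` if the build targets Java 11 or later) removes the dependence on `file.encoding`. The load-and-construct sequence is repeated verbatim, and a helper such as `private static String readResource(String name) throws IOException` would reduce each test to its assertions. testValidateIPAddressNoIPs and testValidateRoleIPAddressNoIPs pin the lenient case, a CSR with no IP SAN is accepted for any connection address, while the neighbouring tests treat a mismatch as a rejection; a one-line comment on those two tests stating that this leniency is intended, so a later reader does not take it for a gap, would help. The hunk ends at the closing brace of the class.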
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBhjCCATACAQAwLzEPMA0GA1UEChMGQXRoZW56MRwwGgYDVQQDExNhdGhlbno6
+cm9sZS53cml0ZXJzMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANSVPZysMo9FNv0N
+ASZRdtO0Cworhhiions/vr3JJiejYBz92CiU4IKsWCnHquR7i12VE1okEV1zESVt
+IZJLBpECAwEAAaCBmzCBmAYJKoZIhvcNAQkOMYGKMIGHMIGEBgNVHREEfTB7giNw
+cm9kdWN0aW9uLmF0aGVuei5vc3RrLmF0aGVuei5jbG91ZIIoMTAwMS5pbnN0YW5j
+ZWlkLmF0aGVuei5vc3RrLmF0aGVuei5jbG91ZIcECgsMDYcECgsMDoEeYXRoZW56
+LnByb2R1Y3Rpb25AYXRoZW56LmNsb3VkMA0GCSqGSIb3DQEBCwUAA0EA1BgwfZ9z
+J3JckIkJ0YVqP7HMDBC47aT7W2NgJFhibTHG1l30hYZSFzwjBYXPFX0gYjqIqFkt
+nLltcTRtENSABA==
+-----END CERTIFICATE REQUEST-----
diff --git a/servers/zts/src/test/resources/role_single_ip.csr b/servers/zts/src/test/resources/role_single_ip.csr
new file mode 100644
index 00000000000..bfde3585059
--- /dev/null
+++ b/servers/zts/src/test/resources/role_single_ip.csr
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBfzCCASkCAQAwLzEPMA0GA1UEChMGQXRoZW56MRwwGgYDVQQDExNhdGhlbno6
+cm9sZS53cml0ZXJzMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJzgKc/LjtzRV5pF
+R/q2dDzB3i5vAYykE3IWEWP9bf7l22HubMXqMJtwY1KkUp8suYzETwBoS73WVylP
+bX/7UdkCAwEAAaCBlDCBkQYJKoZIhvcNAQkOMYGDMIGAMH4GA1UdEQR3MHWCI3By
+b2R1Y3Rpb24uYXRoZW56Lm9zdGsuYXRoZW56LmNsb3VkgigxMDAxLmluc3RhbmNl
+aWQuYXRoZW56Lm9zdGsuYXRoZW56LmNsb3VkhwQKCwwNgR5hdGhlbnoucHJvZHVj
+dGlvbkBhdGhlbnouY2xvdWQwDQYJKoZIhvcNAQELBQADQQAXg0/FCC2wGAK7vHx5
+aBZxSXd20aUtywQlOqoKQ88L+oOSrNJKofxUQTtcsffqE5nJ491gd9ufYhHLneac
+WlGx
+-----END CERTIFICATE REQUEST-----
diff --git a/servers/zts/src/test/resources/svc_multiple_ip.pem b/servers/zts/src/test/resources/svc_multiple_ip.pem
new file mode 100644
index 00000000000..22d89acdec1
--- /dev/null
+++ b/servers/zts/src/test/resources/svc_multiple_ip.pem
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBwTCCAWugAwIBAgIJAIVOcqEq1CFeMA0GCSqGSIb3DQEBCwUAMC0xDzANBgNV
+BAoTBkF0aGVuejEaMBgGA1UEAxMRYXRoZW56LnByb2R1Y3Rpb24wHhcNMTgxMDA1
+MDUwMjU0WhcNMjgxMDAyMDUwMjU0WjAtMQ8wDQYDVQQKEwZBdGhlbnoxGjAYBgNV
+BAMTEWF0aGVuei5wcm9kdWN0aW9uMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAOp8
+MEZd0MfZERbdvuuVFoXYJklnDSotzpK4zaJdph00tVigaejJWLqs+xjVVABpxhIc
+OtIhOJ8sIkmRiYfFx8UCAwEAAaNuMGwwagYDVR0RBGMwYYIjcHJvZHVjdGlvbi5h
+dGhlbnoub3N0ay5hdGhlbnouY2xvdWSCKDEwMDEuaW5zdGFuY2VpZC5hdGhlbnou
+b3N0ay5hdGhlbnouY2xvdWSHBAoLDA2HBAoLDA6HBAoLDA8wDQYJKoZIhvcNAQEL
+BQADQQAIzRoSJuwQ7FFQnEKILaKHLTLbNvoSgAL7mU5l5xorzYZ0F7gkUjrShwIN
+sv6B4i7HrhUjpfjwB3Hb4ubgzPwL
+-----END CERTIFICATE-----
diff --git a/servers/zts/src/test/resources/svc_single_ip.pem b/servers/zts/src/test/resources/svc_single_ip.pem
new file mode 100644
index 00000000000..8df5fdba0b8
--- /dev/null
+++ b/servers/zts/src/test/resources/svc_single_ip.pem
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBtTCCAV+gAwIBAgIJAMxybUi4f2trMA0GCSqGSIb3DQEBCwUAMC0xDzANBgNV
+BAoTBkF0aGVuejEaMBgGA1UEAxMRYXRoZW56LnByb2R1Y3Rpb24wHhcNMTgxMDA1
+MDUwMzU3WhcNMjgxMDAyMDUwMzU3WjAtMQ8wDQYDVQQKEwZBdGhlbnoxGjAYBgNV
+BAMTEWF0aGVuei5wcm9kdWN0aW9uMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKAu
+YG1Sa2E+sCScqjjvhzC/7wIF3rgngbw3Irb3KNmFJjio/Q2oX2jDrKLv6Guun6LA
+rAJQjxU1BUKsyoMDwRECAwEAAaNiMGAwXgYDVR0RBFcwVYIjcHJvZHVjdGlvbi5h
+dGhlbnoub3N0ay5hdGhlbnouY2xvdWSCKDEwMDEuaW5zdGFuY2VpZC5hdGhlbnou
+b3N0ay5hdGhlbnouY2xvdWSHBAoLDA0wDQYJKoZIhvcNAQELBQADQQCDauLGD+ly
+cM63MDe7sqM79O+r1eP9ysVHhgmBEDehdwPDQRwVRV9L+wacTX118tCQEXwJtLrU
+gjW6cYdn4Os/
+-----END CERTIFICATE-----
\ No newline at end of file