diff --git a/.tidelift.yml b/.tidelift.yml
new file mode 100644
index 00000000000..b750fa559bf
--- /dev/null
+++ b/.tidelift.yml
@@ -0,0 +1,9 @@
+ci:
+ tests:
+ removed: fail
+ deprecated: warn
+ unmaintained: warn
+ unlicensed: warn
+ outdated: warn
+ vulnerable: fail
+ inactive_stream: fail
diff --git a/clients/java/zts/core/examples/tls-support/pom.xml b/clients/java/zts/core/examples/tls-support/pom.xml
index 627e62f29dd..67c742e0d44 100644
--- a/clients/java/zts/core/examples/tls-support/pom.xml
+++ b/clients/java/zts/core/examples/tls-support/pom.xml
@@ -27,7 +27,7 @@
UTF-8
UTF-8
- 1.8.30
+ 1.8.31
@@ -44,17 +44,17 @@
commons-cli
commons-cli
- 1.3.1
+ 1.4
org.slf4j
slf4j-api
- 1.7.25
+ 1.7.28
ch.qos.logback
logback-classic
- 1.1.3
+ 1.2.3
diff --git a/examples/java/centralized-use-case/client/pom.xml b/examples/java/centralized-use-case/client/pom.xml
index 63b9f538b57..f3f69b2ab1f 100644
--- a/examples/java/centralized-use-case/client/pom.xml
+++ b/examples/java/centralized-use-case/client/pom.xml
@@ -27,7 +27,7 @@
UTF-8
UTF-8
- 1.8.3
+ 1.8.31
diff --git a/examples/java/centralized-use-case/servlet/pom.xml b/examples/java/centralized-use-case/servlet/pom.xml
index 4252affa7de..793a390ef86 100644
--- a/examples/java/centralized-use-case/servlet/pom.xml
+++ b/examples/java/centralized-use-case/servlet/pom.xml
@@ -27,7 +27,7 @@
UTF-8
UTF-8
- 1.8.3
+ 1.8.31
diff --git a/examples/java/instance-provider/client/pom.xml b/examples/java/instance-provider/client/pom.xml
index 0ace69daa0e..5eee68ad28d 100644
--- a/examples/java/instance-provider/client/pom.xml
+++ b/examples/java/instance-provider/client/pom.xml
@@ -27,9 +27,9 @@
UTF-8
UTF-8
- 1.8.15
+ 1.8.31
2.9.9
- 2.27
+ 2.29
@@ -56,17 +56,17 @@
io.jsonwebtoken
jjwt
- 0.9.0
+ 0.9.1
com.fasterxml.jackson.core
jackson-annotations
- ${jackson.version}
+ 2.9.9
com.fasterxml.jackson.core
jackson-databind
- ${jackson.version}
+ 2.9.9.3
org.glassfish.jersey.media
diff --git a/examples/java/instance-provider/provider/pom.xml b/examples/java/instance-provider/provider/pom.xml
index 774fce12134..42a396a34f0 100644
--- a/examples/java/instance-provider/provider/pom.xml
+++ b/examples/java/instance-provider/provider/pom.xml
@@ -25,11 +25,10 @@
Athenz Instance Provider Example
- 9.4.9.v20180320
- 2.25.1
- 2.9.9
- 1.8.3
- 1.60
+ 9.4.20.v20190813
+ 2.29
+ 1.8.31
+ 1.62
UTF-8
UTF-8
@@ -53,7 +52,7 @@
com.yahoo.rdl
rdl-java
- 1.5.1
+ 1.5.2
com.fasterxml.jackson.core
@@ -72,7 +71,7 @@
org.slf4j
slf4j-api
- 1.7.25
+ 1.7.28
org.eclipse.jetty
@@ -143,17 +142,17 @@
com.fasterxml.jackson.core
jackson-annotations
- ${jackson.version}
+ 2.9.9
com.fasterxml.jackson.core
jackson-databind
- ${jackson.version}
+ 2.9.9.3
io.jsonwebtoken
jjwt
- 0.9.0
+ 0.9.1
diff --git a/examples/java/instance-provider/provider/src/main/java/com/yahoo/athenz/example/instance/provider/InstanceProviderContainer.java b/examples/java/instance-provider/provider/src/main/java/com/yahoo/athenz/example/instance/provider/InstanceProviderContainer.java
index a9dbaa718b2..c409bb0b355 100644
--- a/examples/java/instance-provider/provider/src/main/java/com/yahoo/athenz/example/instance/provider/InstanceProviderContainer.java
+++ b/examples/java/instance-provider/provider/src/main/java/com/yahoo/athenz/example/instance/provider/InstanceProviderContainer.java
@@ -26,7 +26,7 @@
import org.eclipse.jetty.servlet.ServletHolder;
import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.eclipse.jetty.util.thread.QueuedThreadPool;
-import org.glassfish.hk2.utilities.binding.AbstractBinder;
+import org.glassfish.jersey.internal.inject.AbstractBinder;
import org.glassfish.jersey.server.ResourceConfig;
import org.glassfish.jersey.servlet.ServletContainer;
diff --git a/libs/java/cert_refresher/examples/tls-support/pom.xml b/libs/java/cert_refresher/examples/tls-support/pom.xml
index 317c6ebf210..f8b982d9f33 100644
--- a/libs/java/cert_refresher/examples/tls-support/pom.xml
+++ b/libs/java/cert_refresher/examples/tls-support/pom.xml
@@ -27,7 +27,7 @@
UTF-8
UTF-8
- 1.7.33
+ 1.8.31
@@ -39,12 +39,12 @@
commons-cli
commons-cli
- 1.3.1
+ 1.4
ch.qos.logback
logback-classic
- 1.1.3
+ 1.2.3
diff --git a/utils/athenz-conf/athenz-conf.go b/utils/athenz-conf/athenz-conf.go
index 52a6e9b59f1..59fde1ebaea 100644
--- a/utils/athenz-conf/athenz-conf.go
+++ b/utils/athenz-conf/athenz-conf.go
@@ -302,6 +302,7 @@ func getHttpTransport(socksProxy, keyFile, certFile, caCertFile *string, skipVer
if skipVerify {
config.InsecureSkipVerify = skipVerify
}
+ tr.Proxy = http.ProxyFromEnvironment
tr.TLSClientConfig = config
}
return &tr
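Review bot: `tr.Proxy = http.ProxyFromEnvironment` is placed inside the conditional block that closes at the `}` on the line after it, so the environment proxy is honoured only on that branch; the block's opening `if`, the construction of `tr` and the handling of the `socksProxy` parameter are all outside the hunk, so I cannot tell whether that scoping is intentional. If the proxy is meant to apply regardless of whether a client TLS config is built, the assignment belongs next to where `tr` is created. Either way the line deserves a why-comment, because together with the `config.InsecureSkipVerify = skipVerify` two lines above it a proxy taken from the environment is an unauthenticated intermediary for the ZTS connection when skipVerify is set: `// honour HTTP_PROXY/HTTPS_PROXY/NO_PROXY; note that with skipVerify the tunnelled endpoint is not authenticated`. `getHttpTransport` starts and ends outside this hunk.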
diff --git a/utils/zts-accesstoken/zts-accesstoken.go b/utils/zts-accesstoken/zts-accesstoken.go
index 012cac2bbe3..8cfbaa79e6c 100644
--- a/utils/zts-accesstoken/zts-accesstoken.go
+++ b/utils/zts-accesstoken/zts-accesstoken.go
@@ -36,7 +36,7 @@ func main() {
flag.StringVar(&ztsURL, "zts", "", "url of the ZTS Service")
flag.StringVar(&hdr, "hdr", "Athenz-Principal-Auth", "Header name")
flag.IntVar(&expireTime, "expire-time", 120, "token expire time in minutes")
- flag.BoolVar(&proxy, "proxy", false, "enable proxy mode for request")
+ flag.BoolVar(&proxy, "proxy", true, "enable proxy mode for request")
flag.Parse()
fetchAccessToken(domain, service, roles, ztsURL, svcKeyFile, svcCertFile, ntokenFile, hdr, proxy, expireTime)
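Review bot: Changing the `-proxy` default from false to true alters the behaviour of every existing invocation that omits the flag, yet the help string still says only "enable proxy mode for request" and the commit message visible here does not explain the flip; the same default change is made in zts-roletoken.go and the new `-proxy` flag in zts-rolecert.go also defaults to true. What "proxy mode" does is not visible on this page (it is passed through to `fetchAccessToken`), so the help text should say how to turn it off and, if it means honouring proxy environment variables, say so: `flag.BoolVar(&proxy, "proxy", true, "enable proxy mode for request (use -proxy=false to disable)")`. `main` starts and ends outside this hunk.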
diff --git a/utils/zts-rolecert/zts-rolecert.go b/utils/zts-rolecert/zts-rolecert.go
index 56a0c4e8684..940a70b8295 100644
--- a/utils/zts-rolecert/zts-rolecert.go
+++ b/utils/zts-rolecert/zts-rolecert.go
@@ -7,7 +7,6 @@ import (
"bytes"
"crypto"
"crypto/rand"
- "crypto/tls"
"crypto/x509"
"crypto/x509/pkix"
"encoding/pem"
@@ -16,11 +15,11 @@ import (
"io/ioutil"
"log"
"net"
- "net/http"
"net/url"
"strings"
"github.com/yahoo/athenz/clients/go/zts"
+ "github.com/yahoo/athenz/libs/go/athenzutils"
)
type signer struct {
@@ -33,7 +32,7 @@ func main() {
var ztsURL, svcKeyFile, svcCertFile, roleKeyFile, dom, svc string
var caCertFile, roleCertFile, roleDomain, roleName, dnsDomain string
var subjC, subjO, subjOU, ip, uri string
- var spiffe, csr bool
+ var spiffe, csr, proxy bool
var expiryTime int
flag.StringVar(&roleKeyFile, "role-key-file", "", "role cert private key file (default: service identity private key)")
@@ -54,6 +53,7 @@ func main() {
flag.BoolVar(&spiffe, "spiffe", false, "include spiffe uri in csr")
flag.BoolVar(&csr, "csr", false, "request csr only")
flag.IntVar(&expiryTime, "expiry-time", 0, "expiry time in minutes")
+ flag.BoolVar(&proxy, "proxy", true, "enable proxy mode for request")
flag.Parse()
@@ -116,7 +116,7 @@ func main() {
return
}
- client, err := ztsClient(ztsURL, svcKeyFile, svcCertFile, caCertFile)
+ client, err := athenzutils.ZtsClient(ztsURL, svcKeyFile, svcCertFile, caCertFile, proxy)
if err != nil {
log.Fatalf("Unable to initialize ZTS Client for %s, err: %v\n", ztsURL, err)
}
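Review bot: The call to `athenzutils.ZtsClient(ztsURL, svcKeyFile, svcCertFile, caCertFile, proxy)` replaces the local `ztsClient` helper that this commit deletes further down, and that helper enforced `config.MinVersion = tls.VersionTLS12`, an explicit cipher-suite list and `config.SessionTicketsDisabled = true`; nothing on this page shows what TLS settings the shared library applies. Please confirm `athenzutils.ZtsClient` keeps at least the TLS 1.2 floor, or record the difference where the reader will look for it: `// TLS parameters (min version, ciphers) are now owned by athenzutils.ZtsClient`. `main` starts and ends outside this hunk.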
@@ -197,83 +197,6 @@ func getRoleCertificate(client *zts.ZTSClient, csr, roleDomain, roleName, roleCe
}
}
-func ztsClient(ztsURL, keyFile, certFile, caFile string) (*zts.ZTSClient, error) {
- config, err := tlsConfiguration(keyFile, certFile, caFile)
- if err != nil {
- return nil, err
- }
- tr := &http.Transport{
- TLSClientConfig: config,
- }
- client := zts.NewClient(ztsURL, tr)
- return &client, nil
-}
-
-func tlsConfiguration(keyFile, certFile, caFile string) (*tls.Config, error) {
- var capem []byte
- var err error
- if caFile != "" {
- capem, err = ioutil.ReadFile(caFile)
- if err != nil {
- return nil, err
- }
- }
- var keypem []byte
- var certpem []byte
- if keyFile != "" && certFile != "" {
- keypem, err = ioutil.ReadFile(keyFile)
- if err != nil {
- return nil, err
- }
- certpem, err = ioutil.ReadFile(certFile)
- if err != nil {
- return nil, err
- }
- }
- return tlsConfigurationFromPEM(keypem, certpem, capem)
-}
-
-func tlsConfigurationFromPEM(keypem, certpem, capem []byte) (*tls.Config, error) {
- config := &tls.Config{}
-
- certPool := x509.NewCertPool()
- if capem != nil {
- if !certPool.AppendCertsFromPEM(capem) {
- return nil, fmt.Errorf("Failed to append certs to pool")
- }
- config.RootCAs = certPool
- }
-
- if certpem != nil && keypem != nil {
- mycert, err := tls.X509KeyPair(certpem, keypem)
- if err != nil {
- return nil, err
- }
- config.Certificates = make([]tls.Certificate, 1)
- config.Certificates[0] = mycert
-
- config.ClientCAs = certPool
- config.ClientAuth = tls.VerifyClientCertIfGiven
- }
-
- //Use only modern ciphers
- config.CipherSuites = []uint16{tls.TLS_RSA_WITH_AES_128_CBC_SHA,
- tls.TLS_RSA_WITH_AES_256_CBC_SHA,
- tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
- tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
- tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
- tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
- tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
- tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}
-
- //Use only TLS v1.2
- config.MinVersion = tls.VersionTLS12
-
- //Don't allow session resumption
- config.SessionTicketsDisabled = true
- return config, nil
-}
-
func newSigner(privateKeyPEM []byte) (*signer, error) {
block, _ := pem.Decode(privateKeyPEM)
if block == nil {
diff --git a/utils/zts-roletoken/zts-roletoken.go b/utils/zts-roletoken/zts-roletoken.go
index 2af98f62418..aa7ecebdb16 100644
--- a/utils/zts-roletoken/zts-roletoken.go
+++ b/utils/zts-roletoken/zts-roletoken.go
@@ -40,7 +40,7 @@ func main() {
flag.StringVar(&ztsURL, "zts", "", "url of the ZTS Service")
flag.StringVar(&hdr, "hdr", "Athenz-Principal-Auth", "Header name")
flag.IntVar(&expireTime, "expire-time", 120, "token expire time in minutes")
- flag.BoolVar(&proxy, "proxy", false, "enable proxy mode for request")
+ flag.BoolVar(&proxy, "proxy", true, "enable proxy mode for request")
flag.BoolVar(&validate, "validate", false, "validate role token")
flag.StringVar(&roleToken, "role-token", "", "role token to validate")
flag.StringVar(&conf, "conf", "/home/athenz/conf/athenz.conf", "path to configuration file with public keys")