From a73a8575db9d46d7dca8d5ee6e58e4db4780fa20 Mon Sep 17 00:00:00 2001 From: Henry Avetisyan Date: Mon, 9 Sep 2019 09:17:32 -0700 Subject: [PATCH] support proxy for all go utilties (#772) * support proxy for all go utilties * dependency updates with tidelift yml file * more dependency update for tidelift warnings --- .tidelift.yml | 9 ++ .../zts/core/examples/tls-support/pom.xml | 8 +- .../java/centralized-use-case/client/pom.xml | 2 +- .../java/centralized-use-case/servlet/pom.xml | 2 +- .../java/instance-provider/client/pom.xml | 10 +-- .../java/instance-provider/provider/pom.xml | 19 ++--- .../provider/InstanceProviderContainer.java | 2 +- .../examples/tls-support/pom.xml | 6 +- utils/athenz-conf/athenz-conf.go | 1 + utils/zts-accesstoken/zts-accesstoken.go | 2 +- utils/zts-rolecert/zts-rolecert.go | 85 +------------------ utils/zts-roletoken/zts-roletoken.go | 2 +- 12 files changed, 40 insertions(+), 108 deletions(-) create mode 100644 .tidelift.yml diff --git a/.tidelift.yml b/.tidelift.yml new file mode 100644 index 00000000000..b750fa559bf --- /dev/null +++ b/.tidelift.yml @@ -0,0 +1,9 @@ +ci: + tests: + removed: fail + deprecated: warn + unmaintained: warn + unlicensed: warn + outdated: warn + vulnerable: fail + inactive_stream: fail diff --git a/clients/java/zts/core/examples/tls-support/pom.xml b/clients/java/zts/core/examples/tls-support/pom.xml index 627e62f29dd..67c742e0d44 100644 --- a/clients/java/zts/core/examples/tls-support/pom.xml +++ b/clients/java/zts/core/examples/tls-support/pom.xml @@ -27,7 +27,7 @@ UTF-8 UTF-8 - 1.8.30 + 1.8.31 @@ -44,17 +44,17 @@ commons-cli commons-cli - 1.3.1 + 1.4 org.slf4j slf4j-api - 1.7.25 + 1.7.28 ch.qos.logback logback-classic - 1.1.3 + 1.2.3 diff --git a/examples/java/centralized-use-case/client/pom.xml b/examples/java/centralized-use-case/client/pom.xml index 63b9f538b57..f3f69b2ab1f 100644 --- a/examples/java/centralized-use-case/client/pom.xml +++ b/examples/java/centralized-use-case/client/pom.xml 
@@ -27,7 +27,7 @@ UTF-8 UTF-8 - 1.8.3 + 1.8.31 diff --git a/examples/java/centralized-use-case/servlet/pom.xml b/examples/java/centralized-use-case/servlet/pom.xml index 4252affa7de..793a390ef86 100644 --- a/examples/java/centralized-use-case/servlet/pom.xml +++ b/examples/java/centralized-use-case/servlet/pom.xml @@ -27,7 +27,7 @@ UTF-8 UTF-8 - 1.8.3 + 1.8.31 diff --git a/examples/java/instance-provider/client/pom.xml b/examples/java/instance-provider/client/pom.xml index 0ace69daa0e..5eee68ad28d 100644 --- a/examples/java/instance-provider/client/pom.xml +++ b/examples/java/instance-provider/client/pom.xml @@ -27,9 +27,9 @@ UTF-8 UTF-8 - 1.8.15 + 1.8.31 2.9.9 - 2.27 + 2.29 @@ -56,17 +56,17 @@ io.jsonwebtoken jjwt - 0.9.0 + 0.9.1 com.fasterxml.jackson.core jackson-annotations - ${jackson.version} + 2.9.9 com.fasterxml.jackson.core jackson-databind - ${jackson.version} + 2.9.9.3 org.glassfish.jersey.media diff --git a/examples/java/instance-provider/provider/pom.xml b/examples/java/instance-provider/provider/pom.xml index 774fce12134..42a396a34f0 100644 --- a/examples/java/instance-provider/provider/pom.xml +++ b/examples/java/instance-provider/provider/pom.xml @@ -25,11 +25,10 @@ Athenz Instance Provider Example - 9.4.9.v20180320 - 2.25.1 - 2.9.9 - 1.8.3 - 1.60 + 9.4.20.v20190813 + 2.29 + 1.8.31 + 1.62 UTF-8 UTF-8 @@ -53,7 +52,7 @@ com.yahoo.rdl rdl-java - 1.5.1 + 1.5.2 com.fasterxml.jackson.core @@ -72,7 +71,7 @@ org.slf4j slf4j-api - 1.7.25 + 1.7.28 org.eclipse.jetty @@ -143,17 +142,17 @@ com.fasterxml.jackson.core jackson-annotations - ${jackson.version} + 2.9.9 com.fasterxml.jackson.core jackson-databind - ${jackson.version} + 2.9.9.3 io.jsonwebtoken jjwt - 0.9.0 + 0.9.1 
diff --git a/examples/java/instance-provider/provider/src/main/java/com/yahoo/athenz/example/instance/provider/InstanceProviderContainer.java b/examples/java/instance-provider/provider/src/main/java/com/yahoo/athenz/example/instance/provider/InstanceProviderContainer.java index a9dbaa718b2..c409bb0b355 100644 --- a/examples/java/instance-provider/provider/src/main/java/com/yahoo/athenz/example/instance/provider/InstanceProviderContainer.java +++ b/examples/java/instance-provider/provider/src/main/java/com/yahoo/athenz/example/instance/provider/InstanceProviderContainer.java @@ -26,7 +26,7 @@ import org.eclipse.jetty.servlet.ServletHolder; import org.eclipse.jetty.util.ssl.SslContextFactory; import org.eclipse.jetty.util.thread.QueuedThreadPool; -import org.glassfish.hk2.utilities.binding.AbstractBinder; +import org.glassfish.jersey.internal.inject.AbstractBinder; import org.glassfish.jersey.server.ResourceConfig; import org.glassfish.jersey.servlet.ServletContainer; diff --git a/libs/java/cert_refresher/examples/tls-support/pom.xml b/libs/java/cert_refresher/examples/tls-support/pom.xml index 317c6ebf210..f8b982d9f33 100644 --- a/libs/java/cert_refresher/examples/tls-support/pom.xml +++ b/libs/java/cert_refresher/examples/tls-support/pom.xml @@ -27,7 +27,7 @@ UTF-8 UTF-8 - 1.7.33 + 1.8.31 @@ -39,12 +39,12 @@ commons-cli commons-cli - 1.3.1 + 1.4 ch.qos.logback logback-classic - 1.1.3 + 1.2.3 diff --git a/utils/athenz-conf/athenz-conf.go b/utils/athenz-conf/athenz-conf.go index 52a6e9b59f1..59fde1ebaea 100644 --- a/utils/athenz-conf/athenz-conf.go +++ b/utils/athenz-conf/athenz-conf.go @@ -302,6 +302,7 @@ func getHttpTransport(socksProxy, keyFile, certFile, caCertFile *string, skipVer if skipVerify { config.InsecureSkipVerify = skipVerify } + tr.Proxy = http.ProxyFromEnvironment tr.TLSClientConfig = config } return &tr diff --git a/utils/zts-accesstoken/zts-accesstoken.go b/utils/zts-accesstoken/zts-accesstoken.go index 012cac2bbe3..8cfbaa79e6c 100644 
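Review bot: In the athenz-conf.go hunk, `tr.Proxy = http.ProxyFromEnvironment` is assigned inside the block that also sets `tr.TLSClientConfig`, so a transport built by any other path through getHttpTransport (the `socksProxy` parameter in the hunk header suggests one exists) does not pick up the environment proxy; if that is the intent, say so next to the assignment, otherwise hoist it above the conditional. Unlike the zts-* utilities in this patch, athenz-conf gets no flag to switch the behaviour off, so whatever `HTTPS_PROXY`/`NO_PROXY` happen to be set in the invoking shell now silently decide which hop the server connection goes through. A comment such as `// honour HTTP(S)_PROXY/NO_PROXY from the environment; there is no opt-out flag in this tool` and a line in the usage text would make that visible to operators. getHttpTransport starts before this hunk.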
--- a/utils/zts-accesstoken/zts-accesstoken.go
+++ b/utils/zts-accesstoken/zts-accesstoken.go
@@ -36,7 +36,7 @@ func main() {
 flag.StringVar(&ztsURL, "zts", "", "url of the ZTS Service")
 flag.StringVar(&hdr, "hdr", "Athenz-Principal-Auth", "Header name")
 flag.IntVar(&expireTime, "expire-time", 120, "token expire time in minutes")
- flag.BoolVar(&proxy, "proxy", false, "enable proxy mode for request")
+ flag.BoolVar(&proxy, "proxy", true, "enable proxy mode for request")
 flag.Parse()
 
 fetchAccessToken(domain, service, roles, ztsURL, svcKeyFile, svcCertFile, ntokenFile, hdr, proxy, expireTime)
diff --git a/utils/zts-rolecert/zts-rolecert.go b/utils/zts-rolecert/zts-rolecert.go
index 56a0c4e8684..940a70b8295 100644
--- a/utils/zts-rolecert/zts-rolecert.go
+++ b/utils/zts-rolecert/zts-rolecert.go
@@ -7,7 +7,6 @@ import (
 "bytes"
 "crypto"
 "crypto/rand"
- "crypto/tls"
 "crypto/x509"
 "crypto/x509/pkix"
 "encoding/pem"
@@ -16,11 +15,11 @@ import (
 "io/ioutil"
 "log"
 "net"
- "net/http"
 "net/url"
 "strings"
 
 "github.com/yahoo/athenz/clients/go/zts"
+ "github.com/yahoo/athenz/libs/go/athenzutils"
 )
 
 type signer struct {
@@ -33,7 +32,7 @@ func main() {
 var ztsURL, svcKeyFile, svcCertFile, roleKeyFile, dom, svc string
 var caCertFile, roleCertFile, roleDomain, roleName, dnsDomain string
 var subjC, subjO, subjOU, ip, uri string
- var spiffe, csr bool
+ var spiffe, csr, proxy bool
 var expiryTime int
 
 flag.StringVar(&roleKeyFile, "role-key-file", "", "role cert private key file (default: service identity private key)")
@@ -54,6 +53,7 @@ func main() {
 flag.BoolVar(&spiffe, "spiffe", false, "include spiffe uri in csr")
 flag.BoolVar(&csr, "csr", false, "request csr only")
 flag.IntVar(&expiryTime, "expiry-time", 0, "expiry time in minutes")
+ flag.BoolVar(&proxy, "proxy", true, "enable proxy mode for request")
 flag.Parse()
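Review bot: The `-proxy` default flips to true in zts-accesstoken, yet the help text `"enable proxy mode for request"` still reads like an opt-in switch, so an operator who needs the old behaviour gets no hint that `-proxy=false` is the way and no statement of what "proxy mode" routes through; the same applies to the zts-rolecert flag hunk further down this line and to the zts-roletoken hunk at the end of the patch. Existing scripts that happen to run with an `HTTPS_PROXY` set for other tools will now send their ZTS calls through it without any change on their side, which is the kind of silent routing change worth spelling out in the flag description. If proxy mode means `http.ProxyFromEnvironment`, as the athenz-conf hunk in this patch suggests, `flag.BoolVar(&proxy, "proxy", true, "route the request via the HTTP(S)_PROXY/NO_PROXY settings of the environment (-proxy=false to disable)")` would say so; fetchAccessToken is outside this hunk, so confirm before wording it that way.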
@@ -116,7 +116,7 @@ func main() {
 return
 }
 
- client, err := ztsClient(ztsURL, svcKeyFile, svcCertFile, caCertFile)
+ client, err := athenzutils.ZtsClient(ztsURL, svcKeyFile, svcCertFile, caCertFile, proxy)
 if err != nil {
 log.Fatalf("Unable to initialize ZTS Client for %s, err: %v\n", ztsURL, err)
 }
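Review bot: The call to `athenzutils.ZtsClient` now decides the TLS posture of this tool, but nothing in the patch shows what that helper configures, while the `ztsClient`/`tlsConfigurationFromPEM` pair it replaces (removed later in this patch) pinned `MinVersion` to TLS 1.2, fixed an explicit cipher suite list and set `SessionTicketsDisabled`. Before merging, confirm that the shared helper keeps at least the TLS 1.2 floor and applies the CA file the same way, otherwise this tool regresses without any visible diff here. If it does, a one-line comment at the call site, `// TLS floor (TLS 1.2), CA pool and proxy handling come from athenzutils.ZtsClient`, saves the next reader the cross-module lookup. main continues outside this hunk.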
@@ -197,83 +197,6 @@ func getRoleCertificate(client *zts.ZTSClient, csr, roleDomain, roleName, roleCe
 }
 }
 
-func ztsClient(ztsURL, keyFile, certFile, caFile string) (*zts.ZTSClient, error) {
- config, err := tlsConfiguration(keyFile, certFile, caFile)
- if err != nil {
- return nil, err
- }
- tr := &http.Transport{
- TLSClientConfig: config,
- }
- client := zts.NewClient(ztsURL, tr)
- return &client, nil
-}
-
-func tlsConfiguration(keyFile, certFile, caFile string) (*tls.Config, error) {
- var capem []byte
- var err error
- if caFile != "" {
- capem, err = ioutil.ReadFile(caFile)
- if err != nil {
- return nil, err
- }
- }
- var keypem []byte
- var certpem []byte
- if keyFile != "" && certFile != "" {
- keypem, err = ioutil.ReadFile(keyFile)
- if err != nil {
- return nil, err
- }
- certpem, err = ioutil.ReadFile(certFile)
- if err != nil {
- return nil, err
- }
- }
- return tlsConfigurationFromPEM(keypem, certpem, capem)
-}
-
-func tlsConfigurationFromPEM(keypem, certpem, capem []byte) (*tls.Config, error) {
- config := &tls.Config{}
-
- certPool := x509.NewCertPool()
- if capem != nil {
- if !certPool.AppendCertsFromPEM(capem) {
- return nil, fmt.Errorf("Failed to append certs to pool")
- }
- config.RootCAs = certPool
- }
-
- if certpem != nil && keypem != nil {
- mycert, err := tls.X509KeyPair(certpem, keypem)
- if err != nil {
- return nil, err
- }
- config.Certificates = make([]tls.Certificate, 1)
- config.Certificates[0] = mycert
-
- config.ClientCAs = certPool
- config.ClientAuth = tls.VerifyClientCertIfGiven
- }
-
- //Use only modern ciphers
- config.CipherSuites = []uint16{tls.TLS_RSA_WITH_AES_128_CBC_SHA,
- tls.TLS_RSA_WITH_AES_256_CBC_SHA,
- tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
- tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
- tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
- tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
- tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
- tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}
-
- //Use only TLS v1.2
- config.MinVersion = tls.VersionTLS12
-
- //Don't allow session resumption
- config.SessionTicketsDisabled = true
- return config, nil
-}
-
 func newSigner(privateKeyPEM []byte) (*signer, error) {
 block, _ := pem.Decode(privateKeyPEM)
 if block == nil {
diff --git a/utils/zts-roletoken/zts-roletoken.go b/utils/zts-roletoken/zts-roletoken.go
index 2af98f62418..aa7ecebdb16 100644
--- a/utils/zts-roletoken/zts-roletoken.go
+++ b/utils/zts-roletoken/zts-roletoken.go
@@ -40,7 +40,7 @@ func main() {
 flag.StringVar(&ztsURL, "zts", "", "url of the ZTS Service")
 flag.StringVar(&hdr, "hdr", "Athenz-Principal-Auth", "Header name")
 flag.IntVar(&expireTime, "expire-time", 120, "token expire time in minutes")
- flag.BoolVar(&proxy, "proxy", false, "enable proxy mode for request")
+ flag.BoolVar(&proxy, "proxy", true, "enable proxy mode for request")
 flag.BoolVar(&validate, "validate", false, "validate role token")
 flag.StringVar(&roleToken, "role-token", "", "role token to validate")
 flag.StringVar(&conf, "conf", "/home/athenz/conf/athenz.conf", "path to configuration file with public keys")