Merge pull request #20 from yahoo/keyservice

Specify key service when requesting private key
AthenZ · Feb 2, 2017 · e5a49c3 · e5a49c3
2 parents 319b8fc + b0cbedf
commit e5a49c3
Show file tree

Hide file tree

Showing 15 changed files with 27 additions and 31 deletions.
diff --git a/libs/java/auth_core/src/main/java/com/yahoo/athenz/auth/PrivateKeyStore.java b/libs/java/auth_core/src/main/java/com/yahoo/athenz/auth/PrivateKeyStore.java
@@ -23,11 +23,13 @@ public interface PrivateKeyStore {
      * Retrieve private key for this Athenz Server instance to sign its tokens
      * The private key identifier must be updated in the privateKeyId out
      * StringBuilder field.
+     * @param service Athenz service (zms or zts) requesting private key
      * @param serverHostName hostname of the Athenz Server instance
      * @param privateKeyId - out argument - must be updated to include key id
      * @return private key for this ZMS Server instance.
      */
-    default PrivateKey getPrivateKey(String serverHostName, StringBuilder privateKeyId) {
+    default PrivateKey getPrivateKey(String service, String serverHostName,
+            StringBuilder privateKeyId) {
         return null;
     }
 }
diff --git a/libs/java/auth_core/src/main/java/com/yahoo/athenz/auth/impl/FilePrivateKeyStore.java b/libs/java/auth_core/src/main/java/com/yahoo/athenz/auth/impl/FilePrivateKeyStore.java
@@ -38,7 +38,8 @@ public FilePrivateKeyStore() {
     }
 
     @Override
-    public PrivateKey getPrivateKey(String serverHostName, StringBuilder privateKeyId) {
+    public PrivateKey getPrivateKey(String service, String serverHostName,
+            StringBuilder privateKeyId) {
 
         String privKeyName = System.getProperty(ATHENZ_PROP_PRIVATE_KEY);
 

diff --git a/libs/java/auth_core/src/test/java/com/yahoo/athenz/auth/impl/FilePrivateKeyStoreTest.java b/libs/java/auth_core/src/test/java/com/yahoo/athenz/auth/impl/FilePrivateKeyStoreTest.java
@@ -46,7 +46,7 @@ public void testRetrievePrivateKeyValid() {
                 "src/test/resources/zts_private_k0.key");
 
         StringBuilder keyId = new StringBuilder(256);
-        PrivateKey privKey = store.getPrivateKey("localhost", keyId);
+        PrivateKey privKey = store.getPrivateKey("zms", "localhost", keyId);
         assertNotNull(privKey);
 
         if (saveProp == null) {
@@ -68,7 +68,7 @@ public void testRetrievePrivateKeyInValid() {
 
         try {
             StringBuilder keyId = new StringBuilder(256);
-            store.getPrivateKey("localhost", keyId);
+            store.getPrivateKey("zts", "localhost", keyId);
             fail();
         } catch (Exception ex) {
             assertTrue(true);

diff --git a/libs/java/auth_core/src/test/java/com/yahoo/athenz/auth/impl/PrivateKeyStoreTest.java b/libs/java/auth_core/src/test/java/com/yahoo/athenz/auth/impl/PrivateKeyStoreTest.java
@@ -31,7 +31,7 @@ public class PrivateKeyStoreInstance implements PrivateKeyStore {
         public void testGetPrivateKeyMulti() {
             PrivateKeyStoreInstance keystore = new PrivateKeyStoreInstance();
             StringBuilder sb = new StringBuilder();
-            PrivateKey key = keystore.getPrivateKey("hostname", sb);
+            PrivateKey key = keystore.getPrivateKey("zms", "hostname", sb);
             assertNull(key);
         }
     }

diff --git a/servers/zms/conf/container_settings b/servers/zms/conf/container_settings
@@ -11,9 +11,8 @@ CONTAINER_ADMINUSER="user.${USER}"
 # ** private/public key pair for zms instance - must be generated
 # ** using with default key id of 0
 CONTAINER_PRIVKEY="${ROOT}/var/zms_server/keys/zms_private.pem"
-CONTAINER_PUBKEY="${ROOT}/var/zms_server/keys/zms_public.pem"
 CONTAINER_PRIVKEY_ID="0"
-# CONTAINER_PRIVATE_KEY_STORE_FACTORY_CLASS=
+# CONTAINER_PRIVATE_KEY_STORE_FACTORY_CLASS=com.yahoo.athenz.auth.impl.FilePrivateKeyStoreFactory
 
 # ** default ports for zms server. http support is disabled
 # ** https support enabled - must provide certificate for server

diff --git a/servers/zms/scripts/zms_debug.sh b/servers/zms/scripts/zms_debug.sh
@@ -10,7 +10,6 @@ export ZMS_OPTS="${ZMS_OPTS} -Dathenz.zms.port=4080"
 export ZMS_OPTS="${ZMS_OPTS} -Dathenz.zms.private_key_store_factory_class=com.yahoo.athenz.auth.impl.FilePrivateKeyStoreFactory"
 export ZMS_OPTS="${ZMS_OPTS} -Dathenz.zms.privatekey=src/test/resources/zms_private.pem"
 export ZMS_OPTS="${ZMS_OPTS} -Dathenz.zms.privatekey.version=0"
-export ZMS_OPTS="${ZMS_OPTS} -Dathenz.zms.publickey=src/test/resources/zms_public.pem"
 export ZMS_OPTS="${ZMS_OPTS} -Dathenz.zms.access_log_dir=./zms_logs"
 export ZMS_OPTS="${ZMS_OPTS} -Dathenz.zms.enable_stats=false"
 export ZMS_OPTS="${ZMS_OPTS} -Dathenz.zms.virtual_domain_support=true"

diff --git a/servers/zms/scripts/zms_start.sh b/servers/zms/scripts/zms_start.sh
@@ -47,10 +47,6 @@ if [ "x${CONTAINER_PRIVKEY_ID}" != "x" ]; then
     export JAVA_OPTS="${JAVA_OPTS} -Dathenz.auth.private_key_store.private_key_id=${CONTAINER_PRIVKEY_ID}"
 fi
 
-if [ "x${CONTAINER_PUBKEY}" != "x" ]; then
-    export JAVA_OPTS="${JAVA_OPTS} -Dathenz.zms.publickey=${CONTAINER_PUBKEY}"
-fi
-
 if [ "x${CONTAINER_PRIVATE_KEY_STORE_FACTORY_CLASS}" != "x" ]; then
     export JAVA_OPTS="${JAVA_OPTS} -Dathenz.zms.private_key_store_factory_class=${CONTAINER_PRIVATE_KEY_STORE_FACTORY_CLASS}"
 fi

diff --git a/servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSConsts.java b/servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSConsts.java
@@ -89,7 +89,8 @@ public final class ZMSConsts {
 
     public static final String ZMS_UNKNOWN_DOMAIN     = "unknown_domain";
     public static final String ZMS_INVALID_DOMAIN     = "invalid_domain";
-
+    public static final String ZMS_SERVICE            = "zms";
+
     public static final int    ZMS_HTTPS_PORT_DEFAULT = 0;
     public static final int    ZMS_HTTP_PORT_DEFAULT  = 10080;
     public static final String ZMS_STATS_SCOREBOARD   = "zms_core";

diff --git a/servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSImpl.java b/servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSImpl.java
@@ -99,7 +99,6 @@ public class ZMSImpl implements Authorizer, KeyStore, ZMSHandler {
     private static final String DOMAIN_FIELD = "domain";
 
     private static final String SYS_AUTH = "sys.auth";
-    private static final String ZMS_SERVICE = "zms";
     private static final String USER_TOKEN_DEFAULT_NAME = "_self_";
 
     // data validation types
@@ -447,7 +446,7 @@ void loadServerPublicKeys() {
 
         // retrieve our zms service identity object
 
-        ServiceIdentity identity = dbService.getServiceIdentity(SYS_AUTH, ZMS_SERVICE);
+        ServiceIdentity identity = dbService.getServiceIdentity(SYS_AUTH, ZMSConsts.ZMS_SERVICE);
         if (identity != null) {
 
             // process all the public keys and add them to the map
@@ -563,7 +562,7 @@ void initObjectStore() {
             final String publicKey = Crypto.convertToPEMFormat(Crypto.extractPublicKey(privateKey));
             pubKeys.add(new PublicKeyEntry().setId(privateKeyId).setKey(Crypto.ybase64EncodeString(publicKey)));
             ServiceIdentity id = new ServiceIdentity().setName("sys.auth.zms").setPublicKeys(pubKeys);
-            dbService.executePutServiceIdentity(null, SYS_AUTH, ZMS_SERVICE, id, null, caller);
+            dbService.executePutServiceIdentity(null, SYS_AUTH, ZMSConsts.ZMS_SERVICE, id, null, caller);
         } else {
             if (LOG.isWarnEnabled()) {
                 LOG.warn("init: Warning: no public key, cannot register sys.auth.zms identity");
@@ -5652,7 +5651,7 @@ DomainList listDomains(Integer limit, String skip, String prefix, Integer depth,
     }
 
     boolean isZMSService(String domain, String service) {
-        return (SYS_AUTH.equalsIgnoreCase(domain) && ZMS_SERVICE.equalsIgnoreCase(service));
+        return (SYS_AUTH.equalsIgnoreCase(domain) && ZMSConsts.ZMS_SERVICE.equalsIgnoreCase(service));
     }
 
     /**
@@ -6027,7 +6026,7 @@ public ServicePrincipal getServicePrincipal(ResourceContext ctx) {
                 .issueTime(sdToken.getTimestamp())
                 .expirationWindow(sdToken.getExpiryTime() - sdToken.getTimestamp())
                 .ip(sdToken.getIP()).keyId(privateKeyId).host(serverHostName)
-                .keyService(ZMS_SERVICE).build();
+                .keyService(ZMSConsts.ZMS_SERVICE).build();
             zmsToken.sign(privateKey);
             servicePrincipal = new ServicePrincipal();
             servicePrincipal.setDomain(principal.getDomain());

diff --git a/servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSServerImpl.java b/servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSServerImpl.java
@@ -51,7 +51,7 @@ public ZMSServerImpl(String serverHostName, PrivateKeyStoreFactory pkeyStoreFact
 
         StringBuilder privKeyId = new StringBuilder(256);
         PrivateKeyStore keyStore = pkeyStoreFactory.create();
-        PrivateKey pkey = keyStore.getPrivateKey(serverHostName, privKeyId);
+        PrivateKey pkey = keyStore.getPrivateKey(ZMSConsts.ZMS_SERVICE, serverHostName, privKeyId);
 
         // create our metric and increment our startup count
 

diff --git a/servers/zms/src/test/java/com/yahoo/athenz/zms/ZMSTest.java b/servers/zms/src/test/java/com/yahoo/athenz/zms/ZMSTest.java
@@ -27,7 +27,7 @@
 
 public class ZMSTest {
 
-    public static final String ZMS_PROP_PUBLIC_KEY       = "athenz.zms.publickey";
+    public static final String ZMS_PROP_PUBLIC_KEY = "athenz.zms.publickey";
 
     @BeforeClass
     public void setUp() throws Exception {

diff --git a/servers/zts/conf/container_settings b/servers/zts/conf/container_settings
@@ -7,6 +7,7 @@ CONTAINER_AUTHORITY_CLASSES="com.yahoo.athenz.auth.impl.PrincipalAuthority,com.y
 # using with default key id of 0
 CONTAINER_PRIVKEY="${ROOT}/var/zts_server/keys/zts_private.pem"
 CONTAINER_PRIVKEY_ID="0"
+# CONTAINER_PRIVATE_KEY_STORE_FACTORY_CLASS=com.yahoo.athenz.auth.impl.FilePrivateKeyStoreFactory
 
 # default ports for zts server. http support is disabled
 # https support enabled - must provide certificate for server
@@ -62,7 +63,6 @@ CONTAINER_SELF_SIGNER_PRIVATE_KEY_FNAME="${ROOT}/var/zts_server/keys/zts_private
 
 # ** configure what implementation classes to use
 # CONTAINER_DATA_CHANGE_LOG_STORE_FACTORY_CLASS=
-# CONTAINER_PRIVATE_KEY_STORE_FACTORY_CLASS=
 # CONTAINER_HOST_SIGNER_SERVICE=
 # CONTAINER_CERTSIGN_BASE_URI=
 

diff --git a/servers/zts/src/main/java/com/yahoo/athenz/zts/ZTS.java b/servers/zts/src/main/java/com/yahoo/athenz/zts/ZTS.java
@@ -307,7 +307,7 @@ public static ZTSJettyContainer createJettyContainer() {
         /// extract our official per-host ZTS private key
 
         StringBuilder privKeyId = new StringBuilder(256);
-        PrivateKey pkey = keyStore.getPrivateKey(serverHostName, privKeyId);
+        PrivateKey pkey = keyStore.getPrivateKey(ZTSConsts.ZTS_SERVICE, serverHostName, privKeyId);
 
         // create our cloud store if configured
 

diff --git a/servers/zts/src/main/java/com/yahoo/athenz/zts/ZTSConsts.java b/servers/zts/src/main/java/com/yahoo/athenz/zts/ZTSConsts.java
@@ -88,9 +88,9 @@ public final class ZTSConsts {
     public static final String ZTS_PROP_INSTANCE_IDENTITY_STORE_FACTORY_CLASS = "athenz.zts.instance_identity_store_factory_class";
     public static final String ZTS_PROP_PRIVATE_KEY_STORE_FACTORY_CLASS       = "athenz.zts.private_key_store_factory_class";
 
-    public static final String ZTS_PROP_USER_DOMAIN                = "athenz.user_domain";
-    public static final String ZTS_PROP_ATHENZ_CONF                = "athenz.athenz_conf";
-
+    public static final String ZTS_PROP_USER_DOMAIN   = "athenz.user_domain";
+    public static final String ZTS_PROP_ATHENZ_CONF   = "athenz.athenz_conf";
+    public static final String ZTS_SERVICE            = "zts";
     public static final String ZTS_UNKNOWN_DOMAIN     = "unknown_domain";
     public static final String ATHENZ_SYS_DOMAIN      = "sys.auth";
 

diff --git a/servers/zts/src/main/java/com/yahoo/athenz/zts/store/file/ZMSFileChangeLogStore.java b/servers/zts/src/main/java/com/yahoo/athenz/zts/store/file/ZMSFileChangeLogStore.java
@@ -23,6 +23,7 @@
 import com.yahoo.athenz.zms.SignedDomains;
 import com.yahoo.athenz.zms.ZMSClient;
 import com.yahoo.athenz.zms.ZMSClientException;
+import com.yahoo.athenz.zts.ZTSConsts;
 import com.yahoo.athenz.zts.store.ChangeLogStore;
 import com.yahoo.rdl.*;
 
@@ -64,8 +65,6 @@ public class ZMSFileChangeLogStore implements ChangeLogStore {
     private static final String ATTR_TAG = "tag";
     private static final String LAST_MOD_FNAME = ".lastModTime";
     private static final String ATTR_LAST_MOD_TIME = "lastModTime";
-    private static final String ATHENZ_SYS_DOMAIN = "sys.auth";
-    private static final String ATHENZ_ZTS_SERVICE = "zts";
 
     private static final String ZTS_PROP_ZMS_URL_OVERRIDE = "athenz.zts.zms_url";
 
@@ -225,12 +224,12 @@ List<String> scan() {
 
     ZMSClient getZMSClient() {
 
-        PrincipalToken token = new PrincipalToken.Builder("S1", ATHENZ_SYS_DOMAIN, ATHENZ_ZTS_SERVICE)
-            .expirationWindow(24 * 60 * 60L).keyId(privateKeyId).build();
+        PrincipalToken token = new PrincipalToken.Builder("S1", ZTSConsts.ATHENZ_SYS_DOMAIN, ZTSConsts.ZTS_SERVICE)
+                .expirationWindow(24 * 60 * 60L).keyId(privateKeyId).build();
         token.sign(privateKey);
 
-        Principal principal = SimplePrincipal.create(ATHENZ_SYS_DOMAIN, ATHENZ_ZTS_SERVICE,
-                token.getSignedToken(), authority);
+        Principal principal = SimplePrincipal.create(ZTSConsts.ATHENZ_SYS_DOMAIN,
+                ZTSConsts.ZTS_SERVICE, token.getSignedToken(), authority);
 
         ZMSClient zmsClient = new ZMSClient(zmsUrl);
         zmsClient.addCredentials(principal);