AthenZ · havetisyan · Aug 6, 2024 · Aug 4, 2024
diff --git a/libs/java/auth_core/src/main/java/com/yahoo/athenz/auth/PrivateKeyStore.java b/libs/java/auth_core/src/main/java/com/yahoo/athenz/auth/PrivateKeyStore.java
@@ -15,73 +15,23 @@
  */
 package com.yahoo.athenz.auth;
 
-import java.security.PrivateKey;
-
 public interface PrivateKeyStore {
 
-    /**
-     * Retrieve private key for this Athenz Server instance to sign its tokens
-     * The private key identifier must be updated in the privateKeyId out
-     * StringBuilder field.
-     * @param service Athenz service (zms or zts) requesting private key
-     * @param serverHostName hostname of the Athenz Server instance
-     * @param privateKeyId - out argument - must be updated to include key id
-     * @return private key for this ZMS Server instance.
-     */
-    @Deprecated
-    default PrivateKey getPrivateKey(String service, String serverHostName,
-            StringBuilder privateKeyId) {
-        return null;
-    }
-
     /**
      * Retrieve private key for this Athenz Server instance for the given
      * crypto algorithm to sign its tokens.
      * @param service Athenz service (zms or zts) requesting private key
      * @param serverHostName hostname of the Athenz Server instance
      * @param serverRegion Athenz server region
-     * @param algorithm Requested algorithm - rsa or ec
+     * @param algorithm Requested algorithm - rsa, ec, or null for default algorithm
+     *                  if the rsa and ec algorithms are not configured.
      * @return private key for this ZMS Server instance.
      */
     default ServerPrivateKey getPrivateKey(String service, String serverHostName,
             String serverRegion, String algorithm) {
         return null;
     }
 
-    /**
-     * Retrieve the application secret based on the configured key name.
-     * @deprecated
-     * This method should not be used to get application secrets.
-     * <p> Use {@link PrivateKeyStore#getSecret(String, String)} instead.</p>
-     *
-     * The application name specifies what component is this secret for;
-     * for example, jdbc for accessing the secret for the jdbc user.
-     * The default implementation assumes the key name is the secret.
-     * @param appName application name for the secret
-     * @param keyName configured value for the secret
-     * @return secret for the given key and application
-     */
-    @Deprecated
-    default String getApplicationSecret(String appName, String keyName) {
-        return keyName;
-    }
-
-    /**
-     * Retrieve the application secret based on the configured key name as char[].
-     * @deprecated
-     * The application name specifies what component is this secret for;
-     * for example, jdbc for accessing the secret for the jdbc user.
-     * The default implementation assumes the key name is the secret.
-     * @param appName application name for the secret
-     * @param keyName configured value for the secret
-     * @return secret for the given key and application as char[]
-     */
-    @Deprecated
-    default char[] getSecret(String appName, String keyName) {
-        final String secret = getApplicationSecret(appName, keyName);
-        return secret != null ? secret.toCharArray() : null;
-    }
-
     /**
      * Retrieve the application secret based on the configured key name as char[].
      * The application name specifies what component is this secret for;
@@ -93,6 +43,6 @@ default char[] getSecret(String appName, String keyName) {
      * @return secret for the given key, keygroup and application as char[]
      */
     default char[] getSecret(String appName, String keygroupName, String keyName) {
-        return getSecret(appName, keyName);
+        return keyName != null ? keyName.toCharArray() : null;
     }
 }
diff --git a/libs/java/auth_core/src/main/java/com/yahoo/athenz/auth/impl/FilePrivateKeyStore.java b/libs/java/auth_core/src/main/java/com/yahoo/athenz/auth/impl/FilePrivateKeyStore.java
@@ -58,7 +58,7 @@ public ServerPrivateKey getPrivateKey(String service, String serverHostName,
             return null;
         }
 
-        if (!ALGO_RSA.equalsIgnoreCase(algorithm) && !ALGO_EC.equalsIgnoreCase(algorithm)) {
+        if (algorithm != null && (!ALGO_RSA.equalsIgnoreCase(algorithm) && !ALGO_EC.equalsIgnoreCase(algorithm))) {
             LOG.error("FilePrivateKeyStore: unknown algorithm: {}", algorithm);
             return null;
         }
@@ -68,9 +68,12 @@ public ServerPrivateKey getPrivateKey(String service, String serverHostName,
         if (ALGO_RSA.equalsIgnoreCase(algorithm)) {
             privKeyName = System.getProperty(ATHENZ_PROP_PRIVATE_RSA_KEY);
             privKeyId = System.getProperty(ATHENZ_PROP_PRIVATE_RSA_KEY_ID, "0");
-        } else {
+        } else if (ALGO_EC.equalsIgnoreCase(algorithm)) {
             privKeyName = System.getProperty(ATHENZ_PROP_PRIVATE_EC_KEY);
             privKeyId = System.getProperty(ATHENZ_PROP_PRIVATE_EC_KEY_ID, "0");
+        } else {
+            privKeyName = System.getProperty(ATHENZ_PROP_PRIVATE_KEY);
+            privKeyId = System.getProperty(ATHENZ_PROP_PRIVATE_KEY_ID, "0");
         }
 
         if (LOG.isDebugEnabled()) {
@@ -81,9 +84,6 @@ public ServerPrivateKey getPrivateKey(String service, String serverHostName,
             return null;
         }
 
-        // check to see if this is running in dev mode and thus it's
-        // a resource in our jar file
-
         File privKeyFile = new File(privKeyName);
         PrivateKey pkey = Crypto.loadPrivateKey(privKeyFile);
 
@@ -93,27 +93,4 @@ public ServerPrivateKey getPrivateKey(String service, String serverHostName,
         }
         return privateKey;
     }
-
-    @Override
-    public PrivateKey getPrivateKey(String service, String serverHostName,
-            StringBuilder privateKeyId) {
-
-        final String privKeyName = System.getProperty(ATHENZ_PROP_PRIVATE_KEY);
-
-        if (LOG.isDebugEnabled()) {
-            LOG.debug("FilePrivateKeyStore: private key file={}", privKeyName);
-        }
-
-        if (privKeyName == null) {
-            return null;
-        }
-
-        File privKeyFile = new File(privKeyName);
-        PrivateKey pkey = Crypto.loadPrivateKey(privKeyFile);
-
-        if (pkey != null) {
-            privateKeyId.append(System.getProperty(ATHENZ_PROP_PRIVATE_KEY_ID, "0"));
-        }
-        return pkey;
-    }
 }
diff --git a/libs/java/auth_core/src/test/java/com/yahoo/athenz/auth/PrivateKeyStoreTest.java b/libs/java/auth_core/src/test/java/com/yahoo/athenz/auth/PrivateKeyStoreTest.java
@@ -27,8 +27,8 @@ public void testPrivateKeyStore() {
         PrivateKeyStore keyStore = new PrivateKeyStore() {
         };
 
-        assertEquals("key1".toCharArray(), keyStore.getSecret("jdbc", "key1"));
-        assertNull(keyStore.getPrivateKey("service", "host1", null));
+        assertEquals("key1".toCharArray(), keyStore.getSecret("jdbc", "keygroup1", "key1"));
+        assertNull(keyStore.getPrivateKey("service", "host1", null, null));
         assertNull(keyStore.getPrivateKey("service", "host1", "us-west-2", "rsa"));
     }
 }
diff --git a/libs/java/auth_core/src/test/java/com/yahoo/athenz/auth/impl/FilePrivateKeyStoreTest.java b/libs/java/auth_core/src/test/java/com/yahoo/athenz/auth/impl/FilePrivateKeyStoreTest.java
@@ -17,8 +17,6 @@
 
 import static org.testng.Assert.*;
 
-import java.security.PrivateKey;
-
 import com.yahoo.athenz.auth.ServerPrivateKey;
 import org.testng.annotations.Test;
 
@@ -33,7 +31,6 @@ public void testCreateStore() {
         assertNotNull(store);
     }
 
-    @SuppressWarnings("deprecation")
     @Test
     public void testRetrievePrivateKeyValid() {
 
@@ -44,8 +41,7 @@ public void testRetrievePrivateKeyValid() {
         System.setProperty(FilePrivateKeyStore.ATHENZ_PROP_PRIVATE_KEY,
                 "src/test/resources/unit_test_zts_private_k0.key");
 
-        StringBuilder keyId = new StringBuilder(256);
-        PrivateKey privKey = store.getPrivateKey("zms", "localhost", keyId);
+        ServerPrivateKey privKey = store.getPrivateKey("zms", "localhost", "region", null);
         assertNotNull(privKey);
 
         if (saveProp == null) {
@@ -96,7 +92,7 @@ public void testRetrieveECPrivateKeyValid() {
     }
 
     @Test
-    public void testRetrieveAlgoPrivateKeyInalid() {
+    public void testRetrieveAlgoPrivateKeyInvalid() {
 
         FilePrivateKeyStoreFactory factory = new FilePrivateKeyStoreFactory();
         PrivateKeyStore store = factory.create();
@@ -120,7 +116,6 @@ public void testRetrieveAlgoPrivateKeyInalid() {
         }
     }
 
-    @SuppressWarnings("deprecation")
     @Test
     public void testRetrievePrivateKeyInValid() {
 
@@ -132,16 +127,13 @@ public void testRetrievePrivateKeyInValid() {
                 "src/test/resources/zts_private_k0_invalid.pem");
 
         try {
-            StringBuilder keyId = new StringBuilder(256);
-            store.getPrivateKey("zts", "localhost", keyId);
+            store.getPrivateKey("zts", "localhost", "region", null);
             fail();
-        } catch (Exception ex) {
-            assertTrue(true);
+        } catch (Exception ignored) {
         }
 
         System.clearProperty(FilePrivateKeyStore.ATHENZ_PROP_PRIVATE_KEY);
-        StringBuilder keyId = new StringBuilder(256);
-        assertNull(store.getPrivateKey("zts", "localhost", keyId));
+        assertNull(store.getPrivateKey("zts", "localhost", "region", null));
 
         if (saveProp == null) {
             System.clearProperty(FilePrivateKeyStore.ATHENZ_PROP_PRIVATE_KEY);

diff --git a/...modb_client_factory/src/main/java/com/yahoo/athenz/db/dynamodb/DynamoDBClientFetcher.java b/...modb_client_factory/src/main/java/com/yahoo/athenz/db/dynamodb/DynamoDBClientFetcher.java
@@ -18,20 +18,9 @@
 
 package com.yahoo.athenz.db.dynamodb;
 
-import com.yahoo.athenz.auth.PrivateKeyStore;
 import com.yahoo.athenz.zts.ZTSClientNotificationSender;
 
 public interface DynamoDBClientFetcher {
-    /**
-     * Returns a DynamoDBClient and the AWS credential provider used for authentication.
-     * The credentialProvider should be closed after DynamoDBClient is no longer needed.
-     * (GC might not run for a long period of time)
-     * @param ztsClientNotificationSender notification sender object
-     * @param keyStore private key store object for fetching any secrets
-     * @return DynamoDBClientAndCredentials which contains both a DynamoDB client and the credentialProvider used
-     */
-    @Deprecated
-    DynamoDBClientAndCredentials getDynamoDBClient(ZTSClientNotificationSender ztsClientNotificationSender, PrivateKeyStore keyStore);
 
     /**
      * Returns a DynamoDBClient and the AWS credential provider used for authentication.
@@ -41,5 +30,6 @@ public interface DynamoDBClientFetcher {
      * @param dynamoDBClientSettings contains private key store and client settings
      * @return DynamoDBClientAndCredentials which contains both a DynamoDB client and the credentialProvider used
      */
-    DynamoDBClientAndCredentials getDynamoDBClient(ZTSClientNotificationSender ztsClientNotificationSender, DynamoDBClientSettings dynamoDBClientSettings);
+    DynamoDBClientAndCredentials getDynamoDBClient(ZTSClientNotificationSender ztsClientNotificationSender,
+        DynamoDBClientSettings dynamoDBClientSettings);
 }
diff --git a/..._client_factory/src/main/java/com/yahoo/athenz/db/dynamodb/DynamoDBClientFetcherImpl.java b/..._client_factory/src/main/java/com/yahoo/athenz/db/dynamodb/DynamoDBClientFetcherImpl.java
@@ -23,7 +23,6 @@
 import com.amazonaws.util.EC2MetadataUtils;
 import com.oath.auth.KeyRefresher;
 import com.oath.auth.Utils;
-import com.yahoo.athenz.auth.PrivateKeyStore;
 import com.yahoo.athenz.zts.AWSCredentialsProviderImpl;
 import com.yahoo.athenz.zts.AWSCredentialsProviderImplV2;
 import com.yahoo.athenz.zts.ZTSClientNotificationSender;
@@ -47,30 +46,9 @@ public DynamoDBClientFetcherImpl(String defaultAwsRegion) {
     }
 
     @Override
-    @Deprecated
-    public DynamoDBClientAndCredentials getDynamoDBClient(ZTSClientNotificationSender ztsClientNotificationSender, PrivateKeyStore keyStore) {
-        String keyPath = System.getProperty("athenz.zts.dynamodb_key_path", "");
-        String certPath = System.getProperty("athenz.zts.dynamodb_cert_path", "");
-        String domainName = System.getProperty("athenz.zts.dynamodb_aws_domain", "");
-        String roleName = System.getProperty("athenz.zts.dynamodb_aws_role", "");
-        String trustStore = System.getProperty("athenz.zts.dynamodb_trust_store_path", "");
-        String region = System.getProperty("athenz.zts.dynamodb_region", "");
-        String trustStorePassword = System.getProperty("athenz.zts.dynamodb_trust_store_password", "");
-        String appName = System.getProperty("athenz.zts.dynamodb_trust_store_app_name", "");
-        String ztsURL = System.getProperty("athenz.zts.dynamodb_zts_url", "");
-        String externalId = System.getProperty("athenz.zts.dynamodb_external_id", null);
-        String minExpiryTimeStr = System.getProperty("athenz.zts.dynamodb_min_expiry_time", "");
-        String maxExpiryTimeStr = System.getProperty("athenz.zts.dynamodb_max_expiry_time", "");
-        Integer minExpiryTime = minExpiryTimeStr.isEmpty() ? null : Integer.parseInt(minExpiryTimeStr);
-        Integer maxExpiryTime = maxExpiryTimeStr.isEmpty() ? null : Integer.parseInt(maxExpiryTimeStr);
-        String keygroupName = System.getProperty("athenz.zts.dynamodb_trust_store_keygroup_name", "");
-
-        DynamoDBClientSettings dynamoDBClientSettings = new DynamoDBClientSettings(certPath, domainName, roleName, trustStore, trustStorePassword, ztsURL, region, keyPath, appName, keyStore, externalId, minExpiryTime, maxExpiryTime, keygroupName);
-        return getDynamoDBClient(ztsClientNotificationSender, dynamoDBClientSettings);
-    }
+    public DynamoDBClientAndCredentials getDynamoDBClient(ZTSClientNotificationSender ztsClientNotificationSender,
+            DynamoDBClientSettings dynamoDBClientSettings) {
 
-    @Override
-    public DynamoDBClientAndCredentials getDynamoDBClient(ZTSClientNotificationSender ztsClientNotificationSender, DynamoDBClientSettings dynamoDBClientSettings) {
         // if we're given key/cert path settings then
         // we'll deal with aws temporary credentials otherwise
         // we'll assume we're running in aws thus our ec2 already
@@ -106,7 +84,8 @@ String getAWSRegion(final String settingRegion) {
     }
 
     private DynamoDBClientAndCredentials getAuthenticatedDynamoDBClient(DynamoDBClientSettings dynamoDBClientSettings,
-                                                          ZTSClientNotificationSender ztsClientNotificationSender) {
+            ZTSClientNotificationSender ztsClientNotificationSender) {
+
         SSLContext sslContext = null;
         try {
             KeyRefresher keyRefresher = Utils.generateKeyRefresher(

diff --git a/...odb_client_factory/src/main/java/com/yahoo/athenz/db/dynamodb/DynamoDBClientSettings.java b/...odb_client_factory/src/main/java/com/yahoo/athenz/db/dynamodb/DynamoDBClientSettings.java
@@ -118,12 +118,7 @@ public Integer getMaxExpiryTime() {
         return maxExpiryTime;
     }
 
-    @Deprecated
-    public String getTrustStorePassword() {
-        return String.valueOf(getTrustStorePasswordChars());
-    }
-
-    char[] getTrustStorePasswordChars() {
+    public char[] getTrustStorePasswordChars() {
         if (keyStore == null) {
             return null;
         }

diff --git a/..._factory/src/test/java/com/yahoo/athenz/db/dynamodb/DynamoDBClientAndCredentialsTest.java b/..._factory/src/test/java/com/yahoo/athenz/db/dynamodb/DynamoDBClientAndCredentialsTest.java
@@ -0,0 +1,45 @@
+/*
+ *
+ *  * Copyright The Athenz Authors
+ *  *
+ *  * Licensed under the Apache License, Version 2.0 (the "License");
+ *  * you may not use this file except in compliance with the License.
+ *  * You may obtain a copy of the License at
+ *  *
+ *  *     http://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  * Unless required by applicable law or agreed to in writing, software
+ *  * distributed under the License is distributed on an "AS IS" BASIS,
+ *  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  * See the License for the specific language governing permissions and
+ *  * limitations under the License.
+ *
+ */
+
+package com.yahoo.athenz.db.dynamodb;
+
+import org.mockito.Mockito;
+import org.testng.annotations.Test;
+import com.amazonaws.services.dynamodbv2.AmazonDynamoDB;
+import com.yahoo.athenz.zts.AWSCredentialsProviderImpl;
+import software.amazon.awssdk.services.dynamodb.DynamoDbAsyncClient;
+
+import static org.testng.Assert.assertEquals;
+
+public class DynamoDBClientAndCredentialsTest {
+
+    @Test
+    public void testDynamoDBClientAndCredentials() {
+
+        AmazonDynamoDB amazonDynamoDB = Mockito.mock(AmazonDynamoDB.class);
+        DynamoDbAsyncClient amazonDynamoAsyncDB = Mockito.mock(DynamoDbAsyncClient.class);
+        AWSCredentialsProviderImpl awsCredentialsProvider = Mockito.mock(AWSCredentialsProviderImpl.class);
+
+        DynamoDBClientAndCredentials dynamoDBClientAndCredentials = new DynamoDBClientAndCredentials(
+                amazonDynamoDB, amazonDynamoAsyncDB, awsCredentialsProvider);
+
+        assertEquals(amazonDynamoDB, dynamoDBClientAndCredentials.getAmazonDynamoDB());
+        assertEquals(amazonDynamoAsyncDB, dynamoDBClientAndCredentials.getAmazonDynamoAsyncDB());
+        assertEquals(awsCredentialsProvider, dynamoDBClientAndCredentials.getAwsCredentialsProvider());
+    }
+}