Moreexample (#355)
* #350 zts role token restriction on appid move to authz service

* AWS Temp Credentials Example
havetisyan authored Dec 15, 2017
1 parent 8b40d3c commit c63ce3d
Showing 4 changed files with 210 additions and 1 deletion.
31 changes: 30 additions & 1 deletion clients/java/zts/examples/tls-support/README.md
@@ -1,4 +1,4 @@
# Athenz ZTS TLS Client Example
# Athenz ZTS TLS Client Examples

An example showing the use of ZTS Client with Athenz CA issued client certificates.

Expand All @@ -7,6 +7,8 @@ the client X.509 certificate for their service. The private key is
stored in the current directory in `key.pem` file while the corresponding
certificate in the `cert.pem` file.

Example 1:

The example retrieves the public key for a given service from Athenz ZTS
Service. The utility supports the following command line options:

Expand All @@ -30,6 +32,33 @@ directory path and `<java-home>` with your java home directory path.
java -cp <cwd>/target/example-zts-tls-java-client-1.0.jar:<cwd>/target/dependency/* com.yahoo.athenz.example.zts.tls.client.ZTSTLSClient -d sys.auth -s zms -i 0 -k <cwd>/key.pem -c <cwd>/cert.pem -t <java-home>/jre/lib/security/cacerts -p changeit -z https://<athenz-zts-server-host>:4443/zts/v1
```

Example 2:

The example retrieves configured AWS temporary credentials
for the given Athenz Service. The utility supports the following
command line options:

```
usage: zts-aws-creds-client
-c,--cert <arg> certficate path
-d,--domain <arg> domain name
-k,--key <arg> private key path
-p,--trustStorePassword <arg> CA TrustStore password
-r,--role <arg> role name
-t,--trustStorePath <arg> CA TrustStore path
-z,--ztsurl <arg> ZTS Server url
```

First build the example by executing `mvn clean package` and then run
from the current directory by replacing `<cwd>` with your current working
directory path and `<java-home>` with your java home directory path.
In this example, we assume the domain is sports and the aws role defined
in this account is called deployment:

```
java -cp <cwd>/target/example-zts-tls-java-client-1.0.jar:<cwd>/target/dependency/* com.yahoo.athenz.example.zts.tls.client.ZTSAWSCredsClient -d sports -r deployment -k <cwd>/key.pem -c <cwd>/cert.pem -t <java-home>/jre/lib/security/cacerts -p changeit -z https://<athenz-zts-server-host>:4443/zts/v1
```

Copyright 2017 Yahoo Holdings, Inc.

Licensed under the [Apache License, Version 2.0](http://www.apache.org/licenses/LICENSE-2.0)
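--- a/clients/java/zts/examples/tls-support/logback.xml
+++ b/clients/java/zts/examples/tls-support/logback.xml
@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<configuration scan="true">
+<property name="LOG_DIR" value="/var/log/zts_server" />
+
+<appender name="SERVER" class="ch.qos.logback.core.ConsoleAppender">
+<!-- encoders are assigned the type
+ch.qos.logback.classic.encoder.PatternLayoutEncoder by default -->
+<encoder>
+<pattern>[ZTS-CLIENT] %d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n</pattern>
+</encoder>
+</appender>
+
+<logger name="org.eclipse" level="INFO"/>
+
+<root>
+<level value="DEBUG" />
+<appender-ref ref="SERVER" />
+</root>
+</configuration>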
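Review bot: The `LOG_DIR` property declared on line 73 is never referenced — the only appender is a ConsoleAppender — and its value names `zts_server` although this file configures a client example; either drop the property or add the file appender it was meant to feed. The root logger at DEBUG (line 86) may also surface debug output from the ZTS client library and the AWS SDK on every run; INFO is the usual default for an example, with DEBUG left for the reader to enable when diagnosing a problem.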
5 changes: 5 additions & 0 deletions clients/java/zts/examples/tls-support/pom.xml
Expand Up @@ -51,6 +51,11 @@
<artifactId>commons-cli</artifactId>
<version>1.3.1</version>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
<version>1.7.25</version>
</dependency>
<dependency>
<groupId>ch.qos.logback</groupId>
<artifactId>logback-classic</artifactId>
@@ -0,0 +1,156 @@
/**
* Copyright 2017 Yahoo Holdings, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package com.yahoo.athenz.example.zts.tls.client;

import javax.net.ssl.SSLContext;

import org.apache.commons.cli.CommandLine;
import org.apache.commons.cli.CommandLineParser;
import org.apache.commons.cli.DefaultParser;
import org.apache.commons.cli.HelpFormatter;
import org.apache.commons.cli.Option;
import org.apache.commons.cli.Options;
import org.apache.commons.cli.ParseException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import com.yahoo.athenz.zts.PublicKeyEntry;
import com.yahoo.athenz.zts.ZTSClient;
import com.yahoo.athenz.zts.ZTSClientException;
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.AWSCredentialsProvider;
import com.oath.auth.KeyRefresher;
import com.oath.auth.Utils;

public class ZTSAWSCredsClient {

private static final Logger LOG = LoggerFactory.getLogger(ZTSAWSCredsClient.class);

public ZTSAWSCredsClient() {
}

public static void main(String[] args) {

// parse our command line to retrieve required input

CommandLine cmd = parseCommandLine(args);

final String domainName = cmd.getOptionValue("domain").toLowerCase();
final String roleName = cmd.getOptionValue("role").toLowerCase();
final String ztsUrl = cmd.getOptionValue("ztsurl");
final String keyPath = cmd.getOptionValue("key");
final String certPath = cmd.getOptionValue("cert");
final String trustStorePath = cmd.getOptionValue("trustStorePath");
final String trustStorePassword = cmd.getOptionValue("trustStorePassword");

// we are going to setup our service private key and
// certificate into a ssl context that we can use with
// our zts client

try {
KeyRefresher keyRefresher = Utils.generateKeyRefresher(trustStorePath, trustStorePassword,
certPath, keyPath);
SSLContext sslContext = Utils.buildSSLContext(keyRefresher.getKeyManagerProxy(),
keyRefresher.getTrustManagerProxy());

// we must not close this client as long as we're using the
// AWS credentials provider since it needs this client to
// refresh the certs when required

ZTSClient ztsClient = new ZTSClient(ztsUrl, sslContext);

// retrieve and display aws temporary creds

retrieveAWSTempCreds(ztsClient, domainName, roleName);

// we're done with our provider so we can close our client

ztsClient.close();

} catch (Exception ex) {
System.out.println("Exception: " + ex.getMessage());
ex.printStackTrace();
System.exit(1);
}
}

private static boolean retrieveAWSTempCreds(ZTSClient ztsClient, final String domainName,
final String roleName) {

try {
AWSCredentialsProvider awsCredProvider = ztsClient.getAWSCredentialProvider(domainName, roleName);
AWSCredentials awsCreds = awsCredProvider.getCredentials();
if (awsCreds == null) {
System.out.println("Error: AWS Credentials are not available");
return false;
}
System.out.println("AWS Temporary Credentials:\n");
System.out.println("\tAccess Key Id : " + awsCreds.getAWSAccessKeyId());
System.out.println("\tSecret Key : " + awsCreds.getAWSSecretKey());
} catch (ZTSClientException ex) {
System.out.println("Unable to retrieve AWS credentials: " + ex.getMessage());
return false;
}
return true;
}

private static CommandLine parseCommandLine(String[] args) {

Options options = new Options();

Option domain = new Option("d", "domain", true, "domain name");
domain.setRequired(true);
options.addOption(domain);

Option role = new Option("r", "role", true, "role name");
role.setRequired(true);
options.addOption(role);

Option key = new Option("k", "key", true, "private key path");
key.setRequired(true);
options.addOption(key);

Option cert = new Option("c", "cert", true, "certficate path");
cert.setRequired(true);
options.addOption(cert);

Option trustStore = new Option("t", "trustStorePath", true, "CA TrustStore path");
trustStore.setRequired(true);
options.addOption(trustStore);

Option trustStorePassword = new Option("p", "trustStorePassword", true, "CA TrustStore password");
trustStorePassword.setRequired(true);
options.addOption(trustStorePassword);

Option ztsUrl = new Option("z", "ztsurl", true, "ZTS Server url");
ztsUrl.setRequired(true);
options.addOption(ztsUrl);

CommandLineParser parser = new DefaultParser();
HelpFormatter formatter = new HelpFormatter();
CommandLine cmd = null;

try {
cmd = parser.parse(options, args);
} catch (ParseException e) {
System.out.println(e.getMessage());
formatter.printHelp("zts-aws-creds-client", options);
System.exit(1);
}

return cmd;
}
}
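Review bot: main() discards the boolean returned by retrieveAWSTempCreds (line 183), so a run that prints "Error: AWS Credentials are not available" or "Unable to retrieve AWS credentials" still closes the client and exits with status 0; capture it — `boolean ok = retrieveAWSTempCreds(ztsClient, domainName, roleName);` — keep `ztsClient.close();` and follow it with `if (!ok) { System.exit(1); }`. Lines 207–208 print only the access key id and secret key; if getAWSCredentialProvider hands back session credentials (AWSSessionCredentials), the example is incomplete without the session token as well — worth confirming against the ZTSClient API. The secret key is written to stdout in clear, which is the demo's point, but the class also declares `LOG` (line 146) and imports `PublicKeyEntry` (line 136) without using either, which reads as a leftover from ZTSTLSClient; route the messages through LOG or drop both. The help text on line 232, `"certficate path"`, is misspelled and is what the README usage block echoes.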

0 comments on commit c63ce3d