From c63ce3de8f6d525ef03d80a2b9a35c4b11e53595 Mon Sep 17 00:00:00 2001 From: Henry Avetisyan Date: Fri, 15 Dec 2017 13:11:49 -0800 Subject: [PATCH] Moreexample (#355) * #350 zts role token restriction on appid move to authz service * AWS Temp Credentials Example --- .../java/zts/examples/tls-support/README.md | 31 +++- .../java/zts/examples/tls-support/logback.xml | 19 +++ clients/java/zts/examples/tls-support/pom.xml | 5 + .../zts/tls/client/ZTSAWSCredsClient.java | 156 ++++++++++++++++++ 4 files changed, 210 insertions(+), 1 deletion(-) create mode 100644 clients/java/zts/examples/tls-support/logback.xml create mode 100644 clients/java/zts/examples/tls-support/src/main/java/com/yahoo/athenz/example/zts/tls/client/ZTSAWSCredsClient.java diff --git a/clients/java/zts/examples/tls-support/README.md b/clients/java/zts/examples/tls-support/README.md index 017702aeee3..81112db35d6 100644 --- a/clients/java/zts/examples/tls-support/README.md +++ b/clients/java/zts/examples/tls-support/README.md @@ -1,4 +1,4 @@ -# Athenz ZTS TLS Client Example +# Athenz ZTS TLS Client Examples An example showing the use of ZTS Client with Athenz CA issued client certificates. @@ -7,6 +7,8 @@ the client X.509 certificate for their service. The private key is stored in the current directory in `key.pem` file while the corresponding certificate in the `cert.pem` file. +Example 1: + The example retrieves the public key for a given service from Athenz ZTS Service. The utility supports the following command line options: 
@@ -30,6 +32,33 @@ directory path and `` with your java home directory path. java -cp /target/example-zts-tls-java-client-1.0.jar:/target/dependency/* com.yahoo.athenz.example.zts.tls.client.ZTSTLSClient -d sys.auth -s zms -i 0 -k /key.pem -c /cert.pem -t /jre/lib/security/cacerts -p changeit -z https://:4443/zts/v1 ``` +Example 2: + +The example retrieves configured AWS temporary credentials +for the given Athenz Service. The utility supports the following +command line options: + +``` +usage: zts-aws-creds-client + -c,--cert certficate path + -d,--domain domain name + -k,--key private key path + -p,--trustStorePassword CA TrustStore password + -r,--role role name + -t,--trustStorePath CA TrustStore path + -z,--ztsurl ZTS Server url +``` + +First build the example by executing `mvn clean package` and then run +from the current directory by replacing `` with your current working +directory path and `` with your java home directory path. +In this example, we assume the domain is sports and the aws role defined +in this account is called deployment: + +``` +java -cp /target/example-zts-tls-java-client-1.0.jar:/target/dependency/* com.yahoo.athenz.example.zts.tls.client.ZTSAWSCredsClient -d sports -r deployment -k /key.pem -c /cert.pem -t /jre/lib/security/cacerts -p changeit -z https://:4443/zts/v1 +``` + Copyright 2017 Yahoo Holdings, Inc. Licensed under the [Apache License, Version 2.0](http://www.apache.org/licenses/LICENSE-2.0) diff --git a/clients/java/zts/examples/tls-support/logback.xml b/clients/java/zts/examples/tls-support/logback.xml new file mode 100644 index 00000000000..0f14952fcea --- /dev/null +++ b/clients/java/zts/examples/tls-support/logback.xml @@ -0,0 +1,19 @@ + + + + + + + + [ZTS-CLIENT] %d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n + + + + + + + + + + diff --git a/clients/java/zts/examples/tls-support/pom.xml b/clients/java/zts/examples/tls-support/pom.xml index 8749e21e4ba..be80ea1669e 100644 
--- a/clients/java/zts/examples/tls-support/pom.xml +++ b/clients/java/zts/examples/tls-support/pom.xml @@ -51,6 +51,11 @@ commons-cli 1.3.1 + + org.slf4j + slf4j-api + 1.7.25 + ch.qos.logback logback-classic diff --git a/clients/java/zts/examples/tls-support/src/main/java/com/yahoo/athenz/example/zts/tls/client/ZTSAWSCredsClient.java b/clients/java/zts/examples/tls-support/src/main/java/com/yahoo/athenz/example/zts/tls/client/ZTSAWSCredsClient.java new file mode 100644 index 00000000000..a5f909a3028 --- /dev/null +++ b/clients/java/zts/examples/tls-support/src/main/java/com/yahoo/athenz/example/zts/tls/client/ZTSAWSCredsClient.java 
@@ -0,0 +1,156 @@
+/**
+ * Copyright 2017 Yahoo Holdings, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.yahoo.athenz.example.zts.tls.client;
+
+import javax.net.ssl.SSLContext;
+
+import org.apache.commons.cli.CommandLine;
+import org.apache.commons.cli.CommandLineParser;
+import org.apache.commons.cli.DefaultParser;
+import org.apache.commons.cli.HelpFormatter;
+import org.apache.commons.cli.Option;
+import org.apache.commons.cli.Options;
+import org.apache.commons.cli.ParseException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.yahoo.athenz.zts.PublicKeyEntry;
+import com.yahoo.athenz.zts.ZTSClient;
+import com.yahoo.athenz.zts.ZTSClientException;
+import com.amazonaws.auth.AWSCredentials;
+import com.amazonaws.auth.AWSCredentialsProvider;
+import com.oath.auth.KeyRefresher;
+import com.oath.auth.Utils;
+
+public class ZTSAWSCredsClient {
+
+ private static final Logger LOG = LoggerFactory.getLogger(ZTSAWSCredsClient.class);
+
+ public ZTSAWSCredsClient() {
+ }
+
+ public static void main(String[] args) {
+
+ // parse our command line to retrieve required input
+
+ CommandLine cmd = parseCommandLine(args);
+
+ final String domainName = cmd.getOptionValue("domain").toLowerCase();
+ final String roleName = cmd.getOptionValue("role").toLowerCase();
+ final String ztsUrl = cmd.getOptionValue("ztsurl");
+ final String keyPath = cmd.getOptionValue("key");
+ final String certPath = cmd.getOptionValue("cert");
+ final String trustStorePath = cmd.getOptionValue("trustStorePath");
+ final String trustStorePassword = cmd.getOptionValue("trustStorePassword");
+
+ // we are going to setup our service private key and
+ // certificate into a ssl context that we can use with
+ // our zts client
+
+ try {
+ KeyRefresher keyRefresher = Utils.generateKeyRefresher(trustStorePath, trustStorePassword,
+ certPath, keyPath);
+ SSLContext sslContext = Utils.buildSSLContext(keyRefresher.getKeyManagerProxy(),
+ keyRefresher.getTrustManagerProxy());
+
+ // we must not close this client as long as we're using the
+ // AWS credentials provider since it needs this client to
+ // refresh the certs when required
+
+ ZTSClient ztsClient = new ZTSClient(ztsUrl, sslContext);
+
+ // retrieve and display aws temporary creds
+
+ retrieveAWSTempCreds(ztsClient, domainName, roleName);
+
+ // we're done with our provider so we can close our client
+
+ ztsClient.close();
+
+ } catch (Exception ex) {
+ System.out.println("Exception: " + ex.getMessage());
+ ex.printStackTrace();
+ System.exit(1);
+ }
+ }
+
+ private static boolean retrieveAWSTempCreds(ZTSClient ztsClient, final String domainName,
+ final String roleName) {
+
+ try {
+ AWSCredentialsProvider awsCredProvider = ztsClient.getAWSCredentialProvider(domainName, roleName);
+ AWSCredentials awsCreds = awsCredProvider.getCredentials();
+ if (awsCreds == null) {
+ System.out.println("Error: AWS Credentials are not available");
+ return false;
+ }
+ System.out.println("AWS Temporary Credentials:\n");
+ System.out.println("\tAccess Key Id : " + awsCreds.getAWSAccessKeyId());
+ System.out.println("\tSecret Key : " + awsCreds.getAWSSecretKey());
+ } catch (ZTSClientException ex) {
+ System.out.println("Unable to retrieve AWS credentials: " + ex.getMessage());
+ return false;
+ }
+ return true;
+ }
+
+ private static CommandLine parseCommandLine(String[] args) {
+
+ Options options = new Options();
+
+ Option domain = new Option("d", "domain", true,
"domain name");
+ domain.setRequired(true);
+ options.addOption(domain);
+
+ Option role = new Option("r", "role", true, "role name");
+ role.setRequired(true);
+ options.addOption(role);
+
+ Option key = new Option("k", "key", true, "private key path");
+ key.setRequired(true);
+ options.addOption(key);
+
+ Option cert = new Option("c", "cert", true, "certficate path");
+ cert.setRequired(true);
+ options.addOption(cert);
+
+ Option trustStore = new Option("t", "trustStorePath", true, "CA TrustStore path");
+ trustStore.setRequired(true);
+ options.addOption(trustStore);
+
+ Option trustStorePassword = new Option("p", "trustStorePassword", true, "CA TrustStore password");
+ trustStorePassword.setRequired(true);
+ options.addOption(trustStorePassword);
+
+ Option ztsUrl = new Option("z", "ztsurl", true, "ZTS Server url");
+ ztsUrl.setRequired(true);
+ options.addOption(ztsUrl);
+
+ CommandLineParser parser = new DefaultParser();
+ HelpFormatter formatter = new HelpFormatter();
+ CommandLine cmd = null;
+
+ try {
+ cmd = parser.parse(options, args);
+ } catch (ParseException e) {
+ System.out.println(e.getMessage());
+ formatter.printHelp("zts-aws-creds-client", options);
+ System.exit(1);
+ }
+
+ return cmd;
+ }
+}
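Review bot: The boolean returned by `retrieveAWSTempCreds(ztsClient, domainName, roleName)` is discarded in main, so a failed lookup (null credentials or a ZTSClientException, both of which the helper reports and returns false for) still closes the client and exits with status 0, which makes the example unusable as a scripted check. Capture the result and map it to the exit code: `boolean ok = retrieveAWSTempCreds(ztsClient, domainName, roleName);` … `ztsClient.close();` … `System.exit(ok ? 0 : 1);`. Separately, retrieveAWSTempCreds writes the full secret key to stdout, and example output tends to be pasted into tickets and captured in CI logs; printing only the access key id with a masked secret, or at least a comment above that println such as `// secret shown in clear for demonstration only - do not do this in real tooling`, would make the intent explicit. The trust-store password is also taken from the command line, where it is visible to other local users through the process list; reading it from an environment variable or a prompt would avoid that, though the README usage would need to follow. The `LOG` field and the `PublicKeyEntry` import are unused in this file.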