From 95c568e384a3a864a1c223137beaa2662e2a1299 Mon Sep 17 00:00:00 2001
From: Abhijeet V <31417623+abvaidya@users.noreply.github.com>
Date: Wed, 29 May 2024 19:58:29 -0700
Subject: [PATCH] aws parameter store implementation for PrivateKeyStore
interface (#2631)
bcprov-ext-jdk18on is folded into bcprov-jdk18on from 1.78.1
Signed-off-by: Abhijeet V <31417623+abvaidya@users.noreply.github.com>
---
containers/jetty/pom.xml | 5 -
libs/java/auth_core/pom.xml | 16 ++++
.../AWSParameterStorePrivateKeyStore.java | 93 +++++++++++++++++++
...SParameterStorePrivateKeyStoreFactory.java | 28 ++++++
...ameterStorePrivateKeyStoreFactoryTest.java | 32 +++++++
.../AWSParameterStorePrivateKeyStoreTest.java | 76 +++++++++++++++
libs/java/server_common/pom.xml | 5 -
7 files changed, 245 insertions(+), 10 deletions(-)
create mode 100644 libs/java/auth_core/src/main/java/com/yahoo/athenz/auth/impl/AWSParameterStorePrivateKeyStore.java
create mode 100644 libs/java/auth_core/src/main/java/com/yahoo/athenz/auth/impl/AWSParameterStorePrivateKeyStoreFactory.java
create mode 100644 libs/java/auth_core/src/test/java/com/yahoo/athenz/auth/impl/AWSParameterStorePrivateKeyStoreFactoryTest.java
create mode 100644 libs/java/auth_core/src/test/java/com/yahoo/athenz/auth/impl/AWSParameterStorePrivateKeyStoreTest.java
diff --git a/containers/jetty/pom.xml b/containers/jetty/pom.xml
index f33233bc7a4..57097d146a4 100644
--- a/containers/jetty/pom.xml
+++ b/containers/jetty/pom.xml
@@ -155,11 +155,6 @@
bcpkix-jdk18on
${bouncycastle.version}
-
- org.bouncycastle
- bcprov-ext-jdk18on
- 1.78
-
jakarta.ws.rs
jakarta.ws.rs-api
diff --git a/libs/java/auth_core/pom.xml b/libs/java/auth_core/pom.xml
index be16fc39c74..47cf0b3df00 100644
--- a/libs/java/auth_core/pom.xml
+++ b/libs/java/auth_core/pom.xml
@@ -30,6 +30,18 @@
0.9007
+
+
+
+ software.amazon.awssdk
+ bom
+ ${aws2.version}
+ pom
+ import
+
+
+
+
org.slf4j
@@ -79,6 +91,10 @@
jjwt-api
${jjwt.version}
+
+ software.amazon.awssdk
+ ssm
+
io.jsonwebtoken
jjwt-impl
diff --git a/libs/java/auth_core/src/main/java/com/yahoo/athenz/auth/impl/AWSParameterStorePrivateKeyStore.java b/libs/java/auth_core/src/main/java/com/yahoo/athenz/auth/impl/AWSParameterStorePrivateKeyStore.java
new file mode 100644
index 00000000000..b04ebdbd2c7
--- /dev/null
+++ b/libs/java/auth_core/src/main/java/com/yahoo/athenz/auth/impl/AWSParameterStorePrivateKeyStore.java
@@ -0,0 +1,93 @@
+/*
+ * Copyright The Athenz Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.yahoo.athenz.auth.impl;
+
+import com.yahoo.athenz.auth.PrivateKeyStore;
+import com.yahoo.athenz.auth.ServerPrivateKey;
+import com.yahoo.athenz.auth.util.Crypto;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import software.amazon.awssdk.services.ssm.SsmClient;
+
+import java.lang.invoke.MethodHandles;
+import java.security.PrivateKey;
+
+public class AWSParameterStorePrivateKeyStore implements PrivateKeyStore {
+
+ private static final Logger LOG = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
+
+ private static final String ZMS_SERVICE = "zms";
+ private static final String ZTS_SERVICE = "zts";
+ private static final String MSD_SERVICE = "msd";
+
+ private static final String ATHENZ_PROP_ZMS_KEY_NAME = "athenz.aws.zms.key_name";
+ private static final String ATHENZ_PROP_ZMS_KEY_ID_NAME = "athenz.aws.zms.key_id_name";
+ private static final String ATHENZ_PROP_ZTS_KEY_NAME = "athenz.aws.zts.key_name";
+ private static final String ATHENZ_PROP_ZTS_KEY_ID_NAME = "athenz.aws.zts.key_id_name";
+ private static final String ATHENZ_PROP_MSD_KEY_NAME = "athenz.aws.msd.key_name";
+ private static final String ATHENZ_PROP_MSD_KEY_ID_NAME = "athenz.aws.msd.key_id_name";
+
+ private static final String ATHENZ_DEFAULT_KEY_NAME = "service_private_key";
+ private static final String ATHENZ_DEFAULT_KEY_ID_NAME = "service_private_key_id";
+
+ private final SsmClient ssmClient;
+
+ AWSParameterStorePrivateKeyStore(SsmClient ssmClient) {
+ this.ssmClient = ssmClient;
+ }
+
+ @Override
+ public char[] getSecret(String appName, String keyName) {
+ return getSsmParameter(keyName).toCharArray();
+ }
+
+ @Override
+ public ServerPrivateKey getPrivateKey(String service, String serverHostName, String serverRegion, String algorithm) {
+ if (serverRegion == null || serverRegion.isEmpty()) {
+ LOG.error("server region not specified");
+ return null;
+ }
+ String keyName;
+ String keyIdName;
+ final String objectSuffix = "." + algorithm.toLowerCase();
+ if (ZMS_SERVICE.equals(service)) {
+ keyName = System.getProperty(ATHENZ_PROP_ZMS_KEY_NAME, ATHENZ_DEFAULT_KEY_NAME) + objectSuffix;
+ keyIdName = System.getProperty(ATHENZ_PROP_ZMS_KEY_ID_NAME, ATHENZ_DEFAULT_KEY_ID_NAME) + objectSuffix;
+ } else if (ZTS_SERVICE.equals(service)) {
+ keyName = System.getProperty(ATHENZ_PROP_ZTS_KEY_NAME, ATHENZ_DEFAULT_KEY_NAME) + objectSuffix;
+ keyIdName = System.getProperty(ATHENZ_PROP_ZTS_KEY_ID_NAME, ATHENZ_DEFAULT_KEY_ID_NAME) + objectSuffix;
+ } else if (MSD_SERVICE.equals(service)) {
+ keyName = System.getProperty(ATHENZ_PROP_MSD_KEY_NAME, ATHENZ_DEFAULT_KEY_NAME) + objectSuffix;
+ keyIdName = System.getProperty(ATHENZ_PROP_MSD_KEY_ID_NAME, ATHENZ_DEFAULT_KEY_ID_NAME) + objectSuffix;
+ } else {
+ LOG.error("Unknown service specified: {}", service);
+ return null;
+ }
+
+ PrivateKey pkey = null;
+ try {
+ pkey = Crypto.loadPrivateKey(getSsmParameter(keyName));
+ } catch (Exception ex) {
+ LOG.error("unable to load private key", ex);
+ }
+ return pkey == null ? null : new ServerPrivateKey(pkey, getSsmParameter(keyIdName));
+ }
+
+ private String getSsmParameter(final String keyName) {
+ return ssmClient.getParameter(r -> r.name(keyName).withDecryption(true)).parameter().value();
+ }
+
+}
diff --git a/libs/java/auth_core/src/main/java/com/yahoo/athenz/auth/impl/AWSParameterStorePrivateKeyStoreFactory.java b/libs/java/auth_core/src/main/java/com/yahoo/athenz/auth/impl/AWSParameterStorePrivateKeyStoreFactory.java
new file mode 100644
index 00000000000..74a5228aec7
--- /dev/null
+++ b/libs/java/auth_core/src/main/java/com/yahoo/athenz/auth/impl/AWSParameterStorePrivateKeyStoreFactory.java
@@ -0,0 +1,28 @@
+/*
+ * Copyright The Athenz Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.yahoo.athenz.auth.impl;
+
+import com.yahoo.athenz.auth.PrivateKeyStore;
+import com.yahoo.athenz.auth.PrivateKeyStoreFactory;
+import software.amazon.awssdk.services.ssm.SsmClient;
+
+public class AWSParameterStorePrivateKeyStoreFactory implements PrivateKeyStoreFactory {
+
+ @Override
+ public PrivateKeyStore create() {
+ return new AWSParameterStorePrivateKeyStore(SsmClient.create());
+ }
+}
diff --git a/libs/java/auth_core/src/test/java/com/yahoo/athenz/auth/impl/AWSParameterStorePrivateKeyStoreFactoryTest.java b/libs/java/auth_core/src/test/java/com/yahoo/athenz/auth/impl/AWSParameterStorePrivateKeyStoreFactoryTest.java
new file mode 100644
index 00000000000..50763be4d5c
--- /dev/null
+++ b/libs/java/auth_core/src/test/java/com/yahoo/athenz/auth/impl/AWSParameterStorePrivateKeyStoreFactoryTest.java
@@ -0,0 +1,32 @@
+/*
+ * Copyright The Athenz Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.yahoo.athenz.auth.impl;
+
+import com.yahoo.athenz.auth.PrivateKeyStore;
+import org.testng.annotations.Test;
+
+import static org.testng.Assert.assertTrue;
+
+public class AWSParameterStorePrivateKeyStoreFactoryTest {
+
+ @Test
+ public void createAWSParameterStorePrivateKeyStore() {
+ System.setProperty("aws.region", "us-west-2");
+ PrivateKeyStore privateKeyStore = new AWSParameterStorePrivateKeyStoreFactory().create();
+ assertTrue(privateKeyStore instanceof AWSParameterStorePrivateKeyStore);
+ System.clearProperty("aws.region");
+ }
+}
\ No newline at end of file
diff --git a/libs/java/auth_core/src/test/java/com/yahoo/athenz/auth/impl/AWSParameterStorePrivateKeyStoreTest.java b/libs/java/auth_core/src/test/java/com/yahoo/athenz/auth/impl/AWSParameterStorePrivateKeyStoreTest.java
new file mode 100644
index 00000000000..16a451b6066
--- /dev/null
+++ b/libs/java/auth_core/src/test/java/com/yahoo/athenz/auth/impl/AWSParameterStorePrivateKeyStoreTest.java
@@ -0,0 +1,76 @@
+/*
+ * Copyright The Athenz Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.yahoo.athenz.auth.impl;
+import com.yahoo.athenz.auth.PrivateKeyStore;
+import org.mockito.Mockito;
+import org.testng.annotations.Test;
+import software.amazon.awssdk.services.ssm.SsmClient;
+import software.amazon.awssdk.services.ssm.model.GetParameterResponse;
+import software.amazon.awssdk.services.ssm.model.Parameter;
+
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+import java.util.function.Consumer;
+
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.when;
+import static org.testng.Assert.*;
+
+public class AWSParameterStorePrivateKeyStoreTest {
+
+ private AWSParameterStorePrivateKeyStoreFactory getFactory(final SsmClient ssmClient) {
+ return new AWSParameterStorePrivateKeyStoreFactory() {
+ @Override
+ public PrivateKeyStore create() {
+ return new AWSParameterStorePrivateKeyStore(ssmClient);
+ }
+ };
+ }
+
+ @Test
+ public void testGetSecret() {
+ SsmClient ssmClient = Mockito.mock(SsmClient.class);
+ when(ssmClient.getParameter(any(Consumer.class)))
+ .thenReturn(GetParameterResponse.builder().parameter(Parameter.builder().value("secret").build()).build());
+ AWSParameterStorePrivateKeyStore store = (AWSParameterStorePrivateKeyStore)getFactory(ssmClient).create();
+ assertEquals(store.getSecret("app1", "key1"), "secret".toCharArray());
+ }
+
+ @Test
+ public void testGetPrivateKey() throws IOException {
+ SsmClient ssmClient = Mockito.mock(SsmClient.class);
+ Path path = Paths.get("src/test/resources/unit_test_ec_private.key");
+ try (FileInputStream fis = new FileInputStream(path.toFile())) {
+ String secret = new String(fis.readAllBytes());
+ when(ssmClient.getParameter(any(Consumer.class)))
+ .thenReturn(GetParameterResponse.builder().parameter(Parameter.builder().value(secret).build()).build());
+ AWSParameterStorePrivateKeyStore store = (AWSParameterStorePrivateKeyStore)getFactory(ssmClient).create();
+ assertNotNull(store.getPrivateKey("zms", "host1", "region1", "EC"));
+ }
+ }
+
+ @Test
+ public void testGetPrivateKeyInvalidInputs() {
+ SsmClient ssmClient = Mockito.mock(SsmClient.class);
+ AWSParameterStorePrivateKeyStore store = (AWSParameterStorePrivateKeyStore)getFactory(ssmClient).create();
+ assertNull(store.getPrivateKey("unknown", "host1", "region1", "EC"));
+ assertNull(store.getPrivateKey("zms", "host1", "region1", "unknown"));
+ assertNull(store.getPrivateKey("zms", "host1", null, "RSA"));
+ }
+}
\ No newline at end of file
diff --git a/libs/java/server_common/pom.xml b/libs/java/server_common/pom.xml
index fbdbfe094fc..0a59a931a15 100644
--- a/libs/java/server_common/pom.xml
+++ b/libs/java/server_common/pom.xml
@@ -168,11 +168,6 @@
bcutil-jdk18on
${bouncycastle.version}
-
- org.bouncycastle
- bcprov-ext-jdk18on
- 1.78
-
com.fasterxml.jackson.core
jackson-databind