private void setupStandardMocks() throws Exception {
Map<String, List<String>> externalGroups = new HashMap<>();
externalGroups.put(
EzSecurityConstant.EZ_INTERNAL_PROJECT,
Lists.newArrayList(EzSecurityConstant.EZ_INTERNAL_ADMIN_GROUP));
EzSecurityPrincipal principal = new EzSecurityPrincipal();
principal.setPrincipal(POC).setName(POC);
expect(
mockPool.getClient(
InternalNameServiceConstants.SERVICE_NAME, InternalNameService.Client.class))
.andReturn(insClientMock)
.anyTimes();
expect(
mockPool.getClient(
EzSecurityRegistrationConstants.SERVICE_NAME, EzSecurityRegistration.Client.class))
.andReturn(regClientMock)
.anyTimes();
expect(mockPool.getSecurityId(EzSecurityRegistrationConstants.SERVICE_NAME))
.andReturn("")
.anyTimes();
expect(mockPool.getSecurityId(EzDeployServiceConstants.SERVICE_NAME)).andReturn("").anyTimes();
expect(securityClientMock.fetchTokenForProxiedUser()).andReturn(ezTokenMock).anyTimes();
expect(securityClientMock.fetchTokenForProxiedUser("")).andReturn(ezTokenMock).anyTimes();
expect(insClientMock.getAppById("48454c4c4f-20-574f524c44", ezTokenMock))
.andReturn(getApplication());
expect(ezTokenMock.getExternalProjectGroups()).andReturn(externalGroups).anyTimes();
expect(ezTokenMock.getTokenPrincipal()).andReturn(principal).anyTimes();
mockPool.returnToPool(insClientMock);
expectLastCall().anyTimes();
mockPool.returnToPool(regClientMock);
expectLastCall().anyTimes();
}
public void run()
throws TException, EzSecurityTokenException, UserNotFoundException, IOException,
AppNotRegisteredException {
Properties config;
try {
config =
new EzConfiguration(new DirectoryConfigurationLoader(new File(this.config).toPath()))
.getProperties();
} catch (EzConfigurationLoaderException e) {
try {
config = new EzConfiguration(new ClasspathConfigurationLoader()).getProperties();
} catch (EzConfigurationLoaderException e1) {
throw new RuntimeException("Unable to load EzConfiguration");
}
}
if (config.get(EzBakePropertyConstants.ZOOKEEPER_CONNECTION_STRING) == null) {
config.setProperty(EzBakePropertyConstants.ZOOKEEPER_CONNECTION_STRING, this.zoo);
}
if (config.get(EzBakePropertyConstants.EZBAKE_CERTIFICATES_DIRECTORY) == null) {
config.setProperty(EzBakePropertyConstants.EZBAKE_CERTIFICATES_DIRECTORY, this.sslDir);
}
if (config.get(EzBakePropertyConstants.EZBAKE_SECURITY_ID) == null) {
config.setProperty(EzBakePropertyConstants.EZBAKE_SECURITY_ID, this.appId);
}
EzbakeSecurityClient client = new EzbakeSecurityClient(config);
switch (this.request) {
case User:
EzSecurityToken usertoken =
client.fetchTokenForProxiedUser(issuedTokenPrincipal(dn), this.target);
if (this.outputFile != null) {
writeTokenToFile(this.outputFile, usertoken);
}
break;
case App:
EzSecurityToken appToken = client.fetchAppToken(dn);
if (this.outputFile != null) {
writeTokenToFile(this.outputFile, appToken);
}
break;
case DN:
ProxyTokenRequest req = new ProxyTokenRequest();
req.setX509(new X509Info(dn));
req.setValidity(
new ValidityCaveats("EFE", "EzSecurity", System.currentTimeMillis() + 1000, ""));
EzSecurity.Client c = client.getClient();
ProxyTokenResponse principal = c.requestProxyToken(req);
client.returnClient(c);
System.out.println(principal.getToken());
System.out.println(principal.getSignature());
break;
case PROXY_DN:
ProxyTokenRequest proxyReq = new ProxyTokenRequest();
proxyReq.setX509(new X509Info(dn));
proxyReq.setValidity(
new ValidityCaveats("EFE", "EzSecurity", System.currentTimeMillis() + 1000, ""));
proxyReq.getValidity().setIssuedTime(System.currentTimeMillis());
EzSecurity.Client pc = client.getClient();
ProxyTokenResponse presp = pc.requestProxyToken(proxyReq);
client.returnClient(pc);
System.out.println(presp.getToken());
System.out.println(presp.getSignature());
break;
}
Closeables.close(client, true);
}
@Override
public void close() throws IOException {
if (security != null) {
security.close();
}
}
protected Optional<SecureMessage> decrypt(String topic, SecureMessage message)
throws IOException {
RSAKeyCrypto crypto = topicKeys.get(topic);
Optional<SecureMessage> decryptedPayload = Optional.absent();
try {
if (message.isSetKey()) {
if (crypto != null && crypto.hasPrivate()) {
Visibility visibility = message.getVisibility();
EzSecurityTokenWrapper token = security.fetchAppToken();
if (PermissionUtils.getPermissions(token.getAuthorizations(), visibility, true)
.contains(Permission.READ)) {
// Decrypt the symmetric key
byte[] symmetricKey = crypto.decrypt(message.getKey());
// Use the symmetric key to decrypt the message
SecretKey key = new SecretKeySpec(symmetricKey, ALGO);
Cipher cipher = Cipher.getInstance(ALGO);
cipher.init(Cipher.DECRYPT_MODE, key);
decryptedPayload =
Optional.of(
new SecureMessage(
visibility, ByteBuffer.wrap(cipher.doFinal(message.getContent()))));
} else {
log.warn(
"Pipeline is not authorized to read message with visibility of {}, dropping message.",
visibility);
}
} else {
String error =
"No private key found for broadcaster topic ["
+ topic
+ "]. Cannot decrypt messages. Please re-initialize the broadcaster with a private key to receive messages.";
log.error(error);
throw new RuntimeException(error);
}
} else {
log.debug("Message was not encrypted, or no key was set");
}
} catch (IllegalBlockSizeException | InvalidKeyException | BadPaddingException e) {
log.error("Encryption not set up properly, this error is fatal.", e);
throw new RuntimeException(e);
} catch (BadArgumentException e) {
log.error(
String.format(
"Visibility string %s not valid, message cannot be decrypted.",
message.getVisibility().getFormalVisibility()),
e);
throw new IOException(e);
} catch (NoSuchAlgorithmException e) {
log.error("Incorrect algorithm used to initialize crypto", e);
throw new RuntimeException(e);
} catch (NoSuchPaddingException e) {
log.error("Incorrect padding used to initialize crypto", e);
throw new RuntimeException(e);
} catch (PKeyCryptoException e) {
log.error("Invalid crypto object", e);
throw new RuntimeException(e);
} catch (EzSecurityTokenException e) {
log.error("Could not retrieve token from security service", e);
throw new RuntimeException(e);
}
return decryptedPayload;
}
