extractServicePrincipal api for java/go (AthenZ#593)

Author: havetisyan

libs/go/ztsclientutil/Makefile libs/go/athenzutils/Makefile

@@ -6,7 +6,7 @@
 # Licensed under the Apache License, Version 2.0 - http://www.apache.org/licenses/LICENSE-2.0
 #
 
-GOPKGNAME = github.com/yahoo/athenz/libs/go/ztsclientutil
+GOPKGNAME = github.com/yahoo/athenz/libs/go/athenzutils
 
 # check to see if go utility is installed
 GO := $(shell command -v go 2> /dev/null)
@@ -43,7 +43,7 @@ fmt:
 	gofmt -l .
 
 build:
-	@echo "Building ztsclientutil library..."
+	@echo "Building athenzutils library..."
 	go install -v $(GOPKGNAME)
 
 test:

libs/go/ztsclientutil/README.md libs/go/athenzutils/README.md

@@ -1,4 +1,4 @@
-ztsclientutil
+athenzutils
 ===========
 
 Go library to return zts client given private key and certificate.

libs/go/athenzutils/data/invalid_email_x509.cert

@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICVzCCAgGgAwIBAgIJAPnPBCVtXBIQMA0GCSqGSIb3DQEBCwUAMGUxCzAJBgNV
+BAYTAlVTMQswCQYDVQQIEwJDQTEPMA0GA1UEChMGQXRoZW56MRcwFQYDVQQLEw5U
+ZXN0aW5nIERvbWFpbjEfMB0GA1UEAxMWYXRoZW56OnJvbGUucHJvZHVjdGlvbjAe
+Fw0xODExMDkwMTI0NDdaFw0yODExMDYwMTI0NDdaMGUxCzAJBgNVBAYTAlVTMQsw
+CQYDVQQIEwJDQTEPMA0GA1UEChMGQXRoZW56MRcwFQYDVQQLEw5UZXN0aW5nIERv
+bWFpbjEfMB0GA1UEAxMWYXRoZW56OnJvbGUucHJvZHVjdGlvbjBcMA0GCSqGSIb3
+DQEBAQUAA0sAMEgCQQDDpJJEX7QFGTynqGYn7CxIKxVYU7YXBYF4XYmVJM5/bBa1
+jP9uslVbMxEiaPZVq1vgVdKVZAKoOg2/sp/RvlDXAgMBAAGjgZMwgZAwgY0GA1Ud
+EQSBhTCBgoIjcHJvZHVjdGlvbi5hdGhlbnoub3N0ay5hdGhlbnouY2xvdWSCKDEw
+MDEuaW5zdGFuY2VpZC5hdGhlbnoub3N0ay5hdGhlbnouY2xvdWSHBAoLDA2HBAoL
+DA6GFnNwaWZmZTovL2F0aGVuei9zYS9hcGmBDWF0aGVuei5zeW5jZXIwDQYJKoZI
+hvcNAQELBQADQQB8feFwhj2hAhJngIEckh5Hq1kwTH4BZH9gEXNp3fQ/a1CxbveS
+xfjMGaZKGglVtzDICXxv86QAytgjDPBTRCy9
+-----END CERTIFICATE-----

libs/go/athenzutils/data/multiple_email_x509.cert

@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICiTCCAjOgAwIBAgIJALYCFietAJw2MA0GCSqGSIb3DQEBCwUAMGUxCzAJBgNV
+BAYTAlVTMQswCQYDVQQIEwJDQTEPMA0GA1UEChMGQXRoZW56MRcwFQYDVQQLEw5U
+ZXN0aW5nIERvbWFpbjEfMB0GA1UEAxMWYXRoZW56OnJvbGUucHJvZHVjdGlvbjAe
+Fw0xODExMDkwMTIzMDdaFw0yODExMDYwMTIzMDdaMGUxCzAJBgNVBAYTAlVTMQsw
+CQYDVQQIEwJDQTEPMA0GA1UEChMGQXRoZW56MRcwFQYDVQQLEw5UZXN0aW5nIERv
+bWFpbjEfMB0GA1UEAxMWYXRoZW56OnJvbGUucHJvZHVjdGlvbjBcMA0GCSqGSIb3
+DQEBAQUAA0sAMEgCQQC06s0rPkxZHvgeCNkzOf66AyP+96yWnojraO7Dus9tAGZ9
+6Lx7GcTBaXwlqE6wSITegi8YCOZJTnD8k6nKAQjBAgMBAAGjgcUwgcIwgb8GA1Ud
+EQSBtzCBtIIjcHJvZHVjdGlvbi5hdGhlbnoub3N0ay5hdGhlbnouY2xvdWSCKDEw
+MDEuaW5zdGFuY2VpZC5hdGhlbnoub3N0ay5hdGhlbnouY2xvdWSHBAoLDA2HBAoL
+DA6GFnNwaWZmZTovL2F0aGVuei9zYS9hcGmBHmF0aGVuei5zeW5jZXJAenRzLmF0
+aGVuei5jbG91ZIEfYXRoZW56LnN5bmNlcjJAenRzLmF0aGVuei5jbG91ZDANBgkq
+hkiG9w0BAQsFAANBAKIO6IZu+dg/QDN3RPAW4J+mwODZRFwF6eoRRPZwisOSw0m0
+InN3TNCbJXaMkCDHklRC+Dw8d61fH+Jd7f5XrW4=
+-----END CERTIFICATE-----

libs/go/athenzutils/data/no_cn_x509.cert

@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIICAjCCAaygAwIBAgIJAKVAwSLBk5aQMA0GCSqGSIb3DQEBCwUAMEQxCzAJBgNV
+BAYTAlVTMQswCQYDVQQIEwJDQTEPMA0GA1UEChMGQXRoZW56MRcwFQYDVQQLEw5U
+ZXN0aW5nIERvbWFpbjAeFw0xODExMDkwMTIwNDFaFw0yODExMDYwMTIwNDFaMEQx
+CzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEPMA0GA1UEChMGQXRoZW56MRcwFQYD
+VQQLEw5UZXN0aW5nIERvbWFpbjBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDKPeQm
+YFqHgwjZEeeN06E2DG3J2f6UN/7HzOkxymRPnz1D0LqEPoPZFuPljyCWLIKLQntK
+TioluTbhF0UrZi2vAgMBAAGjgYAwfjB8BgNVHREEdTBzgiNwcm9kdWN0aW9uLmF0
+aGVuei5vc3RrLmF0aGVuei5jbG91ZIIoMTAwMS5pbnN0YW5jZWlkLmF0aGVuei5v
+c3RrLmF0aGVuei5jbG91ZIcECgsMDYcECgsMDoYWc3BpZmZlOi8vYXRoZW56L3Nh
+L2FwaTANBgkqhkiG9w0BAQsFAANBACQLqyjGuhWhtj4c8gDOpQy6JQch4NbgK6eW
+lVxjPLkN/N5okddDAUNJBeI6b4K2Jqhi9dGs1SMKowEpVXFBTmc=
+-----END CERTIFICATE-----

libs/go/athenzutils/data/no_email_x509.cert

@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICRDCCAe6gAwIBAgIJAOjFRfavoMeyMA0GCSqGSIb3DQEBCwUAMGUxCzAJBgNV
+BAYTAlVTMQswCQYDVQQIEwJDQTEPMA0GA1UEChMGQXRoZW56MRcwFQYDVQQLEw5U
+ZXN0aW5nIERvbWFpbjEfMB0GA1UEAxMWYXRoZW56OnJvbGUucHJvZHVjdGlvbjAe
+Fw0xODExMDkwMTIxNTFaFw0yODExMDYwMTIxNTFaMGUxCzAJBgNVBAYTAlVTMQsw
+CQYDVQQIEwJDQTEPMA0GA1UEChMGQXRoZW56MRcwFQYDVQQLEw5UZXN0aW5nIERv
+bWFpbjEfMB0GA1UEAxMWYXRoZW56OnJvbGUucHJvZHVjdGlvbjBcMA0GCSqGSIb3
+DQEBAQUAA0sAMEgCQQD9CDZYikP0sK08fGZkfM1JrVcxUOgxDjPkcxQfxdJ5Cr0v
+URytQ1or8Ziq6OtL4DlUoj5HT6Eudi38Ik88H1sDAgMBAAGjgYAwfjB8BgNVHREE
+dTBzgiNwcm9kdWN0aW9uLmF0aGVuei5vc3RrLmF0aGVuei5jbG91ZIIoMTAwMS5p
+bnN0YW5jZWlkLmF0aGVuei5vc3RrLmF0aGVuei5jbG91ZIcECgsMDYcECgsMDoYW
+c3BpZmZlOi8vYXRoZW56L3NhL2FwaTANBgkqhkiG9w0BAQsFAANBAGh9Yd09DX/X
+OPHE9oBvP1X2x8MBos8Iw98Uja2Ul669ym/6DTGE+3+BBVXn84ZncBMfK2NmoKGL
+Vf6ohlA02M4=
+-----END CERTIFICATE-----

libs/go/athenzutils/data/service_identity1.cert

@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB6zCCAZWgAwIBAgIJAOHhVUnRILR3MA0GCSqGSIb3DQEBCwUAMGAxCzAJBgNV
+BAYTAlVTMQswCQYDVQQIEwJDQTEPMA0GA1UEChMGQXRoZW56MRcwFQYDVQQLEw5U
+ZXN0aW5nIERvbWFpbjEaMBgGA1UEAxMRYXRoZW56LnByb2R1Y3Rpb24wHhcNMTgw
+OTIwMjIyODMyWhcNMjgwOTE3MjIyODMyWjBgMQswCQYDVQQGEwJVUzELMAkGA1UE
+CBMCQ0ExDzANBgNVBAoTBkF0aGVuejEXMBUGA1UECxMOVGVzdGluZyBEb21haW4x
+GjAYBgNVBAMTEWF0aGVuei5wcm9kdWN0aW9uMFwwDQYJKoZIhvcNAQEBBQADSwAw
+SAJBAMHYmM1iXRMiA9SWhUWR/l09b0RBR2z50NdUVQ0251jmwrcqudAH93dc8WPo
+4N8o0/pmLpj8MxkZpYBNlr6fns0CAwEAAaMyMDAwLgYDVR0RAQH/BCQwIoYgc3Bp
+ZmZlOi8vYXRoZW56L2RvbWFpbjEvc2VydmljZTEwDQYJKoZIhvcNAQELBQADQQCf
+V/b+rXPQHJuFR8OzwJ8YciAcdNn0ujXck+rAvxylN75tcolXW2JqxOwO4GIONJFn
+E/iThKWdVOkpccxuJKf0
+-----END CERTIFICATE-----

libs/go/athenzutils/data/service_identity2.cert

@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICejCCAiKgAwIBAgIJAKxhW5mQ2i8xMAkGByqGSM49BAEwYDELMAkGA1UEBhMC
+VVMxCzAJBgNVBAgTAkNBMRIwEAYDVQQHEwlTdW5ueXZhbGUxGDAWBgNVBAoTD015
+IFRlc3QgQ29tcGFueTEWMBQGA1UEAxMNYXRoZW56LnN5bmNlcjAeFw0xNjEyMDky
+MjA0NTdaFw0xNzEyMDkyMjA0NTdaMGAxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJD
+QTESMBAGA1UEBxMJU3Vubnl2YWxlMRgwFgYDVQQKEw9NeSBUZXN0IENvbXBhbnkx
+FjAUBgNVBAMTDWF0aGVuei5zeW5jZXIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC
+AASNMesBFJOU9IbJWk/NwzVcua/fF5xuxwI0Mp4wq3HQngE3Vdnm6Xn6gZYv0l2c
+Ly9/uzog9zE68hm0fs0UhWf7o4HFMIHCMB0GA1UdDgQWBBRzUG6PZe6W5zH0hYKu
+OAFCNbpU6TCBkgYDVR0jBIGKMIGHgBRzUG6PZe6W5zH0hYKuOAFCNbpU6aFkpGIw
+YDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRIwEAYDVQQHEwlTdW5ueXZhbGUx
+GDAWBgNVBAoTD015IFRlc3QgQ29tcGFueTEWMBQGA1UEAxMNYXRoZW56LnN5bmNl
+coIJAKxhW5mQ2i8xMAwGA1UdEwQFMAMBAf8wCQYHKoZIzj0EAQNHADBEAiBY+KCi
+NMjkPod8Cx9Iufy9sfPjohEsWtjhAhLpDDgxxgIgaaKNCn7SIWYyelqyn41VMazv
+4oAZqrR8bLL/qllF0bg=
+-----END CERTIFICATE-----

libs/go/athenzutils/data/valid_email_x509.cert

@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB5zCCAZGgAwIBAgIJAJfJZq1is0dQMA0GCSqGSIb3DQEBCwUAMGIxCzAJBgNV
+BAYTAlVTMQswCQYDVQQIEwJDQTEPMA0GA1UEChMGQXRoZW56MRcwFQYDVQQLEw5U
+ZXN0aW5nIERvbWFpbjEcMBoGA1UEAxMTc3BvcnRzOnJvbGUucmVhZGVyczAeFw0x
+NzA2MDgyMjQ5MDhaFw0yNzA2MDYyMjQ5MDhaMGIxCzAJBgNVBAYTAlVTMQswCQYD
+VQQIEwJDQTEPMA0GA1UEChMGQXRoZW56MRcwFQYDVQQLEw5UZXN0aW5nIERvbWFp
+bjEcMBoGA1UEAxMTc3BvcnRzOnJvbGUucmVhZGVyczBcMA0GCSqGSIb3DQEBAQUA
+A0sAMEgCQQDmMlj3Ov0k/FEH7iK3VpgUFEp6KrCWegWNieG8/b+FJymUP5zL4lwn
+lk35Wa7SmZ6KjCn5Lo37fSdWMtoq375ZAgMBAAGjKjAoMCYGA1UdEQQfMB2BG2F0
+aGVucy56dHNAYXdzLmF0aGVuei5jbG91ZDANBgkqhkiG9w0BAQsFAANBACJ/oKfs
+6melTAC2E6iEpXpA8HRguTHNQFYiwhaYBazfXkL0zrtX2mKFT8yG2AtWw0+w9A0u
+SXShdpDmz9y2kPY=
+-----END CERTIFICATE-----

libs/go/ztsclientutil/pom.xml libs/go/athenzutils/pom.xml

@@ -0,0 +1,54 @@
+// Copyright 2018 Oath, Inc.
+// Licensed under the terms of the Apache version 2.0 license. See LICENSE file for terms.
+
+package athenzutils
+
+import (
+	"crypto/x509"
+	"fmt"
+	"strings"
+)
+
+// Return the Athenz Service principal for the given certificate which
+// could be either a service certificate or a role certificate.
+// If the certificate does not have the Athenz expected name format
+// the method will an appropriate error
+
+func ExtractServicePrincipal(x509Cert x509.Certificate) (string, error) {
+
+	// let's first get the common name of the certificate
+
+	principal := x509Cert.Subject.CommonName
+	if principal == "" {
+		return "", fmt.Errorf("certificate does not have a common name")
+	}
+
+	// check to see if we're dealing with role certificate which
+	// has the <domain>:role.<rolename> format or service
+	// certificate which has the <domain>.<service> format
+
+	if strings.Contains(principal, ":role.") {
+
+		// it's a role certificate so we're going to extract
+		// our service principal from the SAN email fieid
+		// verify that we must have only a single email
+		// field in the certificate
+
+		emails := x509Cert.EmailAddresses
+		if len(emails) != 1 {
+			return "", fmt.Errorf("certificate does not have a single email SAN value")
+		}
+
+		// athenz always verifies that we include a valid
+		// email in the certificate
+
+		idx := strings.Index(emails[0], "@")
+		if idx == -1 {
+			return "", fmt.Errorf("certificate email is invalid: %s", emails[0])
+		}
+
+		principal = emails[0][0:idx]
+	}
+
+	return principal, nil
+}

libs/go/athenzutils/principal.go

@@ -0,0 +1,66 @@
+// Copyright 2018 Oath, Inc.
+// Licensed under the terms of the Apache version 2.0 license. See LICENSE file for terms.
+
+package athenzutils
+
+import (
+	"crypto/x509"
+	"encoding/pem"
+	"io/ioutil"
+	"testing"
+)
+
+func TestExtractServicePrincipal(test *testing.T) {
+
+	x509Cert, _ := getCertFromFile("data/service_identity1.cert")
+	principal, _ := ExtractServicePrincipal(*x509Cert)
+	if principal != "athenz.production" {
+		test.Errorf("invalid principal %s from data/service_identity1.cert", principal)
+	}
+
+	x509Cert, _ = getCertFromFile("data/service_identity2.cert")
+	principal, _ = ExtractServicePrincipal(*x509Cert)
+	if principal != "athenz.syncer" {
+		test.Errorf("invalid principal %s from data/service_identity2.cert", principal)
+	}
+
+	x509Cert, _ = getCertFromFile("data/valid_email_x509.cert")
+	principal, _ = ExtractServicePrincipal(*x509Cert)
+	if principal != "athens.zts" {
+		test.Errorf("invalid principal %s from data/valid_email.cert", principal)
+	}
+
+	x509Cert, _ = getCertFromFile("data/no_cn_x509.cert")
+	principal, err := ExtractServicePrincipal(*x509Cert)
+	if err == nil {
+		test.Errorf("no error from invalid file data/no_cn_x509.cert: %s", principal)
+	}
+
+	x509Cert, _ = getCertFromFile("data/invalid_email_x509.cert")
+	principal, err = ExtractServicePrincipal(*x509Cert)
+	if err == nil {
+		test.Errorf("no error from invalid file data/invalid_email_x509.cert: %s", principal)
+	}
+
+	x509Cert, _ = getCertFromFile("data/multiple_email_x509.cert")
+	principal, err = ExtractServicePrincipal(*x509Cert)
+	if err == nil {
+		test.Errorf("no error from invalid file data/multiple_email_x509.cert: %s", principal)
+	}
+
+	x509Cert, _ = getCertFromFile("data/no_email_x509.cert")
+	principal, err = ExtractServicePrincipal(*x509Cert)
+	if err == nil {
+		test.Errorf("no error from invalid file data/no_email_x509.cert: %s", principal)
+	}
+}
+
+func getCertFromFile(certFile string) (*x509.Certificate, error) {
+	data, err := ioutil.ReadFile(certFile)
+	if err != nil {
+		return nil, err
+	}
+	var block *pem.Block
+	block, _ = pem.Decode(data)
+	return x509.ParseCertificate(block.Bytes)
+}

libs/go/athenzutils/principal_test.go

@@ -1,7 +1,7 @@
 // Copyright 2018 Yahoo Holdings, Inc.
 // Licensed under the terms of the Apache version 2.0 license. See LICENSE file for terms.
 
-package ztsclientutil
+package athenzutils
 
 import (
 	"crypto/tls"

libs/go/ztsclientutil/ztsclient.go libs/go/athenzutils/ztsclient.go

@@ -37,11 +37,6 @@
       <artifactId>libpam4j</artifactId>
       <version>1.11</version>
     </dependency>
-    <dependency>
-      <groupId>com.amazonaws</groupId>
-      <artifactId>aws-java-sdk-s3</artifactId>
-      <version>${aws.version}</version>
-    </dependency>
     <dependency>
       <groupId>javax.servlet</groupId>
       <artifactId>javax.servlet-api</artifactId>

libs/java/auth_core/pom.xml

@@ -0,0 +1,70 @@
+/*
+ * Copyright 2018 Oath Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.yahoo.athenz.auth.util;
+
+import java.security.cert.X509Certificate;
+import java.util.List;
+
+public class AthenzUtils {
+
+    /**
+     * Return the Athenz Service principal for the given certificate which
+     * could be either a service certificate or a role certificate.
+     * If the certificate does not have the Athenz expected name format
+     * the method will return null.
+     * @param x509Cert x.509 athenz service or role certificate
+     * @return service principal cn
+     */
+    public static String extractServicePrincipal(X509Certificate x509Cert) {
+
+        // let's first get the common name of the certificate
+
+        String principal = Crypto.extractX509CertCommonName(x509Cert);
+        if (principal == null) {
+            return null;
+        }
+
+        // check to see if we're dealing with role certificate which
+        // has the <domain>:role.<rolename> format or service
+        // certificate which has the <domain>.<service> format
+
+        if (principal.contains(":role.")) {
+
+            // it's a role certificate so we're going to extract
+            // our service principal from the SAN email fieid
+            // verify that we must have only a single email
+            // field in the certificate
+
+            final List<String> emails = Crypto.extractX509CertEmails(x509Cert);
+            if (emails.size() != 1) {
+                return null;
+            }
+
+            // athenz always verifies that we include a valid
+            // email in the certificate
+
+            final String email = emails.get(0);
+            int idx = email.indexOf('@');
+            if (idx == -1) {
+                return null;
+            }
+
+            principal = email.substring(0, idx);
+        }
+
+        return principal;
+    }
+}