local athenz start and stop scripts (AthenZ#1165)

* local athenz start and stop scripts


Co-authored-by: Abhijeet V <[email protected]>

docker/Makefile

@@ -58,17 +58,17 @@ deploy-dev:
 
 deploy-local:
 	# generate self-signed certificates
-	docker run --rm -t -v "$(BASE_DIR):/athenz" --user "$(shell id -u):$(shell id -g)" abvaidya/athenz-setup-env:1.9.22 sh /athenz/docker/setup-scripts/self-signed-certificates.sh
+	docker run --rm -t -v "$(BASE_DIR):/athenz" --user "$(shell id -u):$(shell id -g)" athenz/athenz-setup-env:1.9.22 sh /athenz/docker/setup-scripts/self-signed-certificates.sh
 	# ZMS
-	docker run --rm -t -v "$(BASE_DIR):/athenz" --user "$(shell id -u):$(shell id -g)" abvaidya/athenz-setup-env:1.9.22 sh /athenz/docker/setup-scripts/zms-auto-config.sh
+	docker run --rm -t -v "$(BASE_DIR):/athenz" --user "$(shell id -u):$(shell id -g)" athenz/athenz-setup-env:1.9.22 sh /athenz/docker/setup-scripts/zms-auto-config.sh
 	sh "./deploy-scripts/zms-deploy-local.sh"
-	docker run --rm -t --network="$(DOCKER_NETWORK)" -v "$(BASE_DIR):/athenz" --user "$(shell id -u):$(shell id -g)" abvaidya/athenz-setup-env:1.9.22 sh /athenz/docker/deploy-scripts/zms-debug.sh
+	docker run --rm -t --network="$(DOCKER_NETWORK)" -v "$(BASE_DIR):/athenz" --user "$(shell id -u):$(shell id -g)" athenz/athenz-setup-env:1.9.22 sh /athenz/docker/deploy-scripts/zms-debug.sh
 	# ZTS
-	docker run --rm -t --network="$(DOCKER_NETWORK)" -v "$(BASE_DIR):/athenz" --user "$(shell id -u):$(shell id -g)" abvaidya/athenz-setup-env:1.9.22 sh /athenz/docker/setup-scripts/zts-auto-config.sh
+	docker run --rm -t --network="$(DOCKER_NETWORK)" -v "$(BASE_DIR):/athenz" --user "$(shell id -u):$(shell id -g)" athenz/athenz-setup-env:1.9.22 sh /athenz/docker/setup-scripts/zts-auto-config.sh
 	sh "./deploy-scripts/zts-deploy-local.sh"
-	docker run --rm -t --network="$(DOCKER_NETWORK)" -v "$(BASE_DIR):/athenz" --user "$(shell id -u):$(shell id -g)" abvaidya/athenz-setup-env:1.9.22 sh /athenz/docker/deploy-scripts/zts-debug.sh
+	docker run --rm -t --network="$(DOCKER_NETWORK)" -v "$(BASE_DIR):/athenz" --user "$(shell id -u):$(shell id -g)" athenz/athenz-setup-env:1.9.22 sh /athenz/docker/deploy-scripts/zts-debug.sh
 	# UI
-	docker run --rm -t --network="$(DOCKER_NETWORK)" -v "$(BASE_DIR):/athenz" --user "$(shell id -u):$(shell id -g)" abvaidya/athenz-setup-env:1.9.22 sh /athenz/docker/setup-scripts/ui-auto-config.sh
+	docker run --rm -t --network="$(DOCKER_NETWORK)" -v "$(BASE_DIR):/athenz" --user "$(shell id -u):$(shell id -g)" athenz/athenz-setup-env:1.9.22 sh /athenz/docker/setup-scripts/ui-auto-config.sh
 	sh "./deploy-scripts/ui-deploy-local.sh"
 
 
@@ -77,8 +77,8 @@ verify:
 	docker run --rm -t --network="$(DOCKER_NETWORK)" -v "$(BASE_DIR):/athenz" --user "$(shell id -u):$(shell id -g)" athenz-setup-env sh /athenz/docker/deploy-scripts/zts-verify.sh
 
 verify-local:
-	docker run --rm -t --network="$(DOCKER_NETWORK)" -v "$(BASE_DIR):/athenz" --user "$(shell id -u):$(shell id -g)" abvaidya/athenz-setup-env:1.9.22 sh /athenz/docker/deploy-scripts/zms-verify.sh
-	docker run --rm -t --network="$(DOCKER_NETWORK)" -v "$(BASE_DIR):/athenz" --user "$(shell id -u):$(shell id -g)" abvaidya/athenz-setup-env:1.9.22 sh /athenz/docker/deploy-scripts/zts-verify.sh
+	docker run --rm -t --network="$(DOCKER_NETWORK)" -v "$(BASE_DIR):/athenz" --user "$(shell id -u):$(shell id -g)" athenz/athenz-setup-env:1.9.22 sh /athenz/docker/deploy-scripts/zms-verify.sh
+	docker run --rm -t --network="$(DOCKER_NETWORK)" -v "$(BASE_DIR):/athenz" --user "$(shell id -u):$(shell id -g)" athenz/athenz-setup-env:1.9.22 sh /athenz/docker/deploy-scripts/zts-verify.sh
 
 CONTAINERS := $(shell docker ps -aq --filter 'label=org.label-schema.url=https://www.athenz.io/')
 remove-all: remove-containers remove-networks remove-files reset-repo
@@ -110,3 +110,11 @@ clean: remove-all
 	docker image rm athenz-conf || true
 	docker image rm athenz-setup-env || true
 	docker image rm rdl-athenz-java-model || true
+
+remove-local-images:
+	docker image rm athenz/athenz-setup-env:1.9.22 || true
+	docker image rm athenz/athenz-zms-db:1.9.22 || true
+	docker image rm athenz/athenz-zms-server:1.9.22 || true
+	docker image rm athenz/athenz-zts-db:1.9.22 || true
+	docker image rm athenz/athenz-zts-server:1.9.22 || true
+	docker image rm athenz/athenz-ui:1.9.22 || true

docker/deploy-scripts/ui-deploy-local.sh

@@ -52,12 +52,12 @@ docker run -d -h "${UI_HOST}" \
     -e "PORT=${UI_CONTAINER_PORT}" \
     -e "UI_CONF_PATH=/opt/athenz/ui/conf/ui_server" \
     -e "ZMS_SERVER_URL=https://${ZMS_HOST}:${ZMS_PORT}/zms/v1/" \
-    --name "${UI_HOST}" abvaidya/athenz-ui:1.9.22
+    --name "${UI_HOST}" athenz/athenz-ui:1.9.22
 # wait for UI to be ready
 until docker run --rm --entrypoint curl \
     --network="${DOCKER_NETWORK}" \
     --user "$(id -u):$(id -g)" \
-    --name athenz-curl abvaidya/athenz-setup-env:1.9.22 \
+    --name athenz-curl athenz/athenz-setup-env:1.9.22 \
     -k --silent --fail --show-error --output /dev/null "https://${UI_HOST}:${UI_CONTAINER_PORT}/status" \
     ; do
     echo 'UI is unavailable - will sleep 3s...'

docker/deploy-scripts/zms-deploy-local.sh

@@ -55,7 +55,7 @@ docker run -d -h "${ZMS_DB_HOST}" \
     --user mysql:mysql \
     -v "${DOCKER_DIR}/db/zms/zms-db.cnf:/etc/mysql/conf.d/zms-db.cnf" \
     -e "MYSQL_ROOT_PASSWORD=${ZMS_DB_ROOT_PASS}" \
-    --name "${ZMS_DB_HOST}" abvaidya/athenz-zms-db:1.9.22
+    --name "${ZMS_DB_HOST}" athenz/athenz-zms-db:1.9.22
 # wait for ZMS DB to be ready
 docker run --rm \
     --network="${DOCKER_NETWORK}" \
@@ -64,7 +64,7 @@ docker run --rm \
     -v "${DOCKER_DIR}/db/zms/zms-db.cnf:/etc/my.cnf" \
     -e "MYSQL_PWD=${ZMS_DB_ROOT_PASS}" \
     --entrypoint '/bin/wait-for-mysql.sh' \
-    --name wait-for-mysql abvaidya/athenz-zms-db:1.9.22 \
+    --name wait-for-mysql athenz/athenz-zms-db:1.9.22 \
     --user='root' \
     --host="${ZMS_DB_HOST}" \
     --port=3306
@@ -92,7 +92,7 @@ docker run -d -h "${ZMS_HOST}" \
     -p "${ZMS_PORT}:${ZMS_PORT}" \
     --dns="${DOCKER_DNS}" \
     --network="${DOCKER_NETWORK}" \
-    --user "athenz:shadow" \
+    --user "$(id -u):$(id -g)" \
     -v "${DOCKER_DIR}/zms/var:/opt/athenz/zms/var" \
     -v "${DOCKER_DIR}/zms/conf:/opt/athenz/zms/conf/zms_server" \
     -v "${DOCKER_DIR}/logs/zms:/opt/athenz/zms/logs/zms_server" \
@@ -103,12 +103,12 @@ docker run -d -h "${ZMS_HOST}" \
     -e "ZMS_KEYSTORE_PASS=${ZMS_KEYSTORE_PASS}" \
     -e "ZMS_TRUSTSTORE_PASS=${ZMS_TRUSTSTORE_PASS}" \
     -e "ZMS_PORT=${ZMS_PORT}" \
-    --name "${ZMS_HOST}" abvaidya/athenz-zms-server:1.9.22
+    --name "${ZMS_HOST}" athenz/athenz-zms-server:1.9.22
 # wait for ZMS to be ready
 until docker run --rm --entrypoint curl \
     --network="${DOCKER_NETWORK}" \
     --user "$(id -u):$(id -g)" \
-    --name athenz-curl abvaidya/athenz-setup-env:1.9.22 \
+    --name athenz-curl athenz/athenz-setup-env:1.9.22 \
     -k --silent --fail --show-error --output /dev/null "https://${ZMS_HOST}:${ZMS_PORT}/zms/v1/status" \
     ; do
     echo 'ZMS is unavailable - will sleep 3s...'

docker/deploy-scripts/zts-deploy-local.sh

@@ -55,7 +55,7 @@ docker run -d -h "${ZTS_DB_HOST}" \
     --user mysql:mysql \
     -v "${DOCKER_DIR}/db/zts/zts-db.cnf:/etc/mysql/conf.d/zts-db.cnf" \
     -e "MYSQL_ROOT_PASSWORD=${ZTS_DB_ROOT_PASS}" \
-    --name "${ZTS_DB_HOST}" abvaidya/athenz-zts-db:1.9.22
+    --name "${ZTS_DB_HOST}" athenz/athenz-zts-db:1.9.22
 # wait for ZTS DB to be ready
 docker run --rm \
     --network="${DOCKER_NETWORK}" \
@@ -64,7 +64,7 @@ docker run --rm \
     -v "${DOCKER_DIR}/db/zts/zts-db.cnf:/etc/my.cnf" \
     -e "MYSQL_PWD=${ZTS_DB_ROOT_PASS}" \
     --entrypoint '/bin/wait-for-mysql.sh' \
-    --name wait-for-mysql abvaidya/athenz-zts-db:1.9.22 \
+    --name wait-for-mysql athenz/athenz-zts-db:1.9.22 \
     --user='root' \
     --host="${ZTS_DB_HOST}" \
     --port=3306
@@ -106,12 +106,12 @@ docker run -d -h "${ZTS_HOST}" \
     -e "ZMS_CLIENT_KEYSTORE_PASS=${ZMS_CLIENT_KEYSTORE_PASS}" \
     -e "ZMS_CLIENT_TRUSTSTORE_PASS=${ZMS_CLIENT_TRUSTSTORE_PASS}" \
     -e "ZTS_PORT=${ZTS_PORT}" \
-    --name "${ZTS_HOST}" abvaidya/athenz-zts-server:1.9.22
+    --name "${ZTS_HOST}" athenz/athenz-zts-server:1.9.22
 # wait for ZTS to be ready
 until docker run --rm --entrypoint curl \
     --network="${DOCKER_NETWORK}" \
     --user "$(id -u):$(id -g)" \
-    --name athenz-curl abvaidya/athenz-setup-env:1.9.22 \
+    --name athenz-curl athenz/athenz-setup-env:1.9.22 \
     -k --silent --fail --show-error --output /dev/null "https://${ZTS_HOST}:${ZTS_PORT}/zts/v1/status" \
     ; do
     echo 'ZTS is unavailable - will sleep 3s...'

docker/sample/CAs/create-self-signed-ca.sh

@@ -31,6 +31,9 @@ CN='Sample Self Signed Service CA' \
   -keyout "${DEV_SERVICE_CA_KEY_PATH}" \
   -out "${DEV_SERVICE_CA_PATH}" 2> /dev/null
 
+# convert pem cert to der format so that it can be imported into OS ( optional step )
+openssl x509 -outform der -in "${DEV_ATHENZ_CA_PATH}" -out "${DEV_ATHENZ_CA_DER_PATH}"
+
 # print result
 cat <<EOF
 

docker/sample/domain-admin/create-self-signed-user-cert.sh

@@ -14,7 +14,7 @@ CN="${DEV_DOMAIN_ADMIN}" openssl req -nodes \
   -keyout "${DEV_DOMAIN_ADMIN_CERT_KEY_PATH}" \
   -out "${DEV_DOMAIN_ADMIN_CSR_PATH}" 2> /dev/null
 # sign request
-openssl x509 -req -days 3650 \
+openssl x509 -req -days 30 \
   -in "${DEV_DOMAIN_ADMIN_CSR_PATH}" \
   -CA "${DEV_USER_CA_PATH}" \
   -CAkey "${DEV_USER_CA_KEY_PATH}" \

docker/sample/env.dev.sh

@@ -17,6 +17,7 @@ export DEV_USER_CA_KEY_PATH="${DEV_CA_DIR}/user_ca.pem"
 export DEV_USER_CA_PATH="${DEV_CA_DIR}/user_ca.pem"
 export DEV_SERVICE_CA_KEY_PATH="${DEV_CA_DIR}/service_ca.pem"
 export DEV_SERVICE_CA_PATH="${DEV_CA_DIR}/service_ca.pem"
+export DEV_ATHENZ_CA_DER_PATH="${DEV_CA_DIR}/athenz_ca.der"
 
 ### ----------------------------------------------------------------
 ### domain admin

docker/sample/ui/create-self-signed-certs.sh

@@ -17,7 +17,7 @@ CN='Sample Self Signed UI' SAN="${UI_HOST}" openssl req -nodes \
   -keyout "${DEV_UI_CERT_KEY_PATH}" \
   -out "${DEV_UI_CSR_PATH}" 2> /dev/null
 # sign request
-SAN="${UI_HOST}" openssl x509 -req -days 3650 \
+SAN="${UI_HOST}" openssl x509 -req -days 364 \
   -in "${DEV_UI_CSR_PATH}" \
   -CA "${DEV_ATHENZ_CA_PATH}" \
   -CAkey "${DEV_ATHENZ_CA_KEY_PATH}" \

docker/sample/zms/create-self-signed-certs.sh

@@ -15,7 +15,7 @@ CN='Sample Self Signed ZMS' SAN="${ZMS_HOST}" openssl req -nodes \
   -keyout "${DEV_ZMS_CERT_KEY_PATH}" \
   -out "${DEV_ZMS_CSR_PATH}" 2> /dev/null
 # sign request
-SAN="${ZMS_HOST}" openssl x509 -req -days 3650 \
+SAN="${ZMS_HOST}" openssl x509 -req -days 364 \
   -in "${DEV_ZMS_CSR_PATH}" \
   -CA "${DEV_ATHENZ_CA_PATH}" \
   -CAkey "${DEV_ATHENZ_CA_KEY_PATH}" \

docker/sample/zts/create-self-signed-certs.sh

@@ -17,7 +17,7 @@ CN='Sample Self Signed ZTS' SAN="${ZTS_HOST}" openssl req -nodes \
   -keyout "${DEV_ZTS_CERT_KEY_PATH}" \
   -out "${DEV_ZTS_CSR_PATH}" 2> /dev/null
 # sign request
-SAN="${ZTS_HOST}" openssl x509 -req -days 3650 \
+SAN="${ZTS_HOST}" openssl x509 -req -days 364 \
   -in "${DEV_ZTS_CSR_PATH}" \
   -CA "${DEV_ATHENZ_CA_PATH}" \
   -CAkey "${DEV_ATHENZ_CA_KEY_PATH}" \

docker/setup-scripts/zms-auto-config.sh

@@ -75,13 +75,15 @@ echo '6. config the Athenz domain admin' | colored_cat g
 echo "your setting: DOMAIN_ADMIN=${DOMAIN_ADMIN}" | colored_cat y
 sed -i "s/user\.github-.*$/${DOMAIN_ADMIN}/g" "${ZMS_CONF_DIR}/zms.properties"
 
-echo '7. summary' | colored_cat g
+echo '7. configure the necessary user authorities to work in local / test environment.' | colored_cat g
+sed -i "s/athenz\.zms\.authority_classes=/athenz\.zms\.authority_classes=com\.yahoo\.athenz\.auth\.impl\.PrincipalAuthority,com\.yahoo\.athenz\.auth\.impl\.TestUserAuthority,/g" "${ZMS_CONF_DIR}/zms.properties"
+
+echo '8. summary' | colored_cat g
 tree "${CA_DIR}"
 tree "${PROD_ZMS_DIR}"
 tree "${ZMS_DIR}"
 
 
-
 ### ----------------------------------------------------------------
 echo ''
 echo '# Get Athenz domain admin user certificate for accessing ZMS' | colored_cat r

docker/zms/Dockerfile

@@ -18,10 +18,6 @@ LABEL org.label-schema.vcs-ref=$VCS_REF
 ARG GID=1001
 ARG UID=10001
 
-RUN apk update && apk add linux-pam
-
-RUN adduser -S -H -u 10002 uiuser && passwd -u uiuser << Athenz123#
-
 # add athenz user
 RUN addgroup -g ${GID} athenz && \
   adduser -S -D -H -s /sbin/nologin -u ${UID} -G athenz athenz

docker/zms/conf/zms.properties

@@ -9,7 +9,7 @@
 
 # Comma separated list of authority implementation classes to support
 # authenticating principals in ZMS
-athenz.zms.authority_classes=com.yahoo.athenz.auth.impl.PrincipalAuthority,com.yahoo.athenz.auth.impl.UserAuthority,com.yahoo.athenz.auth.oauth.OAuthCertBoundJwtAccessTokenAuthority,com.yahoo.athenz.auth.impl.CertificateAuthority
+athenz.zms.authority_classes=com.yahoo.athenz.auth.oauth.OAuthCertBoundJwtAccessTokenAuthority,com.yahoo.athenz.auth.impl.CertificateAuthority
 
 # Principal Authority class. If defined and the caller asks for the header
 # name for the getUserToken api, the header from this authority will be

libs/java/auth_core/pom.xml

@@ -73,6 +73,12 @@
       <version>${jjwt.version}</version>
       <scope>runtime</scope>
     </dependency>
+    <dependency>
+      <groupId>org.mockito</groupId>
+      <artifactId>mockito-inline</artifactId>
+      <version>${mockito.version}</version>
+      <scope>test</scope>
+    </dependency>
   </dependencies>
 
   <build>

libs/java/auth_core/src/main/java/com/yahoo/athenz/auth/impl/TestUserAuthority.java

@@ -0,0 +1,140 @@
+/*
+ * Copyright 2020 Verizon Media
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.yahoo.athenz.auth.impl;
+
+import com.yahoo.athenz.auth.Authority;
+import com.yahoo.athenz.auth.Principal;
+import org.bouncycastle.util.encoders.Base64;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.nio.charset.StandardCharsets;
+
+/**
+ * Implementation to be used by local testing purposes.
+ * NOT RECOMMENDED to be used in production
+ */
+public class TestUserAuthority implements Authority {
+
+    private static final Logger LOG = LoggerFactory.getLogger(TestUserAuthority.class);
+    public static final String ATHENZ_AUTH_CHALLENGE = "Basic realm=\"athenz\"";
+
+    @Override
+    public void initialize() {
+    }
+
+    @Override
+    public String getID() {
+        return "Auth-TESTUSER";
+    }
+
+    @Override
+    public String getDomain() {
+        return "user";
+    }
+
+    @Override
+    public String getHeader() {
+        return "Authorization";
+    }
+
+    @Override
+    public String getAuthenticateChallenge() {
+        return ATHENZ_AUTH_CHALLENGE;
+    }
+
+    /*
+     * we don't want the user to keep specifying their username and
+     * password as part of the request. instead, the user must first
+     * request a usertoken and then use that usertoken for all other
+     * requests against ZMS and ZTS servers.
+     * @see com.yahoo.athenz.auth.Authority#allowAuthorization()
+     */
+    @Override
+    public boolean allowAuthorization() {
+        return false;
+    }
+
+    @Override
+    public Principal authenticate(String creds, String remoteAddr, String httpMethod, StringBuilder errMsg) {
+        errMsg = errMsg == null ? new StringBuilder(512) : errMsg;
+
+        // the HTTP Basic authorization format is: Basic base64(<username>:<password>)
+
+        if (!creds.startsWith("Basic ")) {
+            errMsg.append("UserAuthority:authenticate: credentials do not start with 'Basic '");
+            LOG.error(errMsg.toString());
+            return null;
+        }
+
+        final String encodedPassword = creds.substring(6);
+        if (encodedPassword.isEmpty()) {
+            errMsg.append("TestUserAuthority:authenticate: no credentials after 'Basic '");
+            LOG.error(errMsg.toString());
+            return null;
+        }
+
+        // decode - need to skip the first 6 bytes for 'Basic '
+
+        String decodedCreds;
+        try {
+            decodedCreds = new String(Base64.decode(encodedPassword.getBytes(StandardCharsets.UTF_8)));
+        } catch (Exception e) {
+            errMsg.append("UserAuthority:authenticate: factory exc=").append(e.getMessage());
+            LOG.error(errMsg.toString());
+            return null;
+        }
+
+        int idx = decodedCreds.indexOf(':');
+        if (idx == -1) {
+            errMsg.append("TestUserAuthority: authenticate: no password specified");
+            LOG.error(errMsg.toString());
+            return null;
+        }
+
+        final String username = decodedCreds.substring(0, idx);
+        final String password = decodedCreds.substring(idx + 1);
+
+        // just a simple check to make sure username and password match
+        if (!username.equals(password)) {
+            LOG.error("TestUserAuthority:authenticate: failed: username and password do not match");
+            return null;
+        }
+
+        if (LOG.isDebugEnabled()) {
+            LOG.debug("TestUserAuthority.authenticate: valid user={}", username);
+        }
+
+        // all the role members in Athenz are normalized to lower case so we need to make
+        // sure our principal's name and domain are created with lower case as well
+
+        long issueTime = 0;
+        SimplePrincipal princ = getSimplePrincipal(username.toLowerCase(), creds, issueTime);
+        if (princ == null) {
+            errMsg.append("TestUserAuthority:authenticate: failed to create principal: user=")
+                .append(username);
+            LOG.error(errMsg.toString());
+            return null;
+        }
+        princ.setUnsignedCreds(username);
+        return princ;
+    }
+
+    SimplePrincipal getSimplePrincipal(String name, String creds, long issueTime) {
+        return (SimplePrincipal) SimplePrincipal.create(getDomain(),
+                name, creds, issueTime, this);
+    }
+}