support proxy for all go utilties (AthenZ#772)

* support proxy for all go utilties

* dependency updates with tidelift yml file

* more dependency update for tidelift warnings

.tidelift.yml

@@ -0,0 +1,9 @@
+ci:
+  tests:
+    removed: fail
+    deprecated: warn
+    unmaintained: warn
+    unlicensed: warn
+    outdated: warn
+    vulnerable: fail
+    inactive_stream: fail

clients/java/zts/core/examples/tls-support/pom.xml

@@ -27,7 +27,7 @@
   <properties>
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
     <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
-    <athenz.version>1.8.30</athenz.version>
+    <athenz.version>1.8.31</athenz.version>
   </properties>
 
   <dependencies>
@@ -44,17 +44,17 @@
     <dependency>
       <groupId>commons-cli</groupId>
       <artifactId>commons-cli</artifactId>
-      <version>1.3.1</version>
+      <version>1.4</version>
     </dependency>
     <dependency>
       <groupId>org.slf4j</groupId>
       <artifactId>slf4j-api</artifactId>
-      <version>1.7.25</version>
+      <version>1.7.28</version>
     </dependency>
     <dependency>
       <groupId>ch.qos.logback</groupId>
       <artifactId>logback-classic</artifactId>
-      <version>1.1.3</version>
+      <version>1.2.3</version>
     </dependency>
   </dependencies>
 

examples/java/centralized-use-case/client/pom.xml

@@ -27,7 +27,7 @@
   <properties>
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
     <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
-    <athenz.version>1.8.3</athenz.version>
+    <athenz.version>1.8.31</athenz.version>
   </properties>
 
   <dependencies>

examples/java/centralized-use-case/servlet/pom.xml

@@ -27,7 +27,7 @@
   <properties>
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
     <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
-    <athenz.version>1.8.3</athenz.version>
+    <athenz.version>1.8.31</athenz.version>
   </properties>
 
   <dependencies>

examples/java/instance-provider/client/pom.xml

@@ -27,9 +27,9 @@
   <properties>
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
     <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
-    <athenz.version>1.8.15</athenz.version>
+    <athenz.version>1.8.31</athenz.version>
     <jackson.version>2.9.9</jackson.version>
-    <jersey.version>2.27</jersey.version>
+    <jersey.version>2.29</jersey.version>
   </properties>
 
   <dependencies>
@@ -56,17 +56,17 @@
     <dependency>
       <groupId>io.jsonwebtoken</groupId>
       <artifactId>jjwt</artifactId>
-      <version>0.9.0</version>
+      <version>0.9.1</version>
     </dependency>
     <dependency>
       <groupId>com.fasterxml.jackson.core</groupId>
       <artifactId>jackson-annotations</artifactId>
-      <version>${jackson.version}</version>
+      <version>2.9.9</version>
     </dependency>
     <dependency>
       <groupId>com.fasterxml.jackson.core</groupId>
       <artifactId>jackson-databind</artifactId>
-      <version>${jackson.version}</version>
+      <version>2.9.9.3</version>
     </dependency>
     <dependency>
       <groupId>org.glassfish.jersey.media</groupId>

examples/java/instance-provider/provider/pom.xml

@@ -25,11 +25,10 @@
   <description>Athenz Instance Provider Example</description>
 
   <properties>
-    <jetty.version>9.4.9.v20180320</jetty.version>
-    <jersey.version>2.25.1</jersey.version>
-    <jackson.version>2.9.9</jackson.version>
-    <athenz.version>1.8.3</athenz.version>
-    <bouncycastle.version>1.60</bouncycastle.version>
+    <jetty.version>9.4.20.v20190813</jetty.version>
+    <jersey.version>2.29</jersey.version>
+    <athenz.version>1.8.31</athenz.version>
+    <bouncycastle.version>1.62</bouncycastle.version>
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
     <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
   </properties>
@@ -53,7 +52,7 @@
     <dependency>
       <groupId>com.yahoo.rdl</groupId>
       <artifactId>rdl-java</artifactId>
-      <version>1.5.1</version>
+      <version>1.5.2</version>
       <exclusions>
         <exclusion>
           <groupId>com.fasterxml.jackson.core</groupId>
@@ -72,7 +71,7 @@
     <dependency>
       <groupId>org.slf4j</groupId>
       <artifactId>slf4j-api</artifactId>
-      <version>1.7.25</version>
+      <version>1.7.28</version>
     </dependency>
     <dependency>
       <groupId>org.eclipse.jetty</groupId>
@@ -143,17 +142,17 @@
     <dependency>
       <groupId>com.fasterxml.jackson.core</groupId>
       <artifactId>jackson-annotations</artifactId>
-      <version>${jackson.version}</version>
+      <version>2.9.9</version>
     </dependency>
     <dependency>
       <groupId>com.fasterxml.jackson.core</groupId>
       <artifactId>jackson-databind</artifactId>
-      <version>${jackson.version}</version>
+      <version>2.9.9.3</version>
     </dependency>
     <dependency>
       <groupId>io.jsonwebtoken</groupId>
       <artifactId>jjwt</artifactId>
-      <version>0.9.0</version>
+      <version>0.9.1</version>
     </dependency>
   </dependencies>
 

examples/java/instance-provider/provider/src/main/java/com/yahoo/athenz/example/instance/provider/InstanceProviderContainer.java

@@ -26,7 +26,7 @@
 import org.eclipse.jetty.servlet.ServletHolder;
 import org.eclipse.jetty.util.ssl.SslContextFactory;
 import org.eclipse.jetty.util.thread.QueuedThreadPool;
-import org.glassfish.hk2.utilities.binding.AbstractBinder;
+import org.glassfish.jersey.internal.inject.AbstractBinder;
 import org.glassfish.jersey.server.ResourceConfig;
 import org.glassfish.jersey.servlet.ServletContainer;
 

libs/java/cert_refresher/examples/tls-support/pom.xml

@@ -27,7 +27,7 @@
   <properties>
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
     <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
-    <athenz.version>1.7.33</athenz.version>
+    <athenz.version>1.8.31</athenz.version>
   </properties>
 
   <dependencies>
@@ -39,12 +39,12 @@
     <dependency>
       <groupId>commons-cli</groupId>
       <artifactId>commons-cli</artifactId>
-      <version>1.3.1</version>
+      <version>1.4</version>
     </dependency>
     <dependency>
       <groupId>ch.qos.logback</groupId>
       <artifactId>logback-classic</artifactId>
-      <version>1.1.3</version>
+      <version>1.2.3</version>
     </dependency>
   </dependencies>
 

utils/athenz-conf/athenz-conf.go

@@ -302,6 +302,7 @@ func getHttpTransport(socksProxy, keyFile, certFile, caCertFile *string, skipVer
 		if skipVerify {
 			config.InsecureSkipVerify = skipVerify
 		}
+		tr.Proxy = http.ProxyFromEnvironment
 		tr.TLSClientConfig = config
 	}
 	return &tr

utils/zts-accesstoken/zts-accesstoken.go

@@ -36,7 +36,7 @@ func main() {
 	flag.StringVar(&ztsURL, "zts", "", "url of the ZTS Service")
 	flag.StringVar(&hdr, "hdr", "Athenz-Principal-Auth", "Header name")
 	flag.IntVar(&expireTime, "expire-time", 120, "token expire time in minutes")
-	flag.BoolVar(&proxy, "proxy", false, "enable proxy mode for request")
+	flag.BoolVar(&proxy, "proxy", true, "enable proxy mode for request")
 	flag.Parse()
 
 	fetchAccessToken(domain, service, roles, ztsURL, svcKeyFile, svcCertFile, ntokenFile, hdr, proxy, expireTime)

utils/zts-rolecert/zts-rolecert.go

@@ -7,7 +7,6 @@ import (
 	"bytes"
 	"crypto"
 	"crypto/rand"
-	"crypto/tls"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/pem"
@@ -16,11 +15,11 @@ import (
 	"io/ioutil"
 	"log"
 	"net"
-	"net/http"
 	"net/url"
 	"strings"
 
 	"github.com/yahoo/athenz/clients/go/zts"
+	"github.com/yahoo/athenz/libs/go/athenzutils"
 )
 
 type signer struct {
@@ -33,7 +32,7 @@ func main() {
 	var ztsURL, svcKeyFile, svcCertFile, roleKeyFile, dom, svc string
 	var caCertFile, roleCertFile, roleDomain, roleName, dnsDomain string
 	var subjC, subjO, subjOU, ip, uri string
-	var spiffe, csr bool
+	var spiffe, csr, proxy bool
 	var expiryTime int
 
 	flag.StringVar(&roleKeyFile, "role-key-file", "", "role cert private key file (default: service identity private key)")
@@ -54,6 +53,7 @@ func main() {
 	flag.BoolVar(&spiffe, "spiffe", false, "include spiffe uri in csr")
 	flag.BoolVar(&csr, "csr", false, "request csr only")
 	flag.IntVar(&expiryTime, "expiry-time", 0, "expiry time in minutes")
+	flag.BoolVar(&proxy, "proxy", true, "enable proxy mode for request")
 
 	flag.Parse()
 
@@ -116,7 +116,7 @@ func main() {
 		return
 	}
 
-	client, err := ztsClient(ztsURL, svcKeyFile, svcCertFile, caCertFile)
+	client, err := athenzutils.ZtsClient(ztsURL, svcKeyFile, svcCertFile, caCertFile, proxy)
 	if err != nil {
 		log.Fatalf("Unable to initialize ZTS Client for %s, err: %v\n", ztsURL, err)
 	}
@@ -197,83 +197,6 @@ func getRoleCertificate(client *zts.ZTSClient, csr, roleDomain, roleName, roleCe
 	}
 }
 
-func ztsClient(ztsURL, keyFile, certFile, caFile string) (*zts.ZTSClient, error) {
-	config, err := tlsConfiguration(keyFile, certFile, caFile)
-	if err != nil {
-		return nil, err
-	}
-	tr := &http.Transport{
-		TLSClientConfig: config,
-	}
-	client := zts.NewClient(ztsURL, tr)
-	return &client, nil
-}
-
-func tlsConfiguration(keyFile, certFile, caFile string) (*tls.Config, error) {
-	var capem []byte
-	var err error
-	if caFile != "" {
-		capem, err = ioutil.ReadFile(caFile)
-		if err != nil {
-			return nil, err
-		}
-	}
-	var keypem []byte
-	var certpem []byte
-	if keyFile != "" && certFile != "" {
-		keypem, err = ioutil.ReadFile(keyFile)
-		if err != nil {
-			return nil, err
-		}
-		certpem, err = ioutil.ReadFile(certFile)
-		if err != nil {
-			return nil, err
-		}
-	}
-	return tlsConfigurationFromPEM(keypem, certpem, capem)
-}
-
-func tlsConfigurationFromPEM(keypem, certpem, capem []byte) (*tls.Config, error) {
-	config := &tls.Config{}
-
-	certPool := x509.NewCertPool()
-	if capem != nil {
-		if !certPool.AppendCertsFromPEM(capem) {
-			return nil, fmt.Errorf("Failed to append certs to pool")
-		}
-		config.RootCAs = certPool
-	}
-
-	if certpem != nil && keypem != nil {
-		mycert, err := tls.X509KeyPair(certpem, keypem)
-		if err != nil {
-			return nil, err
-		}
-		config.Certificates = make([]tls.Certificate, 1)
-		config.Certificates[0] = mycert
-
-		config.ClientCAs = certPool
-		config.ClientAuth = tls.VerifyClientCertIfGiven
-	}
-
-	//Use only modern ciphers
-	config.CipherSuites = []uint16{tls.TLS_RSA_WITH_AES_128_CBC_SHA,
-		tls.TLS_RSA_WITH_AES_256_CBC_SHA,
-		tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
-		tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
-		tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
-		tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
-		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-		tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}
-
-	//Use only TLS v1.2
-	config.MinVersion = tls.VersionTLS12
-
-	//Don't allow session resumption
-	config.SessionTicketsDisabled = true
-	return config, nil
-}
-
 func newSigner(privateKeyPEM []byte) (*signer, error) {
 	block, _ := pem.Decode(privateKeyPEM)
 	if block == nil {

utils/zts-roletoken/zts-roletoken.go

@@ -40,7 +40,7 @@ func main() {
 	flag.StringVar(&ztsURL, "zts", "", "url of the ZTS Service")
 	flag.StringVar(&hdr, "hdr", "Athenz-Principal-Auth", "Header name")
 	flag.IntVar(&expireTime, "expire-time", 120, "token expire time in minutes")
-	flag.BoolVar(&proxy, "proxy", false, "enable proxy mode for request")
+	flag.BoolVar(&proxy, "proxy", true, "enable proxy mode for request")
 	flag.BoolVar(&validate, "validate", false, "validate role token")
 	flag.StringVar(&roleToken, "role-token", "", "role token to validate")
 	flag.StringVar(&conf, "conf", "/home/athenz/conf/athenz.conf", "path to configuration file with public keys")