Can be useful for testing everything compiles & building.

WARNING: this does not work yet, but I am no jdbc/flyaway expert so idk

I figured I would open and if you want it you can help me fix, but if not just close this no worries :)

I think the problem is, the model pom.xml is trying to create a database then use it.

Failing in the container with:

[INFO] ------------------------------------------------------------------------
[INFO] Reactor Summary:
[INFO] 
[INFO] Keywhiz (Parent) ................................... SUCCESS [  7.557 s]
[INFO] Keywhiz Testing .................................... SUCCESS [  8.528 s]
[INFO] Keywhiz API ........................................ SUCCESS [  2.565 s]
[INFO] Keywhiz Client ..................................... SUCCESS [  0.443 s]
[INFO] Keywhiz CLI ........................................ SUCCESS [  6.017 s]
[INFO] Keywhiz HKDF ....................................... SUCCESS [  0.443 s]
[INFO] Keywhiz Model ...................................... FAILURE [  1.460 s]
[INFO] Keywhiz Server ..................................... SKIPPED
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 27.591 s
[INFO] Finished at: 2015-04-28T19:21:04+00:00
[INFO] Final Memory: 41M/707M
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.flywaydb:flyway-maven-plugin:3.2:migrate (default) on project keywhiz-model: org.flywaydb.core.api.FlywayException: Unable to obtain Jdbc connection from DataSource (jdbc:postgresql:keywhizdb_test) for user 'root': Connection refused. Check that the hostname and port are correct and that the postmaster is accepting TCP/IP connections. -> [Help 1]
[ERROR] 

Let me know if you want the full stack trace. But it's probably just some java thing I don't know.

Keywhiz server and CLI compile fine, and I can log in to the webui with both a user from the development sample SQL and a user I added my self in the database. However I can't seem to use keywhiz.cli to log in.

danny@MacBook-Pro ~/src/keywhiz ±master » ./cli/target/keywhiz-cli-*-SNAPSHOT-shaded.jar -U https://localhost:4444/ login      130 ↵
password for 'danny':
Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1917)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:301)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:295)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1369)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:156)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:925)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:860)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1043)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1343)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1371)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1355)
    at com.squareup.okhttp.Connection.upgradeToTls(Connection.java:241)
    at com.squareup.okhttp.Connection.connect(Connection.java:158)
    at com.squareup.okhttp.Connection.connectAndSetOwner(Connection.java:174)
    at com.squareup.okhttp.OkHttpClient$1.connectAndSetOwner(OkHttpClient.java:120)
    at com.squareup.okhttp.internal.http.RouteSelector.next(RouteSelector.java:131)
    at com.squareup.okhttp.internal.http.HttpEngine.connect(HttpEngine.java:312)
    at com.squareup.okhttp.internal.http.HttpEngine.sendRequest(HttpEngine.java:235)
    at com.squareup.okhttp.Call.getResponse(Call.java:262)
    at com.squareup.okhttp.Call$ApplicationInterceptorChain.proceed(Call.java:219)
    at com.squareup.okhttp.Call.getResponseWithInterceptorChain(Call.java:192)
    at com.squareup.okhttp.Call.execute(Call.java:79)
    at keywhiz.client.KeywhizClient.httpPost(KeywhizClient.java:272)
    at keywhiz.client.KeywhizClient.login(KeywhizClient.java:111)
    at keywhiz.cli.CommandExecutor.executeCommand(CommandExecutor.java:121)
    at keywhiz.cli.CliMain.main(CliMain.java:68)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1351)
    ... 22 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
    ... 28 more

This is a 100% stock server with just the development user and my "danny" user added. I'm assuming this is because the certificate i'm testing with it not actually signed by a trusted root CA?

It also seems there is little-to-no documentation around actually adding your own CA to the server. I believe this would live in "derivation.jceks" but i'm not sure.

Any guidance as to how one would actually use keywhiz in production would be greatly appreciated. I'm working on secrets management right now, and keywhiz seems to be the 'answer' to that if I can make it work in production.

Hi, I want to consume a secret from java api.when i try to consume it from RestClient then i am getting reply as unauthorized.

Can you help how to do it.

I was able to compile the latest version of Keywhiz 0.10.2 successfully.

But when I try to run it, I got an error: "java.lang.NoClassDefFoundError: org/bouncycastle/jce/provider/BouncyCastleProvider"

Do you know why that happen and how to fix it?

$ java -javaagent:/opt/jolokia-jvm-1.3.6-agent.jar -jar /opt/keywhiz-server-0.10.2-SNAPSHOT-shaded.jar server /opt/keywhiz-master/server/target/classes/keywhiz-stg.yml I> No access restrictor found, access to any MBean is allowed Jolokia: Agent started with URL http://127.0.0.1:8778/jolokia/ java.lang.NoClassDefFoundError: org/bouncycastle/jce/provider/BouncyCastleProvider at keywhiz.ServiceModule.configure(ServiceModule.java:63) at com.google.inject.AbstractModule.configure(AbstractModule.java:61) at com.google.inject.spi.Elements$RecordingBinder.install(Elements.java:344) at com.google.inject.spi.Elements.getElements(Elements.java:103) at com.google.inject.internal.InjectorShell$Builder.build(InjectorShell.java:137) at com.google.inject.internal.InternalInjectorCreator.build(InternalInjectorCreator.java:103) at com.google.inject.Guice.createInjector(Guice.java:87) at com.google.inject.Guice.createInjector(Guice.java:69) at com.google.inject.Guice.createInjector(Guice.java:59) at keywhiz.KeywhizService.run(KeywhizService.java:114) at keywhiz.KeywhizService.run(KeywhizService.java:71) at io.dropwizard.cli.EnvironmentCommand.run(EnvironmentCommand.java:43) at io.dropwizard.cli.ConfiguredCommand.run(ConfiguredCommand.java:87) at io.dropwizard.cli.Cli.run(Cli.java:78) at io.dropwizard.Application.run(Application.java:93) at keywhiz.KeywhizService.main(KeywhizService.java:78) Caused by: java.lang.ClassNotFoundException: org.bouncycastle.jce.provider.BouncyCastleProvider at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:583) at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:178) at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:521) ... 16 more [keywhiz@keywhiz-233048331-1-258246470 ~]$

$ java --version openjdk 11.0.3 2019-04-16 LTS OpenJDK Runtime Environment 18.9 (build 11.0.3+7-LTS) OpenJDK 64-Bit Server VM 18.9 (build 11.0.3+7-LTS, mixed mode, sharing) [keywhiz@keywhiz-233048331-1-258246470 ~]$

Any idea?

Thank you in advance,

Flavio.

SecretResource now accepts GET requests for a list of versions of a given secret, ordered with the most recently created version first. This list can be restricted by passing indices to the GET request; it will then return only the versions between these indices in the list (inclusive).

Automation clients can already access the contents of any secret by assigning it to themselves (since they have complete control of group, client, and secret ACLs), reading it through the SecretDeliveryResource, and unassigning it from themselves. This new endpoint directly exposes the ability for automation endpoints to read secrets in one call rather than three, and thus avoids the need to write to Keywhiz (with the assigns and unassigns) in order to read from it. It logs all uses of this endpoint to the audit log.

This makes the update command print a warning if content appears to have been piped into it (stdin could be read from without blocking) but the --content flag was not specified. It does not update the secret with the input content if the flag was not specified, however.

This adds an endpoint to both the automation and admin APIs to list secrets in batches, specified by an index into a list of the secrets sorted by creation date from oldest to newest, and a number of secrets after that index to retrieve.

The fact that an index of 0 retrieves the oldest secret is not necessarily the most convenient for a user querying secrets. However, if the automation endpoint is used to iterate over secrets in batches, querying from newest to oldest would run into unexpected repeated secrets, and overlooked new secrets, if a secret was created between one batch and the next. Querying from oldest to newest avoids this potential bug.

The docs say "(Optional) Import some development data:" but it seems like if you fail to do this you can't log in with the dev username/password. I just wasted a bunch of time trying to figure our what the username/password was because I failed to run db-seed. I think the instructions should be explicit that this is really necessary to set up the dev account.

My guess is that the entire project isn't compatible with Windows, but at least from the start, when I run mvn clean verify from the parent, I get an error in the cli module. Going in to that module specifically and running mvn clean verify produces the following output on my machine (Win7, jdk1.8.0_60+JCE):

C:\Users\Me\dev\java\keywhiz\cli [master ≡]
λ mvn clean verify
[INFO] Scanning for projects...
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] Building Keywhiz CLI 0.7.9-SNAPSHOT
[INFO] ------------------------------------------------------------------------
[INFO]
[INFO] --- maven-clean-plugin:2.5:clean (default-clean) @ keywhiz-cli ---
[INFO] Deleting C:\Users\Me\dev\java\keywhiz\cli\target
[INFO]
[INFO] --- maven-enforcer-plugin:1.2:enforce (enforce-unlimited-crypto-policy) @ keywhiz-cli ---
[INFO]
[INFO] --- maven-enforcer-plugin:1.2:enforce (enforce-maven) @ keywhiz-cli ---
[INFO]
[INFO] --- maven-resources-plugin:2.6:resources (default-resources) @ keywhiz-cli ---
[INFO] Using 'UTF-8' encoding to copy filtered resources.
[INFO] Copying 2 resources
[INFO]
[INFO] --- maven-compiler-plugin:3.1:compile (default-compile) @ keywhiz-cli ---
[INFO] Changes detected - recompiling the module!
[INFO] Compiling 22 source files to C:\Users\Me\dev\java\keywhiz\cli\target\classes
[INFO]
[INFO] --- maven-resources-plugin:2.6:testResources (default-testResources) @ keywhiz-cli ---
[INFO] Using 'UTF-8' encoding to copy filtered resources.
[INFO] Copying 4 resources
[INFO]
[INFO] --- maven-compiler-plugin:3.1:testCompile (default-testCompile) @ keywhiz-cli ---
[INFO] Changes detected - recompiling the module!
[INFO] Compiling 9 source files to C:\Users\Me\dev\java\keywhiz\cli\target\test-classes
[INFO]
[INFO] --- maven-surefire-plugin:2.14.1:test (default-test) @ keywhiz-cli ---
[INFO] Surefire report directory: C:\Users\Me\dev\java\keywhiz\cli\target\surefire-reports

-------------------------------------------------------
 T E S T S
-------------------------------------------------------
Running keywhiz.cli.commands.AddActionTest
2015-11-04 21:05:01,799 - Creating secret 'newSecret' with version '1576915baeb123e0'.
2015-11-04 21:05:01,837 - Creating group 'newGroup'.
2015-11-04 21:05:01,844 - Creating secret 'newSecret' with version '1576915bc725a9a1'.
2015-11-04 21:05:01,850 - Creating client 'newClient'.
2015-11-04 21:05:01,868 - Creating secret 'newSecret' with version '1576915bcdfd8e14'.
2015-11-04 21:05:01,880 - Creating secret 'newSecret' with version ''.
2015-11-04 21:05:01,905 - Creating secret 'newSecret' with version '1576915bdc6dc6b4'.
2015-11-04 21:05:01,906 - Allowing group 'newGroup' access to secret 'newSecret'.
2015-11-04 21:05:01,914 - Creating secret 'newSecret' with version '1576915bea18e06a'.
Tests run: 17, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 1.397 sec
Running keywhiz.cli.commands.AssignActionTest
2015-11-04 21:05:01,943 - Creating client 'non-existent-client-name'.
2015-11-04 21:05:01,944 - Enrolling client 'non-existent-client-name' in group 'group'.
2015-11-04 21:05:01,947 - Enrolling client 'existing-client-name' in group 'group'.
2015-11-04 21:05:01,951 - Allowing group 'group' access to secret 'secret'.
Tests run: 7, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 0.005 sec
Running keywhiz.cli.commands.DeleteActionTest
Please confirm deletion of secret 'secret': Y/N
Please confirm deletion of secret 'secret': Y/N
Please confirm deletion of secret 'secret': Y/N
2015-11-04 21:05:01,965 - Deleting group 'Web'.
2015-11-04 21:05:01,976 - Deleting client 'newClient'.
Please confirm deletion of secret 'secret': Y/N
2015-11-04 21:05:01,978 - Deleting secret 'secret'.
Tests run: 13, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 0.011 sec
Running keywhiz.cli.commands.DescribeActionTest
Tests run: 11, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 0.008 sec
Running keywhiz.cli.commands.ListActionTest
Tests run: 5, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 0.003 sec
Running keywhiz.cli.commands.UnassignActionTest
2015-11-04 21:05:02,079 - Evicting client 'client-name' from group 'group-name'.
2015-11-04 21:05:02,081 - Revoke group 'group-name' access to secret 'secret-name..1576915c401e87fb'.
Tests run: 6, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 0.004 sec
Running keywhiz.cli.JsonCookieTest
Tests run: 3, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 0.129 sec
Running keywhiz.cli.UtilitiesTest
Tests run: 2, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 0 sec
Running keywhiz.client.ClientUtilsTest
Tests run: 6, Failures: 0, Errors: 3, Skipped: 0, Time elapsed: 0.869 sec <<< FAILURE!
testLoadCookiesWithFile(keywhiz.client.ClientUtilsTest)  Time elapsed: 0.022 sec  <<< ERROR!
java.nio.file.InvalidPathException: Illegal char <:> at index 2: /C:/Users/Me/dev/java/keywhiz/cli/target/test-classes/fixtures/cookies.json
        at sun.nio.fs.WindowsPathParser.normalize(WindowsPathParser.java:182)
        at sun.nio.fs.WindowsPathParser.parse(WindowsPathParser.java:153)
        at sun.nio.fs.WindowsPathParser.parse(WindowsPathParser.java:77)
        at sun.nio.fs.WindowsPath.parse(WindowsPath.java:94)
        at sun.nio.fs.WindowsFileSystem.getPath(WindowsFileSystem.java:255)
        at java.nio.file.Paths.get(Paths.java:84)
        at keywhiz.client.ClientUtilsTest.testLoadCookiesWithFile(ClientUtilsTest.java:129)

testSaveAndLoadCookies(keywhiz.client.ClientUtilsTest)  Time elapsed: 0.054 sec  <<< ERROR!
java.lang.UnsupportedOperationException: null
        at java.nio.file.Files.setPosixFilePermissions(Files.java:2044)
        at keywhiz.cli.ClientUtils.saveCookies(ClientUtils.java:131)
        at keywhiz.client.ClientUtilsTest.testSaveAndLoadCookies(ClientUtilsTest.java:138)

testSaveCookies(keywhiz.client.ClientUtilsTest)  Time elapsed: 0.001 sec  <<< ERROR!
java.lang.UnsupportedOperationException: null
        at java.nio.file.Files.setPosixFilePermissions(Files.java:2044)
        at keywhiz.cli.ClientUtils.saveCookies(ClientUtils.java:131)
        at keywhiz.client.ClientUtilsTest.testSaveCookies(ClientUtilsTest.java:113)


Results :

Tests in error:
  ClientUtilsTest.testLoadCookiesWithFile:129 » InvalidPath Illegal char <:> at ...
  ClientUtilsTest.testSaveAndLoadCookies:138 » UnsupportedOperation
  ClientUtilsTest.testSaveCookies:113 » UnsupportedOperation

Tests run: 70, Failures: 0, Errors: 3, Skipped: 0

[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 17.749 s
[INFO] Finished at: 2015-11-04T15:05:03-06:00
[INFO] Final Memory: 46M/369M
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-surefire-plugin:2.14.1:test (default-test) on project keywhiz-cli: There are test failures.
[ERROR]
[ERROR] Please refer to C:\Users\Me\dev\java\keywhiz\cli\target\surefire-reports for the individual test results.
[ERROR] -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoFailureException

Bumps flyway-maven-plugin from 7.15.0 to 8.2.1.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Bumps mockito-core from 4.8.1 to 4.11.0.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Bumps easymock from 5.0.0 to 5.1.0.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Bumps slf4j.version from 1.7.36 to 2.0.6. Updates jul-to-slf4j from 1.7.36 to 2.0.6

Updates log4j-over-slf4j from 1.7.36 to 2.0.6

Updates slf4j-api from 1.7.36 to 2.0.6

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Bumps unboundid-ldapsdk from 6.0.5 to 6.0.7.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Bumps maven-dependency-plugin from 3.3.0 to 3.4.0.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.