
Example 6 with Authority

use of com.yahoo.athenz.auth.Authority in project athenz by yahoo.

the class RsrcCtxWrapperTest method TestAuthorize.

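@Test
public void TestAuthorize() {
    // Servlet request/response and the Authorizer are mocked; the AuthorityList is
    // the real class so the wrapper walks it exactly as it does in production.
    HttpServletRequest reqMock = Mockito.mock(HttpServletRequest.class);
    HttpServletResponse resMock = Mockito.mock(HttpServletResponse.class);
    AuthorityList authListMock = new AuthorityList();
    Authorizer authorizerMock = Mockito.mock(Authorizer.class);
    Authority authMock = Mockito.mock(Authority.class);
    Principal prin = Mockito.mock(Principal.class);
    // The authority pulls its credential from the "testheader" request header and
    // accepts any credential / remote address / method, returning the mocked principal.
    Mockito.when(authMock.getHeader()).thenReturn("testheader");
    Mockito.when(reqMock.getHeader("testheader")).thenReturn("testcred");
    Mockito.when(authMock.getCredSource()).thenReturn(com.yahoo.athenz.auth.Authority.CredSource.HEADER);
    Mockito.when(authMock.authenticate(Mockito.<String>any(), Mockito.<String>any(), Mockito.<String>any(), Mockito.any())).thenReturn(prin);
    Mockito.when(reqMock.getRemoteAddr()).thenReturn("1.1.1.1");
    Mockito.when(reqMock.getMethod()).thenReturn("POST");
    authListMock.add(authMock);
    // force true access right
    Mockito.when(authorizerMock.access(Mockito.<String>any(), Mockito.<String>any(), Mockito.any(), Mockito.any())).thenReturn(true);
    RsrcCtxWrapper wrapper = new RsrcCtxWrapper(reqMock, resMock, authListMock, false, authorizerMock);
    wrapper.authorize("add-domain", "test", "test");
    // after authorize success, principal should be set
    assertEquals(wrapper.principal(), prin);
    // The access decision must really be delegated to the Authorizer with the
    // authenticated principal and the requested action/resource/trust domain.
    // Without this verification the test would also pass if authorize() only
    // authenticated and never consulted the Authorizer at all.
    Mockito.verify(authorizerMock).access(Mockito.eq("add-domain"), Mockito.eq("test"), Mockito.eq(prin), Mockito.eq("test"));
}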

Example 7 with Authority

use of com.yahoo.athenz.auth.Authority in project athenz by yahoo.

the class RsrcCtxWrapperTest method TestRsrcCtxWrapperSimpleAssertion.

@Test
public void TestRsrcCtxWrapperSimpleAssertion() {
    // Mocked servlet plumbing plus one header-based Authority that always
    // authenticates to the mocked principal.
    Principal expectedPrincipal = Mockito.mock(Principal.class);
    Authority headerAuthority = Mockito.mock(Authority.class);
    Mockito.when(headerAuthority.getHeader()).thenReturn("testheader");
    Mockito.when(headerAuthority.getCredSource()).thenReturn(com.yahoo.athenz.auth.Authority.CredSource.HEADER);
    Mockito.when(headerAuthority.authenticate(Mockito.<String>any(), Mockito.<String>any(), Mockito.<String>any(), Mockito.any())).thenReturn(expectedPrincipal);

    HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
    Mockito.when(request.getHeader("testheader")).thenReturn("testcred");
    Mockito.when(request.getRemoteAddr()).thenReturn("1.1.1.1");
    Mockito.when(request.getMethod()).thenReturn("POST");
    HttpServletResponse response = Mockito.mock(HttpServletResponse.class);

    AuthorityList authorities = new AuthorityList();
    authorities.add(headerAuthority);
    Authorizer authorizer = Mockito.mock(Authorizer.class);

    RsrcCtxWrapper wrapper = new RsrcCtxWrapper(request, response, authorities, false, authorizer);

    // Construction alone must not authenticate: context and servlet objects are
    // exposed, but no principal has been established yet.
    assertNotNull(wrapper.context());
    assertEquals(wrapper.principal(), null);
    assertEquals(wrapper.request(), request);
    assertEquals(wrapper.response(), response);

    // Explicit authentication runs the authority list and records the principal.
    wrapper.authenticate();
    assertEquals(wrapper.principal(), expectedPrincipal);

    // Nothing here is a Kerberos credential, so the Kerberos-only path must
    // reject the request with a ResourceException rather than succeed silently.
    try {
        wrapper.authenticateKerberos();
        fail();
    } catch (ResourceException ex) {
        assertNotNull(ex);
    }
}

Example 8 with Authority

use of com.yahoo.athenz.auth.Authority in project athenz by yahoo.

the class ZTSImpl method postOSTKInstanceRefreshRequest.

// this method will be removed and replaced with call to postInstanceRefreshInformation
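@Override
public Identity postOSTKInstanceRefreshRequest(ResourceContext ctx, String domain, String service, OSTKInstanceRefreshRequest req) {
    // Refreshes the TLS identity certificate of an OSTK-registered instance.
    //
    // The caller must authenticate with the certificate this service issued
    // earlier (principal name domain.service, CertificateAuthority), submit a CSR
    // that matches its stored certificate record, and present a serial number
    // that is either the current or the immediately previous one we issued.
    // Any other serial is treated as a possible key compromise: the record is
    // marked revoked and the request is refused.
    //
    // ctx      - request context; the principal is read from the RsrcCtxWrapper
    // domain   - domain of the instance identity (lower-cased here)
    // service  - service of the instance identity (lower-cased here)
    // req      - carries the PEM CSR for the new certificate
    // returns  - the newly issued Identity (certificate + related fields)
    // throws   - requestError (bad input / principal or CSR mismatch),
    //            forbiddenError (no record, or serial mismatch -> revoked),
    //            serverError (signing or record update failed)
    final String caller = "postostkinstancerefreshrequest";
    final String callerTiming = "postostkinstancerefreshrequest_timing";
    metric.increment(HTTP_POST);
    logPrincipal(ctx);
    if (LOGGER.isDebugEnabled()) {
        LOGGER.debug("postOSTKInstanceRefreshRequest: " + req);
    }
    validateRequest(ctx.request(), caller);
    validate(domain, TYPE_DOMAIN_NAME, caller);
    validate(service, TYPE_SIMPLE_NAME, caller);
    validate(req, TYPE_OSTK_INSTANCE_REFRESH_REQUEST, caller);
    // for consistent handling of all requests, we're going to convert
    // all incoming object values into lower case (e.g. domain, role,
    // policy, service, etc name)
    domain = domain.toLowerCase();
    service = service.toLowerCase();
    Object timerMetric = metric.startTiming(callerTiming, domain);
    metric.increment(HTTP_REQUEST, domain);
    metric.increment(caller, domain);
    // make sure the credentials match to whatever the request is:
    // only the identity named in the URL may refresh its own certificate.
    // NOTE(review): assumes the framework has already authenticated the
    // request so principal is non-null here - confirm against the endpoint
    // configuration; an unauthenticated call would NPE below.
    Principal principal = ((RsrcCtxWrapper) ctx).principal();
    String principalName = domain + "." + service;
    if (!principalName.equals(principal.getFullName())) {
        throw requestError("postOSTKInstanceRefreshRequest: Principal mismatch: " + principalName + " vs. " + principal.getFullName(), caller, domain);
    }
    // The refresh must be proven with the existing certificate, not with any
    // other credential type that could map to the same principal name.
    // String concatenation (rather than authority.toString()) keeps this a
    // 400 instead of an NPE should the principal carry no authority at all.
    Authority authority = principal.getAuthority();
    if (!(authority instanceof CertificateAuthority)) {
        throw requestError("postOSTKInstanceRefreshRequest: Unsupported authority for TLS Certs: " + authority, caller, domain);
    }
    X509Certificate cert = principal.getX509Certificate();
    X509CertRecord x509CertRecord = instanceCertManager.getX509CertRecord("ostk", cert);
    if (x509CertRecord == null) {
        throw forbiddenError("postOSTKInstanceRefreshRequest: Unable to find certificate record", caller, domain);
    }
    // validate that the cn and public key (if required) match to
    // the provided details
    PKCS10CertificationRequest certReq = Crypto.getPKCS10CertRequest(req.getCsr());
    if (certReq == null) {
        throw requestError("postOSTKInstanceRefreshRequest: unable to parse PKCS10 certificate request", caller, domain);
    }
    if (!ZTSUtils.verifyCertificateRequest(certReq, domain, service, x509CertRecord)) {
        throw requestError("postOSTKInstanceRefreshRequest: invalid CSR - cn mismatch", caller, domain);
    }
    // now we need to make sure the serial number for the certificate
    // matches to what we had issued previously. If we have a mismatch
    // then we're going to revoke this instance as it has been possibly
    // compromised.
    //   cert serial == current  -> normal rotation: current becomes previous
    //   cert serial == previous -> tolerated once more (e.g. the client never
    //                              received the last certificate); the record
    //                              is not rotated, only the new current is set
    //   anything else           -> revoke
    String serialNumber = cert.getSerialNumber().toString();
    if (x509CertRecord.getCurrentSerial().equals(serialNumber)) {
        // update the record to mark current as previous
        // and we'll update the current set with our existing
        // details
        x509CertRecord.setPrevIP(x509CertRecord.getCurrentIP());
        x509CertRecord.setPrevTime(x509CertRecord.getCurrentTime());
        x509CertRecord.setPrevSerial(x509CertRecord.getCurrentSerial());
    } else if (!x509CertRecord.getPrevSerial().equals(serialNumber)) {
        // we have a mismatch for both current and previous serial
        // numbers so we're going to revoke it. "-1" is a sentinel that no
        // issued certificate serial is expected to match, so every later
        // refresh with any certificate lands in this branch again.
        LOGGER.error("postOSTKInstanceRefreshRequest: Revoking certificate refresh for cn: {} " + "instance id: {}, current serial: {}, previous serial: {}, cert serial: {}", principalName, x509CertRecord.getInstanceId(), x509CertRecord.getCurrentSerial(), x509CertRecord.getPrevSerial(), serialNumber);
        x509CertRecord.setPrevSerial("-1");
        x509CertRecord.setCurrentSerial("-1");
        instanceCertManager.updateX509CertRecord(x509CertRecord);
        throw forbiddenError("postOSTKInstanceRefreshRequest: Certificate revoked", caller, domain);
    }
    // generate identity with the certificate
    Identity identity = ZTSUtils.generateIdentity(certSigner, req.getCsr(), principalName, null, 0);
    if (identity == null) {
        throw serverError("Unable to generate identity", caller, domain);
    }
    // need to update our cert record with new certificate details so the
    // next refresh can be matched against this serial and source address
    X509Certificate newCert = Crypto.loadX509Certificate(identity.getCertificate());
    x509CertRecord.setCurrentSerial(newCert.getSerialNumber().toString());
    x509CertRecord.setCurrentIP(ServletRequestUtil.getRemoteAddress(ctx.request()));
    x509CertRecord.setCurrentTime(new Date());
    if (!instanceCertManager.updateX509CertRecord(x509CertRecord)) {
        // the certificate has already been signed at this point; failing here
        // refuses to hand it out rather than lose track of the issued serial
        throw serverError("postOSTKInstanceRefreshRequest: unable to update cert db", caller, domain);
    }
    // timing is only recorded on the success path (error paths throw above)
    metric.stopTiming(timerMetric);
    return identity;
}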

Example 9 with Authority

use of com.yahoo.athenz.auth.Authority in project athenz by yahoo.

the class ZMSImplTest method zmsInit.

private ZMSImpl zmsInit() {
    // Builds a ZMSImpl backed by the file store for unit tests. Everything
    // credential-related here is test-only: the principal is created through
    // the debug authority with a literal ";s=signature" placeholder, so no real
    // signature verification takes place.

    // we want to make sure we start we clean dir structure
    FileConnection.deleteDirectory(new File(ZMS_DATA_STORE_PATH));

    // Test principal "user.user1" with unsigned credentials attached so the
    // mocked resource contexts hand back a fully populated principal.
    String credsWithoutSignature = "v=U1;d=user;n=user1";
    Authority debugAuthority = new com.yahoo.athenz.common.server.debug.DebugPrincipalAuthority();
    rsrcPrince = SimplePrincipal.create("user", "user1", credsWithoutSignature + ";s=signature", 0, debugAuthority);
    ((SimplePrincipal) rsrcPrince).setUnsignedCreds(credsWithoutSignature);

    // Both mocked contexts expose the same servlet request and principal.
    Mockito.when(mockDomRestRsrcCtx.request()).thenReturn(mockServletRequest);
    Mockito.when(mockDomRestRsrcCtx.principal()).thenReturn(rsrcPrince);
    Mockito.when(mockDomRsrcCtx.context()).thenReturn(mockDomRestRsrcCtx);
    Mockito.when(mockDomRsrcCtx.request()).thenReturn(mockServletRequest);
    Mockito.when(mockDomRsrcCtx.principal()).thenReturn(rsrcPrince);

    // Server key pair and admin user come from system properties set up by the
    // test harness.
    pubKey = Crypto.encodedFile(new File(System.getProperty(ZMS_PROP_PUBLIC_KEY)));
    privKey = Crypto.encodedFile(new File(System.getProperty(FilePrivateKeyStore.ATHENZ_PROP_PRIVATE_KEY)));
    adminUser = System.getProperty(ZMSConsts.ZMS_PROP_DOMAIN_ADMIN);

    // Force the file store and make sure no JDBC store configuration leaks in
    // from another test before the server object is constructed.
    System.setProperty(ZMSConsts.ZMS_PROP_FILE_STORE_PATH, "/tmp/zms_core_unit_tests/");
    System.clearProperty(ZMSConsts.ZMS_PROP_JDBC_RW_STORE);
    System.clearProperty(ZMSConsts.ZMS_PROP_JDBC_RO_STORE);

    ZMSImpl server = new ZMSImpl();
    // register the two public keys the tests sign with, keyed by key id
    server.serverPublicKeyMap.put("1", pubKeyK1);
    server.serverPublicKeyMap.put("2", pubKeyK2);
    ZMSImpl.serverHostName = "localhost";
    return server;
}

Example 10 with Authority

use of com.yahoo.athenz.auth.Authority in project athenz by yahoo.

the class UserAuthorityTest method testIsValidUser.

@Test
public void testIsValidUser() {
    // Minimal Authority stub: only isValidUser carries logic, and it accepts
    // exactly the literal "validuser". Every other method is a no-op / null so
    // the stub cannot accidentally authenticate anything.
    Authority stubAuthority = new Authority() {

        @Override
        public boolean isValidUser(String name) {
            return name.equals("validuser");
        }

        @Override
        public void initialize() {
            // nothing to set up for this stub
        }

        @Override
        public String getDomain() {
            return null;
        }

        @Override
        public String getHeader() {
            return null;
        }

        @Override
        public Principal authenticate(String creds, String remoteAddr, String httpMethod, StringBuilder errMsg) {
            // never authenticates; this test only covers isValidUser
            return null;
        }
    };

    // Exercise both outcomes of the user check.
    boolean acceptsKnownUser = stubAuthority.isValidUser("validuser");
    boolean acceptsUnknownUser = stubAuthority.isValidUser("invaliduser");
    assertTrue(acceptsKnownUser);
    assertFalse(acceptsUnknownUser);
}
