
Example 41 with Authority

use of com.yahoo.athenz.auth.Authority in project athenz by yahoo.

the class HttpTest method testAuthenticateHeaderFailureMultipleAuth.

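@Test
public void testAuthenticateHeaderFailureMultipleAuth() {
    // Two authorities are configured and neither can authenticate the request:
    // the HEADER authority looks for a header the mocked request never sets, and
    // the REQUEST authority's authenticate() is left unstubbed, so the mock
    // returns null for it.
    HttpServletRequest httpServletRequest = Mockito.mock(HttpServletRequest.class);
    Http.AuthorityList authorities = new Http.AuthorityList();
    Authority authority1 = Mockito.mock(Authority.class);
    Mockito.when(authority1.getCredSource()).thenReturn(CredSource.HEADER);
    Mockito.when(authority1.getHeader()).thenReturn("Cookie.hogehoge");
    Mockito.when(authority1.getAuthenticateChallenge()).thenReturn("Basic realm=\"athenz\"");
    authorities.add(authority1);
    Authority authority2 = Mockito.mock(Authority.class);
    Mockito.when(authority2.getCredSource()).thenReturn(CredSource.REQUEST);
    Mockito.when(authority2.getAuthenticateChallenge()).thenReturn("AthenzRequest realm=\"athenz\"");
    authorities.add(authority2);
    // Capture the status code outside the catch block: if authenticate() ever
    // returned normally, the previous form of this test passed silently because
    // the only assertion lived inside the catch.
    int statusCode = 0;
    try {
        Http.authenticate(httpServletRequest, authorities);
    } catch (ResourceException expected) {
        statusCode = expected.getCode();
    }
    assertEquals(statusCode, 401);
    // Both authorities' challenges must be collected into the request attribute
    // so the caller can surface them on the 401 response.
    Set<String> challenges = new HashSet<>();
    challenges.add("Basic realm=\"athenz\"");
    challenges.add("AthenzRequest realm=\"athenz\"");
    Mockito.verify(httpServletRequest, times(1)).setAttribute("com.yahoo.athenz.auth.credential.challenges", challenges);
}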

Example 42 with Authority

use of com.yahoo.athenz.auth.Authority in project athenz by yahoo.

the class HttpTest method testAuthorizedUser.

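@Test
public void testAuthorizedUser() {
    HttpServletRequest httpServletRequest = Mockito.mock(HttpServletRequest.class);
    // The principal the mocked authority hands back once it "authenticates".
    Principal principal = Mockito.mock(Principal.class);
    Mockito.when(principal.getFullName()).thenReturn("athenz.api");
    // The authorizer grants access for any arguments; this test only covers the
    // authenticate-then-authorize plumbing, not the policy decision.
    Authorizer authorizer = Mockito.mock(Authorizer.class);
    Mockito.when(authorizer.access(ArgumentMatchers.any(), ArgumentMatchers.any(), ArgumentMatchers.any(Principal.class), ArgumentMatchers.any())).thenReturn(true);
    // Header-sourced authority: credentials are read from Athenz-Principal-Auth.
    Authority authority = Mockito.mock(Authority.class);
    Mockito.when(authority.getCredSource()).thenReturn(Authority.CredSource.HEADER);
    Mockito.when(authority.getHeader()).thenReturn("Athenz-Principal-Auth");
    Mockito.when(httpServletRequest.getHeader("Athenz-Principal-Auth")).thenReturn("Creds");
    Mockito.when(authority.authenticate(ArgumentMatchers.any(), ArgumentMatchers.any(), ArgumentMatchers.any(), ArgumentMatchers.any())).thenReturn(principal);
    Http.AuthorityList authorities = new Http.AuthorityList();
    authorities.add(authority);
    // TestNG's assertEquals takes (actual, expected); keep that order, as the
    // sibling tests do, so a failure message reports the values correctly.
    assertEquals(Http.authorizedUser(httpServletRequest, authorities, authorizer, "action", "resource", null), "athenz.api");
}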

Example 43 with Authority

use of com.yahoo.athenz.auth.Authority in project athenz by yahoo.

the class Http method authenticate.

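/**
 * Authenticates the request against each configured authority in list order and
 * returns the first principal produced.
 *
 * <p>Every authority that does not produce a principal contributes its challenge
 * (if any) to the {@code AUTH_CHALLENGES} request attribute and its error text
 * (if any) to the {@code INVALID_CRED_ATTR} request attribute, so the caller can
 * build the 401 response.
 *
 * @param request      the incoming servlet request
 * @param authorities  the configured authorities, tried in list order
 * @param optionalAuth when {@code true} and no authority reported an error, a
 *                     request carrying no credentials yields {@code null}
 *                     instead of an exception
 * @return the authenticated principal, or {@code null} only for optional auth
 *         when no authority reported an error
 * @throws ResourceException {@code INTERNAL_SERVER_ERROR} when {@code authorities}
 *         is {@code null}; {@code UNAUTHORIZED} when no authority accepts the request
 */
public static Principal authenticate(HttpServletRequest request, AuthorityList authorities, boolean optionalAuth) {
    if (authorities == null) {
        LOG.error("authenticate: No authorities configured");
        throw new ResourceException(ResourceException.INTERNAL_SERVER_ERROR, "No authorities configured");
    }
    StringBuilder authErrMsg = new StringBuilder(512);
    Set<String> authChallenges = null;
    for (Authority authority : authorities.authorities) {
        StringBuilder errMsg = new StringBuilder(512);
        Principal principal = authenticateWithAuthority(request, authority, errMsg);
        if (principal != null) {
            return principal;
        }
        final String challenge = authority.getAuthenticateChallenge();
        if (challenge != null) {
            if (authChallenges == null) {
                authChallenges = new HashSet<>();
            }
            authChallenges.add(challenge);
        }
        if (errMsg.length() > 0) {
            authErrMsg.append(":error: ").append(errMsg);
        }
    }
    // "No credentials presented" is inferred from the absence of error text. An
    // authority that rejects credentials without writing to errMsg is therefore
    // indistinguishable from one that saw no credentials, and an optional-auth
    // request would then proceed unauthenticated rather than being rejected.
    if (authErrMsg.length() == 0 && optionalAuth) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("authenticate: No credentials provided for optional auth request");
        }
        return null;
    }
    if (authErrMsg.length() > 0) {
        request.setAttribute(INVALID_CRED_ATTR, authErrMsg.toString());
        LOG.error("authenticate: {}", authErrMsg.toString());
    } else {
        request.setAttribute(INVALID_CRED_ATTR, "No credentials provided");
        LOG.error("authenticate: No credentials provided");
    }
    // if we have challenges specified, we're going to set it as a request
    // attribute and let the caller decide if they want to add it to the
    // response as a header in its context handler (the attribute is set even
    // when no challenge was collected, in which case its value is null)
    request.setAttribute(AUTH_CHALLENGES, authChallenges);
    throw new ResourceException(ResourceException.UNAUTHORIZED, "Invalid credentials");
}

/**
 * Consults a single authority using the credential source it declares.
 *
 * @param request   the incoming servlet request
 * @param authority the authority to consult
 * @param errMsg    receives any error text the authority reports
 * @return the principal, or {@code null} when the authority did not
 *         authenticate the request (including when no credentials of its
 *         kind were present on the request)
 */
private static Principal authenticateWithAuthority(HttpServletRequest request, Authority authority, StringBuilder errMsg) {
    switch (authority.getCredSource()) {
        case HEADER:
            String creds = authenticatingCredentials(request, authority);
            if (creds == null) {
                return null;
            }
            return authority.authenticate(creds, ServletRequestUtil.getRemoteAddress(request), request.getMethod(), errMsg);
        case CERTIFICATE:
            X509Certificate[] certs = (X509Certificate[]) request.getAttribute(JAVAX_CERT_ATTR);
            // An empty chain would make certs[0] throw ArrayIndexOutOfBounds;
            // treat it exactly like a missing chain.
            if (certs == null || certs.length == 0 || certs[0] == null) {
                return null;
            }
            return authority.authenticate(certs, errMsg);
        case REQUEST:
            return authority.authenticate(request, errMsg);
        default:
            // Unknown credential source: nothing to try, same as the original
            // switch which simply left principal unset.
            return null;
    }
}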

Example 44 with Authority

use of com.yahoo.athenz.auth.Authority in project athenz by yahoo.

the class NotificationToEmailConverterCommon method loadNotificationUserAuthority.

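/**
 * Instantiates the notification user {@link Authority} by class name.
 *
 * <p>The class is loaded by name and must expose an accessible no-arg
 * constructor. Any reflective failure, or a class that is not an
 * {@code Authority}, is logged together with its cause and mapped to
 * {@code null} so the caller decides how to proceed without one.
 *
 * @param className fully qualified name of the Authority implementation
 *                  (presumably read from configuration — confirm at the caller)
 * @return the new authority instance, or {@code null} if it could not be created
 */
private Authority loadNotificationUserAuthority(String className) {
    LOGGER.debug("Loading Notification user authority {}...", className);
    try {
        // asSubclass rejects a non-Authority class here, inside the catch,
        // instead of letting an unchecked cast error escape to the caller.
        // getDeclaredConstructor().newInstance() replaces the deprecated
        // Class.newInstance(), which re-threw the constructor's checked
        // exceptions unwrapped.
        return Class.forName(className)
                .asSubclass(Authority.class)
                .getDeclaredConstructor()
                .newInstance();
    } catch (ReflectiveOperationException | ClassCastException e) {
        // Pass the exception itself as the trailing argument so the stack
        // trace is retained rather than only the message.
        LOGGER.error("Invalid Notification user Authority class: {} error: {}", className, e.getMessage(), e);
        return null;
    }
}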

Example 45 with Authority

use of com.yahoo.athenz.auth.Authority in project athenz by yahoo.

the class DBServiceTest method testUpdateUserAuthorityExpiryGroupMember.

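@Test
public void testUpdateUserAuthorityExpiryGroupMember() {
    // Swap in a mocked user authority for the duration of the test and restore
    // the saved one in a finally block, so an assertion failure cannot leak the
    // mock into later tests that share zms.dbService.zmsConfig.
    Authority savedAuthority = zms.dbService.zmsConfig.getUserAuthority();
    Authority authority = Mockito.mock(Authority.class);
    Date currentDate = new Date();
    Timestamp authorityDate = Timestamp.fromDate(currentDate);
    // john and jane carry the attribute; joe has no value for it.
    Mockito.when(authority.getDateAttribute("user.john", "elevated-clearance")).thenReturn(currentDate);
    Mockito.when(authority.getDateAttribute("user.jane", "elevated-clearance")).thenReturn(currentDate);
    Mockito.when(authority.getDateAttribute("user.joe", "elevated-clearance")).thenReturn(null);
    zms.dbService.zmsConfig.setUserAuthority(authority);
    try {
        // service users are not processed
        GroupMember groupMember = new GroupMember().setMemberName("sports.api");
        assertFalse(zms.dbService.updateUserAuthorityExpiry(groupMember, "elevated-clearance"));
        // user.joe - no expiry setting
        groupMember = new GroupMember().setMemberName("user.joe");
        assertTrue(zms.dbService.updateUserAuthorityExpiry(groupMember, "elevated-clearance"));
        assertNotNull(groupMember.getExpiration());
        // we'll change if the expiry date is in the future
        Timestamp expiryDate = Timestamp.fromMillis(System.currentTimeMillis() + 1000000);
        groupMember.setExpiration(expiryDate);
        assertTrue(zms.dbService.updateUserAuthorityExpiry(groupMember, "elevated-clearance"));
        assertNotEquals(groupMember.getExpiration(), expiryDate);
        // we will not change if the entry is already expired
        expiryDate = Timestamp.fromMillis(System.currentTimeMillis() - 1000000);
        groupMember.setExpiration(expiryDate);
        assertFalse(zms.dbService.updateUserAuthorityExpiry(groupMember, "elevated-clearance"));
        assertEquals(groupMember.getExpiration(), expiryDate);
        // now let's test a user with valid authority expiry date
        // if the user doesn't have an expiry, we'll default to the value
        // returned by the user authority
        groupMember = new GroupMember().setMemberName("user.jane");
        assertTrue(zms.dbService.updateUserAuthorityExpiry(groupMember, "elevated-clearance"));
        assertNotNull(groupMember.getExpiration());
        assertEquals(groupMember.getExpiration(), authorityDate);
        // if the value matches to our user authority value then no change
        groupMember.setExpiration(authorityDate);
        assertFalse(zms.dbService.updateUserAuthorityExpiry(groupMember, "elevated-clearance"));
        assertNotNull(groupMember.getExpiration());
        assertEquals(groupMember.getExpiration(), authorityDate);
        // if no match then we change the value
        groupMember.setExpiration(Timestamp.fromMillis(System.currentTimeMillis() - 2000000));
        assertTrue(zms.dbService.updateUserAuthorityExpiry(groupMember, "elevated-clearance"));
        assertNotNull(groupMember.getExpiration());
        assertEquals(groupMember.getExpiration(), authorityDate);
    } finally {
        zms.dbService.zmsConfig.setUserAuthority(savedAuthority);
    }
}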
