
Example 1 with KeyStore

use of com.yahoo.athenz.auth.KeyStore in project athenz by yahoo.

From class OAuthCertBoundJwtAccessTokenAuthorityTest, method testAuthenticate.

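/**
 * Exercises {@code OAuthCertBoundJwtAccessTokenAuthority.authenticate} against a spied
 * key store and mocked servlet requests.
 *
 * <p>Rejection paths covered: no Authorization header, bearer token without a client
 * certificate, null {@code errMsg}, malformed JWT, expired JWT, JWT without {@code exp},
 * JWT without {@code cnf} when no authorized-client mapping exists, and a {@code sub}
 * that is not a service identity. Accepting paths covered: thumbprint verification
 * switched off, and custom {@code aud}/{@code scope} claims.
 *
 * <p>Relies on fixtures defined elsewhere in the class: {@code baseKeyStore},
 * {@code jwtPublicKey}, {@code clientCertChain} and {@code classLoader}. System
 * properties are set immediately around each {@code initialize()} call and cleared
 * right after, so later tests start from the default configuration.
 */
@Test
public void testAuthenticate() {
    // Fixed RS256 tokens sharing header kid=keyId; each name says which claim it lacks or varies.
    String expiredJwt = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImtleUlkIn0.eyJzdWIiOiJ1c2VyLmFkbWluIiwiaXNzIjoic3lzLmF1dGgudGVzdElkUCIsImF1ZCI6Imh0dHBzOi8vem1zLmF0aGVuei5pbyIsInNjb3BlIjoic3lzLmF1dGg6cm9sZS5hZG1pbiIsImNsaWVudF9pZCI6InVpLmF0aGVuei5pbyIsImlhdCI6MTUxNjIzOTAyMiwiZXhwIjoxNTE2MjM5MDIyfQ.cMbo1Ogwz3HTGdfncjBn3H99ehe_yT1Zhlb8vmDqvPnbjuZUnuFl3aZEIE_JyLQrGADZf9PFlqxMNQcd_AlrZ-SePW8u4kIe1mFBr6oSTzuBkLzpwlff_vWaoOGlXrjlai64ISaDXYaYFPxnNMhjFSpod6D_anaQqs3XXEqrlwHHG7zk99UvPZehtXntKcAv0it8K5_7-vtQiEqHIvy14oxLNhQa801bhaUvjgnSVhnQzfXTCYzM4B1QfF1Cp7k9ktw3tsOShZGYHYr-XOvO_199z0ZJfWkdqk_FA3Mdo_Nw_r9ghh2kCx5YhmNpaqN9BANmwv3PbREcfIt1o4V7ZTHSzBq2cuCjEmU59Nl530tUMe31npw-8i6MIGzE_Ifg4k5ea1L1JBzQkbtWeIVd8SV3j_D0TNhYmeeAYgK8UikkFIw3Uza6ZvfZKTe8cffomzzfeB5fjL9GUsqj6LpIL1R2CgCQARqlZDGl9d73j81G7r7qZPZuBW5U3c3cPrdChw1-AwgDT27-Hu3yAzxZyJmsfIkUj5VZZfb1loIsovcRr_h9VUeNEqMimKfwxRBr7EP7fw7eRQoAJIthdeMGS6hfh-ZPM85N2YN34aQ0YJKWJUgdLudCGpkmfYBBd28D1VGNTUlfEuwHXosVP1GoYLXlz8zgwWIoXuk_bj4QH-g";
    String noExpJwt = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImtleUlkIn0.eyJzdWIiOiJ1c2VyLmFkbWluIiwiaXNzIjoic3lzLmF1dGgudGVzdElkUCIsImF1ZCI6Imh0dHBzOi8vem1zLmF0aGVuei5pbyIsInNjb3BlIjoic3lzLmF1dGg6cm9sZS5hZG1pbiIsImNsaWVudF9pZCI6InVpLmF0aGVuei5pbyIsImlhdCI6MTUxNjIzOTAyMn0.I8da4Q_SysUJ3O4VZQQb7v0tQHNaAWk7WGkC3AImhd6FK_g6wAFe4Nw7K5ofOCdJKjHGUmqgBpnt1vbOqia8UJhcKkByBXywVnbK655MQ3ogkBmi3tUPx6Dmq1dwiaxsVZMAnxFQeACcTEz_Q_BWiXJqSpUP0vBy2sOFTus_xmvcooewu7n-EgdrO26oYwCMp0IARaSZq6hRmF5Le4wyz8d8CEzIArjEBOBpbONsX3NOvPSox3whDvIk91Zy4ZsORAMoLgGSQTqrEYBLSsFwng01V_OW4JVfM2p9f3U2gpqF6Ja7FFXrxnrgXEjvLvcMQYgv21eTT7ELMMFFQaYLPcCXNDoGwPOOU0dxngqw9B9qqhZV-gTJ7w5ADH2knwqNN5EJxnflVU_D-dUZFNJ0ruMc3bfsLzXQhhHqdhY6h6vkqQ2IGUiGilS4hgVWa26QOstj1twf4Dj1xaHro5800evW886pwJyK3FSfULrvpiJ6Q_DkzSEG1sGRj4RTwl8Opgh27Mot5m2x-qESwbEMeazz2saIdHpt6lcH1VY2baazy322mCRXzA9SdQD-u2bjjI4Fu-AJQRbL51pvzNceXJdz9xwnbX5RgY99E6AYOlzQ5zVl7PDsxLwdJr8UppYGQmrTBZ7DBjtNXGGMelZ0M1SBJVa0JZ3K61MWnYzPL5M";
    String noCnfJwt = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImtleUlkIn0.eyJzdWIiOiJ1c2VyLmFkbWluIiwiaXNzIjoic3lzLmF1dGgudGVzdElkUCIsImF1ZCI6Imh0dHBzOi8vem1zLmF0aGVuei5pbyIsInNjb3BlIjoic3lzLmF1dGg6cm9sZS5hZG1pbiIsImNsaWVudF9pZCI6InVpLmF0aGVuei5pbyIsImlhdCI6MTUxNjIzOTAyMiwiZXhwIjo5OTkwMDA5OTk5fQ.uE-SsyDGb0a1QU1Clv0WmwZqIm1HXc0pJy_rGofpIeo5jOsz3wj1ZVjGslgLV56hW9zvnwOh5ur8ChgQrYfDN1meM6loiu4py9mAU9bfaiPkecqGA5zmWQjhl9206MbVKxFXbVlt5FrQJaM5corSkIH4MIpxS4vU2dZBC4Emtc8hZXRg5BOKr6xRA-vTLbWNa3FTh8dhehTXngQ_bnJfU5MxoTMlrBCrajKjnzSYzZ6vutJKDZKGdbmRrM982wjuDyEzhViKVDBsNqUa0LUblBoUtVx2FnPCUlBWnyqm4aaf6FtqV8z2KolcH1DA_3PaWv1R_txFD0B4pRm1GA77LGCgAdNzZ4KMBN300K0DzBhbYS4fmbr0faAIUtYWRTI3PwkSQGUwZTS4FZbK6RQ-kUkx68BhLP3R33E06EGsb7qvdcPELFjMh8HtbUPUZdJnq0z5Q6EJrWE4h3_7c6JDCm5IIJ9GDN8u20l0BFQe1SCmcYAVutuuGX_79B73r2sQdm8-6LVoOZXtDFLlbadcXUHybUgZYYSlehKD1Vdt4JQqeVStdUM0q7Otfe9dhfrDHwJrEN9iGNWVItxlP86K8SrTRzaa8b1Qs6E-qXx_6XFF3taFU9jWS3I571WrXo1qkJp6QQknqEFa1JJkh28UDjonkgRSzeProQxbF_7T5VE";
    String invalidSubjectJwt = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImtleUlkIn0.eyJzdWIiOiJ1c2VyYWRtaW4iLCJpc3MiOiJzeXMuYXV0aC50ZXN0SWRQIiwiYXVkIjoiaHR0cHM6Ly96bXMuYXRoZW56LmlvIiwic2NvcGUiOiJzeXMuYXV0aDpyb2xlLmFkbWluIiwiY2xpZW50X2lkIjoidWkuYXRoZW56LmlvIiwiaWF0IjoxNTE2MjM5MDIyLCJjbmYiOnsieDV0I1MyNTYiOiJ6bGt4eW9YOTVsZS1OdjdPSTBCeGNqVE9vZ3Z5OVBHSC12X0NCcl9Ec0VrIn0sImV4cCI6OTk5MDAwOTk5OX0.HhCeOzNcDtR6GmPvlARwn5NSNPK3QhLw_LSsyg8LIq35vu8BoBsgX-Dw8GuFXc84e9gFdV5LTPOpOM78Ktc_L-eQ27j3u_UggCGwxkZHknRprLzBDx8A-bM3VyPyxTpokNFyrmrDbUn7pE8QwDRuPxOHjZUG1Wca2kY9YtgxnvYmh8w6TRH_uKdCPlbdo6FgQFbpSXZWbm0_UOQXpsSLH-q9vwz52D2wuDM_kGigLf1GKueshj-4Rzmrgh1nT-Zb6JQtBKdsnJRjQi9O9gQFwAdUcFFLVXd8IQKpgJc6ZvesGBwJmEOrE-THFHaGPdiRbqgMc8ha_0uknVeOwgiIflQfXi2Tid6aXBWBLDnABJuzlpSs7cXto3Fu-RAQLCQ16YJnFfeaCpmRkkjqTIupgRUy3_rqBNDUgg62kGjb6Sz_Q9lC1rdvx19i2lZqlvxgX1Q0_tbkqfCXm4mgU8b70OJ2oVGE6fq4hXDIKl-v7YAtDQdfqz3OmN6epRdOXCi3ZdgE5QzJS1TVbu-IgGrNgkfl8QzS02mSoIUpJAWZfE_21oYvLNjtYuOC2r9q3CSTwUHQJu45HupZnr0dLq7dIV-y_PAanHpz2IRJrhbZBicbR2P0sBsx-FxPUIGCK4II3Gsx5LehYNWYHSNnzdaGZC56x41VTzo2g7KNqLNYUBk";
    String customJwt = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImtleUlkIn0.eyJzdWIiOiJ1c2VyLmFkbWluIiwiaXNzIjoic3lzLmF1dGgudGVzdElkUCIsImF1ZCI6WyJjdXN0b21fYXVkXzEiLCJjdXN0b21fYXVkXzIiXSwic2NvcGUiOiJjdXN0b21fc2NvcGVfMSBjdXN0b21fc2NvcGVfMiIsImNsaWVudF9pZCI6InVpLmF0aGVuei5pbyIsImlhdCI6MTUxNjIzOTAyMiwiY25mIjp7Ing1dCNTMjU2IjoiemxreHlvWDk1bGUtTnY3T0kwQnhjalRPb2d2eTlQR0gtdl9DQnJfRHNFayJ9LCJleHAiOjk5OTAwMDk5OTl9.HCc0RCeV06gtgUKPoSDGhFySDxsCujmpzbge-oe1YQv43sRBTJfvJ4JIDnuPCosPugw8R9l9Bj3VM_sKSLHpJGhDRcQPamlawdes7bHSSL8VDoQIPLIzTdQUXc81OJqKSTMBjChdPzHSKF3VpwnrMpuFuBLvPs7PyN7xXxzDlEANPYx6-9pnd_z_eB4hABj0Q_fyX9pcm9wyXPyW3eEDo0m_R80fa6CUaEGt6FseVyZp7WimCXF-IongjXJLy3BLppVIUHg5U_rVmvoe81pE7-tJe7NiS5suUWLq-kMBNhmGBulGNLbH8VT4jOVDTpzS8a3jHL18xtHlij9Zbg4zpBbo4Z8O0Az37SS1vrGwTMPAW9uhjVRqAJB1MM5YZ5Rr8XRy6hduF-FbDmOP27jE_n0Hk2oQ2yfaB2oAY0wjpSLukV_CNzaDWrBBu_j25ld1OsvKeHXTBtf8EhjIcWrktu48SJvoDNQZZskeDXAt7gabFv7y2Gbe4JG4AF43-ewRuFzoMBJsLgzjvd7f1v71leTV519AD4ScjJNp17PakSc8BFu3E9--yr2jLFsJ1cC3VtezdOV2Jssh00WiklsB-mdcHi2WOXr3XONuix6ZvS2DehQCKEFtGEQcWe3oLjZmE5QDJNvuCbU1GbtAXiAbbEuqKaUKUf9HZW2KVfUSgqI";
    StringBuilder errMsg = new StringBuilder();
    OAuthCertBoundJwtAccessTokenAuthority authority = new OAuthCertBoundJwtAccessTokenAuthority();
    System.setProperty("athenz.auth.oauth.jwt.claim.iss", "sys.auth.testIdP");
    authority.initialize();
    System.clearProperty("athenz.auth.oauth.jwt.claim.iss");
    // Spy on the shared key store so only the lookup for the test issuer key ("keyId", presumably
    // the token header kid) is overridden; all other lookups fall through to baseKeyStore.
    KeyStore jwtKeyStore = Mockito.spy(baseKeyStore);
    Mockito.when(jwtKeyStore.getPublicKey("sys.auth", "testidp", "keyId")).thenReturn(this.jwtPublicKey);
    authority.setKeyStore(jwtKeyStore);
    HttpServletRequest requestMock;
    Principal principal;

    // empty token, skip: no Authorization header means no principal and no error recorded
    requestMock = mockRequestWithAuthorization(null);
    errMsg.setLength(0);
    assertEquals(authority.authenticate(requestMock, errMsg), null);
    assertEquals(errMsg.length(), 0);

    // no certificate error: a bearer token alone is rejected before the JWT is even parsed
    requestMock = mockRequestWithAuthorization(null, "Bearer dummy_access_token");
    errMsg.setLength(0);
    assertEquals(authority.authenticate(requestMock, errMsg), null);
    assertEquals(errMsg.toString(), "OAuthCertBoundJwtAccessTokenAuthority:authenticate: invalid certificate: No certificate available in request");

    // null errMsg, no errors: a null error sink must not throw
    requestMock = mockRequestWithAuthorization(null, "Bearer dummy_access_token_1");
    assertEquals(authority.authenticate(requestMock, null), null);

    // parse JWT error
    requestMock = mockRequestWithAuthorization(clientCertChain, "Bearer invalid_access_token");
    errMsg.setLength(0);
    assertEquals(authority.authenticate(requestMock, errMsg), null);
    assertEquals(errMsg.toString(), "OAuthCertBoundJwtAccessTokenAuthority:authenticate: invalid JWT: io.jsonwebtoken.MalformedJwtException: JWT strings must contain exactly 2 period characters. Found: 0");

    // expired JWT: only the prefix is asserted because the message embeds the current time
    requestMock = mockRequestWithAuthorization(clientCertChain, "Bearer " + expiredJwt);
    errMsg.setLength(0);
    assertEquals(authority.authenticate(requestMock, errMsg), null);
    assertTrue(errMsg.toString().startsWith("OAuthCertBoundJwtAccessTokenAuthority:authenticate: invalid JWT: io.jsonwebtoken.ExpiredJwtException: JWT expired at 2018-01-18T01:30:22Z. Current time: "));

    // invalid JWT: missing exp
    requestMock = mockRequestWithAuthorization(clientCertChain, "Bearer " + noExpJwt);
    errMsg.setLength(0);
    assertEquals(authority.authenticate(requestMock, errMsg), null);
    assertEquals(errMsg.toString(), "OAuthCertBoundJwtAccessTokenAuthority:authenticate: invalid JWT: exp is empty");

    // invalid JWT: no cnf claim and no authorized-client mapping configured for the certificate principal
    requestMock = mockRequestWithAuthorization(clientCertChain, "Bearer " + noCnfJwt);
    errMsg.setLength(0);
    assertEquals(authority.authenticate(requestMock, errMsg), null);
    assertEquals(errMsg.toString(), "OAuthCertBoundJwtAccessTokenAuthority:authenticate: invalid JWT: NO mapping of authorized client IDs for certificate principal (ui.athenz.io)");

    // skip cert thumbprint verification: with verify_cert_thumbprint=false the same cnf-less token is
    // accepted, i.e. the token is no longer bound to the presented certificate in this configuration.
    System.setProperty("athenz.auth.oauth.jwt.authorized_client_ids_path", this.classLoader.getResource("authorized_client_ids.single.txt").getPath());
    System.setProperty("athenz.auth.oauth.jwt.verify_cert_thumbprint", "false");
    System.setProperty("athenz.auth.oauth.jwt.claim.iss", "sys.auth.testIdP");
    authority.initialize();
    System.clearProperty("athenz.auth.oauth.jwt.claim.iss");
    System.clearProperty("athenz.auth.oauth.jwt.authorized_client_ids_path");
    System.clearProperty("athenz.auth.oauth.jwt.verify_cert_thumbprint");
    requestMock = mockRequestWithAuthorization(clientCertChain, "Bearer " + noCnfJwt);
    errMsg.setLength(0);
    principal = authority.authenticate(requestMock, errMsg);
    assertNotNull(principal);
    assertEquals(errMsg.toString(), "");
    assertEquals(principal.getDomain(), "user");
    assertEquals(principal.getName(), "admin");
    assertEquals(principal.getCredentials(), noCnfJwt);
    assertEquals(principal.getIssueTime(), 1516239022L);
    assertEquals(principal.getX509Certificate(), clientCertChain[0]);
    assertEquals(principal.getRoles(), null);
    assertEquals(principal.getApplicationId(), "ui.athenz.io");
    assertEquals(principal.getAuthorizedService(), "sys.auth.ui");
    // reset to the default configuration (thumbprint verification back on)
    System.setProperty("athenz.auth.oauth.jwt.claim.iss", "sys.auth.testIdP");
    authority.initialize();
    System.clearProperty("athenz.auth.oauth.jwt.claim.iss");

    // invalid subject JWT: sub "useradmin" has no domain separator
    System.setProperty("athenz.auth.oauth.jwt.authorized_client_ids_path", this.classLoader.getResource("authorized_client_ids.single.txt").getPath());
    System.setProperty("athenz.auth.oauth.jwt.claim.iss", "sys.auth.testIdP");
    authority.initialize();
    System.clearProperty("athenz.auth.oauth.jwt.claim.iss");
    System.clearProperty("athenz.auth.oauth.jwt.authorized_client_ids_path");
    requestMock = mockRequestWithAuthorization(clientCertChain, "Bearer " + invalidSubjectJwt);
    errMsg.setLength(0);
    assertEquals(authority.authenticate(requestMock, errMsg), null);
    assertEquals(errMsg.toString(), "OAuthCertBoundJwtAccessTokenAuthority:authenticate: sub is not a valid service identity: got=useradmin");

    // verify non-default JWT: custom aud and scope claims; the issuer stays the test IdP because
    // customJwt was signed with iss=sys.auth.testIdP (the earlier "custom.iss" assignment was dead,
    // overwritten before initialize() ran, and has been dropped).
    System.setProperty("athenz.auth.oauth.jwt.authorized_client_ids_path", this.classLoader.getResource("authorized_client_ids.single.txt").getPath());
    System.setProperty("athenz.auth.oauth.jwt.claim.aud", "custom_aud_1,custom_aud_2");
    System.setProperty("athenz.auth.oauth.jwt.claim.scope", "custom_scope_1 custom_scope_2");
    System.setProperty("athenz.auth.oauth.jwt.claim.iss", "sys.auth.testIdP");
    authority.initialize();
    System.clearProperty("athenz.auth.oauth.jwt.claim.iss");
    System.clearProperty("athenz.auth.oauth.jwt.authorized_client_ids_path");
    System.clearProperty("athenz.auth.oauth.jwt.claim.aud");
    System.clearProperty("athenz.auth.oauth.jwt.claim.scope");
    requestMock = mockRequestWithAuthorization(clientCertChain, "Bearer " + customJwt);
    errMsg.setLength(0);
    principal = authority.authenticate(requestMock, errMsg);
    assertNotNull(principal);
    assertEquals(errMsg.toString(), "");
    assertEquals(principal.getDomain(), "user");
    assertEquals(principal.getName(), "admin");
    assertEquals(principal.getCredentials(), customJwt);
    assertEquals(principal.getIssueTime(), 1516239022L);
    assertEquals(principal.getX509Certificate(), clientCertChain[0]);
    assertEquals(principal.getRoles(), null);
    assertEquals(principal.getApplicationId(), "ui.athenz.io");
    assertEquals(principal.getAuthorizedService(), "sys.auth.ui");
    // reset to the default configuration for subsequent tests
    System.setProperty("athenz.auth.oauth.jwt.claim.iss", "sys.auth.testIdP");
    authority.initialize();
    System.clearProperty("athenz.auth.oauth.jwt.claim.iss");
}

/**
 * Builds a mocked servlet request that returns the given values for
 * {@code getHeaders("Authorization")} and, when {@code certChain} is non-null, returns it
 * from {@code getAttribute("javax.servlet.request.X509Certificate")}.
 *
 * @param certChain object to expose as the client certificate chain attribute, or null to leave
 *                  the attribute unstubbed (the mock then returns null for it)
 * @param authHeaders Authorization header values, in order; none means no header at all
 * @return the configured mock
 */
private static HttpServletRequest mockRequestWithAuthorization(Object certChain, String... authHeaders) {
    HttpServletRequest request = Mockito.mock(HttpServletRequestWrapper.class);
    Mockito.when(request.getHeaders("Authorization")).thenReturn(Collections.enumeration(Arrays.asList(authHeaders)));
    if (certChain != null) {
        Mockito.when(request.getAttribute("javax.servlet.request.X509Certificate")).thenReturn(certChain);
    }
    return request;
}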

Example 2 with KeyStore

use of com.yahoo.athenz.auth.KeyStore in project athenz by yahoo.

From class PrincipalAuthorityTest, method testGetPublicKeyKeyServiceZms.

/**
 * Checks that {@code PrincipalAuthority.getPublicKey} resolves the key of the named key
 * service ("zms") rather than the key of the token's own domain/service: both lookups are
 * stubbed and only the sys.auth/zms value is expected back.
 */
@Test
public void testGetPublicKeyKeyServiceZms() {
    KeyStore stubbedKeyStore = Mockito.mock(KeyStore.class);
    Mockito.when(stubbedKeyStore.getPublicKey("sys.auth", "zms", "v1")).thenReturn("zms-key");
    Mockito.when(stubbedKeyStore.getPublicKey("athenz", "svc", "v1")).thenReturn("athenz-key");

    PrincipalAuthority authority = new PrincipalAuthority();
    authority.setKeyStore(stubbedKeyStore);

    String resolvedKey = authority.getPublicKey("athenz", "svc", "zms", "v1", false);
    assertEquals(resolvedKey, "zms-key");
}

Example 3 with KeyStore

use of com.yahoo.athenz.auth.KeyStore in project athenz by yahoo.

From class PrincipalAuthorityTest, method testPrincipalAuthority.

/**
 * Authenticates signed principal tokens against a {@code KeyStoreMock}-backed authority.
 *
 * <p>Covers a token built without an explicit key id (expected to resolve to key id "0"),
 * the same token authenticated with a null error sink, and tokens explicitly pinned to key
 * ids "0" and "1", each signed with the matching private key. Uses the {@code svcVersion},
 * {@code svcDomain}, {@code svcName}, {@code host}, {@code salt}, {@code expirationTime}
 * and private-key fixtures defined elsewhere in the class.
 *
 * @throws IOException propagated from token handling
 * @throws CryptoException propagated from signing
 */
@Test
public void testPrincipalAuthority() throws IOException, CryptoException {
    PrincipalAuthority authority = new PrincipalAuthority();
    KeyStore mockStore = new KeyStoreMock();
    authority.setKeyStore(mockStore);
    assertNull(authority.getDomain());
    assertEquals(authority.getHeader(), "Athenz-Principal-Auth");

    StringBuilder errors = new StringBuilder();

    // Token without a key id: the authority is expected to report key id "0" on the principal.
    PrincipalToken unversionedToken = new PrincipalToken.Builder(svcVersion, svcDomain, svcName)
            .host(host)
            .salt(salt)
            .expirationWindow(expirationTime)
            .build();
    unversionedToken.sign(servicePrivateKeyStringK0);
    String unversionedSigned = unversionedToken.getSignedToken();

    Principal authenticated = authority.authenticate(unversionedSigned, null, "GET", errors);
    assertNotNull(authenticated);
    assertNotNull(authenticated.getAuthority());
    assertEquals(authenticated.getCredentials(), unversionedSigned);
    assertEquals(authenticated.getDomain(), unversionedToken.getDomain());
    assertEquals(authenticated.getName(), unversionedToken.getName());
    assertEquals(authenticated.getKeyId(), "0");

    // A null error sink must still yield a principal.
    authenticated = authority.authenticate(unversionedSigned, null, "GET", null);
    assertNotNull(authenticated);

    // Token explicitly pinned to key id "0", signed with the K0 private key.
    PrincipalToken k0Token = new PrincipalToken.Builder(svcVersion, svcDomain, svcName)
            .host(host)
            .salt(salt)
            .expirationWindow(expirationTime)
            .keyId("0")
            .build();
    k0Token.sign(servicePrivateKeyStringK0);
    authenticated = authority.authenticate(k0Token.getSignedToken(), null, "GET", errors);
    assertNotNull(authenticated);
    assertEquals(authenticated.getCredentials(), k0Token.getSignedToken());

    // Token explicitly pinned to key id "1", signed with the K1 private key.
    PrincipalToken k1Token = new PrincipalToken.Builder(svcVersion, svcDomain, svcName)
            .host(host)
            .salt(salt)
            .expirationWindow(expirationTime)
            .keyId("1")
            .build();
    k1Token.sign(servicePrivateKeyStringK1);
    authenticated = authority.authenticate(k1Token.getSignedToken(), null, "GET", errors);
    assertNotNull(authenticated);
    assertEquals(authenticated.getCredentials(), k1Token.getSignedToken());
}

Example 4 with KeyStore

use of com.yahoo.athenz.auth.KeyStore in project athenz by yahoo.

From class PrincipalAuthorityTest, method testValidateAuthorizedIlligalForAuthorizedService.

/**
 * Verifies that {@code validateAuthorizeService} rejects a user token co-signed for an
 * authorized service whose public key cannot be found: the key store mock returns null for
 * sports/fantasy key "1", and the validation is expected to return null.
 *
 * <p>Relies on the {@code usrVersion}, {@code usrDomain}, {@code usrName}, {@code salt},
 * {@code expirationTime} and private-key fixtures defined elsewhere in the class.
 */
@Test
public void testValidateAuthorizedIlligalForAuthorizedService() {
    KeyStore keyStoreWithoutServiceKey = Mockito.mock(KeyStore.class);
    Mockito.when(keyStoreWithoutServiceKey.getPublicKey("sports", "fantasy", "1")).thenReturn(null);

    PrincipalAuthority authority = new PrincipalAuthority();
    authority.setKeyStore(keyStoreWithoutServiceKey);

    // Build a user token that lists sports.fantasy as an authorized service, then co-sign it for that service.
    List<String> services = new ArrayList<>();
    services.add("sports.fantasy");
    PrincipalToken userToken = new PrincipalToken.Builder(usrVersion, usrDomain, usrName)
            .salt(salt)
            .issueTime(System.currentTimeMillis() / 1000)
            .expirationWindow(expirationTime)
            .authorizedServices(services)
            .build();
    userToken.sign(servicePrivateKeyStringK0);
    userToken.signForAuthorizedService("sports.fantasy", "1", servicePrivateKeyStringK1);

    // No public key for the co-signing service, so validation must fail.
    StringBuilder errors = new StringBuilder();
    assertNull(authority.validateAuthorizeService(userToken, errors));
}

Example 5 with KeyStore

use of com.yahoo.athenz.auth.KeyStore in project athenz by yahoo.

From class PrincipalAuthorityTest, method testPrincipalAuthority_TamperedToken.

/**
 * Confirms that a signed principal token modified after signing (via the
 * {@code tamperWithServiceToken} helper defined elsewhere in the class) is rejected:
 * {@code authenticate} returns null, records a message mentioning "authenticate" when an
 * error sink is supplied, and still returns null when the sink is null.
 *
 * @throws IOException propagated from token handling
 * @throws CryptoException propagated from signing
 */
@Test
public void testPrincipalAuthority_TamperedToken() throws IOException, CryptoException {
    PrincipalAuthority authority = new PrincipalAuthority();
    authority.setKeyStore(new KeyStoreMock());

    PrincipalToken signedToken = new PrincipalToken.Builder(svcVersion, svcDomain, svcName)
            .host(host)
            .salt(salt)
            .expirationWindow(expirationTime)
            .build();
    signedToken.sign(servicePrivateKeyStringK0);
    String original = signedToken.getSignedToken();

    // A tampered token must never produce a principal; the error sink should explain why.
    StringBuilder errors = new StringBuilder();
    Principal result = authority.authenticate(tamperWithServiceToken(original), null, "GET", errors);
    assertNull(result);
    String failure = errors.toString();
    assertTrue(failure.length() > 0);
    assertTrue(failure.contains("authenticate"));

    // Same outcome without an error sink.
    result = authority.authenticate(tamperWithServiceToken(original), null, "GET", null);
    assertNull(result);
}
