
Example 86 with Principal

use of com.yahoo.athenz.auth.Principal in project athenz by yahoo.

the class PrincipalAuthorityTest method testPrincipalAuthority.

/**
 * Exercises PrincipalAuthority against the mock key store with three
 * service tokens: one that carries no key id, one that names key version 0
 * and one that names key version 1. Every signed token must produce a
 * principal whose credentials equal the signed token, and the authority
 * must also accept a null error buffer.
 */
@Test
public void testPrincipalAuthority() throws IOException, CryptoException {
    PrincipalAuthority authority = new PrincipalAuthority();
    KeyStore keyStore = new KeyStoreMock();
    authority.setKeyStore(keyStore);

    // the authority is not bound to a domain; only its header name is fixed
    assertNull(authority.getDomain());
    assertEquals(authority.getHeader(), "Athenz-Principal-Auth");

    StringBuilder errMsg = new StringBuilder();

    // token without a key id: the resulting principal reports key id "0"
    PrincipalToken token = new PrincipalToken.Builder(svcVersion, svcDomain, svcName)
            .host(host)
            .salt(salt)
            .expirationWindow(expirationTime)
            .build();
    token.sign(servicePrivateKeyStringK0);
    String signedToken = token.getSignedToken();

    Principal principal = authority.authenticate(signedToken, null, "GET", errMsg);
    assertNotNull(principal);
    assertNotNull(principal.getAuthority());
    assertEquals(principal.getCredentials(), signedToken);
    assertEquals(principal.getDomain(), token.getDomain());
    assertEquals(principal.getName(), token.getName());
    assertEquals(principal.getKeyId(), "0");

    // the error buffer argument is optional
    principal = authority.authenticate(signedToken, null, "GET", null);
    assertNotNull(principal);

    // token that explicitly names key version 0, signed with that key
    token = new PrincipalToken.Builder(svcVersion, svcDomain, svcName)
            .host(host)
            .salt(salt)
            .expirationWindow(expirationTime)
            .keyId(testKeyVersionK0)
            .build();
    token.sign(servicePrivateKeyStringK0);
    signedToken = token.getSignedToken();

    principal = authority.authenticate(signedToken, null, "GET", errMsg);
    assertNotNull(principal);
    assertEquals(principal.getCredentials(), signedToken);

    // token that names key version 1, signed with the matching private key
    token = new PrincipalToken.Builder(svcVersion, svcDomain, svcName)
            .host(host)
            .salt(salt)
            .expirationWindow(expirationTime)
            .keyId(testKeyVersionK1)
            .build();
    token.sign(servicePrivateKeyStringK1);
    signedToken = token.getSignedToken();

    principal = authority.authenticate(signedToken, null, "GET", errMsg);
    assertNotNull(principal);
    assertEquals(principal.getCredentials(), signedToken);
}

Example 87 with Principal

use of com.yahoo.athenz.auth.Principal in project athenz by yahoo.

the class RoleAuthorityTest method testRoleAuthorityMismatchIP.

/**
 * A role token issued to a user principal carries the IP it was bound to.
 * DELETE and PUT requests presented from a different address (127.0.0.2)
 * must be rejected with an error message that mentions "authenticate",
 * while a DELETE from the bound address (127.0.0.1) is still accepted.
 */
@Test
public void testRoleAuthorityMismatchIP() throws IOException, CryptoException {
    RoleAuthority roleAuthority = new RoleAuthority();
    KeyStore keyStore = new KeyStoreMock();
    roleAuthority.setKeyStore(keyStore);

    List<String> roles = new ArrayList<>();
    roles.add("storage.tenant.weather.updater");

    // user principal token bound to 127.0.0.1, signed with key version 0
    RoleToken roleToken = new RoleToken.Builder(rolVersion, svcDomain, roles)
            .salt(salt)
            .ip("127.0.0.1")
            .expirationWindow(expirationTime)
            .principal("" + userDomain + ".joe")
            .keyId(testKeyVersionK0)
            .build();
    roleToken.sign(ztsPrivateKeyStringK0);
    String signedToken = roleToken.getSignedToken();

    // DELETE from a different address is rejected
    StringBuilder errMsg = new StringBuilder();
    Principal principal = roleAuthority.authenticate(signedToken, "127.0.0.2", "DELETE", errMsg);
    assertNull(principal);
    assertTrue(errMsg.length() > 0);
    assertTrue(errMsg.toString().contains("authenticate"));

    // PUT from a different address is rejected as well (fresh buffer so the
    // message check is not satisfied by the previous failure)
    errMsg = new StringBuilder();
    principal = roleAuthority.authenticate(signedToken, "127.0.0.2", "PUT", errMsg);
    assertNull(principal);
    assertTrue(errMsg.length() > 0);
    assertTrue(errMsg.toString().contains("authenticate"));

    // the bound address is accepted
    principal = roleAuthority.authenticate(signedToken, "127.0.0.1", "DELETE", errMsg);
    assertNotNull(principal);
}

Example 88 with Principal

use of com.yahoo.athenz.auth.Principal in project athenz by yahoo.

the class RoleAuthorityTest method testRoleAuthorityMismatchIPNonUser.

/**
 * Counterpart of the mismatched-IP test for a service principal
 * ("coretech.storage"): a GET presented from an address other than the one
 * the token was bound to is still accepted, so the IP check observed for
 * user principals does not apply here.
 */
@Test
public void testRoleAuthorityMismatchIPNonUser() throws IOException, CryptoException {
    RoleAuthority roleAuthority = new RoleAuthority();
    KeyStore keyStore = new KeyStoreMock();
    roleAuthority.setKeyStore(keyStore);

    List<String> roles = new ArrayList<>();
    roles.add("storage.tenant.weather.updater");

    // service principal token bound to 127.0.0.1, signed with key version 0
    RoleToken roleToken = new RoleToken.Builder(rolVersion, svcDomain, roles)
            .salt(salt)
            .ip("127.0.0.1")
            .expirationWindow(expirationTime)
            .principal("coretech.storage")
            .keyId(testKeyVersionK0)
            .build();
    roleToken.sign(ztsPrivateKeyStringK0);

    // presented from 127.0.0.2: accepted because the principal is not a user
    StringBuilder errMsg = new StringBuilder();
    Principal principal = roleAuthority.authenticate(roleToken.getSignedToken(), "127.0.0.2", "GET", errMsg);
    assertNotNull(principal);
}

Example 89 with Principal

use of com.yahoo.athenz.auth.Principal in project athenz by yahoo.

the class RoleAuthorityTest method testRoleAuthority.

/**
 * Happy-path coverage for RoleAuthority: fixed domain and header name, a
 * role token with no key id, one with key version 0 and one with key
 * version 1. The authenticated principal must carry the signed token as
 * its credentials, the token's domain and exactly the role list that was
 * placed in the token.
 */
@Test
public void testRoleAuthority() throws IOException, CryptoException {
    RoleAuthority roleAuthority = new RoleAuthority();
    KeyStore keyStore = new KeyStoreMock();
    roleAuthority.setKeyStore(keyStore);

    assertEquals(roleAuthority.getDomain(), "sys.auth");
    assertEquals(roleAuthority.getHeader(), "Athenz-Role-Auth");

    List<String> roles = new ArrayList<>();
    roles.add("storage.tenant.weather.updater");
    roles.add("fantasy.tenant.sports.admin");
    roles.add("fantasy.tenant.sports.reader");
    roles.add("fantasy.tenant.sports.writer");
    roles.add("fantasy.tenant.sports.scanner");

    StringBuilder errMsg = new StringBuilder();

    // token without a key id, signed with key version 0
    RoleToken roleToken = new RoleToken.Builder(rolVersion, svcDomain, roles)
            .salt(salt)
            .ip("127.0.0.1")
            .expirationWindow(expirationTime)
            .principal("coretech.storage")
            .build();
    roleToken.sign(ztsPrivateKeyStringK0);
    String signedToken = roleToken.getSignedToken();

    Principal principal = roleAuthority.authenticate(signedToken, "127.0.0.1", "GET", errMsg);
    assertNotNull(principal);
    assertNotNull(principal.getAuthority());
    assertEquals(principal.getCredentials(), signedToken);
    assertEquals(principal.getDomain(), roleToken.getDomain());

    // the error buffer argument is optional; the roles must round-trip unchanged
    principal = roleAuthority.authenticate(signedToken, "127.0.0.1", "GET", null);
    assertNotNull(principal);
    List<String> rolesFromPrincipal = principal.getRoles();
    assertEquals(rolesFromPrincipal.size(), roles.size());
    assertEquals(rolesFromPrincipal, roles);

    // token that explicitly names key version 0
    roleToken = new RoleToken.Builder(rolVersion, svcDomain, roles)
            .salt(salt)
            .ip("127.0.0.1")
            .expirationWindow(expirationTime)
            .principal("coretech.storage")
            .keyId(testKeyVersionK0)
            .build();
    roleToken.sign(ztsPrivateKeyStringK0);
    signedToken = roleToken.getSignedToken();

    principal = roleAuthority.authenticate(signedToken, "127.0.0.1", "GET", errMsg);
    assertNotNull(principal);
    assertEquals(principal.getCredentials(), signedToken);

    // token that names key version 1, signed with the matching private key
    roleToken = new RoleToken.Builder(rolVersion, svcDomain, roles)
            .salt(salt)
            .ip("127.0.0.1")
            .expirationWindow(expirationTime)
            .principal("coretech.storage")
            .keyId(testKeyVersionK1)
            .build();
    roleToken.sign(ztsPrivateKeyStringK1);
    signedToken = roleToken.getSignedToken();

    principal = roleAuthority.authenticate(signedToken, "127.0.0.1", "GET", errMsg);
    assertNotNull(principal);
    assertEquals(principal.getCredentials(), signedToken);
}

Example 90 with Principal

use of com.yahoo.athenz.auth.Principal in project athenz by yahoo.

the class RoleAuthorityTest method testRoleAuthority_TamperedToken.

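/**
 * A role token whose content is altered after signing must be rejected.
 *
 * The token declares key version 1 and is signed with the matching private
 * key (the same pairing that authenticates successfully in
 * testRoleAuthority), and the untampered token is authenticated first as a
 * positive control. Without both, a signature failure caused by a key-id /
 * signing-key mismatch would make the test pass even if
 * tamperWithRoleToken() left the token unchanged, so the tamper detection
 * itself would never be exercised.
 */
@Test
public void testRoleAuthority_TamperedToken() throws IOException, CryptoException {
    RoleAuthority rollAuthority = new RoleAuthority();
    KeyStore keyStore = new KeyStoreMock();
    rollAuthority.setKeyStore(keyStore);
    // Add some roles
    List<String> roles = new ArrayList<>();
    roles.add("storage.tenant.weather.updater");
    roles.add("fantasy.tenant.sports.admin");
    roles.add("fantasy.tenant.sports.reader");
    roles.add("fantasy.tenant.sports.writer");
    roles.add("fantasy.tenant.sports.scanner");
    // Create and sign token; the signing key must correspond to the declared
    // key id, otherwise the token would be rejected even before tampering
    RoleToken serviceToken = new RoleToken.Builder(rolVersion, svcDomain, roles).salt(salt).ip("127.0.0.1").expirationWindow(expirationTime).principal("coretech.storage").keyId(testKeyVersionK1).build();
    serviceToken.sign(ztsPrivateKeyStringK1);
    String signedToken = serviceToken.getSignedToken();
    // Positive control: the untouched token authenticates
    StringBuilder controlErrMsg = new StringBuilder();
    assertNotNull(rollAuthority.authenticate(signedToken, "127.0.0.1", "GET", controlErrMsg));
    // Tampered copy of the same token
    String tamperedToken = tamperWithRoleToken(signedToken);
    StringBuilder errMsg = new StringBuilder();
    Principal principal = rollAuthority.authenticate(tamperedToken, "127.0.0.1", "GET", errMsg);
    // Role Authority should return null when authenticate() fails
    assertNull(principal);
    assertTrue(!errMsg.toString().isEmpty());
    assertTrue(errMsg.toString().contains("authenticate"));
    // and the rejection must not depend on an error buffer being supplied
    principal = rollAuthority.authenticate(tamperedToken, "127.0.0.1", "GET", null);
    assertNull(principal);
}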
