
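@Test
public void testGetTenantDomains() {
    // Mock ZTS backend that reports exactly two tenant domains.
    ZTSRDLClientMock ztsClientMock = new ZTSRDLClientMock();
    List<String> tenantDomains = new ArrayList<>();
    tenantDomains.add("iaas.athenz");
    tenantDomains.add("coretech.storage");
    ztsClientMock.setTenantDomains(tenantDomains);
    // "s=sig" is a placeholder signature; presumably PRINCIPAL_AUTHORITY is a
    // test authority that accepts it (its definition is not visible here).
    Principal principal = SimplePrincipal.create("user_domain", "user", "v=S1;d=user_domain;n=user;s=sig", PRINCIPAL_AUTHORITY);
    ZTSClient client = new ZTSClient("http://localhost:4080", principal);
    try {
        client.setZTSRDLGeneratedClient(ztsClientMock);
        TenantDomains doms = client.getTenantDomains("provider", "user", "admin", "storage");
        assertNotNull(doms);
        assertTrue(doms.getTenantDomainNames().contains("iaas.athenz"));
        assertTrue(doms.getTenantDomainNames().contains("coretech.storage"));
        // An unknown provider must surface the 404 as a ResourceException rather
        // than being mapped to an empty (and therefore silently "valid") result.
        try {
            client.getTenantDomains("unknown", "user", "admin", "storage");
            fail("expected ResourceException for unknown provider");
        } catch (ResourceException ex) {
            assertEquals(ex.getCode(), 404);
        } catch (Exception ex) {
            // Keep the cause in the failure report instead of discarding it.
            fail("unexpected exception type: " + ex, ex);
        }
    } finally {
        // Close on every path so a failing assertion does not leak the client.
        client.close();
    }
}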

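@Test
public void testHostNameVerifierVerifyCert() throws CertificateException, IOException {
    ZTSRDLClientMock ztsClientMock = new ZTSRDLClientMock();
    Principal principal = SimplePrincipal.create("user_domain", "user", "v=S1;d=user_domain;n=user;s=sig", PRINCIPAL_AUTHORITY);
    ZTSClient client = new ZTSClient("http://localhost:4080", principal);
    try {
        client.setZTSRDLGeneratedClient(ztsClientMock);
        // Verifier pinned to "host1"; the session presents test_cert and is asked
        // to verify a different name. Only the mismatch (negative) path is asserted
        // here; a matching-name case is not covered by this test.
        ZTSClient.AWSHostNameVerifier hostnameVerifier = client.new AWSHostNameVerifier("host1");
        Certificate cert;
        try (InputStream is = new ByteArrayInputStream(test_cert.getBytes("utf-8"))) {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            cert = cf.generateCertificate(is);
        }
        Certificate[] certs = { cert };
        SSLSession session = Mockito.mock(SSLSession.class);
        Mockito.when(session.getPeerCertificates()).thenReturn(certs);
        assertFalse(hostnameVerifier.verify("unknown", session));
    } finally {
        // Close on every path so a failing assertion does not leak the client.
        client.close();
    }
}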

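@Test
public void testGetRoleTokenCacheKey() {
    Principal principal = SimplePrincipal.create("user_domain", "user", "auth_creds", PRINCIPAL_AUTHORITY);
    ZTSClient client = new ZTSClient("http://localhost:4080/", principal);
    try {
        // The expected key carries principal (p=), domain (d=), role (r=) and
        // proxy user (u=), so cache entries stay distinct per proxy user.
        assertEquals(client.getRoleTokenCacheKey("coretech", "Role1", "proxy"), "p=user_domain.user;d=coretech;r=Role1;u=proxy");
    } finally {
        // Close on every path so a failing assertion does not leak the client.
        client.close();
    }
}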

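@Test
public void testIsExpiredTokenAtLeastBothLimitsNullBiggerThanMin() {
    // Remember the previous value so the global property change can be undone.
    final String prevMinExpiry = System.getProperty(ZTSClient.ZTS_CLIENT_PROP_TOKEN_MIN_EXPIRY_TIME);
    // Raise the configured minimum expiry to 400; with both explicit limits null,
    // a value of 500 (above that minimum) must not be reported as expired.
    System.setProperty(ZTSClient.ZTS_CLIENT_PROP_TOKEN_MIN_EXPIRY_TIME, "400");
    ZTSClient.initConfigValues();
    Principal principal = SimplePrincipal.create("user_domain", "user", "v=S1;d=user_domain;n=user;s=sig", PRINCIPAL_AUTHORITY);
    ZTSClient client = new ZTSClient("http://localhost:4080/", principal);
    try {
        assertFalse(client.isExpiredToken(500, null, null));
    } finally {
        client.close();
        // Restore the property and re-read config so later tests do not inherit
        // this test's minimum (the original left the property set). Assumes
        // initConfigValues() re-reads the system property, as the setup above implies.
        if (prevMinExpiry == null) {
            System.clearProperty(ZTSClient.ZTS_CLIENT_PROP_TOKEN_MIN_EXPIRY_TIME);
        } else {
            System.setProperty(ZTSClient.ZTS_CLIENT_PROP_TOKEN_MIN_EXPIRY_TIME, prevMinExpiry);
        }
        ZTSClient.initConfigValues();
    }
}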

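@Test
public void testPrefetchShouldNotCallServer() throws Exception {
    System.out.println("testPrefetchShouldNotCallServer");
    ZTSRDLClientMock ztsClientMock = new ZTSRDLClientMock();
    ztsClientMock.setRoleName("role1");
    // The mock is handed the same interval the property names for the prefetcher's
    // sleep; the Thread.sleep() calls below are sized from it (2 intervals + 100ms).
    long intervalSecs = Integer.parseInt(System.getProperty(ZTSClient.ZTS_CLIENT_PROP_PREFETCH_SLEEP_INTERVAL, "5"));
    ztsClientMock.setTestSleepInterval(intervalSecs);
    final Principal principal = SimplePrincipal.create("user_domain", "user", "auth_creds", PRINCIPAL_AUTHORITY);
    ServiceIdentityProvider siaProvider = Mockito.mock(ServiceIdentityProvider.class);
    Mockito.when(siaProvider.getIdentity(Mockito.<String>any(), Mockito.<String>any())).thenReturn(principal);
    ZTSClient client = new ZTSClient("http://localhost:4080/", "user_domain", "user", siaProvider);
    try {
        client.setZTSRDLGeneratedClient(ztsClientMock);
        String domain1 = "coretech";
        String domain2 = "providerdomain";
        ztsClientMock.setAwsCreds(Timestamp.fromCurrentTime(), domain1, "role1");
        ztsClientMock.setAwsCreds(Timestamp.fromCurrentTime(), domain2, "role1");
        // initially, roleToken was never fetched.
        assertTrue(ztsClientMock.getLastRoleTokenFetchedTime(domain1, null, null) < 0);
        // initialize the prefetch token process.
        client.prefetchRoleToken(domain1, null, null, null, null);
        int scheduledItemsSize = client.getScheduledItemsSize();
        // make sure only unique items are in the queue
        client.prefetchRoleToken(domain1, null, null, null, null);
        int scheduledItemsSize2 = client.getScheduledItemsSize();
        assertEquals(scheduledItemsSize, scheduledItemsSize2);
        // repeat for aws cred
        client.prefetchAwsCred(domain1, "role1", null, null);
        scheduledItemsSize = client.getScheduledItemsSize();
        assertTrue(scheduledItemsSize > scheduledItemsSize2);
        // make sure only unique items are in the queue
        client.prefetchAwsCred(domain1, "role1", null, null);
        scheduledItemsSize2 = client.getScheduledItemsSize();
        assertEquals(scheduledItemsSize, scheduledItemsSize2);
        AWSTemporaryCredentials awsCred1 = client.getAWSTemporaryCredentials(domain1, "role1");
        assertNotNull(awsCred1);
        long awsCredExpiryd1r1 = awsCred1.getExpiration().millis();
        RoleToken roleToken1 = client.getRoleToken(domain1);
        assertNotNull(roleToken1);
        long rt1Expiry = roleToken1.getExpiryTime();
        long lastTokenFetchedTime1 = ztsClientMock.getLastRoleTokenFetchedTime(domain1, "role1", null);
        long lastTokenFetchedTime1nr = ztsClientMock.getLastRoleTokenFetchedTime(domain1, null, null);
        // work with domain2
        client.prefetchRoleToken(domain2, null, null, null, null);
        scheduledItemsSize2 = client.getScheduledItemsSize();
        assertEquals(scheduledItemsSize2, scheduledItemsSize + 1);
        client.prefetchAwsCred(domain2, "role1", null, null);
        scheduledItemsSize2 = client.getScheduledItemsSize();
        assertEquals(scheduledItemsSize2, scheduledItemsSize + 2);
        RoleToken roleToken2 = client.getRoleToken(domain2);
        assertNotNull(roleToken2);
        long rt2Expiry = roleToken2.getExpiryTime();
        AWSTemporaryCredentials awsCred2 = client.getAWSTemporaryCredentials(domain2, "role1");
        assertNotNull(awsCred2);
        long awsCredExpiry = awsCred2.getExpiration().millis();
        System.out.println("testPrefetchShouldNotCallServer: sleep Secs=" + (2 * intervalSecs) + "+0.1");
        Thread.sleep((2 * intervalSecs * 1000) + 100);
        System.out.println("testPrefetchShouldNotCallServer: nap over so what happened");
        assertEquals(client.getScheduledItemsSize(), scheduledItemsSize + 2);
        long lastTimerTriggered1 = ZTSClient.FETCHER_LAST_RUN_AT.get();
        long lastTokenFetchedTimeDom2 = ztsClientMock.getLastRoleTokenFetchedTime(domain2, null, null);
        assertTrue(lastTokenFetchedTimeDom2 > 0);
        roleToken2 = client.getRoleToken(domain2);
        long rt2Expiry2 = roleToken2.getExpiryTime();
        // this token was refreshed
        assertTrue(rt2Expiry2 > rt2Expiry);
        awsCred2 = client.getAWSTemporaryCredentials(domain2, "role1");
        long awsCredExpiry2 = awsCred2.getExpiration().millis();
        // this cred was refreshed
        assertTrue(awsCredExpiry2 > awsCredExpiry);
        // wait a few seconds, and see subsequent fetch happened.
        // (log label corrected: it previously named a different test method)
        System.out.println("testPrefetchShouldNotCallServer: again sleep Secs=" + (2 * intervalSecs) + "+0.1");
        Thread.sleep((2 * intervalSecs * 1000) + 100);
        System.out.println("testPrefetchShouldNotCallServer: again nap over so what happened");
        RoleToken roleToken3 = client.getRoleToken(domain2);
        long rt2Expiry3 = roleToken3.getExpiryTime();
        System.out.println("testPrefetchShouldNotCallServer: roleToken3:domain=" + domain2 + " expires at " + rt2Expiry3);
        // this token was refreshed
        assertTrue(rt2Expiry3 > rt2Expiry2);
        AWSTemporaryCredentials awsCred3 = client.getAWSTemporaryCredentials(domain2, "role1");
        long awsCredExpiry3 = awsCred3.getExpiration().millis();
        // this cred was refreshed
        assertTrue(awsCredExpiry3 > awsCredExpiry2);
        long lastTokenFetchedTimed1r1 = ztsClientMock.getLastRoleTokenFetchedTime(domain1, "role1", null);
        long lastTokenFetchedTime3 = ztsClientMock.getLastRoleTokenFetchedTime(domain1, null, null);
        long lastTimerTriggered2 = ZTSClient.FETCHER_LAST_RUN_AT.get();
        // Since token should be good for 2 hrs, lastTokenFetchedTime1 & 2 & 3 all should be the same
        // because token is not expired yet.
        assertEquals(lastTokenFetchedTime1, lastTokenFetchedTimed1r1);
        assertEquals(lastTokenFetchedTime3, lastTokenFetchedTime1nr);
        // token should be identical since didnt get refreshed
        RoleToken roleToken1b = client.getRoleToken(domain1);
        long rt1bExpiry = roleToken1b.getExpiryTime();
        assertEquals(rt1Expiry, rt1bExpiry);
        assertEquals(roleToken1.getToken(), roleToken1b.getToken());
        // aws cred should be identical since didnt get refreshed
        AWSTemporaryCredentials awsCred1b = client.getAWSTemporaryCredentials(domain1, "role1");
        long ac1bExpiry = awsCred1b.getExpiration().millis();
        assertEquals(awsCredExpiryd1r1, ac1bExpiry);
        assertEquals(awsCred1.getSessionToken(), awsCred1b.getSessionToken());
        // But, make sure the Timer actually triggered.
        assertTrue(lastTimerTriggered1 > 0);
        assertTrue(lastTimerTriggered2 > 0);
        assertNotEquals(lastTimerTriggered1, lastTimerTriggered2);
        assertTrue(lastTimerTriggered2 > lastTimerTriggered1);
    } finally {
        // Always stop the background prefetcher and close the client: a failed
        // assertion must not leave the timer running into the next test.
        client.removePrefetcher();
        client.close();
    }
}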