
Example 1 with RoleAuthority

use of com.yahoo.athenz.auth.impl.RoleAuthority in project athenz by yahoo.

the class RoleAuthorityTest method testRoleAuthorityMismatchIP.

/**
 * A user principal's role token is bound to the IP it was issued for: presenting it
 * from a different address for a write operation (DELETE, PUT) must be rejected and
 * the reason reported through the error buffer, while the same token is still
 * accepted from the address it was bound to.
 */
@Test
public void testRoleAuthorityMismatchIP() throws IOException, CryptoException {
    List<String> roles = new ArrayList<>();
    roles.add("storage.tenant.weather.updater");

    RoleAuthority authority = new RoleAuthority();
    authority.setKeyStore(new KeyStoreMock());

    // User principal token bound to 127.0.0.1, signed with key version 0
    RoleToken.Builder builder = new RoleToken.Builder(rolVersion, svcDomain, roles)
            .salt(salt)
            .ip("127.0.0.1")
            .expirationWindow(expirationTime)
            .principal("" + userDomain + ".joe")
            .keyId(testKeyVersionK0);
    RoleToken roleToken = builder.build();
    roleToken.sign(ztsPrivateKeyStringK0);
    String signedToken = roleToken.getSignedToken();

    // Write operations from a different address: rejected, reason recorded each time
    StringBuilder failure = null;
    for (String operation : new String[] {"DELETE", "PUT"}) {
        failure = new StringBuilder();
        Principal rejected = authority.authenticate(signedToken, "127.0.0.2", operation, failure);
        assertNull(rejected);
        String reason = failure.toString();
        assertTrue(reason.length() > 0);
        assertTrue(reason.contains("authenticate"));
    }

    // Same token from the bound address is accepted for the write operation
    Principal accepted = authority.authenticate(signedToken, "127.0.0.1", "DELETE", failure);
    assertNotNull(accepted);
}
Also used : RoleAuthority(com.yahoo.athenz.auth.impl.RoleAuthority) ArrayList(java.util.ArrayList) KeyStore(com.yahoo.athenz.auth.KeyStore) Principal(com.yahoo.athenz.auth.Principal) RoleToken(com.yahoo.athenz.auth.token.RoleToken) Test(org.testng.annotations.Test) BeforeTest(org.testng.annotations.BeforeTest)

Example 2 with RoleAuthority

use of com.yahoo.athenz.auth.impl.RoleAuthority in project athenz by yahoo.

the class RoleAuthorityTest method testRoleAuthorityMismatchIPNonUser.

/**
 * The IP binding is only enforced for user principals: a service principal's token
 * presented from an address other than the one it was issued for is still accepted.
 * This pins the intended scope of the check so a later change that widens or
 * narrows it is caught.
 */
@Test
public void testRoleAuthorityMismatchIPNonUser() throws IOException, CryptoException {
    List<String> roles = new ArrayList<>();
    roles.add("storage.tenant.weather.updater");

    RoleAuthority authority = new RoleAuthority();
    authority.setKeyStore(new KeyStoreMock());

    // Service principal token bound to 127.0.0.1, signed with key version 0
    RoleToken.Builder builder = new RoleToken.Builder(rolVersion, svcDomain, roles)
            .salt(salt)
            .ip("127.0.0.1")
            .expirationWindow(expirationTime)
            .principal("coretech.storage")
            .keyId(testKeyVersionK0);
    RoleToken roleToken = builder.build();
    roleToken.sign(ztsPrivateKeyStringK0);

    // Presented from another address: accepted because the principal is not a user
    StringBuilder failure = new StringBuilder();
    Principal principal = authority.authenticate(roleToken.getSignedToken(), "127.0.0.2", "GET", failure);
    assertNotNull(principal);
}
Also used : RoleAuthority(com.yahoo.athenz.auth.impl.RoleAuthority) ArrayList(java.util.ArrayList) KeyStore(com.yahoo.athenz.auth.KeyStore) Principal(com.yahoo.athenz.auth.Principal) RoleToken(com.yahoo.athenz.auth.token.RoleToken) Test(org.testng.annotations.Test) BeforeTest(org.testng.annotations.BeforeTest)

Example 3 with RoleAuthority

use of com.yahoo.athenz.auth.impl.RoleAuthority in project athenz by yahoo.

the class RoleAuthorityTest method testRoleAuthority.

/**
 * Happy path for the role authority: a correctly signed role token is authenticated,
 * the resulting principal carries the token, domain and role list, and tokens signed
 * with no key id, key version 0 and key version 1 are all verified against the
 * matching key from the key store.
 */
@Test
public void testRoleAuthority() throws IOException, CryptoException {
    RoleAuthority authority = new RoleAuthority();
    authority.setKeyStore(new KeyStoreMock());

    assertEquals(authority.getDomain(), "sys.auth");
    assertEquals(authority.getHeader(), "Athenz-Role-Auth");

    List<String> roles = new ArrayList<>();
    roles.add("storage.tenant.weather.updater");
    roles.add("fantasy.tenant.sports.admin");
    roles.add("fantasy.tenant.sports.reader");
    roles.add("fantasy.tenant.sports.writer");
    roles.add("fantasy.tenant.sports.scanner");

    StringBuilder errMsg = new StringBuilder();

    // Token without an explicit key id, signed with key version 0
    RoleToken.Builder noKeyId = new RoleToken.Builder(rolVersion, svcDomain, roles)
            .salt(salt)
            .ip("127.0.0.1")
            .expirationWindow(expirationTime)
            .principal("coretech.storage");
    RoleToken token = noKeyId.build();
    token.sign(ztsPrivateKeyStringK0);

    Principal principal = authority.authenticate(token.getSignedToken(), "127.0.0.1", "GET", errMsg);
    assertNotNull(principal);
    assertNotNull(principal.getAuthority());
    assertEquals(principal.getCredentials(), token.getSignedToken());
    assertEquals(principal.getDomain(), token.getDomain());

    // A null error buffer must be tolerated on the success path
    principal = authority.authenticate(token.getSignedToken(), "127.0.0.1", "GET", null);
    assertNotNull(principal);
    List<String> grantedRoles = principal.getRoles();
    assertEquals(grantedRoles.size(), roles.size());
    assertTrue(grantedRoles.equals(roles));

    // Explicit key version 0, signed with the matching key
    RoleToken.Builder keyZero = new RoleToken.Builder(rolVersion, svcDomain, roles)
            .salt(salt)
            .ip("127.0.0.1")
            .expirationWindow(expirationTime)
            .principal("coretech.storage")
            .keyId(testKeyVersionK0);
    token = keyZero.build();
    token.sign(ztsPrivateKeyStringK0);
    principal = authority.authenticate(token.getSignedToken(), "127.0.0.1", "GET", errMsg);
    assertNotNull(principal);
    assertEquals(principal.getCredentials(), token.getSignedToken());

    // Explicit key version 1, signed with the matching key
    RoleToken.Builder keyOne = new RoleToken.Builder(rolVersion, svcDomain, roles)
            .salt(salt)
            .ip("127.0.0.1")
            .expirationWindow(expirationTime)
            .principal("coretech.storage")
            .keyId(testKeyVersionK1);
    token = keyOne.build();
    token.sign(ztsPrivateKeyStringK1);
    principal = authority.authenticate(token.getSignedToken(), "127.0.0.1", "GET", errMsg);
    assertNotNull(principal);
    assertEquals(principal.getCredentials(), token.getSignedToken());
}
Also used : RoleAuthority(com.yahoo.athenz.auth.impl.RoleAuthority) ArrayList(java.util.ArrayList) KeyStore(com.yahoo.athenz.auth.KeyStore) Principal(com.yahoo.athenz.auth.Principal) RoleToken(com.yahoo.athenz.auth.token.RoleToken) Test(org.testng.annotations.Test) BeforeTest(org.testng.annotations.BeforeTest)

Example 4 with RoleAuthority

use of com.yahoo.athenz.auth.impl.RoleAuthority in project athenz by yahoo.

the class RoleAuthorityTest method testRoleAuthority_TamperedToken.

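/**
 * A role token whose signed content has been altered must be rejected, with and
 * without an error buffer supplied.
 *
 * The token is built with key id {@code testKeyVersionK1} and is therefore signed
 * with {@code ztsPrivateKeyStringK1}, the matching private key (the same pairing
 * {@code testRoleAuthority} uses). Signing it with key version 0 instead would make
 * verification fail on the key mismatch alone, so the test would pass even if
 * {@code tamperWithRoleToken} did nothing; with matching keys the only reason for
 * rejection is the tampering itself.
 */
@Test
public void testRoleAuthority_TamperedToken() throws IOException, CryptoException {
    RoleAuthority authority = new RoleAuthority();
    authority.setKeyStore(new KeyStoreMock());

    List<String> roles = new ArrayList<>();
    roles.add("storage.tenant.weather.updater");
    roles.add("fantasy.tenant.sports.admin");
    roles.add("fantasy.tenant.sports.reader");
    roles.add("fantasy.tenant.sports.writer");
    roles.add("fantasy.tenant.sports.scanner");

    // Key id and signing key must agree so that only the tampering invalidates the token
    RoleToken.Builder builder = new RoleToken.Builder(rolVersion, svcDomain, roles)
            .salt(salt)
            .ip("127.0.0.1")
            .expirationWindow(expirationTime)
            .principal("coretech.storage")
            .keyId(testKeyVersionK1);
    RoleToken serviceToken = builder.build();
    serviceToken.sign(ztsPrivateKeyStringK1);
    String tamperedToken = tamperWithRoleToken(serviceToken.getSignedToken());

    // authenticate() signals failure by returning null and filling the error buffer
    StringBuilder failure = new StringBuilder();
    Principal principal = authority.authenticate(tamperedToken, "127.0.0.1", "GET", failure);
    assertNull(principal);
    String reason = failure.toString();
    assertTrue(reason.length() > 0);
    assertTrue(reason.contains("authenticate"));

    // Same outcome when the caller does not supply an error buffer
    principal = authority.authenticate(tamperedToken, "127.0.0.1", "GET", null);
    assertNull(principal);
}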
Also used : RoleAuthority(com.yahoo.athenz.auth.impl.RoleAuthority) ArrayList(java.util.ArrayList) KeyStore(com.yahoo.athenz.auth.KeyStore) Principal(com.yahoo.athenz.auth.Principal) RoleToken(com.yahoo.athenz.auth.token.RoleToken) Test(org.testng.annotations.Test) BeforeTest(org.testng.annotations.BeforeTest)

Example 5 with RoleAuthority

use of com.yahoo.athenz.auth.impl.RoleAuthority in project athenz by yahoo.

the class RoleAuthorityTest method testRoleAuthorityMismatchIPNonWrite.

/**
 * The IP binding on a user principal's token is only enforced for write operations:
 * a read (GET) from an address other than the one the token was issued for is still
 * accepted. Together with {@code testRoleAuthorityMismatchIP} this pins the exact
 * scope of the check.
 */
@Test
public void testRoleAuthorityMismatchIPNonWrite() throws IOException, CryptoException {
    List<String> roles = new ArrayList<>();
    roles.add("storage.tenant.weather.updater");

    RoleAuthority authority = new RoleAuthority();
    authority.setKeyStore(new KeyStoreMock());

    // User principal token bound to 127.0.0.1, signed with key version 0
    RoleToken.Builder builder = new RoleToken.Builder(rolVersion, svcDomain, roles)
            .salt(salt)
            .ip("127.0.0.1")
            .expirationWindow(expirationTime)
            .principal("" + userDomain + ".joe")
            .keyId(testKeyVersionK0);
    RoleToken roleToken = builder.build();
    roleToken.sign(ztsPrivateKeyStringK0);

    // Read from another address: accepted because GET is not a write operation
    StringBuilder failure = new StringBuilder();
    Principal principal = authority.authenticate(roleToken.getSignedToken(), "127.0.0.2", "GET", failure);
    assertNotNull(principal);
}
Also used : RoleAuthority(com.yahoo.athenz.auth.impl.RoleAuthority) ArrayList(java.util.ArrayList) KeyStore(com.yahoo.athenz.auth.KeyStore) Principal(com.yahoo.athenz.auth.Principal) RoleToken(com.yahoo.athenz.auth.token.RoleToken) Test(org.testng.annotations.Test) BeforeTest(org.testng.annotations.BeforeTest)
