Use of com.yahoo.athenz.auth.token.AccessToken in project athenz by yahoo.
The class InstanceAzureProviderTest, method createAccessToken.
/**
 * Builds a signed access token used as a fixture by the Azure provider tests.
 *
 * The token is issued and authenticated "now" (seconds since the epoch), expires
 * one hour later, and is signed with the test EC private key under key id
 * {@code "eckey1"} using ES256. The subject, client id, audience and issuer
 * values are fixed test constants.
 *
 * @return the signed token string
 */
private String createAccessToken() {
    // AccessToken time fields are in seconds, not milliseconds
    final long nowSeconds = System.currentTimeMillis() / 1000;

    final AccessToken token = new AccessToken();
    token.setAuthTime(nowSeconds);
    token.setSubject("111111-2222-3333-4444-555555555");
    token.setExpiryTime(nowSeconds + 3600);
    token.setIssueTime(nowSeconds);
    token.setClientId("azure-client");
    token.setAudience("https://azure-zts");
    token.setVersion(1);
    token.setIssuer("azure");

    // sign with the test EC key; "eckey1" is the key id the verifying side is expected to resolve
    final PrivateKey signingKey = Crypto.loadPrivateKey(ecPrivateKey);
    return token.getSignedToken(signingKey, "eckey1", SignatureAlgorithm.ES256);
}
Use of com.yahoo.athenz.auth.token.AccessToken in project athenz by yahoo.
The class AuthZpeClient, method allowAccessTokenAccess.
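/**
 * Authorizes an access token (optionally bound to an mTLS client certificate)
 * for the given resource and action.
 *
 * The token is parsed and validated once and then cached keyed by its raw string;
 * a cache hit presented together with a client certificate is re-confirmed against
 * that certificate before it is trusted. A {@code null} token is rejected as
 * {@code DENY_ROLETOKEN_INVALID} instead of throwing a NullPointerException, which
 * keeps this method consistent with {@code validateAccessToken}.
 *
 * @param accessToken raw token value, with or without the {@code "Bearer "} prefix; may be null
 * @param cert X509 client certificate of the mTLS connection, or null if no binding is to be verified
 * @param certHash certificate hash forwarded by a proxy, or null if no binding is to be verified
 * @param resource resource being accessed
 * @param action action being performed
 * @param matchRoleName receives the name of the role that granted access
 * @return the access check outcome
 */
static AccessCheckStatus allowAccessTokenAccess(String accessToken, X509Certificate cert, String certHash,
        String resource, String action, StringBuilder matchRoleName) {

    // a missing token is an invalid token; previously this threw NPE on startsWith()
    if (accessToken == null) {
        LOG.error("allowAccess: Authorization denied. Access token is null");
        return AccessCheckStatus.DENY_ROLETOKEN_INVALID;
    }
    if (accessToken.startsWith(BEARER_TOKEN)) {
        accessToken = accessToken.substring(BEARER_TOKEN.length());
    }

    Map<String, AccessToken> tokenCache = zpeClt.getAccessTokenCacheMap();
    AccessToken acsToken = tokenCache.get(accessToken);

    // cached token: re-confirm the certificate binding on every use so a cached token is not
    // accepted over a connection whose client certificate does not match its binding.
    // NOTE(review): this re-confirmation only runs when cert != null, whereas the parse path
    // below also accepts a certHash-only (proxy) binding; a cached token presented with only a
    // certHash is therefore not re-confirmed here — confirm whether that is intended.
    if (acsToken != null && cert != null && !acsToken.confirmMTLSBoundToken(cert, certHash)) {
        LOG.error("allowAccess: mTLS Client certificate confirmation failed");
        return AccessCheckStatus.DENY_CERT_HASH_MISMATCH;
    }

    if (acsToken == null) {
        try {
            // with no binding material at all only signature/claims validation is done;
            // otherwise the 4-arg constructor presumably also checks the binding against cert/certHash
            acsToken = (cert == null && certHash == null)
                    ? new AccessToken(accessToken, accessSignKeyResolver)
                    : new AccessToken(accessToken, accessSignKeyResolver, cert, certHash);
        } catch (CryptoException ex) {
            // log only the failure reason, never the token value itself
            LOG.error("allowAccess: Authorization denied. Authentication failed: {}", ex.getMessage());
            return (ex.getCode() == CryptoException.CERT_HASH_MISMATCH)
                    ? AccessCheckStatus.DENY_CERT_HASH_MISMATCH
                    : AccessCheckStatus.DENY_ROLETOKEN_INVALID;
        } catch (Exception ex) {
            LOG.error("allowAccess: Authorization denied. Authentication failed: {}", ex.getMessage());
            return AccessCheckStatus.DENY_ROLETOKEN_INVALID;
        }
        // only tokens that validated successfully are cached, keyed by the raw token string
        tokenCache.put(accessToken, acsToken);
    }
    return allowAccess(acsToken, resource, action, matchRoleName);
}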
Use of com.yahoo.athenz.auth.token.AccessToken in project athenz by yahoo.
The class AuthZpeClient, method validateAccessToken.
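/**
 * Validates the AccessToken and returns the parsed token object that
 * can be used to extract all fields from the access token. If the
 * access token is invalid (including a {@code null} token), null is returned.
 *
 * Validated tokens are cached keyed by their raw string; a cache hit that is
 * presented together with a client certificate is re-confirmed against that
 * certificate before it is returned.
 *
 * @param accessToken value for the REST header: Authorization,
 *        ex: "Bearer authz-token". May be null, in which case null is returned.
 * @param cert X509 Client Certificate used to establish the mTLS connection
 *        submitting this request. Can be null if no mTLS binding is to be verified.
 * @param certHash If the connection is coming through a proxy, this includes
 *        the certificate hash of the client certificate that was calculated
 *        by the proxy and forwarded in an http header. Can be null if no mTLS
 *        binding is to be verified.
 * @return AccessToken if the token is validated successfully, otherwise null
 */
public static AccessToken validateAccessToken(String accessToken, X509Certificate cert, String certHash) {

    // a missing token is "invalid" per the contract above: return null instead of throwing NPE
    if (accessToken == null) {
        LOG.error("validateAccessToken: Access Token validation failed: token is null");
        return null;
    }
    if (accessToken.startsWith(BEARER_TOKEN)) {
        accessToken = accessToken.substring(BEARER_TOKEN.length());
    }

    Map<String, AccessToken> tokenCache = zpeClt.getAccessTokenCacheMap();
    AccessToken acsToken = tokenCache.get(accessToken);

    // cached token: re-confirm the certificate binding so a cached token is not handed back
    // over a connection whose client certificate does not match its binding.
    // NOTE(review): the re-confirmation only runs when cert != null, while the parse path below
    // also accepts a certHash-only (proxy) binding; a cached token presented with only a certHash
    // is therefore not re-confirmed here — confirm whether that is intended.
    if (acsToken != null && cert != null && !acsToken.confirmMTLSBoundToken(cert, certHash)) {
        return null;
    }

    if (acsToken == null) {
        try {
            // with no binding material at all only signature/claims validation is done;
            // otherwise the 4-arg constructor presumably also checks the binding against cert/certHash
            acsToken = (cert == null && certHash == null)
                    ? new AccessToken(accessToken, accessSignKeyResolver)
                    : new AccessToken(accessToken, accessSignKeyResolver, cert, certHash);
        } catch (Exception ex) {
            // log only the failure reason, never the token value itself
            LOG.error("validateAccessToken: Access Token validation failed: {}", ex.getMessage());
            return null;
        }
        // only tokens that validated successfully are cached, keyed by the raw token string
        tokenCache.put(accessToken, acsToken);
    }
    return acsToken;
}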
Use of com.yahoo.athenz.auth.token.AccessToken in project athenz by yahoo.
The class TestAuthZpe, method testValidateAccessTokenInvalid.
/**
 * A token signed under a key id the client cannot resolve must be rejected,
 * whether it is passed bare or as a full "Bearer ..." header value.
 */
@Test
public void testValidateAccessTokenInvalid() {
    // create a token with a key id that does not exist
    final List<String> roles = Collections.singletonList("matchall");
    final String badKeyIdToken = createInvalidAccessToken("angler", roles);

    // both the bare token and the "Bearer "-prefixed header form must come back null
    for (String headerValue : new String[] { badKeyIdToken, "Bearer " + badKeyIdToken }) {
        assertNull(AuthZpeClient.validateAccessToken(headerValue, null, null));
    }
}
Use of com.yahoo.athenz.auth.token.AccessToken in project athenz by yahoo.
The class TestAuthZpe, method testValidateAccessTokenWithoutMtlsBound.
/**
 * A valid, non-mTLS-bound token validates without any certificate or
 * certificate hash, both bare and as a "Bearer ..." header value.
 */
@Test
public void testValidateAccessTokenWithoutMtlsBound() {
    // bare token first, then the same token as it would appear in the Authorization header
    for (String headerValue : new String[] { accessToken0AnglerRegex, "Bearer " + accessToken0AnglerRegex }) {
        assertNotNull(AuthZpeClient.validateAccessToken(headerValue, null, null));
    }
}