Examples with PrincipalToken com.yahoo.athenz.auth.token.PrincipalToken used on opensource projects

Example 16 with PrincipalToken

use of com.yahoo.athenz.auth.token.PrincipalToken in project athenz by yahoo.

the class SimpleServiceIdentityProvider method getIdentity.

public Principal getIdentity(String domainName, String serviceName) {
    // all the role members in Athenz are normalized to lower case so we need to make
    // sure our principal's name and domain are created with lower case as well
    domainName = domainName.toLowerCase();
    serviceName = serviceName.toLowerCase();
    if (!domainName.equals(domain) || !serviceName.equals(service)) {
        return null;
    }
    PrincipalToken token = new PrincipalToken.Builder("S1", domainName, serviceName).expirationWindow(tokenTimeout).host(host).keyId(keyId).build();
    token.sign(key);
    SimplePrincipal principal = (SimplePrincipal) SimplePrincipal.create(domainName, serviceName, token.getSignedToken(), System.currentTimeMillis() / 1000, authority);
    principal.setUnsignedCreds(token.getUnsignedToken());
    return principal;
}

Example 17 with PrincipalToken

use of com.yahoo.athenz.auth.token.PrincipalToken in project athenz by yahoo.

the class PrincipalAuthorityTest method testPrincipalAuthorityWithAuthorizedService.

@Test
public void testPrincipalAuthorityWithAuthorizedService() throws IOException, CryptoException {
    PrincipalAuthority serviceAuthority = new PrincipalAuthority();
    KeyStore keyStore = new KeyStoreMock();
    serviceAuthority.setKeyStore(keyStore);
    // Create and sign token with key version 0
    List<String> authorizedServices = new ArrayList<>();
    authorizedServices.add("sports.fantasy");
    authorizedServices.add("sports.hockey");
    long issueTime = System.currentTimeMillis() / 1000;
    PrincipalToken userTokenToSign = new PrincipalToken.Builder(usrVersion, usrDomain, usrName).salt(salt).ip("127.0.0.2").issueTime(issueTime).expirationWindow(expirationTime).authorizedServices(authorizedServices).build();
    userTokenToSign.sign(servicePrivateKeyStringK0);
    // now let's sign the token for an authorized service
    userTokenToSign.signForAuthorizedService("sports.fantasy", "1", servicePrivateKeyStringK1);
    // we're going to pass a different IP so we get the authorized service checks
    StringBuilder errMsg = new StringBuilder();
    Principal principal = serviceAuthority.authenticate(userTokenToSign.getSignedToken(), "127.0.0.3", "POST", errMsg);
    assertNotNull(principal);
    assertEquals(principal.getAuthorizedService(), "sports.fantasy");
}

Example 18 with PrincipalToken

use of com.yahoo.athenz.auth.token.PrincipalToken in project athenz by yahoo.

the class PrincipalAuthorityTest method testValidateAuthorizedServiceNoServices.

@Test
public void testValidateAuthorizedServiceNoServices() throws IOException {
    PrincipalAuthority serviceAuthority = new PrincipalAuthority();
    KeyStore keyStore = new KeyStoreMock();
    serviceAuthority.setKeyStore(keyStore);
    long issueTime = System.currentTimeMillis() / 1000;
    // Create and sign token
    PrincipalToken userTokenToSign = new PrincipalToken.Builder(usrVersion, usrDomain, usrName).salt(salt).issueTime(issueTime).expirationWindow(expirationTime).build();
    userTokenToSign.sign(servicePrivateKeyStringK0);
    // Create a token for validation using the signed data
    StringBuilder errMsg = new StringBuilder();
    assertNull(serviceAuthority.validateAuthorizeService(userTokenToSign, errMsg));
}

Example 19 with PrincipalToken

use of com.yahoo.athenz.auth.token.PrincipalToken in project athenz by yahoo.

the class PrincipalAuthorityTest method testValidateAuthorizedServiceNoSignature.

@Test
public void testValidateAuthorizedServiceNoSignature() throws IOException {
    PrincipalAuthority serviceAuthority = new PrincipalAuthority();
    KeyStore keyStore = new KeyStoreMock();
    serviceAuthority.setKeyStore(keyStore);
    long issueTime = System.currentTimeMillis() / 1000;
    // Create and sign token
    List<String> authorizedServices = new ArrayList<>();
    authorizedServices.add("coretech.storage");
    authorizedServices.add("media.storage");
    PrincipalToken userTokenToSign = new PrincipalToken.Builder(usrVersion, usrDomain, usrName).salt(salt).issueTime(issueTime).authorizedServices(authorizedServices).expirationWindow(expirationTime).build();
    userTokenToSign.sign(servicePrivateKeyStringK0);
    // Create a token for validation using the signed data
    StringBuilder errMsg = new StringBuilder();
    assertNull(serviceAuthority.validateAuthorizeService(userTokenToSign, errMsg));
}

Example 20 with PrincipalToken

use of com.yahoo.athenz.auth.token.PrincipalToken in project athenz by yahoo.

the class PrincipalAuthorityTest method testRemoteIpCheckNone.

@Test
public void testRemoteIpCheckNone() {
    PrincipalAuthority serviceAuthority = new PrincipalAuthority();
    serviceAuthority.ipCheckMode = IpCheckMode.OPS_NONE;
    PrincipalToken serviceToken = new PrincipalToken("v=S1;d=user;n=user1;i=10.11.12.23;s=sig");
    // all operations must return true
    // first let's verify read operation with and without matches
    assertTrue(serviceAuthority.remoteIpCheck("10.11.12.23", false, serviceToken, null));
    assertTrue(serviceAuthority.remoteIpCheck("10.11.12.22", false, serviceToken, null));
    // now let's try write operations without authorized service
    assertTrue(serviceAuthority.remoteIpCheck("10.11.12.23", true, serviceToken, null));
    assertTrue(serviceAuthority.remoteIpCheck("10.11.12.22", true, serviceToken, null));
    // finally mismatch operation with authorized service
    assertTrue(serviceAuthority.remoteIpCheck("10.11.12.22", true, serviceToken, "authz_service"));
}