Search in sources :

Example 31 with PrincipalToken

use of com.yahoo.athenz.auth.token.PrincipalToken in project athenz by yahoo.

the class PrincipalAuthorityTest method testValidateAuthorizedServiceMultiple.

@Test
public void testValidateAuthorizedServiceMultiple() throws IOException {
    PrincipalAuthority serviceAuthority = new PrincipalAuthority();
    KeyStore keyStore = new KeyStoreMock();
    serviceAuthority.setKeyStore(keyStore);
    long issueTime = System.currentTimeMillis() / 1000;
    // Create and sign token
    List<String> authorizedServices = new ArrayList<>();
    authorizedServices.add("sports.fantasy");
    authorizedServices.add("sports.hockey");
    PrincipalToken userTokenToSign = new PrincipalToken.Builder(usrVersion, usrDomain, usrName).salt(salt).issueTime(issueTime).expirationWindow(expirationTime).authorizedServices(authorizedServices).build();
    userTokenToSign.sign(servicePrivateKeyStringK0);
    // now let's sign the token for an authorized service
    userTokenToSign.signForAuthorizedService("sports.fantasy", "1", servicePrivateKeyStringK1);
    // Create a token for validation using the signed data
    StringBuilder errMsg = new StringBuilder();
    assertEquals(serviceAuthority.validateAuthorizeService(userTokenToSign, errMsg), "sports.fantasy");
}
Also used : ArrayList(java.util.ArrayList) PrincipalToken(com.yahoo.athenz.auth.token.PrincipalToken) KeyStore(com.yahoo.athenz.auth.KeyStore) Test(org.testng.annotations.Test) BeforeTest(org.testng.annotations.BeforeTest)

Example 32 with PrincipalToken

use of com.yahoo.athenz.auth.token.PrincipalToken in project athenz by yahoo.

the class PrincipalAuthorityTest method testValidateAuthorizedServiceNoServices.

@Test
public void testValidateAuthorizedServiceNoServices() throws IOException {
    PrincipalAuthority serviceAuthority = new PrincipalAuthority();
    KeyStore keyStore = new KeyStoreMock();
    serviceAuthority.setKeyStore(keyStore);
    long issueTime = System.currentTimeMillis() / 1000;
    // Create and sign token
    PrincipalToken userTokenToSign = new PrincipalToken.Builder(usrVersion, usrDomain, usrName).salt(salt).issueTime(issueTime).expirationWindow(expirationTime).build();
    userTokenToSign.sign(servicePrivateKeyStringK0);
    // Create a token for validation using the signed data
    StringBuilder errMsg = new StringBuilder();
    assertNull(serviceAuthority.validateAuthorizeService(userTokenToSign, errMsg));
}
Also used : PrincipalToken(com.yahoo.athenz.auth.token.PrincipalToken) KeyStore(com.yahoo.athenz.auth.KeyStore) Test(org.testng.annotations.Test) BeforeTest(org.testng.annotations.BeforeTest)

Example 33 with PrincipalToken

use of com.yahoo.athenz.auth.token.PrincipalToken in project athenz by yahoo.

the class PrincipalAuthorityTest method testRemoteIpCheckNone.

@Test
public void testRemoteIpCheckNone() {
    PrincipalAuthority serviceAuthority = new PrincipalAuthority();
    serviceAuthority.ipCheckMode = IpCheckMode.OPS_NONE;
    PrincipalToken serviceToken = new PrincipalToken("v=S1;d=user;n=user1;i=10.11.12.23;s=sig");
    // all operations must return true
    // first let's verify read operation with and without matches
    assertTrue(serviceAuthority.remoteIpCheck("10.11.12.23", false, serviceToken, null));
    assertTrue(serviceAuthority.remoteIpCheck("10.11.12.22", false, serviceToken, null));
    // now let's try write operations without authorized service
    assertTrue(serviceAuthority.remoteIpCheck("10.11.12.23", true, serviceToken, null));
    assertTrue(serviceAuthority.remoteIpCheck("10.11.12.22", true, serviceToken, null));
    // finally mismatch operation with authorized service
    assertTrue(serviceAuthority.remoteIpCheck("10.11.12.22", true, serviceToken, "authz_service"));
}
Also used : PrincipalToken(com.yahoo.athenz.auth.token.PrincipalToken) Test(org.testng.annotations.Test) BeforeTest(org.testng.annotations.BeforeTest)

Example 34 with PrincipalToken

use of com.yahoo.athenz.auth.token.PrincipalToken in project athenz by yahoo.

the class PrincipalAuthorityTest method testValidateAuthorizedIlligalServiceName.

@Test
public void testValidateAuthorizedIlligalServiceName() throws IOException {
    PrincipalAuthority serviceAuthority = new PrincipalAuthority();
    KeyStore keyStore = new KeyStoreMock();
    serviceAuthority.setKeyStore(keyStore);
    long issueTime = System.currentTimeMillis() / 1000;
    // Create and sign token
    List<String> authorizedServices = new ArrayList<>();
    authorizedServices.add(".fantasy");
    PrincipalToken userTokenToSign = new PrincipalToken.Builder(usrVersion, usrDomain, usrName).salt(salt).issueTime(issueTime).expirationWindow(expirationTime).authorizedServices(authorizedServices).build();
    userTokenToSign.sign(servicePrivateKeyStringK0);
    // now let's sign the token for an authorized service
    userTokenToSign.signForAuthorizedService(".fantasy", "1", servicePrivateKeyStringK1);
    // Create a token for validation using the signed data
    StringBuilder errMsg = new StringBuilder();
    assertNull(serviceAuthority.validateAuthorizeService(userTokenToSign, errMsg));
}
Also used : ArrayList(java.util.ArrayList) PrincipalToken(com.yahoo.athenz.auth.token.PrincipalToken) KeyStore(com.yahoo.athenz.auth.KeyStore) Test(org.testng.annotations.Test) BeforeTest(org.testng.annotations.BeforeTest)

Example 35 with PrincipalToken

use of com.yahoo.athenz.auth.token.PrincipalToken in project athenz by yahoo.

the class PrincipalAuthorityTest method testRemoteIpCheckAll.

@Test
public void testRemoteIpCheckAll() {
    PrincipalAuthority serviceAuthority = new PrincipalAuthority();
    serviceAuthority.ipCheckMode = IpCheckMode.OPS_ALL;
    PrincipalToken serviceToken = new PrincipalToken("v=S1;d=domain;n=service;i=10.11.12.23;s=sig");
    assertTrue(serviceAuthority.remoteIpCheck("10.11.12.23", false, serviceToken, null));
    assertTrue(serviceAuthority.remoteIpCheck("10.11.12.23", true, serviceToken, null));
    assertFalse(serviceAuthority.remoteIpCheck("10.11.12.22", false, serviceToken, null));
    assertFalse(serviceAuthority.remoteIpCheck("10.11.12.22", true, serviceToken, null));
}
Also used : PrincipalToken(com.yahoo.athenz.auth.token.PrincipalToken) Test(org.testng.annotations.Test) BeforeTest(org.testng.annotations.BeforeTest)

Aggregations

PrincipalToken (com.yahoo.athenz.auth.token.PrincipalToken)47 Test (org.testng.annotations.Test)29 KeyStore (com.yahoo.athenz.auth.KeyStore)25 BeforeTest (org.testng.annotations.BeforeTest)17 Principal (com.yahoo.athenz.auth.Principal)15 InstanceConfirmation (com.yahoo.athenz.instance.provider.InstanceConfirmation)14 InstanceZTSProvider (com.yahoo.athenz.instance.provider.impl.InstanceZTSProvider)12 ArrayList (java.util.ArrayList)10 SimplePrincipal (com.yahoo.athenz.auth.impl.SimplePrincipal)7 ResourceException (com.yahoo.athenz.instance.provider.ResourceException)6 CryptoException (com.yahoo.athenz.auth.util.CryptoException)4 HostnameResolver (com.yahoo.athenz.common.server.dns.HostnameResolver)4 InstanceProvider (com.yahoo.athenz.instance.provider.InstanceProvider)4 X509Certificate (java.security.cert.X509Certificate)4 Priority (com.yahoo.athenz.common.server.cert.Priority)2 AuditLogMsgBuilder (com.yahoo.athenz.common.server.log.AuditLogMsgBuilder)2 SSHCertRecord (com.yahoo.athenz.common.server.ssh.SSHCertRecord)2 StatusCheckException (com.yahoo.athenz.common.server.status.StatusCheckException)2 ZMSClient (com.yahoo.athenz.zms.ZMSClient)2 DataCache (com.yahoo.athenz.zts.cache.DataCache)2