Use of com.yahoo.athenz.zpe.AuthZpeClient.AccessCheckStatus in the project athenz by yahoo.
Class TestAuthZpe, method testX509CertificateReadAllowed.
@Test(dataProvider = "x509CertData")
public void testX509CertificateReadAllowed(String issuer, String subject, AccessCheckStatus expectedStatus, String angResource) {
    // Trusted CA issuer list for the client under test. The first entry is named
    // "InvalidToBeSkipped", presumably to exercise tolerance of an unparsable entry.
    final String trustedIssuers = "InvalidToBeSkipped | C=US, ST=CA, O=Athenz, OU=Testing Domain, CN=angler:role.public | C=US, ST=CA, O=Athenz, OU=Testing Domain2, CN=angler:role.public | C=US, ST=CA, O=Athenz, OU=Testing Domain, CN=angler.test:role.public";
    AuthZpeClient.setX509CAIssuers(trustedIssuers);

    // Mock a certificate whose issuer and subject DNs come from the data provider.
    X500Principal issuerPrincipal = Mockito.mock(X500Principal.class);
    Mockito.when(issuerPrincipal.getName()).thenReturn(issuer);
    X500Principal subjectPrincipal = Mockito.mock(X500Principal.class);
    Mockito.when(subjectPrincipal.getName()).thenReturn(subject);
    X509Certificate mockCert = Mockito.mock(X509Certificate.class);
    Mockito.when(mockCert.getIssuerX500Principal()).thenReturn(issuerPrincipal);
    Mockito.when(mockCert.getSubjectX500Principal()).thenReturn(subjectPrincipal);

    // A "read" check against the resource must produce the status the data row expects.
    final String action = "read";
    AccessCheckStatus actual = AuthZpeClient.allowAccess(mockCert, angResource, action);
    Assert.assertEquals(actual, expectedStatus);
}
Use of com.yahoo.athenz.zpe.AuthZpeClient.AccessCheckStatus in the project athenz by yahoo.
Class TestAuthZpe, method testWildcardManageRiversDeniedTokenString.
@Test
public void testWildcardManageRiversDeniedTokenString() {
    final String action = "manage";
    final String angResource = "angler:riversKernCounty";

    // Angler-domain token carrying both a Kern county and a Ventura county manager role,
    // 1000 sec expiry.
    List<String> managerRoles = new ArrayList<>();
    managerRoles.add("managerkernco");
    managerRoles.add("managerventuraco");
    RoleToken denyToken = createRoleToken("angler", managerRoles, "0", 1000);
    String denySigned = denyToken.getSignedToken();

    // Single signed-token string form: the request is denied.
    Assert.assertEquals(AuthZpeClient.allowAccess(denySigned, angResource, action), AccessCheckStatus.DENY);

    // Multi-token form: a DENY must win over an ALLOW and over a DENY_DOMAIN_MISMATCH
    // regardless of where the denying token sits in the list.
    String allowSigned = rToken0AnglerAdmin.getSignedToken();
    String mismatchSigned = rToken0CoreTechPublic.getSignedToken();

    List<String> allowThenDeny = new ArrayList<>();
    allowThenDeny.add(allowSigned);
    allowThenDeny.add(denySigned);

    List<String> mismatchAllowDeny = new ArrayList<>();
    mismatchAllowDeny.add(mismatchSigned);
    mismatchAllowDeny.add(allowSigned);
    mismatchAllowDeny.add(denySigned);

    List<String> denyMismatchAllow = new ArrayList<>();
    denyMismatchAllow.add(denySigned);
    denyMismatchAllow.add(mismatchSigned);
    denyMismatchAllow.add(allowSigned);

    List<List<String>> orderings = new ArrayList<>();
    orderings.add(allowThenDeny);
    orderings.add(mismatchAllowDeny);
    orderings.add(denyMismatchAllow);

    for (List<String> tokens : orderings) {
        StringBuilder matchedRole = new StringBuilder();
        AccessCheckStatus status = AuthZpeClient.allowAccess(tokens, angResource, action, matchedRole);
        // DENY over-rides everything else, and the matching wildcard role is reported
        Assert.assertEquals(status, AccessCheckStatus.DENY);
        Assert.assertEquals(matchedRole.toString(), "managerventura*");
    }
}
Use of com.yahoo.athenz.zpe.AuthZpeClient.AccessCheckStatus in the project athenz by yahoo.
Class TestAuthZpe, method testAllowAccessMatchStartsWithDenied.
@Test
public void testAllowAccessMatchStartsWithDenied() {
    final String action = "startswith";
    // The resource deliberately drops the 'h' of "startswith", so no assertion should match.
    final String resource = "angler:startswitgreat";

    // Single token form: no matching assertion, no role reported.
    StringBuilder matchedRole = new StringBuilder();
    AccessCheckStatus status = AuthZpeClient.allowAccess(rToken0AnglerRegex, resource, action, matchedRole);
    Assert.assertEquals(status, AccessCheckStatus.DENY_NO_MATCH);
    Assert.assertEquals(matchedRole.toString(), "");

    // Multi-token form: the reported status corresponds to the last token in the list.
    String expiredPublic = rToken0AnglerExpirePublic.getSignedToken();
    String anglerRegex = rToken0AnglerRegex.getSignedToken();
    String anglerPublic = rToken0AnglerPublic.getSignedToken();
    String coreTechPublic = rToken0CoreTechPublic.getSignedToken();

    List<String> tokens = new ArrayList<>();
    tokens.add(expiredPublic);
    tokens.add(anglerRegex);
    tokens.add(anglerPublic);
    tokens.add(coreTechPublic);
    matchedRole = new StringBuilder();
    status = AuthZpeClient.allowAccess(tokens, resource, action, matchedRole);
    // last token belongs to domain coretech, not angler
    Assert.assertEquals(status, AccessCheckStatus.DENY_DOMAIN_MISMATCH);
    Assert.assertEquals(matchedRole.toString(), "");

    tokens = new ArrayList<>();
    tokens.add(expiredPublic);
    tokens.add(anglerPublic);
    tokens.add(coreTechPublic);
    tokens.add(anglerRegex);
    matchedRole = new StringBuilder();
    status = AuthZpeClient.allowAccess(tokens, resource, action, matchedRole);
    // last token is the angler regex token, which has no matching assertion
    Assert.assertEquals(status, AccessCheckStatus.DENY_NO_MATCH);
    Assert.assertEquals(matchedRole.toString(), "");
}
Use of com.yahoo.athenz.zpe.AuthZpeClient.AccessCheckStatus in the project athenz by yahoo.
Class TestAuthZpe, method testWildcardManageRiversVenturaDenied.
@Test
public void testWildcardManageRiversVenturaDenied() {
    final String action = "manage";
    final String angResource = "angler:RiversKernCounty";

    // Angler-domain token holding only the Ventura county manager role, 1000 sec expiry.
    List<String> venturaRoles = new ArrayList<>();
    venturaRoles.add("managerventuraco");
    RoleToken venturaToken = createRoleToken("angler", venturaRoles, "0", 1000);

    StringBuilder matchedRole = new StringBuilder(256);
    AccessCheckStatus status = AuthZpeClient.allowAccess(venturaToken, angResource, action, matchedRole);
    // A Ventura county manager is denied managing the Kern county rivers resource;
    // the wildcard role "managerventura*" is reported as the one that matched.
    Assert.assertEquals(status, AccessCheckStatus.DENY);
    Assert.assertEquals(matchedRole.toString(), "managerventura*");
}
Use of com.yahoo.athenz.zpe.AuthZpeClient.AccessCheckStatus in the project athenz by yahoo.
Class TestAuthZpe, method testCleanupOfTokenNotCleaned.
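@Test
public void testCleanupOfTokenNotCleaned() {
    // Perform an allowed access check so the token is placed in the role-token cache.
    final String action = "fish";
    final String angResource = "angler:stockedpondBigBassLake";
    List<String> roles = new ArrayList<>();
    roles.add("public");
    roles.add("admin");
    // 10 sec expiry: longer than the 5 x 1 sec polling below, so the token must never be evicted.
    RoleToken rtoken = createRoleToken("angler", roles, "0", 10);
    String signedToken = rtoken.getSignedToken();
    AccessCheckStatus status = AuthZpeClient.allowAccess(signedToken, angResource, action);
    Assert.assertEquals(status, AccessCheckStatus.ALLOW);

    Map<String, RoleToken> roleMap = ZpeUpdPolLoader.getRoleTokenCacheMap();
    RoleToken mapToken = roleMap.get(signedToken);
    // fail with an assertion rather than an NPE if the token never made it into the cache
    Assert.assertNotNull(mapToken);
    Assert.assertEquals(signedToken, mapToken.getSignedToken());

    // Poll the cache across several cleanup passes; the unexpired token must survive each one.
    boolean interrupted = false;
    for (int cnt = 0; cnt < 5; ++cnt) {
        // -Dyahoo.zpeclient.updater.cleanup_tokens_secs=1
        try {
            // one second per iteration, matching the configured cleanup interval
            Thread.sleep(1000);
        } catch (InterruptedException exc) {
            // Deliberately best-effort: keep polling, but remember the interrupt so the
            // thread's interrupt status can be restored once the loop is done.
            interrupted = true;
            System.out.println("testCleanupOfToken: sleep was interrupted: in loop, cnt=" + cnt + " token=" + signedToken);
        }
        mapToken = roleMap.get(signedToken);
        Assert.assertNotNull(mapToken);
        Assert.assertEquals(signedToken, mapToken.getSignedToken());
    }
    // The token is still present after the loop: it has not expired, so cleanup must not remove it.
    Assert.assertNotNull(mapToken);
    Assert.assertEquals(signedToken, mapToken.getSignedToken());
    if (interrupted) {
        Thread.currentThread().interrupt();
    }
}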