Example 6 with X509RoleCertRequest

use of com.yahoo.athenz.zts.cert.X509RoleCertRequest in project athenz by yahoo.

From the class ZTSImplTest, method testValidateRoleCertificateRequestWithUriHostname:

@Test
public void testValidateRoleCertificateRequestWithUriHostname() throws IOException {
    Path path = Paths.get("src/test/resources/athenz.examples.role-uri-hostname-only.csr");
    String csr = new String(Files.readAllBytes(path));
    path = Paths.get("src/test/resources/athenz.examples.no-uri.pem");
    String pem = new String(Files.readAllBytes(path));
    X509Certificate cert = Crypto.loadX509Certificate(pem);
    X509RoleCertRequest certReq = new X509RoleCertRequest(csr);
    // if the CSR has hostname, but the cert doesn't have hostname, it should result in false
    assertFalse(zts.validateRoleCertificateRequest(certReq, "athenz.examples.httpd", null, cert, "10.0.0.1"));
    path = Paths.get("src/test/resources/athenz.examples.uri-hostname-only.pem");
    pem = new String(Files.readAllBytes(path));
    cert = Crypto.loadX509Certificate(pem);
    assertTrue(zts.validateRoleCertificateRequest(certReq, "athenz.examples.httpd", null, cert, "10.0.0.1"));
    path = Paths.get("src/test/resources/athenz.examples.role-uri-instanceid-hostname.csr");
    csr = new String(Files.readAllBytes(path));
    certReq = new X509RoleCertRequest(csr);
    // if CSR has hostname+instanceid, and cert has only hostname, it should result in false
    assertFalse(zts.validateRoleCertificateRequest(certReq, "athenz.examples.httpd", null, cert, "10.0.0.1"));
    path = Paths.get("src/test/resources/athenz.examples.uri-instanceid-hostname.pem");
    pem = new String(Files.readAllBytes(path));
    cert = Crypto.loadX509Certificate(pem);
    assertTrue(zts.validateRoleCertificateRequest(certReq, "athenz.examples.httpd", null, cert, "10.0.0.1"));
}
Also used : Path(java.nio.file.Path) X509RoleCertRequest(com.yahoo.athenz.zts.cert.X509RoleCertRequest) X509Certificate(java.security.cert.X509Certificate) Test(org.testng.annotations.Test)

Example 7 with X509RoleCertRequest

use of com.yahoo.athenz.zts.cert.X509RoleCertRequest in project athenz by yahoo.

From the class ZTSImplTest, method testValidateRoleCertificateRequestOU:

@Test
public void testValidateRoleCertificateRequestOU() throws IOException {
    Path path = Paths.get("src/test/resources/valid_email.csr");
    String csr = new String(Files.readAllBytes(path));
    // no restriction on the subject O value, but the subject OU must be in the allowed set
    zts.validCertSubjectOrgValues = null;
    Set<String> ouValues = new HashSet<>();
    ouValues.add("Testing Domain1");
    zts.validCertSubjectOrgUnitValues = ouValues;
    zts.verifyCertSubjectOU = true;
    X509RoleCertRequest certReq = new X509RoleCertRequest(csr);
    // the CSR's OU is not in the allowed set, so validation must fail
    assertFalse(zts.validateRoleCertificateRequest(certReq, "sports.scores", null, null, "10.0.0.1"));
    // once the CSR's OU is added to the allowed set, validation succeeds
    ouValues.add("Testing Domain");
    assertTrue(zts.validateRoleCertificateRequest(certReq, "sports.scores", null, null, "10.0.0.1"));
}
Also used : Path(java.nio.file.Path) X509RoleCertRequest(com.yahoo.athenz.zts.cert.X509RoleCertRequest) Test(org.testng.annotations.Test)

Example 8 with X509RoleCertRequest

use of com.yahoo.athenz.zts.cert.X509RoleCertRequest in project athenz by yahoo.

From the class ZTSImplTest, method testValidateRoleCertificateRequestMismatchIP:

@Test
public void testValidateRoleCertificateRequestMismatchIP() throws IOException {
    Path path = Paths.get("src/test/resources/role_single_ip.csr");
    String csr = new String(Files.readAllBytes(path));
    path = Paths.get("src/test/resources/athenz.instanceid.pem");
    String pem = new String(Files.readAllBytes(path));
    X509Certificate cert = Crypto.loadX509Certificate(pem);
    X509RoleCertRequest certReq = new X509RoleCertRequest(csr);
    // with IP validation disabled, both the matching and the mismatching client IP succeed
    zts.verifyCertRequestIP = false;
    zts.validCertSubjectOrgValues = null;
    assertTrue(zts.validateRoleCertificateRequest(certReq, "athenz.production", null, cert, "10.11.12.13"));
    assertTrue(zts.validateRoleCertificateRequest(certReq, "athenz.production", null, cert, "10.11.12.14"));
    // with IP validation enabled, only the client IP listed in the CSR is accepted
    zts.verifyCertRequestIP = true;
    assertTrue(zts.validateRoleCertificateRequest(certReq, "athenz.production", null, cert, "10.11.12.13"));
    assertFalse(zts.validateRoleCertificateRequest(certReq, "athenz.production", null, cert, "10.11.12.14"));
}
Also used : Path(java.nio.file.Path) X509RoleCertRequest(com.yahoo.athenz.zts.cert.X509RoleCertRequest) X509Certificate(java.security.cert.X509Certificate) Test(org.testng.annotations.Test)

Example 9 with X509RoleCertRequest

use of com.yahoo.athenz.zts.cert.X509RoleCertRequest in project athenz by yahoo.

From the class ZTSImplTest, method testValidateRoleCertificateRequest:

@Test
public void testValidateRoleCertificateRequest() throws IOException {
    Path path = Paths.get("src/test/resources/valid_email.csr");
    String csr = new String(Files.readAllBytes(path));
    X509RoleCertRequest certReq = new X509RoleCertRequest(csr);
    // with no restriction on the subject O value, the request is accepted
    zts.validCertSubjectOrgValues = null;
    assertTrue(zts.validateRoleCertificateRequest(certReq, "sports.scores", null, null, "10.0.0.1"));
    // restricting the subject O value to "Athenz" still accepts this CSR
    Set<String> validOValues = new HashSet<>();
    validOValues.add("Athenz");
    zts.validCertSubjectOrgValues = validOValues;
    assertTrue(zts.validateRoleCertificateRequest(certReq, "sports.scores", null, null, "10.0.0.1"));
}
Also used : Path(java.nio.file.Path) X509RoleCertRequest(com.yahoo.athenz.zts.cert.X509RoleCertRequest) Test(org.testng.annotations.Test)