
Example 6 with DiscFilterRequest

Use of com.yahoo.jdisc.http.filter.DiscFilterRequest in project vespa by vespa-engine.

Class AthenzPrincipalFilterTest, method certificate_is_accepted.

@Test
public void certificate_is_accepted() {
    DiscFilterRequest request = mock(DiscFilterRequest.class);
    // No principal token header: the client certificate is the only credential on the request.
    when(request.getHeader(ATHENZ_PRINCIPAL_HEADER)).thenReturn(null);
    when(request.getClientCertificateChain()).thenReturn(singletonList(CERTIFICATE));
    ResponseHandlerMock responseHandler = new ResponseHandlerMock();
    AthenzPrincipalFilter filter = new AthenzPrincipalFilter(validator, Runnable::run, ATHENZ_PRINCIPAL_HEADER);
    filter.filter(request, responseHandler);
    // The filter is expected to set the principal for IDENTITY from the certificate alone.
    AthenzPrincipal expectedPrincipal = new AthenzPrincipal(IDENTITY);
    verify(request).setUserPrincipal(expectedPrincipal);
}
Also used: AthenzPrincipal (com.yahoo.vespa.athenz.api.AthenzPrincipal), DiscFilterRequest (com.yahoo.jdisc.http.filter.DiscFilterRequest), Test (org.junit.Test)

Example 7 with DiscFilterRequest

Use of com.yahoo.jdisc.http.filter.DiscFilterRequest in project vespa by vespa-engine.

Class FilterTester, method toDiscFilterRequest.

private static DiscFilterRequest toDiscFilterRequest(Request request) {
    DiscFilterRequest r = mock(DiscFilterRequest.class);
    when(r.getMethod()).thenReturn(request.method().name());
    when(r.getUri()).thenReturn(URI.create("http://localhost").resolve(request.path()));
    when(r.getRemoteAddr()).thenReturn(request.remoteAddr());
    when(r.getLocalAddr()).thenReturn(request.localAddr());
    // Attach a client certificate only when the test request carries a common name.
    if (request.commonName().isPresent()) {
        X509Certificate cert = certificateFor(request.commonName().get(), keyPair());
        when(r.getClientCertificateChain()).thenReturn(Collections.singletonList(cert));
    }
    return r;
}
Also used: DiscFilterRequest (com.yahoo.jdisc.http.filter.DiscFilterRequest), X509Certificate (java.security.cert.X509Certificate)

Example 8 with DiscFilterRequest

Use of com.yahoo.jdisc.http.filter.DiscFilterRequest in project vespa by vespa-engine.

Class AthenzPrincipalFilterTest, method conflicting_ntoken_and_certificate_is_unauthorized.

@Test
public void conflicting_ntoken_and_certificate_is_unauthorized() {
    DiscFilterRequest request = mock(DiscFilterRequest.class);
    AthenzUser conflictingIdentity = AthenzUser.fromUserId("mallory");
    // The request carries two credentials: an NToken that validates to IDENTITY
    // and a client certificate created for a different user.
    when(request.getHeader(ATHENZ_PRINCIPAL_HEADER)).thenReturn(NTOKEN.getRawToken());
    when(request.getClientCertificateChain()).thenReturn(singletonList(createSelfSignedCertificate(conflictingIdentity)));
    when(validator.validate(NTOKEN)).thenReturn(new AthenzPrincipal(IDENTITY));
    ResponseHandlerMock responseHandler = new ResponseHandlerMock();
    AthenzPrincipalFilter filter = new AthenzPrincipalFilter(validator, Runnable::run, ATHENZ_PRINCIPAL_HEADER);
    filter.filter(request, responseHandler);
    // The mismatch must be rejected rather than resolved in favour of either identity.
    assertUnauthorized(responseHandler, "Identity in principal token does not match x509 CN");
}
Also used: AthenzPrincipal (com.yahoo.vespa.athenz.api.AthenzPrincipal), DiscFilterRequest (com.yahoo.jdisc.http.filter.DiscFilterRequest), AthenzUser (com.yahoo.vespa.athenz.api.AthenzUser), Test (org.junit.Test)

Example 9 with DiscFilterRequest

Use of com.yahoo.jdisc.http.filter.DiscFilterRequest in project vespa by vespa-engine.

Class AccessControlRequestFilterTest, method newOptionsRequest.

private static DiscFilterRequest newOptionsRequest(String origin) {
    // Mocked OPTIONS request carrying the given Origin header.
    DiscFilterRequest request = mock(DiscFilterRequest.class);
    when(request.getHeader("Origin")).thenReturn(origin);
    when(request.getMethod()).thenReturn(OPTIONS.name());
    return request;
}
Also used: DiscFilterRequest (com.yahoo.jdisc.http.filter.DiscFilterRequest)

Aggregations

DiscFilterRequest (com.yahoo.jdisc.http.filter.DiscFilterRequest): 9
Test (org.junit.Test): 6
AthenzPrincipal (com.yahoo.vespa.athenz.api.AthenzPrincipal): 5
AthenzUser (com.yahoo.vespa.athenz.api.AthenzUser): 1
InvalidTokenException (com.yahoo.vespa.hosted.controller.api.integration.athenz.InvalidTokenException): 1
X509Certificate (java.security.cert.X509Certificate): 1
Matchers.containsString (org.hamcrest.Matchers.containsString): 1