
Example 11 with SignatureException

use of io.jsonwebtoken.security.SignatureException in project athenz by yahoo.

From class ZTSImplTest, method testPostAccessTokenRequestProxyUserSpecificRole.

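@Test
public void testPostAccessTokenRequestProxyUserSpecificRole() {
    // Point the private-key property at the unit-test access-token key only
    // while ZTSImpl is constructed; the regular zts rsa key is restored below.
    System.setProperty(FilePrivateKeyStore.ATHENZ_PROP_PRIVATE_KEY, "src/test/resources/unit_test_zts_at_private.pem");
    CloudStore cloudStore = new CloudStore();
    cloudStore.setHttpClient(null);
    ZTSImpl ztsImpl = new ZTSImpl(cloudStore, store);
    // set back to our zts rsa private key
    System.setProperty(FilePrivateKeyStore.ATHENZ_PROP_PRIVATE_KEY, "src/test/resources/unit_test_zts_private.pem");

    // proxy-user1 and the proxied principal (joe) are both writers, so a
    // writers-role token requested on joe's behalf is expected to be issued.
    List<RoleMember> writers = new ArrayList<>();
    writers.add(new RoleMember().setMemberName("user_domain.proxy-user1"));
    writers.add(new RoleMember().setMemberName("user_domain.joe"));
    List<RoleMember> readers = new ArrayList<>();
    readers.add(new RoleMember().setMemberName("user_domain.proxy-user2"));
    readers.add(new RoleMember().setMemberName("user_domain.jane"));
    readers.add(new RoleMember().setMemberName("user_domain.proxy-user1"));
    SignedDomain signedDomain = createSignedDomain("coretech-proxy4", "weather-proxy4", "storage", writers, readers, true);
    store.processSignedDomain(signedDomain, false);

    Principal principal = SimplePrincipal.create("user_domain", "proxy-user1", "v=U1;d=user_domain;n=proxy-user1;s=sig", 0, null);
    ResourceContext context = createResourceContext(principal);
    AccessTokenResponse resp = ztsImpl.postAccessTokenRequest(context,
            "grant_type=client_credentials&scope=coretech-proxy4:role.writers&proxy_for_principal=user_domain.joe");
    assertNotNull(resp);
    String accessTokenStr = resp.getAccess_token();
    assertNotNull(accessTokenStr);

    // Verify the token with the public half of the key ZTSImpl holds;
    // parseClaimsJws hands back claims only after the signature checks out.
    Jws<Claims> claims;
    try {
        claims = Jwts.parserBuilder()
                .setSigningKey(Crypto.extractPublicKey(ztsImpl.privateKey.getKey()))
                .build()
                .parseClaimsJws(accessTokenStr);
    } catch (SignatureException e) {
        // fail the test and keep the cause; the previous bare ResourceException dropped it
        throw new AssertionError("access token signature verification failed", e);
    }
    assertNotNull(claims);

    // the subject is the proxied principal; the requester is recorded in the proxy claim
    assertEquals("user_domain.joe", claims.getBody().getSubject());
    assertEquals("user_domain.proxy-user1", claims.getBody().get("proxy"));
    assertEquals("coretech-proxy4", claims.getBody().getAudience());
    assertEquals(ztsImpl.ztsOAuthIssuer, claims.getBody().getIssuer());

    // the scp claim comes back as an untyped List; the element type is only known here
    @SuppressWarnings("unchecked")
    List<String> scopes = (List<String>) claims.getBody().get("scp");
    assertNotNull(scopes);
    assertEquals(1, scopes.size());
    assertEquals("writers", scopes.get(0));
}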
Also used : Claims(io.jsonwebtoken.Claims) SignatureException(io.jsonwebtoken.security.SignatureException) MockCloudStore(com.yahoo.athenz.zts.store.MockCloudStore) CloudStore(com.yahoo.athenz.zts.store.CloudStore) Principal(com.yahoo.athenz.auth.Principal) Test(org.testng.annotations.Test)

Example 12 with SignatureException

use of io.jsonwebtoken.security.SignatureException in project athenz by yahoo.

From class ZTSImplTest, method testGetOIDCResponseRoles.

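@Test
public void testGetOIDCResponseRoles() {
    // Point the private-key property at the unit-test access-token key only
    // while ZTSImpl is constructed; the regular zts rsa key is restored below.
    System.setProperty(FilePrivateKeyStore.ATHENZ_PROP_PRIVATE_KEY, "src/test/resources/unit_test_zts_at_private.pem");
    CloudStore cloudStore = new CloudStore();
    cloudStore.setHttpClient(null);
    ZTSImpl ztsImpl = new ZTSImpl(cloudStore, store);
    // set back to our zts rsa private key
    System.setProperty(FilePrivateKeyStore.ATHENZ_PROP_PRIVATE_KEY, "src/test/resources/unit_test_zts_private.pem");

    Principal principal = SimplePrincipal.create("user_domain", "user", "v=U1;d=user_domain;n=user;s=signature", 0, null);
    ResourceContext context = createResourceContext(principal);
    SignedDomain signedDomain = createSignedDomain("coretech", "sports", "api", true, null);
    store.processSignedDomain(signedDomain, false);

    // get all the roles
    Response response = ztsImpl.getOIDCResponse(context, "id_token", "coretech.api", "https://localhost:4443/zts", "openid roles", null, "nonce", "");
    String idToken = oidcIdTokenFromRedirect(response);

    // Verify the id token with the public half of the key ZTSImpl holds;
    // parseClaimsJws hands back claims only after the signature checks out.
    Jws<Claims> claims;
    try {
        claims = Jwts.parserBuilder()
                .setSigningKey(Crypto.extractPublicKey(ztsImpl.privateKey.getKey()))
                .build()
                .parseClaimsJws(idToken);
    } catch (SignatureException e) {
        // fail the test and keep the cause; the previous bare ResourceException dropped it
        throw new AssertionError("id token signature verification failed", e);
    }
    assertNotNull(claims);
    assertEquals("user_domain.user", claims.getBody().getSubject());
    assertEquals("coretech.api", claims.getBody().getAudience());
    // the nonce supplied in the request must be echoed back in the token
    assertEquals("nonce", claims.getBody().get("nonce", String.class));
    assertEquals(ztsImpl.ztsOpenIDIssuer, claims.getBody().getIssuer());
    // the groups claim comes back as an untyped List; the element type is only known here
    @SuppressWarnings("unchecked")
    List<String> userRoles = (List<String>) claims.getBody().get("groups");
    assertNotNull(userRoles);
    assertEquals(userRoles.size(), 1);
    assertTrue(userRoles.contains("writers"));

    // get only one of the groups
    response = ztsImpl.getOIDCResponse(context, "id_token", "coretech.api", "https://localhost:4443/zts", "openid coretech:role.writers", null, "nonce", "RSA");
    idToken = oidcIdTokenFromRedirect(response);
    try {
        claims = Jwts.parserBuilder()
                .setSigningKey(Crypto.extractPublicKey(ztsImpl.privateKey.getKey()))
                .build()
                .parseClaimsJws(idToken);
    } catch (SignatureException e) {
        throw new AssertionError("id token signature verification failed", e);
    }
    assertNotNull(claims);
    assertEquals("user_domain.user", claims.getBody().getSubject());
    assertEquals("coretech.api", claims.getBody().getAudience());
    assertEquals(ztsImpl.ztsOpenIDIssuer, claims.getBody().getIssuer());
    @SuppressWarnings("unchecked")
    List<String> singleRole = (List<String>) claims.getBody().get("groups");
    assertNotNull(singleRole);
    assertEquals(singleRole.size(), 1);
    assertTrue(singleRole.contains("writers"));

    // requesting a group that the user is not part of: no token is issued,
    // the redirect carries an OAuth error instead
    response = ztsImpl.getOIDCResponse(context, "id_token", "coretech.api", "https://localhost:4443/zts", "openid coretech:role.eng-team", null, "nonce", "EC");
    assertEquals(response.getStatus(), ResourceException.FOUND);
    assertEquals(response.getHeaderString("Location"), "https://localhost:4443/zts?error=invalid_request&error_description=principal+not+included+in+requested+roles");
}

/**
 * Asserts that an OIDC response is a redirect whose Location header carries an
 * id_token in the URL fragment and returns that token.
 *
 * <p>Checking the marker index explicitly turns a missing fragment into a clear
 * assertion failure instead of a substring of an unrelated URL.
 *
 * @param response the response returned by getOIDCResponse
 * @return the raw (still signed) id token taken from the fragment
 */
private static String oidcIdTokenFromRedirect(Response response) {
    assertEquals(response.getStatus(), ResourceException.FOUND);
    String location = response.getHeaderString("Location");
    assertNotNull(location, "redirect is missing the Location header");
    final String marker = "#id_token=";
    int idx = location.indexOf(marker);
    assertTrue(idx >= 0, "Location header has no id_token fragment: " + location);
    return location.substring(idx + marker.length());
}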
Also used : Claims(io.jsonwebtoken.Claims) SignatureException(io.jsonwebtoken.security.SignatureException) Response(javax.ws.rs.core.Response) HttpServletResponse(javax.servlet.http.HttpServletResponse) MockCloudStore(com.yahoo.athenz.zts.store.MockCloudStore) CloudStore(com.yahoo.athenz.zts.store.CloudStore) Principal(com.yahoo.athenz.auth.Principal) Test(org.testng.annotations.Test)

Example 13 with SignatureException

use of io.jsonwebtoken.security.SignatureException in project athenz by yahoo.

From class ZTSImplTest, method testPostAccessTokenRequestOpenIdScope (the no-argument test).

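@Test
public void testPostAccessTokenRequestOpenIdScope() throws UnsupportedEncodingException {
    // Point the private-key property at the unit-test access-token key only
    // while ZTSImpl is constructed; the regular zts rsa key is restored below.
    System.setProperty(FilePrivateKeyStore.ATHENZ_PROP_PRIVATE_KEY, "src/test/resources/unit_test_zts_at_private.pem");
    CloudStore cloudStore = new CloudStore();
    cloudStore.setHttpClient(null);
    ZTSImpl ztsImpl = new ZTSImpl(cloudStore, store);
    // set back to our zts rsa private key
    System.setProperty(FilePrivateKeyStore.ATHENZ_PROP_PRIVATE_KEY, "src/test/resources/unit_test_zts_private.pem");

    SignedDomain signedDomain = createSignedDomain("coretech", "weather", "storage", true);
    store.processSignedDomain(signedDomain, false);
    Principal principal = SimplePrincipal.create("user_domain", "user", "v=U1;d=user_domain;n=user;s=signature", 0, null);
    ResourceContext context = createResourceContext(principal);

    // domain-wide scope plus openid plus a service scope; the response is
    // expected to narrow this to the role the user actually holds plus openid
    final String scope = URLEncoder.encode("coretech:domain openid coretech:service.api", "UTF-8");
    AccessTokenResponse resp = ztsImpl.postAccessTokenRequest(context,
            "grant_type=client_credentials&scope=" + scope + "&expires_in=240");
    assertNotNull(resp);
    assertEquals("coretech:role.writers openid", resp.getScope());
    String accessTokenStr = resp.getAccess_token();
    assertNotNull(accessTokenStr);
    // openid was requested, so an id token must accompany the access token
    String idToken = resp.getId_token();
    assertNotNull(idToken);

    // Verify the access token with the public half of the key ZTSImpl holds;
    // parseClaimsJws hands back claims only after the signature checks out.
    Jws<Claims> claims;
    try {
        claims = Jwts.parserBuilder()
                .setSigningKey(Crypto.extractPublicKey(ztsImpl.privateKey.getKey()))
                .build()
                .parseClaimsJws(accessTokenStr);
    } catch (SignatureException e) {
        // fail the test and keep the cause; the previous bare ResourceException dropped it
        throw new AssertionError("access token signature verification failed", e);
    }
    assertNotNull(claims);
    assertEquals("writers", claims.getBody().get("scope"));
    // the requested expires_in (seconds) must be honored: exp - iat in millis
    assertEquals(240 * 1000, claims.getBody().getExpiration().getTime() - claims.getBody().getIssuedAt().getTime());
}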
Also used : MockCloudStore(com.yahoo.athenz.zts.store.MockCloudStore) CloudStore(com.yahoo.athenz.zts.store.CloudStore) Claims(io.jsonwebtoken.Claims) SignatureException(io.jsonwebtoken.security.SignatureException) Principal(com.yahoo.athenz.auth.Principal) Test(org.testng.annotations.Test)

Example 14 with SignatureException

use of io.jsonwebtoken.security.SignatureException in project athenz by yahoo.

From class ZTSImplTest, method testPostAccessTokenRequestWithProxyPrincipals.

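@Test
public void testPostAccessTokenRequestWithProxyPrincipals() throws IOException {
    // Point the private-key property at the unit-test access-token key only
    // while ZTSImpl is constructed; the regular zts rsa key is restored below.
    System.setProperty(FilePrivateKeyStore.ATHENZ_PROP_PRIVATE_KEY, "src/test/resources/unit_test_zts_at_private.pem");
    CloudStore cloudStore = new CloudStore();
    cloudStore.setHttpClient(null);
    ZTSImpl ztsImpl = new ZTSImpl(cloudStore, store);
    // set back to our zts rsa private key
    System.setProperty(FilePrivateKeyStore.ATHENZ_PROP_PRIVATE_KEY, "src/test/resources/unit_test_zts_private.pem");

    SignedDomain signedDomain = createSignedDomain("coretech", "weather", "storage", true);
    store.processSignedDomain(signedDomain, false);

    // the principal must carry a client certificate for the proxy-principal request
    SimplePrincipal principal = (SimplePrincipal) SimplePrincipal.create("user_domain", "user", "v=U1;d=user_domain;n=user;s=signature", 0, null);
    Path path = Paths.get("src/test/resources/athenz.instanceid.pem");
    // PEM is ASCII; name the charset anyway so decoding does not depend on the platform default
    String pem = new String(Files.readAllBytes(path), java.nio.charset.StandardCharsets.UTF_8);
    X509Certificate cert = Crypto.loadX509Certificate(pem);
    principal.setX509Certificate(cert);
    ResourceContext context = createResourceContext(principal);

    // url-encoded "spiffe://athenz/sa/api,spiffe://sports/sa/api"
    final String proxyPrincipalsEncoded = "spiffe%3A%2F%2Fathenz%2Fsa%2Fapi%2Cspiffe%3A%2F%2Fsports%2Fsa%2Fapi";
    AccessTokenResponse resp = ztsImpl.postAccessTokenRequest(context,
            "grant_type=client_credentials&scope=coretech:role.writers&proxy_principal_spiffe_uris=" + proxyPrincipalsEncoded);
    assertNotNull(resp);
    // a single, fully granted role scope is not echoed back in the response
    assertNull(resp.getScope());
    final String accessTokenStr = resp.getAccess_token();

    // Verify the token with the public half of the key ZTSImpl holds;
    // parseClaimsJws hands back claims only after the signature checks out.
    Jws<Claims> claims;
    try {
        claims = Jwts.parserBuilder()
                .setSigningKey(Crypto.extractPublicKey(ztsImpl.privateKey.getKey()))
                .build()
                .parseClaimsJws(accessTokenStr);
    } catch (SignatureException e) {
        // fail the test and keep the cause; the previous bare ResourceException dropped it
        throw new AssertionError("access token signature verification failed", e);
    }
    assertNotNull(claims);
    assertEquals("coretech", claims.getBody().getAudience());
    assertEquals(ztsImpl.ztsOAuthIssuer, claims.getBody().getIssuer());

    // the scp claim comes back as an untyped List; the element type is only known here
    @SuppressWarnings("unchecked")
    List<String> scopes = (List<String>) claims.getBody().get("scp");
    assertNotNull(scopes);
    assertEquals(1, scopes.size());
    assertEquals("writers", scopes.get(0));

    // the cnf (confirmation) claim is a nested map; cast to the Map interface rather
    // than the concrete type the JSON parser happens to produce
    @SuppressWarnings("unchecked")
    java.util.Map<String, Object> cnf = (java.util.Map<String, Object>) claims.getBody().get("cnf");
    assertNotNull(cnf);
    @SuppressWarnings("unchecked")
    List<String> spiffeUris = (List<String>) cnf.get("proxy-principals#spiffe");
    assertNotNull(spiffeUris);
    assertEquals(spiffeUris.size(), 2);
    assertTrue(spiffeUris.contains("spiffe://athenz/sa/api"));
    assertTrue(spiffeUris.contains("spiffe://sports/sa/api"));
}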
Also used : Path(java.nio.file.Path) Claims(io.jsonwebtoken.Claims) SignatureException(io.jsonwebtoken.security.SignatureException) X509Certificate(java.security.cert.X509Certificate) MockCloudStore(com.yahoo.athenz.zts.store.MockCloudStore) CloudStore(com.yahoo.athenz.zts.store.CloudStore) JWSObject(com.nimbusds.jose.JWSObject) AthenzObject(com.yahoo.athenz.zts.ZTSImpl.AthenzObject) Test(org.testng.annotations.Test)

Example 15 with SignatureException

use of io.jsonwebtoken.security.SignatureException in project athenz by yahoo.

From class ZTSImplTest, the private two-argument overload of method testPostAccessTokenRequestOpenIdScope (issuer, reqComp).

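/**
 * Shared body for the openid-scope access token tests.
 *
 * <p>Requests an access token with an openid scope, then verifies the signature
 * of both the access token and the id token and checks that each names the
 * expected issuer.
 *
 * @param issuer  the issuer value expected in both tokens
 * @param reqComp extra, already encoded request components appended to the
 *                form body (may be empty)
 * @throws UnsupportedEncodingException if "UTF-8" is rejected by URLEncoder
 */
private void testPostAccessTokenRequestOpenIdScope(final String issuer, final String reqComp) throws UnsupportedEncodingException {
    // Point the private-key property at the unit-test access-token key only
    // while ZTSImpl is constructed; the regular zts rsa key is restored below.
    System.setProperty(FilePrivateKeyStore.ATHENZ_PROP_PRIVATE_KEY, "src/test/resources/unit_test_zts_at_private.pem");
    CloudStore cloudStore = new CloudStore();
    cloudStore.setHttpClient(null);
    ZTSImpl ztsImpl = new ZTSImpl(cloudStore, store);
    // set back to our zts rsa private key
    System.setProperty(FilePrivateKeyStore.ATHENZ_PROP_PRIVATE_KEY, "src/test/resources/unit_test_zts_private.pem");

    SignedDomain signedDomain = createSignedDomain("coretech", "weather", "storage", true);
    store.processSignedDomain(signedDomain, false);
    Principal principal = SimplePrincipal.create("user_domain", "user", "v=U1;d=user_domain;n=user;s=signature", 0, null);
    ResourceContext context = createResourceContext(principal);

    final String scope = URLEncoder.encode("coretech:domain openid coretech:service.api", "UTF-8");
    AccessTokenResponse resp = ztsImpl.postAccessTokenRequest(context,
            "grant_type=client_credentials&scope=" + scope + "&expires_in=240" + reqComp);
    assertNotNull(resp);
    assertEquals("coretech:role.writers openid", resp.getScope());
    String accessTokenStr = resp.getAccess_token();
    assertNotNull(accessTokenStr);

    // Verify the access token with the public half of the key ZTSImpl holds;
    // parseClaimsJws hands back claims only after the signature checks out.
    Jws<Claims> claims;
    try {
        claims = Jwts.parserBuilder()
                .setSigningKey(Crypto.extractPublicKey(ztsImpl.privateKey.getKey()))
                .build()
                .parseClaimsJws(accessTokenStr);
    } catch (SignatureException e) {
        // fail the test and keep the cause; the previous bare ResourceException dropped it
        throw new AssertionError("access token signature verification failed", e);
    }
    assertNotNull(claims);
    assertEquals(issuer, claims.getBody().getIssuer());
    assertEquals("writers", claims.getBody().get("scope"));
    // the requested expires_in (seconds) must be honored: exp - iat in millis
    assertEquals(240 * 1000, claims.getBody().getExpiration().getTime() - claims.getBody().getIssuedAt().getTime());

    // the id token is signed with the same key and must name the same issuer
    String idTokenStr = resp.getId_token();
    assertNotNull(idTokenStr);
    try {
        claims = Jwts.parserBuilder()
                .setSigningKey(Crypto.extractPublicKey(ztsImpl.privateKey.getKey()))
                .build()
                .parseClaimsJws(idTokenStr);
    } catch (SignatureException e) {
        throw new AssertionError("id token signature verification failed", e);
    }
    assertNotNull(claims);
    assertEquals(issuer, claims.getBody().getIssuer());
}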
Also used : MockCloudStore(com.yahoo.athenz.zts.store.MockCloudStore) CloudStore(com.yahoo.athenz.zts.store.CloudStore) Claims(io.jsonwebtoken.Claims) SignatureException(io.jsonwebtoken.security.SignatureException) Principal(com.yahoo.athenz.auth.Principal)
