
Example 16 with SignatureException

use of io.jsonwebtoken.security.SignatureException in project athenz by yahoo.

From class ZTSImplTest, method testPostAccessTokenRequestECPrivateKey.

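@Test
public void testPostAccessTokenRequestECPrivateKey() {
    // Build a ZTSImpl that signs with the EC test key. The key path is a
    // process-wide system property, so it is restored in a finally block:
    // if the constructor throws, the EC path must not leak into later tests.
    System.setProperty(FilePrivateKeyStore.ATHENZ_PROP_PRIVATE_KEY, "src/test/resources/unit_test_zts_private_ec.pem");
    CloudStore cloudStore = new CloudStore();
    cloudStore.setHttpClient(null);
    ZTSImpl ztsImpl;
    try {
        ztsImpl = new ZTSImpl(cloudStore, store);
    } finally {
        // set back to our zts rsa private key
        System.setProperty(FilePrivateKeyStore.ATHENZ_PROP_PRIVATE_KEY, "src/test/resources/unit_test_zts_private.pem");
    }

    SignedDomain signedDomain = createSignedDomain("coretech", "weather", "storage", true);
    store.processSignedDomain(signedDomain, false);
    Principal principal = SimplePrincipal.create("user_domain", "user", "v=U1;d=user_domain;n=user;s=signature", 0, null);
    ResourceContext context = createResourceContext(principal);

    // Domain-wide scope request; the response is expected to carry the
    // concrete role scope that was granted.
    AccessTokenResponse resp = ztsImpl.postAccessTokenRequest(context, "grant_type=client_credentials&scope=coretech:domain");
    assertNotNull(resp);
    // TestNG assertEquals is (actual, expected); keeping that order makes
    // failure messages read correctly.
    assertEquals(resp.getScope(), "coretech:role.writers");
    String accessTokenStr = resp.getAccess_token();
    assertNotNull(accessTokenStr);

    // Verify the signature with the public half of the key ZTS signed with.
    // A signature failure is a test failure: keep the cause attached instead
    // of rethrowing it as a 401 ResourceException that hides the details.
    Jws<Claims> claims;
    try {
        claims = Jwts.parserBuilder().setSigningKey(Crypto.extractPublicKey(ztsImpl.privateKey.getKey())).build().parseClaimsJws(accessTokenStr);
    } catch (SignatureException e) {
        throw new AssertionError("access token signature did not verify against the ZTS public key", e);
    }
    assertNotNull(claims);
    Claims body = claims.getBody();
    assertNotNull(body.getId());
    assertEquals(body.getSubject(), "user_domain.user");
    assertEquals(body.getAudience(), "coretech");
    assertEquals(body.getIssuer(), ztsImpl.ztsOAuthIssuer);
    // Claims.get returns Object; the cast is pinned by the assertions below.
    @SuppressWarnings("unchecked")
    List<String> scopes = (List<String>) body.get("scp");
    assertNotNull(scopes);
    assertEquals(scopes.size(), 1);
    assertEquals(scopes.get(0), "writers");
    assertEquals(body.get("scope"), "writers");
}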
Also used : Claims(io.jsonwebtoken.Claims) SignatureException(io.jsonwebtoken.security.SignatureException) MockCloudStore(com.yahoo.athenz.zts.store.MockCloudStore) CloudStore(com.yahoo.athenz.zts.store.CloudStore) Principal(com.yahoo.athenz.auth.Principal) Test(org.testng.annotations.Test)

Example 17 with SignatureException

use of io.jsonwebtoken.security.SignatureException in project athenz by yahoo.

From class ZTSImplTest, method testPostAccessTokenRequestWithAuthorizationDetails.

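@Test
public void testPostAccessTokenRequestWithAuthorizationDetails() {
    // The private-key path is a process-wide system property; restore it in
    // a finally block so a failing constructor cannot leak it into later tests.
    System.setProperty(FilePrivateKeyStore.ATHENZ_PROP_PRIVATE_KEY, "src/test/resources/unit_test_zts_at_private.pem");
    CloudStore cloudStore = new CloudStore();
    cloudStore.setHttpClient(null);
    ZTSImpl ztsImpl;
    try {
        ztsImpl = new ZTSImpl(cloudStore, store);
    } finally {
        // set back to our zts rsa private key
        System.setProperty(FilePrivateKeyStore.ATHENZ_PROP_PRIVATE_KEY, "src/test/resources/unit_test_zts_private.pem");
    }

    SignedDomain signedDomain = createSignedDomain("coretech", "weather", "storage", true);
    store.processSignedDomain(signedDomain, false);
    Principal principal = SimplePrincipal.create("user_domain", "user", "v=U1;d=user_domain;n=user;s=signature", 0, null);
    ResourceContext context = createResourceContext(principal);

    // RFC 9396 style authorization_details, passed verbatim as a request
    // parameter and expected back unchanged as a token claim.
    final String authzDetails = "[{\"type\":\"message_access\",\"location\":[\"https://location1\"," + "\"https://location2\"],\"identifier\":\"id1\"}]";
    AccessTokenResponse resp = ztsImpl.postAccessTokenRequest(context, "grant_type=client_credentials&scope=coretech:role.writers&authorization_details=" + authzDetails);
    assertNotNull(resp);
    // The requested scope was granted as-is, so no narrowed scope is echoed.
    assertNull(resp.getScope());
    final String accessTokenStr = resp.getAccess_token();
    assertNotNull(accessTokenStr);

    // Verify against the public half of the signing key. A bad signature is a
    // test failure; keep the cause instead of masking it as a 401.
    Jws<Claims> claims;
    try {
        claims = Jwts.parserBuilder().setSigningKey(Crypto.extractPublicKey(ztsImpl.privateKey.getKey())).build().parseClaimsJws(accessTokenStr);
    } catch (SignatureException e) {
        throw new AssertionError("access token signature did not verify against the ZTS public key", e);
    }
    assertNotNull(claims);
    Claims body = claims.getBody();
    // TestNG assertEquals is (actual, expected).
    assertEquals(body.getAudience(), "coretech");
    assertEquals(body.getIssuer(), ztsImpl.ztsOAuthIssuer);
    // Claims.get returns Object; the cast is pinned by the assertions below.
    @SuppressWarnings("unchecked")
    List<String> scopes = (List<String>) body.get("scp");
    assertNotNull(scopes);
    assertEquals(scopes.size(), 1);
    assertEquals(scopes.get(0), "writers");
    assertEquals(body.get("authorization_details"), authzDetails);
}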
Also used : Claims(io.jsonwebtoken.Claims) SignatureException(io.jsonwebtoken.security.SignatureException) MockCloudStore(com.yahoo.athenz.zts.store.MockCloudStore) CloudStore(com.yahoo.athenz.zts.store.CloudStore) Principal(com.yahoo.athenz.auth.Principal) Test(org.testng.annotations.Test)

Example 18 with SignatureException

use of io.jsonwebtoken.security.SignatureException in project athenz by yahoo.

From class ZTSImplTest, method testPostAccessTokenRequestWithSystemAuthorizationDetails.

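@Test
public void testPostAccessTokenRequestWithSystemAuthorizationDetails() {
    // Both settings are process-wide system properties read by the ZTSImpl
    // constructor; restore/clear them in a finally block so a failing
    // constructor cannot leak them into later tests.
    System.setProperty(FilePrivateKeyStore.ATHENZ_PROP_PRIVATE_KEY, "src/test/resources/unit_test_zts_at_private.pem");
    System.setProperty(ZTSConsts.ZTS_PROP_SYSTEM_AUTHZ_DETAILS_PATH, "src/test/resources/system_single_authz_details.json");
    CloudStore cloudStore = new CloudStore();
    cloudStore.setHttpClient(null);
    ZTSImpl ztsImpl;
    try {
        ztsImpl = new ZTSImpl(cloudStore, store);
    } finally {
        // set back to our zts rsa private key and clear authz details path
        System.setProperty(FilePrivateKeyStore.ATHENZ_PROP_PRIVATE_KEY, "src/test/resources/unit_test_zts_private.pem");
        System.clearProperty(ZTSConsts.ZTS_PROP_SYSTEM_AUTHZ_DETAILS_PATH);
    }

    SignedDomain signedDomain = createSignedDomain("coretech", "weather", "storage", true);
    store.processSignedDomain(signedDomain, false);
    Principal principal = SimplePrincipal.create("user_domain", "user", "v=U1;d=user_domain;n=user;s=signature", 0, null);
    ResourceContext context = createResourceContext(principal);

    // first role based match
    String authzDetails = "[{\"type\":\"message_access\",\"location\":[\"https://location1\"," + "\"https://location2\"],\"identifier\":\"id1\"}]";
    AccessTokenResponse resp = ztsImpl.postAccessTokenRequest(context, "grant_type=client_credentials&scope=coretech:role.writers&authorization_details=" + authzDetails);
    assertNotNull(resp);
    assertNull(resp.getScope());
    String accessTokenStr = resp.getAccess_token();
    assertNotNull(accessTokenStr);

    // Every token is verified against the public half of the signing key. A
    // signature failure is a test failure, so the cause is kept on the
    // AssertionError rather than masked as a 401 ResourceException.
    Jws<Claims> claims;
    try {
        claims = Jwts.parserBuilder().setSigningKey(Crypto.extractPublicKey(ztsImpl.privateKey.getKey())).build().parseClaimsJws(accessTokenStr);
    } catch (SignatureException e) {
        throw new AssertionError("role-based token signature did not verify against the ZTS public key", e);
    }
    assertNotNull(claims);
    Claims body = claims.getBody();
    // TestNG assertEquals is (actual, expected).
    assertEquals(body.getAudience(), "coretech");
    assertEquals(body.getIssuer(), ztsImpl.ztsOAuthIssuer);
    // Claims.get returns Object; the cast is pinned by the assertions below.
    @SuppressWarnings("unchecked")
    List<String> scopes = (List<String>) body.get("scp");
    assertNotNull(scopes);
    assertEquals(scopes.size(), 1);
    assertEquals(scopes.get(0), "writers");
    assertEquals(body.get("authorization_details"), authzDetails);

    // next system based match
    authzDetails = "[{\"type\":\"proxy_access\",\"principal\":[\"spiffe://athenz/sa/api\"]}]";
    resp = ztsImpl.postAccessTokenRequest(context, "grant_type=client_credentials&scope=coretech:role.writers&authorization_details=" + authzDetails);
    assertNotNull(resp);
    assertNull(resp.getScope());
    accessTokenStr = resp.getAccess_token();
    assertNotNull(accessTokenStr);
    try {
        claims = Jwts.parserBuilder().setSigningKey(Crypto.extractPublicKey(ztsImpl.privateKey.getKey())).build().parseClaimsJws(accessTokenStr);
    } catch (SignatureException e) {
        throw new AssertionError("system-based token signature did not verify against the ZTS public key", e);
    }
    assertNotNull(claims);
    body = claims.getBody();
    assertEquals(body.getAudience(), "coretech");
    assertEquals(body.getIssuer(), ztsImpl.ztsOAuthIssuer);
    assertEquals(body.get("authorization_details"), authzDetails);

    // now match both - role and system based authz details
    authzDetails = "[{\"type\":\"message_access\",\"location\":[\"https://location1\"," + "\"https://location2\"],\"identifier\":\"id1\"}," + "{\"type\":\"proxy_access\",\"principal\":[\"spiffe://athenz.proxy/sa/api\"]}]";
    resp = ztsImpl.postAccessTokenRequest(context, "grant_type=client_credentials&scope=coretech:role.writers&authorization_details=" + authzDetails);
    assertNotNull(resp);
    assertNull(resp.getScope());
    accessTokenStr = resp.getAccess_token();
    assertNotNull(accessTokenStr);
    try {
        claims = Jwts.parserBuilder().setSigningKey(Crypto.extractPublicKey(ztsImpl.privateKey.getKey())).build().parseClaimsJws(accessTokenStr);
    } catch (SignatureException e) {
        throw new AssertionError("combined token signature did not verify against the ZTS public key", e);
    }
    assertNotNull(claims);
    body = claims.getBody();
    assertEquals(body.getAudience(), "coretech");
    assertEquals(body.getIssuer(), ztsImpl.ztsOAuthIssuer);
    assertEquals(body.get("authorization_details"), authzDetails);
}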
Also used : Claims(io.jsonwebtoken.Claims) SignatureException(io.jsonwebtoken.security.SignatureException) MockCloudStore(com.yahoo.athenz.zts.store.MockCloudStore) CloudStore(com.yahoo.athenz.zts.store.CloudStore) Principal(com.yahoo.athenz.auth.Principal) Test(org.testng.annotations.Test)

Example 19 with SignatureException

use of io.jsonwebtoken.security.SignatureException in project athenz by yahoo.

From class ZTSImplTest, method testGetOIDCResponseNoRulesGroups.

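@Test
public void testGetOIDCResponseNoRulesGroups() {
    // The private-key path is a process-wide system property; restore it in
    // a finally block so a failing constructor cannot leak it into later tests.
    System.setProperty(FilePrivateKeyStore.ATHENZ_PROP_PRIVATE_KEY, "src/test/resources/unit_test_zts_at_private.pem");
    CloudStore cloudStore = new CloudStore();
    cloudStore.setHttpClient(null);
    ZTSImpl ztsImpl;
    try {
        ztsImpl = new ZTSImpl(cloudStore, store);
    } finally {
        // set back to our zts rsa private key
        System.setProperty(FilePrivateKeyStore.ATHENZ_PROP_PRIVATE_KEY, "src/test/resources/unit_test_zts_private.pem");
    }

    Principal principal = SimplePrincipal.create("user_domain", "user", "v=U1;d=user_domain;n=user;s=signature", 0, null);
    ResourceContext context = createResourceContext(principal);
    SignedDomain signedDomain = createSignedDomain("coretech", "sports", "api", true);
    store.processSignedDomain(signedDomain, false);

    // Implicit-flow style request: the id_token comes back in the fragment of
    // the redirect Location header.
    Response response = ztsImpl.getOIDCResponse(context, "id_token", "coretech.api", "https://localhost:4443/zts", "openid", null, "nonce", "RSA");
    assertEquals(response.getStatus(), ResourceException.FOUND);
    String location = response.getHeaderString("Location");
    assertNotNull(location);
    // Fail loudly if the fragment is absent; an unchecked indexOf() of -1 would
    // otherwise feed a truncated header into the parser and produce a
    // misleading failure further down.
    final String fragmentMarker = "#id_token=";
    int idx = location.indexOf(fragmentMarker);
    if (idx < 0) {
        throw new AssertionError("Location header carries no id_token fragment: " + location);
    }
    String idToken = location.substring(idx + fragmentMarker.length());

    // Verify against the public half of the signing key. A bad signature is a
    // test failure; keep the cause instead of masking it as a 401.
    Jws<Claims> claims;
    try {
        claims = Jwts.parserBuilder().setSigningKey(Crypto.extractPublicKey(ztsImpl.privateKey.getKey())).build().parseClaimsJws(idToken);
    } catch (SignatureException e) {
        throw new AssertionError("id token signature did not verify against the ZTS public key", e);
    }
    assertNotNull(claims);
    Claims body = claims.getBody();
    // TestNG assertEquals is (actual, expected).
    assertEquals(body.getSubject(), "user_domain.user");
    assertEquals(body.getAudience(), "coretech.api");
    assertEquals(body.getIssuer(), ztsImpl.ztsOpenIDIssuer);
    // No group rules are configured for this domain, so no groups claim.
    @SuppressWarnings("unchecked")
    List<String> groups = (List<String>) body.get("groups");
    assertNull(groups);
}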
Also used : Claims(io.jsonwebtoken.Claims) SignatureException(io.jsonwebtoken.security.SignatureException) Response(javax.ws.rs.core.Response) HttpServletResponse(javax.servlet.http.HttpServletResponse) MockCloudStore(com.yahoo.athenz.zts.store.MockCloudStore) CloudStore(com.yahoo.athenz.zts.store.CloudStore) Principal(com.yahoo.athenz.auth.Principal) Test(org.testng.annotations.Test)

Example 20 with SignatureException

use of io.jsonwebtoken.security.SignatureException in project athenz by yahoo.

From class ZTSImplTest, method testPostAccessTokenRequestProxyUser.

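@Test
public void testPostAccessTokenRequestProxyUser() {
    // The private-key path is a process-wide system property; restore it in
    // a finally block so a failing constructor cannot leak it into later tests.
    System.setProperty(FilePrivateKeyStore.ATHENZ_PROP_PRIVATE_KEY, "src/test/resources/unit_test_zts_at_private.pem");
    CloudStore cloudStore = new CloudStore();
    cloudStore.setHttpClient(null);
    ZTSImpl ztsImpl;
    try {
        ztsImpl = new ZTSImpl(cloudStore, store);
    } finally {
        // set back to our zts rsa private key
        System.setProperty(FilePrivateKeyStore.ATHENZ_PROP_PRIVATE_KEY, "src/test/resources/unit_test_zts_private.pem");
    }

    // Both the proxy principal and the principal it acts for must be members
    // of the role for the proxied request to be honoured.
    List<RoleMember> writers = new ArrayList<>();
    writers.add(new RoleMember().setMemberName("user_domain.proxy-user1"));
    writers.add(new RoleMember().setMemberName("user_domain.joe"));
    List<RoleMember> readers = new ArrayList<>();
    readers.add(new RoleMember().setMemberName("user_domain.proxy-user2"));
    readers.add(new RoleMember().setMemberName("user_domain.jane"));
    SignedDomain signedDomain = createSignedDomain("coretech-proxy2", "weather-proxy2", "storage", writers, readers, true);
    store.processSignedDomain(signedDomain, false);

    // The caller is proxy-user1 requesting a token on behalf of joe.
    Principal principal = SimplePrincipal.create("user_domain", "proxy-user1", "v=U1;d=user_domain;n=proxy-user1;s=sig", 0, null);
    ResourceContext context = createResourceContext(principal);
    AccessTokenResponse resp = ztsImpl.postAccessTokenRequest(context, "grant_type=client_credentials&scope=coretech-proxy2:domain&proxy_for_principal=user_domain.joe");
    assertNotNull(resp);
    // TestNG assertEquals is (actual, expected).
    assertEquals(resp.getScope(), "coretech-proxy2:role.writers");
    String accessTokenStr = resp.getAccess_token();
    assertNotNull(accessTokenStr);

    // Verify against the public half of the signing key. A bad signature is a
    // test failure; keep the cause instead of masking it as a 401.
    Jws<Claims> claims;
    try {
        claims = Jwts.parserBuilder().setSigningKey(Crypto.extractPublicKey(ztsImpl.privateKey.getKey())).build().parseClaimsJws(accessTokenStr);
    } catch (SignatureException e) {
        throw new AssertionError("access token signature did not verify against the ZTS public key", e);
    }
    assertNotNull(claims);
    Claims body = claims.getBody();
    // The subject is the proxied-for principal; the proxy claim records who
    // actually requested the token.
    assertEquals(body.getSubject(), "user_domain.joe");
    assertEquals(body.get("proxy"), "user_domain.proxy-user1");
    assertEquals(body.getAudience(), "coretech-proxy2");
    assertEquals(body.getIssuer(), ztsImpl.ztsOAuthIssuer);
    // Claims.get returns Object; the cast is pinned by the assertions below.
    @SuppressWarnings("unchecked")
    List<String> scopes = (List<String>) body.get("scp");
    assertNotNull(scopes);
    assertEquals(scopes.size(), 1);
    assertEquals(scopes.get(0), "writers");
}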
Also used : Claims(io.jsonwebtoken.Claims) SignatureException(io.jsonwebtoken.security.SignatureException) MockCloudStore(com.yahoo.athenz.zts.store.MockCloudStore) CloudStore(com.yahoo.athenz.zts.store.CloudStore) Principal(com.yahoo.athenz.auth.Principal) Test(org.testng.annotations.Test)

Aggregations

SignatureException (io.jsonwebtoken.security.SignatureException)20 Claims (io.jsonwebtoken.Claims)17 CloudStore (com.yahoo.athenz.zts.store.CloudStore)15 MockCloudStore (com.yahoo.athenz.zts.store.MockCloudStore)15 Principal (com.yahoo.athenz.auth.Principal)14 Test (org.testng.annotations.Test)14 HttpServletResponse (javax.servlet.http.HttpServletResponse)3 Response (javax.ws.rs.core.Response)3 JWSObject (com.nimbusds.jose.JWSObject)2 AthenzObject (com.yahoo.athenz.zts.ZTSImpl.AthenzObject)2 ExpiredJwtException (io.jsonwebtoken.ExpiredJwtException)2 UnsupportedJwtException (io.jsonwebtoken.UnsupportedJwtException)2 Path (java.nio.file.Path)2 InvalidKeyException (java.security.InvalidKeyException)2 PublicKey (java.security.PublicKey)2 Signature (java.security.Signature)2 X509Certificate (java.security.cert.X509Certificate)2 ECPublicKey (java.security.interfaces.ECPublicKey)2 RSAPublicKey (java.security.interfaces.RSAPublicKey)2 Map (java.util.Map)2