
@Test
public void createsDbRecordForNewClient_whenConfigured() {
    // A certificate whose CN is not in the clients table should, when the
    // second argument to authenticate() is true (presumably the
    // "create missing client" switch -- inferred from the test name, confirm
    // against ClientAuthenticator), cause a clients row to be inserted and the
    // freshly loaded Client to be returned instead of a rejection.
    long freshId = 2345L;
    ApiDate stamp = ApiDate.now();
    Client expected = new Client(freshId, "new-client", "desc", null, stamp, "automatic", stamp, "automatic", null, null, true, false);

    // Lookup by name misses ...
    when(clientDAO.getClientByName("new-client")).thenReturn(Optional.empty());
    // ... so a row is created with createdBy "automatic" and the new id returned ...
    when(clientDAO.createClient(eq("new-client"), eq("automatic"), any(), any())).thenReturn(freshId);
    // ... and the authenticator re-reads the row by that id.
    when(clientDAO.getClientById(freshId)).thenReturn(Optional.of(expected));

    assertThat(authenticator.authenticate(SimplePrincipal.of("CN=new-client"), true))
        .isEqualTo(Optional.of(expected));
}

@Test(expected = NotAuthorizedException.class)
public void rejectsCertMatchingMultipleClients() {
    // A client certificate can identify its owner two ways: by CN and by
    // SPIFFE ID. When those resolve to two different client rows the identity
    // is ambiguous, and the authenticator must refuse rather than pick one;
    // silently choosing would let one cert act under another client's ACLs.
    // `client`, `clientName`, `clientSpiffe` and `certPrincipal` are fixtures
    // defined elsewhere in this test class.
    ApiDate stamp = ApiDate.now();
    Client conflicting = new Client(2345L, "other-client", "desc", null, stamp, "automatic", stamp, "automatic", null, null, true, false);

    // CN resolves to the fixture client, SPIFFE ID to a different one.
    when(clientDAO.getClientByName(clientName)).thenReturn(Optional.of(client));
    when(clientDAO.getClientBySpiffeId(clientSpiffe)).thenReturn(Optional.of(conflicting));

    // Must throw NotAuthorizedException (declared on @Test above).
    authenticator.authenticate(certPrincipal, true);
}

@Test
public void sawClientTest() {
    // Precondition: neither fixture client has a recorded sighting yet.
    assertThat(client1.getLastSeen()).isNull();
    assertThat(client2.getLastSeen()).isNull();

    // The DB column only stores whole seconds, so zero the nanos up front;
    // the value read back is compared for exact equality below.
    Instant certExpiry = Instant.now().with(NANO_OF_SECOND, 0);
    CertificatePrincipal principal = mock(CertificatePrincipal.class);
    when(principal.getCertificateExpiration()).thenReturn(certExpiry);

    ApiDate before = ApiDate.now();
    clientDAO.sawClient(client1, principal);

    // sawClient writes through to the DB only; the in-memory fixtures are
    // stale, so re-read both rows by name.
    Client seen = clientDAO.getClientByName(client1.getName()).get();
    Client untouched = clientDAO.getClientByName(client2.getName()).get();

    // Only client1 gains a lastSeen (no earlier than the call) and the
    // certificate's expiration ...
    assertThat(seen.getLastSeen()).isNotNull();
    assertTrue(seen.getLastSeen().toEpochSecond() >= before.toEpochSecond());
    assertThat(seen.getExpiration()).isNotNull();
    assertThat(seen.getExpiration().toInstant()).isEqualTo(certExpiry);

    // ... while client2 is left exactly as it was.
    assertThat(untouched.getLastSeen()).isNull();
    assertThat(untouched.getExpiration()).isNull();
}

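/**
 * Converts one joined row (secrets + secrets_content + clients + memberships +
 * accessgrants) into a {@link SanitizedSecret} for {@code client}, after
 * verifying the row HMAC of every table that contributed to the join.
 *
 * <p>Row HMACs exist so that a party with write access to the database but no
 * access to the HMAC key cannot forge a secret, re-point a client, or grant
 * itself a membership/access grant. The policy on mismatch is taken from
 * {@code config.getRowHmacCheck()}: DISABLED_BUT_LOG warns, ENFORCED throws,
 * anything else is silent.
 *
 * @param row    a joined jOOQ record; must expose SECRETS, SECRETS_CONTENT,
 *               CLIENTS, MEMBERSHIPS and ACCESSGRANTS columns
 * @param client the client the row was selected for (its name/id are what
 *               the CLIENTS and MEMBERSHIPS HMACs are recomputed over)
 * @return the sanitized (content-free) view of the secret
 * @throws AssertionError if any row HMAC mismatches and the check is ENFORCED
 */
private SanitizedSecret processSanitizedSecretRow(Record row, Client client) {
    SecretSeries series = secretSeriesMapper.map(row.into(SECRETS));

    // Each HMAC is recomputed over the same columns the writer keyed it over;
    // the key material and encoding are owned by rowHmacGenerator.
    String secretHmac = rowHmacGenerator.computeRowHmac(SECRETS.getName(),
        List.of(row.getValue(SECRETS.NAME), row.getValue(SECRETS.ID)));
    verifyRowHmac(secretHmac, row.getValue(SECRETS.ROW_HMAC),
        "Secret HMAC verification failed for secret: %s", row.getValue(SECRETS.NAME));

    String clientHmac = rowHmacGenerator.computeRowHmac(CLIENTS.getName(),
        List.of(client.getName(), client.getId()));
    verifyRowHmac(clientHmac, row.getValue(CLIENTS.ROW_HMAC),
        "Client HMAC verification failed for client: %s", client.getName());

    String membershipsHmac = rowHmacGenerator.computeRowHmac(MEMBERSHIPS.getName(),
        List.of(client.getId(), row.getValue(MEMBERSHIPS.GROUPID)));
    verifyRowHmac(membershipsHmac, row.getValue(MEMBERSHIPS.ROW_HMAC),
        "Memberships HMAC verification failed for clientId: %d in groupId: %d",
        client.getId(), row.getValue(MEMBERSHIPS.GROUPID));

    String accessgrantsHmac = rowHmacGenerator.computeRowHmac(ACCESSGRANTS.getName(),
        List.of(row.getValue(MEMBERSHIPS.GROUPID), row.getValue(SECRETS.ID)));
    verifyRowHmac(accessgrantsHmac, row.getValue(ACCESSGRANTS.ROW_HMAC),
        "Access Grants HMAC verification failed for groupId: %d in secretId: %d",
        row.getValue(MEMBERSHIPS.GROUPID), row.getValue(SECRETS.ID));

    // Only the content HMAC and metadata are exposed -- never the content itself.
    return SanitizedSecret.of(
        series.id(),
        series.name(),
        series.owner(),
        series.description(),
        row.getValue(SECRETS_CONTENT.CONTENT_HMAC),
        series.createdAt(),
        series.createdBy(),
        series.updatedAt(),
        series.updatedBy(),
        secretContentMapper.tryToReadMapFromMetadata(row.getValue(SECRETS_CONTENT.METADATA)),
        series.type().orElse(null),
        series.generationOptions(),
        row.getValue(SECRETS_CONTENT.EXPIRY),
        series.currentVersion().orElse(null),
        new ApiDate(row.getValue(SECRETS_CONTENT.CREATEDAT)),
        row.getValue(SECRETS_CONTENT.CREATEDBY));
}

/**
 * Compares a freshly computed row HMAC with the value stored on the row and
 * applies the configured mismatch policy. The error message is only formatted
 * on mismatch, so the happy path pays nothing for it.
 *
 * @param computed      HMAC recomputed from the row's current column values
 * @param stored        value of the row's ROW_HMAC column; may be null
 * @param messageFormat {@link String#format} pattern for the failure message
 * @param messageArgs   arguments for {@code messageFormat}
 * @throws AssertionError on mismatch when the check is ENFORCED
 */
private void verifyRowHmac(String computed, String stored, String messageFormat, Object... messageArgs) {
    // computed.equals(stored), not the reverse: a NULL row_hmac column must
    // count as a mismatch rather than NPE. String.equals is not constant-time;
    // that is acceptable here because both operands are server-side values
    // (stored column vs. recomputation), not attacker-supplied input --
    // revisit if row_hmac is ever compared against a caller-provided value.
    if (computed.equals(stored)) {
        return;
    }
    String errorMessage = String.format(messageFormat, messageArgs);
    RowHmacCheck mode = config.getRowHmacCheck();
    if (mode == RowHmacCheck.DISABLED_BUT_LOG) {
        logger.warn(errorMessage);
    }
    if (mode == RowHmacCheck.ENFORCED) {
        throw new AssertionError(errorMessage);
    }
}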

/**
 * Builds the API-level {@link Client} from a clients table record.
 *
 * <p>{@code lastseen} and {@code expiration} are nullable columns (a client
 * row with no recorded sighting has neither), so they are wrapped only when
 * present. Every other timestamp column is treated as NOT NULL and wrapped
 * directly; a NULL there would surface as an exception from ApiDate's
 * constructor rather than a null field.
 *
 * @param r the jOOQ record for one clients row
 * @return the corresponding Client model object
 */
public Client map(ClientsRecord r) {
    ApiDate lastSeen = null;
    if (r.getLastseen() != null) {
        lastSeen = new ApiDate(r.getLastseen());
    }

    ApiDate expiration = null;
    if (r.getExpiration() != null) {
        expiration = new ApiDate(r.getExpiration());
    }

    ApiDate createdAt = new ApiDate(r.getCreatedat());
    ApiDate updatedAt = new ApiDate(r.getUpdatedat());

    return new Client(
        r.getId(),
        r.getName(),
        r.getDescription(),
        r.getSpiffeId(),
        createdAt,
        r.getCreatedby(),
        updatedAt,
        r.getUpdatedby(),
        lastSeen,
        expiration,
        r.getEnabled(),
        r.getAutomationallowed());
}