use of keywhiz.api.ApiDate in project keywhiz by square.
the class ClientAuthenticatorTest method createsDbRecordForNewClient_whenConfigured.
@Test
public void createsDbRecordForNewClient_whenConfigured() {
  ApiDate timestamp = ApiDate.now();
  Client created = new Client(2345L, "new-client", "desc", null, timestamp, "automatic",
      timestamp, "automatic", null, null, true, false);

  // No row exists for this name, so the authenticator has to fall through to creation.
  when(clientDAO.getClientByName("new-client")).thenReturn(Optional.empty());
  // Creation hands back the new id; the follow-up lookup by id returns the stored client.
  when(clientDAO.createClient(eq("new-client"), eq("automatic"), any(), any())).thenReturn(2345L);
  when(clientDAO.getClientById(2345L)).thenReturn(Optional.of(created));

  // The principal carries only the CN; with auto-creation enabled the result is the new client.
  assertThat(authenticator.authenticate(SimplePrincipal.of("CN=new-client"), true))
      .isEqualTo(Optional.of(created));
}
use of keywhiz.api.ApiDate in project keywhiz by square.
the class ClientAuthenticatorTest method rejectsCertMatchingMultipleClients.
@Test(expected = NotAuthorizedException.class)
public void rejectsCertMatchingMultipleClients() {
  ApiDate timestamp = ApiDate.now();
  Client conflicting = new Client(2345L, "other-client", "desc", null, timestamp, "automatic",
      timestamp, "automatic", null, null, true, false);

  // The name lookup and the SPIFFE-id lookup resolve to two different client rows; the
  // authenticator must refuse rather than silently pick one of them.
  when(clientDAO.getClientBySpiffeId(clientSpiffe)).thenReturn(Optional.of(conflicting));
  when(clientDAO.getClientByName(clientName)).thenReturn(Optional.of(client));

  authenticator.authenticate(certPrincipal, true);
}
use of keywhiz.api.ApiDate in project keywhiz by square.
the class ClientDAOTest method sawClientTest.
@Test
public void sawClientTest() {
  // Precondition: neither fixture client has been seen yet.
  assertThat(client1.getLastSeen()).isNull();
  assertThat(client2.getLastSeen()).isNull();

  // The database stores whole seconds, so strip nanos up front; this allows an exact
  // comparison against the expiration read back from the DB.
  Instant rawExpiry = Instant.now();
  Instant certExpiry = rawExpiry.minusNanos(rawExpiry.get(NANO_OF_SECOND));
  CertificatePrincipal presentedCert = mock(CertificatePrincipal.class);
  when(presentedCert.getCertificateExpiration()).thenReturn(certExpiry);

  ApiDate before = ApiDate.now();
  clientDAO.sawClient(client1, presentedCert);

  // sawClient only writes to the DB; the in-memory fixtures are stale, so reload both.
  Client reloadedClient1 = clientDAO.getClientByName(client1.getName()).get();
  Client reloadedClient2 = clientDAO.getClientByName(client2.getName()).get();

  // The observed client gets lastSeen and the presented cert's expiration ...
  assertThat(reloadedClient1.getLastSeen()).isNotNull();
  assertThat(reloadedClient1.getLastSeen().toEpochSecond())
      .isGreaterThanOrEqualTo(before.toEpochSecond());
  assertThat(reloadedClient1.getExpiration()).isNotNull();
  assertThat(reloadedClient1.getExpiration().toInstant()).isEqualTo(certExpiry);

  // ... while the other client is left untouched.
  assertThat(reloadedClient2.getLastSeen()).isNull();
  assertThat(reloadedClient2.getExpiration()).isNull();
}
use of keywhiz.api.ApiDate in project keywhiz by square.
the class AclDAO method processSanitizedSecretRow.
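/**
 * Maps one joined row (SECRETS, SECRETS_CONTENT, CLIENTS, MEMBERSHIPS, ACCESSGRANTS) to a
 * {@link SanitizedSecret}, first verifying the row HMAC of every table that contributed to
 * the access decision for this client.
 *
 * <p>How a mismatch is handled depends on {@code config.getRowHmacCheck()}:
 * {@code DISABLED_BUT_LOG} logs a warning, {@code ENFORCED} throws an {@link AssertionError},
 * and any other mode ignores the mismatch. The HMACs are computed in every mode; only the
 * reaction to a mismatch changes.
 *
 * @param row joined record holding the SECRETS, SECRETS_CONTENT, CLIENTS, MEMBERSHIPS and
 *     ACCESSGRANTS columns read below
 * @param client the client whose CLIENTS and MEMBERSHIPS rows are being verified
 * @return the sanitized secret built from {@code row}
 * @throws AssertionError if a row HMAC does not match and the check mode is ENFORCED
 */
private SanitizedSecret processSanitizedSecretRow(Record row, Client client) {
  // Read the mode once so all four checks on this row react the same way.
  RowHmacCheck mode = config.getRowHmacCheck();
  SecretSeries series = secretSeriesMapper.map(row.into(SECRETS));

  verifyRowHmac(mode,
      rowHmacGenerator.computeRowHmac(SECRETS.getName(),
          List.of(row.getValue(SECRETS.NAME), row.getValue(SECRETS.ID))),
      row.getValue(SECRETS.ROW_HMAC),
      "Secret HMAC verification failed for secret: %s", row.getValue(SECRETS.NAME));

  verifyRowHmac(mode,
      rowHmacGenerator.computeRowHmac(CLIENTS.getName(),
          List.of(client.getName(), client.getId())),
      row.getValue(CLIENTS.ROW_HMAC),
      "Client HMAC verification failed for client: %s", client.getName());

  verifyRowHmac(mode,
      rowHmacGenerator.computeRowHmac(MEMBERSHIPS.getName(),
          List.of(client.getId(), row.getValue(MEMBERSHIPS.GROUPID))),
      row.getValue(MEMBERSHIPS.ROW_HMAC),
      "Memberships HMAC verification failed for clientId: %d in groupId: %d",
      client.getId(), row.getValue(MEMBERSHIPS.GROUPID));

  verifyRowHmac(mode,
      rowHmacGenerator.computeRowHmac(ACCESSGRANTS.getName(),
          List.of(row.getValue(MEMBERSHIPS.GROUPID), row.getValue(SECRETS.ID))),
      row.getValue(ACCESSGRANTS.ROW_HMAC),
      "Access Grants HMAC verification failed for groupId: %d in secretId: %d",
      row.getValue(MEMBERSHIPS.GROUPID), row.getValue(SECRETS.ID));

  return SanitizedSecret.of(
      series.id(),
      series.name(),
      series.owner(),
      series.description(),
      row.getValue(SECRETS_CONTENT.CONTENT_HMAC),
      series.createdAt(),
      series.createdBy(),
      series.updatedAt(),
      series.updatedBy(),
      secretContentMapper.tryToReadMapFromMetadata(row.getValue(SECRETS_CONTENT.METADATA)),
      series.type().orElse(null),
      series.generationOptions(),
      row.getValue(SECRETS_CONTENT.EXPIRY),
      series.currentVersion().orElse(null),
      new ApiDate(row.getValue(SECRETS_CONTENT.CREATEDAT)),
      row.getValue(SECRETS_CONTENT.CREATEDBY));
}

/**
 * Compares a freshly computed row HMAC against the value stored in the row and reacts to a
 * mismatch according to {@code mode}: warn for {@code DISABLED_BUT_LOG}, throw for
 * {@code ENFORCED}, nothing otherwise. The error message is only formatted on mismatch.
 *
 * @param mode the configured row HMAC check mode
 * @param computedHmac HMAC recomputed from the row's key columns; must not be null
 * @param storedHmac HMAC column read from the row; {@code null} counts as a mismatch
 * @param messageFormat {@link String#format} pattern for the mismatch message
 * @param messageArgs arguments for {@code messageFormat}
 * @throws AssertionError on mismatch when {@code mode} is ENFORCED
 */
private void verifyRowHmac(RowHmacCheck mode, String computedHmac, String storedHmac,
    String messageFormat, Object... messageArgs) {
  if (rowHmacMatches(computedHmac, storedHmac)) {
    return;
  }
  String errorMessage = String.format(messageFormat, messageArgs);
  if (mode == RowHmacCheck.DISABLED_BUT_LOG) {
    logger.warn(errorMessage);
  }
  if (mode == RowHmacCheck.ENFORCED) {
    throw new AssertionError(errorMessage);
  }
}

/**
 * Constant-time equality for row HMAC strings, so the number of leading bytes a tampered
 * stored HMAC shares with the genuine one is not observable through timing.
 *
 * @param computedHmac the recomputed HMAC; must not be null
 * @param storedHmac the stored HMAC, possibly null (legacy rows without one)
 * @return {@code true} only if both are non-null and byte-for-byte equal as UTF-8
 */
private static boolean rowHmacMatches(String computedHmac, String storedHmac) {
  if (storedHmac == null) {
    return false;
  }
  return java.security.MessageDigest.isEqual(
      computedHmac.getBytes(java.nio.charset.StandardCharsets.UTF_8),
      storedHmac.getBytes(java.nio.charset.StandardCharsets.UTF_8));
}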
use of keywhiz.api.ApiDate in project keywhiz by square.
the class ClientMapper method map.
/**
 * Converts a jOOQ {@code ClientsRecord} into the API {@link Client} model.
 *
 * <p>{@code lastseen} and {@code expiration} are nullable columns and are wrapped in an
 * {@link ApiDate} only when present; {@code createdat} and {@code updatedat} are wrapped
 * unconditionally.
 *
 * @param r the database row to convert
 * @return the equivalent {@link Client}
 */
public Client map(ClientsRecord r) {
  ApiDate lastSeen = r.getLastseen() == null ? null : new ApiDate(r.getLastseen());
  ApiDate expiration = r.getExpiration() == null ? null : new ApiDate(r.getExpiration());
  ApiDate createdAt = new ApiDate(r.getCreatedat());
  ApiDate updatedAt = new ApiDate(r.getUpdatedat());
  return new Client(
      r.getId(), r.getName(), r.getDescription(), r.getSpiffeId(),
      createdAt, r.getCreatedby(), updatedAt, r.getUpdatedby(),
      lastSeen, expiration, r.getEnabled(), r.getAutomationallowed());
}