
Example 1 with CertificatePrincipal

use of keywhiz.auth.mutualssl.CertificatePrincipal in project keywhiz by square.

Class ClientAuthFactoryTest, method setUp.

@Before
public void setUp() throws Exception {
    // Both PEM fixtures are decoded with one X.509 factory and wrapped as the principal
    // a mutual-TLS handshake would have produced for that certificate.
    CertificateFactory x509 = CertificateFactory.getInstance("X.509");
    clientPrincipal = certPrincipalForFixture(decodeFixtureCert(x509, clientPem));
    xfccPrincipal = certPrincipalForFixture(decodeFixtureCert(x509, xfccPem));

    factory = new ClientAuthFactory(clientDAO, clientAuthConfig);

    // Request and DAO stubs: a single known client, resolvable by name or by SPIFFE id.
    when(request.getSecurityContext()).thenReturn(securityContext);
    when(clientDAO.getClientByName(clientName)).thenReturn(Optional.of(client));
    when(clientDAO.getClientBySpiffeId(new URI(clientSpiffe))).thenReturn(Optional.of(client));

    // Auth-config stubs: exactly one trusted XFCC source (port, allowed names, allowed SPIFFE
    // ids), no auto-creation of unknown clients, and both CN and SPIFFE lookups enabled.
    when(clientAuthConfig.xfccConfigs()).thenReturn(List.of(xfccSourceConfig));
    when(clientAuthConfig.typeConfig()).thenReturn(clientAuthTypeConfig);
    when(clientAuthConfig.createMissingClients()).thenReturn(false);
    when(xfccSourceConfig.port()).thenReturn(xfccAllowedPort);
    when(xfccSourceConfig.allowedClientNames()).thenReturn(List.of(xfccName));
    when(xfccSourceConfig.allowedSpiffeIds()).thenReturn(List.of(xfccSpiffe));
    when(clientAuthTypeConfig.useCommonName()).thenReturn(true);
    when(clientAuthTypeConfig.useSpiffeId()).thenReturn(true);
}

/** Decodes a single PEM-encoded certificate fixture into an {@link X509Certificate}. */
private static X509Certificate decodeFixtureCert(CertificateFactory cf, String pem) throws Exception {
    return (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(pem.getBytes(UTF_8)));
}

/**
 * Wraps one certificate as a {@link CertificatePrincipal} named by its subject DN.
 * {@code getSubjectDN()} is deprecated and its string form is implementation-specific;
 * it is kept here because the principal name must match what production code derives.
 */
private static CertificatePrincipal certPrincipalForFixture(X509Certificate cert) {
    return new CertificatePrincipal(cert.getSubjectDN().toString(), new X509Certificate[] { cert });
}

Example 2 with CertificatePrincipal

use of keywhiz.auth.mutualssl.CertificatePrincipal in project keywhiz by square.

Class ClientAuthenticatorTest, method ignoresMultipleUris.

@Test
public void ignoresMultipleUris() throws Exception {
    // Build a principal from the fixture certificate that carries several (malformatted) URIs.
    CertificateFactory x509 = CertificateFactory.getInstance("X.509");
    byte[] pemBytes = multipleUriPem.getBytes(UTF_8);
    X509Certificate cert = (X509Certificate) x509.generateCertificate(new ByteArrayInputStream(pemBytes));
    Principal principal = new CertificatePrincipal(cert.getSubjectDN().toString(), new X509Certificate[] { cert });

    // Turn CN matching off so the URIs are the only identity the authenticator may use;
    // resolving a client from them is expected to fail.
    when(clientAuthTypeConfig.useCommonName()).thenReturn(false);
    when(clientAuthTypeConfig.useSpiffeId()).thenReturn(true);

    assertThat(authenticator.authenticate(principal, false)).isEmpty();
    // A malformatted identity must be rejected before any lookup reaches the DAO.
    verifyNoInteractions(clientDAO);
}

Example 3 with CertificatePrincipal

use of keywhiz.auth.mutualssl.CertificatePrincipal in project keywhiz by square.

Class ClientDAOTest, method sawClientTest.

@Test
public void sawClientTest() {
    // Precondition: neither client has been seen yet.
    assertThat(client1.getLastSeen()).isNull();
    assertThat(client2.getLastSeen()).isNull();

    // The database stores expiration at second precision, so strip the nanos up front;
    // otherwise the round-trip equality check at the end could never hold.
    Instant rawExpiration = Instant.now();
    Instant expiration = rawExpiration.minusNanos(rawExpiration.get(NANO_OF_SECOND));

    // A certificate-backed principal is the only kind that carries an expiration.
    CertificatePrincipal principal = mock(CertificatePrincipal.class);
    when(principal.getCertificateExpiration()).thenReturn(expiration);

    ApiDate beforeCall = ApiDate.now();
    clientDAO.sawClient(client1, principal);

    // sawClient writes through to the DB and leaves the in-memory objects alone, so reload both.
    Client seenClient = clientDAO.getClientByName(client1.getName()).get();
    Client untouchedClient = clientDAO.getClientByName(client2.getName()).get();

    // client1: lastSeen set no earlier than the call, expiration round-tripped exactly.
    assertThat(seenClient.getLastSeen()).isNotNull();
    assertTrue(seenClient.getLastSeen().toEpochSecond() >= beforeCall.toEpochSecond());
    assertThat(seenClient.getExpiration()).isNotNull();
    assertThat(seenClient.getExpiration().toInstant()).isEqualTo(expiration);

    // client2: completely unaffected by the update to client1.
    assertThat(untouchedClient.getLastSeen()).isNull();
    assertThat(untouchedClient.getExpiration()).isNull();
}

Example 4 with CertificatePrincipal

use of keywhiz.auth.mutualssl.CertificatePrincipal in project keywhiz by square.

Class ClientDAO, method sawClient.

public void sawClient(Client client, @Nullable Principal principal) {
    Instant now = Instant.now();

    // Second-granularity view of the stored lastSeen; a client never seen before counts as EPOCH
    // so that the threshold check below always passes for it.
    Instant lastSeen = Optional.ofNullable(client.getLastSeen())
        .map(seen -> Instant.ofEpochSecond(seen.toEpochSecond()))
        .orElse(EPOCH);

    // Only a certificate-backed principal carries an expiration. Any other principal
    // (including null) is recorded as EPOCH rather than leaving the column untouched.
    final Instant expiration = principal instanceof CertificatePrincipal
        ? ((CertificatePrincipal) principal).getCertificateExpiration()
        : EPOCH;

    // lastSeen is deliberately coarse: while the previous sighting is still within
    // LAST_SEEN_THRESHOLD no row is written at all, which also defers the expiration update.
    if (!now.isAfter(lastSeen.plus(LAST_SEEN_THRESHOLD))) {
        return;
    }

    dslContext.transaction(txn -> {
        Param<Long> seenParam = DSL.val(now.getEpochSecond(), CLIENTS.LASTSEEN);
        Param<Long> expiresParam = DSL.val(expiration.getEpochSecond(), CLIENTS.EXPIRATION);
        // greatest() keeps LASTSEEN from ever moving backwards; EXPIRATION is overwritten
        // unconditionally with whatever this principal presented.
        DSL.using(txn)
            .update(CLIENTS)
            .set(CLIENTS.LASTSEEN,
                when(CLIENTS.LASTSEEN.isNull(), seenParam)
                    .otherwise(greatest(CLIENTS.LASTSEEN, seenParam)))
            .set(CLIENTS.EXPIRATION, expiresParam)
            .where(CLIENTS.ID.eq(client.getId()))
            .execute();
    });
}

Example 5 with CertificatePrincipal

use of keywhiz.auth.mutualssl.CertificatePrincipal in project keywhiz by square.

Class ClientAuthFactory, method authenticateClientFromXfccHeader.

/**
 * Extracts client information from the XFCC header and retrieves the client if present, throwing
 * exceptions if the header is malformatted or the client is absent.
 *
 * <p>The header content is taken at face value here: this method does not itself check that the
 * request came from a trusted XFCC source, so that check is presumably made by the caller before
 * this is reached — confirm against the call site.
 *
 * @param xfccHeaderValues all values of the XFCC header present on the request
 * @return the client identified by the forwarded certificate
 * @throws NotAuthorizedException if no certificate can be parsed from the header values
 */
private Client authenticateClientFromXfccHeader(List<String> xfccHeaderValues) {
    X509Certificate forwardedCert = getClientCertFromXfccHeaderEnvoyFormatted(xfccHeaderValues)
        .orElseThrow(() -> new NotAuthorizedException(
            format("unable to parse client certificate from %s header", XFCC_HEADER_NAME)));

    // getSubjectDN() is deprecated and its string form is implementation-specific; it is used
    // here so the principal name is derived the same way as elsewhere in this code base.
    String subjectName = forwardedCert.getSubjectDN().toString();
    X509Certificate[] chain = { forwardedCert };
    return authenticateClientFromPrincipal(new CertificatePrincipal(subjectName, chain));
}
