Example 1 with SpiffePrincipal

Use of keywhiz.auth.mutualssl.SpiffePrincipal in project keywhiz by square.

The class ClientAuthenticatorTest, method createsDbRecordForNewClient_whenConfigured_spiffePrincipal.

@Test
public void createsDbRecordForNewClient_whenConfigured_spiffePrincipal() throws URISyntaxException {
    ApiDate now = ApiDate.now();
    Client newClient = new Client(2345L, "new-client", "desc", null, now, "automatic", now, "automatic", null, null, true, false);
    // lookup doesn't find client
    when(clientDAO.getClientByName("new-client")).thenReturn(Optional.empty());
    // a new DB record is created
    when(clientDAO.createClient(eq("new-client"), eq("automatic"), any(), any())).thenReturn(2345L);
    when(clientDAO.getClientById(2345L)).thenReturn(Optional.of(newClient));
    // with automatic client creation enabled (boolean argument true), the SPIFFE principal resolves to the newly created client
    assertThat(authenticator.authenticate(new SpiffePrincipal(new URI("spiffe://example.org/new-client")), true)).isEqualTo(Optional.of(newClient));
}
Also used: ApiDate(keywhiz.api.ApiDate) Client(keywhiz.api.model.Client) URI(java.net.URI) SpiffePrincipal(keywhiz.auth.mutualssl.SpiffePrincipal) Test(org.junit.Test)

Example 2 with SpiffePrincipal

Use of keywhiz.auth.mutualssl.SpiffePrincipal in project keywhiz by square.

The class ClientAuthenticator, method getClientName.

static Optional<String> getClientName(Principal principal) {
    // A SPIFFE principal already carries the client name derived from its SPIFFE ID
    if (principal instanceof SpiffePrincipal) {
        return Optional.of(((SpiffePrincipal) principal).getClientName());
    }
    // Otherwise the principal name is the X.500 distinguished name from the client certificate;
    // parse it and use the first CN attribute as the client name
    X500Name name = new X500Name(principal.getName());
    RDN[] rdns = name.getRDNs(BCStyle.CN);
    if (rdns.length == 0) {
        // no CN present: the client cannot be identified by name
        return Optional.empty();
    }
    return Optional.of(IETFUtils.valueToString(rdns[0].getFirst().getValue()));
}
Also used: X500Name(org.bouncycastle.asn1.x500.X500Name) RDN(org.bouncycastle.asn1.x500.RDN) SpiffePrincipal(keywhiz.auth.mutualssl.SpiffePrincipal)

Example 3 with SpiffePrincipal

Use of keywhiz.auth.mutualssl.SpiffePrincipal in project keywhiz by square.

The class ClientAuthFactory, method authenticateClientFromCallerSpiffeIdHeader.

/**
 * Extracts client information from the callerSpiffeIdHeader and retrieves the client if present,
 * throwing exceptions if the header is malformed or the client is absent.
 */
private Client authenticateClientFromCallerSpiffeIdHeader(ContainerRequest containerRequest, String header) {
    // Retrieve the client's SPIFFE ID from the input header; reject the request if it cannot be parsed
    URI callerSpiffeId = ClientAuthenticator.getSpiffeIdFromHeader(containerRequest, header)
        .orElseThrow(() -> new NotAuthorizedException(format("unable to parse client SPIFFE ID from %s header", header)));
    // Wrap the SPIFFE ID as a principal and run the usual client lookup against it
    SpiffePrincipal spiffePrincipal = new SpiffePrincipal(callerSpiffeId);
    return authenticateClientFromPrincipal(spiffePrincipal);
}
Also used: NotAuthorizedException(javax.ws.rs.NotAuthorizedException) URI(java.net.URI) SpiffePrincipal(keywhiz.auth.mutualssl.SpiffePrincipal)

Example 4 with SpiffePrincipal

Use of keywhiz.auth.mutualssl.SpiffePrincipal in project keywhiz by square.

The class ClientAuthenticatorTest, method doesNotCreateDbRecordForNewClient_whenNotConfigured_spiffePrincipal.

@Test
public void doesNotCreateDbRecordForNewClient_whenNotConfigured_spiffePrincipal() throws URISyntaxException {
    ApiDate now = ApiDate.now();
    Client newClient = new Client(2345L, "new-client", "desc", null, now, "automatic", now, "automatic", null, null, true, false);
    // lookup doesn't find client
    when(clientDAO.getClientByName("new-client")).thenReturn(Optional.empty());
    // a new DB record should not be created, but mock the DAO to create a client if called
    when(clientDAO.createClient(eq("new-client"), eq("automatic"), any(), any())).thenReturn(2345L);
    when(clientDAO.getClientById(2345L)).thenReturn(Optional.of(newClient));
    // with automatic client creation disabled (boolean argument false), an unknown SPIFFE principal is not authenticated
    assertThat(authenticator.authenticate(new SpiffePrincipal(new URI("spiffe://example.org/new-client")), false)).isEmpty();
    // the authenticator should not have tried to create the new client
    verify(clientDAO, never()).createClient(anyString(), anyString(), anyString(), any());
}
Also used: ApiDate(keywhiz.api.ApiDate) Client(keywhiz.api.model.Client) URI(java.net.URI) SpiffePrincipal(keywhiz.auth.mutualssl.SpiffePrincipal) Test(org.junit.Test)

Example 5 with SpiffePrincipal

Use of keywhiz.auth.mutualssl.SpiffePrincipal in project keywhiz by square.

The class ClientAuthenticatorTest, method setUp.

@Before
public void setUp() throws Exception {
    clientSpiffe = new URI(clientSpiffeStr);
    // Parse the PEM-encoded test certificate and build a certificate-backed principal from its subject DN
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    X509Certificate clientCert = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(clientPem.getBytes(UTF_8)));
    certPrincipal = new CertificatePrincipal(clientCert.getSubjectDN().toString(), new X509Certificate[] { clientCert });
    // Build the equivalent SPIFFE-backed principal for the same test client
    spiffePrincipal = new SpiffePrincipal(new URI(clientSpiffeStr));
    authenticator = new ClientAuthenticator(clientDAO, clientDAO, clientAuthConfig);
    // The DAO resolves the test client both by name (CN) and by SPIFFE ID
    when(clientDAO.getClientByName(clientName)).thenReturn(Optional.of(client));
    when(clientDAO.getClientBySpiffeId(clientSpiffe)).thenReturn(Optional.of(client));
    // Both identification methods are enabled in the authenticator configuration
    when(clientAuthConfig.typeConfig()).thenReturn(clientAuthTypeConfig);
    when(clientAuthTypeConfig.useCommonName()).thenReturn(true);
    when(clientAuthTypeConfig.useSpiffeId()).thenReturn(true);
}
Also used: ByteArrayInputStream(java.io.ByteArrayInputStream) CertificatePrincipal(keywhiz.auth.mutualssl.CertificatePrincipal) URI(java.net.URI) CertificateFactory(java.security.cert.CertificateFactory) X509Certificate(java.security.cert.X509Certificate) SpiffePrincipal(keywhiz.auth.mutualssl.SpiffePrincipal) Before(org.junit.Before)

Aggregations (type, number of examples above that use it)

SpiffePrincipal (keywhiz.auth.mutualssl.SpiffePrincipal): 5
URI (java.net.URI): 4
ApiDate (keywhiz.api.ApiDate): 2
Client (keywhiz.api.model.Client): 2
Test (org.junit.Test): 2
ByteArrayInputStream (java.io.ByteArrayInputStream): 1
CertificateFactory (java.security.cert.CertificateFactory): 1
X509Certificate (java.security.cert.X509Certificate): 1
NotAuthorizedException (javax.ws.rs.NotAuthorizedException): 1
CertificatePrincipal (keywhiz.auth.mutualssl.CertificatePrincipal): 1
RDN (org.bouncycastle.asn1.x500.RDN): 1
X500Name (org.bouncycastle.asn1.x500.X500Name): 1
Before (org.junit.Before): 1