use of uk.gov.ida.hub.config.domain.Certificate in project verify-hub by alphagov.
the class CertificateExpiryDateCheckService method run.
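/**
 * Refreshes the expiry-date gauge for every certificate known to {@code certificateService},
 * then stamps {@code lastUpdatedGauge} with the time this run started.
 *
 * <p>Per-certificate failures are logged and skipped so that one unparseable or otherwise
 * broken certificate does not stop the remaining certificates from being reported. A failure
 * to obtain the certificate set at all is logged as an error and the run ends without
 * touching {@code lastUpdatedGauge}.
 */
@Override
public void run() {
    try {
        final Set<Certificate> certificates = certificateService.getAllCertificates();
        // The gauge API takes a double; epoch millis are far inside the range a double holds exactly.
        final double timestamp = DateTime.now(DateTimeZone.UTC).getMillis();
        for (Certificate certificate : certificates) {
            try {
                setExpiryDateGauge(certificate);
            } catch (CertificateException e) {
                // Pass the exception through: the X.509 parse failure is what an operator needs
                // to diagnose which field of the certificate is malformed.
                LOG.error(String.format("Invalid X.509 certificate [issuer id: %s]", certificate.getIssuerEntityId()), e);
            } catch (Exception e) {
                // A null element in the set reaches here via NPE; only name the issuer when we can.
                if (Objects.nonNull(certificate)) {
                    // TODO: change this back to error; once we figure how to deal with this in https://govukverify.atlassian.net/browse/HUB-457.
                    LOG.warn(String.format("Unable to set certificate expiry date metrics for the certificate [issuer id: %s]", certificate.getIssuerEntityId()), e);
                } else {
                    LOG.error("Unable to set certificate expiry date metrics.", e);
                }
            }
        }
        lastUpdatedGauge.set(timestamp);
        LOG.info("Updated Certificates Expiry Dates Metrics.");
    } catch (Exception e) {
        LOG.error("Failed to update Certificates Expiry Dates Metrics.", e);
    }
}

/**
 * Sets the expiry-date gauge sample for one certificate, labelled by issuer, use, subject,
 * fingerprint and serial number, to the certificate's not-after time in epoch millis.
 *
 * @param certificate the certificate whose expiry is being exported
 * @throws CertificateException if the certificate's X.509 fields cannot be read
 */
private void setExpiryDateGauge(Certificate certificate) throws CertificateException {
    expiryDateGauge
            .labels(
                    certificate.getIssuerEntityId(),
                    certificate.getCertificateUse().toString(),
                    certificate.getSubject(),
                    certificate.getFingerprint(),
                    String.valueOf(certificate.getSerialNumber()))
            .set(certificate.getNotAfter().getTime());
}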
use of uk.gov.ida.hub.config.domain.Certificate in project verify-hub by alphagov.
the class OcspCertificateChainValidationService method run.
/**
 * Runs an OCSP chain-validity check over every certificate known to
 * {@code certificateService} and records the outcome in {@code ocspStatusGauge}.
 *
 * <p>{@code lastUpdatedGauge} is only advanced for certificates that validated; an invalid
 * result leaves the last-updated sample where it was. If the checker throws, neither gauge is
 * touched for that certificate, so whatever value the status gauge last held stays visible
 * until a later run succeeds — the failure is logged and the loop moves on.
 */
@Override
public void run() {
    try {
        final Set<Certificate> allCertificates = certificateService.getAllCertificates();
        final double now = DateTime.now(DateTimeZone.UTC).getMillis();
        for (Certificate certificate : allCertificates) {
            try {
                final boolean chainIsValid = ocspCertificateChainValidityChecker.isValid(certificate);
                updateAGauge(ocspStatusGauge, certificate, chainIsValid ? VALID : INVALID);
                if (chainIsValid) {
                    updateAGauge(lastUpdatedGauge, certificate, now);
                }
            } catch (Exception e) {
                logMetricsFailure(certificate, e);
            }
        }
        LOG.info("Updated Certificates OCSP Revocation Statuses Metrics.");
    } catch (Exception e) {
        LOG.error("Failed to update Certificates OCSP Revocation Statuses Metrics", e);
    }
}

/**
 * Logs a per-certificate metrics failure, naming the issuer when the certificate reference
 * itself is non-null (a null set element surfaces here as an NPE).
 *
 * @param certificate the certificate being processed, possibly {@code null}
 * @param e the failure raised while checking or recording it
 */
private void logMetricsFailure(Certificate certificate, Exception e) {
    if (Objects.nonNull(certificate)) {
        // TODO: change this back to error; once we figure how to deal with this in https://govukverify.atlassian.net/browse/HUB-457.
        LOG.warn(String.format("Unable to set certificates OCSP revocation status metrics for the certificate [issuer id: %s]", certificate.getIssuerEntityId()), e);
    } else {
        LOG.error("Unable to set certificates OCSP revocation status metrics.", e);
    }
}
use of uk.gov.ida.hub.config.domain.Certificate in project verify-hub by alphagov.
the class CertificateHealthCheckDtoTest method testCreateCertificateHealthCheckDto_returnsOK.
/**
 * With "now" frozen three months before the certificate's not-after date, the health-check
 * DTO built with a 30-day duration reports {@code OK}, echoes the entity id and carries no
 * message.
 */
@Test
public void testCreateCertificateHealthCheckDto_returnsOK() {
    final Certificate certificate = new Certificate("entityId", FederationEntityType.RP, HUB_TEST_PUBLIC_SIGNING_CERT, CertificateUse.SIGNING, CertificateOrigin.FEDERATION, true);
    final DateTime expiry = new DateTime(certificate.getNotAfter());
    // Three months out sits well outside the 30-day duration handed to the DTO below
    // (presumably its warning window — confirm against CertificateHealthCheckDto).
    DateTimeFreezer.freezeTime(expiry.minusMonths(3));

    final org.joda.time.Duration thirtyDays = org.joda.time.Duration.standardDays(30);
    final CertificateHealthCheckDto dto = new CertificateHealthCheckDto(certificate, thirtyDays);

    assertThat(dto.getStatus()).isEqualTo(CertificateExpiryStatus.OK);
    assertThat(dto.getEntityId()).isEqualTo("entityId");
    assertThat(dto.getMessage()).isEmpty();
}
use of uk.gov.ida.hub.config.domain.Certificate in project verify-hub by alphagov.
the class CertificateHealthCheckDtoTest method testCreateCertificateHealthCheckDto_forwarning.
/**
 * With "now" frozen one week before the certificate's not-after date, the health-check DTO
 * built with a 30-day duration reports {@code WARNING} and a message naming the expiry date
 * in {@code EE dd MMM yyyy} form.
 */
@Test
public void testCreateCertificateHealthCheckDto_forwarning() {
    final Certificate certificate = new Certificate("entityId", FederationEntityType.RP, HUB_TEST_PUBLIC_SIGNING_CERT, CertificateUse.SIGNING, CertificateOrigin.FEDERATION, true);
    final DateTime expiry = new DateTime(certificate.getNotAfter());
    // One week out is inside the 30-day duration handed to the DTO below.
    DateTimeFreezer.freezeTime(expiry.minusWeeks(1));

    final org.joda.time.Duration thirtyDays = org.joda.time.Duration.standardDays(30);
    final CertificateHealthCheckDto dto = new CertificateHealthCheckDto(certificate, thirtyDays);
    final String expectedMessage = "Expires on " + DateTimeFormat.forPattern("EE dd MMM yyyy").print(expiry);

    assertThat(dto.getStatus()).isEqualTo(CertificateExpiryStatus.WARNING);
    assertThat(dto.getEntityId()).isEqualTo("entityId");
    assertThat(dto.getMessage()).isEqualTo(expectedMessage);
}
use of uk.gov.ida.hub.config.domain.Certificate in project verify-hub by alphagov.
the class CertificateServiceTest method signatureVerificationCertificatesForEntityIdWarnsAndThrowsWhenMatchingSignatureCertificatesExistButAreInvalid.
/**
 * When the entity is a matching service whose two signature-verification certificates both
 * fail the validity checker, the lookup must throw {@link NoCertificateFoundException} and a
 * warning naming the entity id and the count of invalid certificates must have been logged.
 * The log check runs in a {@code finally} so it is reported even if the throw assertion fails.
 */
@Test
public void signatureVerificationCertificatesForEntityIdWarnsAndThrowsWhenMatchingSignatureCertificatesExistButAreInvalid() {
    final MatchingServiceConfig matchingServiceConfig = aMatchingServiceConfig()
            .withEntityId(RP_ONE_ENTITY_ID)
            .addSignatureVerificationCertificate(CERT_ONE_X509)
            .addSignatureVerificationCertificate(CERT_TWO_X509)
            .build();
    final Certificate firstInvalid = new Certificate(RP_ONE_ENTITY_ID, FederationEntityType.MS, CERT_ONE_X509, CertificateUse.SIGNING, CertificateOrigin.FEDERATION, true);
    final Certificate secondInvalid = new Certificate(RP_ONE_ENTITY_ID, FederationEntityType.MS, CERT_TWO_X509, CertificateUse.SIGNING, CertificateOrigin.FEDERATION, true);

    // The entity is known only to the matching-service repository, not the connected-service one.
    when(connectedServiceConfigRepository.has(RP_ONE_ENTITY_ID)).thenReturn(false);
    when(matchingServiceConfigRepository.has(RP_ONE_ENTITY_ID)).thenReturn(true);
    when(matchingServiceConfigRepository.get(RP_ONE_ENTITY_ID)).thenReturn(Optional.of(matchingServiceConfig));
    // Both candidates are rejected, so nothing usable can be returned.
    when(certificateValidityChecker.isValid(firstInvalid)).thenReturn(false);
    when(certificateValidityChecker.isValid(secondInvalid)).thenReturn(false);

    try {
        Assertions.assertThrows(
                NoCertificateFoundException.class,
                () -> certificateService.signatureVerificationCertificatesFor(RP_ONE_ENTITY_ID));
    } finally {
        final String expectedWarning = String.format("Signature verification certificates were requested for entityId '%s'; 2 of them are invalid", RP_ONE_ENTITY_ID);
        checkForExpectedLogWarnings(List.of(expectedWarning));
    }
}