Support glob pattern for URIs with '/' as boundary

2 files changed, 38 insertions, 4 deletions

diff --git a/security-utils/src/test/java/com/yahoo/security/tls/authz/PeerAuthorizerTest.java b/security-utils/src/test/java/com/yahoo/security/tls/authz/PeerAuthorizerTest.java
index 518ec08d38e..fdfed781286 100644
--- a/security-utils/src/test/java/com/yahoo/security/tls/authz/PeerAuthorizerTest.java
+++ b/security-utils/src/test/java/com/yahoo/security/tls/authz/PeerAuthorizerTest.java
@@ -102,17 +102,17 @@ public class PeerAuthorizerTest {
     }
 
     @Test
-    public void can_exact_match_policy_with_san_uri_pattern() {
+    public void can_match_policy_with_san_uri_pattern() {
         RequiredPeerCredential cnRequirement = createRequiredCredential(CN, "*.matching.cn");
-        RequiredPeerCredential sanUriRequirement = createRequiredCredential(SAN_URI, "myscheme://my/exact/uri");
+        RequiredPeerCredential sanUriRequirement = createRequiredCredential(SAN_URI, "myscheme://my/*/uri");
         PeerAuthorizer authorizer = createPeerAuthorizer(createPolicy(POLICY_1, createRoles(ROLE_1), cnRequirement, sanUriRequirement));
 
-        AuthorizationResult result = authorizer.authorizePeer(createCertificate("foo.matching.cn", singletonList("foo.irrelevant.san"), singletonList("myscheme://my/exact/uri")));
+        AuthorizationResult result = authorizer.authorizePeer(createCertificate("foo.matching.cn", singletonList("foo.irrelevant.san"), singletonList("myscheme://my/matching/uri")));
         assertAuthorized(result);
         assertThat(result.assumedRoles()).extracting(Role::name).containsOnly(ROLE_1);
         assertThat(result.matchedPolicies()).containsOnly(POLICY_1);
 
-        assertUnauthorized(authorizer.authorizePeer(createCertificate("foo.matching.cn", emptyList(), singletonList("myscheme://my/nonmatching/uri"))));
+        assertUnauthorized(authorizer.authorizePeer(createCertificate("foo.matching.cn", emptyList(), singletonList("myscheme://my/nonmatching/url"))));
     }
 
     private static X509Certificate createCertificate(String subjectCn, List<String> sanDns, List<String> sanUri) {
diff --git a/security-utils/src/test/java/com/yahoo/security/tls/policy/UriGlobPatternTest.java b/security-utils/src/test/java/com/yahoo/security/tls/policy/UriGlobPatternTest.java
new file mode 100644
index 00000000000..98f8119b40e
--- /dev/null
+++ b/security-utils/src/test/java/com/yahoo/security/tls/policy/UriGlobPatternTest.java
@@ -0,0 +1,34 @@
+package com.yahoo.security.tls.policy;// Copyright Verizon Media. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+
+import org.junit.jupiter.api.Test;
+
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+/**
+ * @author bjorncs
+ */
+class UriGlobPatternTest {
+
+    @Test
+    void matches_correctly() {
+        assertMatches("scheme://hostname/*", "scheme://hostname/mypath");
+        assertMatches("scheme://hostname/*/segment2", "scheme://hostname/segment1/segment2");
+        assertMatches("scheme://hostname/segment1/*", "scheme://hostname/segment1/segment2");
+        assertNotMatches("scheme://hostname/*", "scheme://hostname/segment1/segment2");
+        assertMatches("scheme://*/segment1/segment2", "scheme://hostname/segment1/segment2");
+        assertMatches("scheme://*.name/", "scheme://host.name/");
+        assertNotMatches("scheme://*", "scheme://hostname/");
+    }
+
+    private void assertMatches(String pattern, String value) {
+        assertTrue(new UriGlobPattern(pattern).matches(value),
+                () -> String.format("Expected '%s' to match '%s'", pattern, value));
+    }
+
+    private void assertNotMatches(String pattern, String value) {
+        assertFalse(new UriGlobPattern(pattern).matches(value),
+                () -> String.format("Expected '%s' to not match '%s'", pattern, value));
+    }
+
+}
\ No newline at end of file