Remove 'role' concept from 'authorized-peers'

author: Bjørn Christian Seime <bjorncs@yahooinc.com> 2022-07-11 14:31:53 +0200
committer: Bjørn Christian Seime <bjorncs@yahooinc.com> 2022-07-11 14:38:14 +0200
commit: 34dde2dc891ba88440ad72d86f8c4cc138c101c8 (patch)
tree: 774a3df8410de88711700246381d2597b1ea7f88 /security-utils/src/test/java
parent: 548fcbaa2a98f1626e7fb652db36dbfd4e9a1624 (diff)
4 files changed, 14 insertions, 32 deletions
diff --git a/security-utils/src/test/java/com/yahoo/security/tls/DefaultTlsContextTest.java b/security-utils/src/test/java/com/yahoo/security/tls/DefaultTlsContextTest.java
index 8236ce081ba..358929606cd 100644
--- a/security-utils/src/test/java/com/yahoo/security/tls/DefaultTlsContextTest.java
+++ b/security-utils/src/test/java/com/yahoo/security/tls/DefaultTlsContextTest.java
@@ -6,7 +6,6 @@ import com.yahoo.security.X509CertificateBuilder;
 import com.yahoo.security.tls.policy.AuthorizedPeers;
 import com.yahoo.security.tls.policy.PeerPolicy;
 import com.yahoo.security.tls.policy.RequiredPeerCredential;
-import com.yahoo.security.tls.policy.Role;
 import org.junit.Test;
 
 import javax.net.ssl.SSLEngine;
@@ -41,7 +40,6 @@ public class DefaultTlsContextTest {
                 singleton(
                         new PeerPolicy(
                                 "dummy-policy",
-                                singleton(new Role("dummy-role")),
                                 singletonList(RequiredPeerCredential.of(RequiredPeerCredential.Field.CN, "dummy")))));
 
         DefaultTlsContext tlsContext =
diff --git a/security-utils/src/test/java/com/yahoo/security/tls/authz/PeerAuthorizerTest.java b/security-utils/src/test/java/com/yahoo/security/tls/authz/PeerAuthorizerTest.java
index fdfed781286..5a4ae1f4ff6 100644
--- a/security-utils/src/test/java/com/yahoo/security/tls/authz/PeerAuthorizerTest.java
+++ b/security-utils/src/test/java/com/yahoo/security/tls/authz/PeerAuthorizerTest.java
@@ -9,7 +9,6 @@ import com.yahoo.security.tls.policy.AuthorizedPeers;
 import com.yahoo.security.tls.policy.PeerPolicy;
 import com.yahoo.security.tls.policy.RequiredPeerCredential;
 import com.yahoo.security.tls.policy.RequiredPeerCredential.Field;
-import com.yahoo.security.tls.policy.Role;
 import org.junit.Test;
 
 import javax.security.auth.x500.X500Principal;
@@ -20,7 +19,6 @@ import java.time.Instant;
 import java.time.temporal.ChronoUnit;
 import java.util.Arrays;
 import java.util.List;
-import java.util.Set;
 
 import static com.yahoo.security.SignatureAlgorithm.SHA256_WITH_ECDSA;
 import static com.yahoo.security.tls.policy.RequiredPeerCredential.Field.CN;
@@ -28,7 +26,6 @@ import static com.yahoo.security.tls.policy.RequiredPeerCredential.Field.SAN_DNS
 import static com.yahoo.security.tls.policy.RequiredPeerCredential.Field.SAN_URI;
 import static java.util.Arrays.asList;
 import static java.util.Collections.emptyList;
-import static java.util.Collections.emptySet;
 import static java.util.Collections.singletonList;
 import static java.util.stream.Collectors.toSet;
 import static org.assertj.core.api.Assertions.assertThat;
@@ -41,17 +38,16 @@ import static org.junit.Assert.assertTrue;
 public class PeerAuthorizerTest {
 
     private static final KeyPair KEY_PAIR = KeyUtils.generateKeypair(KeyAlgorithm.EC);
-    private static final String ROLE_1 = "role-1", ROLE_2 = "role-2", ROLE_3 = "role-3", POLICY_1 = "policy-1", POLICY_2 = "policy-2";
+    private static final String POLICY_1 = "policy-1", POLICY_2 = "policy-2";
 
     @Test
     public void certificate_must_match_both_san_and_cn_pattern() {
         RequiredPeerCredential cnRequirement = createRequiredCredential(CN, "*.matching.cn");
         RequiredPeerCredential sanRequirement = createRequiredCredential(SAN_DNS, "*.matching.san");
-        PeerAuthorizer authorizer = createPeerAuthorizer(createPolicy(POLICY_1, createRoles(ROLE_1), cnRequirement, sanRequirement));
+        PeerAuthorizer authorizer = createPeerAuthorizer(createPolicy(POLICY_1, cnRequirement, sanRequirement));
 
         AuthorizationResult result = authorizer.authorizePeer(createCertificate("foo.matching.cn", asList("foo.matching.san", "foo.invalid.san"), emptyList()));
         assertAuthorized(result);
-        assertThat(result.assumedRoles()).extracting(Role::name).containsOnly(ROLE_1);
         assertThat(result.matchedPolicies()).containsOnly(POLICY_1);
 
         assertUnauthorized(authorizer.authorizePeer(createCertificate("foo.invalid.cn", singletonList("foo.matching.san"), emptyList())));
@@ -65,25 +61,23 @@ public class PeerAuthorizerTest {
         RequiredPeerCredential sanRequirement = createRequiredCredential(SAN_DNS, "*.matching.san");
 
         PeerAuthorizer peerAuthorizer = createPeerAuthorizer(
-                createPolicy(POLICY_1, createRoles(ROLE_1, ROLE_2), cnRequirement, sanRequirement),
-                createPolicy(POLICY_2, createRoles(ROLE_2, ROLE_3), cnRequirement, sanRequirement));
+                createPolicy(POLICY_1, cnRequirement, sanRequirement),
+                createPolicy(POLICY_2, cnRequirement, sanRequirement));
 
         AuthorizationResult result = peerAuthorizer
                 .authorizePeer(createCertificate("foo.matching.cn", singletonList("foo.matching.san"), emptyList()));
         assertAuthorized(result);
-        assertThat(result.assumedRoles()).extracting(Role::name).containsOnly(ROLE_1, ROLE_2, ROLE_3);
         assertThat(result.matchedPolicies()).containsOnly(POLICY_1, POLICY_2);
     }
 
     @Test
     public void can_match_subset_of_policies() {
         PeerAuthorizer peerAuthorizer = createPeerAuthorizer(
-                createPolicy(POLICY_1, createRoles(ROLE_1), createRequiredCredential(CN, "*.matching.cn")),
-                createPolicy(POLICY_2, createRoles(ROLE_1, ROLE_2), createRequiredCredential(SAN_DNS, "*.matching.san")));
+                createPolicy(POLICY_1, createRequiredCredential(CN, "*.matching.cn")),
+                createPolicy(POLICY_2, createRequiredCredential(SAN_DNS, "*.matching.san")));
 
         AuthorizationResult result = peerAuthorizer.authorizePeer(createCertificate("foo.invalid.cn", singletonList("foo.matching.san"), emptyList()));
         assertAuthorized(result);
-        assertThat(result.assumedRoles()).extracting(Role::name).containsOnly(ROLE_1, ROLE_2);
         assertThat(result.matchedPolicies()).containsOnly(POLICY_2);
     }
 
@@ -94,7 +88,7 @@ public class PeerAuthorizerTest {
         RequiredPeerCredential sanPrefixRequirement = createRequiredCredential(SAN_DNS, "*.*.matching.suffix.san");
         RequiredPeerCredential sanSuffixRequirement = createRequiredCredential(SAN_DNS, "matching.prefix.*.*.*");
         PeerAuthorizer peerAuthorizer = createPeerAuthorizer(
-                createPolicy(POLICY_1, emptySet(), cnSuffixRequirement, cnPrefixRequirement, sanPrefixRequirement, sanSuffixRequirement));
+                createPolicy(POLICY_1, cnSuffixRequirement, cnPrefixRequirement, sanPrefixRequirement, sanSuffixRequirement));
 
         assertAuthorized(peerAuthorizer.authorizePeer(createCertificate("matching.prefix.matching.suffix.cn", singletonList("matching.prefix.matching.suffix.san"), emptyList())));
         assertUnauthorized(peerAuthorizer.authorizePeer(createCertificate("matching.prefix.matching.suffix.cn", singletonList("matching.prefix.invalid.suffix.san"), emptyList())));
@@ -105,11 +99,10 @@ public class PeerAuthorizerTest {
     public void can_match_policy_with_san_uri_pattern() {
         RequiredPeerCredential cnRequirement = createRequiredCredential(CN, "*.matching.cn");
         RequiredPeerCredential sanUriRequirement = createRequiredCredential(SAN_URI, "myscheme://my/*/uri");
-        PeerAuthorizer authorizer = createPeerAuthorizer(createPolicy(POLICY_1, createRoles(ROLE_1), cnRequirement, sanUriRequirement));
+        PeerAuthorizer authorizer = createPeerAuthorizer(createPolicy(POLICY_1, cnRequirement, sanUriRequirement));
 
         AuthorizationResult result = authorizer.authorizePeer(createCertificate("foo.matching.cn", singletonList("foo.irrelevant.san"), singletonList("myscheme://my/matching/uri")));
         assertAuthorized(result);
-        assertThat(result.assumedRoles()).extracting(Role::name).containsOnly(ROLE_1);
         assertThat(result.matchedPolicies()).containsOnly(POLICY_1);
 
         assertUnauthorized(authorizer.authorizePeer(createCertificate("foo.matching.cn", emptyList(), singletonList("myscheme://my/nonmatching/url"))));
@@ -133,16 +126,12 @@ public class PeerAuthorizerTest {
         return RequiredPeerCredential.of(field, pattern);
     }
 
-    private static Set<Role> createRoles(String... roleNames) {
-        return Arrays.stream(roleNames).map(Role::new).collect(toSet());
-    }
-
     private static PeerAuthorizer createPeerAuthorizer(PeerPolicy... policies) {
         return new PeerAuthorizer(new AuthorizedPeers(Arrays.stream(policies).collect(toSet())));
     }
 
-    private static PeerPolicy createPolicy(String name, Set<Role> roles, RequiredPeerCredential... requiredCredentials) {
-        return new PeerPolicy(name, roles, asList(requiredCredentials));
+    private static PeerPolicy createPolicy(String name, RequiredPeerCredential... requiredCredentials) {
+        return new PeerPolicy(name, asList(requiredCredentials));
     }
 
     private static void assertAuthorized(AuthorizationResult result) {
diff --git a/security-utils/src/test/java/com/yahoo/security/tls/json/TransportSecurityOptionsJsonSerializerTest.java b/security-utils/src/test/java/com/yahoo/security/tls/json/TransportSecurityOptionsJsonSerializerTest.java
index 6bca49aee83..2cb262cecc0 100644
--- a/security-utils/src/test/java/com/yahoo/security/tls/json/TransportSecurityOptionsJsonSerializerTest.java
+++ b/security-utils/src/test/java/com/yahoo/security/tls/json/TransportSecurityOptionsJsonSerializerTest.java
@@ -5,7 +5,6 @@ import com.yahoo.security.tls.TransportSecurityOptions;
 import com.yahoo.security.tls.policy.AuthorizedPeers;
 import com.yahoo.security.tls.policy.PeerPolicy;
 import com.yahoo.security.tls.policy.RequiredPeerCredential;
-import com.yahoo.security.tls.policy.Role;
 import org.junit.Rule;
 import org.junit.Test;
 import org.junit.rules.TemporaryFolder;
@@ -26,7 +25,6 @@ import static com.yahoo.security.tls.policy.RequiredPeerCredential.Field.CN;
 import static com.yahoo.security.tls.policy.RequiredPeerCredential.Field.SAN_DNS;
 import static com.yahoo.security.tls.policy.RequiredPeerCredential.Field.SAN_URI;
 import static com.yahoo.test.json.JsonTestHelper.assertJsonEquals;
-import static java.util.Collections.singleton;
 import static org.junit.Assert.assertEquals;
 
 /**
@@ -47,11 +45,11 @@ public class TransportSecurityOptionsJsonSerializerTest {
                 .withAuthorizedPeers(
                         new AuthorizedPeers(
                                 new LinkedHashSet<>(Arrays.asList(
-                                        new PeerPolicy("cfgserver", "cfgserver policy description", singleton(new Role("myrole")), Arrays.asList(
+                                        new PeerPolicy("cfgserver", "cfgserver policy description", Arrays.asList(
                                                 RequiredPeerCredential.of(CN, "mycfgserver"),
                                                 RequiredPeerCredential.of(SAN_DNS, "*.suffix.com"),
                                                 RequiredPeerCredential.of(SAN_URI, "myscheme://resource/path/"))),
-                                        new PeerPolicy("node", singleton(new Role("anotherrole")), Collections.singletonList(RequiredPeerCredential.of(CN, "hostname")))))))
+                                        new PeerPolicy("node", Collections.singletonList(RequiredPeerCredential.of(CN, "hostname")))))))
                 .build();
 
         ByteArrayOutputStream out = new ByteArrayOutputStream();
diff --git a/security-utils/src/test/java/com/yahoo/security/tls/policy/AuthorizedPeersTest.java b/security-utils/src/test/java/com/yahoo/security/tls/policy/AuthorizedPeersTest.java
index c44a23ecf2b..3ad826d3996 100644
--- a/security-utils/src/test/java/com/yahoo/security/tls/policy/AuthorizedPeersTest.java
+++ b/security-utils/src/test/java/com/yahoo/security/tls/policy/AuthorizedPeersTest.java
@@ -4,11 +4,9 @@ package com.yahoo.security.tls.policy;
 import org.junit.Test;
 
 import java.util.HashSet;
-import java.util.List;
 
 import static com.yahoo.security.tls.policy.RequiredPeerCredential.Field.CN;
 import static java.util.Arrays.asList;
-import static java.util.Collections.singleton;
 import static java.util.Collections.singletonList;
 
 /**
@@ -18,9 +16,8 @@ public class AuthorizedPeersTest {
 
     @Test(expected = IllegalArgumentException.class)
     public void throws_exception_on_peer_policies_with_duplicate_names() {
-        List<RequiredPeerCredential> requiredPeerCredential = singletonList(RequiredPeerCredential.of(CN, "mycfgserver"));
-        PeerPolicy peerPolicy1 = new PeerPolicy("duplicate-name", singleton(new Role("role")), requiredPeerCredential);
-        PeerPolicy peerPolicy2 = new PeerPolicy("duplicate-name", singleton(new Role("anotherrole")), requiredPeerCredential);
+        PeerPolicy peerPolicy1 = new PeerPolicy("duplicate-name", singletonList(RequiredPeerCredential.of(CN, "mycfgserver")));
+        PeerPolicy peerPolicy2 = new PeerPolicy("duplicate-name", singletonList(RequiredPeerCredential.of(CN, "myclient")));
         new AuthorizedPeers(new HashSet<>(asList(peerPolicy1, peerPolicy2)));
     }
author	Bjørn Christian Seime <bjorncs@yahooinc.com>	2022-07-11 14:31:53 +0200
committer	Bjørn Christian Seime <bjorncs@yahooinc.com>	2022-07-11 14:38:14 +0200
commit	34dde2dc891ba88440ad72d86f8c4cc138c101c8 (patch)
tree	774a3df8410de88711700246381d2597b1ea7f88 /security-utils/src/test/java
parent	548fcbaa2a98f1626e7fb652db36dbfd4e9a1624 (diff)