author | Bjørn Christian Seime <bjorncs@yahooinc.com> | 2022-07-21 14:56:51 +0200 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@yahooinc.com> | 2022-07-21 15:30:19 +0200 |
commit | f4965306b79f0015ca9e8e32072877e57f7f532c (patch) | |
tree | c3bc93a0916de30dcb70435531c1aa850b27c51c /security-utils/src/test | |
parent | d2864cf3be9a93d784ac98b6beee0813dc60b290 (diff) |
Move logic for capability checking/logging to ConnectionAuthContext
Diffstat (limited to 'security-utils/src/test')
-rw-r--r-- | security-utils/src/test/java/com/yahoo/security/tls/ConnectionAuthContextTest.java | 59 |
1 files changed, 59 insertions, 0 deletions
diff --git a/security-utils/src/test/java/com/yahoo/security/tls/ConnectionAuthContextTest.java b/security-utils/src/test/java/com/yahoo/security/tls/ConnectionAuthContextTest.java
new file mode 100644
index 00000000000..8036bc38d90
--- /dev/null
+++ b/security-utils/src/test/java/com/yahoo/security/tls/ConnectionAuthContextTest.java
@@ -0,0 +1,59 @@
+package com.yahoo.security.tls;// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+
+import com.yahoo.security.KeyAlgorithm;
+import com.yahoo.security.KeyUtils;
+import com.yahoo.security.X509CertificateBuilder;
+import org.junit.jupiter.api.Test;
+
+import javax.security.auth.x500.X500Principal;
+import java.math.BigInteger;
+import java.security.KeyPair;
+import java.security.cert.X509Certificate;
+import java.time.Instant;
+import java.time.temporal.ChronoUnit;
+import java.util.List;
+import java.util.Set;
+
+import static com.yahoo.security.SignatureAlgorithm.SHA256_WITH_ECDSA;
+import static org.assertj.core.api.AssertionsForInterfaceTypes.assertThat;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+
+/**
+ * @author bjorncs
+ */
+class ConnectionAuthContextTest {
+ @Test
+ void fails_on_missing_capabilities() {
+ ConnectionAuthContext ctx = createConnectionAuthContext();
+ assertFalse(ctx.hasCapabilities(CapabilitySet.from(Capability.CONTENT__STATUS_PAGES)));
+ }
+
+ @Test
+ void creates_correct_error_message() {
+ ConnectionAuthContext ctx = createConnectionAuthContext();
+ CapabilitySet requiredCaps = CapabilitySet.from(Capability.CONTENT__STATUS_PAGES);
+ String expectedMessage = """
+ Permission denied for 'myaction' on 'myresource'. Peer 'mypeer' with Optional[[CN='myidentity']].
+ Requires capabilities [vespa.content.status_pages] but peer has
+ [vespa.content.document_api, vespa.content.search_api, vespa.slobrok.api]. 
+ """;
+ String actualMessage = ctx.createPermissionDeniedErrorMessage(requiredCaps, "myaction", "myresource", "mypeer");
+ assertThat(actualMessage).isEqualToIgnoringWhitespace(expectedMessage);
+ }
+
+ private static ConnectionAuthContext createConnectionAuthContext() {
+ return new ConnectionAuthContext(
+ List.of(createCertificate()), CapabilitySet.Predefined.CONTAINER_NODE.capabilities(), Set.of(),
+ CapabilityMode.ENFORCE);
+ }
+
+ private static X509Certificate createCertificate() {
+ KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.EC, 256);
+ return X509CertificateBuilder.fromKeypair(
+ keyPair, new X500Principal("CN=myidentity"), Instant.EPOCH,
+ Instant.EPOCH.plus(100000, ChronoUnit.DAYS), SHA256_WITH_ECDSA, BigInteger.ONE)
+ .build();
+ }
+
+
+}
\ No newline at end of file |
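Review bot: The expected text in `creates_correct_error_message` pins `Optional[[CN='myidentity']]`, which is `Optional.toString()` leaking into a permission-denied message that presumably ends up in logs or is returned to the peer; the test should expect `[CN='myidentity']` and `createPermissionDeniedErrorMessage` (not in this diff) should unwrap the identity with something like `.map(Object::toString).orElse("<unknown>")` before formatting. Coverage is also one-sided: `fails_on_missing_capabilities` only asserts the negative case under `CapabilityMode.ENFORCE`, so a `hasCapabilities` that always returned false would pass; add a positive assertion for a capability the CONTAINER_NODE set does hold (the message lists `vespa.content.document_api`, so presumably `Capability.CONTENT__DOCUMENT_API`), and, if `CapabilityMode` has non-enforcing values, a case showing how they change the outcome. The 100000-day validity window in `createCertificate()` is fine for a fixture but deserves a comment such as `// long-lived fixture cert; only the subject DN is used by these tests` so it is not copied into non-test code.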