diff options
author | Bjørn Christian Seime <bjorncs@yahooinc.com> | 2022-07-11 14:31:53 +0200 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@yahooinc.com> | 2022-07-11 14:38:14 +0200 |
commit | 34dde2dc891ba88440ad72d86f8c4cc138c101c8 (patch) | |
tree | 774a3df8410de88711700246381d2597b1ea7f88 /security-utils/src/test | |
parent | 548fcbaa2a98f1626e7fb652db36dbfd4e9a1624 (diff) |
Remove 'role' concept from 'authorized-peers'
Diffstat (limited to 'security-utils/src/test')
5 files changed, 16 insertions, 36 deletions
diff --git a/security-utils/src/test/java/com/yahoo/security/tls/DefaultTlsContextTest.java b/security-utils/src/test/java/com/yahoo/security/tls/DefaultTlsContextTest.java index 8236ce081ba..358929606cd 100644 --- a/security-utils/src/test/java/com/yahoo/security/tls/DefaultTlsContextTest.java +++ b/security-utils/src/test/java/com/yahoo/security/tls/DefaultTlsContextTest.java @@ -6,7 +6,6 @@ import com.yahoo.security.X509CertificateBuilder; import com.yahoo.security.tls.policy.AuthorizedPeers; import com.yahoo.security.tls.policy.PeerPolicy; import com.yahoo.security.tls.policy.RequiredPeerCredential; -import com.yahoo.security.tls.policy.Role; import org.junit.Test; import javax.net.ssl.SSLEngine; @@ -41,7 +40,6 @@ public class DefaultTlsContextTest { singleton( new PeerPolicy( "dummy-policy", - singleton(new Role("dummy-role")), singletonList(RequiredPeerCredential.of(RequiredPeerCredential.Field.CN, "dummy"))))); DefaultTlsContext tlsContext = diff --git a/security-utils/src/test/java/com/yahoo/security/tls/authz/PeerAuthorizerTest.java b/security-utils/src/test/java/com/yahoo/security/tls/authz/PeerAuthorizerTest.java index fdfed781286..5a4ae1f4ff6 100644 --- a/security-utils/src/test/java/com/yahoo/security/tls/authz/PeerAuthorizerTest.java +++ b/security-utils/src/test/java/com/yahoo/security/tls/authz/PeerAuthorizerTest.java @@ -9,7 +9,6 @@ import com.yahoo.security.tls.policy.AuthorizedPeers; import com.yahoo.security.tls.policy.PeerPolicy; import com.yahoo.security.tls.policy.RequiredPeerCredential; import com.yahoo.security.tls.policy.RequiredPeerCredential.Field; -import com.yahoo.security.tls.policy.Role; import org.junit.Test; import javax.security.auth.x500.X500Principal; @@ -20,7 +19,6 @@ import java.time.Instant; import java.time.temporal.ChronoUnit; import java.util.Arrays; import java.util.List; -import java.util.Set; import static com.yahoo.security.SignatureAlgorithm.SHA256_WITH_ECDSA; import static com.yahoo.security.tls.policy.RequiredPeerCredential.Field.CN; @@ -28,7 +26,6 @@ import static com.yahoo.security.tls.policy.RequiredPeerCredential.Field.SAN_DNS import static com.yahoo.security.tls.policy.RequiredPeerCredential.Field.SAN_URI; import static java.util.Arrays.asList; import static java.util.Collections.emptyList; -import static java.util.Collections.emptySet; import static java.util.Collections.singletonList; import static java.util.stream.Collectors.toSet; import static org.assertj.core.api.Assertions.assertThat; @@ -41,17 +38,16 @@ import static org.junit.Assert.assertTrue; public class PeerAuthorizerTest { private static final KeyPair KEY_PAIR = KeyUtils.generateKeypair(KeyAlgorithm.EC); - private static final String ROLE_1 = "role-1", ROLE_2 = "role-2", ROLE_3 = "role-3", POLICY_1 = "policy-1", POLICY_2 = "policy-2"; + private static final String POLICY_1 = "policy-1", POLICY_2 = "policy-2"; @Test public void certificate_must_match_both_san_and_cn_pattern() { RequiredPeerCredential cnRequirement = createRequiredCredential(CN, "*.matching.cn"); RequiredPeerCredential sanRequirement = createRequiredCredential(SAN_DNS, "*.matching.san"); - PeerAuthorizer authorizer = createPeerAuthorizer(createPolicy(POLICY_1, createRoles(ROLE_1), cnRequirement, sanRequirement)); + PeerAuthorizer authorizer = createPeerAuthorizer(createPolicy(POLICY_1, cnRequirement, sanRequirement)); AuthorizationResult result = authorizer.authorizePeer(createCertificate("foo.matching.cn", asList("foo.matching.san", "foo.invalid.san"), emptyList())); assertAuthorized(result); - assertThat(result.assumedRoles()).extracting(Role::name).containsOnly(ROLE_1); assertThat(result.matchedPolicies()).containsOnly(POLICY_1); assertUnauthorized(authorizer.authorizePeer(createCertificate("foo.invalid.cn", singletonList("foo.matching.san"), emptyList()))); @@ -65,25 +61,23 @@ public class PeerAuthorizerTest { RequiredPeerCredential sanRequirement = createRequiredCredential(SAN_DNS, "*.matching.san"); PeerAuthorizer peerAuthorizer = createPeerAuthorizer( - createPolicy(POLICY_1, createRoles(ROLE_1, ROLE_2), cnRequirement, sanRequirement), - createPolicy(POLICY_2, createRoles(ROLE_2, ROLE_3), cnRequirement, sanRequirement)); + createPolicy(POLICY_1, cnRequirement, sanRequirement), + createPolicy(POLICY_2, cnRequirement, sanRequirement)); AuthorizationResult result = peerAuthorizer .authorizePeer(createCertificate("foo.matching.cn", singletonList("foo.matching.san"), emptyList())); assertAuthorized(result); - assertThat(result.assumedRoles()).extracting(Role::name).containsOnly(ROLE_1, ROLE_2, ROLE_3); assertThat(result.matchedPolicies()).containsOnly(POLICY_1, POLICY_2); } @Test public void can_match_subset_of_policies() { PeerAuthorizer peerAuthorizer = createPeerAuthorizer( - createPolicy(POLICY_1, createRoles(ROLE_1), createRequiredCredential(CN, "*.matching.cn")), - createPolicy(POLICY_2, createRoles(ROLE_1, ROLE_2), createRequiredCredential(SAN_DNS, "*.matching.san"))); + createPolicy(POLICY_1, createRequiredCredential(CN, "*.matching.cn")), + createPolicy(POLICY_2, createRequiredCredential(SAN_DNS, "*.matching.san"))); AuthorizationResult result = peerAuthorizer.authorizePeer(createCertificate("foo.invalid.cn", singletonList("foo.matching.san"), emptyList())); assertAuthorized(result); - assertThat(result.assumedRoles()).extracting(Role::name).containsOnly(ROLE_1, ROLE_2); assertThat(result.matchedPolicies()).containsOnly(POLICY_2); } @@ -94,7 +88,7 @@ public class PeerAuthorizerTest { RequiredPeerCredential sanPrefixRequirement = createRequiredCredential(SAN_DNS, "*.*.matching.suffix.san"); RequiredPeerCredential sanSuffixRequirement = createRequiredCredential(SAN_DNS, "matching.prefix.*.*.*"); PeerAuthorizer peerAuthorizer = createPeerAuthorizer( - createPolicy(POLICY_1, emptySet(), cnSuffixRequirement, cnPrefixRequirement, sanPrefixRequirement, sanSuffixRequirement)); + createPolicy(POLICY_1, cnSuffixRequirement, cnPrefixRequirement, sanPrefixRequirement, sanSuffixRequirement)); assertAuthorized(peerAuthorizer.authorizePeer(createCertificate("matching.prefix.matching.suffix.cn", singletonList("matching.prefix.matching.suffix.san"), emptyList()))); assertUnauthorized(peerAuthorizer.authorizePeer(createCertificate("matching.prefix.matching.suffix.cn", singletonList("matching.prefix.invalid.suffix.san"), emptyList()))); @@ -105,11 +99,10 @@ public class PeerAuthorizerTest { public void can_match_policy_with_san_uri_pattern() { RequiredPeerCredential cnRequirement = createRequiredCredential(CN, "*.matching.cn"); RequiredPeerCredential sanUriRequirement = createRequiredCredential(SAN_URI, "myscheme://my/*/uri"); - PeerAuthorizer authorizer = createPeerAuthorizer(createPolicy(POLICY_1, createRoles(ROLE_1), cnRequirement, sanUriRequirement)); + PeerAuthorizer authorizer = createPeerAuthorizer(createPolicy(POLICY_1, cnRequirement, sanUriRequirement)); AuthorizationResult result = authorizer.authorizePeer(createCertificate("foo.matching.cn", singletonList("foo.irrelevant.san"), singletonList("myscheme://my/matching/uri"))); assertAuthorized(result); - assertThat(result.assumedRoles()).extracting(Role::name).containsOnly(ROLE_1); assertThat(result.matchedPolicies()).containsOnly(POLICY_1); assertUnauthorized(authorizer.authorizePeer(createCertificate("foo.matching.cn", emptyList(), singletonList("myscheme://my/nonmatching/url")))); @@ -133,16 +126,12 @@ public class PeerAuthorizerTest { return RequiredPeerCredential.of(field, pattern); } - private static Set<Role> createRoles(String... roleNames) { - return Arrays.stream(roleNames).map(Role::new).collect(toSet()); - } - private static PeerAuthorizer createPeerAuthorizer(PeerPolicy... policies) { return new PeerAuthorizer(new AuthorizedPeers(Arrays.stream(policies).collect(toSet()))); } - private static PeerPolicy createPolicy(String name, Set<Role> roles, RequiredPeerCredential... requiredCredentials) { - return new PeerPolicy(name, roles, asList(requiredCredentials)); + private static PeerPolicy createPolicy(String name, RequiredPeerCredential... requiredCredentials) { + return new PeerPolicy(name, asList(requiredCredentials)); } private static void assertAuthorized(AuthorizationResult result) { diff --git a/security-utils/src/test/java/com/yahoo/security/tls/json/TransportSecurityOptionsJsonSerializerTest.java b/security-utils/src/test/java/com/yahoo/security/tls/json/TransportSecurityOptionsJsonSerializerTest.java index 6bca49aee83..2cb262cecc0 100644 --- a/security-utils/src/test/java/com/yahoo/security/tls/json/TransportSecurityOptionsJsonSerializerTest.java +++ b/security-utils/src/test/java/com/yahoo/security/tls/json/TransportSecurityOptionsJsonSerializerTest.java @@ -5,7 +5,6 @@ import com.yahoo.security.tls.TransportSecurityOptions; import com.yahoo.security.tls.policy.AuthorizedPeers; import com.yahoo.security.tls.policy.PeerPolicy; import com.yahoo.security.tls.policy.RequiredPeerCredential; -import com.yahoo.security.tls.policy.Role; import org.junit.Rule; import org.junit.Test; import org.junit.rules.TemporaryFolder; @@ -26,7 +25,6 @@ import static com.yahoo.security.tls.policy.RequiredPeerCredential.Field.CN; import static com.yahoo.security.tls.policy.RequiredPeerCredential.Field.SAN_DNS; import static com.yahoo.security.tls.policy.RequiredPeerCredential.Field.SAN_URI; import static com.yahoo.test.json.JsonTestHelper.assertJsonEquals; -import static java.util.Collections.singleton; import static org.junit.Assert.assertEquals; /** @@ -47,11 +45,11 @@ public class TransportSecurityOptionsJsonSerializerTest { .withAuthorizedPeers( new AuthorizedPeers( new LinkedHashSet<>(Arrays.asList( - new PeerPolicy("cfgserver", "cfgserver policy description", singleton(new Role("myrole")), Arrays.asList( + new PeerPolicy("cfgserver", "cfgserver policy description", Arrays.asList( RequiredPeerCredential.of(CN, "mycfgserver"), RequiredPeerCredential.of(SAN_DNS, "*.suffix.com"), RequiredPeerCredential.of(SAN_URI, "myscheme://resource/path/"))), - new PeerPolicy("node", singleton(new Role("anotherrole")), Collections.singletonList(RequiredPeerCredential.of(CN, "hostname"))))))) + new PeerPolicy("node", Collections.singletonList(RequiredPeerCredential.of(CN, "hostname"))))))) .build(); ByteArrayOutputStream out = new ByteArrayOutputStream(); diff --git a/security-utils/src/test/java/com/yahoo/security/tls/policy/AuthorizedPeersTest.java b/security-utils/src/test/java/com/yahoo/security/tls/policy/AuthorizedPeersTest.java index c44a23ecf2b..3ad826d3996 100644 --- a/security-utils/src/test/java/com/yahoo/security/tls/policy/AuthorizedPeersTest.java +++ b/security-utils/src/test/java/com/yahoo/security/tls/policy/AuthorizedPeersTest.java @@ -4,11 +4,9 @@ package com.yahoo.security.tls.policy; import org.junit.Test; import java.util.HashSet; -import java.util.List; import static com.yahoo.security.tls.policy.RequiredPeerCredential.Field.CN; import static java.util.Arrays.asList; -import static java.util.Collections.singleton; import static java.util.Collections.singletonList; /** @@ -18,9 +16,8 @@ public class AuthorizedPeersTest { @Test(expected = IllegalArgumentException.class) public void throws_exception_on_peer_policies_with_duplicate_names() { - List<RequiredPeerCredential> requiredPeerCredential = singletonList(RequiredPeerCredential.of(CN, "mycfgserver")); - PeerPolicy peerPolicy1 = new PeerPolicy("duplicate-name", singleton(new Role("role")), requiredPeerCredential); - PeerPolicy peerPolicy2 = new PeerPolicy("duplicate-name", singleton(new Role("anotherrole")), requiredPeerCredential); + PeerPolicy peerPolicy1 = new PeerPolicy("duplicate-name", singletonList(RequiredPeerCredential.of(CN, "mycfgserver"))); + PeerPolicy peerPolicy2 = new PeerPolicy("duplicate-name", singletonList(RequiredPeerCredential.of(CN, "myclient"))); new AuthorizedPeers(new HashSet<>(asList(peerPolicy1, peerPolicy2))); } diff --git a/security-utils/src/test/resources/transport-security-options-with-authz-rules.json b/security-utils/src/test/resources/transport-security-options-with-authz-rules.json index ea0bee38c8a..06ed6e0943c 100644 --- a/security-utils/src/test/resources/transport-security-options-with-authz-rules.json +++ b/security-utils/src/test/resources/transport-security-options-with-authz-rules.json @@ -16,14 +16,12 @@ "must-match" : "myscheme://resource/path/" } ], "name" : "cfgserver", - "description" : "cfgserver policy description", - "roles" : [ "myrole" ] + "description" : "cfgserver policy description" }, { "required-credentials" : [ { "field" : "CN", "must-match" : "hostname" } ], - "name" : "node", - "roles" : [ "anotherrole" ] + "name" : "node" } ] }
\ No newline at end of file |