authorBjørn Christian Seime <bjorncs@oath.com>2018-11-22 13:22:24 +0100
committerBjørn Christian Seime <bjorncs@oath.com>2018-11-22 13:22:24 +0100
commit554dda4fbb69d66151486ca3ee881dc31334c8df (patch)
tree879a1e84d98a6edf4ec3aba27a6cf4f38b41cc1f /security-utils
parentd1313bb0425419f8a258e5e790e1bb35d4394e04 (diff)
Rename peerName->policyName, add assumed roles to PeerPolicy
Diffstat (limited to 'security-utils')
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/json/TransportSecurityOptionsEntity.java1
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/json/TransportSecurityOptionsJsonSerializer.java15
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/policy/AuthorizedPeers.java13
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/policy/PeerPolicy.java25
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/policy/Role.java40
-rw-r--r--security-utils/src/test/java/com/yahoo/security/tls/json/TransportSecurityOptionsJsonSerializerTest.java6
-rw-r--r--security-utils/src/test/java/com/yahoo/security/tls/policy/AuthorizedPeersTest.java26
7 files changed, 113 insertions, 13 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/json/TransportSecurityOptionsEntity.java b/security-utils/src/main/java/com/yahoo/security/tls/json/TransportSecurityOptionsEntity.java
index 7fad485f3de..80ef06d9cac 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/json/TransportSecurityOptionsEntity.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/json/TransportSecurityOptionsEntity.java
@@ -27,6 +27,7 @@ class TransportSecurityOptionsEntity {
static class AuthorizedPeer {
@JsonProperty("required-credentials") List<RequiredCredential> requiredCredentials = new ArrayList<>();
@JsonProperty("name") String name;
+ @JsonProperty("roles") List<String> roles = new ArrayList<>();
}
static class RequiredCredential {
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/json/TransportSecurityOptionsJsonSerializer.java b/security-utils/src/main/java/com/yahoo/security/tls/json/TransportSecurityOptionsJsonSerializer.java
index 47814546135..2e2148628e8 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/json/TransportSecurityOptionsJsonSerializer.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/json/TransportSecurityOptionsJsonSerializer.java
@@ -11,6 +11,7 @@ import com.yahoo.security.tls.policy.AuthorizedPeers;
import com.yahoo.security.tls.policy.HostGlobPattern;
import com.yahoo.security.tls.policy.PeerPolicy;
import com.yahoo.security.tls.policy.RequiredPeerCredential;
+import com.yahoo.security.tls.policy.Role;
import java.io.IOException;
import java.io.InputStream;
@@ -80,7 +81,16 @@ public class TransportSecurityOptionsJsonSerializer {
if (authorizedPeer.requiredCredentials.isEmpty()) {
throw missingFieldException("required-credentials");
}
- return new PeerPolicy(authorizedPeer.name, toRequestPeerCredentials(authorizedPeer.requiredCredentials));
+ if (authorizedPeer.roles.isEmpty()) {
+ throw missingFieldException("roles");
+ }
+ return new PeerPolicy(authorizedPeer.name, toRoles(authorizedPeer.roles), toRequestPeerCredentials(authorizedPeer.requiredCredentials));
+ }
+
+ private static Set<Role> toRoles(List<String> roles) {
+ return roles.stream()
+ .map(Role::new)
+ .collect(toSet());
}
private static List<RequiredPeerCredential> toRequestPeerCredentials(List<RequiredCredential> requiredCredentials) {
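Review bot: `authorizedPeer.roles.isEmpty()` raises a NullPointerException instead of the missing-field error when the document contains an explicit `"roles": null`, because the deserializer replaces the field's `new ArrayList<>()` initializer with null in that case; the existing `required-credentials` check just above has the same shape. `if (authorizedPeer.roles == null || authorizedPeer.roles.isEmpty()) {` gives both malformed inputs the same diagnostic. Separately, `toRoles` hands each string straight to `Role::new`, so an entry such as `""` or `" "` becomes a role without any complaint; trimming and rejecting blank names here (or in Role's constructor) is presumably intended. Whether `java.util.Set` and the static `toSet` are already imported cannot be seen from this hunk, and the method that contains the `roles` check starts before it.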
@@ -116,13 +126,14 @@ public class TransportSecurityOptionsJsonSerializer {
options.getAuthorizedPeers().ifPresent( authorizedPeers -> {
for (PeerPolicy peerPolicy : authorizedPeers.peerPolicies()) {
AuthorizedPeer authorizedPeer = new AuthorizedPeer();
- authorizedPeer.name = peerPolicy.peerName();
+ authorizedPeer.name = peerPolicy.policyName();
for (RequiredPeerCredential requiredPeerCredential : peerPolicy.requiredCredentials()) {
RequiredCredential requiredCredential = new RequiredCredential();
requiredCredential.field = toField(requiredPeerCredential.field());
requiredCredential.matchExpression = requiredPeerCredential.pattern().asString();
authorizedPeer.requiredCredentials.add(requiredCredential);
}
+ peerPolicy.assumedRoles().forEach(role -> authorizedPeer.roles.add(role.name()));
entity.authorizedPeers.add(authorizedPeer);
}
});
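Review bot: `peerPolicy.assumedRoles().forEach(role -> authorizedPeer.roles.add(role.name()))` writes the roles in the iteration order of a `Set`, which for the `toSet()` collector used on the read side is unspecified, so the serialized JSON of a policy with several roles is not stable across runs. If the output is ever diffed or stored, sorting is cheap: `peerPolicy.assumedRoles().stream().map(Role::name).sorted().forEach(authorizedPeer.roles::add);`. The enclosing method continues outside the hunk.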
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/policy/AuthorizedPeers.java b/security-utils/src/main/java/com/yahoo/security/tls/policy/AuthorizedPeers.java
index b5d295e29c8..d62219b2ebe 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/policy/AuthorizedPeers.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/policy/AuthorizedPeers.java
@@ -13,7 +13,18 @@ public class AuthorizedPeers {
private final Set<PeerPolicy> peerPolicies;
public AuthorizedPeers(Set<PeerPolicy> peerPolicies) {
- this.peerPolicies = Collections.unmodifiableSet(peerPolicies);
+ this.peerPolicies = verifyPeerPolicies(peerPolicies);
+ }
+
+ private Set<PeerPolicy> verifyPeerPolicies(Set<PeerPolicy> peerPolicies) {
+ long distinctNames = peerPolicies.stream()
+ .map(PeerPolicy::policyName)
+ .distinct()
+ .count();
+ if (distinctNames != peerPolicies.size()) {
+ throw new IllegalArgumentException("'authorized-peers' contains entries with duplicate names");
+ }
+ return Collections.unmodifiableSet(peerPolicies);
}
public Set<PeerPolicy> peerPolicies() {
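Review bot: `verifyPeerPolicies` checks for duplicate names once but then returns `Collections.unmodifiableSet(peerPolicies)` over the caller's own instance, so a caller that keeps its reference can add a second policy with the same name after construction and the check is never re-run. Snapshotting first closes that gap: `return Collections.unmodifiableSet(new HashSet<>(peerPolicies));` (a `java.util.HashSet` import is needed if the file does not already have one). A null `peerPolicies` reaches `.stream()` and fails with an unnamed NullPointerException; `Objects.requireNonNull(peerPolicies, "peerPolicies")` at the top of the method would name the argument. The method reads no instance state and could be `static`.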
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/policy/PeerPolicy.java b/security-utils/src/main/java/com/yahoo/security/tls/policy/PeerPolicy.java
index 77ee793777c..294f8543f43 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/policy/PeerPolicy.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/policy/PeerPolicy.java
@@ -4,22 +4,29 @@ package com.yahoo.security.tls.policy;
import java.util.Collections;
import java.util.List;
import java.util.Objects;
+import java.util.Set;
/**
* @author bjorncs
*/
public class PeerPolicy {
- private final String peerName;
+ private final String policyName;
+ private final Set<Role> assumedRoles;
private final List<RequiredPeerCredential> requiredCredentials;
- public PeerPolicy(String peerName, List<RequiredPeerCredential> requiredCredentials) {
- this.peerName = peerName;
+ public PeerPolicy(String policyName, Set<Role> assumedRoles, List<RequiredPeerCredential> requiredCredentials) {
+ this.policyName = policyName;
+ this.assumedRoles = assumedRoles;
this.requiredCredentials = Collections.unmodifiableList(requiredCredentials);
}
- public String peerName() {
- return peerName;
+ public String policyName() {
+ return policyName;
+ }
+
+ public Set<Role> assumedRoles() {
+ return assumedRoles;
}
public List<RequiredPeerCredential> requiredCredentials() {
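Review bot: `this.assumedRoles = assumedRoles;` stores the caller's set as-is, whereas `requiredCredentials` on the next line is wrapped in `Collections.unmodifiableList`; since `assumedRoles` now participates in `equals`/`hashCode` (the hunk at L143) and `PeerPolicy` instances are kept in a `Set` by `AuthorizedPeers`, a caller mutating that set after construction silently breaks membership lookups. `this.assumedRoles = Collections.unmodifiableSet(assumedRoles);` makes the two fields consistent using the import already present. The class and the new accessors `policyName()` and `assumedRoles()` have no Javadoc beyond `@author`; a sentence on what the policy name identifies and what a peer matching this policy is allowed to assume would help, as the identifiers are currently the only documentation.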
@@ -29,7 +36,8 @@ public class PeerPolicy {
@Override
public String toString() {
return "PeerPolicy{" +
- "peerName='" + peerName + '\'' +
+ "policyName='" + policyName + '\'' +
+ ", assumedRoles=" + assumedRoles +
", requiredCredentials=" + requiredCredentials +
'}';
}
@@ -39,12 +47,13 @@ public class PeerPolicy {
if (this == o) return true;
if (o == null || getClass() != o.getClass()) return false;
PeerPolicy that = (PeerPolicy) o;
- return Objects.equals(peerName, that.peerName) &&
+ return Objects.equals(policyName, that.policyName) &&
+ Objects.equals(assumedRoles, that.assumedRoles) &&
Objects.equals(requiredCredentials, that.requiredCredentials);
}
@Override
public int hashCode() {
- return Objects.hash(peerName, requiredCredentials);
+ return Objects.hash(policyName, assumedRoles, requiredCredentials);
}
}
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/policy/Role.java b/security-utils/src/main/java/com/yahoo/security/tls/policy/Role.java
new file mode 100644
index 00000000000..6d64ccff2c5
--- /dev/null
+++ b/security-utils/src/main/java/com/yahoo/security/tls/policy/Role.java
@@ -0,0 +1,40 @@
+// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.security.tls.policy;
+
+import java.util.Objects;
+
+/**
+ * @author bjorncs
+ */
+public class Role {
+
+ private final String name;
+
+ public Role(String name) {
+ this.name = name;
+ }
+
+ public String name() {
+ return name;
+ }
+
+ @Override
+ public String toString() {
+ return "Role{" +
+ "name='" + name + '\'' +
+ '}';
+ }
+
+ @Override
+ public boolean equals(Object o) {
+ if (this == o) return true;
+ if (o == null || getClass() != o.getClass()) return false;
+ Role role = (Role) o;
+ return Objects.equals(name, role.name);
+ }
+
+ @Override
+ public int hashCode() {
+ return Objects.hash(name);
+ }
+}
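Review bot: `Role(String name)` accepts a null or blank name without complaint, and `Objects.equals`/`Objects.hash` then treat a null-named role as a perfectly valid value; given that role names are authorization identifiers compared by string elsewhere in this commit, `this.name = Objects.requireNonNull(name, "name");` would fail fast at construction using the import already present. The class Javadoc carries only `@author`; a one-line summary such as `A role that an authorized peer may assume, identified by name.` (presumably the meaning, judging from the commit title) would document the type. Minor: `Objects.hash(name)` allocates a varargs array for a single field, and `Objects.hashCode(name)` is the non-allocating equivalent.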
diff --git a/security-utils/src/test/java/com/yahoo/security/tls/json/TransportSecurityOptionsJsonSerializerTest.java b/security-utils/src/test/java/com/yahoo/security/tls/json/TransportSecurityOptionsJsonSerializerTest.java
index a6e1de66c68..952c4d05972 100644
--- a/security-utils/src/test/java/com/yahoo/security/tls/json/TransportSecurityOptionsJsonSerializerTest.java
+++ b/security-utils/src/test/java/com/yahoo/security/tls/json/TransportSecurityOptionsJsonSerializerTest.java
@@ -5,6 +5,7 @@ import com.yahoo.security.tls.policy.AuthorizedPeers;
import com.yahoo.security.tls.policy.HostGlobPattern;
import com.yahoo.security.tls.policy.PeerPolicy;
import com.yahoo.security.tls.policy.RequiredPeerCredential;
+import com.yahoo.security.tls.policy.Role;
import org.junit.Test;
import java.io.ByteArrayInputStream;
@@ -15,6 +16,7 @@ import java.util.Collections;
import java.util.HashSet;
import static com.yahoo.security.tls.policy.RequiredPeerCredential.Field.*;
+import static java.util.Collections.singleton;
import static org.junit.Assert.*;
/**
@@ -30,10 +32,10 @@ public class TransportSecurityOptionsJsonSerializerTest {
.withAuthorizedPeers(
new AuthorizedPeers(
new HashSet<>(Arrays.asList(
- new PeerPolicy("cfgserver", Arrays.asList(
+ new PeerPolicy("cfgserver", singleton(new Role("myrole")), Arrays.asList(
new RequiredPeerCredential(CN, new HostGlobPattern("mycfgserver")),
new RequiredPeerCredential(SAN_DNS, new HostGlobPattern("*.suffix.com")))),
- new PeerPolicy("node", Collections.singletonList(new RequiredPeerCredential(CN, new HostGlobPattern("hostname"))))))))
+ new PeerPolicy("node", singleton(new Role("anotherrole")), Collections.singletonList(new RequiredPeerCredential(CN, new HostGlobPattern("hostname"))))))))
.build();
ByteArrayOutputStream out = new ByteArrayOutputStream();
diff --git a/security-utils/src/test/java/com/yahoo/security/tls/policy/AuthorizedPeersTest.java b/security-utils/src/test/java/com/yahoo/security/tls/policy/AuthorizedPeersTest.java
new file mode 100644
index 00000000000..ac201fcabbc
--- /dev/null
+++ b/security-utils/src/test/java/com/yahoo/security/tls/policy/AuthorizedPeersTest.java
@@ -0,0 +1,26 @@
+package com.yahoo.security.tls.policy;
+
+import org.junit.Test;
+
+import java.util.HashSet;
+import java.util.List;
+
+import static com.yahoo.security.tls.policy.RequiredPeerCredential.Field.CN;
+import static java.util.Arrays.asList;
+import static java.util.Collections.singleton;
+import static java.util.Collections.singletonList;
+
+/**
+ * @author bjorncs
+ */
+public class AuthorizedPeersTest {
+
+ @Test(expected = IllegalArgumentException.class)
+ public void throws_exception_on_peer_policies_with_duplicate_names() {
+ List<RequiredPeerCredential> requiredPeerCredential = singletonList(new RequiredPeerCredential(CN, new HostGlobPattern("mycfgserver")));
+ PeerPolicy peerPolicy1 = new PeerPolicy("duplicate-name", singleton(new Role("role")), requiredPeerCredential);
+ PeerPolicy peerPolicy2 = new PeerPolicy("duplicate-name", singleton(new Role("anotherrole")), requiredPeerCredential);
+ new AuthorizedPeers(new HashSet<>(asList(peerPolicy1, peerPolicy2)));
+ }
+
+} \ No newline at end of file
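Review bot: The new test file lacks the license header that the other new file in this commit, `Role.java`, carries on its first line, and it ends without a trailing newline. Only the rejecting path is exercised; a companion test that builds `AuthorizedPeers` from two policies with distinct names and asserts `peerPolicies().size() == 2` would pin the accepted behavior as well.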