author | Bjørn Christian Seime <bjorncs@oath.com> | 2018-07-09 15:13:33 +0200 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@oath.com> | 2018-07-09 15:22:53 +0200 |
commit | 3588ab015c45e5e8682e9a9299cabec25937d9d8 (patch) | |
tree | 4911645bf82062d85402ba2329358914733e812e /vespa-athenz/src/test | |
parent | 257bfcde6220c40e7ceab46d1f5b5ab8c5e650a0 (diff) |
Move NTokenValidator to vespa-athenz + load pub keys from file
- Move NTokenValidator from controller-server to vespa-athenz
- Remodel ZmsKeystore as AthenzTruststore
- Use file-backed truststore on controller (replaces download of public keys)
- Remove ZmsClient.getPublicKey/getPublicKeys
Diffstat (limited to 'vespa-athenz/src/test')
-rw-r--r-- | vespa-athenz/src/test/java/com/yahoo/vespa/athenz/utils/ntoken/NTokenValidatorTest.java | 87 |
1 files changed, 87 insertions, 0 deletions
diff --git a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/utils/ntoken/NTokenValidatorTest.java b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/utils/ntoken/NTokenValidatorTest.java
new file mode 100644
index 00000000000..0e70993792f
--- /dev/null
+++ b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/utils/ntoken/NTokenValidatorTest.java
@@ -0,0 +1,87 @@
+// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.athenz.utils.ntoken;
+
+import com.yahoo.athenz.auth.token.PrincipalToken;
+import com.yahoo.vespa.athenz.api.AthenzIdentity;
+import com.yahoo.vespa.athenz.api.AthenzPrincipal;
+import com.yahoo.vespa.athenz.api.AthenzUser;
+import com.yahoo.vespa.athenz.api.NToken;
+import com.yahoo.vespa.athenz.tls.KeyAlgorithm;
+import com.yahoo.vespa.athenz.tls.KeyUtils;
+import com.yahoo.vespa.athenz.utils.ntoken.NTokenValidator.InvalidTokenException;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.rules.ExpectedException;
+
+import java.security.KeyPair;
+import java.security.PrivateKey;
+import java.time.Instant;
+import java.util.Optional;
+
+import static org.junit.Assert.assertEquals;
+
+/**
+ * @author bjorncs
+ */
+public class NTokenValidatorTest {
+
+ private static final KeyPair TRUSTED_KEY = KeyUtils.generateKeypair(KeyAlgorithm.RSA);
+ private static final KeyPair UNKNOWN_KEY = KeyUtils.generateKeypair(KeyAlgorithm.RSA);
+ private static final AthenzIdentity IDENTITY = AthenzUser.fromUserId("myuser");
+
+ @Rule
+ public ExpectedException exceptionRule = ExpectedException.none();
+
+ @Test
+ public void valid_token_is_accepted() throws InvalidTokenException {
+ NTokenValidator validator = new NTokenValidator(createTruststore());
+ NToken token = createNToken(IDENTITY, Instant.now(), TRUSTED_KEY.getPrivate(), "0");
+ AthenzPrincipal principal = validator.validate(token);
+ assertEquals("user.myuser", principal.getIdentity().getFullName());
+ }
+
+ @Test
+ public void invalid_signature_is_not_accepted() throws InvalidTokenException {
+ NTokenValidator validator = new NTokenValidator(createTruststore());
+ NToken token = createNToken(IDENTITY, Instant.now(), UNKNOWN_KEY.getPrivate(), "0");
+ exceptionRule.expect(InvalidTokenException.class);
+ exceptionRule.expectMessage("NToken is expired or has invalid signature");
+ validator.validate(token);
+ }
+
+ @Test
+ public void expired_token_is_not_accepted() throws InvalidTokenException {
+ NTokenValidator validator = new NTokenValidator(createTruststore());
+ NToken token = createNToken(IDENTITY, Instant.ofEpochMilli(1234) /*long time ago*/, TRUSTED_KEY.getPrivate(), "0");
+ exceptionRule.expect(InvalidTokenException.class);
+ exceptionRule.expectMessage("NToken is expired or has invalid signature");
+ validator.validate(token);
+ }
+
+ @Test
+ public void unknown_keyId_is_not_accepted() throws InvalidTokenException {
+ NTokenValidator validator = new NTokenValidator(createTruststore());
+ NToken token = createNToken(IDENTITY, Instant.now(), TRUSTED_KEY.getPrivate(), "unknown-key-id");
+ exceptionRule.expect(InvalidTokenException.class);
+ exceptionRule.expectMessage("NToken has an unknown keyId");
+ validator.validate(token);
+ }
+
+ private static AthenzTruststore createTruststore() {
+ return keyId -> keyId.equals("0") ? Optional.of(TRUSTED_KEY.getPublic()) : Optional.empty();
+ }
+
+ private static NToken createNToken(AthenzIdentity identity, Instant issueTime, PrivateKey privateKey, String keyId) {
+ PrincipalToken token = new PrincipalToken.Builder("U1", identity.getDomain().getName(), identity.getName())
+ .keyId(keyId)
+ .salt("1234")
+ .host("host")
+ .ip("1.2.3.4")
+ .issueTime(issueTime.getEpochSecond())
+ .expirationWindow(1000)
+ .build();
+ token.sign(privateKey);
+ return new NToken(token.getSignedToken());
+ }
+
+} |
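Review bot: The new test class never exercises the property that actually matters for a signed credential — that a token whose signed fields were modified after signing is rejected; `invalid_signature_is_not_accepted` only covers a token signed by the wrong key, and `valid_token_is_accepted` asserts that the principal is read from the `n=` field, so a tampered-payload case (same signature, different name/domain) is the one a regression in NTokenValidator would most plausibly miss. Since `createNToken` wraps the raw signed string, a tampered token can be built by editing that string before wrapping, as in the fence below (the exact field prefix and the accessor for the raw string should be confirmed against PrincipalToken and NToken; I am inferring `n=` and `getRawToken()`). It would also be worth a not-yet-valid case (issue time well in the future, still signed by TRUSTED_KEY), since the expired case at `Instant.ofEpochMilli(1234)` only pins the lower bound of the validity window. Minor: `createTruststore` does `keyId.equals("0")`, which throws NPE rather than returning empty for a null keyId; `"0".equals(keyId)` is the safer form even in a test helper.
```java
    @Test
    public void tampered_token_is_not_accepted() throws InvalidTokenException {
        NTokenValidator validator = new NTokenValidator(createTruststore());
        NToken token = createNToken(IDENTITY, Instant.now(), TRUSTED_KEY.getPrivate(), "0");
        // Keep the original signature but alter a signed field (name field prefix "n=" — confirm against PrincipalToken)
        NToken tampered = new NToken(token.getRawToken().replace("n=myuser", "n=otheruser"));
        exceptionRule.expect(InvalidTokenException.class);
        exceptionRule.expectMessage("NToken is expired or has invalid signature");
        validator.validate(tampered);
    }
    // … unchanged: remaining tests and helpers …
```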