Allow applications to re-use SSLContext returned by provider

- Use MutableX509KeyManager instead of re-creating SSLContext when credentials are updated. - Make AthenzIdentityProviderImpl responsible for creating initial SSLContext. - Use proper x509 certificates and keys in unit test instead of Mockito mocks.
author: Bjørn Christian Seime <bjorncs@verizonmedia.com> 2019-07-03 15:09:47 +0200
committer: Bjørn Christian Seime <bjorncs@verizonmedia.com> 2019-07-03 15:15:56 +0200
commit: ab13fe34bc30ffab153aab1b74e512781d8012c2 (patch)
tree: 51b2f9e005adc228cf453c3aa36a7bdc73595be6 /vespa-athenz/src/test
parent: 15e75a0691dfd63a704b0ef5cf4389312e903e85 (diff)
1 files changed, 57 insertions, 9 deletions
diff --git a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImplTest.java b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImplTest.java
index 01dab2dada3..c584b803815 100644
--- a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImplTest.java
+++ b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImplTest.java
@@ -4,14 +4,30 @@ package com.yahoo.vespa.athenz.identityprovider.client;
 import com.yahoo.container.core.identity.IdentityConfig;
 import com.yahoo.container.jdisc.athenz.AthenzIdentityProviderException;
 import com.yahoo.jdisc.Metric;
+import com.yahoo.security.KeyAlgorithm;
+import com.yahoo.security.KeyStoreBuilder;
+import com.yahoo.security.KeyStoreType;
+import com.yahoo.security.KeyStoreUtils;
+import com.yahoo.security.KeyUtils;
+import com.yahoo.security.Pkcs10Csr;
+import com.yahoo.security.Pkcs10CsrBuilder;
+import com.yahoo.security.SignatureAlgorithm;
+import com.yahoo.security.X509CertificateBuilder;
 import com.yahoo.test.ManualClock;
+import org.junit.Before;
 import org.junit.Rule;
 import org.junit.Test;
 import org.junit.rules.TemporaryFolder;
 
+import javax.security.auth.x500.X500Principal;
+import java.io.IOException;
+import java.math.BigInteger;
+import java.nio.file.Path;
+import java.security.KeyPair;
 import java.security.cert.X509Certificate;
 import java.time.Duration;
 import java.time.Instant;
+import java.time.temporal.ChronoUnit;
 import java.util.Date;
 import java.util.concurrent.ScheduledExecutorService;
 import java.util.function.Supplier;
@@ -43,13 +59,36 @@ public class AthenzIdentityProviderImplTest {
                                        .ztsUrl("https:localhost:4443/zts/v1")
                                        .athenzDnsSuffix("dev-us-north-1.vespa.cloud"));
 
+    private final KeyPair caKeypair = KeyUtils.generateKeypair(KeyAlgorithm.EC);
+    private Path trustStoreFile;
+    private X509Certificate caCertificate;
+
+    @Before
+    public void createTrustStoreFile() throws IOException {
+        caCertificate = X509CertificateBuilder
+                .fromKeypair(
+                        caKeypair,
+                        new X500Principal("CN=mydummyca"),
+                        Instant.EPOCH,
+                        Instant.EPOCH.plus(10000, ChronoUnit.DAYS),
+                        SignatureAlgorithm.SHA256_WITH_ECDSA,
+                        BigInteger.ONE)
+                .build();
+        trustStoreFile = tempDir.newFile().toPath();
+        KeyStoreUtils.writeKeyStoreToFile(
+                KeyStoreBuilder.withType(KeyStoreType.JKS)
+                        .withKeyEntry("default", caKeypair.getPrivate(), caCertificate)
+                        .build(),
+                trustStoreFile);
+    }
+
     @Test(expected = AthenzIdentityProviderException.class)
     public void component_creation_fails_when_credentials_not_found() {
         AthenzCredentialsService credentialService = mock(AthenzCredentialsService.class);
         when(credentialService.registerInstance())
                 .thenThrow(new RuntimeException("athenz unavailable"));
 
-        new AthenzIdentityProviderImpl(IDENTITY_CONFIG, mock(Metric.class), credentialService, mock(ScheduledExecutorService.class), new ManualClock(Instant.EPOCH));
+        new AthenzIdentityProviderImpl(IDENTITY_CONFIG, mock(Metric.class), trustStoreFile ,credentialService, mock(ScheduledExecutorService.class), new ManualClock(Instant.EPOCH));
     }
 
     @Test
@@ -59,18 +98,19 @@ public class AthenzIdentityProviderImplTest {
 
         AthenzCredentialsService athenzCredentialsService = mock(AthenzCredentialsService.class);
 
-        X509Certificate certificate = getCertificate(getExpirationSupplier(clock));
+        KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.EC);
+        X509Certificate certificate = getCertificate(keyPair, getExpirationSupplier(clock));
 
         when(athenzCredentialsService.registerInstance())
-                .thenReturn(new AthenzCredentials(certificate, null, null, null));
+                .thenReturn(new AthenzCredentials(certificate, keyPair, null));
 
         when(athenzCredentialsService.updateCredentials(any(), any()))
                 .thenThrow(new RuntimeException("#1"))
                 .thenThrow(new RuntimeException("#2"))
-                .thenReturn(new AthenzCredentials(certificate, null, null, null));
+                .thenReturn(new AthenzCredentials(certificate, keyPair, null));
 
         AthenzIdentityProviderImpl identityProvider =
-                new AthenzIdentityProviderImpl(IDENTITY_CONFIG, metric, athenzCredentialsService, mock(ScheduledExecutorService.class), clock);
+                new AthenzIdentityProviderImpl(IDENTITY_CONFIG, metric, trustStoreFile, athenzCredentialsService, mock(ScheduledExecutorService.class), clock);
 
         identityProvider.reportMetrics();
         verify(metric).set(eq(AthenzIdentityProviderImpl.CERTIFICATE_EXPIRY_METRIC_NAME), eq(certificateValidity.getSeconds()), any());
@@ -99,10 +139,18 @@ public class AthenzIdentityProviderImplTest {
         return () -> new Date(clock.instant().plus(certificateValidity).toEpochMilli());
     }
 
-    private X509Certificate getCertificate(Supplier<Date> expiry) {
-        X509Certificate x509Certificate = mock(X509Certificate.class);
-        when(x509Certificate.getNotAfter()).thenReturn(expiry.get());
-        return x509Certificate;
+    private X509Certificate getCertificate(KeyPair keyPair, Supplier<Date> expiry) {
+        Pkcs10Csr csr = Pkcs10CsrBuilder.fromKeypair(new X500Principal("CN=dummy"), keyPair, SignatureAlgorithm.SHA256_WITH_ECDSA)
+                .build();
+        return X509CertificateBuilder
+                .fromCsr(csr,
+                         caCertificate.getSubjectX500Principal(),
+                         Instant.EPOCH,
+                         expiry.get().toInstant(),
+                         caKeypair.getPrivate(),
+                         SignatureAlgorithm.SHA256_WITH_ECDSA,
+                         BigInteger.ONE)
+                .build();
     }
 
 }
author	Bjørn Christian Seime <bjorncs@verizonmedia.com>	2019-07-03 15:09:47 +0200
committer	Bjørn Christian Seime <bjorncs@verizonmedia.com>	2019-07-03 15:15:56 +0200
commit	ab13fe34bc30ffab153aab1b74e512781d8012c2 (patch)
tree	51b2f9e005adc228cf453c3aa36a7bdc73595be6 /vespa-athenz/src/test
parent	15e75a0691dfd63a704b0ef5cf4389312e903e85 (diff)