Add test

author: Ola Aunronning <olaa@yahooinc.com> 2023-04-25 12:46:30 +0200
committer: Ola Aunronning <olaa@yahooinc.com> 2023-04-25 12:46:30 +0200
commit: d46b56f3f8577d8c4cc4b08f5f13b3b983ef7d2a (patch)
tree: 7b8b54ba5c1aa073f04060e8cc688e24001473f5 /vespa-athenz
parent: d74583acb0e5087567f1b977a72e82e48b2ea763 (diff)
2 files changed, 131 insertions, 3 deletions
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java
index 3d8f12e559d..77aaf17419d 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java
@@ -95,7 +95,7 @@ public final class AthenzIdentityProviderImpl extends AbstractComponent implemen
 
     @Inject
     public AthenzIdentityProviderImpl(IdentityConfig config, Metric metric) {
-        this(config, metric, CLIENT_TRUST_STORE, new ScheduledThreadPoolExecutor(1), Clock.systemUTC());
+        this(config, metric, CLIENT_TRUST_STORE, new ScheduledThreadPoolExecutor(1), Clock.systemUTC(), createAutoReloadingX509KeyManager(config));
     }
 
     // Test only
@@ -103,7 +103,8 @@ public final class AthenzIdentityProviderImpl extends AbstractComponent implemen
                                Metric metric,
                                Path trustStore,
                                ScheduledExecutorService scheduler,
-                               Clock clock) {
+                               Clock clock,
+                               AutoReloadingX509KeyManager autoReloadingX509KeyManager) {
         this.metric = metric;
         this.trustStore = trustStore;
         this.scheduler = scheduler;
@@ -117,7 +118,7 @@ public final class AthenzIdentityProviderImpl extends AbstractComponent implemen
         this.domainSpecificAccessTokenCache = createCache(ROLE_TOKEN_EXPIRY, this::createAccessToken);
         this.roleSpecificAccessTokenCache = createCache(ROLE_TOKEN_EXPIRY, this::createAccessToken);
         this.csrGenerator = new CsrGenerator(config.athenzDnsSuffix(), config.configserverIdentityName());
-        this.autoReloadingX509KeyManager = AutoReloadingX509KeyManager.fromPemFiles(privateKeyPath(),certificatePath());
+        this.autoReloadingX509KeyManager = autoReloadingX509KeyManager;
         this.identitySslContext = createIdentitySslContext(autoReloadingX509KeyManager, trustStore);
         this.scheduler.scheduleAtFixedRate(this::reportMetrics, 0, 5, TimeUnit.MINUTES);
     }
@@ -320,6 +321,11 @@ public final class AthenzIdentityProviderImpl extends AbstractComponent implemen
         return new DefaultZtsClient.Builder(ztsEndpoint).withSslContext(getIdentitySslContext()).build();
     }
 
+    private static AutoReloadingX509KeyManager createAutoReloadingX509KeyManager(IdentityConfig config) {
+        var tenantIdentity = new AthenzService(config.domain(), config.service());
+        return AutoReloadingX509KeyManager.fromPemFiles(SiaUtils.getPrivateKeyFile(tenantIdentity), SiaUtils.getCertificateFile(tenantIdentity));
+    }
+
     @Override
     public void deconstruct() {
         try {
diff --git a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImplTest.java b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImplTest.java
new file mode 100644
index 00000000000..108da9e0136
--- /dev/null
+++ b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImplTest.java
@@ -0,0 +1,122 @@
+// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.athenz.identityprovider.client;
+
+import com.yahoo.container.core.identity.IdentityConfig;
+import com.yahoo.jdisc.Metric;
+import com.yahoo.security.AutoReloadingX509KeyManager;
+import com.yahoo.security.KeyAlgorithm;
+import com.yahoo.security.KeyStoreBuilder;
+import com.yahoo.security.KeyStoreType;
+import com.yahoo.security.KeyStoreUtils;
+import com.yahoo.security.KeyUtils;
+import com.yahoo.security.Pkcs10Csr;
+import com.yahoo.security.Pkcs10CsrBuilder;
+import com.yahoo.security.SignatureAlgorithm;
+import com.yahoo.security.X509CertificateBuilder;
+import com.yahoo.security.X509CertificateWithKey;
+import com.yahoo.test.ManualClock;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.io.TempDir;
+
+import javax.security.auth.x500.X500Principal;
+import java.io.File;
+import java.io.IOException;
+import java.math.BigInteger;
+import java.nio.file.Path;
+import java.security.KeyPair;
+import java.security.cert.X509Certificate;
+import java.time.Duration;
+import java.time.Instant;
+import java.time.temporal.ChronoUnit;
+import java.util.Date;
+import java.util.concurrent.ScheduledExecutorService;
+import java.util.function.Supplier;
+
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.eq;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+
+public class AthenzIdentityProviderImplTest {
+
+    @TempDir
+    public File tempDir;
+
+    public static final Duration certificateValidity = Duration.ofDays(30);
+
+    private static final IdentityConfig IDENTITY_CONFIG =
+            new IdentityConfig(new IdentityConfig.Builder()
+                                       .service("tenantService")
+                                       .domain("tenantDomain")
+                                       .nodeIdentityName("vespa.tenant")
+                                       .configserverIdentityName("vespa.configserver")
+                                       .loadBalancerAddress("cfg")
+                                       .ztsUrl("https:localhost:4443/zts/v1")
+                                       .athenzDnsSuffix("dev-us-north-1.vespa.cloud"));
+
+    private final KeyPair caKeypair = KeyUtils.generateKeypair(KeyAlgorithm.EC);
+    private Path trustStoreFile;
+    private X509Certificate caCertificate;
+
+    @BeforeEach
+    public void createTrustStoreFile() throws IOException {
+        caCertificate = X509CertificateBuilder
+                .fromKeypair(
+                        caKeypair,
+                        new X500Principal("CN=mydummyca"),
+                        Instant.EPOCH,
+                        Instant.EPOCH.plus(10000, ChronoUnit.DAYS),
+                        SignatureAlgorithm.SHA256_WITH_ECDSA,
+                        BigInteger.ONE)
+                .build();
+        trustStoreFile = File.createTempFile("junit", null, tempDir).toPath();
+        KeyStoreUtils.writeKeyStoreToFile(
+                KeyStoreBuilder.withType(KeyStoreType.JKS)
+                        .withKeyEntry("default", caKeypair.getPrivate(), caCertificate)
+                        .build(),
+                trustStoreFile);
+    }
+
+    @Test
+    void certificate_expiry_metric_is_reported() {
+        ManualClock clock = new ManualClock(Instant.EPOCH);
+        Metric metric = mock(Metric.class);
+        AutoReloadingX509KeyManager keyManager = mock(AutoReloadingX509KeyManager.class);
+        KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.EC);
+        X509Certificate certificate = getCertificate(keyPair, getExpirationSupplier(clock));
+        when(keyManager.getCurrentCertificateWithKey()).thenReturn(new X509CertificateWithKey(certificate, keyPair.getPrivate()));
+
+        AthenzIdentityProviderImpl identityProvider = new AthenzIdentityProviderImpl(IDENTITY_CONFIG, metric, trustStoreFile, mock(ScheduledExecutorService.class), clock, keyManager);
+        identityProvider.reportMetrics();
+        verify(metric).set(eq(AthenzIdentityProviderImpl.CERTIFICATE_EXPIRY_METRIC_NAME), eq(certificateValidity.getSeconds()), any());
+
+        clock.advance(Duration.ofDays(1));
+        identityProvider.reportMetrics();
+        verify(metric).set(eq(AthenzIdentityProviderImpl.CERTIFICATE_EXPIRY_METRIC_NAME), eq(certificateValidity.minus(Duration.ofDays(1)).getSeconds()), any());
+
+        clock.advance(Duration.ofDays(1));
+        identityProvider.reportMetrics();
+        verify(metric).set(eq(AthenzIdentityProviderImpl.CERTIFICATE_EXPIRY_METRIC_NAME), eq(certificateValidity.minus(Duration.ofDays(2)).getSeconds()), any());
+    }
+
+    private Supplier<Date> getExpirationSupplier(ManualClock clock) {
+        return () -> new Date(clock.instant().plus(certificateValidity).toEpochMilli());
+    }
+
+    private X509Certificate getCertificate(KeyPair keyPair, Supplier<Date> expiry) {
+        Pkcs10Csr csr = Pkcs10CsrBuilder.fromKeypair(new X500Principal("CN=dummy"), keyPair, SignatureAlgorithm.SHA256_WITH_ECDSA)
+                .build();
+        return X509CertificateBuilder
+                .fromCsr(csr,
+                         caCertificate.getSubjectX500Principal(),
+                         Instant.EPOCH,
+                         expiry.get().toInstant(),
+                         caKeypair.getPrivate(),
+                         SignatureAlgorithm.SHA256_WITH_ECDSA,
+                         BigInteger.ONE)
+                .build();
+    }
+
+}
author	Ola Aunronning <olaa@yahooinc.com>	2023-04-25 12:46:30 +0200
committer	Ola Aunronning <olaa@yahooinc.com>	2023-04-25 12:46:30 +0200
commit	d46b56f3f8577d8c4cc4b08f5f13b3b983ef7d2a (patch)
tree	7b8b54ba5c1aa073f04060e8cc688e24001473f5 /vespa-athenz
parent	d74583acb0e5087567f1b977a72e82e48b2ea763 (diff)