diff options
| author | Tor Brede Vekterli <vekterli@oath.com> | 2018-11-20 12:27:37 +0000 |
|---|---|---|
| committer | Tor Brede Vekterli <vekterli@oath.com> | 2018-11-20 12:27:37 +0000 |
| commit | fa78e3273688c776c0b5f84468d7910232e26f40 (patch) | |
| tree | 448ee5d36ec6c3fd306a5661bad319bfbe2aacf8 /vespalib/src/tests/net/tls | |
| parent | a549b3d81757eb3670982c936c1312a939003816 (diff) | |
Rename `allowed-peers` to `authorized-peers`
Diffstat (limited to 'vespalib/src/tests/net/tls')
3 files changed, 74 insertions, 74 deletions
diff --git a/vespalib/src/tests/net/tls/openssl_impl/openssl_impl_test.cpp b/vespalib/src/tests/net/tls/openssl_impl/openssl_impl_test.cpp index 1ae4d622b4f..dbfd77aa1c4 100644 --- a/vespalib/src/tests/net/tls/openssl_impl/openssl_impl_test.cpp +++ b/vespalib/src/tests/net/tls/openssl_impl/openssl_impl_test.cpp @@ -418,9 +418,9 @@ struct CertFixture : Fixture { return {std::move(cert), std::move(key)}; } - void reset_client_with_cert_opts(const CertKeyWrapper& ck, AllowedPeers allowed) { + void reset_client_with_cert_opts(const CertKeyWrapper& ck, AuthorizedPeers authorized) { TransportSecurityOptions client_opts(root_ca.cert->to_pem(), ck.cert->to_pem(), - ck.key->private_to_pem(), std::move(allowed)); + ck.key->private_to_pem(), std::move(authorized)); client = create_openssl_codec(client_opts, CryptoCodec::Mode::Client); } @@ -429,9 +429,9 @@ struct CertFixture : Fixture { client = create_openssl_codec(client_opts, std::move(cert_cb), CryptoCodec::Mode::Client); } - void reset_server_with_cert_opts(const CertKeyWrapper& ck, AllowedPeers allowed) { + void reset_server_with_cert_opts(const CertKeyWrapper& ck, AuthorizedPeers authorized) { TransportSecurityOptions server_opts(root_ca.cert->to_pem(), ck.cert->to_pem(), - ck.key->private_to_pem(), std::move(allowed)); + ck.key->private_to_pem(), std::move(authorized)); server = create_openssl_codec(server_opts, CryptoCodec::Mode::Server); } @@ -541,46 +541,46 @@ TEST_F("Only DNS SANs are enumerated", CertFixture) { TEST_F("Client rejects server with certificate that DOES NOT match peer policy", CertFixture) { auto client_ck = f.create_ca_issued_peer_cert({"hello.world.example.com"}, {}); - auto allowed = allowed_peers({policy_with({required_san_dns("crash.wile.example.com")})}); - f.reset_client_with_cert_opts(client_ck, std::move(allowed)); + auto authorized = authorized_peers({policy_with({required_san_dns("crash.wile.example.com")})}); + f.reset_client_with_cert_opts(client_ck, std::move(authorized)); // crash.wile.example.com not present in certificate auto server_ck = f.create_ca_issued_peer_cert( {}, {{"DNS:birdseed.wile.example.com"}, {"DNS:roadrunner.wile.example.com"}}); - f.reset_server_with_cert_opts(server_ck, AllowedPeers::allow_all_authenticated()); + f.reset_server_with_cert_opts(server_ck, AuthorizedPeers::allow_all_authenticated()); EXPECT_FALSE(f.handshake()); } TEST_F("Client allows server with certificate that DOES match peer policy", CertFixture) { auto client_ck = f.create_ca_issued_peer_cert({"hello.world.example.com"}, {}); - auto allowed = allowed_peers({policy_with({required_san_dns("crash.wile.example.com")})}); - f.reset_client_with_cert_opts(client_ck, std::move(allowed)); + auto authorized = authorized_peers({policy_with({required_san_dns("crash.wile.example.com")})}); + f.reset_client_with_cert_opts(client_ck, std::move(authorized)); auto server_ck = f.create_ca_issued_peer_cert( {}, {{"DNS:birdseed.wile.example.com"}, {"DNS:crash.wile.example.com"}}); - f.reset_server_with_cert_opts(server_ck, AllowedPeers::allow_all_authenticated()); + f.reset_server_with_cert_opts(server_ck, AuthorizedPeers::allow_all_authenticated()); EXPECT_TRUE(f.handshake()); } TEST_F("Server rejects client with certificate that DOES NOT match peer policy", CertFixture) { auto server_ck = f.create_ca_issued_peer_cert({"hello.world.example.com"}, {}); - auto allowed = allowed_peers({policy_with({required_san_dns("crash.wile.example.com")})}); - f.reset_server_with_cert_opts(server_ck, std::move(allowed)); + auto authorized = authorized_peers({policy_with({required_san_dns("crash.wile.example.com")})}); + f.reset_server_with_cert_opts(server_ck, std::move(authorized)); // crash.wile.example.com not present in certificate auto client_ck = f.create_ca_issued_peer_cert( {}, {{"DNS:birdseed.wile.example.com"}, {"DNS:roadrunner.wile.example.com"}}); - f.reset_client_with_cert_opts(client_ck, AllowedPeers::allow_all_authenticated()); + f.reset_client_with_cert_opts(client_ck, AuthorizedPeers::allow_all_authenticated()); EXPECT_FALSE(f.handshake()); } TEST_F("Server allows client with certificate that DOES match peer policy", CertFixture) { auto server_ck = f.create_ca_issued_peer_cert({"hello.world.example.com"}, {}); - auto allowed = allowed_peers({policy_with({required_san_dns("crash.wile.example.com")})}); - f.reset_server_with_cert_opts(server_ck, std::move(allowed)); + auto authorized = authorized_peers({policy_with({required_san_dns("crash.wile.example.com")})}); + f.reset_server_with_cert_opts(server_ck, std::move(authorized)); auto client_ck = f.create_ca_issued_peer_cert( {}, {{"DNS:birdseed.wile.example.com"}, {"DNS:crash.wile.example.com"}}); - f.reset_client_with_cert_opts(client_ck, AllowedPeers::allow_all_authenticated()); + f.reset_client_with_cert_opts(client_ck, AuthorizedPeers::allow_all_authenticated()); EXPECT_TRUE(f.handshake()); } diff --git a/vespalib/src/tests/net/tls/policy_checking_certificate_verifier/policy_checking_certificate_verifier_test.cpp b/vespalib/src/tests/net/tls/policy_checking_certificate_verifier/policy_checking_certificate_verifier_test.cpp index 6e9e0304c89..ad45c217701 100644 --- a/vespalib/src/tests/net/tls/policy_checking_certificate_verifier/policy_checking_certificate_verifier_test.cpp +++ b/vespalib/src/tests/net/tls/policy_checking_certificate_verifier/policy_checking_certificate_verifier_test.cpp @@ -76,109 +76,109 @@ PeerCredentials creds_with_cn(vespalib::stringref cn) { return creds; } -bool verify(AllowedPeers allowed_peers, const PeerCredentials& peer_creds) { - auto verifier = create_verify_callback_from(std::move(allowed_peers)); +bool verify(AuthorizedPeers authorized_peers, const PeerCredentials& peer_creds) { + auto verifier = create_verify_callback_from(std::move(authorized_peers)); return verifier->verify(peer_creds); } -TEST("Default-constructed AllowedPeers does not allow all authenticated peers") { - EXPECT_FALSE(AllowedPeers().allows_all_authenticated()); +TEST("Default-constructed AuthorizedPeers does not allow all authenticated peers") { + EXPECT_FALSE(AuthorizedPeers().allows_all_authenticated()); } TEST("Specially constructed set of policies allows all authenticated peers") { - auto allow_all = AllowedPeers::allow_all_authenticated(); + auto allow_all = AuthorizedPeers::allow_all_authenticated(); EXPECT_TRUE(allow_all.allows_all_authenticated()); EXPECT_TRUE(verify(allow_all, creds_with_dns_sans({{"anything.goes"}}))); } TEST("Non-empty policies do not allow all authenticated peers") { - auto allow_not_all = allowed_peers({policy_with({required_san_dns("hello.world")})}); + auto allow_not_all = authorized_peers({policy_with({required_san_dns("hello.world")})}); EXPECT_FALSE(allow_not_all.allows_all_authenticated()); } TEST("SAN requirement without glob pattern is matched as exact string") { - auto allowed = allowed_peers({policy_with({required_san_dns("hello.world")})}); - EXPECT_TRUE(verify(allowed, creds_with_dns_sans({{"hello.world"}}))); - EXPECT_FALSE(verify(allowed, creds_with_dns_sans({{"foo.bar"}}))); - EXPECT_FALSE(verify(allowed, creds_with_dns_sans({{"hello.worlds"}}))); - EXPECT_FALSE(verify(allowed, creds_with_dns_sans({{"hhello.world"}}))); - EXPECT_FALSE(verify(allowed, creds_with_dns_sans({{"foo.hello.world"}}))); - EXPECT_FALSE(verify(allowed, creds_with_dns_sans({{"hello.world.bar"}}))); + auto authorized = authorized_peers({policy_with({required_san_dns("hello.world")})}); + EXPECT_TRUE(verify(authorized, creds_with_dns_sans({{"hello.world"}}))); + EXPECT_FALSE(verify(authorized, creds_with_dns_sans({{"foo.bar"}}))); + EXPECT_FALSE(verify(authorized, creds_with_dns_sans({{"hello.worlds"}}))); + EXPECT_FALSE(verify(authorized, creds_with_dns_sans({{"hhello.world"}}))); + EXPECT_FALSE(verify(authorized, creds_with_dns_sans({{"foo.hello.world"}}))); + EXPECT_FALSE(verify(authorized, creds_with_dns_sans({{"hello.world.bar"}}))); } TEST("SAN requirement can include glob wildcards") { - auto allowed = allowed_peers({policy_with({required_san_dns("*.w?rld")})}); - EXPECT_TRUE(verify(allowed, creds_with_dns_sans({{"hello.world"}}))); - EXPECT_TRUE(verify(allowed, creds_with_dns_sans({{"greetings.w0rld"}}))); - EXPECT_FALSE(verify(allowed, creds_with_dns_sans({{"hello.wrld"}}))); - EXPECT_FALSE(verify(allowed, creds_with_dns_sans({{"world"}}))); + auto authorized = authorized_peers({policy_with({required_san_dns("*.w?rld")})}); + EXPECT_TRUE(verify(authorized, creds_with_dns_sans({{"hello.world"}}))); + EXPECT_TRUE(verify(authorized, creds_with_dns_sans({{"greetings.w0rld"}}))); + EXPECT_FALSE(verify(authorized, creds_with_dns_sans({{"hello.wrld"}}))); + EXPECT_FALSE(verify(authorized, creds_with_dns_sans({{"world"}}))); } TEST("multi-SAN policy requires all SANs to be present in certificate") { - auto allowed = allowed_peers({policy_with({required_san_dns("hello.world"), - required_san_dns("foo.bar")})}); - EXPECT_TRUE(verify(allowed, creds_with_dns_sans({{"hello.world"}, {"foo.bar"}}))); + auto authorized = authorized_peers({policy_with({required_san_dns("hello.world"), + required_san_dns("foo.bar")})}); + EXPECT_TRUE(verify(authorized, creds_with_dns_sans({{"hello.world"}, {"foo.bar"}}))); // Need both - EXPECT_FALSE(verify(allowed, creds_with_dns_sans({{"hello.world"}}))); - EXPECT_FALSE(verify(allowed, creds_with_dns_sans({{"foo.bar"}}))); + EXPECT_FALSE(verify(authorized, creds_with_dns_sans({{"hello.world"}}))); + EXPECT_FALSE(verify(authorized, creds_with_dns_sans({{"foo.bar"}}))); // OK with more SANs that strictly required - EXPECT_TRUE(verify(allowed, creds_with_dns_sans({{"hello.world"}, {"foo.bar"}, {"baz.blorg"}}))); + EXPECT_TRUE(verify(authorized, creds_with_dns_sans({{"hello.world"}, {"foo.bar"}, {"baz.blorg"}}))); } TEST("wildcard SAN in certificate is not treated as a wildcard match by policy") { - auto allowed = allowed_peers({policy_with({required_san_dns("hello.world")})}); - EXPECT_FALSE(verify(allowed, creds_with_dns_sans({{"*.world"}}))); + auto authorized = authorized_peers({policy_with({required_san_dns("hello.world")})}); + EXPECT_FALSE(verify(authorized, creds_with_dns_sans({{"*.world"}}))); } TEST("wildcard SAN in certificate is still matched by wildcard policy SAN") { - auto allowed = allowed_peers({policy_with({required_san_dns("*.world")})}); - EXPECT_TRUE(verify(allowed, creds_with_dns_sans({{"*.world"}}))); + auto authorized = authorized_peers({policy_with({required_san_dns("*.world")})}); + EXPECT_TRUE(verify(authorized, creds_with_dns_sans({{"*.world"}}))); } struct MultiPolicyMatchFixture { - AllowedPeers allowed; + AuthorizedPeers authorized; MultiPolicyMatchFixture(); ~MultiPolicyMatchFixture(); }; MultiPolicyMatchFixture::MultiPolicyMatchFixture() - : allowed(allowed_peers({policy_with({required_san_dns("hello.world")}), - policy_with({required_san_dns("foo.bar")}), - policy_with({required_san_dns("zoid.berg")})})) + : authorized(authorized_peers({policy_with({required_san_dns("hello.world")}), + policy_with({required_san_dns("foo.bar")}), + policy_with({required_san_dns("zoid.berg")})})) {} MultiPolicyMatchFixture::~MultiPolicyMatchFixture() = default; TEST_F("peer verifies if it matches at least 1 policy of multiple", MultiPolicyMatchFixture) { - EXPECT_TRUE(verify(f.allowed, creds_with_dns_sans({{"hello.world"}}))); - EXPECT_TRUE(verify(f.allowed, creds_with_dns_sans({{"foo.bar"}}))); - EXPECT_TRUE(verify(f.allowed, creds_with_dns_sans({{"zoid.berg"}}))); + EXPECT_TRUE(verify(f.authorized, creds_with_dns_sans({{"hello.world"}}))); + EXPECT_TRUE(verify(f.authorized, creds_with_dns_sans({{"foo.bar"}}))); + EXPECT_TRUE(verify(f.authorized, creds_with_dns_sans({{"zoid.berg"}}))); } TEST_F("peer verifies if it matches multiple policies", MultiPolicyMatchFixture) { - EXPECT_TRUE(verify(f.allowed, creds_with_dns_sans({{"hello.world"}, {"zoid.berg"}}))); + EXPECT_TRUE(verify(f.authorized, creds_with_dns_sans({{"hello.world"}, {"zoid.berg"}}))); } TEST_F("peer must match at least 1 of multiple policies", MultiPolicyMatchFixture) { - EXPECT_FALSE(verify(f.allowed, creds_with_dns_sans({{"does.not.exist"}}))); + EXPECT_FALSE(verify(f.authorized, creds_with_dns_sans({{"does.not.exist"}}))); } TEST("CN requirement without glob pattern is matched as exact string") { - auto allowed = allowed_peers({policy_with({required_cn("hello.world")})}); - EXPECT_TRUE(verify(allowed, creds_with_cn("hello.world"))); - EXPECT_FALSE(verify(allowed, creds_with_cn("foo.bar"))); - EXPECT_FALSE(verify(allowed, creds_with_cn("hello.worlds"))); - EXPECT_FALSE(verify(allowed, creds_with_cn("hhello.world"))); - EXPECT_FALSE(verify(allowed, creds_with_cn("foo.hello.world"))); - EXPECT_FALSE(verify(allowed, creds_with_cn("hello.world.bar"))); + auto authorized = authorized_peers({policy_with({required_cn("hello.world")})}); + EXPECT_TRUE(verify(authorized, creds_with_cn("hello.world"))); + EXPECT_FALSE(verify(authorized, creds_with_cn("foo.bar"))); + EXPECT_FALSE(verify(authorized, creds_with_cn("hello.worlds"))); + EXPECT_FALSE(verify(authorized, creds_with_cn("hhello.world"))); + EXPECT_FALSE(verify(authorized, creds_with_cn("foo.hello.world"))); + EXPECT_FALSE(verify(authorized, creds_with_cn("hello.world.bar"))); } TEST("CN requirement can include glob wildcards") { - auto allowed = allowed_peers({policy_with({required_cn("*.w?rld")})}); - EXPECT_TRUE(verify(allowed, creds_with_cn("hello.world"))); - EXPECT_TRUE(verify(allowed, creds_with_cn("greetings.w0rld"))); - EXPECT_FALSE(verify(allowed, creds_with_cn("hello.wrld"))); - EXPECT_FALSE(verify(allowed, creds_with_cn("world"))); + auto authorized = authorized_peers({policy_with({required_cn("*.w?rld")})}); + EXPECT_TRUE(verify(authorized, creds_with_cn("hello.world"))); + EXPECT_TRUE(verify(authorized, creds_with_cn("greetings.w0rld"))); + EXPECT_FALSE(verify(authorized, creds_with_cn("hello.wrld"))); + EXPECT_FALSE(verify(authorized, creds_with_cn("world"))); } // TODO test CN _and_ SAN diff --git a/vespalib/src/tests/net/tls/transport_options/transport_options_reading_test.cpp b/vespalib/src/tests/net/tls/transport_options/transport_options_reading_test.cpp index 380bb0a3d71..1a442dc54f0 100644 --- a/vespalib/src/tests/net/tls/transport_options/transport_options_reading_test.cpp +++ b/vespalib/src/tests/net/tls/transport_options/transport_options_reading_test.cpp @@ -66,7 +66,7 @@ vespalib::string json_with_policies(const vespalib::string& policies) { const char* fmt = R"({"files":{"private-key":"dummy_privkey.txt", "certificates":"dummy_certs.txt", "ca-certificates":"dummy_ca_certs.txt"}, - "allowed-peers":[%s]})"; + "authorized-peers":[%s]})"; return vespalib::make_string(fmt, policies.c_str()); } @@ -74,18 +74,18 @@ TransportSecurityOptions parse_policies(const vespalib::string& policies) { return *read_options_from_json_string(json_with_policies(policies)); } -TEST("config file without allowed-peers accepts all pre-verified certificates") { +TEST("config file without authorized-peers accepts all pre-verified certificates") { const char* json = R"({"files":{"private-key":"dummy_privkey.txt", "certificates":"dummy_certs.txt", "ca-certificates":"dummy_ca_certs.txt"}})"; - EXPECT_TRUE(read_options_from_json_string(json)->allowed_peers().allows_all_authenticated()); + EXPECT_TRUE(read_options_from_json_string(json)->authorized_peers().allows_all_authenticated()); } // Instead of contemplating what the semantics of an empty allow list should be, // we do the easy way out and just say it's not allowed in the first place. TEST("empty policy array throws exception") { EXPECT_EXCEPTION(parse_policies(""), vespalib::IllegalArgumentException, - "\"allowed-peers\" must either be not present (allows " + "\"authorized-peers\" must either be not present (allows " "all peers with valid certificates) or a non-empty array"); } @@ -95,8 +95,8 @@ TEST("can parse single peer policy with single requirement") { {"field": "SAN_DNS", "must-match": "hello.world"} ] })"; - EXPECT_EQUAL(allowed_peers({policy_with({required_san_dns("hello.world")})}), - parse_policies(json).allowed_peers()); + EXPECT_EQUAL(authorized_peers({policy_with({required_san_dns("hello.world")})}), + parse_policies(json).authorized_peers()); } TEST("can parse single peer policy with multiple requirements") { @@ -106,9 +106,9 @@ TEST("can parse single peer policy with multiple requirements") { {"field": "CN", "must-match": "goodbye.moon"} ] })"; - EXPECT_EQUAL(allowed_peers({policy_with({required_san_dns("hello.world"), - required_cn("goodbye.moon")})}), - parse_policies(json).allowed_peers()); + EXPECT_EQUAL(authorized_peers({policy_with({required_san_dns("hello.world"), + required_cn("goodbye.moon")})}), + parse_policies(json).authorized_peers()); } TEST("unknown field type throws exception") { |