Diffstat (limited to 'jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzPrincipalFilterTest.java')
-rw-r--r--jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzPrincipalFilterTest.java99
1 files changed, 9 insertions, 90 deletions
diff --git a/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzPrincipalFilterTest.java b/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzPrincipalFilterTest.java
index 366dbb79f74..a4e85b9f63c 100644
--- a/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzPrincipalFilterTest.java
+++ b/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzPrincipalFilterTest.java
@@ -6,16 +6,12 @@ import com.yahoo.jdisc.handler.ContentChannel;
import com.yahoo.jdisc.handler.ReadableContentChannel;
import com.yahoo.jdisc.handler.ResponseHandler;
import com.yahoo.jdisc.http.filter.DiscFilterRequest;
-import com.yahoo.vespa.athenz.api.AthenzIdentity;
-import com.yahoo.vespa.athenz.api.AthenzPrincipal;
-import com.yahoo.vespa.athenz.api.AthenzUser;
-import com.yahoo.vespa.athenz.api.NToken;
import com.yahoo.security.KeyAlgorithm;
import com.yahoo.security.KeyUtils;
import com.yahoo.security.X509CertificateBuilder;
-import com.yahoo.vespa.athenz.utils.ntoken.NTokenValidator;
-import org.jetbrains.annotations.NotNull;
-import org.junit.Before;
+import com.yahoo.vespa.athenz.api.AthenzIdentity;
+import com.yahoo.vespa.athenz.api.AthenzPrincipal;
+import com.yahoo.vespa.athenz.api.AthenzUser;
import org.junit.Test;
import javax.security.auth.x500.X500Principal;
@@ -29,13 +25,10 @@ import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.util.Objects;
-import java.util.Set;
import static com.yahoo.jdisc.Response.Status.UNAUTHORIZED;
import static com.yahoo.security.SignatureAlgorithm.SHA256_WITH_ECDSA;
-import static com.yahoo.security.SignatureAlgorithm.SHA256_WITH_RSA;
import static java.util.Collections.emptyList;
-import static java.util.Collections.singleton;
import static java.util.Collections.singletonList;
import static java.util.stream.Collectors.joining;
import static org.hamcrest.CoreMatchers.containsString;
@@ -52,40 +45,12 @@ import static org.mockito.Mockito.when;
*/
public class AthenzPrincipalFilterTest {
- private static final NToken NTOKEN = new NToken("dummy");
- private static final String ATHENZ_PRINCIPAL_HEADER = "Athenz-Principal-Auth";
private static final AthenzIdentity IDENTITY = AthenzUser.fromUserId("bob");
private static final X509Certificate CERTIFICATE = createSelfSignedCertificate(IDENTITY);
- private NTokenValidator validator;
-
- @Before
- public void before() {
- validator = mock(NTokenValidator.class);
- }
-
- @Test
- public void valid_ntoken_is_accepted() {
- DiscFilterRequest request = createRequestMock();
- AthenzPrincipal principal = new AthenzPrincipal(IDENTITY, NTOKEN);
- when(request.getHeader(ATHENZ_PRINCIPAL_HEADER)).thenReturn(NTOKEN.getRawToken());
- when(request.getClientCertificateChain()).thenReturn(emptyList());
- when(validator.validate(NTOKEN)).thenReturn(principal);
-
- AthenzPrincipalFilter filter = createFilter(false);
- filter.filter(request, new ResponseHandlerMock());
-
- assertAuthenticated(request, principal);
- }
-
- private DiscFilterRequest createRequestMock() {
- return mock(DiscFilterRequest.class);
- }
-
@Test
- public void missing_token_and_certificate_is_unauthorized() {
+ public void missing_certificate_is_unauthorized() {
DiscFilterRequest request = createRequestMock();
- when(request.getHeader(ATHENZ_PRINCIPAL_HEADER)).thenReturn(null);
when(request.getClientCertificateChain()).thenReturn(emptyList());
ResponseHandlerMock responseHandler = new ResponseHandlerMock();
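Review bot: `missing_certificate_is_unauthorized` is now the only negative test in this hunk, and it covers just an empty chain from `getClientCertificateChain()`; once the NToken path is gone the certificate subject becomes the sole source of identity, so the rejection of a certificate whose subject does not parse as an Athenz identity is no longer exercised anywhere in the visible tests. I would add a sibling test that stubs `getClientCertificateChain()` with a certificate built from a non-identity subject and checks it through `assertUnauthorized(...)` with the filter's message for that case, so a future relaxation of the subject parsing cannot silently turn any client certificate into an authenticated principal. If `getClientCertificateChain()` can return `null` rather than an empty list (not visible here), a test for that too, since `emptyList()` is the only stub used. The `AthenzPrincipalFilterTest` class body continues outside this hunk.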
@@ -97,25 +62,8 @@ public class AthenzPrincipalFilterTest {
}
@Test
- public void invalid_token_is_unauthorized() {
- DiscFilterRequest request = createRequestMock();
- String errorMessage = "Invalid token";
- when(request.getHeader(ATHENZ_PRINCIPAL_HEADER)).thenReturn(NTOKEN.getRawToken());
- when(request.getClientCertificateChain()).thenReturn(emptyList());
- when(validator.validate(NTOKEN)).thenThrow(new NTokenValidator.InvalidTokenException(errorMessage));
-
- ResponseHandlerMock responseHandler = new ResponseHandlerMock();
-
- AthenzPrincipalFilter filter = createFilter(false);
- filter.filter(request, responseHandler);
-
- assertUnauthorized(request, responseHandler, errorMessage);
- }
-
- @Test
public void certificate_is_accepted() {
DiscFilterRequest request = createRequestMock();
- when(request.getHeader(ATHENZ_PRINCIPAL_HEADER)).thenReturn(null);
when(request.getClientCertificateChain()).thenReturn(singletonList(CERTIFICATE));
ResponseHandlerMock responseHandler = new ResponseHandlerMock();
@@ -132,43 +80,10 @@ public class AthenzPrincipalFilterTest {
verify(request).setAttribute(AthenzPrincipalFilter.RESULT_PRINCIPAL, expectedPrincipal);
}
- @Test
- public void both_ntoken_and_certificate_is_accepted() {
- DiscFilterRequest request = createRequestMock();
- AthenzPrincipal principalWithToken = new AthenzPrincipal(IDENTITY, NTOKEN);
- when(request.getHeader(ATHENZ_PRINCIPAL_HEADER)).thenReturn(NTOKEN.getRawToken());
- when(request.getClientCertificateChain()).thenReturn(singletonList(CERTIFICATE));
- when(validator.validate(NTOKEN)).thenReturn(principalWithToken);
-
- ResponseHandlerMock responseHandler = new ResponseHandlerMock();
-
- AthenzPrincipalFilter filter = createFilter(false);
- filter.filter(request, responseHandler);
-
- assertAuthenticated(request, principalWithToken);
- }
-
- @Test
- public void conflicting_ntoken_and_certificate_is_unauthorized() {
- DiscFilterRequest request = createRequestMock();
- AthenzUser conflictingIdentity = AthenzUser.fromUserId("mallory");
- when(request.getHeader(ATHENZ_PRINCIPAL_HEADER)).thenReturn(NTOKEN.getRawToken());
- when(request.getClientCertificateChain())
- .thenReturn(singletonList(createSelfSignedCertificate(conflictingIdentity)));
- when(validator.validate(NTOKEN)).thenReturn(new AthenzPrincipal(IDENTITY));
-
- ResponseHandlerMock responseHandler = new ResponseHandlerMock();
-
- AthenzPrincipalFilter filter = createFilter(false);
- filter.filter(request, responseHandler);
-
- assertUnauthorized(request, responseHandler, "Identity in principal token does not match x509 CN");
- }
@Test
public void no_response_produced_when_passthrough_mode_is_enabled() {
DiscFilterRequest request = createRequestMock();
- when(request.getHeader(ATHENZ_PRINCIPAL_HEADER)).thenReturn(null);
when(request.getClientCertificateChain()).thenReturn(emptyList());
ResponseHandlerMock responseHandler = new ResponseHandlerMock();
@@ -179,8 +94,12 @@ public class AthenzPrincipalFilterTest {
assertThat(responseHandler.response, nullValue());
}
+ private DiscFilterRequest createRequestMock() {
+ return mock(DiscFilterRequest.class);
+ }
+
private AthenzPrincipalFilter createFilter(boolean passthroughModeEnabled) {
- return new AthenzPrincipalFilter(validator, ATHENZ_PRINCIPAL_HEADER, passthroughModeEnabled);
+ return new AthenzPrincipalFilter(passthroughModeEnabled);
}
private static void assertUnauthorized(DiscFilterRequest request, ResponseHandlerMock responseHandler, String expectedMessageSubstring) {