summaryrefslogtreecommitdiffstats
path: root/security-utils/src/test/java/com/yahoo/security/tls/authz/PeerAuthorizerTest.java
diff options
context:
space:
mode:
Diffstat (limited to 'security-utils/src/test/java/com/yahoo/security/tls/authz/PeerAuthorizerTest.java')
-rw-r--r--security-utils/src/test/java/com/yahoo/security/tls/authz/PeerAuthorizerTest.java31
1 files changed, 10 insertions, 21 deletions
diff --git a/security-utils/src/test/java/com/yahoo/security/tls/authz/PeerAuthorizerTest.java b/security-utils/src/test/java/com/yahoo/security/tls/authz/PeerAuthorizerTest.java
index fdfed781286..5a4ae1f4ff6 100644
--- a/security-utils/src/test/java/com/yahoo/security/tls/authz/PeerAuthorizerTest.java
+++ b/security-utils/src/test/java/com/yahoo/security/tls/authz/PeerAuthorizerTest.java
@@ -9,7 +9,6 @@ import com.yahoo.security.tls.policy.AuthorizedPeers;
import com.yahoo.security.tls.policy.PeerPolicy;
import com.yahoo.security.tls.policy.RequiredPeerCredential;
import com.yahoo.security.tls.policy.RequiredPeerCredential.Field;
-import com.yahoo.security.tls.policy.Role;
import org.junit.Test;
import javax.security.auth.x500.X500Principal;
@@ -20,7 +19,6 @@ import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.util.Arrays;
import java.util.List;
-import java.util.Set;
import static com.yahoo.security.SignatureAlgorithm.SHA256_WITH_ECDSA;
import static com.yahoo.security.tls.policy.RequiredPeerCredential.Field.CN;
@@ -28,7 +26,6 @@ import static com.yahoo.security.tls.policy.RequiredPeerCredential.Field.SAN_DNS
import static com.yahoo.security.tls.policy.RequiredPeerCredential.Field.SAN_URI;
import static java.util.Arrays.asList;
import static java.util.Collections.emptyList;
-import static java.util.Collections.emptySet;
import static java.util.Collections.singletonList;
import static java.util.stream.Collectors.toSet;
import static org.assertj.core.api.Assertions.assertThat;
@@ -41,17 +38,16 @@ import static org.junit.Assert.assertTrue;
public class PeerAuthorizerTest {
private static final KeyPair KEY_PAIR = KeyUtils.generateKeypair(KeyAlgorithm.EC);
- private static final String ROLE_1 = "role-1", ROLE_2 = "role-2", ROLE_3 = "role-3", POLICY_1 = "policy-1", POLICY_2 = "policy-2";
+ private static final String POLICY_1 = "policy-1", POLICY_2 = "policy-2";
@Test
public void certificate_must_match_both_san_and_cn_pattern() {
RequiredPeerCredential cnRequirement = createRequiredCredential(CN, "*.matching.cn");
RequiredPeerCredential sanRequirement = createRequiredCredential(SAN_DNS, "*.matching.san");
- PeerAuthorizer authorizer = createPeerAuthorizer(createPolicy(POLICY_1, createRoles(ROLE_1), cnRequirement, sanRequirement));
+ PeerAuthorizer authorizer = createPeerAuthorizer(createPolicy(POLICY_1, cnRequirement, sanRequirement));
AuthorizationResult result = authorizer.authorizePeer(createCertificate("foo.matching.cn", asList("foo.matching.san", "foo.invalid.san"), emptyList()));
assertAuthorized(result);
- assertThat(result.assumedRoles()).extracting(Role::name).containsOnly(ROLE_1);
assertThat(result.matchedPolicies()).containsOnly(POLICY_1);
assertUnauthorized(authorizer.authorizePeer(createCertificate("foo.invalid.cn", singletonList("foo.matching.san"), emptyList())));
@@ -65,25 +61,23 @@ public class PeerAuthorizerTest {
RequiredPeerCredential sanRequirement = createRequiredCredential(SAN_DNS, "*.matching.san");
PeerAuthorizer peerAuthorizer = createPeerAuthorizer(
- createPolicy(POLICY_1, createRoles(ROLE_1, ROLE_2), cnRequirement, sanRequirement),
- createPolicy(POLICY_2, createRoles(ROLE_2, ROLE_3), cnRequirement, sanRequirement));
+ createPolicy(POLICY_1, cnRequirement, sanRequirement),
+ createPolicy(POLICY_2, cnRequirement, sanRequirement));
AuthorizationResult result = peerAuthorizer
.authorizePeer(createCertificate("foo.matching.cn", singletonList("foo.matching.san"), emptyList()));
assertAuthorized(result);
- assertThat(result.assumedRoles()).extracting(Role::name).containsOnly(ROLE_1, ROLE_2, ROLE_3);
assertThat(result.matchedPolicies()).containsOnly(POLICY_1, POLICY_2);
}
@Test
public void can_match_subset_of_policies() {
PeerAuthorizer peerAuthorizer = createPeerAuthorizer(
- createPolicy(POLICY_1, createRoles(ROLE_1), createRequiredCredential(CN, "*.matching.cn")),
- createPolicy(POLICY_2, createRoles(ROLE_1, ROLE_2), createRequiredCredential(SAN_DNS, "*.matching.san")));
+ createPolicy(POLICY_1, createRequiredCredential(CN, "*.matching.cn")),
+ createPolicy(POLICY_2, createRequiredCredential(SAN_DNS, "*.matching.san")));
AuthorizationResult result = peerAuthorizer.authorizePeer(createCertificate("foo.invalid.cn", singletonList("foo.matching.san"), emptyList()));
assertAuthorized(result);
- assertThat(result.assumedRoles()).extracting(Role::name).containsOnly(ROLE_1, ROLE_2);
assertThat(result.matchedPolicies()).containsOnly(POLICY_2);
}
@@ -94,7 +88,7 @@ public class PeerAuthorizerTest {
RequiredPeerCredential sanPrefixRequirement = createRequiredCredential(SAN_DNS, "*.*.matching.suffix.san");
RequiredPeerCredential sanSuffixRequirement = createRequiredCredential(SAN_DNS, "matching.prefix.*.*.*");
PeerAuthorizer peerAuthorizer = createPeerAuthorizer(
- createPolicy(POLICY_1, emptySet(), cnSuffixRequirement, cnPrefixRequirement, sanPrefixRequirement, sanSuffixRequirement));
+ createPolicy(POLICY_1, cnSuffixRequirement, cnPrefixRequirement, sanPrefixRequirement, sanSuffixRequirement));
assertAuthorized(peerAuthorizer.authorizePeer(createCertificate("matching.prefix.matching.suffix.cn", singletonList("matching.prefix.matching.suffix.san"), emptyList())));
assertUnauthorized(peerAuthorizer.authorizePeer(createCertificate("matching.prefix.matching.suffix.cn", singletonList("matching.prefix.invalid.suffix.san"), emptyList())));
@@ -105,11 +99,10 @@ public class PeerAuthorizerTest {
public void can_match_policy_with_san_uri_pattern() {
RequiredPeerCredential cnRequirement = createRequiredCredential(CN, "*.matching.cn");
RequiredPeerCredential sanUriRequirement = createRequiredCredential(SAN_URI, "myscheme://my/*/uri");
- PeerAuthorizer authorizer = createPeerAuthorizer(createPolicy(POLICY_1, createRoles(ROLE_1), cnRequirement, sanUriRequirement));
+ PeerAuthorizer authorizer = createPeerAuthorizer(createPolicy(POLICY_1, cnRequirement, sanUriRequirement));
AuthorizationResult result = authorizer.authorizePeer(createCertificate("foo.matching.cn", singletonList("foo.irrelevant.san"), singletonList("myscheme://my/matching/uri")));
assertAuthorized(result);
- assertThat(result.assumedRoles()).extracting(Role::name).containsOnly(ROLE_1);
assertThat(result.matchedPolicies()).containsOnly(POLICY_1);
assertUnauthorized(authorizer.authorizePeer(createCertificate("foo.matching.cn", emptyList(), singletonList("myscheme://my/nonmatching/url"))));
@@ -133,16 +126,12 @@ public class PeerAuthorizerTest {
return RequiredPeerCredential.of(field, pattern);
}
- private static Set<Role> createRoles(String... roleNames) {
- return Arrays.stream(roleNames).map(Role::new).collect(toSet());
- }
-
private static PeerAuthorizer createPeerAuthorizer(PeerPolicy... policies) {
return new PeerAuthorizer(new AuthorizedPeers(Arrays.stream(policies).collect(toSet())));
}
- private static PeerPolicy createPolicy(String name, Set<Role> roles, RequiredPeerCredential... requiredCredentials) {
- return new PeerPolicy(name, roles, asList(requiredCredentials));
+ private static PeerPolicy createPolicy(String name, RequiredPeerCredential... requiredCredentials) {
+ return new PeerPolicy(name, asList(requiredCredentials));
}
private static void assertAuthorized(AuthorizationResult result) {