diff options
Diffstat (limited to 'security-utils/src/test/java/com/yahoo/security/tls')
2 files changed, 37 insertions, 16 deletions
diff --git a/security-utils/src/test/java/com/yahoo/security/tls/authz/PeerAuthorizerTest.java b/security-utils/src/test/java/com/yahoo/security/tls/authz/PeerAuthorizerTest.java index 2530bfcfb45..4440b964096 100644 --- a/security-utils/src/test/java/com/yahoo/security/tls/authz/PeerAuthorizerTest.java +++ b/security-utils/src/test/java/com/yahoo/security/tls/authz/PeerAuthorizerTest.java @@ -3,6 +3,7 @@ package com.yahoo.security.tls.authz; import com.yahoo.security.KeyAlgorithm; import com.yahoo.security.KeyUtils; +import com.yahoo.security.SubjectAlternativeName.Type; import com.yahoo.security.X509CertificateBuilder; import com.yahoo.security.tls.policy.AuthorizedPeers; import com.yahoo.security.tls.policy.PeerPolicy; @@ -18,12 +19,17 @@ import java.security.cert.X509Certificate; import java.time.Instant; import java.time.temporal.ChronoUnit; import java.util.Arrays; +import java.util.List; import java.util.Set; import static com.yahoo.security.SignatureAlgorithm.SHA256_WITH_ECDSA; import static com.yahoo.security.tls.policy.RequiredPeerCredential.Field.CN; import static com.yahoo.security.tls.policy.RequiredPeerCredential.Field.SAN_DNS; +import static com.yahoo.security.tls.policy.RequiredPeerCredential.Field.SAN_URI; +import static java.util.Arrays.asList; +import static java.util.Collections.emptyList; import static java.util.Collections.emptySet; +import static java.util.Collections.singletonList; import static java.util.stream.Collectors.toSet; import static org.assertj.core.api.Assertions.assertThat; import static org.junit.Assert.assertFalse; @@ -43,14 +49,14 @@ public class PeerAuthorizerTest { RequiredPeerCredential sanRequirement = createRequiredCredential(SAN_DNS, "*.matching.san"); PeerAuthorizer authorizer = createPeerAuthorizer(createPolicy(POLICY_1, createRoles(ROLE_1), cnRequirement, sanRequirement)); - AuthorizationResult result = authorizer.authorizePeer(createCertificate("foo.matching.cn", "foo.matching.san", "foo.invalid.san")); + AuthorizationResult result = authorizer.authorizePeer(createCertificate("foo.matching.cn", asList("foo.matching.san", "foo.invalid.san"), emptyList())); assertAuthorized(result); assertThat(result.assumedRoles()).extracting(Role::name).containsOnly(ROLE_1); assertThat(result.matchedPolicies()).containsOnly(POLICY_1); - assertUnauthorized(authorizer.authorizePeer(createCertificate("foo.invalid.cn", "foo.matching.san"))); - assertUnauthorized(authorizer.authorizePeer(createCertificate("foo.invalid.cn", "foo.matching.san", "foo.invalid.san"))); - assertUnauthorized(authorizer.authorizePeer(createCertificate("foo.matching.cn", "foo.invalid.san"))); + assertUnauthorized(authorizer.authorizePeer(createCertificate("foo.invalid.cn", singletonList("foo.matching.san"), emptyList()))); + assertUnauthorized(authorizer.authorizePeer(createCertificate("foo.invalid.cn", asList("foo.matching.san", "foo.invalid.san"),emptyList()))); + assertUnauthorized(authorizer.authorizePeer(createCertificate("foo.matching.cn", singletonList("foo.invalid.san"), emptyList()))); } @Test @@ -63,7 +69,7 @@ public class PeerAuthorizerTest { createPolicy(POLICY_2, createRoles(ROLE_2, ROLE_3), cnRequirement, sanRequirement)); AuthorizationResult result = peerAuthorizer - .authorizePeer(createCertificate("foo.matching.cn", "foo.matching.san")); + .authorizePeer(createCertificate("foo.matching.cn", singletonList("foo.matching.san"), emptyList())); assertAuthorized(result); assertThat(result.assumedRoles()).extracting(Role::name).containsOnly(ROLE_1, ROLE_2, ROLE_3); assertThat(result.matchedPolicies()).containsOnly(POLICY_1, POLICY_2); @@ -75,7 +81,7 @@ public class PeerAuthorizerTest { createPolicy(POLICY_1, createRoles(ROLE_1), createRequiredCredential(CN, "*.matching.cn")), createPolicy(POLICY_2, createRoles(ROLE_1, ROLE_2), createRequiredCredential(SAN_DNS, "*.matching.san"))); - AuthorizationResult result = peerAuthorizer.authorizePeer(createCertificate("foo.invalid.cn", "foo.matching.san")); + AuthorizationResult result = peerAuthorizer.authorizePeer(createCertificate("foo.invalid.cn", singletonList("foo.matching.san"), emptyList())); assertAuthorized(result); assertThat(result.assumedRoles()).extracting(Role::name).containsOnly(ROLE_1, ROLE_2); assertThat(result.matchedPolicies()).containsOnly(POLICY_2); @@ -90,12 +96,24 @@ public class PeerAuthorizerTest { PeerAuthorizer peerAuthorizer = createPeerAuthorizer( createPolicy(POLICY_1, emptySet(), cnSuffixRequirement, cnPrefixRequirement, sanPrefixRequirement, sanSuffixRequirement)); - assertAuthorized(peerAuthorizer.authorizePeer(createCertificate("matching.prefix.matching.suffix.cn", "matching.prefix.matching.suffix.san"))); - assertUnauthorized(peerAuthorizer.authorizePeer(createCertificate("matching.prefix.matching.suffix.cn", "matching.prefix.invalid.suffix.san"))); - assertUnauthorized(peerAuthorizer.authorizePeer(createCertificate("invalid.prefix.matching.suffix.cn", "matching.prefix.matching.suffix.san"))); + assertAuthorized(peerAuthorizer.authorizePeer(createCertificate("matching.prefix.matching.suffix.cn", singletonList("matching.prefix.matching.suffix.san"), emptyList()))); + assertUnauthorized(peerAuthorizer.authorizePeer(createCertificate("matching.prefix.matching.suffix.cn", singletonList("matching.prefix.invalid.suffix.san"), emptyList()))); + assertUnauthorized(peerAuthorizer.authorizePeer(createCertificate("invalid.prefix.matching.suffix.cn", singletonList("matching.prefix.matching.suffix.san"), emptyList()))); } - private static X509Certificate createCertificate(String subjectCn, String... sanCns) { + @Test + public void can_exact_match_policy_with_san_uri_pattern() { + RequiredPeerCredential cnRequirement = createRequiredCredential(CN, "*.matching.cn"); + RequiredPeerCredential sanUriRequirement = createRequiredCredential(SAN_URI, "myscheme://my/exact/uri"); + PeerAuthorizer authorizer = createPeerAuthorizer(createPolicy(POLICY_1, createRoles(ROLE_1), cnRequirement, sanUriRequirement)); + + AuthorizationResult result = authorizer.authorizePeer(createCertificate("foo.matching.cn", singletonList("foo.irrelevant.san"), singletonList("myscheme://my/exact/uri"))); + assertAuthorized(result); + assertThat(result.assumedRoles()).extracting(Role::name).containsOnly(ROLE_1); + assertThat(result.matchedPolicies()).containsOnly(POLICY_1); + } + + private static X509Certificate createCertificate(String subjectCn, List<String> sanDns, List<String> sanUri) { X509CertificateBuilder builder = X509CertificateBuilder.fromKeypair( KEY_PAIR, @@ -104,9 +122,8 @@ public class PeerAuthorizerTest { Instant.EPOCH.plus(100000, ChronoUnit.DAYS), SHA256_WITH_ECDSA, BigInteger.ONE); - for (String sanCn : sanCns) { - builder.addSubjectAlternativeName(sanCn); - } + sanDns.forEach(san -> builder.addSubjectAlternativeName(Type.DNS_NAME, san)); + sanUri.forEach(san -> builder.addSubjectAlternativeName(Type.UNIFORM_RESOURCE_IDENTIFIER, san)); return builder.build(); } @@ -123,7 +140,7 @@ public class PeerAuthorizerTest { } private static PeerPolicy createPolicy(String name, Set<Role> roles, RequiredPeerCredential... requiredCredentials) { - return new PeerPolicy(name, roles, Arrays.asList(requiredCredentials)); + return new PeerPolicy(name, roles, asList(requiredCredentials)); } private static void assertAuthorized(AuthorizationResult result) { diff --git a/security-utils/src/test/java/com/yahoo/security/tls/json/TransportSecurityOptionsJsonSerializerTest.java b/security-utils/src/test/java/com/yahoo/security/tls/json/TransportSecurityOptionsJsonSerializerTest.java index 22df35cedfb..ee1fa12b15f 100644 --- a/security-utils/src/test/java/com/yahoo/security/tls/json/TransportSecurityOptionsJsonSerializerTest.java +++ b/security-utils/src/test/java/com/yahoo/security/tls/json/TransportSecurityOptionsJsonSerializerTest.java @@ -24,6 +24,7 @@ import java.util.HashSet; import static com.yahoo.security.tls.policy.RequiredPeerCredential.Field.CN; import static com.yahoo.security.tls.policy.RequiredPeerCredential.Field.SAN_DNS; +import static com.yahoo.security.tls.policy.RequiredPeerCredential.Field.SAN_URI; import static com.yahoo.test.json.JsonTestHelper.assertJsonEquals; import static java.util.Collections.singleton; import static org.junit.Assert.assertEquals; @@ -38,7 +39,7 @@ public class TransportSecurityOptionsJsonSerializerTest { private static final Path TEST_CONFIG_FILE = Paths.get("src/test/resources/transport-security-options.json"); @Test - public void can_serialize_and_deserialize_transport_security_options() { + public void can_serialize_and_deserialize_transport_security_options() throws IOException { TransportSecurityOptions options = new TransportSecurityOptions.Builder() .withCaCertificates(Paths.get("/path/to/ca-certs.pem")) .withCertificates(Paths.get("/path/to/cert.pem"), Paths.get("/path/to/key.pem")) @@ -48,7 +49,8 @@ public class TransportSecurityOptionsJsonSerializerTest { new HashSet<>(Arrays.asList( new PeerPolicy("cfgserver", "cfgserver policy description", singleton(new Role("myrole")), Arrays.asList( RequiredPeerCredential.of(CN, "mycfgserver"), - RequiredPeerCredential.of(SAN_DNS, "*.suffix.com"))), + RequiredPeerCredential.of(SAN_DNS, "*.suffix.com"), + RequiredPeerCredential.of(SAN_URI, "myscheme://resource/path/"))), new PeerPolicy("node", singleton(new Role("anotherrole")), Collections.singletonList(RequiredPeerCredential.of(CN, "hostname"))))))) .build(); @@ -57,6 +59,8 @@ public class TransportSecurityOptionsJsonSerializerTest { serializer.serialize(out, options); TransportSecurityOptions deserializedOptions = serializer.deserialize(new ByteArrayInputStream(out.toByteArray())); assertEquals(options, deserializedOptions); + Path expectedJsonFile = Paths.get("src/test/resources/transport-security-options-with-authz-rules.json"); + assertJsonEquals(new String(Files.readAllBytes(expectedJsonFile)), out.toString()); } @Test |