diff options
Diffstat (limited to 'vespalib/src/tests/net/tls/policy_checking_certificate_verifier/policy_checking_certificate_verifier_test.cpp')
-rw-r--r-- | vespalib/src/tests/net/tls/policy_checking_certificate_verifier/policy_checking_certificate_verifier_test.cpp | 104 |
1 files changed, 99 insertions, 5 deletions
diff --git a/vespalib/src/tests/net/tls/policy_checking_certificate_verifier/policy_checking_certificate_verifier_test.cpp b/vespalib/src/tests/net/tls/policy_checking_certificate_verifier/policy_checking_certificate_verifier_test.cpp index 812d06868fd..8c9e50f17b4 100644 --- a/vespalib/src/tests/net/tls/policy_checking_certificate_verifier/policy_checking_certificate_verifier_test.cpp +++ b/vespalib/src/tests/net/tls/policy_checking_certificate_verifier/policy_checking_certificate_verifier_test.cpp @@ -124,7 +124,12 @@ PeerCredentials creds_with_cn(vespalib::stringref cn) { bool verify(AuthorizedPeers authorized_peers, const PeerCredentials& peer_creds) { auto verifier = create_verify_callback_from(std::move(authorized_peers)); - return verifier->verify(peer_creds); + return verifier->verify(peer_creds).success(); +} + +AssumedRoles verify_roles(AuthorizedPeers authorized_peers, const PeerCredentials& peer_creds) { + auto verifier = create_verify_callback_from(std::move(authorized_peers)); + return verifier->verify(peer_creds).steal_assumed_roles(); } TEST("Default-constructed AuthorizedPeers does not allow all authenticated peers") { @@ -137,6 +142,16 @@ TEST("Specially constructed set of policies allows all authenticated peers") { EXPECT_TRUE(verify(allow_all, creds_with_dns_sans({{"anything.goes"}}))); } +TEST("specially constructed set of policies returns wildcard role set") { + auto allow_all = AuthorizedPeers::allow_all_authenticated(); + EXPECT_EQUAL(verify_roles(allow_all, creds_with_dns_sans({{"anything.goes"}})), AssumedRoles::make_wildcard_role()); +} + +TEST("policy without explicit role set implicitly returns wildcard role set") { + auto authorized = authorized_peers({policy_with({required_san_dns("yolo.swag")})}); + EXPECT_EQUAL(verify_roles(authorized, creds_with_dns_sans({{"yolo.swag"}})), AssumedRoles::make_wildcard_role()); +} + TEST("Non-empty policies do not allow all authenticated peers") { auto allow_not_all = authorized_peers({policy_with({required_san_dns("hello.world")})}); EXPECT_FALSE(allow_not_all.allows_all_authenticated()); @@ -231,10 +246,11 @@ struct MultiPolicyMatchFixture { }; MultiPolicyMatchFixture::MultiPolicyMatchFixture() - : authorized(authorized_peers({policy_with({required_san_dns("hello.world")}), - policy_with({required_san_dns("foo.bar")}), - policy_with({required_san_dns("zoid.berg")}), - policy_with({required_san_uri("zoid://be.rg/")})})) + : authorized(authorized_peers({policy_with({required_san_dns("hello.world")}, assumed_roles({"r1"})), + policy_with({required_san_dns("foo.bar")}, assumed_roles({"r2"})), + policy_with({required_san_dns("zoid.berg")}, assumed_roles({"r2", "r3"})), + policy_with({required_san_dns("secret.sauce")}, AssumedRoles::make_wildcard_role()), + policy_with({required_san_uri("zoid://be.rg/")}, assumed_roles({"r4"}))})) {} MultiPolicyMatchFixture::~MultiPolicyMatchFixture() = default; @@ -246,14 +262,34 @@ TEST_F("peer verifies if it matches at least 1 policy of multiple", MultiPolicyM EXPECT_TRUE(verify(f.authorized, creds_with_uri_sans({{"zoid://be.rg/"}}))); } +TEST_F("role set is returned for single matched policy", MultiPolicyMatchFixture) { + EXPECT_EQUAL(verify_roles(f.authorized, creds_with_dns_sans({{"hello.world"}})), assumed_roles({"r1"})); + EXPECT_EQUAL(verify_roles(f.authorized, creds_with_dns_sans({{"foo.bar"}})), assumed_roles({"r2"})); + EXPECT_EQUAL(verify_roles(f.authorized, creds_with_dns_sans({{"zoid.berg"}})), assumed_roles({"r2", "r3"})); + EXPECT_EQUAL(verify_roles(f.authorized, creds_with_dns_sans({{"secret.sauce"}})), AssumedRoles::make_wildcard_role()); + EXPECT_EQUAL(verify_roles(f.authorized, creds_with_uri_sans({{"zoid://be.rg/"}})), assumed_roles({"r4"})); +} + TEST_F("peer verifies if it matches multiple policies", MultiPolicyMatchFixture) { EXPECT_TRUE(verify(f.authorized, creds_with_dns_sans({{"hello.world"}, {"zoid.berg"}}))); } +TEST_F("union role set is returned if multiple policies match", MultiPolicyMatchFixture) { + EXPECT_EQUAL(verify_roles(f.authorized, creds_with_dns_sans({{"hello.world"}, {"foo.bar"}, {"zoid.berg"}})), + assumed_roles({"r1", "r2", "r3"})); + // Wildcard role is tracked as a distinct role string + EXPECT_EQUAL(verify_roles(f.authorized, creds_with_dns_sans({{"hello.world"}, {"foo.bar"}, {"secret.sauce"}})), + assumed_roles({"r1", "r2", "*"})); +} + TEST_F("peer must match at least 1 of multiple policies", MultiPolicyMatchFixture) { EXPECT_FALSE(verify(f.authorized, creds_with_dns_sans({{"does.not.exist"}}))); } +TEST_F("empty role set is returned if no policies match", MultiPolicyMatchFixture) { + EXPECT_EQUAL(verify_roles(f.authorized, creds_with_dns_sans({{"does.not.exist"}})), AssumedRoles::make_empty()); +} + TEST("CN requirement without glob pattern is matched as exact string") { auto authorized = authorized_peers({policy_with({required_cn("hello.world")})}); EXPECT_TRUE(verify(authorized, creds_with_cn("hello.world"))); @@ -272,6 +308,64 @@ TEST("CN requirement can include glob wildcards") { EXPECT_FALSE(verify(authorized, creds_with_cn("world"))); } +TEST("AssumedRoles by default contains no roles") { + AssumedRoles roles; + EXPECT_TRUE(roles.empty()); + EXPECT_FALSE(roles.can_assume_role("foo")); + auto empty = AssumedRoles::make_empty(); + EXPECT_EQUAL(roles, empty); +} + +TEST("AssumedRoles can be constructed with an explicit set of roles") { + auto roles = AssumedRoles::make_for_roles({"foo", "bar"}); + EXPECT_TRUE(roles.can_assume_role("foo")); + EXPECT_TRUE(roles.can_assume_role("bar")); + EXPECT_FALSE(roles.can_assume_role("baz")); +} + +TEST("AssumedRoles wildcard role can assume any role") { + auto roles = AssumedRoles::make_wildcard_role(); + EXPECT_TRUE(roles.can_assume_role("foo")); + EXPECT_TRUE(roles.can_assume_role("bar")); +} + +TEST("AssumedRolesBuilder builds union set of added roles") { + AssumedRolesBuilder builder; + builder.add_union(AssumedRoles::make_for_roles({"hello", "world"})); + builder.add_union(AssumedRoles::make_for_roles({"hello", "moon"})); + builder.add_union(AssumedRoles::make_for_roles({"goodbye", "moon"})); + auto roles = builder.build_with_move(); + EXPECT_EQUAL(roles, AssumedRoles::make_for_roles({"hello", "goodbye", "moon", "world"})); +} + +TEST("AuthorizationResult is not authorized by default") { + AuthorizationResult result; + EXPECT_FALSE(result.success()); + EXPECT_TRUE(result.assumed_roles().empty()); +} + +TEST("AuthorizationResult can be explicitly created as not authorzed") { + auto result = AuthorizationResult::make_not_authorized(); + EXPECT_FALSE(result.success()); + EXPECT_TRUE(result.assumed_roles().empty()); +} + +TEST("AuthorizationResult can be pre-authorized for all roles") { + auto result = AuthorizationResult::make_authorized_for_all_roles(); + EXPECT_TRUE(result.success()); + EXPECT_FALSE(result.assumed_roles().empty()); + EXPECT_TRUE(result.assumed_roles().can_assume_role("foo")); +} + +TEST("AuthorizationResult can be pre-authorized for an explicit set of roles") { + auto result = AuthorizationResult::make_authorized_for_roles(AssumedRoles::make_for_roles({"elden", "ring"})); + EXPECT_TRUE(result.success()); + EXPECT_FALSE(result.assumed_roles().empty()); + EXPECT_TRUE(result.assumed_roles().can_assume_role("elden")); + EXPECT_TRUE(result.assumed_roles().can_assume_role("ring")); + EXPECT_FALSE(result.assumed_roles().can_assume_role("O you don't have the right")); +} + // TODO test CN _and_ SAN TEST_MAIN() { TEST_RUN_ALL(); } |