From 2a056e05db247b39ec395631364b8c0d286d6085 Mon Sep 17 00:00:00 2001
From: Bjørn Christian Seime
Date: Wed, 29 Jan 2020 17:10:45 +0100
Subject: Access tokens should not be an empty string
---
 .../main/java/com/yahoo/vespa/athenz/api/AthenzAccessToken.java | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
(limited to 'vespa-athenz')
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/AthenzAccessToken.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/AthenzAccessToken.java
index 86deb0b59b3..ec8c1f3f9f3 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/AthenzAccessToken.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/AthenzAccessToken.java
@@ -22,9 +22,13 @@ public class AthenzAccessToken {
 private static String stripBearerTokenPrefix(String rawValue) {
 String stripped = rawValue.strip();
- return stripped.startsWith(BEARER_TOKEN_PREFIX)
- ? stripped.substring(BEARER_TOKEN_PREFIX.length())
+ String prefixRemoved = stripped.startsWith(BEARER_TOKEN_PREFIX)
+ ? stripped.substring(BEARER_TOKEN_PREFIX.length()).strip()
 : stripped;
+ if (prefixRemoved.isBlank()) {
+ throw new IllegalArgumentException(String.format("Access token is blank: '%s'", prefixRemoved));
+ }
+ return prefixRemoved;
 }
 public String value() { return value; }
-- cgit v1.2.3
From eb4b7b8fcdc7aa5de13c05872a1fdca4076179b9 Mon Sep 17 00:00:00 2001
From: Bjørn Christian Seime
Date: Thu, 30 Jan 2020 12:43:28 +0100
Subject: Add methods to convert AthenzRole to and from single string
---
 .../main/java/com/yahoo/vespa/athenz/api/AthenzRole.java | 14 ++++++++++++++
 .../yahoo/vespa/athenz/tls/AthenzX509CertificateUtils.java | 5 +----
 2 files changed, 15 insertions(+), 4 deletions(-)
(limited to 'vespa-athenz')
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/AthenzRole.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/AthenzRole.java
index 3a81e4a5e17..a7c9dbff3f8 100644
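Review bot: The `String.format("Access token is blank: '%s'", prefixRemoved)` in the added throw can only ever render `''`: both branches of the ternary yield an already-stripped string, so `isBlank()` at that point is equivalent to `isEmpty()` and there is nothing to interpolate. A constant message is simpler and also keeps token material out of exception text as a matter of habit: `throw new IllegalArgumentException("Access token is blank");`. `BEARER_TOKEN_PREFIX` is defined outside the hunk; if it is the literal `Bearer `, the `startsWith` match is case-sensitive whereas RFC 6750 treats the scheme name as case-insensitive, so a `bearer ...` header would be kept whole as the token rather than stripped — worth confirming that is intended. `rawValue.strip()` on the context line still throws NullPointerException for a null argument; if the constructor does not already null-check, `Objects.requireNonNull(rawValue, "rawValue")` at the top of the method would give a clearer failure.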
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/AthenzRole.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/AthenzRole.java
@@ -7,6 +7,8 @@ import java.util.Objects;
 * @author tokle
 */
 public class AthenzRole {
+ private static final String DOMAIN_ROLE_NAME_DELIMITER = ":role.";
+
 private final AthenzDomain domain;
 private final String roleName;
@@ -20,6 +22,16 @@ public class AthenzRole {
 this.roleName = roleName;
 }
+ public static AthenzRole fromString(String string) {
+ if (!string.contains(DOMAIN_ROLE_NAME_DELIMITER)) {
+ throw new IllegalArgumentException("Not a valid role: " + string);
+ }
+ int delimiterIndex = string.indexOf(DOMAIN_ROLE_NAME_DELIMITER);
+ String domain = string.substring(0, delimiterIndex);
+ String roleName = string.substring(delimiterIndex + DOMAIN_ROLE_NAME_DELIMITER.length());
+ return new AthenzRole(domain, roleName);
+ }
+
 public AthenzDomain domain() {
 return domain;
 }
@@ -28,6 +40,8 @@ public class AthenzRole {
 return roleName;
 }
+ public String asString() { return domain.getName() + DOMAIN_ROLE_NAME_DELIMITER + roleName; }
+
 @Override
 public boolean equals(Object o) {
 if (this == o) return true;
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzX509CertificateUtils.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzX509CertificateUtils.java
index 33e5552eaf6..6793d5804c7 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzX509CertificateUtils.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzX509CertificateUtils.java
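Review bot: `fromString` only checks that the delimiter occurs somewhere in the input, so `":role.reader"` and `"my.domain:role."` both pass the guard and produce a role with an empty domain or an empty role name, and the error then surfaces later (or not at all) instead of at the parse site. Rejecting those shapes is a one-line addition after the two `substring` calls: `if (delimiterIndex == 0 || roleName.isEmpty()) throw new IllegalArgumentException("Not a valid role: " + string);` (the `contains` pre-check can then be folded into `delimiterIndex < 0`). Whether the `AthenzRole(String, String)` constructor or `AthenzDomain` validates domain syntax is not visible in this hunk, so the domain half may already be covered. `asString` and `fromString` only round-trip if the domain itself never contains `:role.`; a one-line Javadoc on `fromString` stating the expected `<domain>:role.<name>` form would make that contract explicit for callers.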
@@ -43,10 +43,7 @@ public class AthenzX509CertificateUtils {
 public static AthenzRole getRolesFromRoleCertificate(X509Certificate certificate) {
 String commonName = com.yahoo.security.X509CertificateUtils.getSubjectCommonNames(certificate).get(0);
- int delimiterIndex = commonName.indexOf(COMMON_NAME_ROLE_DELIMITER);
- String domain = commonName.substring(0, delimiterIndex);
- String roleName = commonName.substring(delimiterIndex + COMMON_NAME_ROLE_DELIMITER.length());
- return new AthenzRole(domain, roleName);
+ return AthenzRole.fromString(commonName);
 }
 private static AthenzIdentity getIdentityFromSanEmail(String email) {
-- cgit v1.2.3
From 959960a0e24d33a22d360468834cb4e41fa145c5 Mon Sep 17 00:00:00 2001
From: Bjørn Christian Seime
Date: Thu, 30 Jan 2020 12:54:05 +0100
Subject: Remove unused methods
Methods were unused and relied on hardcoded issuer names (ouch!).
---
 .../yahoo/vespa/athenz/tls/AthenzX509CertificateUtils.java | 12 ------------
 1 file changed, 12 deletions(-)
(limited to 'vespa-athenz')
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzX509CertificateUtils.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzX509CertificateUtils.java
index 6793d5804c7..a555f955962 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzX509CertificateUtils.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzX509CertificateUtils.java
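Review bot: The new `return AthenzRole.fromString(commonName)` consumes a CN obtained on the preceding context line via `getSubjectCommonNames(certificate).get(0)` with no emptiness check, so a certificate without a subject CN fails with IndexOutOfBoundsException rather than the IllegalArgumentException that `fromString` raises for a malformed CN. Guarding the lookup keeps the failure mode consistent: `List<String> commonNames = com.yahoo.security.X509CertificateUtils.getSubjectCommonNames(certificate); if (commonNames.isEmpty()) throw new IllegalArgumentException("Certificate has no subject common name"); return AthenzRole.fromString(commonNames.get(0));` (the `.get(0)` line is context here, not part of this change). A certificate carrying several CNs silently uses only the first; whether that is acceptable depends on the issuing CA's profile, which is not visible here.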
@@ -17,20 +17,8 @@ import static com.yahoo.security.SubjectAlternativeName.Type.RFC822_NAME;
 */
 public class AthenzX509CertificateUtils {
- private static final String COMMON_NAME_ROLE_DELIMITER = ":role.";
-
 private AthenzX509CertificateUtils() {}
- public static boolean isAthenzRoleCertificate(X509Certificate certificate) {
- return isAthenzIssuedCertificate(certificate) &&
- com.yahoo.security.X509CertificateUtils.getSubjectCommonNames(certificate).get(0).contains(COMMON_NAME_ROLE_DELIMITER);
- }
-
- public static boolean isAthenzIssuedCertificate(X509Certificate certificate) {
- return com.yahoo.security.X509CertificateUtils.getIssuerCommonNames(certificate).stream()
- .anyMatch(cn -> cn.equalsIgnoreCase("Yahoo Athenz CA") || cn.equalsIgnoreCase("Athenz AWS CA"));
- }
-
 public static AthenzIdentity getIdentityFromRoleCertificate(X509Certificate certificate) {
 List sans = com.yahoo.security.X509CertificateUtils.getSubjectAlternativeNames(certificate);
 return sans.stream()
-- cgit v1.2.3
From 045cb0fa8fb519f7470f2f63c5c0e6884d63b3b0 Mon Sep 17 00:00:00 2001
From: Bjørn Christian Seime
Date: Fri, 31 Jan 2020 11:18:04 +0100
Subject: Improve naming of string conversion methods for AthenzRole
---
 .../com/yahoo/vespa/athenz/api/AthenzRole.java | 23 +++++++++++++---------
 .../athenz/tls/AthenzX509CertificateUtils.java | 2 +-
 2 files changed, 15 insertions(+), 10 deletions(-)
(limited to 'vespa-athenz')
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/AthenzRole.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/AthenzRole.java
index a7c9dbff3f8..4e432768298 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/AthenzRole.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/AthenzRole.java
@@ -7,7 +7,7 @@ import java.util.Objects;
 * @author tokle
 */
 public class AthenzRole {
- private static final String DOMAIN_ROLE_NAME_DELIMITER = ":role.";
+ private static final String ROLE_RESOURCE_PREFIX = "role.";
 private final AthenzDomain domain;
 private final String roleName;
@@ -22,14 +22,17 @@ public class AthenzRole {
 this.roleName = roleName;
 }
- public static AthenzRole fromString(String string) {
- if (!string.contains(DOMAIN_ROLE_NAME_DELIMITER)) {
- throw new IllegalArgumentException("Not a valid role: " + string);
+ public static AthenzRole fromResourceNameString(String string) {
+ return fromResourceName(AthenzResourceName.fromString(string));
+ }
+
+ public static AthenzRole fromResourceName(AthenzResourceName resourceName) {
+ String entityName = resourceName.getEntityName();
+ if (!entityName.startsWith(ROLE_RESOURCE_PREFIX)) {
+ throw new IllegalArgumentException("Not a valid role: " + resourceName.toResourceNameString());
 }
- int delimiterIndex = string.indexOf(DOMAIN_ROLE_NAME_DELIMITER);
- String domain = string.substring(0, delimiterIndex);
- String roleName = string.substring(delimiterIndex + DOMAIN_ROLE_NAME_DELIMITER.length());
- return new AthenzRole(domain, roleName);
+ String roleName = entityName.substring(ROLE_RESOURCE_PREFIX.length());
+ return new AthenzRole(resourceName.getDomain(), roleName);
 }
 public AthenzDomain domain() {
@@ -40,7 +43,9 @@ public class AthenzRole {
 return roleName;
 }
- public String asString() { return domain.getName() + DOMAIN_ROLE_NAME_DELIMITER + roleName; }
+ public String toResourceNameString() { return toResourceName().toResourceNameString(); }
+
+ public AthenzResourceName toResourceName() { return new AthenzResourceName(domain, ROLE_RESOURCE_PREFIX + roleName); }
 @Override
 public boolean equals(Object o) {
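Review bot: `fromResourceName` verifies only that the entity name starts with `role.`, so an entity name of exactly `role.` passes the guard and yields an `AthenzRole` with an empty role name; widening the guard closes that gap: `if (!entityName.startsWith(ROLE_RESOURCE_PREFIX) || entityName.length() == ROLE_RESOURCE_PREFIX.length())`. Whether `AthenzResourceName.fromString` rejects an empty domain or a missing `:` separator is not visible in this hunk, so the domain-side validation that the replaced `fromString` implicitly relied on may or may not be preserved — a test for both malformed shapes would settle it. A one-line Javadoc on `fromResourceName` naming the expected `<domain>:role.<name>` form and the IllegalArgumentException it throws would document the contract for callers.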
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzX509CertificateUtils.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzX509CertificateUtils.java
index a555f955962..bec21a5b25f 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzX509CertificateUtils.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzX509CertificateUtils.java
@@ -31,7 +31,7 @@ public class AthenzX509CertificateUtils {
 public static AthenzRole getRolesFromRoleCertificate(X509Certificate certificate) {
 String commonName = com.yahoo.security.X509CertificateUtils.getSubjectCommonNames(certificate).get(0);
- return AthenzRole.fromString(commonName);
+ return AthenzRole.fromResourceNameString(commonName);
 }
 private static AthenzIdentity getIdentityFromSanEmail(String email) {
-- cgit v1.2.3
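Review bot: `getRolesFromRoleCertificate` now hands the subject CN straight to `AthenzRole.fromResourceNameString` and performs no trust check of its own, and the issuer-name check `isAthenzIssuedCertificate` that previously sat in this class was deleted earlier in this series, so nothing in the file says who is responsible for deciding the certificate is genuine. A Javadoc on the method would make that explicit: `/** Parses the role encoded in the subject CN of a role certificate. Performs no chain or issuer validation; callers must only pass certificates already verified against the trusted Athenz CA. */`. The plural `getRoles…` name for a method returning a single `AthenzRole` is a small readability snag; `getRoleFromRoleCertificate` would match the return type, and if a rename is out of scope for this hunk the Javadoc should at least state that exactly one role is returned.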