// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. package com.yahoo.security.tls; import com.yahoo.security.KeyAlgorithm; import com.yahoo.security.KeyUtils; import com.yahoo.security.X509CertificateBuilder; import org.junit.jupiter.api.Test; import javax.security.auth.x500.X500Principal; import java.math.BigInteger; import java.security.KeyPair; import java.security.cert.X509Certificate; import java.time.Instant; import java.time.temporal.ChronoUnit; import java.util.List; import java.util.Set; import static com.yahoo.security.SignatureAlgorithm.SHA256_WITH_ECDSA; import static org.assertj.core.api.AssertionsForInterfaceTypes.assertThat; import static org.junit.jupiter.api.Assertions.assertThrows; /** * @author bjorncs */ class ConnectionAuthContextTest { @Test void fails_on_missing_capabilities() { ConnectionAuthContext ctx = createConnectionAuthContext(); assertThrows(MissingCapabilitiesException.class, () -> ctx.verifyCapabilities(CapabilitySet.of(Capability.CONTENT__STATUS_PAGES))); } @Test void creates_correct_error_message() { ConnectionAuthContext ctx = createConnectionAuthContext(); CapabilitySet requiredCaps = CapabilitySet.of(Capability.CONTENT__STATUS_PAGES); String expectedMessage = """ Permission denied for 'myaction' on 'myresource'. Peer 'mypeer' with [CN='myidentity']. Requires capabilities [vespa.content.status_pages] but peer has [vespa.logserver.api]. """; String actualMessage = ctx.createPermissionDeniedErrorMessage(requiredCaps, "myaction", "myresource", "mypeer"); assertThat(actualMessage).isEqualToIgnoringWhitespace(expectedMessage); } private static ConnectionAuthContext createConnectionAuthContext() { return new ConnectionAuthContext( List.of(createCertificate()), CapabilitySet.of(Capability.LOGSERVER_API), Set.of(), CapabilityMode.ENFORCE); } private static X509Certificate createCertificate() { KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.EC, 256); return X509CertificateBuilder.fromKeypair( keyPair, new X500Principal("CN=myidentity"), Instant.EPOCH, Instant.EPOCH.plus(100000, ChronoUnit.DAYS), SHA256_WITH_ECDSA, BigInteger.ONE) .build(); } }