|
31 | 31 | import java.security.cert.CertificateFactory; |
32 | 32 | import java.security.cert.X509Certificate; |
33 | 33 | import java.time.Instant; |
| 34 | +import java.time.temporal.ChronoUnit; |
34 | 35 | import java.util.ArrayList; |
35 | 36 | import java.util.Base64; |
36 | 37 | import java.util.List; |
| 38 | +import java.util.UUID; |
37 | 39 | import java.util.function.Function; |
38 | 40 | import java.util.regex.Pattern; |
39 | 41 | import java.util.stream.Stream; |
40 | 42 |
|
41 | 43 | import javax.security.auth.x500.X500Principal; |
42 | 44 |
|
| 45 | +import org.eclipse.hono.service.management.tenant.Tenant; |
| 46 | +import org.eclipse.hono.service.management.tenant.TrustedCertificateAuthority; |
43 | 47 | import org.eclipse.hono.util.RegistryManagementConstants; |
44 | 48 | import org.junit.jupiter.api.BeforeEach; |
45 | 49 | import org.junit.jupiter.api.Test; |
@@ -242,18 +246,21 @@ public void testDecodePskCredential() { |
242 | 246 | } |
243 | 247 |
|
244 | 248 | /** |
245 | | - * Test encoding an X.509 secret. |
| 249 | + * Test encoding an X.509 credential. |
246 | 250 | */ |
247 | 251 | @Test |
248 | 252 | public void testEncodeX509Credential() { |
249 | 253 |
|
250 | 254 | final X509CertificateSecret x509Secret = new X509CertificateSecret(); |
251 | 255 | addCommonProperties(x509Secret); |
252 | | - var credential = X509CertificateCredential.fromSubjectDn("CN=foo, O=bar", List.of(x509Secret)); |
| 256 | + var credential = X509CertificateCredential.fromSubjectDn("CN=foo, O=bar", "CN=test, O=bar", "foo-bar", |
| 257 | + List.of(x509Secret)); |
253 | 258 |
|
254 | 259 | JsonObject json = JsonObject.mapFrom(credential); |
255 | 260 | assertEquals("x509-cert", json.getString(RegistryManagementConstants.FIELD_TYPE)); |
256 | 261 | assertEquals("CN=foo,O=bar", json.getString(RegistryManagementConstants.FIELD_AUTH_ID)); |
| 262 | + assertEquals(false, json.containsKey(RegistryManagementConstants.FIELD_GENERATED_AUTH_ID)); |
| 263 | + assertEquals(false, json.containsKey(RegistryManagementConstants.FIELD_ISSUER_DN)); |
257 | 264 | JsonObject secret = json.getJsonArray(RegistryManagementConstants.FIELD_SECRETS).getJsonObject(0); |
258 | 265 | assertCommonSecretProperties(secret); |
259 | 266 |
|
@@ -295,6 +302,106 @@ public void testDecodeX509CredentialFromSubjectDn() { |
295 | 302 | assertCommonSecretProperties(secret); |
296 | 303 | } |
297 | 304 |
|
| 305 | + /** |
| 306 | + * Verifies that a JSON object containing an auth-id, generated-auth-id and a secret can be decoded into an X.509 |
| 307 | + * credential. |
| 308 | + */ |
| 309 | + @Test |
| 310 | + void testDecodeX509CredentialWithGeneratedAuthId() { |
| 311 | + final JsonObject jsonCredential = new JsonObject() |
| 312 | + .put(RegistryManagementConstants.FIELD_TYPE, RegistryManagementConstants.SECRETS_TYPE_X509_CERT) |
| 313 | + .put(RegistryManagementConstants.FIELD_AUTH_ID, "CN=Acme") |
| 314 | + .put(RegistryManagementConstants.FIELD_GENERATED_AUTH_ID, "Acme") |
| 315 | + .put(RegistryManagementConstants.FIELD_COMMENT, "comment") |
| 316 | + .put(RegistryManagementConstants.FIELD_ENABLED, true) |
| 317 | + .put(RegistryManagementConstants.FIELD_SECRETS, new JsonArray() |
| 318 | + .add(new JsonObject() |
| 319 | + .put(RegistryManagementConstants.FIELD_ENABLED, true) |
| 320 | + .put(RegistryManagementConstants.FIELD_SECRETS_NOT_BEFORE, NOT_BEFORE_STRING) |
| 321 | + .put(RegistryManagementConstants.FIELD_SECRETS_NOT_AFTER, NOT_AFTER_STRING) |
| 322 | + .put(RegistryManagementConstants.FIELD_SECRETS_COMMENT, SECRET_COMMENT))); |
| 323 | + |
| 324 | + final X509CertificateCredential credential = jsonCredential.mapTo(X509CertificateCredential.class); |
| 325 | + |
| 326 | + assertEquals("CN=Acme", credential.getAuthId()); |
| 327 | + assertEquals("Acme", credential.getGeneratedAuthId()); |
| 328 | + assertEquals("comment", credential.getComment()); |
| 329 | + assertTrue(credential.isEnabled()); |
| 330 | + assertEquals(1, credential.getSecrets().size()); |
| 331 | + |
| 332 | + final X509CertificateSecret secret = credential.getSecrets().get(0); |
| 333 | + assertCommonSecretProperties(secret); |
| 334 | + } |
| 335 | + |
| 336 | + /** |
| 337 | + * Verifies an X.509 credential obtained by overriding the authId with the generated authId. |
| 338 | + */ |
| 339 | + @Test |
| 340 | + void testX509CredentialObtainedByOverridingAuthId() { |
| 341 | + final String subjectDn = "CN=foo, O=bar"; |
| 342 | + final String generatedAuthId = "foo-bar"; |
| 343 | + final X509CertificateSecret x509Secret = new X509CertificateSecret(); |
| 344 | + addCommonProperties(x509Secret); |
| 345 | + final var credential = X509CertificateCredential.fromSubjectDn(subjectDn, null, generatedAuthId, |
| 346 | + List.of(x509Secret)); |
| 347 | + final X509CertificateCredential credentialWithOverriddenAuthId = credential.overrideAuthIdWithGeneratedAuthId(); |
| 348 | + |
| 349 | + assertEquals(generatedAuthId, credentialWithOverriddenAuthId.getAuthId()); |
| 350 | + assertTrue(credentialWithOverriddenAuthId.isEnabled()); |
| 351 | + assertEquals(1, credentialWithOverriddenAuthId.getSecrets().size()); |
| 352 | + |
| 353 | + final X509CertificateSecret secret = credentialWithOverriddenAuthId.getSecrets().get(0); |
| 354 | + assertCommonSecretProperties(secret); |
| 355 | + } |
| 356 | + |
| 357 | + /** |
| 358 | + * Verifies an X.509 credential obtained by applying the given auth-id-template |
| 359 | + * to the client certificate's subject DN. |
| 360 | + */ |
| 361 | + @Test |
| 362 | + void testX509CredentialWithGeneratedAuthIdObtainedByApplyingAuthIdTemplate() { |
| 363 | + final String commonName = UUID.randomUUID().toString(); |
| 364 | + final String issuerDn = "CN=testBase,OU=Hono,O=Eclipse"; |
| 365 | + final String subjectDN = String.format("CN=%s,OU=Hono,O=Eclipse", commonName); |
| 366 | + final String authIdTemplate = "auth-{{subject-cn}}-{{subject-ou}}-{{subject-o}}"; |
| 367 | + final String generatedAuthId = String.format("auth-%s-Hono-Eclipse", commonName); |
| 368 | + |
| 369 | + final var trustedCa = new TrustedCertificateAuthority() |
| 370 | + .setSubjectDn(issuerDn) |
| 371 | + .setPublicKey("NOTAKEY".getBytes(StandardCharsets.UTF_8)) |
| 372 | + .setAuthIdTemplate(authIdTemplate) |
| 373 | + .setNotBefore(Instant.now().minus(1, ChronoUnit.DAYS)) |
| 374 | + .setNotAfter(Instant.now().plus(2, ChronoUnit.DAYS)); |
| 375 | + final var tenant = new Tenant().setTrustedCertificateAuthorities(List.of(trustedCa)); |
| 376 | + final X509CertificateSecret x509Secret = new X509CertificateSecret(); |
| 377 | + addCommonProperties(x509Secret); |
| 378 | + final var credential = X509CertificateCredential.fromSubjectDn(subjectDN, issuerDn, null, List.of(x509Secret)); |
| 379 | + credential.setEnabled(true) |
| 380 | + .setComment("comment"); |
| 381 | + |
| 382 | + final X509CertificateCredentialWithGeneratedAuthId credentialWithGeneratedAuthId = X509CertificateCredentialWithGeneratedAuthId |
| 383 | + .applyAuthIdTemplate(credential, tenant); |
| 384 | + |
| 385 | + assertEquals(subjectDN, credentialWithGeneratedAuthId.getAuthId()); |
| 386 | + assertEquals(generatedAuthId, credentialWithGeneratedAuthId.getGeneratedAuthId()); |
| 387 | + assertEquals("comment", credentialWithGeneratedAuthId.getComment()); |
| 388 | + assertTrue(credentialWithGeneratedAuthId.isEnabled()); |
| 389 | + assertEquals(1, credentialWithGeneratedAuthId.getSecrets().size()); |
| 390 | + |
| 391 | + final X509CertificateSecret secret = credentialWithGeneratedAuthId.getSecrets().get(0); |
| 392 | + assertCommonSecretProperties(secret); |
| 393 | + |
| 394 | + final JsonObject json = JsonObject.mapFrom(credentialWithGeneratedAuthId); |
| 395 | + |
| 396 | + assertEquals("x509-cert", json.getString(RegistryManagementConstants.FIELD_TYPE)); |
| 397 | + assertEquals(subjectDN, json.getString(RegistryManagementConstants.FIELD_AUTH_ID)); |
| 398 | + assertEquals(generatedAuthId, json.getString(RegistryManagementConstants.FIELD_GENERATED_AUTH_ID)); |
| 399 | + assertEquals("comment", json.getString(RegistryManagementConstants.FIELD_COMMENT)); |
| 400 | + |
| 401 | + final JsonObject secretJson = json.getJsonArray(RegistryManagementConstants.FIELD_SECRETS).getJsonObject(0); |
| 402 | + assertCommonSecretProperties(secretJson); |
| 403 | + } |
| 404 | + |
298 | 405 | /** |
299 | 406 | * Verifies that a JSON object containing a client certificate can be decoded into an X.509 credential. |
300 | 407 | * |
|
0 commit comments