java source code of X509CertRequestTest

athenz-master
- utils
  - zts-roletoken
    - Makefile
    - pom.xml
    - doc.go
    - zts-roletoken.go
    - README.md
  - zms-svctoken
    - Makefile
    - pom.xml
    - doc.go
    - zms-svctoken.go
    - README.md
  - zts-rolecert
    - zts-rolecert.go
    - Makefile
    - pom.xml
    - doc.go
    - zts-rolecert_test.go
    - data
      - service_x509.pem
    - README.md
  - zms-cli
    - Makefile
    - pom.xml
    - doc.go
    - zms-cli.go
    - README.md
  - athenz-conf
    - Makefile
    - pom.xml
    - doc.go
    - athenz-conf.go
    - README.md
  - zts-accesstoken
    - Makefile
    - pom.xml
    - doc.go
    - zts-accesstoken.go
    - README.md
  - zpe-updater
    - zpu_config_test.go
    - Makefile
    - zpu_client.go
    - pom.xml
    - doc.go
    - util
      - util.go
      - doc.go
      - util_test.go
      - canonicalstring_test.go
      - canonicalstring.go
    - test_data
      - doc.go
      - data.go
      - data_domain2.go
      - data_domain1.go
    - README.md
    - cmd
      - tools
        main.go
    - zpu_client_test.go
    - devel
      - doc.go
      - testing_utilities.go
    - conf
      - zpu.conf
    - zpu_config.go
  - zpe_policy_updater
    - src
      - main
        java
        com
        yahoo
        athenz
        zpe_policy_updater
        PolicyUpdater.java
        ZTSClientFactory.java
        ZTSClientFactoryImpl.java
        PolicyUpdaterConfiguration.java
      - test
        resources
        unit_test_zms_private_k0.pem
        unit_test_zpu_private.pem
        sys.auth.pol.tampered.zts
        logback.xml
        zms_public_k0.pem
        sports.pol
        zpu_empty.conf
        tmp
        .keepme
        zpu_public.pem
        zts_public_k0.pem
        sys.auth.pol
        athenz.conf
        sys.auth.pol.tampered.zms
        travis_logback.xml
        zts_public_k1.pem
        unit_test_zts_private_k1.pem
        zpu.conf
        pol_dir
        .keepme
        unit_test_zts_private_k0.pem
        zpu_test.conf
        java
        com
        yahoo
        athenz
        zpe_policy_updater
        DebugZTSClientFactory.java
        PolicyUpdaterTest.java
        SignPoliciesUtility.java
        ZTSMock.java
    - pom.xml
    - README.md
    - scripts
      - zpu_run.sh
      - zpu_set_ownership.pl
    - conf
      - logback.xml
      - utility_settings
      - zpu.conf
  - zts-svccert
    - Makefile
    - pom.xml
    - doc.go
    - zts-svccert.go
    - README.md
    - .gitignore
- servers
  - zms
    - src
      - main
        resources
        messages
        domain-member-expiry.html
        principal-expiry.html
        membership-approval-reminder.html
        principal-review.html
        domain-member-review.html
        membership-approval.html
        rdl
        ZMS.rdl
        java
        com
        yahoo
        athenz
        zms
        PrincipalRole.java
        utils
        ZMSUtils.java
        JsonMappingExceptionMapper.java
        JsonProcessingExceptionMapper.java
        QuotaChecker.java
        ResourceContext.java
        RsrcCtxWrapper.java
        ResourceError.java
        store
        impl
        FileObjectStoreFactory.java
        JDBCObjectStoreFactory.java
        AWSObjectStoreFactory.java
        ObjectStoreConnection.java
        jdbc
        JDBCConnection.java
        JDBCObjectStore.java
        AthenzDomain.java
        file
        FileObjectStore.java
        FileConnection.java
        DomainStruct.java
        ObjectStoreFactory.java
        ObjectStore.java
        config
        SolutionTemplates.java
        AuthorizedServices.java
        AuthorizedService.java
        AllowedOperation.java
        JsonGeneralExceptionMapper.java
        ResourceException.java
        ZMSConsts.java
        ZMSHandler.java
        notification
        RoleMemberReviewNotificationTask.java
        RoleMemberExpiryNotificationTask.java
        PendingMembershipApprovalNotificationTask.java
        ZMSNotificationTaskFactory.java
        PutMembershipNotificationTask.java
        RoleMemberNotificationCommon.java
        ZMSConfig.java
        ZMSResources.java
        JsonParseExceptionMapper.java
        ZMS.java
        ZMSBinder.java
        webapp
        WEB-INF
        web.xml
      - test
        resources
        logback.xml
        zms.properties
        unit_test_zms_private_k1.pem
        authorized_services.json
        unit_test_zms_private.pem
        zms_public_k2.pem
        zms_public.pem
        travis_logback.xml
        unit_test_zms_private_k2.pem
        zms_public_k1.pem
        solution_templates.json
        java
        com
        yahoo
        athenz
        zms
        utils
        ZMSUtilsTest.java
        ZMSTestUtils.java
        audit
        MockAuditReferenceValidatorImpl.java
        MockAuditReferenceValidatorFactoryImpl.java
        MockHttpServletResponse.java
        ResourceExceptionTest.java
        store
        impl
        AWSObjectStoreFactoryTest.java
        JDBCObjectStoreFactoryTest.java
        jdbc
        JDBCObjectStoreTest.java
        file
        FileObjectStoreTest.java
        FileConnectionTest.java
        config
        AuthorizedServicesTest.java
        AllowedOperationTest.java
        SolutionTemplatesTest.java
        TestUserPrincipalAuthority.java
        RsrcCtxWrapperTest.java
        MockHttpServletRequest.java
        ExceptionMapperTest.java
        ZMSTest.java
        QuotaCheckerTest.java
        notification
        PutMembershipNotificationTaskTest.java
        MockNotificationService.java
        RoleMemberExpiryNotificationTaskTest.java
        ZMSNotificationTaskFactoryTest.java
        RoleMemberReviewNotificationTaskTest.java
        RoleMemberNotificationCommonTest.java
        MockNotificationServiceFactory.java
        PendingMembershipApprovalNotificationTaskTest.java
        NotificationManagerTest.java
        DomainRoleMembersFetcherTest.java
        ZMSBinderTest.java
        status
        MockStatusCheckerThrowException.java
        MockStatusCheckerNoException.java
    - pom.xml
    - README.md
    - scripts
      - zms
      - setup_dev_zms.sh
      - make_stubs.sh
    - schema
      - zms_server.sql
      - zms_server.mwb
      - updates
        update-20200420.sql
        update-20191127.sql
        update-20191004.sql
        update-20191106.sql
        update-20191003.sql
        update-20200129.sql
        update-20191025.sql
        update-20191227.sql
        update-20190107.sql
        update-20190702.sql
        update-20200507.sql
        update-20190816.sql
        update-20200510.sql
        update-20200609.sql
        update-20200506.sql
        update-20190606.sql
    - conf
      - dev_x509_cert.cnf
      - logback.xml
      - zms.properties
      - athenz.properties
      - authorized_services.json
      - solution_templates.json
  - zts
    - src
      - main
        resources
        messages
        unrefreshed-certs.html
        aws-zts-health.html
        rdl
        ZTS.rdl
        java
        com
        yahoo
        athenz
        zts
        ZTS.java
        ZTSHandler.java
        utils
        ProviderIPBlocks.java
        ZTSUtils.java
        IPBlock.java
        CertBundle.java
        FilesHelper.java
        IPPrefixes.java
        CertBundles.java
        DynamoDBUtils.java
        GlobStringsMatcher.java
        ProviderIPBlock.java
        IPPrefix.java
        JsonMappingExceptionMapper.java
        JsonProcessingExceptionMapper.java
        AccessTokenRequest.java
        ZTSResources.java
        ResourceContext.java
        cert
        impl
        KeyStoreCertSignerFactory.java
        DynamoDBSSHRecordStore.java
        FileCertRecordStoreFactory.java
        DynamoDBClientSettings.java
        DynamoDBCertRecordStore.java
        JDBCSSHRecordStoreConnection.java
        FileSSHRecordStore.java
        JDBCCertRecordStoreConnection.java
        DynamoDBClientAndCredentials.java
        DynamoDBClientFetcherFactory.java
        DynamoDBCertRecordStoreConnection.java
        DynamoDBSSHRecordStoreConnection.java
        JDBCCertRecordStoreFactory.java
        DynamoDBStatusChecker.java
        DynamoDBCertRecordStoreFactory.java
        JDBCSSHRecordStoreFactory.java
        KeyStoreCertSigner.java
        SelfCertSignerFactory.java
        FileCertRecordStoreConnection.java
        AWSCertRecordStoreFactory.java
        HttpCertSigner.java
        DynamoDBClientFetcherImpl.java
        FileSSHRecordStoreFactory.java
        DynamoDBStatusCheckerFactory.java
        crypki
        AbstractHttpCertSigner.java
        X509CertificateSigningRequest.java
        X509Certificate.java
        KeyMeta.java
        HttpCertSigner.java
        HttpCertSignerFactory.java
        FileSSHRecordStoreConnection.java
        SelfCertSigner.java
        JDBCCertRecordStore.java
        HttpCertSignerFactory.java
        FileCertRecordStore.java
        DynamoDBClientFetcher.java
        DynamoDBSSHRecordStoreFactory.java
        JDBCSSHRecordStore.java
        X509CertSignObject.java
        X509ServiceCertRequest.java
        X509CertRequest.java
        X509RoleCertRequest.java
        SshHostCsr.java
        X509CertUtils.java
        InstanceCertManager.java
        RsrcCtxWrapper.java
        ResourceError.java
        store
        impl
        ZMSFileChangeLogStore.java
        ZMSFileChangeLogStoreFactory.java
        S3ChangeLogStore.java
        S3ChangeLogStoreFactory.java
        ChangeLogStoreFactory.java
        CloudStore.java
        ChangeLogStore.java
        DataStore.java
        ZTSImpl.java
        JsonGeneralExceptionMapper.java
        ResourceException.java
        ZTSBinder.java
        cache
        DataCache.java
        MemberRole.java
        DataCacheProvider.java
        notification
        CertFailedRefreshNotificationTask.java
        AWSZTSHealthNotificationTask.java
        ZTSNotificationTaskFactory.java
        ZTSClientNotificationSenderImpl.java
        ZTSAuthorizer.java
        JsonParseExceptionMapper.java
        InstanceProviderManager.java
        ZTSConsts.java
        webapp
        WEB-INF
        web.xml
      - test
        resources
        multiple_cn.csr
        multi_dns_domain_wildcard.csr
        multiple_uri.csr
        multiple_org.csr
        athenz.instanceid_ip.csr
        coretech_readers_proxy_role_uri.csr
        athenz.mismatch.dns.csr
        multi_dns_domain_wildcard_mismatch.csr
        athenz.instanceid.cname.csr
        valid_noemail.csr
        spiffe_service_mismatch.csr
        sshhost_nocnames.csr
        valid_cn_only.csr
        athenz_coretech_role_uri_ip.csr
        role_multiple_ip.csr
        unit_test_gdpr.aws.core.key.pem
        spiffe_role.csr
        spiffe_invalid_exc.csr
        valid_provider_refresh.pem
        gdpr.aws.core.cert.pem
        ipblocks_k8s.txt
        logback.xml
        ca-bundle-file-invalid-ssh.json
        spiffe_service.csr
        ssh-ca-certs
        instance_cert_ipblocks_invalid_ip.txt
        ca-bundle-file-empty.json
        athenz_no_zms_publickeys.conf
        invalid_dns.csr
        svc_multiple_ip.pem
        athenz.instanceid.hostname.csr
        multiple_ips.csr
        athenz.instanceid.uri.pem
        athenz_coretech_proxy_role_uri.csr
        athenz.cert_ou.csr
        ca-bundle-file-invalid.json
        unit_test_zts_at_private.pem
        athenz_role_uri_invalid.csr
        athenz.instanceid.cname.suffix.csr
        ca-bundle-file-missing-filename.json
        unit_test_test_private.v1
        role_single_ip.csr
        truststore.jks
        svc_single_ip.pem
        zts_public.pem
        test_public.v1
        ipblocks_athenz.txt
        valid_provider_refresh.csr
        cert_log.pem
        athenz_zms_invalid_publickeys.conf
        instance_cert_ipblocks_invalid_json.txt
        athenz.multiple_ou.csr
        x509_certs_comments.pem
        multiple_proxy_role.csr
        spiffe_service_short_mismatch_service.csr
        athenz_zts_invalid_publickeys.conf
        athenz.conf
        x509_certs_no_comments.pem
        zts.properties
        subdomain.csr
        athenz.instanceid.uri.csr
        sshhost_valid_sample.csr
        subdomain_invalid.csr
        unit_test_zts_private.pem
        valid_cn_x509.cert
        ca-bundle-file-invalid-x509.json
        aws_public.crt
        athenz.single_ip.csr
        athenz.mismatch.cn.csr
        travis_logback.xml
        valid_email.csr
        unit_test_private_encrypted.key
        athenz_invalid_zts_pem_publickey.conf
        mockito-extensions
        org.mockito.plugins.MockMaker
        athenz.instance.prod.uri.csr
        proxy_role.csr
        unit_test_zts_private_ec.pem
        empty_ipblocks.txt
        cert_refresh_ipblocks.txt
        ca-bundle-file.json
        zts_at_public.pem
        athenz_no_zts_publickeys.conf
        athenz.instanceid.pem
        iaas.json
        spiffe_short_service.csr
        instance_cert_ipblocks.txt
        athenz_role_uri.csr
        athenz.instanceid.csr
        spiffe_service_short_mismatch_domain.csr
        invalid_ipblocks.txt
        athenz_coretech_role_uri.csr
        valid.csr
        zts_public_ec.pem
        keystore.pkcs12
        spiffe_invalid_scheme.csr
        mtls_token_spec.cert
        multi_dns_domain.csr
        spiffe_invalid_uri.csr
        java
        com
        yahoo
        athenz
        zts
        utils
        IPBlockTest.java
        CertBundleTest.java
        DynamoDBUtilsTest.java
        GlobStringsMatcherTest.java
        ZTSUtilsTest.java
        CertBundlesTest.java
        IPPrefixesTest.java
        cert
        impl
        DynamoDBCertRecordStoreConnectionTest.java
        MockSSHSignerFactory.java
        TestHostnameResolver.java
        KeyStoreCertSignerTest.java
        JDBCCertRecordStoreConnectionTest.java
        AWSCertRecordStoreFactoryTest.java
        DynamoDBClientFetcherImplTest.java
        JDBCSSHRecordStoreConnectionTest.java
        FileSSHRecordStoreConnectionTest.java
        JDBCCertRecordStoreFactoryTest.java
        KeyStoreCertSignerFactoryTest.java
        DynamoDBSSHRecordStoreTest.java
        DynamoDBCertRecordStoreFactoryTest.java
        JDBCSSHRecordStoreFactoryTest.java
        FileCertRecordStoreConnectionTest.java
        JDBCSSHRecordStoreTest.java
        DynamoDBClientSettingsTest.java
        MockSSHSigner.java
        crypki
        HttpCertSignerTest.java
        SelfCertSignerTest.java
        HttpCertSignerTest.java
        DynamoDBCertRecordStoreTest.java
        FileCertRecordStoreTest.java
        TestHostnameResolverFactory.java
        DynamoDBSSHRecordStoreConnectionTest.java
        FileSSHRecordStoreTest.java
        DynamoDBStatusCheckerFactoryTest.java
        JDBCCertRecordStoreTest.java
        DynamoDBSSHRecordStoreFactoryTest.java
        DynamoDBStatusCheckerTest.java
        X509CertUtilsTest.java
        SshHostCsrTest.java
        X509CertRequestTest.java
        X509ServiceCertRequestTest.java
        X509CertSignObjectTest.java
        X509RoleCertRequestTest.java
        InstanceCertManagerTest.java
        ZTSTest.java
        ResourceExceptionTest.java
        store
        impl
        ZMSFileChangeLogStoreFactoryTest.java
        MockZMSFileChangeLogStoreFactory.java
        ZMSFileChangeLogStoreTest.java
        MockZMSFileChangeLogStore.java
        MockS3ChangeLogStoreFactory.java
        MockS3ChangeLogStore.java
        S3ChangeLogStoreFactoryTest.java
        S3ChangeLogStoreTest.java
        MockCloudStore.java
        DataStoreTest.java
        CloudStoreTest.java
        ZTSAuthorizerTest.java
        InstanceTestClassProvider.java
        AccessTokenRequestTest.java
        RsrcCtxWrapperTest.java
        MockHttpServletRequest.java
        ExceptionMapperTest.java
        cache
        MemberRoleTest.java
        DataCacheTest.java
        MockAuthority.java
        notification
        ZTSClientNotificationSenderImplTest.java
        CertFailedRefreshNotificationTaskTest.java
        NotificationTestsCommon.java
        AWSZTSHealthNotificationTaskTest.java
        DomainRoleMembersFetcherTest.java
        InstanceProviderManagerTest.java
        ZTSTestUtils.java
        status
        MockStatusCheckerThrowException.java
        MockStatusCheckerNoException.java
    - pom.xml
    - README.md
    - scripts
      - zts
      - setup_dev_zts.sh
      - make_stubs.sh
    - schema
      - updates
        update-20190715.sql
        update-20190208.sql
        update-20200428.sql
        update-20200302.sql
      - zts_server.mwb
      - zts_server.sql
    - conf
      - dev_x509_cert.cnf
      - logback.xml
      - athenz.properties
      - zts.properties
      - aws_public.crt
- libs
  - go
    - sia
      - verify
        verify.go
      - file
        file.go
      - access
        tokens
        tokens.go
        tokens_test.go
        config
        config.go
    - ztsroletoken
      - Makefile
      - pom.xml
      - doc.go
      - role-token_test.go
      - README.md
      - role-token.go
      - .gitignore
    - zmscli
      - entity.go
      - user.go
      - Makefile
      - dump_test.go
      - utils.go
      - pom.xml
      - dump.go
      - cli.go
      - service.go
      - role_test.go
      - doc.go
      - quota.go
      - policy.go
      - ybase64.go
      - tenant.go
      - service_test.go
      - policy_test.go
      - access.go
      - domain.go
      - README.md
      - utils_test.go
      - import.go
      - template.go
      - repl.go
      - role.go
      - cli_test.go
    - athenzutils
      - principal.go
      - Makefile
      - ztsclient.go
      - pom.xml
      - cert_test.go
      - instance_test.go
      - data
        no_cn_x509.cert
        athenz_instanceid_uri.cert
        invalid_email_x509.cert
        valid_email_x509.cert
        multiple_email_x509.cert
        no_email_x509.cert
        service_identity2.cert
        service_identity1.cert
      - principal_test.go
      - README.md
      - instance.go
      - cert.go
    - athenzconf
      - Makefile
      - athenzconf.go
      - pom.xml
      - README.md
    - zmssvctoken
      - keyserver_test.go
      - util.go
      - Makefile
      - token.go
      - keystore.go
      - pom.xml
      - doc.go
      - ybase64.go
      - token_test.go
      - validate_test.go
      - signer.go
      - signer_test.go
      - README.md
      - ybase64_test.go
    - tls
      - config
        config.go
  - nodejs
    - auth_core
      - src
        impl
        SimpleServiceIdentityProvider.js
        SimplePrincipal.js
        PrincipalAuthority.js
        RoleAuthority.js
        KeyStore.js
        util
        Crypto.js
        YBase64.js
        Validate.js
        token
        PrincipalToken.js
        RoleToken.js
        Token.js
      - Makefile
      - Gruntfile.js
      - pom.xml
      - test
        resources
        unit_test_private_k0.pem
        unit_test_private_k1.pem
        public_k1.pem
        public_k0.pem
        config
        SimplePrincipalMock.js
        mock.js
        helpers.js
        PrincipalAuthorityMock.js
        KeyStore.js
        unit
        impl
        SimpleServiceIdentityProvider.js
        SimplePrincipal.js
        PrincipalAuthority.js
        RoleAuthority.js
        util
        Crypto.js
        YBase64.js
        Validate.js
        token
        PrincipalToken.js
        RoleToken.js
        Token.js
      - eslint.json
      - config
        config.js
        default-config.js
      - README.md
      - package.json
      - index.js
  - java
    - cert_refresher
      - src
        main
        java
        com
        oath
        auth
        KeyRefresherListener.java
        KeyRefresher.java
        JavaKeyStoreProvider.java
        KeyStoreProvider.java
        Utils.java
        TrustManagerProxy.java
        KeyManagerProxy.java
        KeyRefresherException.java
        CaCertKeyStoreProvider.java
        TrustStore.java
        test
        resources
        unit_test_gdpr.aws.core.key.pem
        rsa_public.key
        gdpr.aws.core.cert.pem
        ca.cert.pem
        unit_test_rsa_private.key
        rsa_public_x510_w_intermediate.cert
        truststore.jks
        testFile
        ca.certs.pem
        rsa_public_x510_empty.cert
        rsa_public_x509.cert
        java
        com
        oath
        auth
        KeyRefresherExceptionTest.java
        KeyManagerProxyTest.java
        KeyRefresherTest.java
        SocketTest.java
        TrustStoreTest.java
        TrustManagerProxyTest.java
        UtilsTest.java
        KeyStoreTest.java
      - examples
        tls-support
        src
        main
        java
        com
        yahoo
        athenz
        example
        http
        tls
        client
        HttpTLSClient.java
        pom.xml
        README.md
      - pom.xml
    - auth_core
      - src
        main
        java
        com
        yahoo
        athenz
        auth
        AuthorityKeyStore.java
        impl
        FilePrivateKeyStore.java
        CertificateIdentityException.java
        RoleAuthority.java
        LDAPAuthority.java
        CertificateAuthority.java
        PrincipalAuthority.java
        SimpleServiceIdentityProvider.java
        CertificateIdentityParser.java
        KerberosAuthority.java
        CertificateIdentity.java
        SimplePrincipal.java
        FilePrivateKeyStoreFactory.java
        UserAuthority.java
        KeyStore.java
        PrivateKeyStoreFactory.java
        AuthorityConsts.java
        Principal.java
        util
        Validate.java
        CryptoException.java
        AthenzUtils.java
        YBase64.java
        Crypto.java
        ServerPrivateKey.java
        Authorizer.java
        ServiceIdentityProvider.java
        token
        KerberosToken.java
        Token.java
        AccessToken.java
        IdToken.java
        PrincipalToken.java
        OAuth2Token.java
        jwts
        Keys.java
        JwtsSigningKeyResolver.java
        Key.java
        RoleToken.java
        Authority.java
        PrivateKeyStore.java
        oauth
        OAuthAuthorityConsts.java
        validator
        DefaultOAuthJwtAccessTokenValidator.java
        OAuthJwtAccessTokenValidator.java
        util
        OAuthAuthorityUtils.java
        OAuthCertBoundJwtAccessTokenAuthority.java
        token
        DefaultOAuthJwtAccessToken.java
        OAuthJwtAccessTokenException.java
        OAuthJwtAccessToken.java
        parser
        DefaultOAuthJwtAccessTokenParser.java
        OAuthJwtAccessTokenParserFactory.java
        OAuthJwtAccessTokenParser.java
        DefaultOAuthJwtAccessTokenParserFactory.java
        KeyStoreJwkKeyResolver.java
        test
        resources
        unit_test_ec_private.key
        valid_single_uri.csr
        ec_public_invalid.key
        authorized_client_ids.single.txt
        valid_noemail.csr
        no_cn_x509.cert
        rsa_public.key
        logback.xml
        unit_test_ec_private_param_prime256v1.key
        unit_test_zts_private_k0.key
        unit_test_ec_private_params.key
        role_cert_multiple_uri.cert
        multiple_ips.csr
        unit_test_rsa_private.key
        unit_test_ec_private_param_secp384r1.key
        invalid_email_x509.cert
        jaas.conf
        jwt_jwks.json
        athenz-no-valid-keys.conf
        valid_email_x509.cert
        unit_test_fantasy_private_k0.key
        x509_altnames_doubleuri.cert
        invalid_principal_x509.cert
        x509_certs_comments.pem
        multiple_email_x509.cert
        athenz.conf
        x509_certs_no_comments.pem
        x509_altnames_doubleip.cert
        authorized_client_ids.empty.txt
        x509_altnames_singleip.cert
        x509_altnames_noip.cert
        valid_cn_x509.cert
        ec_public_x509.cert
        fantasy_public_k1.key
        aws_public.crt
        athenz-no-keys.conf
        travis_logback.xml
        csr_altnames.csr
        ec_public_param_secp384r1.key
        valid_email.csr
        no_email_x509.cert
        unit_test_private_encrypted.key
        arg_file
        unit_test_fantasy_private_k1.key
        fantasy_public_k0.key
        jwt_ui.athenz.io.pem
        authorized_client_ids.txt
        ec_public.key
        zts_public_k0.key
        mtls_token2_spec.cert
        role_cert_invalid_uri.cert
        valid_multiple_uri.csr
        unit_test_host_private.key
        valid_emails.csr
        unit_test_zts_private_k1.key
        ec_public_param_prime256v1.key
        zts_public_k1.key
        example.keytab
        x509_altnames_singleuri.cert
        valid.csr
        unit_test_jwt_private.key
        invalid.csr
        rsa_public_invalid.key
        mtls_token_spec.cert
        jwt_public.key
        host_public.key
        invalid_x509.cert
        rsa_public_x509.cert
        ec_public_params.key
        java
        com
        yahoo
        athenz
        auth
        impl
        PrincipalAuthorityTest.java
        CertificateAuthorityTest.java
        MockPrivExcAction.java
        CertificateIdentityParserTest.java
        CertificateIdentityTest.java
        SimplePrincipalTest.java
        UserAuthorityTest.java
        TestLoginCallbackHandler.java
        LDAPAuthorityTest.java
        CertificateIdentityExceptionTest.java
        KerberosAuthorityTest.java
        KeyStoreMock.java
        FilePrivateKeyStoreTest.java
        SimpleServiceIdentityProviderTest.java
        RoleAuthorityTest.java
        ServerPrivateKeyTest.java
        PrivateKeyStoreTest.java
        util
        CryptoTest.java
        AthenzUtilsTest.java
        ValidateTest.java
        YBase64Test.java
        CryptoExceptionTest.java
        AuthorityConstsTest.java
        AuthorityTest.java
        token
        IdTokenTest.java
        AccessTokenTest.java
        RoleTokenTest.java
        PrincipalTokenTest.java
        TokenTest.java
        jwts
        TestJwtsSigningKeyResolver.java
        MockJwtsSigningKeyResolver.java
        TestKey.java
        PrincipalTest.java
        oauth
        OAuthAuthorityConstsTest.java
        validator
        DefaultOAuthJwtAccessTokenValidatorTest.java
        OAuthJwtAccessTokenValidatorTest.java
        OAuthCertBoundJwtAccessTokenAuthorityTest.java
        util
        OAuthAuthorityUtilsTest.java
        token
        OAuthJwtAccessTokenExceptionTest.java
        OAuthJwtAccessTokenTest.java
        DefaultOAuthJwtAccessTokenTest.java
        parser
        DefaultOAuthJwtAccessTokenParserTest.java
        KeyStoreJwkKeyResolverTest.java
        DefaultOAuthJwtAccessTokenParserFactoryTest.java
      - pom.xml
      - README.md
    - instance_provider
      - src
        main
        java
        com
        yahoo
        athenz
        instance
        provider
        impl
        InstanceAWSLambdaProvider.java
        InstanceHttpProvider.java
        InstanceZTSProvider.java
        InstanceAWSECSProvider.java
        InstanceAWSProvider.java
        InstanceUtils.java
        AWSAttestationData.java
        ProviderHostnameVerifier.java
        InstanceProvider.java
        ResourceException.java
        InstanceProviderClient.java
        InstanceConfirmation.java
        test
        resources
        logback.xml
        aws_public.cert
        travis_logback.xml
        unit_test_private_k0.key
        athenz.instanceid.pem
        public_k0.key
        java
        com
        yahoo
        athenz
        instance
        provider
        impl
        AWSAttestationDataTest.java
        InstanceProviderTest.java
        MockInstanceAWSECSProvider.java
        InstanceAWSProviderTest.java
        InstanceZTSProviderTest.java
        InstanceAWSECSProviderTest.java
        MockInstanceAWSProvider.java
        InstanceAWSLambdaProviderTest.java
        InstanceUtilsTest.java
        MockInstanceAWSLambdaProvider.java
        InstanceHttpProviderTest.java
        ProviderHostnameVerifierTest.java
        InstanceProviderClientTest.java
        ResourceExceptionTest.java
        InstanceConfirmationTest.java
      - pom.xml
      - README.md
    - client_common
      - src
        main
        java
        com
        yahoo
        athenz
        common
        utils
        SignUtils.java
        SSLUtils.java
        config
        AthenzConfig.java
        test
        resources
        logback.xml
        certs
        ca
        ca.pkcs12
        ca.pem
        unit_test_ca.key
        client
        client_wrong_ca.pkcs12
        client_multiple_keys.pkcs12
        client.pkcs12
        server
        server.pkcs12
        travis_logback.xml
        testKeyStore.pkcs12
        java
        com
        yahoo
        athenz
        common
        utils
        SignUtilsTest.java
        SSLUtilsTest.java
        config
        AthenzConfigTest.java
      - pom.xml
      - README.md
    - server_common
      - src
        main
        resources
        messages
        ServerCommon.properties
        emails
        base.css
        java
        com
        yahoo
        athenz
        common
        ServerCommonConsts.java
        server
        db
        PoolableDataSource.java
        AthenzDataSource.java
        RolesProvider.java
        DataSourceFactory.java
        audit
        AuditReferenceValidator.java
        AuditReferenceValidatorFactory.java
        cert
        CertRecordStoreConnection.java
        X509CertRecord.java
        CertRecordStoreFactory.java
        CertSignerFactory.java
        CertSigner.java
        CertRecordStore.java
        log
        impl
        DefaultAuditLoggerFactory.java
        DefaultAuditLogMsgBuilder.java
        DefaultAuditLogger.java
        AuditLoggerFactory.java
        AuditLogMsgBuilder.java
        AuditLogger.java
        util
        ConfigProperties.java
        ResourceUtils.java
        ServletRequestUtil.java
        StringUtils.java
        http
        HttpDriver.java
        dns
        HostnameResolverFactory.java
        HostnameResolver.java
        notification
        impl
        EmailNotificationService.java
        NotificationServiceFactoryImpl.java
        AWSEmailProvider.java
        NotificationEmail.java
        EmailProvider.java
        NotificationTaskFactory.java
        DomainRoleMembersFetcherCommon.java
        NotificationService.java
        Notification.java
        NotificationManager.java
        DomainRoleMembersFetcher.java
        NotificationServiceConstants.java
        NotificationToEmailConverter.java
        NotificationServiceFactory.java
        NotificationToEmailConverterCommon.java
        NotificationTask.java
        NotificationCommon.java
        rest
        ResourceContext.java
        ResourceException.java
        Http.java
        debug
        DebugUserAuthority.java
        DebugPrincipalAuthority.java
        DebugRoleAuthority.java
        DebugKerberosAuthority.java
        ssh
        SSHSignerFactory.java
        SSHRecordStoreConnection.java
        SSHCertRecord.java
        SSHSigner.java
        SSHRecordStore.java
        SSHRecordStoreFactory.java
        status
        StatusChecker.java
        StatusCheckException.java
        StatusCheckerFactory.java
        metrics
        impl
        NoOpMetricFactory.java
        NoOpMetric.java
        Metric.java
        MetricFactory.java
        filter
        impl
        NoOpRateLimit.java
        AthenzQoSFilter.java
        NoOpRateLimitFactory.java
        RateLimitFactory.java
        RateLimit.java
        auth
        impl
        aws
        AwsPrivateKeyStoreFactory.java
        AwsPrivateKeyStore.java
        test
        resources
        testFileConfigEmpty.properties
        logback.xml
        driver.truststore.jks
        driver.cert.pem
        unit_test_driver.key.pem
        travis_logback.xml
        testFileConfig.properties
        java
        com
        yahoo
        athenz
        common
        server
        db
        MockConnectionFactory.java
        DataSourceFactoryTest.java
        AthenzDataSourceTest.java
        cert
        CertSignerTest.java
        X509CertRecordTest.java
        log
        impl
        AuditLogMsgBuilderTest.java
        AuditLoggerTest.java
        util
        StringUtilsTest.java
        ServletRequestUtilTest.java
        ConfigPropertiesTest.java
        http
        HttpDriverTest.java
        dns
        HostnameResolverTest.java
        notification
        impl
        EmailNotificationServiceTest.java
        AWSEmailProviderTest.java
        NotificationServiceFactoryImplTest.java
        NotificationTest.java
        DomainRoleMembersFetcherCommonTest.java
        NotificationToEmailConverterCommonTest.java
        rest
        ResourceContextTest.java
        ResourceExceptionTest.java
        HttpTest.java
        debug
        DebugPrincipalAuthorityTest.java
        DebugUserAuthorityTest.java
        DebugKerberosAuthorityTest.java
        DebugRoleAuthorityTest.java
        ssh
        SSHCertRecordTest.java
        SSHSignerTest.java
        metrics
        impl
        MetricsTest.java
        filter
        impl
        NoOpRateLimitTest.java
        AthenzQoSFilterTest.java
        MockHttpServletResponse.java
        MockHttpServletRequest.java
        auth
        impl
        aws
        AwsPrivateKeyStoreTest.java
      - pom.xml
      - README.md
- provider
  - aws
    - sia-ec2
      - options
        options_test.go
        options.go
      - Makefile
      - build
        service
        sia.ubuntu
        sia.service
      - authn.go
      - stssession
        stssession.go
      - util
        util.go
        util_test.go
      - authn_test.go
      - data
        attestation
        attestation_test.go
        attestation.go
        meta
        meta.go
        meta_test.go
        doc
        doc.go
      - README.md
      - cmd
        ztsmock
        main.go
        siad
        main.go
        metamock
        main.go
      - logutil
        logutil.go
      - devel
        ztsmock
        zts.go
        data
        cert.pem
        unit_test_key.pem
        ca.cert.pem
        task-new-arn.json
        cert_wout_ou.pem
        task.json
        metamock
        meta.go
- .tidelift.yml
- go.sum
- examples
  - go
    - centralized-use-case
      - server
        recommend.go
        README.md
  - java
    - instance-provider
      - provider
        src
        main
        java
        com
        yahoo
        athenz
        example
        instance
        provider
        InstanceProviderHandler.java
        InstanceProviderHandlerImpl.java
        InstanceProvider.java
        ResourceContextImpl.java
        ResourceContext.java
        ResourceError.java
        InstanceProviderResources.java
        ResourceException.java
        InstanceProviderContainer.java
        pom.xml
        README.md
        scripts
        make_stubs.sh
      - client
        src
        main
        java
        com
        yahoo
        athenz
        example
        instance
        InstanceClientRefresh.java
        InstanceClientRegister.java
        pom.xml
        README.md
    - centralized-use-case
      - client
        src
        main
        java
        com
        yahoo
        athenz
        example
        ntoken
        HttpExampleClient.java
        pom.xml
        README.md
      - servlet
        src
        main
        java
        com
        yahoo
        athenz
        example
        centralized_authz
        RecServlet.java
        webapp
        WEB-INF
        web.xml
        pom.xml
        README.md
    - decentralized-use-case
      - client
        src
        main
        java
        com
        yahoo
        athenz
        example
        ztoken
        HttpExampleClient.java
        pom.xml
        README.md
      - command-line
        src
        main
        java
        com
        yahoo
        athenz
        example
        authz
        ZpeCheck.java
        pom.xml
        README.md
      - servlet
        src
        main
        java
        com
        yahoo
        athenz
        example
        decentralized_authz
        RecServlet.java
        webapp
        WEB-INF
        web.xml
        pom.xml
        README.md
- pom.xml
- containers
  - jetty
    - src
      - main
        java
        com
        yahoo
        athenz
        container
        AthenzConsts.java
        log
        AthenzRequestLog.java
        AthenzJettyContainer.java
        AthenzDaemon.java
        filter
        DefaultMediaTypeFilter.java
        RateLimitFilter.java
        HealthCheckFilter.java
        ETagFilter.java
      - test
        resources
        logback.xml
        travis_logback.xml
        java
        com
        yahoo
        athenz
        container
        AthenzDaemonTest.java
        log
        AthenzRequestLogTest.java
        AthenzJettyContainerTest.java
        filter
        MockHttpServletResponse.java
        MockHttpServletRequest.java
        RateLimitFilterTest.java
        HealthCheckFilterTest.java
        ETagFilterTest.java
    - pom.xml
    - README.md
    - conf
      - athenz.properties
      - etc
        webdefault.xml
- mkdocs.yml
- checkstyle-suppressions.xml
- ui
  - src
    - __tests__
      - pages
        template.test.js
        __snapshots__
        template.test.js.snap
        service.test.js.snap
        manage-domains.test.js.snap
        search.test.js.snap
        policy.test.js.snap
        home.test.js.snap
        workflow.test.js.snap
        role.test.js.snap
        role.test.js
        workflow.test.js
        home.test.js
        search.test.js
        manage-domains.test.js
        service.test.js
        policy.test.js
      - api.test.js
      - components
        utils
        NameUtils.test.js
        RequestUtils.test.js
        ServiceKeyUtils.test.js
        DateUtils.test.js
        pending-approval
        PendingApprovalTableHeader.test.js
        __snapshots__
        PendingApprovalTable.test.js.snap
        PendingApprovalTableHeader.test.js.snap
        PendingApprovalTableRow.test.js.snap
        PendingApprovalTable.test.js
        PendingApprovalTableRow.test.js
        header
        __snapshots__
        DomainDetails.test.js.snap
        HeaderMenu.test.js.snap
        Header.test.js.snap
        Tabs.test.js.snap
        Header.test.js
        Tabs.test.js
        DomainDetails.test.js
        HeaderMenu.test.js
        policy
        __snapshots__
        PolicyRow.test.js.snap
        PolicyRuleTable.test.js.snap
        AddRuleForm.test.js.snap
        PolicyList.test.js.snap
        AddPolicy.test.js.snap
        AddAssertion.test.js.snap
        AddRuleForm.test.js
        AddAssertion.test.js
        AddPolicy.test.js
        PolicyList.test.js
        PolicyRow.test.js
        PolicyRuleTable.test.js
        modal
        __snapshots__
        DeleteModal.test.js.snap
        AddModal.test.js.snap
        AddModal.test.js
        DeleteModal.test.js
        service
        __snapshots__
        ServiceList.test.js.snap
        ProviderTable.test.js.snap
        AddServiceForm.test.js.snap
        ServiceRow.test.js.snap
        AddKey.test.js.snap
        AddService.test.js.snap
        PublicKeyTable.test.js.snap
        AddKeyForm.test.js.snap
        PublicKeyTable.test.js
        AddServiceForm.test.js
        ServiceRow.test.js
        ProviderTable.test.js
        AddKeyForm.test.js
        ServiceList.test.js
        AddService.test.js
        AddKey.test.js
        flatpicker
        __snapshots__
        Flatpicker.test.js.snap
        Flatpicker.test.js
        template
        TemplateRow.test.js
        __snapshots__
        TemplateRow.test.js.snap
        TemplateDescription.test.js.snap
        TemplateList.test.js.snap
        ApplyTemplate.test.js.snap
        TemplateDescription.test.js
        TemplateList.test.js
        ApplyTemplate.test.js
        domain
        __snapshots__
        CreateDomain.test.js.snap
        UserDomain.test.js.snap
        ManageDomains.test.js.snap
        ManageDomains.test.js
        CreateDomain.test.js
        UserDomain.test.js
        history
        __snapshots__
        HistoryList.test.js.snap
        HistoryList.test.js
        role
        UserRoleTable.test.js
        __snapshots__
        RoleUserTable.test.js.snap
        RoleMember.test.js.snap
        ReviewMembersRow.test.js.snap
        RoleRow.test.js.snap
        RoleMemberReviewDetails.test.js.snap
        RoleList.test.js.snap
        AddMemberForm.test.js.snap
        RoleTable.test.js.snap
        UserRoleTable.test.js.snap
        RoleAuditLog.test.js.snap
        AddMemberForm.test.js
        RoleList.test.js
        RoleRow.test.js
        RoleMemberReviewDetails.test.js
        ReviewMembersRow.test.js
        RoleUserTable.test.js
        RoleAuditLog.test.js
        RoleTable.test.js
        RoleMember.test.js
        denali
        icons
        __snapshots__
        Icon.test.js.snap
        Icon.test.js
        TextArea.test.js
        __snapshots__
        Alert.test.js.snap
        SearchInput.test.js.snap
        TabGroup.test.js.snap
        Switch.test.js.snap
        Tag.test.js.snap
        RadioButton.test.js.snap
        Button.test.js.snap
        TextArea.test.js.snap
        ButtonGroup.test.js.snap
        NavBarItem.test.js.snap
        Modal.test.js.snap
        NavBar.test.js.snap
        InputDropdown.test.js.snap
        Input.test.js.snap
        RadioButtonGroup.test.js.snap
        NavBar.test.js
        Button.test.js
        Color.test.js
        ScrollWatch.test.js
        SearchInput.test.js
        NavBarItem.test.js
        Input.test.js
        Menu
        Menu.test.js
        ButtonGroup.test.js
        Tag.test.js
        Switch.test.js
        InputDropdown.test.js
        Loader.test.js
        RadioButtonGroup.test.js
        TabGroup.test.js
        styles
        index.test.js
        RadioButton.test.js
        Modal.test.js
        InputLabel.test.js
        Alert.test.js
      - config
        config.test.js
      - server
        secrets.test.js
        clients.test.js
        utils
        errorHandler.test.js
        authutils.test.js
        services
        userServiceImpl.test.js
        userService.test.js
        handlers
        policy.api.test.js
        domain-history.test.js
        status.test.js
        api.test.js
        passportAuth.test.js
        AuthStrategy.test.js
        logger.test.js
        body.test.js
        api-domain-history.test.js
        secure.test.js
        PublicKeyStore.test.js
        routes.test.js
    - pages
      - old-workflow.js
      - search.js
      - manage-domains.js
      - home.js
      - _document.js
      - create-domain.js
      - template.js
      - login.js
      - old-home.js
      - policy.js
      - workflow.js
      - history.js
      - role.js
      - service.js
      - _error.js
      - old-role.js
    - components
      - utils
        RequestUtils.js
        NameUtils.js
        ServiceKeyUtils.js
        DateUtils.js
      - pending-approval
        PendingApprovalTableRow.js
        PendingApprovalTableHeader.js
        PendingApprovalTable.js
      - header
        HeaderMenu.js
        Header.js
        Tabs.js
        DomainDetails.js
      - search
        Search.js
      - policy
        PolicyRuleTable.js
        PolicyList.js
        AddPolicy.js
        PolicyRow.js
        AddAssertion.js
        AddRuleForm.js
      - modal
        DeleteModal.js
        AddModal.js
      - service
        AddServiceForm.js
        ServiceRow.js
        AddKey.js
        ProviderTable.js
        AddKeyForm.js
        ServiceList.js
        PublicKeyTable.js
        AddService.js
      - constants
        constants.js
      - flatpicker
        FlatPicker.js
      - template
        TemplateDescription.js
        TemplateRow.js
        ApplyTemplate.js
        TemplateList.js
      - domain
        CreateDomain.js
        ManageDomains.js
        UserDomains.js
      - history
        HistoryList.js
      - role
        RoleAuditLog.js
        RoleTable.js
        RoleMember.js
        RoleMemberReviewDetails.js
        RoleList.js
        AddMemberToRoles.js
        RoleRow.js
        AddMemberForm.js
        RoleMemberDetails.js
        ReviewMembersRow.js
        AddRole.js
        RoleUserTable.js
        UserRoleTable.js
      - denali
        Loader.js
        NavBarItem.js
        icons
        Icon.js
        Icons.js
        InputLabel.js
        ScrollWatch.js
        Input.js
        SearchInput.js
        CheckBox.js
        ButtonGroup.js
        TabGroup.js
        Menu
        Menu.js
        styles.js
        NavBar.js
        Color.js
        TextArea.js
        RadioButtonGroup.js
        RadioButton.js
        Button.js
        Switch.js
        Alert.js
        styles
        colors.js
        link.js
        fonts.js
        breakpoints.js
        drop-shadow.js
        index.js
        InputDropdown.js
        Modal.js
        Tag.js
    - config
      - config.js
      - users_data_template.json
      - default-config.js
    - global-jest-setup.js
    - routes.js
    - server
      - utils
        errorHandler.js
        authUtils.js
      - services
        userService.js
        userServiceImpl.js
      - handlers
        passportAuth.js
        domain-history.js
        secure.js
        body.js
        logger.js
        routes.js
        AuthStrategy.js
        api.js
        status.js
        PublicKeyStore.js
      - clients.js
      - secrets.js
    - setup-jest-test-framework.js
    - api.js
    - rdl-rest.js
  - jest.config.js
  - .env
  - keys
    - dev_x509_cert.cnf
  - Makefile
  - pom.xml
  - pm2.config.js
  - .prettierrc
  - athenz-ui.spec
  - .npmrc
  - app.js
  - .editorconfig
  - __mocks__
    - fs.js
    - @athenz
      - DummyKeyStore.js
      - DummyYBase64.js
      - auth-core.js
      - DummyAuthority.js
  - .babelrc
  - .istanbul.yml
  - README.md
  - next.config.js
  - package.json
  - scripts
    - setup_dev_ui.sh
    - athenz_ui
  - docs
    - zms-api.md
  - static
    - favicon.ico
    - pure-min.css
- LICENSE
- travis
  - settings-zts-java-client.xml
  - settings-server-common.xml
  - settings-athenz-ui.xml
  - settings-zts-core.xml
  - settings-athenz-utils.xml
  - settings-athenz-parent.xml
  - settings-athenz-zts.xml
  - settings-zms-core.xml
  - settings-zpe-policy-updater.xml
  - settings-athenz-zpu.xml
  - settings-athenz-instance-provider.xml
  - settings-athenz-jetty-container.xml
  - settings-athenz-zms.xml
  - settings-auth-core.xml
  - settings-client-common.xml
  - settings-zms-java-client.xml
  - publish_to_bintray.sh
  - mkdocs.sh
  - settings-zts-java-client-core.xml
  - settings-zpe-java-client.xml
  - settings-cert-refresher.xml
- archive
  - ui
    - src
      - utils
        handlebarHelpers.js
        colors.js
        conf.js
        page.js
        number.js
        middleware.js
        features.js
        req.js
        pagination.js
        login.js
        date.js
        routes.js
        view.js
      - api
        common.js
        domain.js
        roles.js
        services.js
        policies.js
      - routeHandlers
        search.js
        domain.js
        main.js
        login.js
        policy.js
        role.js
        user.js
        service.js
      - rdl-rest.js
      - PublicKeyStore.js
    - keys
      - dev_x509_cert.cnf
    - rdl-api.md
    - Makefile
    - views
      - policyrow.handlebars
      - managedomains.handlebars
      - adddomains.handlebars
      - login.handlebars
      - searchresults.handlebars
      - rolerow.handlebars
      - domain.handlebars
      - 404.handlebars
      - partials
        policyrow.handlebars
        appheader.handlebars
        barchart.handlebars
        circlestat.handlebars
        entity.handlebars
        navlinks.handlebars
        servicekeyrow.handlebars
        list.handlebars
        mydomains.handlebars
        deleteconfirm.handlebars
        radialstat.handlebars
        adduserdomain.handlebars
        stat.handlebars
        adddomain.handlebars
        addpolicyruleform.handlebars
        servicerow.handlebars
        search.handlebars
        breadcrumbs.handlebars
        resources.handlebars
        header.handlebars
        addrolemember.handlebars
        athenzlogo.handlebars
        pagination.handlebars
        rolerow.handlebars
        modaltitle.handlebars
        roles.handlebars
        addrole.handlebars
        policies.handlebars
        addpolicy.handlebars
        addkeyform.handlebars
        addservice.handlebars
        roleaudit.handlebars
        assertionrow.handlebars
        services.handlebars
        submitcontainer.handlebars
        addsubdomain.handlebars
        roleadmins.handlebars
        rolememberresults.handlebars
        loginuser.handlebars
        domainMeta.handlebars
      - layouts
        main.handlebars
      - home.handlebars
    - Gruntfile.js
    - public
      - imgs
        welcome_to_athenz.gif
        athenz_logo.gif
        athenz_logo_nav.gif
      - fonts
        athenz.svg
        athenz.woff
      - js
        common.js
        selectize.js
        managePolicy.js
        manageService.js
        athenzPost.js
        manageRole.js
        interactions.js
        manageDomain.js
        index.js
        addDomain.js
        roleHelper.js
      - css
        app.css
        base
        barchart.css
        reset.css
        icons.css
        variables.css
        mixins.css
        autocomplete.css
        iconfont.css
        form.css
        table.css
        layout.css
        button.css
        modules
        pagination.css
        transports.css
        searchcontainer.css
        managedomains.css
        header.css
        notifications.css
        policies.css
        roles.css
        appheader.css
        console.css
        services.css
        searchresults.css
        home.css
        search.css
        adddomainsform.css
        changeownership.css
        meta.css
        domain.css
        dashboard.css
        common.css
    - test
      - functional
        search.js
        roles.js
        services.js
        policies.js
        domains-manage.js
        domains-create.js
        index.js
      - config
        protractor.conf.js
        mock.js
        helpers.js
      - unit
        utils
        handlebarHelpers.js
        page.js
        middleware.js
        features.js
        req.js
        pagination.js
        date.js
        view.js
        api
        common.js
        domain.js
        roles.js
        services.js
        policies.js
        routeHandlers
        domain.js
        main.js
        login.js
        policy.js
        role.js
        service.js
    - eslint.json
    - config
      - zms.json
      - config.js
      - default-config.js
    - server.js
    - README.md
    - package.json
    - scripts
      - setup_dev_ui.sh
      - athenz_ui
    - index.js
- go.mod
- contributions
  - authority
    - auth0
      - src
        main
        java
        com
        yahoo
        athenz
        auth
        oauth
        auth0
        Auth0JwtParserFactory.java
        Auth0Jwt.java
        Auth0JwtParser.java
        test
        resources
        jwt_jwks.json
        java
        com
        yahoo
        athenz
        auth
        oauth
        auth0
        Auth0JwtTest.java
        Auth0JwtParserTest.java
        Auth0JwtParserFactoryTest.java
      - pom.xml
      - README.md
  - metric
    - prometheus
      - src
        main
        java
        com
        yahoo
        athenz
        common
        metrics
        impl
        prometheus
        PrometheusExporter.java
        PrometheusMetric.java
        PrometheusMetricFactory.java
        PrometheusPullServer.java
        test
        java
        com
        yahoo
        athenz
        common
        metrics
        impl
        prometheus
        PrometheusMetricFactoryTest.java
        PrometheusMetricTest.java
        PrometheusPullServerTest.java
      - pom.xml
      - README.md
      - .gitignore
      - doc
        example-main.md
        performance.md
        design-concerns.md
        assets
        jmeter
        no_ops
        summary.csv
        prometheus
        summary.csv
        metric-2000-domain
        summary.csv
        metric-no-label
        summary.csv
- athenz-checkstyle.xml
- clients
  - go
    - zms
      - zms_schema.go
      - Makefile
      - examples
        get-access
        example.md
        main.go
      - pom.xml
      - doc.go
      - client.go
      - model.go
      - README.md
      - auth.go
    - zts
      - Makefile
      - examples
        get-role-token
        example.md
        main.go
      - pom.xml
      - doc.go
      - client.go
      - model.go
      - zts_schema.go
      - README.md
  - nodejs
    - zts
      - Makefile
      - libs
        rdl-rest.js
      - Gruntfile.js
      - pom.xml
      - test
        config
        RdlMock.js
        mock.js
        IdentityMock.js
        helpers.js
        SiaProviderMock.js
        RoleTokenMock.js
        KeyStore.js
        unit
        index.js
      - eslint.json
      - config
        zts.json
        config.js
        default-config.js
      - README.md
      - package.json
      - index.js
    - zpe
      - src
        AccessCheckStatus.js
        ZPEUpdater.js
        AuthZPEClient.js
        ZPEMatch.js
        PublicKeyStore.js
      - Makefile
      - Gruntfile.js
      - pom.xml
      - test
        resources
        unit_test_private_k0.pem
        athenz.empty.conf
        athenz.conf
        pol
        athenz.test.empty.pol
        athenz.test2.empty.pol
        athenz.test.pol
        athenz.test2.pol
        athenz.empty.publickey.conf
        public_k0.pem
        config
        RdlMock.js
        mock.js
        IdentityMock.js
        helpers.js
        SiaProviderMock.js
        RoleTokenMock.js
        KeyStore.js
        unit
        AccessCheckStatus.js
        ZPEUpdater.js
        AuthZPEClient.js
        ZPEMatch.js
        index.js
        PublicKeyStore.js
      - eslint.json
      - config
        config.js
        default-config.js
      - README.md
      - package.json
      - index.js
  - java
    - zms
      - src
        main
        java
        com
        yahoo
        athenz
        zms
        ResourceError.java
        ZMSRDLGeneratedClient.java
        ZMSClient.java
        ResourceException.java
        ZMSAuthorizer.java
        ZMSClientException.java
        test
        resources
        logback.xml
        ca.pkcs12
        athenz.conf
        travis_logback.xml
        client.pkcs12
        java
        com
        yahoo
        athenz
        zms
        ZMSClientExt.java
        ZMSLoadData.java
        ResourceExceptionTest.java
        ZMSAuthorizerTest.java
        ZMSClientMockTest.java
        ZMSClientTest.java
        ZMSClientTimeoutTest.java
      - examples
        tls-support
        src
        main
        java
        com
        yahoo
        athenz
        example
        zms
        tls
        client
        ZMSTLSClient.java
        pom.xml
        README.md
      - pom.xml
      - README.md
      - scripts
        make_stubs.sh
    - zts
      - shade
        src
        main
        resources
        META-INF
        services
        athenz.shade.zts.javax.ws.rs.client.ClientBuilder
        athenz.shade.zts.org.glassfish.jersey.internal.inject.InjectionManagerFactory
        athenz.shade.zts.javax.ws.rs.ext.MessageBodyWriter
        athenz.shade.zts.javax.ws.rs.ext.MessageBodyReader
        athenz.shade.zts.com.fasterxml.jackson.core.ObjectCodec
        athenz.shade.zts.org.glassfish.jersey.internal.spi.AutoDiscoverable
        athenz.shade.zts.com.fasterxml.jackson.databind.Module
        athenz.shade.zts.com.fasterxml.jackson.core.JsonFactory
        athenz.shade.zts.javax.ws.rs.ext.RuntimeDelegate
        athenz.shade.zts.org.glassfish.hk2.extension.ServiceLocatorGenerator
        pom.xml
      - core
        src
        main
        java
        com
        yahoo
        athenz
        zts
        ZTSRDLGeneratedClient.java
        ZTSClientException.java
        AWSLambdaIdentity.java
        ResourceError.java
        ZTSClientCache.java
        ZTSClientNotificationSender.java
        ZTSClientService.java
        ResourceException.java
        ZTSClient.java
        AWSCredentialsProviderImpl.java
        ZTSClientTokenCacher.java
        ZTSClientNotification.java
        AccessTokenResponseCacheEntry.java
        AWSAttestationData.java
        test
        resources
        unit_test_private_k0.pem
        test_cert.pem
        athenz.conf
        zts-client-ehcache.xml
        META-INF
        services
        com.yahoo.athenz.zts.ZTSClientService
        test_public_k0.pem
        travis_logback.xml
        java
        com
        yahoo
        athenz
        zts
        AWSCredentialsProviderImplTest.java
        AccessTokenResponseCacheEntryTest.java
        AWSAttestationDataTest.java
        AWSLambdaIdentityTest.java
        ZTSClientTimeoutTest.java
        ZTSClientMock.java
        ZTSRDLClientMock.java
        ZTSRDLGeneratedClientMock.java
        ZTSClientServiceProvider.java
        ZTSClientTest.java
        examples
        tls-support
        src
        main
        java
        com
        yahoo
        athenz
        example
        zts
        tls
        client
        ZTSAWSCredsClient.java
        JwtsSigningKeyResolver.java
        ZTSTLSClient.java
        ZTSInstanceRegister.java
        ZTSTLSClientAccessToken.java
        logback.xml
        pom.xml
        README.md
        pom.xml
        README.md
        scripts
        make_stubs.sh
    - zpe
      - src
        main
        java
        com
        yahoo
        athenz
        zpe
        match
        impl
        ZpeMatchAll.java
        ZpeMatchRegex.java
        ZpeMatchEqual.java
        ZpeMatchStartsWith.java
        ZpeMatch.java
        ZpeUpdater.java
        ZpeUpdMonitor.java
        pkey
        PublicKeyStoreFactory.java
        file
        FilePublicKeyStore.java
        FilePublicKeyStoreFactory.java
        PublicKeyStore.java
        ZpeThreadFactory.java
        AuthZpeClient.java
        ZpeConsts.java
        ZpeMetric.java
        ZpeYcrKey.java
        ZpeClient.java
        ZpeUpdPolLoader.java
        test
        resources
        unit_test_zms_private_k0.pem
        mtls_token_mismatch.cert
        logback.xml
        zms_public_k0.pem
        sports.pol
        angler.pol
        empty.pol
        zts_public_k0.pem
        sys.auth.pol
        athenz.conf
        out.pol
        unit_test_zts_private_k99.pem
        zts_public_k99.pem
        travis_logback.xml
        zts_public_k1.pem
        unit_test_zts_private_k1.pem
        mockito-extensions
        org.mockito.plugins.MockMaker
        unit_test_zts_private_k17.pem
        pol_dir
        .keepme
        unit_test_zts_private_k0.pem
        athenz_no_0.conf
        zts_public_k17.pem
        logback_perf.xml
        mtls_token_spec.cert
        java
        com
        yahoo
        athenz
        zpe
        TestZpeYcrKey.java
        TestZpeUpdPolLoader.java
        TestZpeMatch.java
        TestZpeMetric.java
        TestAuthZpe.java
      - pom.xml
      - README.md
- rdl
  - rdl-gen-athenz-go-client
    - Makefile
    - make_generator.sh
    - pom.xml
    - main.go
    - go-util.go
  - rdl-gen-athenz-go-model
    - Makefile
    - make_generator.sh
    - pom.xml
    - goschema.go
    - main.go
    - gomodel.go
  - rdl-gen-athenz-server
    - Makefile
    - java-util.go
    - make_generator.sh
    - pom.xml
    - main.go
    - go-util.go
- docker
  - env.sh
  - sample
    - CAs
      - create-self-signed-ca.sh
    - zms
      - create-self-signed-certs.sh
    - env.dev.sh
    - zts
      - zts_cert_signer_ca.cnf
      - create-self-signed-certs.sh
    - ui
      - dev_x509_cert.cnf
    - self-sign.cnf
    - http
      - zms.http
    - domain-admin
      - create-self-signed-user-cert.sh
    - oauth
      - config.cnf
  - Makefile
  - db
    - zms
      - zms-db.cnf
      - Dockerfile
    - zts
      - zts-db.cnf
      - Dockerfile
  - zms
    - Dockerfile
    - conf
      - logback.xml
      - zms.properties
      - athenz.properties
      - authorized_services.json
      - authorized_client_ids.txt
      - solution_templates.json
  - zts
    - Dockerfile
    - conf
      - logback.xml
      - athenz.properties
      - zts.properties
      - authorized_client_ids.txt
  - ui
    - Dockerfile
  - util
    - athenz-builder
      - Dockerfile
    - rdl-athenz-server
      - Dockerfile
    - athenz-conf
      - Dockerfile
    - athenz-mvn-base
      - Dockerfile
    - Dockerfile
  - setup-scripts
    - zms-auto-config.sh
    - self-signed-certificates.sh
    - common
      - color-print.sh
    - zts-auto-config.sh
    - Dockerfile
    - .gitignore
  - README.md
  - deploy-scripts
    - acceptance-test.sh
    - common
      - wait-for-mysql
        wait-for-mysql.sh
    - zms-verify.sh
    - zts-deploy.sh
    - zts-verify.sh
    - zms-debug.sh
    - zms-deploy.sh
    - zts-debug.sh
    - acceptance-test-reset.sh
  - .gitignore
  - docs
    - using-public-OAuth2-IdP.md
    - acceptance-test.md
    - images
      - README.md
    - zts-setup.md
    - try-out-Athenz-with-self-signed-CA.md
    - cast
      - README.md
      - athenz-bootstrap-demo.cast
      - athenz-acceptance-test-demo.cast
      - bootstrap-demo-welcome-script.sh
    - Athenz-bootstrap.md
    - IdP
      - Auth0.md
    - zms-setup.md
  - .dockerignore
- .travis.yml
- README.md
- assembly
  - utils
    - utils.xml
    - pom.xml
  - zms
    - zms.xml
    - pom.xml
  - zts
    - pom.xml
    - zts.xml
  - ui
    - ui.xml
    - pom.xml
  - zpu
    - pom.xml
    - zpu.xml
- core
  - zms
    - src
      - main
        rdl
        Tenancy.rdli
        Access.rdli
        Policy.rdli
        Domain.rdli
        ServiceIdentity.tdl
        Names.tdl
        SignedDomains.rdli
        Role.rdli
        Role.tdl
        DomainRoleMembership.tdl
        DomainRoleMembership.rdli
        Policy.tdl
        Domain.tdl
        Status.rdli
        Quota.rdli
        Template.rdli
        Entity.rdli
        Template.tdl
        DomainDataCheck.rdli
        Entity.tdl
        User.rdli
        ServiceIdentity.rdli
        Token.rdli
        ZMS.rdl
        java
        com
        yahoo
        athenz
        zms
        DomainList.java
        DomainData.java
        AssertionEffect.java
        DomainTemplateList.java
        TemplateMetaData.java
        Domain.java
        ResourceAccess.java
        SignedDomains.java
        RoleMember.java
        DanglingPolicy.java
        TopLevelDomain.java
        UserDomain.java
        DomainRoleMembers.java
        Quota.java
        ResourceAccessList.java
        Access.java
        JWSDomain.java
        DomainPolicies.java
        SubDomain.java
        TenantRoleAction.java
        UserList.java
        Policy.java
        RoleSystemMeta.java
        SignedDomain.java
        Template.java
        PolicyList.java
        ServicePrincipal.java
        Entity.java
        DomainTemplate.java
        PublicKeyEntry.java
        Assertion.java
        UserToken.java
        ServiceIdentitySystemMeta.java
        EntityList.java
        RoleMeta.java
        Role.java
        DomainRoleMembership.java
        TemplateList.java
        ZMSSchema.java
        MemberRole.java
        DomainMetaList.java
        Roles.java
        Membership.java
        RoleList.java
        Tenancy.java
        DomainTemplateDetailsList.java
        Status.java
        TenantResourceGroupRoles.java
        RoleAuditLog.java
        ServiceIdentityList.java
        DomainRoleMember.java
        DomainMeta.java
        ServiceIdentities.java
        DefaultAdmins.java
        User.java
        ProviderResourceGroupRoles.java
        Policies.java
        ServiceIdentity.java
        SignedPolicies.java
        DomainDataCheck.java
        ServerTemplateList.java
        TemplateParam.java
      - test
        java
        com
        yahoo
        athenz
        zms
        ZMSCoreTest.java
    - pom.xml
    - README.md
    - scripts
      - make_stubs.sh
  - zts
    - src
      - main
        rdl
        Tenancy.rdli
        Access.rdli
        RoleCert.rdli
        Names.tdl
        OSTKAuth.rdli
        ZTS.rdl
        DomainMetrics.rdli
        Instance.rdli
        Identity.tdl
        Policy.tdl
        SignedPolicies.rdli
        Status.rdli
        Identity.rdli
        OAauth.rdli
        InstanceProvider.rdl
        SSHCert.rdli
        AWSAuth.rdli
        InstanceProvider.rdli
        ServiceIdentity.rdli
        Token.rdli
        java
        com
        yahoo
        athenz
        zts
        ZTSSchema.java
        Identity.java
        AssertionEffect.java
        RoleCertificate.java
        ResourceAccess.java
        DomainMetric.java
        CertificateAuthorityBundle.java
        SignedPolicyData.java
        InstanceRefreshInformation.java
        TenantDomains.java
        JWK.java
        SSHCertRequestData.java
        Access.java
        SSHCertRequest.java
        Policy.java
        InstanceIdentity.java
        SSHCertificate.java
        DomainMetricType.java
        PublicKeyEntry.java
        Assertion.java
        RoleAccess.java
        CertType.java
        InstanceRefreshRequest.java
        Status.java
        RoleCertificateRequest.java
        OSTKInstanceRefreshRequest.java
        PolicyData.java
        JWKList.java
        ServiceIdentityList.java
        InstanceRegisterInformation.java
        SSHCertRequestMeta.java
        AccessTokenResponse.java
        DomainSignedPolicyData.java
        DomainMetrics.java
        AWSTemporaryCredentials.java
        RoleToken.java
        ServiceIdentity.java
        SSHCertificates.java
        HostServices.java
      - test
        java
        com
        yahoo
        athenz
        zts
        CertificateAuthorityBundleTest.java
        CertTypeTest.java
        IdentityTest.java
        DomainMetricTest.java
        InstanceIdentityTest.java
        ServiceIdentityListTest.java
        RoleCertificateTest.java
        RoleAccessTest.java
        AWSTemporaryCredentialsTest.java
        ResourceAccessTest.java
        DomainSignedPolicyDataTest.java
        AccessTokenResponseTest.java
        StatusTest.java
        RoleTokenTest.java
        ZTSCoreTest.java
        TenantDomainsTest.java
        InstanceRefreshInformationTest.java
        AssertionEffectTest.java
        ServiceIdentityTest.java
        SSHCertificateTest.java
        RoleCertificateRequestTest.java
        JWKListTest.java
        JWKTest.java
        HostServicesTest.java
        AccessTest.java
        InstanceRegisterInformationTest.java
        InstanceRefreshRequestTest.java
    - pom.xml
    - README.md
    - scripts
      - make_stubs.sh
- .gitignore
- docs
  - dev_decentralized_access.md
  - code_of_conduct.md
  - extra.css
  - copper_argos.md
  - example_go_centralized_access.md
  - member_soft_expiration.md
  - aws_zms_setup.md
  - setup_zts_prod.md
  - member_expiration.md
  - data_model.md
  - setup_zms.md
  - images
    - athenz-logo-stack.svg
    - athenz-logo-line.svg
  - role_cert_expiration.md
  - auth_flow.md
  - cert_signer.md
  - example_java_centralized_access.md
  - index.md
  - self_serve_roles.md
  - aws_ui_setup.md
  - token_expiration.md
  - contributing.md
  - aws_athenz_setup.md
  - principal_authentication.md
  - zms_client.md
  - dev_centralized_access.md
  - zts_api.md
  - zpu_policy_file.md
  - review_enabled_roles.md
  - example_service_athenz_setup.md
  - reg_service_guide.md
  - private_key_store.md
  - aws_zts_setup.md
  - dev_environment.md
  - setup_ui_prod.md
  - setup_zpu.md
  - role_delegation.md
  - email_notifications.md
  - service_authentication.md
  - setup_ui.md
  - example_java_decentralized_access.md
  - setup_zts.md
  - setup_zms_prod.md
  - system_view.md
  - zms_api.md
  - copper_argos_dev.md
- aws-setup
  - ui-setup
    - build
      - service
        ui.service
      - bin
        ui.sh
        get_certs.sh
        athenz_conf.sh
        aws_config.sh
      - conf
        awslogs.conf
        ui-user
    - packer
      - scripts
        setup.sh
      - aws
        packer.json
    - cloud-formation
      - athenz-ui-aws-roles-setup.yaml
      - athenz-ui-aws-resource-setup.yaml
      - athenz-ui-aws-instance-deployment.yaml
  - athenz-conf-aws
    - Makefile
    - pom.xml
    - athenz-conf-aws.go
  - zms-setup
    - build
      - service
        zms.service
      - bin
        aws_init.sh
        zms.sh
        initialize_zms.sh
        aws_java_truststore_gen.sh
        aws_config.sh
        aws_zms_keystore_gen.sh
        add_user.sh
        aws_zms_truststore_gen.sh
      - conf
        awslogs.conf
        logback.xml
        zms.properties
        athenz.properties
        zms-user
    - packer
      - scripts
        setup.sh
      - aws
        packer.json
    - cloud-formation
      - athens-zms-aws-resource-setup.yaml
      - athenz-zms-aws-rds-setup.yaml
      - athenz-zms-aws-instance-deployment.yaml
      - athens-zms-aws-roles-setup.yaml
  - zts-setup
    - build
      - service
        zts.service
      - bin
        aws_zts_keystore_gen.sh
        athenz_conf.sh
        aws_init.sh
        zts.sh
        aws_java_truststore_gen.sh
        aws_zts_truststore_gen.sh
        aws_config.sh
        initialize_zts.sh
      - conf
        awslogs.conf
        logback.xml
        athenz.properties
        zts.properties
        zts-user
        aws_public.crt
    - packer
      - scripts
        setup.sh
      - aws
        packer.json
    - cloud-formation
      - athens-zts-aws-instance-deployment.yaml
      - athens-zts-aws-resource-setup.yaml
      - athens-zts-aws-rds-setup.yaml
      - athens-zts-aws-roles-setup.yaml
  - cloud-formation
    - packer_vpc.yaml

/*
 * Copyright 2019 Oath Holdings Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package com.yahoo.athenz.zts.cert;

import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.cert.X509Certificate;
import java.util.*;

import static org.testng.Assert.*;

import com.yahoo.athenz.common.server.dns.HostnameResolver;
import com.yahoo.athenz.zts.CertType;
import com.yahoo.athenz.zts.cache.DataCache;
import com.yahoo.athenz.zts.cert.impl.TestHostnameResolver;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.mockito.Mockito;
import org.testng.annotations.Test;

import com.yahoo.athenz.auth.util.Crypto;
import com.yahoo.athenz.auth.util.CryptoException;

public class X509CertRequestTest {

    @Test
    public void testConstructorValidCsr() throws IOException {
        
        Path path = Paths.get("src/test/resources/valid_email.csr");
        String csr = new String(Files.readAllBytes(path));

        X509CertRequest certReq = new X509CertRequest(csr);
        assertNotNull(certReq);
    }
    
    @Test
    public void testConstructorInvalidCsr() {

        X509CertRequest certReq = null;
        try {
            certReq = new X509CertRequest("csr");
            fail();
        } catch (CryptoException ignored) {
        }
        assertNull(certReq);
    }
    
    @Test
    public void testParseCertRequest() throws IOException {
        Path path = Paths.get("src/test/resources/athenz.instanceid.csr");
        String csr = new String(Files.readAllBytes(path));
        
        X509CertRequest certReq = new X509CertRequest(csr);
        assertNotNull(certReq);

        StringBuilder errorMsg = new StringBuilder(256);
        assertTrue(certReq.parseCertRequest(errorMsg));
    }
    
    @Test
    public void testParseCertRequestIPs() throws IOException {
        Path path = Paths.get("src/test/resources/multiple_ips.csr");
        String csr = new String(Files.readAllBytes(path));
        
        X509CertRequest certReq = new X509CertRequest(csr);
        assertNotNull(certReq);

        StringBuilder errorMsg = new StringBuilder(256);
        assertTrue(certReq.parseCertRequest(errorMsg));
        
        List<String> values = certReq.getDnsNames();
        assertEquals(values.size(), 2);
        assertTrue(values.contains("production.athenz.ostk.athenz.cloud"));
        assertTrue(values.contains("1001.instanceid.athenz.ostk.athenz.cloud"));
        
        values = certReq.getIpAddresses();
        assertEquals(values.size(), 2);
        assertTrue(values.contains("10.11.12.13"));
        assertTrue(values.contains("10.11.12.14"));
    }
    
    @Test
    public void testParseCertRequestInvalid() throws IOException {
        Path path = Paths.get("src/test/resources/invalid_dns.csr");
        String csr = new String(Files.readAllBytes(path));
        
        StringBuilder errorMsg = new StringBuilder(256);
        X509CertRequest certReq = new X509CertRequest(csr);
        assertNotNull(certReq);
        assertFalse(certReq.parseCertRequest(errorMsg));
    }
    
    @Test
    public void testValidateCommonName() throws IOException {
        Path path = Paths.get("src/test/resources/athenz.instanceid.csr");
        String csr = new String(Files.readAllBytes(path));
        
        StringBuilder errorMsg = new StringBuilder(256);
        X509CertRequest certReq = new X509CertRequest(csr);
        assertNotNull(certReq);
        certReq.parseCertRequest(errorMsg);

        assertTrue(certReq.validateCommonName("athenz.production"));
        assertEquals(certReq.getCommonName(), "athenz.production");
        
        assertFalse(certReq.validateCommonName("sys.production"));
        assertFalse(certReq.validateCommonName("athenz.storage"));
    }
    
    @Test
    public void testInstanceId() throws IOException {
        Path path = Paths.get("src/test/resources/athenz.instanceid.csr");
        String csr = new String(Files.readAllBytes(path));
        
        StringBuilder errorMsg = new StringBuilder(256);
        X509CertRequest certReq = new X509CertRequest(csr);
        assertNotNull(certReq);
        certReq.parseCertRequest(errorMsg);

        assertEquals(certReq.getInstanceId(), "1001");
    }

    @Test
    public void testValidateDnsNamesWithCert() throws IOException {
        
        Path path = Paths.get("src/test/resources/athenz.instanceid.csr");
        String csr = new String(Files.readAllBytes(path));
        
        StringBuilder errorMsg = new StringBuilder(256);
        X509CertRequest certReq = new X509CertRequest(csr);
        assertNotNull(certReq);
        certReq.parseCertRequest(errorMsg);
        
        path = Paths.get("src/test/resources/athenz.instanceid.pem");
        String pem = new String(Files.readAllBytes(path));
        X509Certificate cert = Crypto.loadX509Certificate(pem);
        
        assertTrue(certReq.validateDnsNames(cert));
    }

    @Test
    public void testValidateDnsNamesWithValues() throws IOException {

        Path path = Paths.get("src/test/resources/athenz.instanceid.csr");
        String csr = new String(Files.readAllBytes(path));

        StringBuilder errorMsg = new StringBuilder(256);
        X509CertRequest certReq = new X509CertRequest(csr);
        assertNotNull(certReq);
        certReq.parseCertRequest(errorMsg);

        List<String> providerDnsSuffixList = new ArrayList<>();

        // for the first test we're going to return null
        // and the list for all subsequent tests

        DataCache athenzSysDomainCache = Mockito.mock(DataCache.class);
        Mockito.when(athenzSysDomainCache.getProviderDnsSuffixList("provider"))
                .thenReturn(null)
                .thenReturn(providerDnsSuffixList);

        List<String> providerHostnameAllowedSuffixList = Collections.singletonList("athenz.cloud");
        Mockito.when(athenzSysDomainCache.getProviderHostnameAllowedSuffixList("provider"))
                .thenReturn(providerHostnameAllowedSuffixList);
        Mockito.when(athenzSysDomainCache.getProviderHostnameDeniedSuffixList("provider"))
                .thenReturn(null);

        assertTrue(certReq.validateDnsNames("athenz", "production", "provider", athenzSysDomainCache,
                "ostk.athenz.cloud", null, null, null));

        // empty provider suffix list

        assertTrue(certReq.validateDnsNames("athenz", "production", "provider", athenzSysDomainCache,
                "ostk.athenz.cloud", null, null, null));

        // provider suffix list with no match

        providerDnsSuffixList.add("ostk.myathenz.cloud");
        assertTrue(certReq.validateDnsNames("athenz", "production", "provider", athenzSysDomainCache,
                "ostk.athenz.cloud", null, null, null));

        // no match if service list does not match

        assertFalse(certReq.validateDnsNames("athenz", "production", "provider", athenzSysDomainCache,
                "ostk.athenz2.cloud", null, null, null));

        // add the same domain to the provider suffix list

        providerDnsSuffixList.add("ostk.athenz.cloud");
        assertTrue(certReq.validateDnsNames("athenz", "production", "provider", athenzSysDomainCache,
                "ostk.athenz2.cloud", null, null, null));
        assertTrue(certReq.validateDnsNames("athenz", "production", "provider", athenzSysDomainCache,
                "ostk.athenz.cloud", null, null, null));
        assertTrue(certReq.validateDnsNames("athenz", "production", "provider", athenzSysDomainCache,
                "", null, null, null));
        assertTrue(certReq.validateDnsNames("athenz", "production", "provider", athenzSysDomainCache,
                null, null, null, null));
    }

    @Test
    public void testValidateDnsNamesWithCnameValues() throws IOException {

        Path path = Paths.get("src/test/resources/athenz.instanceid.cname.csr");
        String csr = new String(Files.readAllBytes(path));

        StringBuilder errorMsg = new StringBuilder(256);
        X509CertRequest certReq = new X509CertRequest(csr);
        assertNotNull(certReq);
        certReq.parseCertRequest(errorMsg);

        DataCache athenzSysDomainCache = Mockito.mock(DataCache.class);
        Mockito.when(athenzSysDomainCache.getProviderDnsSuffixList("provider"))
                .thenReturn(Collections.singletonList("ostk.athenz.cloud"));

        List<String> allowedSuffixList = new ArrayList<>();
        allowedSuffixList.add("athenz.info");
        allowedSuffixList.add("athenz.cloud");
        Mockito.when(athenzSysDomainCache.getProviderHostnameAllowedSuffixList("provider"))
                .thenReturn(allowedSuffixList);
        Mockito.when(athenzSysDomainCache.getProviderHostnameDeniedSuffixList("provider"))
                .thenReturn(null);

        List<String> cnameList = new ArrayList<>();
        cnameList.add("cname1.athenz.info");
        cnameList.add("cname2.athenz.info");
        HostnameResolver resolver = Mockito.mock(HostnameResolver.class);
        Mockito.when(resolver.isValidHostCnameList("host1.athenz.cloud", cnameList, CertType.X509))
                .thenReturn(false)
                .thenReturn(true);
        Mockito.when(resolver.isValidHostname("host1.athenz.cloud")).thenReturn(true);

        // first call we're going to get failure

        assertFalse(certReq.validateDnsNames("athenz", "production", "provider", athenzSysDomainCache,
                "ostk.athenz.cloud", "host1.athenz.cloud", cnameList, resolver));

        // second call is success

        assertTrue(certReq.validateDnsNames("athenz", "production", "provider", athenzSysDomainCache,
                "ostk.athenz.cloud", "host1.athenz.cloud", cnameList, resolver));
    }

    @Test
    public void testValidateDnsNamesWithCnameValuesWithSameSuffix() throws IOException {

        Path path = Paths.get("src/test/resources/athenz.instanceid.cname.suffix.csr");
        String csr = new String(Files.readAllBytes(path));

        StringBuilder errorMsg = new StringBuilder(256);
        X509CertRequest certReq = new X509CertRequest(csr);
        assertNotNull(certReq);
        certReq.parseCertRequest(errorMsg);

        DataCache athenzSysDomainCache = Mockito.mock(DataCache.class);
        Mockito.when(athenzSysDomainCache.getProviderDnsSuffixList("provider"))
                .thenReturn(Collections.singletonList("ostk.athenz.cloud"));

        List<String> allowedSuffixList = new ArrayList<>();
        allowedSuffixList.add("athenz.info");
        allowedSuffixList.add("athenz.cloud");
        Mockito.when(athenzSysDomainCache.getProviderHostnameAllowedSuffixList("provider"))
                .thenReturn(allowedSuffixList);
        Mockito.when(athenzSysDomainCache.getProviderHostnameDeniedSuffixList("provider"))
                .thenReturn(null);

        List<String> cnameList = new ArrayList<>();
        cnameList.add("cname1.ostk.athenz.cloud");
        cnameList.add("cname2.athenz.info");
        HostnameResolver resolver = Mockito.mock(HostnameResolver.class);
        Mockito.when(resolver.isValidHostCnameList("host1.athenz.cloud", cnameList, CertType.X509))
                .thenReturn(true);
        Mockito.when(resolver.isValidHostname("host1.athenz.cloud")).thenReturn(true);

        assertTrue(certReq.validateDnsNames("athenz", "production", "provider", athenzSysDomainCache,
                "ostk.athenz.cloud", "host1.athenz.cloud", cnameList, resolver));
    }

    @Test
    public void testValidateDnsNamesWithMultipleDomainValues() throws IOException {

        Path path = Paths.get("src/test/resources/multi_dns_domain.csr");
        String csr = new String(Files.readAllBytes(path));

        StringBuilder errorMsg = new StringBuilder(256);
        X509CertRequest certReq = new X509CertRequest(csr);
        assertNotNull(certReq);
        certReq.parseCertRequest(errorMsg);

        List<String> providerDnsSuffixList = new ArrayList<>();

        // for the first test we're going to return null
        // and the list for all subsequent tests

        DataCache athenzSysDomainCache = Mockito.mock(DataCache.class);
        Mockito.when(athenzSysDomainCache.getProviderDnsSuffixList("provider"))
                .thenReturn(null)
                .thenReturn(providerDnsSuffixList);

        // only one domain will not match

        assertFalse(certReq.validateDnsNames("athenz", "api", "provider", athenzSysDomainCache,
                "ostk.athenz.info", null, null, null));

        // only provider suffix list will not match

        providerDnsSuffixList.add("ostk.athenz.cloud");
        assertFalse(certReq.validateDnsNames("athenz", "api", "provider", athenzSysDomainCache,
                null, null, null, null));

        // specifying both values match

        assertTrue(certReq.validateDnsNames("athenz", "api", "provider", athenzSysDomainCache,
                "ostk.athenz.info", null, null, null));

        // tests with hostname field

        assertFalse(certReq.validateDnsNames("athenz", "api", "provider", athenzSysDomainCache,
                "zts.athenz.info", null, null, null));
        assertFalse(certReq.validateDnsNames("athenz", "api", "provider", athenzSysDomainCache,
                "zts.athenz.info", "host1.athenz.info", null, null));
        assertFalse(certReq.validateDnsNames("athenz", "api", "provider", athenzSysDomainCache,
                "zts.athenz.info", "athenz.ostk.athenz.info", null, null));

        List<String> providerHostnameAllowedSuffixList = new ArrayList<>();
        providerHostnameAllowedSuffixList.add(".ostk.athenz.info");
        Mockito.when(athenzSysDomainCache.getProviderHostnameAllowedSuffixList("provider"))
                .thenReturn(providerHostnameAllowedSuffixList);

        assertTrue(certReq.validateDnsNames("athenz", "api", "provider", athenzSysDomainCache,
                "zts.athenz.info", "api.athenz.ostk.athenz.info", null, null));

        // now specify a resolver for the hostname check

        HostnameResolver resolver = new TestHostnameResolver();
        assertFalse(certReq.validateDnsNames("athenz", "api", "provider", athenzSysDomainCache,
                "zts.athenz.info", "api.athenz.ostk.athenz.info", null, resolver));

        // include resolver with invalid hostname

        ((TestHostnameResolver) resolver).addValidHostname("api1.athenz.ostk.athenz.info");
        assertFalse(certReq.validateDnsNames("athenz", "api", "provider", athenzSysDomainCache,
                "zts.athenz.info", "api.athenz.ostk.athenz.info", null, resolver));

        // now add the hostname to the list

        ((TestHostnameResolver) resolver).addValidHostname("api.athenz.ostk.athenz.info");
        assertTrue(certReq.validateDnsNames("athenz", "api", "provider", athenzSysDomainCache,
                "zts.athenz.info", "api.athenz.ostk.athenz.info", null, resolver));
    }

    @Test
    public void testValidateDnsNamesHostnameNullLists() throws IOException {

        Path path = Paths.get("src/test/resources/multi_dns_domain.csr");
        String csr = new String(Files.readAllBytes(path));

        StringBuilder errorMsg = new StringBuilder(256);
        X509CertRequest certReq = new X509CertRequest(csr);
        assertNotNull(certReq);
        certReq.parseCertRequest(errorMsg);

        List<String> providerDnsSuffixList = new ArrayList<>();
        providerDnsSuffixList.add("ostk.athenz.cloud");

        DataCache athenzSysDomainCache = Mockito.mock(DataCache.class);
        Mockito.when(athenzSysDomainCache.getProviderDnsSuffixList("provider"))
                .thenReturn(providerDnsSuffixList);

        // both of our lists are null

        Mockito.when(athenzSysDomainCache.getProviderHostnameAllowedSuffixList("provider"))
                .thenReturn(null);
        Mockito.when(athenzSysDomainCache.getProviderHostnameDeniedSuffixList("provider"))
                .thenReturn(null);

        // we should get false since we're not allowed

        assertFalse(certReq.validateDnsNames("athenz", "api", "provider", athenzSysDomainCache,
                "zts.athenz.info", "api.athenz.ostk.athenz.info", null, null));
    }

    @Test
    public void testValidateDnsNamesHostnameNotAllowed() throws IOException {

        Path path = Paths.get("src/test/resources/multi_dns_domain.csr");
        String csr = new String(Files.readAllBytes(path));

        StringBuilder errorMsg = new StringBuilder(256);
        X509CertRequest certReq = new X509CertRequest(csr);
        assertNotNull(certReq);
        certReq.parseCertRequest(errorMsg);

        List<String> providerDnsSuffixList = new ArrayList<>();
        providerDnsSuffixList.add("ostk.athenz.cloud");

        DataCache athenzSysDomainCache = Mockito.mock(DataCache.class);
        Mockito.when(athenzSysDomainCache.getProviderDnsSuffixList("provider"))
                .thenReturn(providerDnsSuffixList);

        // first we're going to allow a suffix that does not match
        // to our list

        List<String> providerHostnameAllowedSuffixList = new ArrayList<>();
        providerHostnameAllowedSuffixList.add(".ostk.athenz.data");
        Mockito.when(athenzSysDomainCache.getProviderHostnameAllowedSuffixList("provider"))
                .thenReturn(providerHostnameAllowedSuffixList);

        assertFalse(certReq.validateDnsNames("athenz", "api", "provider", athenzSysDomainCache,
                "zts.athenz.info", "api.athenz.ostk.athenz.info", null, null));

        // next we're going to add the suffix that matches so we'll get
        // successful response

        providerHostnameAllowedSuffixList.add(".ostk.athenz.info");
        assertTrue(certReq.validateDnsNames("athenz", "api", "provider", athenzSysDomainCache,
                "zts.athenz.info", "api.athenz.ostk.athenz.info", null, null));

        // now we're going to return a denied list but first a value that
        // does not match our hostname

        List<String> providerHostnameDeniedSuffixList = new ArrayList<>();
        providerHostnameDeniedSuffixList.add(".ostk.athenz.data");
        Mockito.when(athenzSysDomainCache.getProviderHostnameDeniedSuffixList("provider"))
                .thenReturn(providerHostnameDeniedSuffixList);

        // since there is no match in our denied list we're going to get
        // a still successful response

        assertTrue(certReq.validateDnsNames("athenz", "api", "provider", athenzSysDomainCache,
                "zts.athenz.info", "api.athenz.ostk.athenz.info", null, null));

        // now we're going to add the suffix to the list and make sure the
        // request is denied

        providerHostnameDeniedSuffixList.add(".ostk.athenz.info");
        assertFalse(certReq.validateDnsNames("athenz", "api", "provider", athenzSysDomainCache,
                "zts.athenz.info", "api.athenz.ostk.athenz.info", null, null));
    }

    @Test
    public void testValidateProviderDnsNamesList() throws IOException {

        Path path = Paths.get("src/test/resources/multi_dns_domain.csr");
        String csr = new String(Files.readAllBytes(path));

        StringBuilder errorMsg = new StringBuilder(256);
        X509CertRequest certReq = new X509CertRequest(csr);
        assertNotNull(certReq);
        certReq.parseCertRequest(errorMsg);

        // now add the hostname to the list

        List<String> providerDnsSuffixList = new ArrayList<>();
        providerDnsSuffixList.add("ostk.athenz.cloud");

        DataCache athenzSysDomainCache = Mockito.mock(DataCache.class);
        Mockito.when(athenzSysDomainCache.getProviderDnsSuffixList("provider"))
                .thenReturn(providerDnsSuffixList);

        List<String> providerHostnameAllowedSuffixList = new ArrayList<>();
        providerHostnameAllowedSuffixList.add(".ostk.athenz.info");
        Mockito.when(athenzSysDomainCache.getProviderHostnameAllowedSuffixList("provider"))
                .thenReturn(providerHostnameAllowedSuffixList);

        assertTrue(certReq.validateDnsNames("athenz", "api", "provider", athenzSysDomainCache, "zts.athenz.info",
                "api.athenz.ostk.athenz.info", null, null));

        List<String> dnsNames = certReq.getProviderDnsNames();
        assertEquals(dnsNames.size(), 2);
        assertTrue(dnsNames.contains("api.athenz.ostk.athenz.info"));
        assertTrue(dnsNames.contains("production.athenz.ostk.athenz.cloud"));
    }

    @Test
    public void testValidateProviderDnsNamesListWithWildcard() throws IOException {

        Path path = Paths.get("src/test/resources/multi_dns_domain_wildcard.csr");
        String csr = new String(Files.readAllBytes(path));

        StringBuilder errorMsg = new StringBuilder(256);
        X509CertRequest certReq = new X509CertRequest(csr);
        assertNotNull(certReq);
        certReq.parseCertRequest(errorMsg);

        // now add the hostname to the list

        List<String> providerDnsSuffixList = new ArrayList<>();
        providerDnsSuffixList.add("ostk.athenz.cloud");

        DataCache athenzSysDomainCache = Mockito.mock(DataCache.class);
        Mockito.when(athenzSysDomainCache.getProviderDnsSuffixList("provider"))
                .thenReturn(providerDnsSuffixList);

        assertTrue(certReq.validateDnsNames("athenz", "api", "provider", athenzSysDomainCache, null,
                null, null, null));

        // we should automatically skip the *.api.athenz
        // dns name from provider dns name review list

        List<String> dnsNames = certReq.getProviderDnsNames();
        assertEquals(dnsNames.size(), 2);
        assertTrue(dnsNames.contains("api.athenz.ostk.athenz.cloud"));
        assertTrue(dnsNames.contains("uuid.instanceid.athenz.ostk.athenz.cloud"));
    }

    @Test
    public void testValidateProviderDnsNamesListWithWildcardMismatch() throws IOException {

        Path path = Paths.get("src/test/resources/multi_dns_domain_wildcard_mismatch.csr");
        String csr = new String(Files.readAllBytes(path));

        StringBuilder errorMsg = new StringBuilder(256);
        X509CertRequest certReq = new X509CertRequest(csr);
        assertNotNull(certReq);
        certReq.parseCertRequest(errorMsg);

        // now add the hostname to the list

        List<String> providerDnsSuffixList = new ArrayList<>();
        providerDnsSuffixList.add("ostk.athenz.cloud");

        DataCache athenzSysDomainCache = Mockito.mock(DataCache.class);
        Mockito.when(athenzSysDomainCache.getProviderDnsSuffixList("provider"))
                .thenReturn(providerDnsSuffixList);

        assertTrue(certReq.validateDnsNames("athenz.prod", "api", "provider", athenzSysDomainCache,
                null, null, null, null));

        // we should automatically skip the *.api.athenz
        // however it doesn't match the prefix so we're going
        // to keep it here and require the provider to verify it

        List<String> dnsNames = certReq.getProviderDnsNames();
        assertEquals(dnsNames.size(), 3);
        assertTrue(dnsNames.contains("api.athenz-prod.ostk.athenz.cloud"));
        assertTrue(dnsNames.contains("*.api.athenz.ostk.athenz.cloud"));
        assertTrue(dnsNames.contains("uuid.instanceid.athenz.ostk.athenz.cloud"));
    }

    @Test
    public void testValidateDnsNamesNoValues() throws IOException {

        Path path = Paths.get("src/test/resources/valid_cn_only.csr");
        String csr = new String(Files.readAllBytes(path));

        StringBuilder errorMsg = new StringBuilder(256);
        X509CertRequest certReq = new X509CertRequest(csr);
        assertNotNull(certReq);
        certReq.parseCertRequest(errorMsg);

        DataCache athenzSysDomainCache = Mockito.mock(DataCache.class);
        Mockito.when(athenzSysDomainCache.getProviderDnsSuffixList("provider"))
                .thenReturn(null);

        assertTrue(certReq.validateDnsNames("domain", "service1", "provider", athenzSysDomainCache,
                null, null, null, null));
    }

    @Test
    public void testValidateDnsNamesMismatchSize() throws IOException {
        
        Path path = Paths.get("src/test/resources/athenz.instanceid.csr");
        String csr = new String(Files.readAllBytes(path));
        
        X509CertRequest certReq = new X509CertRequest(csr);
        assertNotNull(certReq);

        path = Paths.get("src/test/resources/valid_cn_x509.cert");
        String pem = new String(Files.readAllBytes(path));
        X509Certificate cert = Crypto.loadX509Certificate(pem);
        
        assertFalse(certReq.validateDnsNames(cert));
    }
    
    @Test
    public void testValidateDnsNamesMismatchValues() throws IOException {
        
        Path path = Paths.get("src/test/resources/athenz.mismatch.dns.csr");
        String csr = new String(Files.readAllBytes(path));
        
        X509CertRequest certReq = new X509CertRequest(csr);
        assertNotNull(certReq);

        path = Paths.get("src/test/resources/athenz.instanceid.pem");
        String pem = new String(Files.readAllBytes(path));
        X509Certificate cert = Crypto.loadX509Certificate(pem);
        
        assertFalse(certReq.validateDnsNames(cert));
    }
    
    @Test
    public void testValidatePublicKeysCert() throws IOException {
        
        Path path = Paths.get("src/test/resources/valid_provider_refresh.csr");
        String csr = new String(Files.readAllBytes(path));
        
        X509CertRequest certReq = new X509CertRequest(csr);
        assertNotNull(certReq);
        
        path = Paths.get("src/test/resources/valid_provider_refresh.pem");
        String pem = new String(Files.readAllBytes(path));
        X509Certificate cert = Crypto.loadX509Certificate(pem);
        
        assertTrue(certReq.validatePublicKeys(cert));
    }
    
    @Test
    public void testValidatePublicKeysCertFailure() throws IOException {
        
        Path path = Paths.get("src/test/resources/valid_provider_refresh.csr");
        String csr = new String(Files.readAllBytes(path));
        
        X509CertRequest certReq = new X509CertRequest(csr);
        assertNotNull(certReq);

        X509Certificate cert = Mockito.mock(X509Certificate.class);
        Mockito.when(cert.getPublicKey()).thenReturn(null);
        
        assertFalse(certReq.validatePublicKeys(cert));
    }
    
    @Test
    public void testValidatePublicKeysCertCSRFailure() throws IOException {
        
        Path path = Paths.get("src/test/resources/valid_provider_refresh.csr");
        String csr = new String(Files.readAllBytes(path));
        
        X509CertRequest certReq = new X509CertRequest(csr);
        assertNotNull(certReq);
        
        PKCS10CertificationRequest req = Mockito.mock(PKCS10CertificationRequest.class);
        Mockito.when(req.getSubjectPublicKeyInfo()).thenReturn(null);
        certReq.setCertReq(req);

        path = Paths.get("src/test/resources/valid_provider_refresh.pem");
        String pem = new String(Files.readAllBytes(path));
        X509Certificate cert = Crypto.loadX509Certificate(pem);
        
        assertFalse(certReq.validatePublicKeys(cert));
    }
    
    @Test
    public void testValidatePublicKeysCertMismatch() throws IOException {
        
        Path path = Paths.get("src/test/resources/athenz.mismatch.dns.csr");
        String csr = new String(Files.readAllBytes(path));
        
        X509CertRequest certReq = new X509CertRequest(csr);
        assertNotNull(certReq);
        
        path = Paths.get("src/test/resources/athenz.instanceid.pem");
        String pem = new String(Files.readAllBytes(path));
        X509Certificate cert = Crypto.loadX509Certificate(pem);
        
        assertFalse(certReq.validatePublicKeys(cert));
    }
    
    @Test
    public void testValidatePublicKeysNull() throws IOException {
        
        Path path = Paths.get("src/test/resources/athenz.instanceid.csr");
        String csr = new String(Files.readAllBytes(path));
        
        X509CertRequest certReq = new X509CertRequest(csr);
        assertNotNull(certReq);
        
        assertFalse(certReq.validatePublicKeys((String) null));
    }
    
    @Test
    public void testValidatePublicKeysFailure() throws IOException {
        
        Path path = Paths.get("src/test/resources/athenz.instanceid.csr");
        String csr = new String(Files.readAllBytes(path));
        
        X509CertRequest certReq = new X509CertRequest(csr);
        assertNotNull(certReq);
        
        PKCS10CertificationRequest req = Mockito.mock(PKCS10CertificationRequest.class);
        Mockito.when(req.getSubjectPublicKeyInfo()).thenReturn(null);
        certReq.setCertReq(req);
        
        assertFalse(certReq.validatePublicKeys("publickey"));
    }
    
    @Test
    public void testValidatePublicKeysString() throws IOException {
        
        Path path = Paths.get("src/test/resources/valid.csr");
        String csr = new String(Files.readAllBytes(path));
        X509CertRequest certReq = new X509CertRequest(csr);
        
        final String ztsPublicKey = "-----BEGIN PUBLIC KEY-----\n"
                + "MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKrvfvBgXWqWAorw5hYJu3dpOJe0gp3n\n"
                + "TgiiPGT7+jzm6BRcssOBTPFIMkePT2a8Tq+FYSmFnHfbQjwmYw2uMK8CAwEAAQ==\n"
                + "-----END PUBLIC KEY-----";
        
        assertTrue(certReq.validatePublicKeys(ztsPublicKey));
    }
    
    @Test
    public void testValidateCertReqPublicKey() throws IOException {
        Path path = Paths.get("src/test/resources/valid.csr");
        String csr = new String(Files.readAllBytes(path));
        
        X509CertRequest certReq = new X509CertRequest(csr);
        assertNotNull(certReq);
        
        final String ztsPublicKey = "-----BEGIN PUBLIC KEY-----\n"
                + "MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKrvfvBgXWqWAorw5hYJu3dpOJe0gp3n\n"
                + "TgiiPGT7+jzm6BRcssOBTPFIMkePT2a8Tq+FYSmFnHfbQjwmYw2uMK8CAwEAAQ==\n"
                + "-----END PUBLIC KEY-----";
        
        assertTrue(certReq.validatePublicKeys(ztsPublicKey));
    }

    @Test
    public void testValidateCertReqPublicKeyMismatch() throws IOException {
        Path path = Paths.get("src/test/resources/valid.csr");
        String csr = new String(Files.readAllBytes(path));
        
        X509CertRequest certReq = new X509CertRequest(csr);
        assertNotNull(certReq);
        
        final String ztsPublicKey = "-----BEGIN PUBLIC KEY-----\n"
                + "MFwwDQYJKoZIhvcNasdfsdfsadfwSAJBAKrvfvBgXWqWAorw5hYJu3dpOJe0gp3n\n"
                + "TgiiPGT7+jzm6BRcssOBTPFIMkePT2a8Tq+FYSmFnHfbQjwmYw2uMK8CAwEAAQ==\n"
                + "-----END PUBLIC KEY-----";
        
        assertFalse(certReq.validatePublicKeys(ztsPublicKey));
    }
    
    @Test
    public void testValidateCertReqPublicKeyWhitespace() throws IOException {
        Path path = Paths.get("src/test/resources/valid.csr");
        String csr = new String(Files.readAllBytes(path));
        
        X509CertRequest certReq = new X509CertRequest(csr);
        assertNotNull(certReq);
        
        final String ztsPublicKey1 = "   -----BEGIN PUBLIC KEY-----\n"
                + "MFwwDQYJKoZIhvcNA QEBBQADSwAwSAJBAKrvfvBgXWqW Aorw5hYJu3dpOJe0gp3n\n\r\r\n"
                + "TgiiPGT7+jzm6BRcssOBTPFIMkePT2a8Tq+FYSmFnHfbQjwmYw2uMK8CAwEAAQ==\n\r"
                + "-----END PUBLIC KEY-----  \n";
        final String ztsPublicKey2 = "-----BEGIN PUBLIC KEY-----"
                + "MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKrvfvBgXWqWAorw5hYJu3dpOJe0gp3n"
                + "TgiiPGT7+jzm6BRcssOBTPFIMkePT2a8Tq+FYSmFnHfbQjwmYw2uMK8CAwEAAQ=="
                + "-----END PUBLIC KEY-----";
        
        assertTrue(certReq.validatePublicKeys(ztsPublicKey1));
        assertTrue(certReq.validatePublicKeys(ztsPublicKey2));
    }

    @Test
    public void testValidateCertCNFailure() throws IOException {

        Path path = Paths.get("src/test/resources/multiple_cn.csr");
        String csr = new String(Files.readAllBytes(path));

        try {
            new X509CertRequest(csr);
            fail();
        } catch (CryptoException ex) {
            assertTrue(ex.getMessage().contains("Subject contains multiple values"));
        }
    }

    @Test
    public void testValidateSpiffeURINoValues() throws IOException {

        Path path = Paths.get("src/test/resources/valid.csr");
        String csr = new String(Files.readAllBytes(path));

        X509CertRequest certReq = new X509CertRequest(csr);
        assertTrue(certReq.validateSpiffeURI("domain", "sa", "api"));
    }

    @Test
    public void testValidateSpiffeURIMultipleValues() throws IOException {

        Path path = Paths.get("src/test/resources/multiple_uri.csr");
        String csr = new String(Files.readAllBytes(path));

        try {
            new X509CertRequest(csr);
            fail();
        } catch (CryptoException ex) {
            assertTrue(ex.getMessage().contains("Invalid SPIFFE URI present"));
        }
    }

    @Test
    public void testValidateSpiffeURI() throws IOException {

        Path path = Paths.get("src/test/resources/spiffe_role.csr");
        String csr = new String(Files.readAllBytes(path));

        X509CertRequest certReq = new X509CertRequest(csr);
        assertTrue(certReq.validateSpiffeURI("coretech", "ra", "api"));
        assertFalse(certReq.validateSpiffeURI("coretech", "ra", "backend"));
        assertFalse(certReq.validateSpiffeURI("coretech", "sa", "api"));
    }

    @Test
    public void testValidateOUFieldCheck() throws IOException {

        // the ou is "Testing Domain"

        Path path = Paths.get("src/test/resources/athenz.instanceid.csr");
        String csr = new String(Files.readAllBytes(path));

        X509CertRequest certReq = new X509CertRequest(csr);
        assertNotNull(certReq);

        HashSet<String> validOrgUnits = new HashSet<>();

        assertFalse(certReq.validateSubjectOUField(null, null, null));
        assertFalse(certReq.validateSubjectOUField("Testing Domains", null, null));
        assertFalse(certReq.validateSubjectOUField(null, "Testing Domains", null));
        assertFalse(certReq.validateSubjectOUField("Bad1", "Bad2", null));
        assertFalse(certReq.validateSubjectOUField(null, null, validOrgUnits));
        assertFalse(certReq.validateSubjectOUField("Testing Domains", "None Test", validOrgUnits));

        // add invalid entry into set
        validOrgUnits.add("Testing Domains");
        assertFalse(certReq.validateSubjectOUField("Testing Domains", "None Test", validOrgUnits));

        assertTrue(certReq.validateSubjectOUField("Testing Domain", null, null));
        assertTrue(certReq.validateSubjectOUField("Testing Domain", "Bad2", validOrgUnits));

        assertTrue(certReq.validateSubjectOUField(null, "Testing Domain", null));
        assertTrue(certReq.validateSubjectOUField("Bad1", "Testing Domain", validOrgUnits));

        // add valid entry inti set
        validOrgUnits.add("Testing Domain");
        assertTrue(certReq.validateSubjectOUField(null, null, validOrgUnits));
        assertTrue(certReq.validateSubjectOUField("Bad1", "Bad2", validOrgUnits));
    }

    @Test
    public void testValidateOUFieldCheckMissingOU() throws IOException {

        // no ou field available
        Path path = Paths.get("src/test/resources/athenz.single_ip.csr");
        String csr = new String(Files.readAllBytes(path));

        X509CertRequest certReq = new X509CertRequest(csr);
        assertNotNull(certReq);

        HashSet<String> validOrgUnits = new HashSet<>();
        validOrgUnits.add("Athenz");

        assertTrue(certReq.validateSubjectOUField(null, null, null));
        assertTrue(certReq.validateSubjectOUField("Testing Domains", null, null));
        assertTrue(certReq.validateSubjectOUField(null, "Testing Domains", null));
        assertTrue(certReq.validateSubjectOUField("Bad1", "Bad2", null));
        assertTrue(certReq.validateSubjectOUField(null, null, validOrgUnits));
        assertTrue(certReq.validateSubjectOUField("Testing Domains", "None Test", validOrgUnits));
    }

    @Test
    public void testValidateOUFieldCheckInvalidOU() throws IOException {

        // multiple ou field: Athenz and Yahoo which we don't support
        Path path = Paths.get("src/test/resources/athenz.multiple_ou.csr");
        String csr = new String(Files.readAllBytes(path));

        X509CertRequest certReq = new X509CertRequest(csr);
        assertNotNull(certReq);

        assertFalse(certReq.validateSubjectOUField("Athenz", null, null));
        assertFalse(certReq.validateSubjectOUField("Yahoo", null, null));
    }

    @Test
    public void testExtractInstanceIdURI() throws IOException {

        Path path = Paths.get("src/test/resources/athenz.instanceid.uri.csr");
        String csr = new String(Files.readAllBytes(path));

        X509CertRequest certReq = new X509CertRequest(csr);
        assertNotNull(certReq);

        StringBuilder errMsg = new StringBuilder();
        assertTrue(certReq.parseCertRequest(errMsg));
        assertEquals(certReq.getInstanceId(), "id-001");
    }

    @Test
    public void testValidateInstanceCnames() throws IOException {

        Path path = Paths.get("src/test/resources/athenz.instanceid.uri.csr");
        String csr = new String(Files.readAllBytes(path));

        X509CertRequest certReq = new X509CertRequest(csr);
        assertNotNull(certReq);

        // cnames null and empty is always true

        assertTrue(certReq.validateInstanceCnames(null, null, null, null, null));
        assertTrue(certReq.validateInstanceCnames(null, null, null, Collections.emptyList(), null));

        // if the name is empty or null, then it's failure

        assertFalse(certReq.validateInstanceCnames(null, null, null,
                Collections.singletonList("host1.athenz.cloud"), null));
        assertFalse(certReq.validateInstanceCnames(null, null, "",
                Collections.singletonList("host1.athenz.cloud"), null));

        DataCache athenzSysDomainCache = Mockito.mock(DataCache.class);
        List<String> providerHostnameAllowedSuffixList = Collections.singletonList("athenz.cloud");
        Mockito.when(athenzSysDomainCache.getProviderHostnameAllowedSuffixList("provider"))
                .thenReturn(providerHostnameAllowedSuffixList);
        List<String> providerHostnameDeniedSuffixList = Collections.singletonList("athenz.info");
        Mockito.when(athenzSysDomainCache.getProviderHostnameDeniedSuffixList("provider"))
                .thenReturn(providerHostnameDeniedSuffixList);

        // cname does not match allowed suffix list thus denied

        assertFalse(certReq.validateInstanceCnames("provider", athenzSysDomainCache, "hostname.athenz.cloud",
                Collections.singletonList("host1.athenz.data"), null));

        List<String> cnameList = new ArrayList<>();
        cnameList.add("host1.athenz.cloud");
        cnameList.add("host1.athenz.data");

        assertFalse(certReq.validateInstanceCnames("provider", athenzSysDomainCache, "hostname.athenz.cloud",
                cnameList, null));

        // cname is explicitly denied

        assertFalse(certReq.validateInstanceCnames("provider", athenzSysDomainCache, "hostname.athenz.cloud",
                Collections.singletonList("host1.athenz.info"), null));

        cnameList.add("host1.athenz.info");
        assertFalse(certReq.validateInstanceCnames("provider", athenzSysDomainCache, "hostname.athenz.cloud",
                cnameList, null));

        // no hostname resolver thus denied

        assertFalse(certReq.validateInstanceCnames("provider", athenzSysDomainCache, "hostname.athenz.cloud",
                Collections.singletonList("host1.athenz.cloud"), null));

        HostnameResolver resolver = Mockito.mock(HostnameResolver.class);
        Mockito.when(resolver.isValidHostCnameList("hostname.athenz.cloud", Collections.singletonList("host1.athenz.cloud"), CertType.X509))
                .thenReturn(false);

        assertFalse(certReq.validateInstanceCnames("provider", athenzSysDomainCache, "hostname.athenz.cloud",
                Collections.singletonList("host1.athenz.cloud"), resolver));

        // set resolver to return true for host2

        Mockito.when(resolver.isValidHostCnameList("hostname.athenz.cloud", Collections.singletonList("host2.athenz.cloud"), CertType.X509))
                .thenReturn(true);

        assertTrue(certReq.validateInstanceCnames("provider", athenzSysDomainCache, "hostname.athenz.cloud",
                Collections.singletonList("host2.athenz.cloud"), resolver));
    }
}