authorBjørn Christian Seime <bjorncs@yahooinc.com>2022-07-20 15:21:39 +0200
committerBjørn Christian Seime <bjorncs@yahooinc.com>2022-07-20 15:21:39 +0200
commit4dcb1c83c96b51ec9a1770c269e75a94debebb9d (patch)
treef53aa75709ae5018809faa2a547c46bb70fb8981
parentea71048bca7b1d5633040ce8d13f9b418632f843 (diff)
Include client certificate chain even when authorization is disabled
-rw-r--r--configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizer.java6
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/ConnectionAuthContext.java11
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/PeerAuthorizer.java2
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/PeerAuthorizerTrustManager.java2
4 files changed, 14 insertions, 7 deletions
diff --git a/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizer.java b/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizer.java
index 59635461a2d..536a446df2f 100644
--- a/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizer.java
+++ b/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizer.java
@@ -166,14 +166,14 @@ public class MultiTenantRpcAuthorizer implements RpcAuthorizer {
// TODO Make peer identity mandatory once TLS mixed mode is removed
private Optional<NodeIdentity> getPeerIdentity(Request request) {
- Optional<ConnectionAuthContext> authCtx = request.target().getConnectionAuthContext();
- if (authCtx.isEmpty()) {
+ ConnectionAuthContext authCtx = request.target().connectionAuthContext();
+ if (authCtx.peerCertificate().isEmpty()) {
if (TransportSecurityUtils.getInsecureMixedMode() == MixedMode.DISABLED) {
throw new IllegalStateException("Security context missing"); // security context should always be present
}
return Optional.empty(); // client choose to communicate over insecure channel
}
- List<X509Certificate> certChain = authCtx.get().peerCertificateChain();
+ List<X509Certificate> certChain = authCtx.peerCertificateChain();
if (certChain.isEmpty()) {
throw new IllegalStateException("Client authentication is not enforced!"); // clients should be required to authenticate when TLS is enabled
}
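Review bot: The new guard `if (authCtx.peerCertificate().isEmpty())` merges two cases the old `authCtx.isEmpty()` check kept apart: no security context at all (insecure mixed mode) and a TLS connection whose context carries an empty certificate chain. If `peerCertificate()` is derived from the first element of `peerCertificateChain()` (its body is outside this hunk), the `certChain.isEmpty()` branch below becomes unreachable, and the "Client authentication is not enforced!" failure for the second case is silently downgraded to `return Optional.empty()`. Either keep a distinct indication of whether a TLS context was present before falling back to the mixed-mode check, or, if merging is intended, update the comment to `// no client certificate: plaintext (mixed mode) or TLS without client auth` and drop the now-dead check so the code states what it actually enforces. getPeerIdentity continues past the end of the hunk.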
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/ConnectionAuthContext.java b/security-utils/src/main/java/com/yahoo/security/tls/ConnectionAuthContext.java
index 3ee6ed1dcaa..b4e8878fb01 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/ConnectionAuthContext.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/ConnectionAuthContext.java
@@ -18,14 +18,15 @@ public record ConnectionAuthContext(List<X509Certificate> peerCertificateChain,
CapabilitySet capabilities,
Set<String> matchedPolicies) {
- private static final ConnectionAuthContext DEFAULT_ALL_CAPABILITIES =
- new ConnectionAuthContext(List.of(), CapabilitySet.all(), Set.of());
+ private static final ConnectionAuthContext DEFAULT_ALL_CAPABILITIES = new ConnectionAuthContext(List.of());
public ConnectionAuthContext {
peerCertificateChain = List.copyOf(peerCertificateChain);
matchedPolicies = Set.copyOf(matchedPolicies);
}
+ private ConnectionAuthContext(List<X509Certificate> certs) { this(certs, CapabilitySet.all(), Set.of()); }
+
public boolean authorized() { return !capabilities.hasNone(); }
public Optional<X509Certificate> peerCertificate() {
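Review bot: The new private constructor `private ConnectionAuthContext(List<X509Certificate> certs) { this(certs, CapabilitySet.all(), Set.of()); }` grants every capability to an arbitrary chain without a comment saying so, and `authorized()` on the line below then reports true for such a context (assuming `CapabilitySet.all().hasNone()` is false). Add `/** All capabilities granted, no policy evaluated; only for use when authorization is disabled */` above it. The public overload `defaultAllCapabilities(List<X509Certificate> certs)` in the next hunk repeats the Javadoc of the no-arg variant verbatim; give it its own, e.g. `/** Context carrying the peer chain with all capabilities; the chain is recorded but not authorized against any policy */`. The record body continues outside the hunk.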
@@ -60,6 +61,12 @@ public record ConnectionAuthContext(List<X509Certificate> peerCertificateChain,
return Optional.of(b.append("]").toString());
}
+ /** Construct instance with all capabilities */
public static ConnectionAuthContext defaultAllCapabilities() { return DEFAULT_ALL_CAPABILITIES; }
+ /** Construct instance with all capabilities */
+ public static ConnectionAuthContext defaultAllCapabilities(List<X509Certificate> certs) {
+ return new ConnectionAuthContext(certs);
+ }
+
}
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/PeerAuthorizer.java b/security-utils/src/main/java/com/yahoo/security/tls/PeerAuthorizer.java
index 99787725063..5db86fd93bc 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/PeerAuthorizer.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/PeerAuthorizer.java
@@ -35,7 +35,7 @@ public class PeerAuthorizer {
public ConnectionAuthContext authorizePeer(X509Certificate cert) { return authorizePeer(List.of(cert)); }
public ConnectionAuthContext authorizePeer(List<X509Certificate> certChain) {
- if (authorizedPeers.isEmpty()) return ConnectionAuthContext.defaultAllCapabilities();
+ if (authorizedPeers.isEmpty()) return ConnectionAuthContext.defaultAllCapabilities(certChain);
X509Certificate cert = certChain.get(0);
Set<String> matchedPolicies = new HashSet<>();
Set<CapabilitySet> grantedCapabilities = new HashSet<>();
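Review bot: The early return `if (authorizedPeers.isEmpty()) return ConnectionAuthContext.defaultAllCapabilities(certChain);` accepts an empty `certChain`, while the normal path fails on `certChain.get(0)` one line later; the result would be a context whose `authorized()` is true but whose `peerCertificate()` is empty. Validating before the early return keeps both paths consistent: `if (certChain.isEmpty()) throw new IllegalArgumentException("Certificate chain is empty");`. The rest of authorizePeer lies outside the hunk.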
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/PeerAuthorizerTrustManager.java b/security-utils/src/main/java/com/yahoo/security/tls/PeerAuthorizerTrustManager.java
index e6239e3f694..b92cd6c9538 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/PeerAuthorizerTrustManager.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/PeerAuthorizerTrustManager.java
@@ -105,7 +105,7 @@ public class PeerAuthorizerTrustManager extends X509ExtendedTrustManager {
log.fine(() -> "Verifying certificate: " + createInfoString(certChain[0], authType, isVerifyingClient));
ConnectionAuthContext result = mode != AuthorizationMode.DISABLE
? authorizer.authorizePeer(List.of(certChain))
- : ConnectionAuthContext.defaultAllCapabilities();
+ : ConnectionAuthContext.defaultAllCapabilities(List.of(certChain));
if (sslEngine != null) { // getHandshakeSession() will never return null in this context
sslEngine.getHandshakeSession().putValue(HANDSHAKE_SESSION_AUTH_CONTEXT_PROPERTY, result);
}
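Review bot: `List.of(certChain)` is now built in both arms of the conditional (`authorizer.authorizePeer(List.of(certChain))` and `ConnectionAuthContext.defaultAllCapabilities(List.of(certChain))`); hoist it to a local `List<X509Certificate> chain = List.of(certChain);` above the conditional and use `chain` in both arms. `List.of` is null-hostile, so a chain with a null element throws here in either mode, which matches the existing call and is not a behavioral change. Since the DISABLE arm stores a context reporting all capabilities for a chain that was not authorized against any policy, extending the existing `log.fine` message to state that authorization was skipped would make permissive deployments easier to audit. The enclosing method starts and ends outside the hunk.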