authorBjørn Christian Seime <bjorncs@yahooinc.com>2023-06-19 11:46:30 +0200
committerGitHub <noreply@github.com>2023-06-19 11:46:30 +0200
commit79d21be845c44c08369a81cefb32578006c692d7 (patch)
tree5fa30936c36f0316785794a106de62a6686990ab
parent9d742274e85d773f67a4ebaf00fb0c3d96ab300a (diff)
parent5b2df4778f222694005c6d9a9032d87b0c52ed9f (diff)
Merge pull request #27473 from vespa-engine/bjorncs/fix
Split each certificate into separate config entries
-rw-r--r--config-model/src/main/java/com/yahoo/vespa/model/container/xml/CloudDataPlaneFilter.java2
-rw-r--r--config-model/src/test/java/com/yahoo/vespa/model/container/xml/CloudDataPlaneFilterTest.java2
-rw-r--r--jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cloud/CloudDataPlaneFilter.java6
3 files changed, 7 insertions, 3 deletions
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/CloudDataPlaneFilter.java b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/CloudDataPlaneFilter.java
index 2217b58c508..2deaf81d338 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/CloudDataPlaneFilter.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/CloudDataPlaneFilter.java
@@ -49,7 +49,7 @@ class CloudDataPlaneFilter extends Filter implements CloudDataPlaneFilterConfig.
var clientsCfg = clients.stream()
.map(x -> new CloudDataPlaneFilterConfig.Clients.Builder()
.id(x.id())
- .certificates(X509CertificateUtils.toPem(x.certificates()))
+ .certificates(x.certificates().stream().map(X509CertificateUtils::toPem).toList())
.tokens(tokensConfig(x.tokens()))
.permissions(x.permissions()))
.toList();
diff --git a/config-model/src/test/java/com/yahoo/vespa/model/container/xml/CloudDataPlaneFilterTest.java b/config-model/src/test/java/com/yahoo/vespa/model/container/xml/CloudDataPlaneFilterTest.java
index 5bb0254f1cc..e11eec1ffd7 100644
--- a/config-model/src/test/java/com/yahoo/vespa/model/container/xml/CloudDataPlaneFilterTest.java
+++ b/config-model/src/test/java/com/yahoo/vespa/model/container/xml/CloudDataPlaneFilterTest.java
@@ -88,6 +88,7 @@ public class CloudDataPlaneFilterTest extends ContainerModelBuilderTestBase {
CloudDataPlaneFilterConfig.Clients client = clients.get(0);
assertEquals("foo", client.id());
assertIterableEquals(List.of("read", "write"), client.permissions());
+ assertTrue(client.tokens().isEmpty());
assertIterableEquals(List.of(X509CertificateUtils.toPem(certificate)), client.certificates());
ConnectorConfig connectorConfig = connectorConfig();
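Review bot: The added `assertTrue(client.tokens().isEmpty());` covers the token side, but nothing in the visible hunks exercises the behaviour this commit introduces: `client.certificates()` is still compared against `List.of(X509CertificateUtils.toPem(certificate))`, a single-certificate list, so a client declared with two certificates now yielding two config entries (instead of one concatenated PEM) is not asserted here. If such a case exists elsewhere in the file it is outside these hunks; otherwise a fixture with two certificates and `assertEquals(2, client.certificates().size());` would pin the new split behaviour. The same gap applies to the hunk at line 145, which only adds `assertTrue(tokenClient.certificates().isEmpty());` for the token client. Both enclosing test methods start and end outside the hunks.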
@@ -144,6 +145,7 @@ public class CloudDataPlaneFilterTest extends ContainerModelBuilderTestBase {
var tokenClient = cfg.clients().stream().filter(c -> c.id().equals("bar")).findAny().orElse(null);
assertNotNull(tokenClient);
assertEquals(List.of("read"), tokenClient.permissions());
+ assertTrue(tokenClient.certificates().isEmpty());
var expectedTokenCfg = tokenConfig(
"my-token", List.of("myfingerprint1", "myfingerprint2"), List.of("myaccesshash1", "myaccesshash2"));
assertEquals(List.of(expectedTokenCfg), tokenClient.tokens());
diff --git a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cloud/CloudDataPlaneFilter.java b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cloud/CloudDataPlaneFilter.java
index 07f586b2123..96602fcd899 100644
--- a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cloud/CloudDataPlaneFilter.java
+++ b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cloud/CloudDataPlaneFilter.java
@@ -18,7 +18,6 @@ import com.yahoo.security.token.TokenCheckHash;
import com.yahoo.security.token.TokenDomain;
import com.yahoo.security.token.TokenFingerprint;
-import java.nio.charset.StandardCharsets;
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
@@ -98,11 +97,14 @@ public class CloudDataPlaneFilter extends JsonSecurityRequestFilterBase {
if (!c.certificates().isEmpty()) {
List<X509Certificate> certs;
try {
- certs = c.certificates().stream().map(X509CertificateUtils::fromPem).toList();
+ certs = c.certificates().stream()
+ .flatMap(pem -> X509CertificateUtils.certificateListFromPem(pem).stream()).toList();
} catch (Exception e) {
throw new IllegalArgumentException(
"Client '%s' contains invalid X.509 certificate PEM: %s".formatted(c.id(), e.toString()), e);
}
+ if (certs.isEmpty()) throw new IllegalArgumentException(
+ "Client '%s' certificate PEM contains no valid X.509 entries".formatted(c.id()));
clients.add(new Client(c.id(), permissions, certs, Map.of()));
hasClientRequiringCertificate = true;
} else {
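Review bot: The new guard at the end of the hunk is a two-line `if` without braces, `if (certs.isEmpty()) throw new IllegalArgumentException(` continuing onto the message line; bracing it would match the braced `try`/`catch` directly above and keeps a later edit from silently landing outside the condition. The switch from `fromPem` to `flatMap(pem -> X509CertificateUtils.certificateListFromPem(pem).stream())` also deserves a short comment, since a reader cannot tell why one config entry may yield several certificates — presumably it keeps older config, where a client's whole chain sat in one entry, loadable while the config-model side now writes one entry per certificate; something like `// each entry may hold one or more PEM blocks (older config bundled the chain); flatten, then reject a client that yields none`. The enclosing loop and method start and end outside the hunk.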