author | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2022-07-20 16:01:16 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-07-20 16:01:16 +0200 |
commit | 37b82350dd673de1d7375c01838123bf0b1e1a91 (patch) | |
tree | d57a651f4c11589a5acefd26f70b612766857f3f | |
parent | 02c4a8fff7668971d0b82581081c1ea9466d5fc8 (diff) | |
parent | 4dcb1c83c96b51ec9a1770c269e75a94debebb9d (diff) |
Merge pull request #23528 from vespa-engine/bjorncs/capabilities
Bjorncs/capabilities [run-systemtest]
81 files changed, 448 insertions, 289 deletions
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ConfigserverSslContextFactoryProvider.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ConfigserverSslContextFactoryProvider.java index 147a05bc27e..61a4a0fe41f 100644 --- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ConfigserverSslContextFactoryProvider.java +++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ConfigserverSslContextFactoryProvider.java @@ -8,7 +8,7 @@ import com.yahoo.security.KeyStoreType; import com.yahoo.security.KeyUtils; import com.yahoo.security.SslContextBuilder; import com.yahoo.security.tls.DefaultTlsContext; -import com.yahoo.security.tls.MutableX509KeyManager; +import com.yahoo.security.MutableX509KeyManager; import com.yahoo.security.tls.PeerAuthentication; import com.yahoo.security.tls.TlsContext; import com.yahoo.vespa.athenz.api.AthenzService; diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/Certificates.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/Certificates.java index 61dc67bd7d4..df904bf8010 100644 --- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/Certificates.java +++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/Certificates.java @@ -17,7 +17,7 @@ import java.util.Optional; import java.util.stream.Collectors; import static com.yahoo.security.SignatureAlgorithm.SHA256_WITH_ECDSA; -import static com.yahoo.security.SubjectAlternativeName.Type.DNS_NAME; +import static com.yahoo.security.SubjectAlternativeName.Type.DNS; /** * Helper class for creating {@link X509Certificate}s. 
@@ -66,7 +66,7 @@ public class Certificates { private static Optional<String> getInstanceIdFromSAN(List<SubjectAlternativeName> subjectAlternativeNames) { return subjectAlternativeNames.stream() - .filter(san -> san.getType() == DNS_NAME) + .filter(san -> san.getType() == DNS) .map(SubjectAlternativeName::getValue) .map(Certificates::parseInstanceId) .flatMap(Optional::stream) diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiHandler.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiHandler.java index 9bd6153f159..f5dbcb6a699 100644 --- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiHandler.java +++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiHandler.java 
@@ -97,8 +97,8 @@ public class CertificateAuthorityApiHandler extends ThreadedHttpRequestHandler { var instanceRegistration = deserializeRequest(request, InstanceSerializer::registrationFromSlime); InstanceConfirmation confirmation = new InstanceConfirmation(instanceRegistration.provider(), instanceRegistration.domain(), instanceRegistration.service(), EntityBindingsMapper.toSignedIdentityDocumentEntity(instanceRegistration.attestationData())); - confirmation.set(InstanceValidator.SAN_IPS_ATTRNAME, Certificates.getSubjectAlternativeNames(instanceRegistration.csr(), SubjectAlternativeName.Type.IP_ADDRESS)); - confirmation.set(InstanceValidator.SAN_DNS_ATTRNAME, Certificates.getSubjectAlternativeNames(instanceRegistration.csr(), SubjectAlternativeName.Type.DNS_NAME)); + confirmation.set(InstanceValidator.SAN_IPS_ATTRNAME, Certificates.getSubjectAlternativeNames(instanceRegistration.csr(), SubjectAlternativeName.Type.IP)); + confirmation.set(InstanceValidator.SAN_DNS_ATTRNAME, Certificates.getSubjectAlternativeNames(instanceRegistration.csr(), SubjectAlternativeName.Type.DNS)); if (!instanceValidator.isValidInstance(confirmation)) { log.log(Level.INFO, "Invalid instance registration for " + instanceRegistration.toString()); return ErrorResponse.forbidden("Unable to launch service: " +instanceRegistration.service()); 
@@ -130,8 +130,8 @@ public class CertificateAuthorityApiHandler extends ThreadedHttpRequestHandler { refreshesSameService(instanceRefresh, athenzService); InstanceConfirmation instanceConfirmation = new InstanceConfirmation(provider, athenzService.getDomain().getName(), athenzService.getName(), null); - instanceConfirmation.set(InstanceValidator.SAN_IPS_ATTRNAME, Certificates.getSubjectAlternativeNames(instanceRefresh.csr(), SubjectAlternativeName.Type.IP_ADDRESS)); - instanceConfirmation.set(InstanceValidator.SAN_DNS_ATTRNAME, Certificates.getSubjectAlternativeNames(instanceRefresh.csr(), SubjectAlternativeName.Type.DNS_NAME)); + instanceConfirmation.set(InstanceValidator.SAN_IPS_ATTRNAME, Certificates.getSubjectAlternativeNames(instanceRefresh.csr(), SubjectAlternativeName.Type.IP)); + instanceConfirmation.set(InstanceValidator.SAN_DNS_ATTRNAME, Certificates.getSubjectAlternativeNames(instanceRefresh.csr(), SubjectAlternativeName.Type.DNS)); if(!instanceValidator.isValidRefresh(instanceConfirmation)) { return ErrorResponse.forbidden("Unable to refresh cert: " + instanceRefresh.csr().getSubject().toString()); } diff --git a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/CertificateTester.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/CertificateTester.java index b225cbef21c..4012776949e 100644 --- a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/CertificateTester.java +++ b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/CertificateTester.java 
@@ -68,10 +68,10 @@ public class CertificateTester { KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.EC, 256); var builder = Pkcs10CsrBuilder.fromKeypair(subject, keyPair, SignatureAlgorithm.SHA512_WITH_ECDSA); for (var dnsName : dnsNames) { - builder = builder.addSubjectAlternativeName(SubjectAlternativeName.Type.DNS_NAME, dnsName); + builder = builder.addSubjectAlternativeName(SubjectAlternativeName.Type.DNS, dnsName); } for (var ipAddress : ipAddresses) { - builder = builder.addSubjectAlternativeName(SubjectAlternativeName.Type.IP_ADDRESS, ipAddress); + builder = builder.addSubjectAlternativeName(SubjectAlternativeName.Type.IP, ipAddress); } return builder.build(); } diff --git a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/CertificatesTest.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/CertificatesTest.java index 613ced895e9..19ee3d22330 100644 --- a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/CertificatesTest.java +++ b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/CertificatesTest.java @@ -48,9 +48,9 @@ public class CertificatesTest { assertEquals(2, certificate.getSubjectAlternativeNames().size()); var subjectAlternativeNames = List.copyOf(certificate.getSubjectAlternativeNames()); - assertEquals(List.of(SubjectAlternativeName.Type.DNS_NAME.getTag(), dnsName), + assertEquals(List.of(SubjectAlternativeName.Type.DNS.getTag(), dnsName), subjectAlternativeNames.get(0)); - assertEquals(List.of(SubjectAlternativeName.Type.IP_ADDRESS.getTag(), ip), + assertEquals(List.of(SubjectAlternativeName.Type.IP.getTag(), ip), subjectAlternativeNames.get(1)); } diff --git a/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizer.java b/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizer.java index 288d064f150..536a446df2f 100644 
--- a/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizer.java +++ b/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizer.java @@ -12,7 +12,7 @@ import com.yahoo.config.provision.security.NodeIdentity; import com.yahoo.jrt.Request; import com.yahoo.security.tls.MixedMode; import com.yahoo.security.tls.TransportSecurityUtils; -import com.yahoo.security.tls.authz.ConnectionAuthContext; +import com.yahoo.security.tls.ConnectionAuthContext; import com.yahoo.vespa.config.ConfigKey; import com.yahoo.vespa.config.protocol.JRTServerConfigRequestV3; import com.yahoo.vespa.config.server.RequestHandler; @@ -166,14 +166,14 @@ public class MultiTenantRpcAuthorizer implements RpcAuthorizer { // TODO Make peer identity mandatory once TLS mixed mode is removed private Optional<NodeIdentity> getPeerIdentity(Request request) { - Optional<ConnectionAuthContext> authCtx = request.target().getConnectionAuthContext(); - if (authCtx.isEmpty()) { + ConnectionAuthContext authCtx = request.target().connectionAuthContext(); + if (authCtx.peerCertificate().isEmpty()) { if (TransportSecurityUtils.getInsecureMixedMode() == MixedMode.DISABLED) { throw new IllegalStateException("Security context missing"); // security context should always be present } return Optional.empty(); // client choose to communicate over insecure channel } - List<X509Certificate> certChain = authCtx.get().peerCertificateChain(); + List<X509Certificate> certChain = authCtx.peerCertificateChain(); if (certChain.isEmpty()) { throw new IllegalStateException("Client authentication is not enforced!"); // clients should be required to authenticate when TLS is enabled } diff --git a/configserver/src/test/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizerTest.java b/configserver/src/test/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizerTest.java index 5b5b795a412..bffed6eb0b1 100644 
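Review bot: The replacement of `authCtx.isEmpty()` with `authCtx.peerCertificate().isEmpty()` in getPeerIdentity changes the failure mode for an unconnected or not-yet-handshaken target: the new `Connection.connectionAuthContext()` and `TlsCryptoSocket.connectionAuthContext()` throw IllegalStateException where the old Optional was simply empty, so the "Security context missing" branch below is no longer the only way that situation surfaces. If that is intended, a one-line comment on the `ConnectionAuthContext authCtx = request.target().connectionAuthContext();` line saying `// throws IllegalStateException if the connection is gone or the handshake has not completed` would save the next reader from re-deriving it. Also, if `peerCertificate()` is the head of `peerCertificateChain()` (not visible here), the later `certChain.isEmpty()` guard and its "Client authentication is not enforced!" message are now unreachable and could be folded into the first check. getPeerIdentity's body continues outside the hunk.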
--- a/configserver/src/test/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizerTest.java +++ b/configserver/src/test/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizerTest.java @@ -18,8 +18,8 @@ import com.yahoo.security.KeyAlgorithm; import com.yahoo.security.KeyUtils; import com.yahoo.security.SignatureAlgorithm; import com.yahoo.security.X509CertificateBuilder; -import com.yahoo.security.tls.authz.ConnectionAuthContext; -import com.yahoo.security.tls.policy.CapabilitySet; +import com.yahoo.security.tls.CapabilitySet; +import com.yahoo.security.tls.ConnectionAuthContext; import com.yahoo.slime.Cursor; import com.yahoo.slime.JsonFormat; import com.yahoo.slime.Slime; @@ -250,9 +250,9 @@ public class MultiTenantRpcAuthorizerTest { private static Request mockJrtRpcRequest(String payload) { ConnectionAuthContext authContext = - new ConnectionAuthContext(PEER_CERTIFICATE_CHAIN, CapabilitySet.none(), Set.of()); + new ConnectionAuthContext(PEER_CERTIFICATE_CHAIN, CapabilitySet.all(), Set.of()); Target target = mock(Target.class); - when(target.getConnectionAuthContext()).thenReturn(Optional.of(authContext)); + when(target.connectionAuthContext()).thenReturn(authContext); Request request = mock(Request.class); when(request.target()).thenReturn(target); Values values = new Values(); diff --git a/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/HealthCheckProxyHandler.java b/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/HealthCheckProxyHandler.java index f559a368fe3..18490765576 100644 --- a/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/HealthCheckProxyHandler.java +++ b/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/HealthCheckProxyHandler.java 
@@ -6,7 +6,7 @@ import com.yahoo.jdisc.http.ConnectorConfig; import com.yahoo.security.SslContextBuilder; import com.yahoo.security.tls.TransportSecurityOptions; import com.yahoo.security.tls.TransportSecurityUtils; -import com.yahoo.security.tls.TrustAllX509TrustManager; +import com.yahoo.security.TrustAllX509TrustManager; import org.eclipse.jetty.client.HttpClient; import org.eclipse.jetty.client.ProxyProtocolClientConnectionFactory; import org.eclipse.jetty.client.api.ContentResponse; diff --git a/container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/ConfiguredSslContextFactoryProvider.java b/container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/ConfiguredSslContextFactoryProvider.java index 05a013c036e..27c5aff22a9 100644 --- a/container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/ConfiguredSslContextFactoryProvider.java +++ b/container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/ConfiguredSslContextFactoryProvider.java @@ -6,7 +6,7 @@ import com.yahoo.jdisc.http.SslProvider; import com.yahoo.security.KeyUtils; import com.yahoo.security.SslContextBuilder; import com.yahoo.security.X509CertificateUtils; -import com.yahoo.security.tls.AutoReloadingX509KeyManager; +import com.yahoo.security.AutoReloadingX509KeyManager; import com.yahoo.security.tls.TlsContext; import javax.net.ssl.SSLContext; diff --git a/container-core/src/test/java/com/yahoo/jdisc/http/ssl/impl/TlsContextBasedProviderTest.java b/container-core/src/test/java/com/yahoo/jdisc/http/ssl/impl/TlsContextBasedProviderTest.java index fce4d6ee74e..e8e358252dc 100644 --- a/container-core/src/test/java/com/yahoo/jdisc/http/ssl/impl/TlsContextBasedProviderTest.java +++ b/container-core/src/test/java/com/yahoo/jdisc/http/ssl/impl/TlsContextBasedProviderTest.java 
@@ -4,11 +4,11 @@ package com.yahoo.jdisc.http.ssl.impl; import com.yahoo.security.KeyUtils; import com.yahoo.security.X509CertificateBuilder; import com.yahoo.security.tls.AuthorizationMode; +import com.yahoo.security.tls.AuthorizedPeers; import com.yahoo.security.tls.DefaultTlsContext; import com.yahoo.security.tls.HostnameVerification; import com.yahoo.security.tls.PeerAuthentication; import com.yahoo.security.tls.TlsContext; -import com.yahoo.security.tls.policy.AuthorizedPeers; import org.junit.Test; import javax.security.auth.x500.X500Principal; diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateValidatorImpl.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateValidatorImpl.java index 9bfd8f9d34e..ecea1ce6913 100644 --- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateValidatorImpl.java +++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateValidatorImpl.java @@ -59,7 +59,7 @@ public class EndpointCertificateValidatorImpl implements EndpointCertificateVali X509Certificate endEntityCertificate = x509CertificateList.get(0); Set<String> subjectAlternativeNames = X509CertificateUtils.getSubjectAlternativeNames(endEntityCertificate).stream() - .filter(san -> san.getType().equals(SubjectAlternativeName.Type.DNS_NAME)) + .filter(san -> san.getType().equals(SubjectAlternativeName.Type.DNS)) .map(SubjectAlternativeName::getValue).collect(Collectors.toSet()); if (!subjectAlternativeNames.containsAll(requiredNamesForZone)) diff --git a/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilterTest.java b/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilterTest.java index 63223f3c221..d74075831f1 100644 
--- a/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilterTest.java +++ b/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilterTest.java @@ -37,7 +37,7 @@ import static com.yahoo.jdisc.http.filter.security.athenz.AthenzAuthorizationFil import static com.yahoo.jdisc.http.filter.security.athenz.AthenzAuthorizationFilter.MATCHED_ROLE_ATTRIBUTE; import static com.yahoo.jdisc.http.filter.security.athenz.AthenzAuthorizationFilter.RESULT_ATTRIBUTE; import static com.yahoo.security.SignatureAlgorithm.SHA256_WITH_ECDSA; -import static com.yahoo.security.SubjectAlternativeName.Type.RFC822_NAME; +import static com.yahoo.security.SubjectAlternativeName.Type.EMAIL; import static com.yahoo.vespa.athenz.zpe.AuthorizationResult.Type; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertNotNull; @@ -262,7 +262,7 @@ public class AthenzAuthorizationFilterTest { Instant now = Instant.now(); return X509CertificateBuilder .fromKeypair(keyPair, x500Name, now, now.plus(Duration.ofDays(30)), SHA256_WITH_ECDSA, BigInteger.ONE) - .addSubjectAlternativeName(new SubjectAlternativeName(RFC822_NAME, identity.getFullName() + "@my.domain.my-identity-provider")) + .addSubjectAlternativeName(new SubjectAlternativeName(EMAIL, identity.getFullName() + "@my.domain.my-identity-provider")) .build(); } diff --git a/jrt/src/com/yahoo/jrt/Connection.java b/jrt/src/com/yahoo/jrt/Connection.java index 644e2ef4ff3..1e4092efb75 100644 --- a/jrt/src/com/yahoo/jrt/Connection.java +++ b/jrt/src/com/yahoo/jrt/Connection.java 
@@ -1,9 +1,10 @@
 // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.jrt;
-import com.yahoo.security.tls.authz.ConnectionAuthContext;
+import com.yahoo.security.tls.ConnectionAuthContext;
 import java.io.IOException;
+import java.net.InetSocketAddress;
 import java.nio.ByteBuffer;
 import java.nio.channels.SelectionKey;
 import java.nio.channels.Selector;
@@ -11,7 +12,6 @@ import java.nio.channels.SocketChannel;
 import java.util.HashMap;
 import java.util.IdentityHashMap;
 import java.util.Map;
-import java.util.Optional;
 import java.util.concurrent.atomic.AtomicLong;
 import java.util.logging.Level;
 import java.util.logging.Logger;
@@ -438,9 +438,16 @@ class Connection extends Target {
 }
 @Override
- public Optional<ConnectionAuthContext> getConnectionAuthContext() {
- return Optional.ofNullable(socket)
- .flatMap(CryptoSocket::getConnectionAuthContext);
+ public ConnectionAuthContext connectionAuthContext() {
+ if (socket == null) throw new IllegalStateException("Not connected");
+ return socket.connectionAuthContext();
+ }
+
+ @Override
+ public Spec peerSpec() {
+ if (socket == null) throw new IllegalStateException("Not connected");
+ InetSocketAddress addr = (InetSocketAddress) socket.channel().socket().getRemoteSocketAddress();
+ return new Spec(addr.getHostString(), addr.getPort());
 }
 public boolean isClient() {
diff --git a/jrt/src/com/yahoo/jrt/CryptoSocket.java b/jrt/src/com/yahoo/jrt/CryptoSocket.java
index aac91362405..e30579d2bdc 100644
--- a/jrt/src/com/yahoo/jrt/CryptoSocket.java
+++ b/jrt/src/com/yahoo/jrt/CryptoSocket.java
@@ -2,12 +2,11 @@
 package com.yahoo.jrt;
-import com.yahoo.security.tls.authz.ConnectionAuthContext;
+import com.yahoo.security.tls.ConnectionAuthContext;
 import java.io.IOException;
 import java.nio.ByteBuffer;
 import java.nio.channels.SocketChannel;
-import java.util.Optional;
 /**
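Review bot: In the new `Connection.peerSpec()`, the `socket == null` guard does not cover the case `getRemoteSocketAddress()` itself returns null, which `java.net.Socket` does once the socket is closed or was never connected; the cast accepts null, so the failure is an NPE at `addr.getHostString()` instead of the IllegalStateException the method otherwise promises. Add `if (addr == null) throw new IllegalStateException("Not connected");` before the `return new Spec(...)` line so both paths fail the same way. The Connection class continues outside the hunk, so whether `socket` can be reset to null after connect is not visible here.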
@@ -104,11 +103,6 @@ public interface CryptoSocket {
 **/
 public void dropEmptyBuffers();
- /**
- * Returns the auth context for the current connection (given handshake completed),
- * or empty if the current connection is not secure.
- */
- default public Optional<ConnectionAuthContext> getConnectionAuthContext() {
- return Optional.empty();
- }
+ /** Returns the auth context for the current connection (given handshake completed) */
+ default ConnectionAuthContext connectionAuthContext() { return ConnectionAuthContext.defaultAllCapabilities(); }
 }
diff --git a/jrt/src/com/yahoo/jrt/ErrorCode.java b/jrt/src/com/yahoo/jrt/ErrorCode.java
index beaabcea316..8e129cfef98 100644
--- a/jrt/src/com/yahoo/jrt/ErrorCode.java
+++ b/jrt/src/com/yahoo/jrt/ErrorCode.java
@@ -49,4 +49,7 @@ public class ErrorCode
 /** Method failed (111) **/
 public static final int METHOD_FAILED = 111;
+
+ /** Permission denied (112) **/
+ public static final int PERMISSION_DENIED = 112;
 }
diff --git a/jrt/src/com/yahoo/jrt/InvocationServer.java b/jrt/src/com/yahoo/jrt/InvocationServer.java
index 9df92eb20a6..7704c0019ed 100644
--- a/jrt/src/com/yahoo/jrt/InvocationServer.java
+++ b/jrt/src/com/yahoo/jrt/InvocationServer.java
@@ -31,7 +31,11 @@ class InvocationServer {
 public void invoke() {
 if (method != null) {
 if (method.checkParameters(request)) {
- method.invoke(request);
+ if (method.requestAccessFilter().allow(request)) {
+ method.invoke(request);
+ } else {
+ request.setError(ErrorCode.PERMISSION_DENIED, "Permission denied");
+ }
 } else {
 request.setError(ErrorCode.WRONG_PARAMS, "Parameters in " + request + " does not match " + method);
 }
diff --git a/jrt/src/com/yahoo/jrt/MaybeTlsCryptoSocket.java b/jrt/src/com/yahoo/jrt/MaybeTlsCryptoSocket.java
index 42442289cd1..ab9d78d2676 100644
--- a/jrt/src/com/yahoo/jrt/MaybeTlsCryptoSocket.java
+++ b/jrt/src/com/yahoo/jrt/MaybeTlsCryptoSocket.java
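Review bot: The Javadoc on the new `CryptoSocket.connectionAuthContext()` default does not say what the default actually returns: `ConnectionAuthContext.defaultAllCapabilities()` by its name hands every implementation that does not override it — presumably the plain-text socket — a context with all capabilities, so a `RequireCapabilitiesFilter` on such a connection will never deny. That is a deliberate fail-open for non-TLS transport and deserves to be stated where implementors will see it, e.g. `/** Returns the auth context for the current connection (given handshake completed). The default grants all capabilities and is meant for non-TLS sockets; TLS implementations must override it. */`. Whether a non-overriding implementation exists in the tree is not visible in this hunk.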
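Review bot: In `InvocationServer.invoke()` the new access check runs only after `method.checkParameters(request)` succeeds, so a peer that is not permitted to call a method still receives the WRONG_PARAMS error, whose message embeds `method` and therefore describes the expected signature; authorization is usually placed ahead of argument validation so that an unauthorized caller gets the same PERMISSION_DENIED answer regardless of what it sent. Swapping the two nested `if`s (filter first, then parameter check, each with its existing `setError` branch) keeps the behaviour for authorized callers unchanged. The rest of invoke() and the surrounding class lie outside the hunk.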
@@ -1,12 +1,11 @@
 // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.jrt;
-import com.yahoo.security.tls.authz.ConnectionAuthContext;
+import com.yahoo.security.tls.ConnectionAuthContext;
 import java.io.IOException;
 import java.nio.ByteBuffer;
 import java.nio.channels.SocketChannel;
-import java.util.Optional;
 /**
 * A crypto socket for the server side of a connection that
@@ -132,7 +131,5 @@ public class MaybeTlsCryptoSocket implements CryptoSocket {
 @Override public int write(ByteBuffer src) throws IOException { return socket.write(src); }
 @Override public FlushResult flush() throws IOException { return socket.flush(); }
 @Override public void dropEmptyBuffers() { socket.dropEmptyBuffers(); }
- @Override public Optional<ConnectionAuthContext> getConnectionAuthContext() {
- return Optional.ofNullable(socket).flatMap(CryptoSocket::getConnectionAuthContext);
- }
+ @Override public ConnectionAuthContext connectionAuthContext() { return socket.connectionAuthContext(); }
 }
diff --git a/jrt/src/com/yahoo/jrt/Method.java b/jrt/src/com/yahoo/jrt/Method.java
index 4fc9f0714da..89c66747e0b 100644
--- a/jrt/src/com/yahoo/jrt/Method.java
+++ b/jrt/src/com/yahoo/jrt/Method.java
@@ -40,6 +40,8 @@ public class Method {
 private String[] returnName;
 private String[] returnDesc;
+ private RequestAccessFilter filter = RequestAccessFilter.ALLOW_ALL;
+
 private static final String undocumented = "???";
@@ -147,6 +149,10 @@ public class Method {
 return this;
 }
+ public Method requestAccessFilter(RequestAccessFilter filter) { this.filter = filter; return this; }
+
+ public RequestAccessFilter requestAccessFilter() { return filter; }
+
 /**
 * Obtain the name of a parameter
 *
diff --git a/jrt/src/com/yahoo/jrt/RequestAccessFilter.java b/jrt/src/com/yahoo/jrt/RequestAccessFilter.java
new file mode 100644
index 00000000000..6701436d6ce
--- /dev/null
+++ b/jrt/src/com/yahoo/jrt/RequestAccessFilter.java
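Review bot: The new `MaybeTlsCryptoSocket.connectionAuthContext()` drops the `Optional.ofNullable(socket)` guard the removed method had, so if `socket` can still be null at the time the auth context is requested (the field's assignment is outside the hunk, so I cannot tell), the call now fails with an NPE rather than a meaningful error. If null is reachable, mirror the sibling `Connection.connectionAuthContext()` in this commit: `if (socket == null) throw new IllegalStateException("Not connected");` before the delegation, which also keeps the two implementations failing the same way. If it is not reachable, a short `// socket is assigned before any request can be dispatched` comment on the one-liner would document that assumption.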
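Review bot: `Method.requestAccessFilter(RequestAccessFilter filter)` stores its argument unchecked, so passing null does not fail at registration but later in `InvocationServer.invoke()` when `method.requestAccessFilter().allow(request)` dereferences it — on the request path, for every call to that method. Validate at the setter instead: `this.filter = Objects.requireNonNull(filter, "filter"); return this;` (Method's import block is outside the hunk; add `java.util.Objects` if it is not already imported). The accessor and the `ALLOW_ALL` default are fine as they are.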
@@ -0,0 +1,17 @@
+// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.jrt;
+
+/**
+ * Request access filter is invoked before any call to {@link Method#invoke(Request)}.
+ * If {@link #allow(Request)} returns false, the method is not invoked, and the request is failed with error
+ * {@link ErrorCode#PERMISSION_DENIED}.
+ *
+ * @author bjorncs
+ */
+public interface RequestAccessFilter {
+
+ RequestAccessFilter ALLOW_ALL = __ -> true;
+
+ boolean allow(Request r);
+
+}
diff --git a/jrt/src/com/yahoo/jrt/RequireCapabilitiesFilter.java b/jrt/src/com/yahoo/jrt/RequireCapabilitiesFilter.java
new file mode 100644
index 00000000000..bb2eafcf711
--- /dev/null
+++ b/jrt/src/com/yahoo/jrt/RequireCapabilitiesFilter.java
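Review bot: `RequestAccessFilter` is used as a lambda (`ALLOW_ALL = __ -> true`) but is not annotated `@FunctionalInterface`, so a second abstract method added later would break that constant silently at the use site rather than at the declaration; add the annotation above `public interface RequestAccessFilter`. The single method also lacks its own Javadoc: `/** @param r the request about to be dispatched (parameters already validated) @return true to invoke the method, false to fail the request with PERMISSION_DENIED */` would state the contract that InvocationServer relies on. Stating there that the filter is invoked on the request-dispatch thread for every call, and so must be cheap and thread-safe, would help implementors, though the threading model is not visible in this hunk.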
@@ -0,0 +1,54 @@
+// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.jrt;
+
+import com.yahoo.security.tls.Capability;
+import com.yahoo.security.tls.CapabilityMode;
+import com.yahoo.security.tls.CapabilitySet;
+import com.yahoo.security.tls.ConnectionAuthContext;
+import com.yahoo.security.tls.TransportSecurityUtils;
+
+import java.util.logging.Logger;
+
+import static com.yahoo.security.tls.CapabilityMode.DISABLE;
+import static com.yahoo.security.tls.CapabilityMode.LOG_ONLY;
+
+/**
+ * @author bjorncs
+ */
+public class RequireCapabilitiesFilter implements RequestAccessFilter {
+
+ private static final Logger log = Logger.getLogger(RequireCapabilitiesFilter.class.getName());
+ private static final CapabilityMode MODE = TransportSecurityUtils.getCapabilityMode();
+
+ private final CapabilitySet requiredCapabilities;
+
+ public RequireCapabilitiesFilter(CapabilitySet requiredCapabilities) {
+ this.requiredCapabilities = requiredCapabilities;
+ }
+
+ public RequireCapabilitiesFilter(Capability... requiredCapabilities) {
+ this(CapabilitySet.from(requiredCapabilities));
+ }
+
+ @Override
+ public boolean allow(Request r) {
+ if (MODE == DISABLE) return true;
+ ConnectionAuthContext ctx = r.target().connectionAuthContext();
+ CapabilitySet peerCapabilities = ctx.capabilities();
+ boolean authorized = peerCapabilities.has(requiredCapabilities);
+ if (!authorized) {
+ String msg = "%sPermission denied for RPC method '%s'. Peer at %s with %s. Call requires %s, but peer has %s"
+ .formatted(MODE == LOG_ONLY ? "Dry-run: " : "", r.methodName(), r.target().peerSpec(), ctx.peerCertificateString().orElseThrow(),
+ requiredCapabilities.toNames(), peerCapabilities.toNames());
+ if (MODE == LOG_ONLY) {
+ log.info(msg);
+ return true;
+ } else {
+ log.warning(msg);
+ return false;
+ }
+ }
+ return true;
+ }
+
+}
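Review bot: `ctx.peerCertificateString().orElseThrow()` sits on the denial path of `allow()`, so a peer whose auth context carries no certificate (a case this same commit treats as real in MultiTenantRpcAuthorizer via `authCtx.peerCertificate().isEmpty()`) turns a clean PERMISSION_DENIED into a NoSuchElementException thrown out of the filter — and in LOG_ONLY mode it aborts a call that was meant to be allowed. Use a fallback instead: `ctx.peerCertificateString().orElse("<no peer certificate>")`. Two smaller points: the class Javadoc only names the author, and a sentence such as `/** Denies the request unless the peer's TLS capabilities cover the required set; honours the capability mode (DISABLE passes everything, LOG_ONLY logs and passes) */` would explain the `MODE` switch; and `MODE` is resolved once at class load, so a mode change after that is not picked up, which is worth a comment on that field if it is intentional.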
diff --git a/jrt/src/com/yahoo/jrt/Target.java b/jrt/src/com/yahoo/jrt/Target.java
index 239a71f53b3..0e8c27deac5 100644
--- a/jrt/src/com/yahoo/jrt/Target.java
+++ b/jrt/src/com/yahoo/jrt/Target.java
@@ -1,9 +1,7 @@
 // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.jrt;
-import com.yahoo.security.tls.authz.ConnectionAuthContext;
-
-import java.util.Optional;
+import com.yahoo.security.tls.ConnectionAuthContext;
 /**
 * A Target represents a connection endpoint with RPC
@@ -71,9 +69,13 @@ public abstract class Target {
 public Exception getConnectionLostReason() { return null; }
 /**
- * Returns the connection auth context associated with this target, or empty if no connection or is insecure.
+ * Returns the connection auth context associated with this target.
 */
- public abstract Optional<ConnectionAuthContext> getConnectionAuthContext();
+ public abstract ConnectionAuthContext connectionAuthContext();
+
+
+ /** @return address spec of socket peer */
+ public abstract Spec peerSpec();
 /**
 * Check if this target represents the client side of a
diff --git a/jrt/src/com/yahoo/jrt/TlsCryptoSocket.java b/jrt/src/com/yahoo/jrt/TlsCryptoSocket.java
index ecd76e1eb17..13274dc3ba5 100644
--- a/jrt/src/com/yahoo/jrt/TlsCryptoSocket.java
+++ b/jrt/src/com/yahoo/jrt/TlsCryptoSocket.java
@@ -1,8 +1,8 @@
 // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.jrt;
-import com.yahoo.security.tls.authz.ConnectionAuthContext;
-import com.yahoo.security.tls.authz.PeerAuthorizerTrustManager;
+import com.yahoo.security.tls.ConnectionAuthContext;
+import com.yahoo.security.tls.PeerAuthorizerTrustManager;
 import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLEngineResult;
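Review bot: The new abstract `Target.connectionAuthContext()` and `peerSpec()` lose the "or empty if no connection or is insecure" wording without replacing it, yet the `Connection` implementation in this same commit throws IllegalStateException("Not connected") from both, and `TlsCryptoSocket` throws when the handshake is incomplete; callers of the abstract API cannot learn that from this Javadoc. Add `@throws IllegalStateException if the target is not connected or the TLS handshake has not completed` to both, and note on `connectionAuthContext()` that an insecure connection yields a context rather than an absent value. The double blank line between `connectionAuthContext();` and the `peerSpec` Javadoc is also a stray formatting slip.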
@@ -14,7 +14,7 @@ import java.io.IOException;
 import java.nio.ByteBuffer;
 import java.nio.channels.ClosedChannelException;
 import java.nio.channels.SocketChannel;
-import java.util.Optional;
+import java.util.Objects;
 import java.util.logging.Logger;
 import static javax.net.ssl.SSLEngineResult.Status;
@@ -219,9 +219,9 @@ public class TlsCryptoSocket implements CryptoSocket {
 }
 @Override
- public Optional<ConnectionAuthContext> getConnectionAuthContext() {
- if (handshakeState != HandshakeState.COMPLETED) return Optional.empty();
- return Optional.ofNullable(authContext);
+ public ConnectionAuthContext connectionAuthContext() {
+ if (handshakeState != HandshakeState.COMPLETED) throw new IllegalStateException("Handshake not complete");
+ return Objects.requireNonNull(authContext);
 }
 private boolean handshakeWrap() throws IOException {
diff --git a/jrt/tests/com/yahoo/jrt/CryptoUtils.java b/jrt/tests/com/yahoo/jrt/CryptoUtils.java
index d5ce32ee5ee..cef138ffba1 100644
--- a/jrt/tests/com/yahoo/jrt/CryptoUtils.java
+++ b/jrt/tests/com/yahoo/jrt/CryptoUtils.java
@@ -4,14 +4,14 @@ package com.yahoo.jrt;
 import com.yahoo.security.KeyUtils;
 import com.yahoo.security.X509CertificateBuilder;
 import com.yahoo.security.tls.AuthorizationMode;
+import com.yahoo.security.tls.AuthorizedPeers;
 import com.yahoo.security.tls.DefaultTlsContext;
 import com.yahoo.security.tls.HostnameVerification;
 import com.yahoo.security.tls.PeerAuthentication;
+import com.yahoo.security.tls.PeerPolicy;
+import com.yahoo.security.tls.RequiredPeerCredential;
+import com.yahoo.security.tls.RequiredPeerCredential.Field;
 import com.yahoo.security.tls.TlsContext;
-import com.yahoo.security.tls.policy.AuthorizedPeers;
-import com.yahoo.security.tls.policy.PeerPolicy;
-import com.yahoo.security.tls.policy.RequiredPeerCredential;
-import com.yahoo.security.tls.policy.RequiredPeerCredential.Field;
 import javax.security.auth.x500.X500Principal;
 import java.security.KeyPair;
diff --git a/jrt/tests/com/yahoo/jrt/EchoTest.java b/jrt/tests/com/yahoo/jrt/EchoTest.java index e6243eaf4da..47c6e806635 100644 --- a/jrt/tests/com/yahoo/jrt/EchoTest.java +++ b/jrt/tests/com/yahoo/jrt/EchoTest.java @@ -2,7 +2,7 @@ package com.yahoo.jrt; -import com.yahoo.security.tls.authz.ConnectionAuthContext; +import com.yahoo.security.tls.ConnectionAuthContext; import org.junit.After; import org.junit.Before; import org.junit.runner.RunWith; @@ -16,7 +16,6 @@ import java.util.List; import static com.yahoo.jrt.CryptoUtils.createTestTlsContext; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertNotNull; -import static org.junit.Assert.assertNull; import static org.junit.Assert.assertTrue; @RunWith(Parameterized.class) @@ -147,7 +146,7 @@ public class EchoTest { for (int i = 0; i < p.size(); i++) { r.add(p.get(i)); } - connAuthCtx = req.target().getConnectionAuthContext().orElse(null); + connAuthCtx = req.target().connectionAuthContext(); } @org.junit.Test @@ -168,8 +167,6 @@ public class EchoTest { if (connAuthCtxAssertion != null) { assertNotNull(connAuthCtx); connAuthCtxAssertion.assertConnectionAuthContext(connAuthCtx); - } else { - assertNull(connAuthCtx); } } } diff --git a/jrt/tests/com/yahoo/jrt/InvokeAsyncTest.java b/jrt/tests/com/yahoo/jrt/InvokeAsyncTest.java index 5e9f426bb17..436b650198e 100644 --- a/jrt/tests/com/yahoo/jrt/InvokeAsyncTest.java +++ b/jrt/tests/com/yahoo/jrt/InvokeAsyncTest.java @@ -16,6 +16,7 @@ public class InvokeAsyncTest { Supervisor client; Target target; Test.Barrier barrier; + SimpleRequestAccessFilter filter; @Before public void setUp() throws ListenFailedException { 
@@ -23,11 +24,13 @@ public class InvokeAsyncTest { client = new Supervisor(new Transport()); acceptor = server.listen(new Spec(0)); target = client.connect(new Spec("localhost", acceptor.port())); + filter = new SimpleRequestAccessFilter(); server.addMethod(new Method("concat", "ss", "s", this::rpc_concat) .methodDesc("Concatenate 2 strings") .paramDesc(0, "str1", "a string") .paramDesc(1, "str2", "another string") - .returnDesc(0, "ret", "str1 followed by str2")); + .returnDesc(0, "ret", "str1 followed by str2") + .requestAccessFilter(filter)); barrier = new Test.Barrier(); } @@ -65,4 +68,21 @@ public class InvokeAsyncTest { assertEquals("abcdef", req.returnValues().get(0).asString()); } + @org.junit.Test + public void testFilterIsInvoked() { + Request req = new Request("concat"); + req.parameters().add(new StringValue("abc")); + req.parameters().add(new StringValue("def")); + assertFalse(filter.invoked); + Test.Waiter w = new Test.Waiter(); + target.invokeAsync(req, 10, w); + assertFalse(w.isDone()); + barrier.breakIt(); + w.waitDone(); + assertTrue(w.isDone()); + assertFalse(req.isError()); + assertEquals("abcdef", req.returnValues().get(0).asString()); + assertTrue(filter.invoked); + } + } diff --git a/jrt/tests/com/yahoo/jrt/InvokeErrorTest.java b/jrt/tests/com/yahoo/jrt/InvokeErrorTest.java index a9a0b18b5a1..3b58ba2f42e 100644 --- a/jrt/tests/com/yahoo/jrt/InvokeErrorTest.java +++ b/jrt/tests/com/yahoo/jrt/InvokeErrorTest.java @@ -6,6 +6,7 @@ import org.junit.After; import org.junit.Before; import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertFalse; import static org.junit.Assert.assertTrue; public class InvokeErrorTest { @@ -16,6 +17,8 @@ public class InvokeErrorTest { Supervisor client; Target target; Test.Barrier barrier; + SimpleRequestAccessFilter filter; + RpcTestMethod testMethod; @Before public void setUp() throws ListenFailedException { 
@@ -23,7 +26,9 @@ public class InvokeErrorTest { client = new Supervisor(new Transport()); acceptor = server.listen(new Spec(0)); target = client.connect(new Spec("localhost", acceptor.port())); - server.addMethod(new Method("test", "iib", "i", this::rpc_test)); + filter = new SimpleRequestAccessFilter(); + testMethod = new RpcTestMethod(); + server.addMethod(new Method("test", "iib", "i", testMethod).requestAccessFilter(filter)); server.addMethod(new Method("test_barrier", "iib", "i", this::rpc_test_barrier)); barrier = new Test.Barrier(); } @@ -36,22 +41,8 @@ public class InvokeErrorTest { server.transport().shutdown().join(); } - private void rpc_test(Request req) { - int value = req.parameters().get(0).asInt32(); - int error = req.parameters().get(1).asInt32(); - int extra = req.parameters().get(2).asInt8(); - - req.returnValues().add(new Int32Value(value)); - if (extra != 0) { - req.returnValues().add(new Int32Value(value)); - } - if (error != 0) { - req.setError(error, "Custom error"); - } - } - private void rpc_test_barrier(Request req) { - rpc_test(req); + testMethod.invoke(req); barrier.waitFor(); } 
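Review bot: `rpc_test_barrier` now calls `testMethod.invoke(req)`, which also flips `RpcTestMethod.invoked`, so the flag that `testFilterFailsRequest` reads to prove the filtered handler did not run is shared with the unfiltered `test_barrier` method. With JUnit's per-test fixture this is harmless today, but the flag's meaning is cleaner if the barrier handler bypasses the marker: `testMethod.rpc_test(req);`. The `test_barrier` method is also registered without a `requestAccessFilter`, which is presumably intentional; a short comment on that `addMethod` line would save the next reader from wondering.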
@@ -157,4 +148,40 @@ public class InvokeErrorTest { assertEquals(ErrorCode.CONNECTION, req1.errorCode()); } + @org.junit.Test + public void testFilterFailsRequest() { + Request r = new Request("test"); + r.parameters().add(new Int32Value(42)); + r.parameters().add(new Int32Value(0)); + r.parameters().add(new Int8Value((byte)0)); + filter.allowed = false; + assertFalse(filter.invoked); + target.invokeSync(r, timeout); + assertTrue(r.isError()); + assertTrue(filter.invoked); + assertFalse(testMethod.invoked); + assertEquals(ErrorCode.PERMISSION_DENIED, r.errorCode()); + assertEquals("Permission denied", r.errorMessage()); + } + + private static class RpcTestMethod implements MethodHandler { + boolean invoked = false; + + @Override public void invoke(Request req) { invoked = true; rpc_test(req); } + + void rpc_test(Request req) { + int value = req.parameters().get(0).asInt32(); + int error = req.parameters().get(1).asInt32(); + int extra = req.parameters().get(2).asInt8(); + + req.returnValues().add(new Int32Value(value)); + if (extra != 0) { + req.returnValues().add(new Int32Value(value)); + } + if (error != 0) { + req.setError(error, "Custom error"); + } + } + } + } diff --git a/jrt/tests/com/yahoo/jrt/InvokeSyncTest.java b/jrt/tests/com/yahoo/jrt/InvokeSyncTest.java index ca7d0db129d..ec196bea47c 100644 --- a/jrt/tests/com/yahoo/jrt/InvokeSyncTest.java +++ b/jrt/tests/com/yahoo/jrt/InvokeSyncTest.java @@ -12,6 +12,7 @@ import java.io.IOException; import java.io.PrintStream; import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertFalse; import static org.junit.Assert.assertTrue; @@ -21,6 +22,7 @@ public class InvokeSyncTest { Acceptor acceptor; Supervisor client; Target target; + SimpleRequestAccessFilter filter; @Before public void setUp() throws ListenFailedException { 
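Review bot: `boolean invoked = false;` in `RpcTestMethod` is written on the transport thread inside `invoke` and read on the test thread by `assertFalse(testMethod.invoked)`, but unlike the `volatile` flags in `SimpleRequestAccessFilter` it is a plain field. The completion of `invokeSync` most likely establishes the happens-before edge, yet the two test helpers should use the same discipline: `volatile boolean invoked = false;`. `testFilterFailsRequest` itself is a good test — it pins the error code, the message and, importantly, that the handler was never reached when the filter denies.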
@@ -28,11 +30,13 @@ public class InvokeSyncTest { client = new Supervisor(new Transport()); acceptor = server.listen(new Spec(0)); target = client.connect(new Spec("localhost", acceptor.port())); + filter = new SimpleRequestAccessFilter(); server.addMethod(new Method("concat", "ss", "s", this::rpc_concat) .methodDesc("Concatenate 2 strings") .paramDesc(0, "str1", "a string") .paramDesc(1, "str2", "another string") - .returnDesc(0, "ret", "str1 followed by str2")); + .returnDesc(0, "ret", "str1 followed by str2") + .requestAccessFilter(filter)); server.addMethod(new Method("alltypes", "bhilfds", "s", this::rpc_alltypes) .methodDesc("Method taking all types of params")); } @@ -84,4 +88,17 @@ public class InvokeSyncTest { assertEquals(baos.toString(), "This was alltypes. The string param was: baz\n"); } + @org.junit.Test + public void testFilterIsInvoked() { + Request req = new Request("concat"); + req.parameters().add(new StringValue("abc")); + req.parameters().add(new StringValue("def")); + assertFalse(filter.invoked); + target.invokeSync(req, 10); + assertFalse(req.isError()); + assertEquals("abcdef", req.returnValues().get(0).asString()); + assertTrue(filter.invoked); + } + + } diff --git a/jrt/tests/com/yahoo/jrt/SimpleRequestAccessFilter.java b/jrt/tests/com/yahoo/jrt/SimpleRequestAccessFilter.java new file mode 100644 index 00000000000..38d59720848 --- /dev/null +++ b/jrt/tests/com/yahoo/jrt/SimpleRequestAccessFilter.java @@ -0,0 +1,9 @@ +package com.yahoo.jrt;// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. + +/** + * @author bjorncs + */ +class SimpleRequestAccessFilter implements RequestAccessFilter { + volatile boolean invoked = false, allowed = true; + @Override public boolean allow(Request r) { invoked = true; return allowed; } +} 
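Review bot: In the new file SimpleRequestAccessFilter.java the license header is glued onto the package declaration, `package com.yahoo.jrt;// Copyright Yahoo. ...`, whereas every other file in this change puts `// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.` on its own first line before `package`. Splitting it into two lines keeps the header greppable and consistent. The filter body itself is fine for a test double; a one-line class Javadoc such as `/** Test filter that records whether allow() was called and returns the configurable allowed flag. */` would replace the bare `@author` tag.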
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/AutoReloadingX509KeyManager.java b/security-utils/src/main/java/com/yahoo/security/AutoReloadingX509KeyManager.java index 259d4b50d3f..243343240cb 100644 --- a/security-utils/src/main/java/com/yahoo/security/tls/AutoReloadingX509KeyManager.java +++ b/security-utils/src/main/java/com/yahoo/security/AutoReloadingX509KeyManager.java @@ -1,11 +1,5 @@ // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.security.tls; - -import com.yahoo.security.KeyStoreBuilder; -import com.yahoo.security.KeyStoreType; -import com.yahoo.security.KeyUtils; -import com.yahoo.security.X509CertificateUtils; -import com.yahoo.security.X509CertificateWithKey; +package com.yahoo.security; import javax.net.ssl.SSLEngine; import javax.net.ssl.X509ExtendedKeyManager; diff --git a/security-utils/src/main/java/com/yahoo/security/tls/KeyManagerUtils.java b/security-utils/src/main/java/com/yahoo/security/KeyManagerUtils.java index c9216d7273c..5611ef5162b 100644 --- a/security-utils/src/main/java/com/yahoo/security/tls/KeyManagerUtils.java +++ b/security-utils/src/main/java/com/yahoo/security/KeyManagerUtils.java @@ -1,8 +1,5 @@ // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.security.tls; - -import com.yahoo.security.KeyStoreBuilder; -import com.yahoo.security.KeyStoreType; +package com.yahoo.security; import javax.net.ssl.KeyManager; import javax.net.ssl.KeyManagerFactory; diff --git a/security-utils/src/main/java/com/yahoo/security/tls/MutableX509KeyManager.java b/security-utils/src/main/java/com/yahoo/security/MutableX509KeyManager.java index 6d784efc3e8..3ba6c8f2723 100644 --- a/security-utils/src/main/java/com/yahoo/security/tls/MutableX509KeyManager.java +++ b/security-utils/src/main/java/com/yahoo/security/MutableX509KeyManager.java 
@@ -1,5 +1,5 @@ // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.security.tls; +package com.yahoo.security; import javax.net.ssl.SSLEngine; import javax.net.ssl.X509ExtendedKeyManager; diff --git a/security-utils/src/main/java/com/yahoo/security/tls/MutableX509TrustManager.java b/security-utils/src/main/java/com/yahoo/security/MutableX509TrustManager.java index 6db43ef94a9..afbd0a6fa86 100644 --- a/security-utils/src/main/java/com/yahoo/security/tls/MutableX509TrustManager.java +++ b/security-utils/src/main/java/com/yahoo/security/MutableX509TrustManager.java @@ -1,5 +1,5 @@ // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.security.tls; +package com.yahoo.security; import javax.net.ssl.SSLEngine; import javax.net.ssl.X509ExtendedTrustManager; diff --git a/security-utils/src/main/java/com/yahoo/security/Pkcs10CsrBuilder.java b/security-utils/src/main/java/com/yahoo/security/Pkcs10CsrBuilder.java index 9b999e056e0..d7353711a2a 100644 --- a/security-utils/src/main/java/com/yahoo/security/Pkcs10CsrBuilder.java +++ b/security-utils/src/main/java/com/yahoo/security/Pkcs10CsrBuilder.java @@ -21,7 +21,7 @@ import java.security.KeyPair; import java.util.ArrayList; import java.util.List; -import static com.yahoo.security.SubjectAlternativeName.Type.DNS_NAME; +import static com.yahoo.security.SubjectAlternativeName.Type.DNS; /** * @author bjorncs @@ -49,7 +49,7 @@ public class Pkcs10CsrBuilder { } public Pkcs10CsrBuilder addSubjectAlternativeName(String dns) { - this.subjectAlternativeNames.add(new SubjectAlternativeName(DNS_NAME, dns)); + this.subjectAlternativeNames.add(new SubjectAlternativeName(DNS, dns)); return this; } diff --git a/security-utils/src/main/java/com/yahoo/security/SslContextBuilder.java b/security-utils/src/main/java/com/yahoo/security/SslContextBuilder.java index 5c16e4ed70d..d91c47e5eed 100644 
--- a/security-utils/src/main/java/com/yahoo/security/SslContextBuilder.java +++ b/security-utils/src/main/java/com/yahoo/security/SslContextBuilder.java @@ -1,10 +1,6 @@ // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. package com.yahoo.security; -import com.yahoo.security.tls.KeyManagerUtils; -import com.yahoo.security.tls.TlsContext; -import com.yahoo.security.tls.TrustManagerUtils; - import javax.net.ssl.KeyManager; import javax.net.ssl.SSLContext; import javax.net.ssl.TrustManager; @@ -133,7 +129,7 @@ public class SslContextBuilder { public SSLContext build() { try { - SSLContext sslContext = SSLContext.getInstance(TlsContext.SSL_CONTEXT_VERSION); + SSLContext sslContext = SSLContext.getInstance("TLS"); X509ExtendedTrustManager trustManager = this.trustManager != null ? this.trustManager : trustManagerFactory.createTrustManager(trustStoreSupplier.get()); diff --git a/security-utils/src/main/java/com/yahoo/security/SubjectAlternativeName.java b/security-utils/src/main/java/com/yahoo/security/SubjectAlternativeName.java index 92dd41f7f88..c01de58987c 100644 --- a/security-utils/src/main/java/com/yahoo/security/SubjectAlternativeName.java +++ b/security-utils/src/main/java/com/yahoo/security/SubjectAlternativeName.java @@ -99,15 +99,15 @@ public class SubjectAlternativeName { } public enum Type { - OTHER_NAME(0), - RFC822_NAME(1), - DNS_NAME(2), - X400_ADDRESS(3), - DIRECTORY_NAME(4), - EDI_PARITY_NAME(5), - UNIFORM_RESOURCE_IDENTIFIER(6), - IP_ADDRESS(7), - REGISTERED_ID(8); + OTHER(0), + EMAIL(1), + DNS(2), + X400(3), + DIRECTORY(4), + EDI_PARITY(5), + URI(6), + IP(7), + REGISTERED(8); final int tag; diff --git a/security-utils/src/main/java/com/yahoo/security/tls/TrustAllX509TrustManager.java b/security-utils/src/main/java/com/yahoo/security/TrustAllX509TrustManager.java index b0303620cf7..89a737b1ef7 100644 --- a/security-utils/src/main/java/com/yahoo/security/tls/TrustAllX509TrustManager.java 
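Review bot: `SSLContext.getInstance("TLS")` in `build()` replaces the shared `TlsContext.SSL_CONTEXT_VERSION` constant with a bare literal, so the protocol selection in this builder can now drift silently from whatever TlsContext configures. With the `"TLS"` algorithm the provider's default set of enabled protocol versions applies unless it is narrowed later on the engine or socket; whether the callers of this builder do that is not visible from the hunk. A comment on the line would make the expectation explicit: `// "TLS" = provider default protocol set; enabled versions/ciphers are expected to be restricted on the SSLEngine by the owning TlsContext`, or keep a `private static final String SSL_CONTEXT_ALGORITHM = "TLS";` in this class so the value has one named home.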
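Review bot: `EDI_PARITY(5)` carries the existing misspelling into the renamed constant; tag 5 of the X.509 GeneralName choice is `ediPartyName` (EDI party), so while every constant of `SubjectAlternativeName.Type` is being renamed anyway this is the moment to make it `EDI_PARTY(5)`. These are public enum constants and no deprecated aliases are left behind, so any external user of the old names breaks at compile time; a short Javadoc on `Type` mapping each constant to its GeneralName tag would at least make the renamed set self-explaining.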
+++ b/security-utils/src/main/java/com/yahoo/security/TrustAllX509TrustManager.java @@ -1,5 +1,5 @@ // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.security.tls; +package com.yahoo.security; import javax.net.ssl.SSLEngine; import javax.net.ssl.X509ExtendedTrustManager; diff --git a/security-utils/src/main/java/com/yahoo/security/tls/TrustManagerUtils.java b/security-utils/src/main/java/com/yahoo/security/TrustManagerUtils.java index 4172e337789..bb852ee89a3 100644 --- a/security-utils/src/main/java/com/yahoo/security/tls/TrustManagerUtils.java +++ b/security-utils/src/main/java/com/yahoo/security/TrustManagerUtils.java @@ -1,5 +1,5 @@ // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.security.tls; +package com.yahoo.security; import com.yahoo.security.KeyStoreBuilder; import com.yahoo.security.KeyStoreType; diff --git a/security-utils/src/main/java/com/yahoo/security/X509CertificateBuilder.java b/security-utils/src/main/java/com/yahoo/security/X509CertificateBuilder.java index 6ec10a2f803..f59d34ebb10 100644 --- a/security-utils/src/main/java/com/yahoo/security/X509CertificateBuilder.java +++ b/security-utils/src/main/java/com/yahoo/security/X509CertificateBuilder.java @@ -28,7 +28,7 @@ import java.util.ArrayList; import java.util.Date; import java.util.List; -import static com.yahoo.security.SubjectAlternativeName.Type.DNS_NAME; +import static com.yahoo.security.SubjectAlternativeName.Type.DNS; /** @@ -116,7 +116,7 @@ public class X509CertificateBuilder { } public X509CertificateBuilder addSubjectAlternativeName(String dnsName) { - this.subjectAlternativeNames.add(new SubjectAlternativeName(DNS_NAME, dnsName)); + this.subjectAlternativeNames.add(new SubjectAlternativeName(DNS, dnsName)); return this; } 
diff --git a/security-utils/src/main/java/com/yahoo/security/X509CertificateUtils.java b/security-utils/src/main/java/com/yahoo/security/X509CertificateUtils.java index f9f23ee1eb2..feb3b4df3e0 100644 --- a/security-utils/src/main/java/com/yahoo/security/X509CertificateUtils.java +++ b/security-utils/src/main/java/com/yahoo/security/X509CertificateUtils.java @@ -32,10 +32,10 @@ import java.security.cert.CertificateException; import java.security.cert.X509Certificate; import java.time.Duration; import java.time.Instant; -import java.time.temporal.ChronoUnit; import java.util.ArrayList; import java.util.Collections; import java.util.List; +import java.util.Optional; import java.util.Random; import static com.yahoo.security.Extension.SUBJECT_ALTERNATIVE_NAMES; @@ -115,6 +115,12 @@ public class X509CertificateUtils { return getCommonNames(certificate.getSubjectX500Principal()); } + public static Optional<String> getSubjectCommonName(X509Certificate c) { + List<String> names = getSubjectCommonNames(c); + if (names.isEmpty()) return Optional.empty(); + return Optional.of(names.get(names.size() - 1)); + } + public static List<String> getIssuerCommonNames(X509Certificate certificate) { return getCommonNames(certificate.getIssuerX500Principal()); } diff --git a/security-utils/src/main/java/com/yahoo/security/tls/policy/AuthorizedPeers.java b/security-utils/src/main/java/com/yahoo/security/tls/AuthorizedPeers.java index 5e49a5b341c..9631ab32334 100644 --- a/security-utils/src/main/java/com/yahoo/security/tls/policy/AuthorizedPeers.java +++ b/security-utils/src/main/java/com/yahoo/security/tls/AuthorizedPeers.java @@ -1,5 +1,5 @@ // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.security.tls.policy; +package com.yahoo.security.tls; import java.util.Set; 
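Review bot: `getSubjectCommonName` silently picks the last of possibly several CN attributes (`names.get(names.size() - 1)`) without saying why; subjects with more than one CN are rare but legal, and since `ConnectionAuthContext.peerCertificateString()` renders a peer's identity from this value in diagnostics, the choice deserves a sentence. Suggested Javadoc: `/** Returns the last CN attribute of the subject DN, in the order produced by getSubjectCommonNames, or empty when the subject has no CN. */`. If "last" is intended to mean "the most specific RDN", say so explicitly, because DN ordering conventions differ between implementations.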
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/policy/Capability.java b/security-utils/src/main/java/com/yahoo/security/tls/Capability.java index 09d4de37831..0ae253985a6 100644 --- a/security-utils/src/main/java/com/yahoo/security/tls/policy/Capability.java +++ b/security-utils/src/main/java/com/yahoo/security/tls/Capability.java @@ -1,5 +1,5 @@ // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.security.tls.policy; +package com.yahoo.security.tls; import java.util.Arrays; diff --git a/security-utils/src/main/java/com/yahoo/security/tls/CapabilityMode.java b/security-utils/src/main/java/com/yahoo/security/tls/CapabilityMode.java new file mode 100644 index 00000000000..c2fa11ce7f7 --- /dev/null +++ b/security-utils/src/main/java/com/yahoo/security/tls/CapabilityMode.java @@ -0,0 +1,26 @@ +// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. +package com.yahoo.security.tls; + +import java.util.Arrays; + +/** + * @author bjorncs + */ +public enum CapabilityMode { + DISABLE("disable"), LOG_ONLY("log_only"), ENFORCE("enforce"); + + private final String configValue; + + CapabilityMode(String configValue) { this.configValue = configValue; } + + public String configValue() { return configValue; } + + /** @return Default value when mode is not explicitly specified */ + public static CapabilityMode defaultValue() { return DISABLE; } + + public static CapabilityMode fromConfigValue(String configValue) { + return Arrays.stream(values()) + .filter(c -> c.configValue.equals(configValue)) + .findFirst().orElseThrow(() -> new IllegalArgumentException("Unknown value: " + configValue)); + } +} diff --git a/security-utils/src/main/java/com/yahoo/security/tls/policy/CapabilitySet.java b/security-utils/src/main/java/com/yahoo/security/tls/CapabilitySet.java index 50de98c621c..ec402719efa 100644 
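Review bot: `CapabilityMode` has no class-level Javadoc and the only documented member is `defaultValue()`, which returns `DISABLE` — so unless the enforcement-mode environment variable is set, capability checks are presumably not applied at all. A fail-open default is a reasonable rollout choice, but it should be stated where a reader looks for it: `/** How capabilities granted by the TLS peer policy are enforced; DISABLE skips the check, LOG_ONLY and ENFORCE as the names suggest. Default when unset is DISABLE. */` (please confirm the LOG_ONLY/ENFORCE semantics, they are not visible here). It is also worth noting in that Javadoc that `fromConfigValue` matches with `equals`, so `ENFORCE` or ` enforce` in the environment is rejected with "Unknown value" rather than silently falling back.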
--- a/security-utils/src/main/java/com/yahoo/security/tls/policy/CapabilitySet.java +++ b/security-utils/src/main/java/com/yahoo/security/tls/CapabilitySet.java @@ -1,5 +1,5 @@ // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.security.tls.policy; +package com.yahoo.security.tls; import java.util.Arrays; import java.util.Collection; @@ -72,6 +72,9 @@ public class CapabilitySet { public boolean hasAll() { return this.caps.equals(ALL_CAPABILITIES.caps); } public boolean hasNone() { return this.caps.equals(NO_CAPABILITIES.caps); } + public boolean has(CapabilitySet caps) { return this.caps.containsAll(caps.caps); } + public boolean has(Collection<Capability> caps) { return this.caps.containsAll(caps); } + public boolean has(Capability... caps) { return this.caps.containsAll(List.of(caps)); } public SortedSet<String> toNames() { return caps.stream().map(Capability::asString).collect(Collectors.toCollection(TreeSet::new)); diff --git a/security-utils/src/main/java/com/yahoo/security/tls/ConfigFileBasedTlsContext.java b/security-utils/src/main/java/com/yahoo/security/tls/ConfigFileBasedTlsContext.java index cc664786734..69635b92e74 100644 --- a/security-utils/src/main/java/com/yahoo/security/tls/ConfigFileBasedTlsContext.java +++ b/security-utils/src/main/java/com/yahoo/security/tls/ConfigFileBasedTlsContext.java @@ -4,9 +4,10 @@ package com.yahoo.security.tls; import com.yahoo.security.KeyStoreBuilder; import com.yahoo.security.KeyStoreType; import com.yahoo.security.KeyUtils; +import com.yahoo.security.MutableX509KeyManager; +import com.yahoo.security.MutableX509TrustManager; import com.yahoo.security.SslContextBuilder; import com.yahoo.security.X509CertificateUtils; -import com.yahoo.security.tls.authz.PeerAuthorizerTrustManager; import javax.net.ssl.SSLContext; import javax.net.ssl.SSLEngine; 
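Review bot: All three new `has(...)` overloads reduce to `containsAll`, so an empty requirement is vacuously satisfied: `has()` with no varargs, `has(Collections.emptyList())` and `has(`an empty CapabilitySet`)` all return true for any set. If these are the methods an authorization check will call, a requirement that is accidentally empty (e.g. from an unfilled config list) grants access; either document it, `/** True if this set contains every capability in {@code caps}; an empty {@code caps} is always satisfied. */`, or reject empty requirements with `IllegalArgumentException` depending on the intended callers. Note also that `List.of(caps)` in the varargs overload throws `NullPointerException` on a null element, which is fine but differs from the `Collection` overload.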
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/ConnectionAuthContext.java b/security-utils/src/main/java/com/yahoo/security/tls/ConnectionAuthContext.java
new file mode 100644
index 00000000000..b4e8878fb01
--- /dev/null
+++ b/security-utils/src/main/java/com/yahoo/security/tls/ConnectionAuthContext.java
@@ -0,0 +1,72 @@
+package com.yahoo.security.tls;
+
+import com.yahoo.security.SubjectAlternativeName;
+import com.yahoo.security.X509CertificateUtils;
+
+import java.security.cert.X509Certificate;
+import java.util.List;
+import java.util.Optional;
+import java.util.Set;
+
+import static com.yahoo.security.SubjectAlternativeName.Type.DNS;
+import static com.yahoo.security.SubjectAlternativeName.Type.URI;
+
+/**
+ * @author bjorncs
+ */
+public record ConnectionAuthContext(List<X509Certificate> peerCertificateChain,
+ CapabilitySet capabilities,
+ Set<String> matchedPolicies) {
+
+ private static final ConnectionAuthContext DEFAULT_ALL_CAPABILITIES = new ConnectionAuthContext(List.of());
+
+ public ConnectionAuthContext {
+ peerCertificateChain = List.copyOf(peerCertificateChain);
+ matchedPolicies = Set.copyOf(matchedPolicies);
+ }
+
+ private ConnectionAuthContext(List<X509Certificate> certs) { this(certs, CapabilitySet.all(), Set.of()); }
+
+ public boolean authorized() { return !capabilities.hasNone(); }
+
+ public Optional<X509Certificate> peerCertificate() {
+ return peerCertificateChain.isEmpty() ? Optional.empty() : Optional.of(peerCertificateChain.get(0));
+ }
+
+ public Optional<String> peerCertificateString() {
+ X509Certificate cert = peerCertificate().orElse(null);
+ if (cert == null) return Optional.empty();
+ StringBuilder b = new StringBuilder("[");
+ String cn = X509CertificateUtils.getSubjectCommonName(cert).orElse(null);
+ if (cn != null) {
+ b.append("CN='").append(cn).append("'");
+ }
+ var sans = X509CertificateUtils.getSubjectAlternativeNames(cert);
+ List<String> dnsNames = sans.stream()
+ .filter(s -> s.getType() == DNS)
+ .map(SubjectAlternativeName::getValue)
+ .toList();
+ if (!dnsNames.isEmpty()) {
+ if (cn != null) b.append(", ");
+ b.append("SAN_DNS=").append(dnsNames);
+ }
+ List<String> uris = sans.stream()
+ .filter(s -> s.getType() == URI)
+ .map(SubjectAlternativeName::getValue)
+ .toList();
+ if (!uris.isEmpty()) {
+ if (cn != null || !dnsNames.isEmpty()) b.append(", ");
+ b.append("SAN_URI=").append(uris);
+ }
+ return Optional.of(b.append("]").toString());
+ }
+
+ /** Construct instance with all capabilities */
+ public static ConnectionAuthContext defaultAllCapabilities() { return DEFAULT_ALL_CAPABILITIES; }
+
+ /** Construct instance with all capabilities */
+ public static ConnectionAuthContext defaultAllCapabilities(List<X509Certificate> certs) {
+ return new ConnectionAuthContext(certs);
+ }
+
+}
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java b/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java
index c2ee573dfc6..88e4f409260 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java
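Review bot: The new record drops the compact-constructor check that the old `authz.ConnectionAuthContext` had (`if (peerCertificateChain.isEmpty()) throw new IllegalArgumentException(...)`), and `DEFAULT_ALL_CAPABILITIES` is exactly that case: an empty chain combined with `CapabilitySet.all()`, for which `authorized()` returns true. So the most privileged context is also the one with no authenticated peer, and nothing in the record says so; a Javadoc on the record along the lines of `An empty peerCertificateChain means no peer certificate was authenticated; such a context may still carry all capabilities (see defaultAllCapabilities), so authorized() must not be read as proof of peer identity.` would prevent callers from conflating the two. The two `defaultAllCapabilities` factories also share the same one-line Javadoc; the no-argument one returns a shared instance with no certificates, which is worth stating. `peerCertificateString()` renders CN and SAN values taken from the peer's certificate, so its output is peer-controlled text intended for diagnostics; a note that callers should not parse it would be useful.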
@@ -2,8 +2,6 @@ package com.yahoo.security.tls; import com.yahoo.security.SslContextBuilder; -import com.yahoo.security.tls.authz.PeerAuthorizerTrustManager; -import com.yahoo.security.tls.policy.AuthorizedPeers; import javax.net.ssl.SSLContext; import javax.net.ssl.SSLEngine; diff --git a/security-utils/src/main/java/com/yahoo/security/tls/policy/GlobPattern.java b/security-utils/src/main/java/com/yahoo/security/tls/GlobPattern.java index 46a38a77844..c945e48a361 100644 --- a/security-utils/src/main/java/com/yahoo/security/tls/policy/GlobPattern.java +++ b/security-utils/src/main/java/com/yahoo/security/tls/GlobPattern.java @@ -1,5 +1,5 @@ // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.security.tls.policy; +package com.yahoo.security.tls; import java.util.Arrays; import java.util.Objects; diff --git a/security-utils/src/main/java/com/yahoo/security/tls/policy/HostGlobPattern.java b/security-utils/src/main/java/com/yahoo/security/tls/HostGlobPattern.java index cb9ba13cae4..7e2c40182f0 100644 --- a/security-utils/src/main/java/com/yahoo/security/tls/policy/HostGlobPattern.java +++ b/security-utils/src/main/java/com/yahoo/security/tls/HostGlobPattern.java @@ -1,5 +1,5 @@ // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.security.tls.policy; +package com.yahoo.security.tls; import java.util.Objects; diff --git a/security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizer.java b/security-utils/src/main/java/com/yahoo/security/tls/PeerAuthorizer.java index a87c578f8c6..5db86fd93bc 100644 --- a/security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizer.java +++ b/security-utils/src/main/java/com/yahoo/security/tls/PeerAuthorizer.java 
@@ -1,12 +1,8 @@ // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.security.tls.authz; +package com.yahoo.security.tls; import com.yahoo.security.SubjectAlternativeName; import com.yahoo.security.X509CertificateUtils; -import com.yahoo.security.tls.policy.AuthorizedPeers; -import com.yahoo.security.tls.policy.CapabilitySet; -import com.yahoo.security.tls.policy.PeerPolicy; -import com.yahoo.security.tls.policy.RequiredPeerCredential; import java.security.cert.X509Certificate; import java.util.HashSet; @@ -15,9 +11,9 @@ import java.util.Optional; import java.util.Set; import java.util.logging.Logger; -import static com.yahoo.security.SubjectAlternativeName.Type.DNS_NAME; -import static com.yahoo.security.SubjectAlternativeName.Type.IP_ADDRESS; -import static com.yahoo.security.SubjectAlternativeName.Type.UNIFORM_RESOURCE_IDENTIFIER; +import static com.yahoo.security.SubjectAlternativeName.Type.DNS; +import static com.yahoo.security.SubjectAlternativeName.Type.IP; +import static com.yahoo.security.SubjectAlternativeName.Type.URI; import static java.util.stream.Collectors.toList; /** @@ -39,9 +35,7 @@ public class PeerAuthorizer { public ConnectionAuthContext authorizePeer(X509Certificate cert) { return authorizePeer(List.of(cert)); } public ConnectionAuthContext authorizePeer(List<X509Certificate> certChain) { - if (authorizedPeers.isEmpty()) { - return new ConnectionAuthContext(certChain, CapabilitySet.all(), Set.of()); - } + if (authorizedPeers.isEmpty()) return ConnectionAuthContext.defaultAllCapabilities(certChain); X509Certificate cert = certChain.get(0); Set<String> matchedPolicies = new HashSet<>(); Set<CapabilitySet> grantedCapabilities = new HashSet<>(); 
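Review bot: Now that `ConnectionAuthContext` accepts an empty chain, the `authorizedPeers.isEmpty()` path in `authorizePeer` returns an all-capabilities context for an empty `certChain` without complaint, while the policy path on the very next line fails with `IndexOutOfBoundsException` from `certChain.get(0)`; the removed record constructor used to reject this uniformly. A guard at the top of the method restores that: `if (certChain.isEmpty()) throw new IllegalArgumentException("Peer certificate chain is empty");`. The body of `authorizePeer` continues outside this hunk, so I cannot see whether a later check covers it.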
@@ -82,7 +76,7 @@ public class PeerAuthorizer { private static List<String> getSubjectAlternativeNames(X509Certificate peerCertificate) { return X509CertificateUtils.getSubjectAlternativeNames(peerCertificate).stream() - .filter(san -> san.getType() == DNS_NAME || san.getType() == IP_ADDRESS || san.getType() == UNIFORM_RESOURCE_IDENTIFIER) + .filter(san -> san.getType() == DNS || san.getType() == IP || san.getType() == URI) .map(SubjectAlternativeName::getValue) .collect(toList()); } diff --git a/security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizerTrustManager.java b/security-utils/src/main/java/com/yahoo/security/tls/PeerAuthorizerTrustManager.java index 334216a2c19..b92cd6c9538 100644 --- a/security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizerTrustManager.java +++ b/security-utils/src/main/java/com/yahoo/security/tls/PeerAuthorizerTrustManager.java @@ -1,12 +1,8 @@ // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.security.tls.authz; +package com.yahoo.security.tls; +import com.yahoo.security.TrustManagerUtils; import com.yahoo.security.X509CertificateUtils; -import com.yahoo.security.tls.AuthorizationMode; -import com.yahoo.security.tls.HostnameVerification; -import com.yahoo.security.tls.TrustManagerUtils; -import com.yahoo.security.tls.policy.AuthorizedPeers; -import com.yahoo.security.tls.policy.CapabilitySet; import javax.net.ssl.SSLEngine; import javax.net.ssl.SSLParameters; @@ -18,7 +14,6 @@ import java.security.cert.CertificateException; import java.security.cert.X509Certificate; import java.util.List; import java.util.Optional; -import java.util.Set; import java.util.logging.Logger; /** 
@@ -110,7 +105,7 @@ public class PeerAuthorizerTrustManager extends X509ExtendedTrustManager { log.fine(() -> "Verifying certificate: " + createInfoString(certChain[0], authType, isVerifyingClient)); ConnectionAuthContext result = mode != AuthorizationMode.DISABLE ? authorizer.authorizePeer(List.of(certChain)) - : new ConnectionAuthContext(List.of(certChain), CapabilitySet.all(), Set.of()); + : ConnectionAuthContext.defaultAllCapabilities(List.of(certChain)); if (sslEngine != null) { // getHandshakeSession() will never return null in this context sslEngine.getHandshakeSession().putValue(HANDSHAKE_SESSION_AUTH_CONTEXT_PROPERTY, result); } diff --git a/security-utils/src/main/java/com/yahoo/security/tls/policy/PeerPolicy.java b/security-utils/src/main/java/com/yahoo/security/tls/PeerPolicy.java index cb39e5e9c3c..ea3d4cfe002 100644 --- a/security-utils/src/main/java/com/yahoo/security/tls/policy/PeerPolicy.java +++ b/security-utils/src/main/java/com/yahoo/security/tls/PeerPolicy.java @@ -1,5 +1,5 @@ // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.security.tls.policy; +package com.yahoo.security.tls; import java.util.List; import java.util.Optional; diff --git a/security-utils/src/main/java/com/yahoo/security/tls/policy/RequiredPeerCredential.java b/security-utils/src/main/java/com/yahoo/security/tls/RequiredPeerCredential.java index 4c96a2935f8..9a18da9dffd 100644 --- a/security-utils/src/main/java/com/yahoo/security/tls/policy/RequiredPeerCredential.java +++ b/security-utils/src/main/java/com/yahoo/security/tls/RequiredPeerCredential.java @@ -1,5 +1,5 @@ // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.security.tls.policy; +package com.yahoo.security.tls; import java.util.Objects; 
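Review bot: The `AuthorizationMode.DISABLE` branch of the ternary hands the peer `ConnectionAuthContext.defaultAllCapabilities(List.of(certChain))`, i.e. with authorization disabled every peer that reaches this point is treated as fully capable, and nothing on the line says that this is the intent rather than a placeholder. A why-comment would make it explicit: `// Authorization disabled: no peer policy is evaluated and the peer is granted all capabilities`. The enclosing method starts and ends outside the hunk, so I am inferring its role from the `log.fine` line and the handshake-session `putValue`.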
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityOptions.java b/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityOptions.java index a8802b7f0d3..4397f27ebb7 100644 --- a/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityOptions.java +++ b/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityOptions.java @@ -1,9 +1,6 @@ // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. package com.yahoo.security.tls; -import com.yahoo.security.tls.json.TransportSecurityOptionsJsonSerializer; -import com.yahoo.security.tls.policy.AuthorizedPeers; - import java.io.ByteArrayInputStream; import java.io.ByteArrayOutputStream; import java.io.IOException; diff --git a/security-utils/src/main/java/com/yahoo/security/tls/json/TransportSecurityOptionsEntity.java b/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityOptionsEntity.java index b80a7e4f2fb..f1799a64a57 100644 --- a/security-utils/src/main/java/com/yahoo/security/tls/json/TransportSecurityOptionsEntity.java +++ b/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityOptionsEntity.java @@ -1,5 +1,5 @@ // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.security.tls.json; +package com.yahoo.security.tls; import com.fasterxml.jackson.annotation.JsonIgnoreProperties; import com.fasterxml.jackson.annotation.JsonInclude; diff --git a/security-utils/src/main/java/com/yahoo/security/tls/json/TransportSecurityOptionsJsonSerializer.java b/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityOptionsJsonSerializer.java index fcd84056212..0349d4085db 100644 --- a/security-utils/src/main/java/com/yahoo/security/tls/json/TransportSecurityOptionsJsonSerializer.java +++ b/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityOptionsJsonSerializer.java 
@@ -1,16 +1,11 @@ // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.security.tls.json; +package com.yahoo.security.tls; import com.fasterxml.jackson.databind.ObjectMapper; -import com.yahoo.security.tls.TransportSecurityOptions; -import com.yahoo.security.tls.json.TransportSecurityOptionsEntity.AuthorizedPeer; -import com.yahoo.security.tls.json.TransportSecurityOptionsEntity.CredentialField; -import com.yahoo.security.tls.json.TransportSecurityOptionsEntity.Files; -import com.yahoo.security.tls.json.TransportSecurityOptionsEntity.RequiredCredential; -import com.yahoo.security.tls.policy.AuthorizedPeers; -import com.yahoo.security.tls.policy.CapabilitySet; -import com.yahoo.security.tls.policy.PeerPolicy; -import com.yahoo.security.tls.policy.RequiredPeerCredential; +import com.yahoo.security.tls.TransportSecurityOptionsEntity.AuthorizedPeer; +import com.yahoo.security.tls.TransportSecurityOptionsEntity.CredentialField; +import com.yahoo.security.tls.TransportSecurityOptionsEntity.Files; +import com.yahoo.security.tls.TransportSecurityOptionsEntity.RequiredCredential; import java.io.IOException; import java.io.InputStream; @@ -29,11 +24,11 @@ import static java.util.stream.Collectors.toSet; /** * @author bjorncs */ -public class TransportSecurityOptionsJsonSerializer { +class TransportSecurityOptionsJsonSerializer { private static final ObjectMapper mapper = new ObjectMapper(); - public TransportSecurityOptions deserialize(InputStream in) { + TransportSecurityOptions deserialize(InputStream in) { try { TransportSecurityOptionsEntity entity = mapper.readValue(in, TransportSecurityOptionsEntity.class); return toTransportSecurityOptions(entity); 
@@ -42,7 +37,7 @@ public class TransportSecurityOptionsJsonSerializer {
 }
 }
- public void serialize(OutputStream out, TransportSecurityOptions options) {
+ void serialize(OutputStream out, TransportSecurityOptions options) {
 try {
 mapper.writerWithDefaultPrettyPrinter().writeValue(out, toTransportSecurityOptionsEntity(options));
 } catch (IOException e) {
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityUtils.java b/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityUtils.java
index cbd3857d2d5..21d97613f95 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityUtils.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityUtils.java
@@ -18,6 +18,7 @@ public class TransportSecurityUtils {
 public static final String CONFIG_FILE_ENVIRONMENT_VARIABLE = "VESPA_TLS_CONFIG_FILE";
 public static final String INSECURE_MIXED_MODE_ENVIRONMENT_VARIABLE = "VESPA_TLS_INSECURE_MIXED_MODE";
 public static final String INSECURE_AUTHORIZATION_MODE_ENVIRONMENT_VARIABLE = "VESPA_TLS_INSECURE_AUTHORIZATION_MODE";
+ public static final String CAPABILITIES_ENV_VAR = "VESPA_TLS_CAPABILITIES_ENFORCEMENT_MODE";
 private TransportSecurityUtils() {}
@@ -49,6 +50,12 @@ public class TransportSecurityUtils {
 .orElse(AuthorizationMode.defaultValue());
 }
+ public static CapabilityMode getCapabilityMode() {
+ return getEnvironmentVariable(System.getenv(), CAPABILITIES_ENV_VAR)
+ .map(CapabilityMode::fromConfigValue)
+ .orElse(CapabilityMode.defaultValue());
+ }
+
 public static Optional<Path> getConfigFile() {
 return getConfigFile(System.getenv());
 }
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/policy/UriGlobPattern.java b/security-utils/src/main/java/com/yahoo/security/tls/UriGlobPattern.java
index b2cc0688bb9..18d18a5ab3c 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/policy/UriGlobPattern.java
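Review bot: `CAPABILITIES_ENV_VAR` breaks the naming used by the three constants directly above it, which all end in `_ENVIRONMENT_VARIABLE`; since the constant is public and new in this commit, renaming it now is cheap, e.g. `public static final String CAPABILITIES_ENFORCEMENT_MODE_ENVIRONMENT_VARIABLE = "VESPA_TLS_CAPABILITIES_ENFORCEMENT_MODE";`. The variable name suggests it selects how strictly capability checks are enforced, so a short Javadoc listing the accepted values and the default would help whoever sets it; those values are not visible in this diff, so I cannot propose the text.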
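Review bot: `getCapabilityMode()` calls `System.getenv()` directly and has no overload that takes the environment map, while `getConfigFile()` right below it delegates to `getConfigFile(System.getenv())`, so the new parsing path can only be exercised by changing the real process environment. Splitting it the same way keeps the public signature and makes the fallback to `CapabilityMode.defaultValue()` testable; the existing `getConfigFile(System.getenv())` call suggests `Map` is already in scope, but confirm. What `CapabilityMode.fromConfigValue` does with an unrecognised string is outside this diff; because this value appears to govern how strictly peer capabilities are enforced, it is worth stating on the method whether a bad value fails closed or is mapped to the default.
```java
public static CapabilityMode getCapabilityMode() { return getCapabilityMode(System.getenv()); }

static CapabilityMode getCapabilityMode(Map<String, String> env) {
    return getEnvironmentVariable(env, CAPABILITIES_ENV_VAR)
            .map(CapabilityMode::fromConfigValue)
            .orElse(CapabilityMode.defaultValue());
}
```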
+++ b/security-utils/src/main/java/com/yahoo/security/tls/UriGlobPattern.java
@@ -1,5 +1,5 @@
 // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.security.tls.policy;
+package com.yahoo.security.tls;
 import java.util.Objects;
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/authz/ConnectionAuthContext.java b/security-utils/src/main/java/com/yahoo/security/tls/authz/ConnectionAuthContext.java
deleted file mode 100644
index 877ba4e74bd..00000000000
--- a/security-utils/src/main/java/com/yahoo/security/tls/authz/ConnectionAuthContext.java
+++ /dev/null
@@ -1,26 +0,0 @@
-package com.yahoo.security.tls.authz;
-
-import com.yahoo.security.tls.policy.CapabilitySet;
-
-import java.security.cert.X509Certificate;
-import java.util.List;
-import java.util.Set;
-
-/**
- * @author bjorncs
- */
-public record ConnectionAuthContext(List<X509Certificate> peerCertificateChain,
- CapabilitySet capabilities,
- Set<String> matchedPolicies) {
-
- public ConnectionAuthContext {
- if (peerCertificateChain.isEmpty()) throw new IllegalArgumentException("Peer certificate chain is empty");
- peerCertificateChain = List.copyOf(peerCertificateChain);
- matchedPolicies = Set.copyOf(matchedPolicies);
- }
-
- public boolean authorized() { return !capabilities.hasNone(); }
-
- public X509Certificate peerCertificate() { return peerCertificateChain.get(0); }
-
-}
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/authz/package-info.java b/security-utils/src/main/java/com/yahoo/security/tls/authz/package-info.java
deleted file mode 100644
index 5066026757d..00000000000
--- a/security-utils/src/main/java/com/yahoo/security/tls/authz/package-info.java
+++ /dev/null
@@ -1,8 +0,0 @@
-// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-/**
- * @author bjorncs
- */
-@ExportPackage
-package com.yahoo.security.tls.authz;
-
-import com.yahoo.osgi.annotation.ExportPackage;
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/https/package-info.java b/security-utils/src/main/java/com/yahoo/security/tls/https/package-info.java
deleted file mode 100644
index 91a1672e19f..00000000000
--- a/security-utils/src/main/java/com/yahoo/security/tls/https/package-info.java
+++ /dev/null
@@ -1,8 +0,0 @@
-// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-/**
- * @author bjorncs
- */
-@ExportPackage
-package com.yahoo.security.tls.https;
-
-import com.yahoo.osgi.annotation.ExportPackage;
\ No newline at end of file
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/json/package-info.java b/security-utils/src/main/java/com/yahoo/security/tls/json/package-info.java
deleted file mode 100644
index be7ec33bf04..00000000000
--- a/security-utils/src/main/java/com/yahoo/security/tls/json/package-info.java
+++ /dev/null
@@ -1,8 +0,0 @@
-// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-/**
- * @author bjorncs
- */
-@ExportPackage
-package com.yahoo.security.tls.json;
-
-import com.yahoo.osgi.annotation.ExportPackage;
\ No newline at end of file
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/policy/package-info.java b/security-utils/src/main/java/com/yahoo/security/tls/policy/package-info.java
deleted file mode 100644
index 61ce90654f8..00000000000
--- a/security-utils/src/main/java/com/yahoo/security/tls/policy/package-info.java
+++ /dev/null
@@ -1,8 +0,0 @@
-// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-/**
- * @author bjorncs
- */
-@ExportPackage
-package com.yahoo.security.tls.policy;
-
-import com.yahoo.osgi.annotation.ExportPackage;
\ No newline at end of file
diff --git a/security-utils/src/test/java/com/yahoo/security/tls/AutoReloadingX509KeyManagerTest.java b/security-utils/src/test/java/com/yahoo/security/AutoReloadingX509KeyManagerTest.java
index f5bc2a9c84e..5bde63598c0 100644
--- a/security-utils/src/test/java/com/yahoo/security/tls/AutoReloadingX509KeyManagerTest.java
+++ b/security-utils/src/test/java/com/yahoo/security/AutoReloadingX509KeyManagerTest.java
@@ -1,6 +1,7 @@
 // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.security.tls;
+package com.yahoo.security;
+import com.yahoo.security.AutoReloadingX509KeyManager;
 import com.yahoo.security.KeyAlgorithm;
 import com.yahoo.security.KeyUtils;
 import com.yahoo.security.SignatureAlgorithm;
diff --git a/security-utils/src/test/java/com/yahoo/security/tls/MutableX509KeyManagerTest.java b/security-utils/src/test/java/com/yahoo/security/MutableX509KeyManagerTest.java
index 3f45d22d8ed..871b0937f18 100644
--- a/security-utils/src/test/java/com/yahoo/security/tls/MutableX509KeyManagerTest.java
+++ b/security-utils/src/test/java/com/yahoo/security/MutableX509KeyManagerTest.java
@@ -1,10 +1,11 @@
 // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.security.tls;
+package com.yahoo.security;
 import com.yahoo.security.KeyAlgorithm;
 import com.yahoo.security.KeyStoreBuilder;
 import com.yahoo.security.KeyStoreType;
 import com.yahoo.security.KeyUtils;
+import com.yahoo.security.MutableX509KeyManager;
 import com.yahoo.security.SignatureAlgorithm;
 import com.yahoo.security.X509CertificateBuilder;
 import org.junit.Test;
diff --git a/security-utils/src/test/java/com/yahoo/security/tls/MutableX509TrustManagerTest.java b/security-utils/src/test/java/com/yahoo/security/MutableX509TrustManagerTest.java
index 1d04ed86322..489aa7eb4da 100644
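Review bot: `+import com.yahoo.security.AutoReloadingX509KeyManager;` is a redundant import, because the same hunk moves the file into `package com.yahoo.security;`, where that class is visible without any import. The MutableX509KeyManagerTest hunk on this same line adds `import com.yahoo.security.MutableX509KeyManager;` under the same package declaration, and the AuthorizedPeersTest hunk further down adds `import com.yahoo.security.tls.PeerPolicy;` and `import com.yahoo.security.tls.RequiredPeerCredential;` under `package com.yahoo.security.tls;`. All four added lines can simply be dropped; they look like leftovers of the IDE move refactoring.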
--- a/security-utils/src/test/java/com/yahoo/security/tls/MutableX509TrustManagerTest.java
+++ b/security-utils/src/test/java/com/yahoo/security/MutableX509TrustManagerTest.java
@@ -1,12 +1,6 @@
 // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.security.tls;
-
-import com.yahoo.security.KeyAlgorithm;
-import com.yahoo.security.KeyStoreBuilder;
-import com.yahoo.security.KeyStoreType;
-import com.yahoo.security.KeyUtils;
-import com.yahoo.security.SignatureAlgorithm;
-import com.yahoo.security.X509CertificateBuilder;
+package com.yahoo.security;
+
 import org.junit.Test;
 import javax.security.auth.x500.X500Principal;
diff --git a/security-utils/src/test/java/com/yahoo/security/Pkcs10CsrTest.java b/security-utils/src/test/java/com/yahoo/security/Pkcs10CsrTest.java
index 6dd5eb52373..d03c52027bf 100644
--- a/security-utils/src/test/java/com/yahoo/security/Pkcs10CsrTest.java
+++ b/security-utils/src/test/java/com/yahoo/security/Pkcs10CsrTest.java
@@ -8,7 +8,7 @@ import java.security.KeyPair;
 import java.util.Arrays;
 import java.util.List;
-import static com.yahoo.security.SubjectAlternativeName.Type.DNS_NAME;
+import static com.yahoo.security.SubjectAlternativeName.Type.DNS;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertTrue;
@@ -21,8 +21,8 @@ public class Pkcs10CsrTest {
 public void can_read_subject_alternative_names() {
 X500Principal subject = new X500Principal("CN=subject");
 KeyPair keypair = KeyUtils.generateKeypair(KeyAlgorithm.EC, 256);
- SubjectAlternativeName san1 = new SubjectAlternativeName(DNS_NAME, "san1.com");
- SubjectAlternativeName san2 = new SubjectAlternativeName(DNS_NAME, "san2.com");
+ SubjectAlternativeName san1 = new SubjectAlternativeName(DNS, "san1.com");
+ SubjectAlternativeName san2 = new SubjectAlternativeName(DNS, "san2.com");
 Pkcs10Csr csr = Pkcs10CsrBuilder.fromKeypair(subject, keypair, SignatureAlgorithm.SHA512_WITH_ECDSA)
 .addSubjectAlternativeName(san1)
 .addSubjectAlternativeName(san2)
diff --git a/security-utils/src/test/java/com/yahoo/security/X509CertificateUtilsTest.java b/security-utils/src/test/java/com/yahoo/security/X509CertificateUtilsTest.java
index b2e800542b8..6bb87554de3 100644
--- a/security-utils/src/test/java/com/yahoo/security/X509CertificateUtilsTest.java
+++ b/security-utils/src/test/java/com/yahoo/security/X509CertificateUtilsTest.java
@@ -12,7 +12,7 @@ import java.time.temporal.ChronoUnit;
 import java.util.Arrays;
 import java.util.List;
-import static com.yahoo.security.SubjectAlternativeName.Type.DNS_NAME;
+import static com.yahoo.security.SubjectAlternativeName.Type.DNS;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
@@ -54,7 +54,7 @@ public class X509CertificateUtilsTest {
 public void can_list_subject_alternative_names() {
 KeyPair keypair = KeyUtils.generateKeypair(KeyAlgorithm.EC, 256);
 X500Principal subject = new X500Principal("CN=myservice");
- SubjectAlternativeName san = new SubjectAlternativeName(DNS_NAME, "dns-san");
+ SubjectAlternativeName san = new SubjectAlternativeName(DNS, "dns-san");
 X509Certificate cert = X509CertificateBuilder
 .fromKeypair(
 keypair,
diff --git a/security-utils/src/test/java/com/yahoo/security/tls/policy/AuthorizedPeersTest.java b/security-utils/src/test/java/com/yahoo/security/tls/AuthorizedPeersTest.java
index 3ad826d3996..e4c530dbb0b 100644
--- a/security-utils/src/test/java/com/yahoo/security/tls/policy/AuthorizedPeersTest.java
+++ b/security-utils/src/test/java/com/yahoo/security/tls/AuthorizedPeersTest.java
@@ -1,11 +1,13 @@
 // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.security.tls.policy;
+package com.yahoo.security.tls;
+import com.yahoo.security.tls.PeerPolicy;
+import com.yahoo.security.tls.RequiredPeerCredential;
 import org.junit.Test;
 import java.util.HashSet;
-import static com.yahoo.security.tls.policy.RequiredPeerCredential.Field.CN;
+import static com.yahoo.security.tls.RequiredPeerCredential.Field.CN;
 import static java.util.Arrays.asList;
 import static java.util.Collections.singletonList;
diff --git a/security-utils/src/test/java/com/yahoo/security/tls/policy/CapabilitySetTest.java b/security-utils/src/test/java/com/yahoo/security/tls/CapabilitySetTest.java
index 429e5b24513..87b16dbff1f 100644
--- a/security-utils/src/test/java/com/yahoo/security/tls/policy/CapabilitySetTest.java
+++ b/security-utils/src/test/java/com/yahoo/security/tls/CapabilitySetTest.java
@@ -1,5 +1,5 @@
 // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.security.tls.policy;
+package com.yahoo.security.tls;
 import org.junit.jupiter.api.Test;
diff --git a/security-utils/src/test/java/com/yahoo/security/tls/DefaultTlsContextTest.java b/security-utils/src/test/java/com/yahoo/security/tls/DefaultTlsContextTest.java
index 358929606cd..b6c40a0c2e1 100644
--- a/security-utils/src/test/java/com/yahoo/security/tls/DefaultTlsContextTest.java
+++ b/security-utils/src/test/java/com/yahoo/security/tls/DefaultTlsContextTest.java
@@ -3,9 +3,6 @@ package com.yahoo.security.tls;
 import com.yahoo.security.KeyUtils;
 import com.yahoo.security.X509CertificateBuilder;
-import com.yahoo.security.tls.policy.AuthorizedPeers;
-import com.yahoo.security.tls.policy.PeerPolicy;
-import com.yahoo.security.tls.policy.RequiredPeerCredential;
 import org.junit.Test;
 import javax.net.ssl.SSLEngine;
diff --git a/security-utils/src/test/java/com/yahoo/security/tls/policy/GlobPatternTest.java b/security-utils/src/test/java/com/yahoo/security/tls/GlobPatternTest.java
index 4350aa2b0a9..a93bffe6961 100644
--- a/security-utils/src/test/java/com/yahoo/security/tls/policy/GlobPatternTest.java
+++ b/security-utils/src/test/java/com/yahoo/security/tls/GlobPatternTest.java
@@ -1,5 +1,5 @@
 // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.security.tls.policy;
+package com.yahoo.security.tls;
 import org.junit.jupiter.api.Test;
diff --git a/security-utils/src/test/java/com/yahoo/security/tls/policy/HostGlobPatternTest.java b/security-utils/src/test/java/com/yahoo/security/tls/HostGlobPatternTest.java
index a42eaaf74b0..a5628a637f8 100644
--- a/security-utils/src/test/java/com/yahoo/security/tls/policy/HostGlobPatternTest.java
+++ b/security-utils/src/test/java/com/yahoo/security/tls/HostGlobPatternTest.java
@@ -1,5 +1,5 @@
 // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.security.tls.policy;
+package com.yahoo.security.tls;
 import org.junit.Test;
diff --git a/security-utils/src/test/java/com/yahoo/security/tls/authz/PeerAuthorizerTest.java b/security-utils/src/test/java/com/yahoo/security/tls/PeerAuthorizerTest.java
index 3791aed4155..94b0dc4f83e 100644
--- a/security-utils/src/test/java/com/yahoo/security/tls/authz/PeerAuthorizerTest.java
+++ b/security-utils/src/test/java/com/yahoo/security/tls/PeerAuthorizerTest.java
@@ -1,16 +1,11 @@
 // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.security.tls.authz;
+package com.yahoo.security.tls;
 import com.yahoo.security.KeyAlgorithm;
 import com.yahoo.security.KeyUtils;
 import com.yahoo.security.SubjectAlternativeName.Type;
 import com.yahoo.security.X509CertificateBuilder;
-import com.yahoo.security.tls.policy.AuthorizedPeers;
-import com.yahoo.security.tls.policy.Capability;
-import com.yahoo.security.tls.policy.CapabilitySet;
-import com.yahoo.security.tls.policy.PeerPolicy;
-import com.yahoo.security.tls.policy.RequiredPeerCredential;
-import com.yahoo.security.tls.policy.RequiredPeerCredential.Field;
+import com.yahoo.security.tls.RequiredPeerCredential.Field;
 import org.junit.Test;
 import javax.security.auth.x500.X500Principal;
@@ -25,9 +20,9 @@ import java.util.Optional;
 import java.util.Set;
 import static com.yahoo.security.SignatureAlgorithm.SHA256_WITH_ECDSA;
-import static com.yahoo.security.tls.policy.RequiredPeerCredential.Field.CN;
-import static com.yahoo.security.tls.policy.RequiredPeerCredential.Field.SAN_DNS;
-import static com.yahoo.security.tls.policy.RequiredPeerCredential.Field.SAN_URI;
+import static com.yahoo.security.tls.RequiredPeerCredential.Field.CN;
+import static com.yahoo.security.tls.RequiredPeerCredential.Field.SAN_DNS;
+import static com.yahoo.security.tls.RequiredPeerCredential.Field.SAN_URI;
 import static java.util.Arrays.asList;
 import static java.util.Collections.emptyList;
 import static java.util.Collections.singletonList;
@@ -136,8 +131,8 @@ public class PeerAuthorizerTest {
 Instant.EPOCH.plus(100000, ChronoUnit.DAYS),
 SHA256_WITH_ECDSA,
 BigInteger.ONE);
- sanDns.forEach(san -> builder.addSubjectAlternativeName(Type.DNS_NAME, san));
- sanUri.forEach(san -> builder.addSubjectAlternativeName(Type.UNIFORM_RESOURCE_IDENTIFIER, san));
+ sanDns.forEach(san -> builder.addSubjectAlternativeName(Type.DNS, san));
+ sanUri.forEach(san -> builder.addSubjectAlternativeName(Type.URI, san));
 return builder.build();
 }
diff --git a/security-utils/src/test/java/com/yahoo/security/tls/json/TransportSecurityOptionsJsonSerializerTest.java b/security-utils/src/test/java/com/yahoo/security/tls/TransportSecurityOptionsJsonSerializerTest.java
index 852d6ae94c9..476ab689903 100644
--- a/security-utils/src/test/java/com/yahoo/security/tls/json/TransportSecurityOptionsJsonSerializerTest.java
+++ b/security-utils/src/test/java/com/yahoo/security/tls/TransportSecurityOptionsJsonSerializerTest.java
@@ -1,12 +1,6 @@
 // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.security.tls.json;
+package com.yahoo.security.tls;
-import com.yahoo.security.tls.TransportSecurityOptions;
-import com.yahoo.security.tls.policy.AuthorizedPeers;
-import com.yahoo.security.tls.policy.Capability;
-import com.yahoo.security.tls.policy.CapabilitySet;
-import com.yahoo.security.tls.policy.PeerPolicy;
-import com.yahoo.security.tls.policy.RequiredPeerCredential;
 import org.junit.Rule;
 import org.junit.Test;
 import org.junit.rules.TemporaryFolder;
@@ -24,9 +18,9 @@ import java.util.Collections;
 import java.util.LinkedHashSet;
 import java.util.Optional;
-import static com.yahoo.security.tls.policy.RequiredPeerCredential.Field.CN;
-import static com.yahoo.security.tls.policy.RequiredPeerCredential.Field.SAN_DNS;
-import static com.yahoo.security.tls.policy.RequiredPeerCredential.Field.SAN_URI;
+import static com.yahoo.security.tls.RequiredPeerCredential.Field.CN;
+import static com.yahoo.security.tls.RequiredPeerCredential.Field.SAN_DNS;
+import static com.yahoo.security.tls.RequiredPeerCredential.Field.SAN_URI;
 import static com.yahoo.test.json.JsonTestHelper.assertJsonEquals;
 import static org.junit.Assert.assertEquals;
diff --git a/security-utils/src/test/java/com/yahoo/security/tls/policy/UriGlobPatternTest.java b/security-utils/src/test/java/com/yahoo/security/tls/UriGlobPatternTest.java
index c60c782da14..4d89d71cf85 100644
--- a/security-utils/src/test/java/com/yahoo/security/tls/policy/UriGlobPatternTest.java
+++ b/security-utils/src/test/java/com/yahoo/security/tls/UriGlobPatternTest.java
@@ -1,5 +1,5 @@
 // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.security.tls.policy;
+package com.yahoo.security.tls;
 import org.junit.jupiter.api.Test;
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/utils/RoleCsrGenerator.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/utils/RoleCsrGenerator.java
index 92be935d293..5b129de412d 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/utils/RoleCsrGenerator.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/utils/RoleCsrGenerator.java
@@ -29,10 +29,10 @@ public class RoleCsrGenerator {
 public Pkcs10Csr generateCsr(AthenzIdentity identity, AthenzRole role, KeyPair keyPair) {
 return Pkcs10CsrBuilder.fromKeypair(new X500Principal("CN=" + role.toResourceNameString()), keyPair, SHA256_WITH_RSA)
 .addSubjectAlternativeName(
- Type.DNS_NAME,
+ Type.DNS,
 String.format("%s.%s.%s", identity.getName(), identity.getDomainName().replace(".", "-"), dnsSuffix))
 .addSubjectAlternativeName(
- Type.RFC822_NAME,
+ Type.EMAIL,
 String.format("%s@%s", identity.getFullName(), dnsSuffix))
 .build();
 }
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identity/SiaIdentityProvider.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identity/SiaIdentityProvider.java
index e76384d4d8b..a032b23bfb3 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identity/SiaIdentityProvider.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identity/SiaIdentityProvider.java
@@ -5,7 +5,7 @@ import com.yahoo.component.annotation.Inject;
 import com.yahoo.component.AbstractComponent;
 import com.yahoo.security.SslContextBuilder;
 import com.yahoo.security.X509CertificateWithKey;
-import com.yahoo.security.tls.AutoReloadingX509KeyManager;
+import com.yahoo.security.AutoReloadingX509KeyManager;
 import com.yahoo.vespa.athenz.api.AthenzIdentity;
 import com.yahoo.vespa.athenz.api.AthenzService;
 import com.yahoo.vespa.athenz.utils.SiaUtils;
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java
index c92f7259e77..52ce860bfce 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java
@@ -14,7 +14,7 @@ import com.yahoo.security.KeyStoreBuilder;
 import com.yahoo.security.Pkcs10Csr;
 import com.yahoo.security.SslContextBuilder;
 import com.yahoo.security.X509CertificateWithKey;
-import com.yahoo.security.tls.MutableX509KeyManager;
+import com.yahoo.security.MutableX509KeyManager;
 import com.yahoo.vespa.athenz.api.AthenzAccessToken;
 import com.yahoo.vespa.athenz.api.AthenzDomain;
 import com.yahoo.vespa.athenz.api.AthenzRole;
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/CsrGenerator.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/CsrGenerator.java
index 518f77ae79c..21ce30fd244 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/CsrGenerator.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/CsrGenerator.java
@@ -13,9 +13,9 @@ import java.security.KeyPair;
 import java.util.Set;
 import static com.yahoo.security.SignatureAlgorithm.SHA256_WITH_RSA;
-import static com.yahoo.security.SubjectAlternativeName.Type.DNS_NAME;
-import static com.yahoo.security.SubjectAlternativeName.Type.IP_ADDRESS;
-import static com.yahoo.security.SubjectAlternativeName.Type.RFC822_NAME;
+import static com.yahoo.security.SubjectAlternativeName.Type.DNS;
+import static com.yahoo.security.SubjectAlternativeName.Type.IP;
+import static com.yahoo.security.SubjectAlternativeName.Type.EMAIL;
 /**
 * Generates a {@link Pkcs10Csr} for an instance.
@@ -41,14 +41,14 @@ public class CsrGenerator {
 // and SAN dnsname <provider-unique-instance-id>.instanceid.athenz.<provider-dnsname-suffix>
 Pkcs10CsrBuilder pkcs10CsrBuilder = Pkcs10CsrBuilder.fromKeypair(subject, keyPair, SHA256_WITH_RSA)
 .addSubjectAlternativeName(
- DNS_NAME,
+ DNS,
 String.format(
 "%s.%s.%s",
 instanceIdentity.getName(),
 instanceIdentity.getDomainName().replace(".", "-"),
 dnsSuffix))
- .addSubjectAlternativeName(DNS_NAME, getIdentitySAN(instanceId));
- ipAddresses.forEach(ip -> pkcs10CsrBuilder.addSubjectAlternativeName(new SubjectAlternativeName(IP_ADDRESS, ip)));
+ .addSubjectAlternativeName(DNS, getIdentitySAN(instanceId));
+ ipAddresses.forEach(ip -> pkcs10CsrBuilder.addSubjectAlternativeName(new SubjectAlternativeName(IP, ip)));
 return pkcs10CsrBuilder.build();
 }
@@ -58,8 +58,8 @@ public class CsrGenerator {
 KeyPair keyPair) {
 X500Principal principal = new X500Principal(String.format("OU=%s, cn=%s:role.%s", providerService, role.domain().getName(), role.roleName()));
 return Pkcs10CsrBuilder.fromKeypair(principal, keyPair, SHA256_WITH_RSA)
- .addSubjectAlternativeName(DNS_NAME, getIdentitySAN(instanceId))
- .addSubjectAlternativeName(RFC822_NAME, String.format("%s.%s@%s", identity.getDomainName(), identity.getName(), dnsSuffix))
+ .addSubjectAlternativeName(DNS, getIdentitySAN(instanceId))
+ .addSubjectAlternativeName(EMAIL, String.format("%s.%s@%s", identity.getDomainName(), identity.getName(), dnsSuffix))
 .build();
 }
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzX509CertificateUtils.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzX509CertificateUtils.java
index bb62dc51603..7542e976260 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzX509CertificateUtils.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzX509CertificateUtils.java
@@ -12,9 +12,7 @@ import java.security.cert.X509Certificate;
 import java.util.List;
 import java.util.Optional;
-import static com.yahoo.security.SubjectAlternativeName.Type.DNS_NAME;
-import static com.yahoo.security.SubjectAlternativeName.Type.RFC822_NAME;
-import static com.yahoo.security.SubjectAlternativeName.Type.UNIFORM_RESOURCE_IDENTIFIER;
+import static com.yahoo.security.SubjectAlternativeName.Type;
 /**
 * Utility methods for Athenz issued x509 certificates
@@ -34,7 +32,7 @@ public class AthenzX509CertificateUtils {
 private static Optional<AthenzIdentity> getRoleIdentityFromEmail(List<SubjectAlternativeName> sans) {
 return sans.stream()
- .filter(san -> san.getType() == RFC822_NAME)
+ .filter(san -> san.getType() == Type.EMAIL)
 .map(com.yahoo.security.SubjectAlternativeName::getValue)
 .map(AthenzX509CertificateUtils::getIdentityFromSanEmail)
 .findFirst();
@@ -43,7 +41,7 @@ public class AthenzX509CertificateUtils {
 private static Optional<AthenzIdentity> getRoleIdentityFromUri(List<SubjectAlternativeName> sans) {
 String uriPrefix = "athenz://principal/";
 return sans.stream()
- .filter(s -> s.getType() == UNIFORM_RESOURCE_IDENTIFIER && s.getValue().startsWith(uriPrefix))
+ .filter(s -> s.getType() == Type.URI && s.getValue().startsWith(uriPrefix))
 .map(san -> {
 String uriPath = URI.create(san.getValue()).getPath();
 return AthenzIdentities.from(uriPath.substring(uriPrefix.length()));
@@ -78,7 +76,7 @@ public class AthenzX509CertificateUtils {
 String uriPrefix = "athenz://instanceid/";
 return sans.stream()
 .filter(san -> {
- if (san.getType() != UNIFORM_RESOURCE_IDENTIFIER) return false;
+ if (san.getType() != Type.URI) return false;
 return san.getValue().startsWith(uriPrefix);
 })
 .map(san -> {
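Review bot: `import static com.yahoo.security.SubjectAlternativeName.Type;` pulls in a nested enum through a static import, which compiles but reads as though `Type` were a static method or constant; the ordinary single-type import `import com.yahoo.security.SubjectAlternativeName.Type;` is the conventional form and is exactly what the PeerAuthorizerTest hunk above uses for the same enum. The `Type.EMAIL`, `Type.URI` and `Type.DNS` comparisons in the later hunks of this file read the same either way, so nothing else needs to change. The methods touched by those later hunks each start and end outside their hunk.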
@@ -92,7 +90,7 @@ public class AthenzX509CertificateUtils {
 String dnsNameDelimiter = ".instanceid.athenz.";
 return sans.stream()
 .filter(san -> {
- if (san.getType() != DNS_NAME) return false;
+ if (san.getType() != Type.DNS) return false;
 return san.getValue().contains(dnsNameDelimiter);
 })
 .map(san -> {
diff --git a/zookeeper-server/zookeeper-server-common/src/test/java/com/yahoo/vespa/zookeeper/ConfiguratorTest.java b/zookeeper-server/zookeeper-server-common/src/test/java/com/yahoo/vespa/zookeeper/ConfiguratorTest.java
index d2361853436..6dcdc76a593 100644
--- a/zookeeper-server/zookeeper-server-common/src/test/java/com/yahoo/vespa/zookeeper/ConfiguratorTest.java
+++ b/zookeeper-server/zookeeper-server-common/src/test/java/com/yahoo/vespa/zookeeper/ConfiguratorTest.java
@@ -5,12 +5,12 @@ import com.yahoo.cloud.config.ZookeeperServerConfig;
 import com.yahoo.security.KeyUtils;
 import com.yahoo.security.X509CertificateBuilder;
 import com.yahoo.security.tls.AuthorizationMode;
+import com.yahoo.security.tls.AuthorizedPeers;
 import com.yahoo.security.tls.DefaultTlsContext;
 import com.yahoo.security.tls.HostnameVerification;
 import com.yahoo.security.tls.MixedMode;
 import com.yahoo.security.tls.PeerAuthentication;
 import com.yahoo.security.tls.TlsContext;
-import com.yahoo.security.tls.policy.AuthorizedPeers;
 import com.yahoo.yolean.Exceptions;
 import org.junit.Before;
 import org.junit.Rule;
|