author | Bjørn Christian Seime <bjorncs@oath.com> | 2018-03-13 13:22:53 +0100 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@oath.com> | 2018-03-13 13:25:20 +0100 |
commit | c224f1bfa5e087be63a0f6df2321ebde7778cbfb (patch) | |
tree | f86dc0d834e14105f56374995afb2fdcf722d629 | |
parent | a72221f64cd61a8a5d10dbc5acea1aa560d3c97d (diff) |
Change return type of getClientCertificateChain() to List<X509Certificate>
6 files changed, 31 insertions, 18 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/AthenzPrincipalFilter.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/AthenzPrincipalFilter.java
index c5406669f67..5ad44b82370 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/AthenzPrincipalFilter.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/AthenzPrincipalFilter.java
@@ -13,6 +13,7 @@ import com.yahoo.vespa.hosted.controller.api.integration.athenz.ZmsKeystore;
 import com.yahoo.vespa.hosted.controller.athenz.config.AthenzConfig;
 import java.security.cert.X509Certificate;
+import java.util.List;
 import java.util.Optional;
 import java.util.concurrent.Executor;
@@ -81,8 +82,9 @@ public class AthenzPrincipalFilter implements SecurityRequestFilter {
 }
 private static Optional<X509Certificate> getClientCertificate(DiscFilterRequest request) {
- return request.getClientCertificateChain()
- .map(chain -> chain[0]);
+ List<X509Certificate> chain = request.getClientCertificateChain();
+ if (chain.isEmpty()) return Optional.empty();
+ return Optional.of(chain.get(0));
 }
 private static Optional<NToken> getPrincipalToken(DiscFilterRequest request, String principalTokenHeaderName) {
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/athenz/filter/AthenzPrincipalFilterTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/athenz/filter/AthenzPrincipalFilterTest.java
index b0a51ecb16f..53ced43a9ba 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/athenz/filter/AthenzPrincipalFilterTest.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/athenz/filter/AthenzPrincipalFilterTest.java
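Review bot: `chain.get(0)` in `getClientCertificate` silently depends on the leaf certificate being first, which the new `DiscFilterRequest` Javadoc promises but nothing at this call site records; a one-line comment above the `get(0)` such as `// Leaf certificate first, per DiscFilterRequest#getClientCertificateChain` would make that dependency visible to the next reader. As a point of style the three new lines collapse to a single expression with the same behaviour, `return request.getClientCertificateChain().stream().findFirst();`, which also avoids the brace-less `if`. What the filter does with the returned certificate is outside this hunk.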
@@ -36,9 +36,10 @@ import java.time.Duration;
 import java.time.Instant;
 import java.util.Date;
 import java.util.Objects;
-import java.util.Optional;
 import static com.yahoo.jdisc.Response.Status.UNAUTHORIZED;
+import static java.util.Collections.emptyList;
+import static java.util.Collections.singletonList;
 import static java.util.stream.Collectors.joining;
 import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.equalTo;
@@ -70,7 +71,7 @@ public class AthenzPrincipalFilterTest {
 DiscFilterRequest request = mock(DiscFilterRequest.class);
 AthenzPrincipal principal = new AthenzPrincipal(IDENTITY, NTOKEN);
 when(request.getHeader(ATHENZ_PRINCIPAL_HEADER)).thenReturn(NTOKEN.getRawToken());
- when(request.getClientCertificateChain()).thenReturn(Optional.empty());
+ when(request.getClientCertificateChain()).thenReturn(emptyList());
 when(validator.validate(NTOKEN)).thenReturn(principal);
 AthenzPrincipalFilter filter = new AthenzPrincipalFilter(validator, Runnable::run, ATHENZ_PRINCIPAL_HEADER);
@@ -83,7 +84,7 @@ public class AthenzPrincipalFilterTest {
 public void missing_token_and_certificate_is_unauthorized() {
 DiscFilterRequest request = mock(DiscFilterRequest.class);
 when(request.getHeader(ATHENZ_PRINCIPAL_HEADER)).thenReturn(null);
- when(request.getClientCertificateChain()).thenReturn(Optional.empty());
+ when(request.getClientCertificateChain()).thenReturn(emptyList());
 ResponseHandlerMock responseHandler = new ResponseHandlerMock();
@@ -98,7 +99,7 @@ DiscFilterRequest request = mock(DiscFilterRequest.class);
 String errorMessage = "Invalid token";
 when(request.getHeader(ATHENZ_PRINCIPAL_HEADER)).thenReturn(NTOKEN.getRawToken());
- when(request.getClientCertificateChain()).thenReturn(Optional.empty());
+ when(request.getClientCertificateChain()).thenReturn(emptyList());
 when(validator.validate(NTOKEN)).thenThrow(new InvalidTokenException(errorMessage));
 ResponseHandlerMock responseHandler = new ResponseHandlerMock();
@@ -113,7 +114,7 @@ public class AthenzPrincipalFilterTest {
 public void certificate_is_accepted() {
 DiscFilterRequest request = mock(DiscFilterRequest.class);
 when(request.getHeader(ATHENZ_PRINCIPAL_HEADER)).thenReturn(null);
- when(request.getClientCertificateChain()).thenReturn(Optional.of(new X509Certificate[]{CERTIFICATE}));
+ when(request.getClientCertificateChain()).thenReturn(singletonList(CERTIFICATE));
 ResponseHandlerMock responseHandler = new ResponseHandlerMock();
@@ -129,7 +130,7 @@ DiscFilterRequest request = mock(DiscFilterRequest.class);
 AthenzPrincipal principalWithToken = new AthenzPrincipal(IDENTITY, NTOKEN);
 when(request.getHeader(ATHENZ_PRINCIPAL_HEADER)).thenReturn(NTOKEN.getRawToken());
- when(request.getClientCertificateChain()).thenReturn(Optional.of(new X509Certificate[]{CERTIFICATE}));
+ when(request.getClientCertificateChain()).thenReturn(singletonList(CERTIFICATE));
 when(validator.validate(NTOKEN)).thenReturn(principalWithToken);
 ResponseHandlerMock responseHandler = new ResponseHandlerMock();
@@ -146,7 +147,7 @@ AthenzUser conflictingIdentity = AthenzUser.fromUserId("mallory");
 when(request.getHeader(ATHENZ_PRINCIPAL_HEADER)).thenReturn(NTOKEN.getRawToken());
 when(request.getClientCertificateChain())
- .thenReturn(Optional.of(new X509Certificate[]{createSelfSignedCertificate(conflictingIdentity)}));
+ .thenReturn(singletonList(createSelfSignedCertificate(conflictingIdentity)));
 when(validator.validate(NTOKEN)).thenReturn(new AthenzPrincipal(IDENTITY));
 ResponseHandlerMock responseHandler = new ResponseHandlerMock();
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/ApplicationRequestToDiscFilterRequestWrapper.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/ApplicationRequestToDiscFilterRequestWrapper.java
index d5b1b85de5f..eee0519b12b 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/ApplicationRequestToDiscFilterRequestWrapper.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/ApplicationRequestToDiscFilterRequestWrapper.java
@@ -16,7 +16,6 @@ import java.util.Collections;
 import java.util.Enumeration;
 import java.util.List;
 import java.util.Map;
-import java.util.Optional;
 import java.util.concurrent.TimeUnit;
 /**
@@ -178,8 +177,8 @@ public class ApplicationRequestToDiscFilterRequestWrapper extends DiscFilterRequ
 }
 @Override
- public Optional<X509Certificate[]> getClientCertificateChain() {
- return Optional.empty();
+ public List<X509Certificate> getClientCertificateChain() {
+ return Collections.emptyList();
 }
 @Override
diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/filter/DiscFilterRequest.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/filter/DiscFilterRequest.java
index 2cb68462005..da76e288a2a 100644
--- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/filter/DiscFilterRequest.java
+++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/filter/DiscFilterRequest.java
@@ -22,7 +22,6 @@ import java.util.HashMap;
 import java.util.List;
 import java.util.Locale;
 import java.util.Map;
-import java.util.Optional;
 import java.util.concurrent.TimeUnit;
 import java.util.regex.Pattern;
@@ -371,7 +370,11 @@ public abstract class DiscFilterRequest {
 public abstract void setUserPrincipal(Principal principal);
- public abstract Optional<X509Certificate[]> getClientCertificateChain();
+ /**
+ * @return The client certificate chain in ascending order of trust. The first certificate is the one sent from the client.
+ * Returns an empty list if the client did not provide a certificate.
+ */
+ public abstract List<X509Certificate> getClientCertificateChain();
 public void setUserRoles(String[] roles) {
 this.roles = roles;
diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/filter/JdiscFilterRequest.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/filter/JdiscFilterRequest.java
index c161b374e83..f8d9e6b2642 100644
--- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/filter/JdiscFilterRequest.java
+++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/filter/JdiscFilterRequest.java
@@ -9,6 +9,7 @@ import java.net.URI;
 import java.security.Principal;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Collections;
 import java.util.Enumeration;
 import java.util.List;
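Review bot: The new Javadoc on the abstract `getClientCertificateChain()` fixes ordering and the empty case but leaves the ownership of the returned list unspecified, which matters because the two production implementations in this commit return an `Arrays.asList` view over the array kept in the request context while the empty case returns an immutable list. The contract should state whether callers may mutate the result, for example by adding ` * Never {@code null}. The returned list must be treated as read-only; implementations are not required to return a copy.` to the Javadoc, so that implementations can be held to one rule. The enclosing class `DiscFilterRequest` continues outside the hunk.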
@@ -117,8 +118,11 @@ public class JdiscFilterRequest extends DiscFilterRequest {
 }
 @Override
- public Optional<X509Certificate[]> getClientCertificateChain() {
- return Optional.ofNullable((X509Certificate[]) parent.context().get(ServletRequest.JDISC_REQUEST_X509CERT));
+ public List<X509Certificate> getClientCertificateChain() {
+ return Optional.ofNullable(parent.context().get(ServletRequest.JDISC_REQUEST_X509CERT))
+ .map(X509Certificate[].class::cast)
+ .map(Arrays::asList)
+ .orElse(Collections.emptyList());
 }
 @Override
diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/filter/ServletFilterRequest.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/filter/ServletFilterRequest.java
index 6f23f128b4e..5921f0b8e0a 100644
--- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/filter/ServletFilterRequest.java
+++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/filter/ServletFilterRequest.java
@@ -8,6 +8,7 @@ import java.io.UnsupportedEncodingException;
 import java.net.URI;
 import java.security.Principal;
 import java.security.cert.X509Certificate;
+import java.util.Arrays;
 import java.util.Collections;
 import java.util.Enumeration;
 import java.util.HashSet;
@@ -141,8 +142,11 @@ class ServletFilterRequest extends DiscFilterRequest {
 }
 @Override
- public Optional<X509Certificate[]> getClientCertificateChain() {
- return Optional.ofNullable((X509Certificate[]) parent.context().get(ServletRequest.SERVLET_REQUEST_X509CERT));
+ public List<X509Certificate> getClientCertificateChain() {
+ return Optional.ofNullable(parent.context().get(ServletRequest.SERVLET_REQUEST_X509CERT))
+ .map(X509Certificate[].class::cast)
+ .map(Arrays::asList)
+ .orElse(Collections.emptyList());
 }
 @Override |
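Review bot: `.map(Arrays::asList)` in `JdiscFilterRequest.getClientCertificateChain()` hands callers a fixed-size list that writes through to the `X509Certificate[]` stored under `ServletRequest.JDISC_REQUEST_X509CERT` in the request context, so a filter calling `set(0, …)` on the returned list would replace the leaf certificate for any later reader of that context entry; the same applies to `ServletFilterRequest.getClientCertificateChain()` further down with `SERVLET_REQUEST_X509CERT`. The empty branch already returns an immutable `Collections.emptyList()`, so wrapping the non-empty branch keeps the two cases consistent: `.map(certs -> Collections.unmodifiableList(Arrays.asList(certs)))` in place of `.map(Arrays::asList)` in both classes. A defensive copy such as `new ArrayList<>(Arrays.asList(certs))` is the alternative if callers are meant to be able to modify their own list without touching the request context.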