authorMartin Polden <mpolden@mpolden.no>2018-03-13 14:07:25 +0100
committerMartin Polden <mpolden@mpolden.no>2018-03-13 14:07:25 +0100
commit64e755ffa4abd322a68b966d78fbae8390521643 (patch)
tree705822f5d77285a52d17a23bee9538e61bdd57aa
parent0f69157c9f65f0ee22787effc2532d692354bc29 (diff)
Use getClientCertificateChain
-rw-r--r--node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilter.java13
-rw-r--r--node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/FilterTester.java5
2 files changed, 3 insertions, 15 deletions
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilter.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilter.java
index bd0512ee306..64af3d5c0ca 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilter.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilter.java
@@ -8,7 +8,6 @@ import com.yahoo.jdisc.handler.ResponseDispatch;
import com.yahoo.jdisc.handler.ResponseHandler;
import com.yahoo.jdisc.http.filter.DiscFilterRequest;
import com.yahoo.jdisc.http.filter.SecurityRequestFilter;
-import com.yahoo.jdisc.http.servlet.ServletRequest;
import com.yahoo.vespa.hosted.provision.NodeRepository;
import com.yahoo.vespa.hosted.provision.restapi.v2.Authorizer;
import com.yahoo.vespa.hosted.provision.restapi.v2.ErrorResponse;
@@ -55,7 +54,7 @@ public class AuthorizationFilter implements SecurityRequestFilter {
@Override
public void filter(DiscFilterRequest request, ResponseHandler handler) {
- Optional<X509Certificate> cert = certificateFrom(request);
+ Optional<X509Certificate> cert = request.getClientCertificateChain().stream().findFirst();
if (cert.isPresent()) {
if (!authorizer.test(() -> commonName(cert.get()), request.getUri())) {
responseWriter.accept(ErrorResponse.forbidden(
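Review bot: The replacement line in `filter` relies on two assumptions that nothing in the hunk states: that `request.getClientCertificateChain()` never returns null, and that the first element of the chain is the client's own (end-entity) certificate rather than an issuer. The deleted `certificateFrom` helper went through `Optional.ofNullable`, so a request without a certificate reached the no-certificate path. If the new accessor can return null in that case, this line throws instead, which is worth confirming against `DiscFilterRequest` (not visible here). Because the common name of this certificate is what `authorizer.test` decides on, I would record the assumption next to the line, e.g. `// Chain is leaf-first: element 0 is the client's own certificate; an empty chain means none was presented`. The body of `filter` continues outside the hunk.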
@@ -101,14 +100,4 @@ public class AuthorizationFilter implements SecurityRequestFilter {
}
}
- /** Get client certificate from request */
- private static Optional<X509Certificate> certificateFrom(DiscFilterRequest request) {
- Object x509cert = request.getAttribute(ServletRequest.JDISC_REQUEST_X509CERT);
- return Optional.ofNullable(x509cert)
- .filter(X509Certificate[].class::isInstance)
- .map(X509Certificate[].class::cast)
- .filter(certs -> certs.length > 0)
- .map(certs -> certs[0]);
- }
-
}
diff --git a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/FilterTester.java b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/FilterTester.java
index ceb34cdfea8..3916be9d826 100644
--- a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/FilterTester.java
+++ b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/FilterTester.java
@@ -5,7 +5,6 @@ import com.yahoo.application.container.handler.Request.Method;
import com.yahoo.container.jdisc.RequestHandlerTestDriver;
import com.yahoo.jdisc.http.filter.DiscFilterRequest;
import com.yahoo.jdisc.http.filter.SecurityRequestFilter;
-import com.yahoo.jdisc.http.servlet.ServletRequest;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
@@ -27,6 +26,7 @@ import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
+import java.util.Collections;
import java.util.Date;
import java.util.Optional;
@@ -72,8 +72,7 @@ public class FilterTester {
when(r.getRemoteAddr()).thenReturn(request.remoteAddr());
if (request.commonName().isPresent()) {
X509Certificate cert = certificateFor(request.commonName().get(), keyPair());
- when(r.getAttribute(ServletRequest.JDISC_REQUEST_X509CERT))
- .thenReturn(new X509Certificate[]{cert});
+ when(r.getClientCertificateChain()).thenReturn(Collections.singletonList(cert));
}
return r;
}
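Review bot: When `request.commonName()` is absent, the no-certificate case now depends on whatever `r.getClientCertificateChain()` returns unstubbed. That is presumably an empty list if `r` is a Mockito mock, but the hunk does not show how `r` is created. An explicit `else { when(r.getClientCertificateChain()).thenReturn(Collections.emptyList()); }` would pin the behaviour the filter's `findFirst()` relies on. The stubbed chain also only ever has one element, so no test covers the filter picking the first certificate of a longer chain; a case with a leaf followed by an issuer that has a different common name would cover it. The enclosing method starts outside the hunk.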