authorHenning Baldersheim <balder@yahoo-inc.com>2017-09-19 19:39:42 +0200
committerGitHub <noreply@github.com>2017-09-19 19:39:42 +0200
commit5d92db079b6faf80cc2dcfb150889d452c3ac265 (patch)
treece309859b08f92dda4f9bce8846e4c324945725d
parentff6ea0bf5b34b906d3008bd1ca6560967c91f561 (diff)
parentfe5deac0ec0cf6423638efdfd73a9e8dec71733c (diff)
Merge pull request #3448 from vespa-engine/bjorncs/client-certificate
Bjorncs/client certificate
-rw-r--r--jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java2
-rw-r--r--jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/HttpRequestFactory.java8
-rw-r--r--jdisc_http_service/src/main/resources/configdefinitions/jdisc.http.connector.def3
-rw-r--r--jdisc_http_service/src/test/java/com/yahoo/jdisc/http/server/jetty/HttpRequestFactoryTest.java11
4 files changed, 20 insertions, 4 deletions
diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java
index a8dbf66f537..af83a159b2d 100644
--- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java
+++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java
@@ -135,6 +135,8 @@ public class ConnectorFactory {
Ssl sslConfig = connectorConfig.ssl();
final SslContextFactory factory = new SslContextFactory();
+ factory.setNeedClientAuth(sslConfig.needClientAuth());
+
if (!sslConfig.excludeProtocol().isEmpty()) {
final String[] prots = new String[sslConfig.excludeProtocol().size()];
for (int i = 0; i < prots.length; i++) {
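Review bot: The new `factory.setNeedClientAuth(sslConfig.needClientAuth())` line turns on mandatory client authentication without a word about what that enforces, and the trust material that decides which client certificates are accepted is configured elsewhere in this method, whose body continues past the hunk. A short comment above the call would make the dependency explicit: `// Mandatory client authentication: the TLS handshake fails unless the client presents a certificate chain that validates against this factory's trust configuration.` Operators enabling `ssl.needClientAuth` need the trust side of the factory set up deliberately as well, so it is worth stating that here rather than leaving it to be discovered from rejected handshakes.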
diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/HttpRequestFactory.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/HttpRequestFactory.java
index d137632f1fe..714d75f9d1e 100644
--- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/HttpRequestFactory.java
+++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/HttpRequestFactory.java
@@ -8,6 +8,7 @@ import com.yahoo.jdisc.service.CurrentContainer;
import javax.servlet.http.HttpServletRequest;
import java.net.InetSocketAddress;
import java.net.URI;
+import java.security.cert.X509Certificate;
import java.util.Enumeration;
import static com.yahoo.jdisc.http.core.HttpServletRequestUtils.getConnection;
@@ -19,13 +20,15 @@ import static com.yahoo.jdisc.http.core.HttpServletRequestUtils.getConnection;
class HttpRequestFactory {
public static HttpRequest newJDiscRequest(CurrentContainer container, HttpServletRequest servletRequest) {
- return HttpRequest.newServerRequest(
+ HttpRequest httpRequest = HttpRequest.newServerRequest(
container,
getUri(servletRequest),
HttpRequest.Method.valueOf(servletRequest.getMethod()),
HttpRequest.Version.fromString(servletRequest.getProtocol()),
new InetSocketAddress(servletRequest.getRemoteAddr(), servletRequest.getRemotePort()),
getConnection(servletRequest).getCreatedTimeStamp());
+ httpRequest.context().put("jdisc.request.X509Certificate", getCertChain(servletRequest));
+ return httpRequest;
}
public static URI getUri(HttpServletRequest servletRequest) {
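Review bot: The context key `"jdisc.request.X509Certificate"` on the new `put` line is a bare string literal that every consumer of the chain must retype exactly; expose it as a constant, e.g. `static final String CLIENT_CERTIFICATE_CONTEXT_KEY = "jdisc.request.X509Certificate";` and use it in the `put`. `getCertChain` returns null whenever the connector did not request client authentication or the client sent no certificate, so on every plain request the entry is stored with a null value; if the context is meant to carry only present values, guard it: `X509Certificate[] chain = getCertChain(servletRequest); if (chain != null) httpRequest.context().put("jdisc.request.X509Certificate", chain);`. I cannot tell from the hunk whether `context()` tolerates null values or whether consumers test `containsKey`, so the absent-certificate behaviour should be pinned down either way.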
@@ -93,4 +96,7 @@ class HttpRequestFactory {
}
}
+ private static X509Certificate[] getCertChain(HttpServletRequest servletRequest) {
+ return (X509Certificate[]) servletRequest.getAttribute("javax.servlet.request.X509Certificate");
+ }
}
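Review bot: `getCertChain` carries no documentation of what the returned chain means to a handler making an authorization decision on it. A Javadoc should state that it returns the client certificate chain established during the TLS handshake, leaf certificate first as the Servlet API defines for `javax.servlet.request.X509Certificate`, or null when client authentication was not requested on the connector or the client presented none, and that the container's TLS layer validated the chain against the connector's trust configuration before setting the attribute, so the value is only as trustworthy as that configuration. The unchecked cast is sound only because the Servlet specification fixes this attribute's type; a one-line comment, `// Type is fixed by the Servlet spec for this attribute`, saves the next reader a lookup.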
diff --git a/jdisc_http_service/src/main/resources/configdefinitions/jdisc.http.connector.def b/jdisc_http_service/src/main/resources/configdefinitions/jdisc.http.connector.def
index 00b089ae3f9..45821b92f0f 100644
--- a/jdisc_http_service/src/main/resources/configdefinitions/jdisc.http.connector.def
+++ b/jdisc_http_service/src/main/resources/configdefinitions/jdisc.http.connector.def
@@ -77,3 +77,6 @@ ssl.sslKeyManagerFactoryAlgorithm string default="SunX509"
# The SSL protocol passed to SSLContext.getInstance()
ssl.protocol string default="TLS"
+
+# Whether connector requires client authentication. See SSLEngine.getNeedClientAuth() for details.
+ssl.needClientAuth bool default=false
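Review bot: The comment on the new `ssl.needClientAuth` field points at `SSLEngine.getNeedClientAuth()` but does not say what enabling it does to a connection or what else must be in place. Suggest: `# Whether the connector requires client authentication (mutual TLS). When true, the TLS handshake fails unless the client presents a certificate chain trusted by the connector's trust configuration; the chain is then exposed to handlers via the request context. See SSLEngine.setNeedClientAuth() for details.` Stating the trust-configuration dependency here is what lets an operator enable the flag correctly the first time.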
diff --git a/jdisc_http_service/src/test/java/com/yahoo/jdisc/http/server/jetty/HttpRequestFactoryTest.java b/jdisc_http_service/src/test/java/com/yahoo/jdisc/http/server/jetty/HttpRequestFactoryTest.java
index 862c85c187e..476718ac906 100644
--- a/jdisc_http_service/src/test/java/com/yahoo/jdisc/http/server/jetty/HttpRequestFactoryTest.java
+++ b/jdisc_http_service/src/test/java/com/yahoo/jdisc/http/server/jetty/HttpRequestFactoryTest.java
@@ -70,9 +70,14 @@ public class HttpRequestFactoryTest {
@Override
public Object getAttribute(String name) {
- HttpConnection connection = mock(HttpConnection.class);
- when(connection.getCreatedTimeStamp()).thenReturn(System.currentTimeMillis());
- return connection;
+ switch (name) {
+ case "org.eclipse.jetty.server.HttpConnection":
+ HttpConnection connection = mock(HttpConnection.class);
+ when(connection.getCreatedTimeStamp()).thenReturn(System.currentTimeMillis());
+ return connection;
+ default:
+ return null;
+ }
}
@Override
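Review bot: The reworked `getAttribute` stub returns null for every attribute other than the Jetty connection, so the test exercises only the no-client-certificate path of `newJDiscRequest`. Add a case for `"javax.servlet.request.X509Certificate"` that returns a small `X509Certificate[]` (a Mockito mock of `X509Certificate` is enough) and assert that `request.context().get("jdisc.request.X509Certificate")` is that same array, so the cast and the context key both stay covered. The enclosing anonymous servlet request class begins and ends outside the hunk.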