author | Bjørn Christian Seime <bjorncs@yahooinc.com> | 2023-06-19 11:16:58 +0200 |
committer | Bjørn Christian Seime <bjorncs@yahooinc.com> | 2023-06-19 11:19:17 +0200 |
commit | 3caa0acf54f360a3cd090ea583a933376461a32b (patch) | |
tree | 2eb6b3246ac0e95382d59e0c8a9413600ff77d5a | |
parent | 030425589c31cd4f20343c635251a33a753dc2fa (diff) |
Split each certificate into separate config entries
3 files changed, 5 insertions, 3 deletions
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/CloudDataPlaneFilter.java b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/CloudDataPlaneFilter.java
index 2217b58c508..2deaf81d338 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/CloudDataPlaneFilter.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/CloudDataPlaneFilter.java
@@ -49,7 +49,7 @@ class CloudDataPlaneFilter extends Filter implements CloudDataPlaneFilterConfig.
 var clientsCfg = clients.stream()
 .map(x -> new CloudDataPlaneFilterConfig.Clients.Builder()
 .id(x.id())
- .certificates(X509CertificateUtils.toPem(x.certificates()))
+ .certificates(x.certificates().stream().map(X509CertificateUtils::toPem).toList())
 .tokens(tokensConfig(x.tokens()))
 .permissions(x.permissions()))
 .toList();
diff --git a/config-model/src/test/java/com/yahoo/vespa/model/container/xml/CloudDataPlaneFilterTest.java b/config-model/src/test/java/com/yahoo/vespa/model/container/xml/CloudDataPlaneFilterTest.java
index 5bb0254f1cc..e11eec1ffd7 100644
--- a/config-model/src/test/java/com/yahoo/vespa/model/container/xml/CloudDataPlaneFilterTest.java
+++ b/config-model/src/test/java/com/yahoo/vespa/model/container/xml/CloudDataPlaneFilterTest.java
@@ -88,6 +88,7 @@ public class CloudDataPlaneFilterTest extends ContainerModelBuilderTestBase {
 CloudDataPlaneFilterConfig.Clients client = clients.get(0);
 assertEquals("foo", client.id());
 assertIterableEquals(List.of("read", "write"), client.permissions());
+ assertTrue(client.tokens().isEmpty());
 assertIterableEquals(List.of(X509CertificateUtils.toPem(certificate)), client.certificates());
 
 ConnectorConfig connectorConfig = connectorConfig();
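Review bot: The meaning of a `certificates` config entry changes on the `.certificates(...)` line — it used to carry the whole client's PEM bundle in one entry and now carries one PEM certificate per entry — but nothing in the producer records that, and the config definition file that declares the entry is not part of this commit. A short comment at the call site would keep the two sides in sync for the next reader, e.g. `// one PEM-encoded certificate per config entry; the consuming filter accepts either a single certificate or a bundle per entry`, with the second half hedged on the filter hunk in this same commit. The config definition's own description of `certificates` presumably still describes the old bundle form and would need the same wording. The enclosing method of this hunk starts and ends outside the hunk.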
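Review bot: The new assertion on `client.tokens().isEmpty()` is fine, but the test still only exercises a client with a single certificate, so the behaviour this commit introduces — one config entry per certificate — is not pinned: `assertIterableEquals(List.of(X509CertificateUtils.toPem(certificate)), client.certificates())` passes under both the old and the new producer. A case with a client fixture holding two certificates, asserting `assertIterableEquals(List.of(X509CertificateUtils.toPem(cert1), X509CertificateUtils.toPem(cert2)), client.certificates());`, would catch a regression back to the single-bundle form. The surrounding test method begins before the hunk, so the fixture construction it would need is not visible here.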
@@ -144,6 +145,7 @@ public class CloudDataPlaneFilterTest extends ContainerModelBuilderTestBase {
 var tokenClient = cfg.clients().stream().filter(c -> c.id().equals("bar")).findAny().orElse(null);
 assertNotNull(tokenClient);
 assertEquals(List.of("read"), tokenClient.permissions());
+ assertTrue(tokenClient.certificates().isEmpty());
 var expectedTokenCfg = tokenConfig(
 "my-token", List.of("myfingerprint1", "myfingerprint2"), List.of("myaccesshash1", "myaccesshash2"));
 assertEquals(List.of(expectedTokenCfg), tokenClient.tokens());
diff --git a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cloud/CloudDataPlaneFilter.java b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cloud/CloudDataPlaneFilter.java
index 07f586b2123..7d8b9ba3c60 100644
--- a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cloud/CloudDataPlaneFilter.java
+++ b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cloud/CloudDataPlaneFilter.java
@@ -18,7 +18,6 @@ import com.yahoo.security.token.TokenCheckHash;
 import com.yahoo.security.token.TokenDomain;
 import com.yahoo.security.token.TokenFingerprint;
 
-import java.nio.charset.StandardCharsets;
 import java.security.Principal;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
@@ -98,7 +97,8 @@ public class CloudDataPlaneFilter extends JsonSecurityRequestFilterBase {
 if (!c.certificates().isEmpty()) {
 List<X509Certificate> certs;
 try {
- certs = c.certificates().stream().map(X509CertificateUtils::fromPem).toList();
+ certs = c.certificates().stream()
+ .flatMap(pem -> X509CertificateUtils.certificateListFromPem(pem).stream()).toList();
 } catch (Exception e) {
 throw new IllegalArgumentException(
 "Client '%s' contains invalid X.509 certificate PEM: %s".formatted(c.id(), e.toString()), e);
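Review bot: After the new `flatMap` on the `certs =` lines, a client can pass the `!c.certificates().isEmpty()` guard and still end up with an empty `certs` list, if `certificateListFromPem` returns an empty list for an entry that contains no certificate block instead of throwing — its behaviour on such input is not visible here, but the previous per-entry `fromPem` presumably failed on it, so the change may turn a loud configuration error into a silently certificate-less client. A guard after the try/catch keeps the failure explicit: `if (certs.isEmpty()) throw new IllegalArgumentException("Client '%s' has no X.509 certificate in PEM".formatted(c.id()));`. The enclosing constructor or method continues past the hunk, so what consumes `certs` downstream is not visible.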