authorBjørn Christian Seime <bjorn.christian@seime.no>2017-11-29 15:22:35 +0100
committerGitHub <noreply@github.com>2017-11-29 15:22:35 +0100
commitaca317fce93ddb796e7cbc38468d92719c85f28c (patch)
tree39d857e3cbe2a83e3ee99291b774c6eccdd096e5
parentfc8f7f3dcfc8b69a84ccd5657de8c0bdde5f9f3f (diff)
parent450e951718633ec57fcae7a2449f6db23a527545 (diff)
Merge pull request #4307 from vespa-engine/bjorncs/ssl-details-access-log
Bjorncs/ssl details access log
-rw-r--r--container-accesslogging/src/main/java/com/yahoo/container/logging/AccessLogEntry.java15
-rw-r--r--container-accesslogging/src/main/java/com/yahoo/container/logging/JSONFormatter.java10
-rw-r--r--jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/AccessLogRequestLog.java5
-rw-r--r--jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/HttpRequestFactory.java3
-rw-r--r--jdisc_http_service/src/main/java/com/yahoo/jdisc/http/servlet/ServletRequest.java1
5 files changed, 29 insertions, 5 deletions
diff --git a/container-accesslogging/src/main/java/com/yahoo/container/logging/AccessLogEntry.java b/container-accesslogging/src/main/java/com/yahoo/container/logging/AccessLogEntry.java
index 9120c747293..24078151d64 100644
--- a/container-accesslogging/src/main/java/com/yahoo/container/logging/AccessLogEntry.java
+++ b/container-accesslogging/src/main/java/com/yahoo/container/logging/AccessLogEntry.java
@@ -4,6 +4,7 @@ package com.yahoo.container.logging;
import com.yahoo.collections.ListMap;
import org.apache.commons.lang.builder.ReflectionToStringBuilder;
+import javax.security.auth.x500.X500Principal;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.URI;
@@ -94,6 +95,7 @@ public class AccessLogEntry {
private String scheme;
private int localPort;
private Principal principal;
+ private X500Principal sslPrincipal;
private ListMap<String,String> keyValues=null;
@@ -724,6 +726,19 @@ public class AccessLogEntry {
}
}
+ public Principal getSslPrincipal() {
+ synchronized (monitor) {
+ return sslPrincipal;
+ }
+ }
+
+ public void setSslPrincipal(X500Principal sslPrincipal) {
+ synchronized (monitor) {
+ requireNull(this.sslPrincipal);
+ this.sslPrincipal = sslPrincipal;
+ }
+ }
+
@Override
public String toString() {
synchronized (monitor) {
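Review bot: getSslPrincipal() is declared to return Principal although the field it reads and the setter's parameter are both X500Principal, so a caller that needs the DN-specific API (such as getName(String format)) has to cast back; declaring it as `public X500Principal getSslPrincipal() {` keeps the type and still satisfies any Principal-typed caller such as JSONFormatter. Both new accessors also lack Javadoc; a one-liner on the getter such as `/** Subject of the client certificate presented on the TLS connection, or null when none was recorded. */`, and a note on the setter that a second call is rejected, would document the contract. The setter's requireNull is a helper defined outside this hunk, so its exact behaviour on a non-null value is assumed here.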
diff --git a/container-accesslogging/src/main/java/com/yahoo/container/logging/JSONFormatter.java b/container-accesslogging/src/main/java/com/yahoo/container/logging/JSONFormatter.java
index cca8da2e936..a8be7c5ed13 100644
--- a/container-accesslogging/src/main/java/com/yahoo/container/logging/JSONFormatter.java
+++ b/container-accesslogging/src/main/java/com/yahoo/container/logging/JSONFormatter.java
@@ -65,10 +65,12 @@ public class JSONFormatter {
Principal principal = accessLogEntry.getUserPrincipal();
if (principal != null) {
- generator.writeObjectFieldStart("user-principal");
- generator.writeStringField("name", principal.getName());
- generator.writeStringField("type", principal.getClass().getName());
- generator.writeEndObject();
+ generator.writeStringField("user-principal", principal.getName());
+ }
+
+ Principal sslPrincipal = accessLogEntry.getSslPrincipal();
+ if (sslPrincipal != null) {
+ generator.writeStringField("ssl-principal", principal.getName());
}
// Only add remote address/port fields if relevant
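Review bot: The new ssl-principal field is written from the wrong variable: `generator.writeStringField("ssl-principal", principal.getName());` reads `principal` (the user principal) although the guard just above tests `sslPrincipal`. When a request carries a client certificate but no user principal this throws a NullPointerException inside the access-log formatter, and when both are present the log records the user principal under the ssl-principal key, so the certificate subject is never actually logged. The line should read `generator.writeStringField("ssl-principal", sslPrincipal.getName());`. The enclosing method starts and ends outside this hunk.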
diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/AccessLogRequestLog.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/AccessLogRequestLog.java
index c3c83474e56..771e57b0437 100644
--- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/AccessLogRequestLog.java
+++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/AccessLogRequestLog.java
@@ -19,6 +19,7 @@ import java.net.URISyntaxException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.security.Principal;
+import java.security.cert.X509Certificate;
import java.util.Optional;
import java.util.logging.Level;
import java.util.logging.Logger;
@@ -115,6 +116,10 @@ public class AccessLogRequestLog extends AbstractLifeCycle implements RequestLog
if (principal != null) {
accessLogEntry.setUserPrincipal(principal);
}
+ X509Certificate[] clientCert = (X509Certificate[]) request.getAttribute(ServletRequest.JDISC_REQUEST_X509CERT);
+ if (clientCert != null && clientCert.length > 0) {
+ accessLogEntry.setSslPrincipal(clientCert[0].getSubjectX500Principal());
+ }
}
private static String getRemoteAddress(final HttpServletRequest request) {
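Review bot: The unchecked cast `(X509Certificate[]) request.getAttribute(ServletRequest.JDISC_REQUEST_X509CERT)` throws ClassCastException if the attribute ever holds another type, and that failure would surface from the access-log path rather than from request handling; an instanceof test is the safer shape, e.g. `Object certs = request.getAttribute(ServletRequest.JDISC_REQUEST_X509CERT);` followed by `if (certs instanceof X509Certificate[] && ((X509Certificate[]) certs).length > 0) {` and `accessLogEntry.setSslPrincipal(((X509Certificate[]) certs)[0].getSubjectX500Principal());`. Note also that HttpRequestFactory in this same commit stores the chain under that key in httpRequest.context(), whereas this code reads it through the servlet request's getAttribute; I assume the two are bridged elsewhere, but that is worth confirming, since otherwise the new field would always stay null. The method this hunk modifies begins outside the hunk.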
diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/HttpRequestFactory.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/HttpRequestFactory.java
index 714d75f9d1e..a005ea7d96e 100644
--- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/HttpRequestFactory.java
+++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/HttpRequestFactory.java
@@ -3,6 +3,7 @@ package com.yahoo.jdisc.http.server.jetty;
import com.yahoo.jdisc.Response;
import com.yahoo.jdisc.http.HttpRequest;
+import com.yahoo.jdisc.http.servlet.ServletRequest;
import com.yahoo.jdisc.service.CurrentContainer;
import javax.servlet.http.HttpServletRequest;
@@ -27,7 +28,7 @@ class HttpRequestFactory {
HttpRequest.Version.fromString(servletRequest.getProtocol()),
new InetSocketAddress(servletRequest.getRemoteAddr(), servletRequest.getRemotePort()),
getConnection(servletRequest).getCreatedTimeStamp());
- httpRequest.context().put("jdisc.request.X509Certificate", getCertChain(servletRequest));
+ httpRequest.context().put(ServletRequest.JDISC_REQUEST_X509CERT, getCertChain(servletRequest));
return httpRequest;
}
diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/servlet/ServletRequest.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/servlet/ServletRequest.java
index db8780b087c..ea36237bc45 100644
--- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/servlet/ServletRequest.java
+++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/servlet/ServletRequest.java
@@ -38,6 +38,7 @@ import static com.yahoo.jdisc.http.core.HttpServletRequestUtils.getConnection;
*/
public class ServletRequest extends HttpServletRequestWrapper implements ServletOrJdiscHttpRequest {
public static final String JDISC_REQUEST_PRINCIPAL = "jdisc.request.principal";
+ public static final String JDISC_REQUEST_X509CERT = "jdisc.request.X509Certificate";
private final HttpServletRequest request;
private final HeaderFields headerFields;