diff options
author | Morten Tokle <morten.tokle@gmail.com> | 2019-11-12 08:35:46 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-11-12 08:35:46 +0100 |
commit | 350d026bbce1dc634519fe1fff31feecb24f2d90 (patch) | |
tree | d25153bd8b60b3125b392cf67525b4d0f5bbf3f1 /athenz-identity-provider-service/src/test | |
parent | b3e8c27f981c5c2b3119148433816a01d5b57703 (diff) |
Revert "Reapply #11146 Validate register and refresh"
Diffstat (limited to 'athenz-identity-provider-service/src/test')
6 files changed, 21 insertions, 206 deletions
diff --git a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidatorTest.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidatorTest.java index a35dfd878c5..5ce0f3cdd7e 100644 --- a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidatorTest.java +++ b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidatorTest.java @@ -58,12 +58,10 @@ public class InstanceValidatorTest { private final String domain = "domain"; private final String service = "service"; - private final AthenzService vespaTenantDomain = new AthenzService("vespa.vespa.tenant"); - @Test public void application_does_not_exist() { SuperModelProvider superModelProvider = mockSuperModelProvider(); - InstanceValidator instanceValidator = new InstanceValidator(null, superModelProvider, null, null, vespaTenantDomain); + InstanceValidator instanceValidator = new InstanceValidator(null, superModelProvider, null, null); assertFalse(instanceValidator.isValidInstance(createRegisterInstanceConfirmation(applicationId, domain, service))); } @@ -71,7 +69,7 @@ public class InstanceValidatorTest { public void application_does_not_have_domain_set() { SuperModelProvider superModelProvider = mockSuperModelProvider( mockApplicationInfo(applicationId, 5, Collections.emptyList())); - InstanceValidator instanceValidator = new InstanceValidator(null, superModelProvider, null, new IdentityDocumentSigner(), vespaTenantDomain); + InstanceValidator instanceValidator = new InstanceValidator(null, superModelProvider, null); assertFalse(instanceValidator.isValidInstance(createRegisterInstanceConfirmation(applicationId, domain, service))); } @@ -83,7 +81,7 @@ public class InstanceValidatorTest { SuperModelProvider superModelProvider = mockSuperModelProvider( mockApplicationInfo(applicationId, 5, Collections.singletonList(serviceInfo))); - InstanceValidator instanceValidator = new InstanceValidator(null, superModelProvider, null, null, vespaTenantDomain); + InstanceValidator instanceValidator = new InstanceValidator(null, superModelProvider, null, null); assertFalse(instanceValidator.isValidInstance(createRegisterInstanceConfirmation(applicationId, domain, service))); } @@ -101,7 +99,7 @@ public class InstanceValidatorTest { mockApplicationInfo(applicationId, 5, Collections.singletonList(serviceInfo))); IdentityDocumentSigner signer = mock(IdentityDocumentSigner.class); when(signer.hasValidSignature(any(), any())).thenReturn(true); - InstanceValidator instanceValidator = new InstanceValidator(mock(KeyProvider.class), superModelProvider, null, signer, vespaTenantDomain); + InstanceValidator instanceValidator = new InstanceValidator(mock(KeyProvider.class), superModelProvider, null, signer); assertTrue(instanceValidator.isValidInstance(createRegisterInstanceConfirmation(applicationId, domain, service))); } @@ -109,7 +107,7 @@ public class InstanceValidatorTest { @Test public void rejects_invalid_provider_unique_id_in_csr() { SuperModelProvider superModelProvider = mockSuperModelProvider(); - InstanceValidator instanceValidator = new InstanceValidator(null, superModelProvider, null, null, vespaTenantDomain); + InstanceValidator instanceValidator = new InstanceValidator(null, superModelProvider, null, null); InstanceConfirmation instanceConfirmation = createRegisterInstanceConfirmation(applicationId, domain, service); VespaUniqueInstanceId tamperedId = new VespaUniqueInstanceId(0, "default", "instance", "app", "tenant", "us-north-1", "dev", IdentityType.NODE); instanceConfirmation.set("sanDNS", tamperedId.asDottedString() + ".instanceid.athenz.dev-us-north-1.vespa.yahoo.cloud"); @@ -119,7 +117,7 @@ public class InstanceValidatorTest { @Test public void accepts_valid_refresh_requests() { NodeRepository nodeRepository = mock(NodeRepository.class); - InstanceValidator instanceValidator = new InstanceValidator(null, null, nodeRepository, new IdentityDocumentSigner(), vespaTenantDomain); + InstanceValidator instanceValidator = new InstanceValidator(null, null, nodeRepository); List<Node> nodeList = createNodes(10); Node node = nodeList.get(0); @@ -134,7 +132,7 @@ public class InstanceValidatorTest { @Test public void rejects_refresh_on_ip_mismatch() { NodeRepository nodeRepository = mock(NodeRepository.class); - InstanceValidator instanceValidator = new InstanceValidator(null, null, nodeRepository, new IdentityDocumentSigner(), vespaTenantDomain); + InstanceValidator instanceValidator = new InstanceValidator(null, null, nodeRepository); List<Node> nodeList = createNodes(10); Node node = nodeList.get(0); @@ -151,7 +149,7 @@ public class InstanceValidatorTest { @Test public void rejects_refresh_when_node_is_not_allocated() { NodeRepository nodeRepository = mock(NodeRepository.class); - InstanceValidator instanceValidator = new InstanceValidator(null, null, nodeRepository, new IdentityDocumentSigner(), vespaTenantDomain); + InstanceValidator instanceValidator = new InstanceValidator(null, null, nodeRepository); List<Node> nodeList = createNodes(10); when(nodeRepository.getNodes()).thenReturn(nodeList); diff --git a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiTest.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiTest.java index 88ee154dee8..e377009b18c 100644 --- a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiTest.java +++ b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiTest.java @@ -2,34 +2,25 @@ package com.yahoo.vespa.hosted.ca.restapi; import com.yahoo.application.container.handler.Request; -import com.yahoo.jdisc.http.servlet.ServletRequest; import com.yahoo.security.KeyAlgorithm; import com.yahoo.security.KeyUtils; import com.yahoo.security.Pkcs10Csr; import com.yahoo.security.Pkcs10CsrUtils; import com.yahoo.security.X509CertificateUtils; -import com.yahoo.text.StringUtilities; -import com.yahoo.vespa.athenz.api.AthenzPrincipal; import com.yahoo.vespa.athenz.api.AthenzService; import com.yahoo.vespa.athenz.client.zts.DefaultZtsClient; import com.yahoo.vespa.config.SlimeUtils; import com.yahoo.vespa.hosted.ca.CertificateTester; -import org.apache.http.client.ResponseHandler; -import org.apache.http.client.methods.HttpUriRequest; import org.junit.Before; import org.junit.Test; import javax.net.ssl.SSLContext; import java.net.URI; import java.nio.charset.StandardCharsets; -import java.security.Principal; -import java.security.cert.X509Certificate; import java.util.List; -import java.util.Optional; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertTrue; -import static org.junit.Assert.fail; /** * @author mpolden @@ -38,8 +29,6 @@ public class CertificateAuthorityApiTest extends ContainerTester { private static final String INSTANCE_ID = "1.cluster1.default.app1.tenant1.us-north-1.prod.node"; private static final String INSTANCE_ID_WITH_SUFFIX = INSTANCE_ID + ".instanceid.athenz.dev-us-north-1.vespa.aws.oath.cloud"; - private static final String INVALID_INSTANCE_ID = "1.cluster1.default.otherapp.othertenant.us-north-1.prod.node"; - private static final String INVALID_INSTANCE_ID_WITH_SUFFIX = INVALID_INSTANCE_ID + ".instanceid.athenz.dev-us-north-1.vespa.aws.oath.cloud"; @Before public void before() { @@ -55,47 +44,24 @@ public class CertificateAuthorityApiTest extends ContainerTester { Request.Method.POST)); // POST instance registration with ZTS client - var ztsClient = new TestZtsClient(new AthenzPrincipal(new AthenzService("vespa.external.tenant-host")), null, URI.create("http://localhost:12345/ca/v1/"), SSLContext.getDefault()); + var ztsClient = new DefaultZtsClient(URI.create("http://localhost:12345/ca/v1/"), SSLContext.getDefault()); var instanceIdentity = ztsClient.registerInstance(new AthenzService("vespa.external", "provider_prod_us-north-1"), new AthenzService("vespa.external", "tenant"), - getAttestationData(), + "identity document generated by config server", csr); assertEquals("CN=Vespa CA", instanceIdentity.certificate().getIssuerX500Principal().getName()); } - private X509Certificate registerInstance() throws Exception { - // POST instance registration - var csr = CertificateTester.createCsr(List.of("node1.example.com", INSTANCE_ID_WITH_SUFFIX)); - assertIdentityResponse(new Request("http://localhost:12345/ca/v1/instance/", - instanceRegistrationJson(csr), - Request.Method.POST)); - - // POST instance registration with ZTS client - var ztsClient = new TestZtsClient(new AthenzPrincipal(new AthenzService("vespa.external.tenant-host")), null, URI.create("http://localhost:12345/ca/v1/"), SSLContext.getDefault()); - var instanceIdentity = ztsClient.registerInstance(new AthenzService("vespa.external", "provider_prod_us-north-1"), - new AthenzService("vespa.external", "tenant"), - getAttestationData(), - csr); - return instanceIdentity.certificate(); - } - @Test public void refresh_instance() throws Exception { - // Register instance to get cert - var certificate = registerInstance(); - // POST instance refresh var csr = CertificateTester.createCsr(List.of("node1.example.com", INSTANCE_ID_WITH_SUFFIX)); - var principal = new AthenzPrincipal(new AthenzService("vespa.external.tenant")); - var request = new Request("http://localhost:12345/ca/v1/instance/vespa.external.provider_prod_us-north-1/vespa.external/tenant/" + INSTANCE_ID, + assertIdentityResponse(new Request("http://localhost:12345/ca/v1/instance/vespa.external.provider_prod_us-north-1/vespa.external/tenant/" + INSTANCE_ID, instanceRefreshJson(csr), - Request.Method.POST, - principal); - request.getAttributes().put(ServletRequest.JDISC_REQUEST_X509CERT, new X509Certificate[]{certificate}); - assertIdentityResponse(request); + Request.Method.POST)); // POST instance refresh with ZTS client - var ztsClient = new TestZtsClient(principal, certificate, URI.create("http://localhost:12345/ca/v1/"), SSLContext.getDefault()); + var ztsClient = new DefaultZtsClient(URI.create("http://localhost:12345/ca/v1/"), SSLContext.getDefault()); var instanceIdentity = ztsClient.refreshInstance(new AthenzService("vespa.external", "provider_prod_us-north-1"), new AthenzService("vespa.external", "tenant"), INSTANCE_ID, @@ -104,7 +70,7 @@ public class CertificateAuthorityApiTest extends ContainerTester { } @Test - public void invalid_requests() throws Exception { + public void invalid_requests() { // POST instance registration with missing fields assertResponse(400, "{\"error-code\":\"BAD_REQUEST\",\"message\":\"POST http://localhost:12345/ca/v1/instance/ failed: Missing required field 'provider'\"}", new Request("http://localhost:12345/ca/v1/instance/", @@ -125,28 +91,11 @@ public class CertificateAuthorityApiTest extends ContainerTester { Request.Method.POST)); // POST instance refresh where instanceId does not match CSR dnsName - var principal = new AthenzPrincipal(new AthenzService("vespa.external.tenant")); csr = CertificateTester.createCsr(List.of("node1.example.com", INSTANCE_ID_WITH_SUFFIX)); assertResponse(400, "{\"error-code\":\"BAD_REQUEST\",\"message\":\"POST http://localhost:12345/ca/v1/instance/vespa.external.provider_prod_us-north-1/vespa.external/tenant/foobar failed: Mismatch between instance ID in URL path and instance ID in CSR [instanceId=foobar,instanceIdFromCsr=1.cluster1.default.app1.tenant1.us-north-1.prod.node]\"}", new Request("http://localhost:12345/ca/v1/instance/vespa.external.provider_prod_us-north-1/vespa.external/tenant/foobar", instanceRefreshJson(csr), - Request.Method.POST, - principal)); - - // POST instance refresh using zts client where client cert does not contain instanceid - var certificate = registerInstance(); - var ztsClient = new TestZtsClient(principal, certificate, URI.create("http://localhost:12345/ca/v1/"), SSLContext.getDefault()); - try { - var invalidCsr = CertificateTester.createCsr(List.of("node1.example.com", INVALID_INSTANCE_ID_WITH_SUFFIX)); - var instanceIdentity = ztsClient.refreshInstance(new AthenzService("vespa.external", "provider_prod_us-north-1"), - new AthenzService("vespa.external", "tenant"), - INSTANCE_ID, - invalidCsr); - fail("Refresh instance should have failed"); - } catch (Exception e) { - String expectedMessage = "Received error from ZTS: code=0, message=\"POST http://localhost:12345/ca/v1/instance/vespa.external.provider_prod_us-north-1/vespa.external/tenant/1.cluster1.default.app1.tenant1.us-north-1.prod.node failed: Mismatch between instance ID in URL path and instance ID in CSR [instanceId=1.cluster1.default.app1.tenant1.us-north-1.prod.node,instanceIdFromCsr=1.cluster1.default.otherapp.othertenant.us-north-1.prod.node]\""; - assertEquals(expectedMessage, e.getMessage()); - } + Request.Method.POST)); } private void setCaCertificateAndKey() { @@ -183,52 +132,10 @@ public class CertificateAuthorityApiTest extends ContainerTester { " \"provider\": \"vespa.external.provider_prod_us-north-1\",\n" + " \"domain\": \"vespa.external\",\n" + " \"service\": \"tenant\",\n" + - " \"attestationData\": \""+getAttestationData()+"\",\n" + + " \"attestationData\": \"identity document generated by config server\",\n" + " \"csr\": \"" + csrPem + "\"\n" + "}"; return json.getBytes(StandardCharsets.UTF_8); } - private static String getAttestationData () { - var json = "{\n" + - " \"signature\": \"SIGNATURE\",\n" + - " \"signing-key-version\": 0,\n" + - " \"provider-unique-id\": \"0.default.default.application.tenant.us-north-1.dev.tenant\",\n" + - " \"provider-service\": \"domain.service\",\n" + - " \"document-version\": 1,\n" + - " \"configserver-hostname\": \"localhost\",\n" + - " \"instance-hostname\": \"docker-container\",\n" + - " \"created-at\": 1572000079.00000,\n" + - " \"ip-addresses\": [\n" + - " \"::1\"\n" + - " ],\n" + - " \"identity-type\": \"tenant\"\n" + - "}"; - return StringUtilities.escape(json); - } - - /* - Zts client that adds principal as header (since setting up ssl in test is cumbersome) - */ - private static class TestZtsClient extends DefaultZtsClient { - - private final Principal principal; - private final X509Certificate certificate; - - public TestZtsClient(Principal principal, X509Certificate certificate, URI ztsUrl, SSLContext sslContext) { - super(ztsUrl, sslContext); - this.principal = principal; - this.certificate = certificate; - } - - @Override - protected <T> T execute(HttpUriRequest request, ResponseHandler<T> responseHandler) { - request.addHeader("PRINCIPAL", principal.getName()); - Optional.ofNullable(certificate).ifPresent(cert -> { - var pem = X509CertificateUtils.toPem(certificate); - request.addHeader("CERTIFICATE", StringUtilities.escape(pem)); - }); - return super.execute(request, responseHandler); - } - } } diff --git a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/ContainerTester.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/ContainerTester.java index 0eda6bd946b..139314b0f86 100644 --- a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/ContainerTester.java +++ b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/ContainerTester.java @@ -67,20 +67,13 @@ public class ContainerTester { " <ztsUrl>https://localhost:123/</ztsUrl>\n" + " </config>\n" + " <component id='com.yahoo.vespa.hosted.ca.restapi.mock.SecretStoreMock'/>\n" + - " <component id='com.yahoo.vespa.hosted.ca.restapi.mock.InstanceValidatorMock'/>\n" + " <handler id='com.yahoo.vespa.hosted.ca.restapi.CertificateAuthorityApiHandler'>\n" + " <binding>http://*/ca/v1/*</binding>\n" + " </handler>\n" + " <http>\n" + " <server id='default' port='12345'/>\n" + - " <filtering>\n" + - " <request-chain id=\"my-default-chain\">\n" + - " <filter id='com.yahoo.vespa.hosted.ca.restapi.mock.PrincipalFromHeaderFilter' />\n" + - " <binding>http://*/*</binding>\n" + - " </request-chain>\n" + - " </filtering>\n" + " </http>\n" + "</container>"; } -}
\ No newline at end of file +} diff --git a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/InstanceSerializerTest.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/InstanceSerializerTest.java index edc8bec2370..83ea9249ad0 100644 --- a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/InstanceSerializerTest.java +++ b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/InstanceSerializerTest.java @@ -4,12 +4,6 @@ package com.yahoo.vespa.hosted.ca.restapi; import com.yahoo.security.Pkcs10CsrUtils; import com.yahoo.security.X509CertificateUtils; import com.yahoo.slime.Slime; -import com.yahoo.text.StringUtilities; -import com.yahoo.vespa.athenz.api.AthenzService; -import com.yahoo.vespa.athenz.identityprovider.api.EntityBindingsMapper; -import com.yahoo.vespa.athenz.identityprovider.api.IdentityType; -import com.yahoo.vespa.athenz.identityprovider.api.SignedIdentityDocument; -import com.yahoo.vespa.athenz.identityprovider.api.VespaUniqueInstanceId; import com.yahoo.vespa.config.SlimeUtils; import com.yahoo.vespa.hosted.ca.CertificateTester; import com.yahoo.vespa.hosted.ca.instance.InstanceIdentity; @@ -20,9 +14,6 @@ import org.junit.Test; import java.io.IOException; import java.io.UncheckedIOException; import java.nio.charset.StandardCharsets; -import java.time.Instant; -import java.time.temporal.ChronoUnit; -import java.util.Collections; import java.util.Optional; import static org.junit.Assert.assertEquals; @@ -36,28 +27,15 @@ public class InstanceSerializerTest { public void deserialize_instance_registration() { var csr = CertificateTester.createCsr(); var csrPem = Pkcs10CsrUtils.toPem(csr); - SignedIdentityDocument signedIdentityDocument = new SignedIdentityDocument( - "signature", - 0, - new VespaUniqueInstanceId(0, "cluster", "instance", "application", "tenant", "region", "prod", IdentityType.NODE), - new AthenzService("domain", "service"), - 0, - "configserverhostname", - "instancehostname", - Instant.now().truncatedTo(ChronoUnit.MILLIS), - // Instant.ofEpochSecond(1572000079), - Collections.emptySet(), - IdentityType.NODE); - - var json = String.format("{\n" + + var json = "{\n" + " \"provider\": \"provider_prod_us-north-1\",\n" + " \"domain\": \"vespa.external\",\n" + " \"service\": \"tenant\",\n" + - " \"attestationData\":\"%s\",\n" + + " \"attestationData\": \"identity document from configserevr\",\n" + " \"csr\": \"" + csrPem + "\"\n" + - "}", StringUtilities.escape(EntityBindingsMapper.toAttestationData(signedIdentityDocument))); + "}"; var instanceRegistration = new InstanceRegistration("provider_prod_us-north-1", "vespa.external", - "tenant", signedIdentityDocument, + "tenant", "identity document from configserevr", csr); var deserialized = InstanceSerializer.registrationFromSlime(SlimeUtils.jsonToSlime(json)); assertEquals(instanceRegistration, deserialized); diff --git a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/mock/InstanceValidatorMock.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/mock/InstanceValidatorMock.java deleted file mode 100644 index 9c1d4c49b07..00000000000 --- a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/mock/InstanceValidatorMock.java +++ /dev/null @@ -1,27 +0,0 @@ -// Copyright 2019 Oath Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.vespa.hosted.ca.restapi.mock; - -import com.yahoo.vespa.hosted.athenz.instanceproviderservice.instanceconfirmation.InstanceConfirmation; -import com.yahoo.vespa.hosted.athenz.instanceproviderservice.instanceconfirmation.InstanceValidator; - -/** - * @author mortent - */ -public class InstanceValidatorMock extends InstanceValidator { - - public InstanceValidatorMock() { - super(null, null, null, null, null); - } - - @Override - public boolean isValidInstance(InstanceConfirmation instanceConfirmation) { - return instanceConfirmation.attributes.get(SAN_DNS_ATTRNAME) != null && - instanceConfirmation.attributes.get(SAN_IPS_ATTRNAME) != null; - } - - @Override - public boolean isValidRefresh(InstanceConfirmation confirmation) { - return confirmation.attributes.get(SAN_DNS_ATTRNAME) != null && - confirmation.attributes.get(SAN_IPS_ATTRNAME) != null; - } -} diff --git a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/mock/PrincipalFromHeaderFilter.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/mock/PrincipalFromHeaderFilter.java deleted file mode 100644 index d9ee4c8bb9b..00000000000 --- a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/mock/PrincipalFromHeaderFilter.java +++ /dev/null @@ -1,34 +0,0 @@ -// Copyright 2019 Oath Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.vespa.hosted.ca.restapi.mock; - -import com.yahoo.jdisc.handler.ResponseHandler; -import com.yahoo.jdisc.http.filter.DiscFilterRequest; -import com.yahoo.jdisc.http.filter.SecurityRequestFilter; -import com.yahoo.jdisc.http.servlet.ServletRequest; -import com.yahoo.security.X509CertificateUtils; -import com.yahoo.text.StringUtilities; -import com.yahoo.vespa.athenz.api.AthenzPrincipal; -import com.yahoo.vespa.athenz.api.AthenzService; - -import java.security.cert.X509Certificate; -import java.util.Optional; - -/** - * Read principal from http header - * - * @author mortent - */ -public class PrincipalFromHeaderFilter implements SecurityRequestFilter { - - @Override - public void filter(DiscFilterRequest request, ResponseHandler handler) { - String principal = request.getHeader("PRINCIPAL"); - request.setUserPrincipal(new AthenzPrincipal(new AthenzService(principal))); - - Optional<String> certificate = Optional.ofNullable(request.getHeader("CERTIFICATE")); - certificate.ifPresent(cert -> { - var x509cert = X509CertificateUtils.fromPem(StringUtilities.unescape(cert)); - request.setAttribute(ServletRequest.JDISC_REQUEST_X509CERT, new X509Certificate[]{x509cert}); - }); - } -} |