author | Bjørn Christian Seime <bjorncs@yahooinc.com> | 2022-07-20 15:21:39 +0200 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@yahooinc.com> | 2022-07-20 15:21:39 +0200 |
commit | 4dcb1c83c96b51ec9a1770c269e75a94debebb9d (patch) | |
tree | f53aa75709ae5018809faa2a547c46bb70fb8981 /configserver/src/main/java/com/yahoo/vespa/config/server/rpc | |
parent | ea71048bca7b1d5633040ce8d13f9b418632f843 (diff) |
Include client certificate chain even when authorization is disabled
Diffstat (limited to 'configserver/src/main/java/com/yahoo/vespa/config/server/rpc')
-rw-r--r-- | configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizer.java | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizer.java b/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizer.java
index 59635461a2d..536a446df2f 100644
--- a/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizer.java
+++ b/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizer.java
@@ -166,14 +166,14 @@ public class MultiTenantRpcAuthorizer implements RpcAuthorizer {
 // TODO Make peer identity mandatory once TLS mixed mode is removed
 private Optional<NodeIdentity> getPeerIdentity(Request request) {
- Optional<ConnectionAuthContext> authCtx = request.target().getConnectionAuthContext();
- if (authCtx.isEmpty()) {
+ ConnectionAuthContext authCtx = request.target().connectionAuthContext();
+ if (authCtx.peerCertificate().isEmpty()) {
 if (TransportSecurityUtils.getInsecureMixedMode() == MixedMode.DISABLED) {
 throw new IllegalStateException("Security context missing"); // security context should always be present
 }
 return Optional.empty(); // client choose to communicate over insecure channel
 }
- List<X509Certificate> certChain = authCtx.get().peerCertificateChain();
+ List<X509Certificate> certChain = authCtx.peerCertificateChain();
 if (certChain.isEmpty()) {
 throw new IllegalStateException("Client authentication is not enforced!"); // clients should be required to authenticate when TLS is enabled
 } |
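Review bot: In `getPeerIdentity`, the new guard `authCtx.peerCertificate().isEmpty()` now covers both a plaintext mixed-mode peer and, presumably, a TLS peer that presented no certificate, so the later `certChain.isEmpty()` check that throws "Client authentication is not enforced!" looks unreachable if `peerCertificate()` is derived from the chain (its implementation is not visible here). With mixed mode enabled, such a TLS peer would then get `Optional.empty()` instead of the fail-closed exception, which is worth confirming as intended. At minimum I would correct the now-inaccurate message and comment, e.g. `throw new IllegalStateException("Peer certificate missing"); // no plaintext peers expected when mixed mode is disabled`, and document on the guard that an empty certificate no longer distinguishes the two cases. The method body continues past the end of the hunk.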