diff options
author | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2022-07-19 14:30:27 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-07-19 14:30:27 +0200 |
commit | 46ba1b00aa19e937e2c257b34c23417adeef56eb (patch) | |
tree | 7e595f7ca0c17bc74b07c18472f4cd2d4f57c4d4 /configserver/src | |
parent | 8be6dd28753425126507b68c93a24607124871eb (diff) | |
parent | 529a26d7e1062a006196366454f1a047ca31202c (diff) |
Merge pull request #23496 from vespa-engine/bjorncs/capabilitiesv8.21.11
Bjorncs/capabilities
Diffstat (limited to 'configserver/src')
2 files changed, 9 insertions, 8 deletions
diff --git a/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizer.java b/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizer.java index f5b570fed40..288d064f150 100644 --- a/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizer.java +++ b/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizer.java @@ -10,9 +10,9 @@ import com.yahoo.config.provision.security.NodeIdentifier; import com.yahoo.config.provision.security.NodeIdentifierException; import com.yahoo.config.provision.security.NodeIdentity; import com.yahoo.jrt.Request; -import com.yahoo.jrt.SecurityContext; import com.yahoo.security.tls.MixedMode; import com.yahoo.security.tls.TransportSecurityUtils; +import com.yahoo.security.tls.authz.ConnectionAuthContext; import com.yahoo.vespa.config.ConfigKey; import com.yahoo.vespa.config.protocol.JRTServerConfigRequestV3; import com.yahoo.vespa.config.server.RequestHandler; @@ -166,14 +166,14 @@ public class MultiTenantRpcAuthorizer implements RpcAuthorizer { // TODO Make peer identity mandatory once TLS mixed mode is removed private Optional<NodeIdentity> getPeerIdentity(Request request) { - Optional<SecurityContext> securityContext = request.target().getSecurityContext(); - if (securityContext.isEmpty()) { + Optional<ConnectionAuthContext> authCtx = request.target().getConnectionAuthContext(); + if (authCtx.isEmpty()) { if (TransportSecurityUtils.getInsecureMixedMode() == MixedMode.DISABLED) { throw new IllegalStateException("Security context missing"); // security context should always be present } return Optional.empty(); // client choose to communicate over insecure channel } - List<X509Certificate> certChain = securityContext.get().peerCertificateChain(); + List<X509Certificate> certChain = authCtx.get().peerCertificateChain(); if (certChain.isEmpty()) { throw new IllegalStateException("Client authentication is not enforced!"); // clients should be required to authenticate when TLS is enabled } diff --git a/configserver/src/test/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizerTest.java b/configserver/src/test/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizerTest.java index 2650b23a38e..5b5b795a412 100644 --- a/configserver/src/test/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizerTest.java +++ b/configserver/src/test/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizerTest.java @@ -11,7 +11,6 @@ import com.yahoo.config.provision.security.NodeIdentifier; import com.yahoo.config.provision.security.NodeIdentifierException; import com.yahoo.config.provision.security.NodeIdentity; import com.yahoo.jrt.Request; -import com.yahoo.jrt.SecurityContext; import com.yahoo.jrt.StringValue; import com.yahoo.jrt.Target; import com.yahoo.jrt.Values; @@ -19,6 +18,8 @@ import com.yahoo.security.KeyAlgorithm; import com.yahoo.security.KeyUtils; import com.yahoo.security.SignatureAlgorithm; import com.yahoo.security.X509CertificateBuilder; +import com.yahoo.security.tls.authz.ConnectionAuthContext; +import com.yahoo.security.tls.policy.CapabilitySet; import com.yahoo.slime.Cursor; import com.yahoo.slime.JsonFormat; import com.yahoo.slime.Slime; @@ -248,10 +249,10 @@ public class MultiTenantRpcAuthorizerTest { } private static Request mockJrtRpcRequest(String payload) { - SecurityContext securityContext = mock(SecurityContext.class); - when(securityContext.peerCertificateChain()).thenReturn(PEER_CERTIFICATE_CHAIN); + ConnectionAuthContext authContext = + new ConnectionAuthContext(PEER_CERTIFICATE_CHAIN, CapabilitySet.none(), Set.of()); Target target = mock(Target.class); - when(target.getSecurityContext()).thenReturn(Optional.of(securityContext)); + when(target.getConnectionAuthContext()).thenReturn(Optional.of(authContext)); Request request = mock(Request.class); when(request.target()).thenReturn(target); Values values = new Values(); |