author | Bjørn Christian Seime <bjorncs@yahooinc.com> | 2022-07-13 16:53:43 +0200 |
committer | Bjørn Christian Seime <bjorncs@yahooinc.com> | 2022-07-15 15:35:10 +0200 |
commit | eed3e5deaf3fd13c353361e45420735a93d0f3d0 (patch) | |
tree | b4e738c5cf85775153237ec07ea08f4e97d224f1 /configserver | |
parent | ff26daaf31ec0567dc6a9049d5e275cf7c4810dc (diff) |
Return granted capabilities from PeerAuthorizer
Introduce new ConnectionAuthContext as replacement for AuthorizationResult/SecurityContext.
Diffstat (limited to 'configserver')
2 files changed, 10 insertions, 8 deletions
diff --git a/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizer.java b/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizer.java
index f5b570fed40..6ca39a25d9c 100644
--- a/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizer.java
+++ b/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizer.java
@@ -10,9 +10,9 @@ import com.yahoo.config.provision.security.NodeIdentifier;
 import com.yahoo.config.provision.security.NodeIdentifierException;
 import com.yahoo.config.provision.security.NodeIdentity;
 import com.yahoo.jrt.Request;
-import com.yahoo.jrt.SecurityContext;
 import com.yahoo.security.tls.MixedMode;
 import com.yahoo.security.tls.TransportSecurityUtils;
+import com.yahoo.security.tls.authz.ConnectionAuthContext;
 import com.yahoo.vespa.config.ConfigKey;
 import com.yahoo.vespa.config.protocol.JRTServerConfigRequestV3;
 import com.yahoo.vespa.config.server.RequestHandler;
@@ -166,14 +166,14 @@ public class MultiTenantRpcAuthorizer implements RpcAuthorizer {
 // TODO Make peer identity mandatory once TLS mixed mode is removed
 private Optional<NodeIdentity> getPeerIdentity(Request request) {
- Optional<SecurityContext> securityContext = request.target().getSecurityContext();
- if (securityContext.isEmpty()) {
+ Optional<ConnectionAuthContext> authCtx = request.target().getConnectionAuthContext();
+ if (authCtx.isEmpty()) {
 if (TransportSecurityUtils.getInsecureMixedMode() == MixedMode.DISABLED) {
 throw new IllegalStateException("Security context missing"); // security context should always be present
 }
 return Optional.empty(); // client choose to communicate over insecure channel
 }
- List<X509Certificate> certChain = securityContext.get().peerCertificateChain();
+ List<X509Certificate> certChain = authCtx.get().peerCertificate();
 if (certChain.isEmpty()) {
 throw new IllegalStateException("Client authentication is not enforced!"); // clients should be required to authenticate when TLS is enabled
 }
diff --git a/configserver/src/test/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizerTest.java b/configserver/src/test/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizerTest.java
index 2650b23a38e..7a2e0f00433 100644
--- a/configserver/src/test/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizerTest.java
+++ b/configserver/src/test/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizerTest.java
@@ -11,7 +11,6 @@ import com.yahoo.config.provision.security.NodeIdentifier;
 import com.yahoo.config.provision.security.NodeIdentifierException;
 import com.yahoo.config.provision.security.NodeIdentity;
 import com.yahoo.jrt.Request;
-import com.yahoo.jrt.SecurityContext;
 import com.yahoo.jrt.StringValue;
 import com.yahoo.jrt.Target;
 import com.yahoo.jrt.Values;
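Review bot: The capability set that ConnectionAuthContext now carries (per the commit title) is discarded at `List<X509Certificate> certChain = authCtx.get().peerCertificate();` — getPeerIdentity reads only the certificate list, so whatever the peer authorizer granted has no bearing on this authorizer's decision; if that is intended for now, say so next to the existing TODO, e.g. `// Capabilities in the auth context are not consulted here; identity is derived from the peer certificate only`. The renamed accessor `peerCertificate()` returns a list that is stored in `certChain`, which reads as if a single certificate were expected; if it really yields the whole chain, a word to that effect keeps a later reader from "fixing" the `isEmpty()` guard into a single-certificate null check. The `"Security context missing"` message still uses the old type's name; `"Connection auth context missing"` would match the new one. getPeerIdentity continues past the end of the hunk.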
@@ -19,6 +18,8 @@ import com.yahoo.security.KeyAlgorithm;
 import com.yahoo.security.KeyUtils;
 import com.yahoo.security.SignatureAlgorithm;
 import com.yahoo.security.X509CertificateBuilder;
+import com.yahoo.security.tls.authz.ConnectionAuthContext;
+import com.yahoo.security.tls.policy.CapabilitySet;
 import com.yahoo.slime.Cursor;
 import com.yahoo.slime.JsonFormat;
 import com.yahoo.slime.Slime;
@@ -40,6 +41,7 @@ import java.time.Instant;
 import java.util.List;
 import java.util.Optional;
 import java.util.Set;
+import java.util.TreeSet;
 import java.util.concurrent.ExecutionException;
 import java.util.concurrent.Executor;
@@ -248,10 +250,10 @@ public class MultiTenantRpcAuthorizerTest {
 }
 private static Request mockJrtRpcRequest(String payload) {
- SecurityContext securityContext = mock(SecurityContext.class);
- when(securityContext.peerCertificateChain()).thenReturn(PEER_CERTIFICATE_CHAIN);
+ ConnectionAuthContext authContext =
+ new ConnectionAuthContext(PEER_CERTIFICATE_CHAIN, CapabilitySet.none(), new TreeSet<>());
 Target target = mock(Target.class);
- when(target.getSecurityContext()).thenReturn(Optional.of(securityContext));
+ when(target.getConnectionAuthContext()).thenReturn(Optional.of(authContext));
 Request request = mock(Request.class);
 when(request.target()).thenReturn(target);
 Values values = new Values(); |
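Review bot: The fixture in mockJrtRpcRequest builds the context with `CapabilitySet.none()` and the authorizer tests evidently still pass, so nothing in this suite would notice if MultiTenantRpcAuthorizer later started requiring a capability or if such a check were accidentally bypassed; a comment on the `new ConnectionAuthContext(PEER_CERTIFICATE_CHAIN, CapabilitySet.none(), new TreeSet<>())` line stating that capabilities are deliberately empty because the authorizer under test appears to derive identity from the certificate chain alone would keep that from being read as an oversight. If a capability-based check is added, this is also the place for a second fixture with a non-empty set so both the granted and the denied paths get exercised. The third constructor argument is an anonymous `new TreeSet<>()`; a short comment naming what that set represents would help, since the type alone does not say. mockJrtRpcRequest continues past the end of the hunk.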