summaryrefslogtreecommitdiffstats
path: root/configserver
diff options
context:
space:
mode:
authorBjørn Christian Seime <bjorncs@yahooinc.com>2022-07-13 16:53:43 +0200
committerBjørn Christian Seime <bjorncs@yahooinc.com>2022-07-15 15:35:10 +0200
commiteed3e5deaf3fd13c353361e45420735a93d0f3d0 (patch)
treeb4e738c5cf85775153237ec07ea08f4e97d224f1 /configserver
parentff26daaf31ec0567dc6a9049d5e275cf7c4810dc (diff)
Return granted capabilities from PeerAuthorizer
Introduce new ConnectionAuthContext as replacement for AuthorizationResult/SecurityContext.
Diffstat (limited to 'configserver')
-rw-r--r--configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizer.java8
-rw-r--r--configserver/src/test/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizerTest.java10
2 files changed, 10 insertions, 8 deletions
diff --git a/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizer.java b/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizer.java
index f5b570fed40..6ca39a25d9c 100644
--- a/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizer.java
+++ b/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizer.java
@@ -10,9 +10,9 @@ import com.yahoo.config.provision.security.NodeIdentifier;
import com.yahoo.config.provision.security.NodeIdentifierException;
import com.yahoo.config.provision.security.NodeIdentity;
import com.yahoo.jrt.Request;
-import com.yahoo.jrt.SecurityContext;
import com.yahoo.security.tls.MixedMode;
import com.yahoo.security.tls.TransportSecurityUtils;
+import com.yahoo.security.tls.authz.ConnectionAuthContext;
import com.yahoo.vespa.config.ConfigKey;
import com.yahoo.vespa.config.protocol.JRTServerConfigRequestV3;
import com.yahoo.vespa.config.server.RequestHandler;
@@ -166,14 +166,14 @@ public class MultiTenantRpcAuthorizer implements RpcAuthorizer {
// TODO Make peer identity mandatory once TLS mixed mode is removed
private Optional<NodeIdentity> getPeerIdentity(Request request) {
- Optional<SecurityContext> securityContext = request.target().getSecurityContext();
- if (securityContext.isEmpty()) {
+ Optional<ConnectionAuthContext> authCtx = request.target().getConnectionAuthContext();
+ if (authCtx.isEmpty()) {
if (TransportSecurityUtils.getInsecureMixedMode() == MixedMode.DISABLED) {
throw new IllegalStateException("Security context missing"); // security context should always be present
}
return Optional.empty(); // client choose to communicate over insecure channel
}
- List<X509Certificate> certChain = securityContext.get().peerCertificateChain();
+ List<X509Certificate> certChain = authCtx.get().peerCertificate();
if (certChain.isEmpty()) {
throw new IllegalStateException("Client authentication is not enforced!"); // clients should be required to authenticate when TLS is enabled
}
diff --git a/configserver/src/test/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizerTest.java b/configserver/src/test/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizerTest.java
index 2650b23a38e..7a2e0f00433 100644
--- a/configserver/src/test/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizerTest.java
+++ b/configserver/src/test/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizerTest.java
@@ -11,7 +11,6 @@ import com.yahoo.config.provision.security.NodeIdentifier;
import com.yahoo.config.provision.security.NodeIdentifierException;
import com.yahoo.config.provision.security.NodeIdentity;
import com.yahoo.jrt.Request;
-import com.yahoo.jrt.SecurityContext;
import com.yahoo.jrt.StringValue;
import com.yahoo.jrt.Target;
import com.yahoo.jrt.Values;
@@ -19,6 +18,8 @@ import com.yahoo.security.KeyAlgorithm;
import com.yahoo.security.KeyUtils;
import com.yahoo.security.SignatureAlgorithm;
import com.yahoo.security.X509CertificateBuilder;
+import com.yahoo.security.tls.authz.ConnectionAuthContext;
+import com.yahoo.security.tls.policy.CapabilitySet;
import com.yahoo.slime.Cursor;
import com.yahoo.slime.JsonFormat;
import com.yahoo.slime.Slime;
@@ -40,6 +41,7 @@ import java.time.Instant;
import java.util.List;
import java.util.Optional;
import java.util.Set;
+import java.util.TreeSet;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.Executor;
@@ -248,10 +250,10 @@ public class MultiTenantRpcAuthorizerTest {
}
private static Request mockJrtRpcRequest(String payload) {
- SecurityContext securityContext = mock(SecurityContext.class);
- when(securityContext.peerCertificateChain()).thenReturn(PEER_CERTIFICATE_CHAIN);
+ ConnectionAuthContext authContext =
+ new ConnectionAuthContext(PEER_CERTIFICATE_CHAIN, CapabilitySet.none(), new TreeSet<>());
Target target = mock(Target.class);
- when(target.getSecurityContext()).thenReturn(Optional.of(securityContext));
+ when(target.getConnectionAuthContext()).thenReturn(Optional.of(authContext));
Request request = mock(Request.class);
when(request.target()).thenReturn(target);
Values values = new Values();