Move logic from determing Athenz identity from x509 certificate to AthenzUtils

author: Bjørn Christian Seime <bjorncs@oath.com> 2017-12-14 17:06:34 +0100
committer: Bjørn Christian Seime <bjorncs@oath.com> 2017-12-18 10:58:34 +0100
commit: aabc055f423aecdfae04f85e4b3fb9f694b0cb45 (patch)
tree: 35fa873d972bab4bf5d0e201e7169be22c1db8ec /controller-api
parent: 012722079ebdf505ae141be8e2b41bb6370c0bea (diff)
2 files changed, 21 insertions, 15 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzIdentityVerifier.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzIdentityVerifier.java
index 9eacbb48ddc..bfaa6c2acda 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzIdentityVerifier.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzIdentityVerifier.java
@@ -1,8 +1,6 @@
 // Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.vespa.hosted.controller.api.integration.athenz;
 
-import javax.naming.NamingException;
-import javax.naming.ldap.LdapName;
 import javax.net.ssl.HostnameVerifier;
 import javax.net.ssl.SSLPeerUnverifiedException;
 import javax.net.ssl.SSLSession;
@@ -31,7 +29,7 @@ public class AthenzIdentityVerifier implements HostnameVerifier {
     public boolean verify(String hostname, SSLSession session) {
         try {
             X509Certificate cert = (X509Certificate) session.getPeerCertificates()[0];
-            AthenzIdentity certificateIdentity = AthenzUtils.createAthenzIdentity(getCommonName(cert));
+            AthenzIdentity certificateIdentity = AthenzUtils.createAthenzIdentity(cert);
             return allowedIdentities.contains(certificateIdentity);
         } catch (SSLPeerUnverifiedException e) {
             log.log(Level.WARNING, "Unverified client: " + hostname);
@@ -39,17 +37,5 @@ public class AthenzIdentityVerifier implements HostnameVerifier {
         }
     }
 
-    private static String getCommonName(X509Certificate certificate) {
-        try {
-            String subjectPrincipal = certificate.getSubjectX500Principal().getName();
-            return new LdapName(subjectPrincipal).getRdns().stream()
-                    .filter(rdn -> rdn.getType().equalsIgnoreCase("cn"))
-                    .map(rdn -> rdn.getValue().toString())
-                    .findFirst()
-                    .orElseThrow(() -> new IllegalArgumentException("Could not find CN in certificate: " + subjectPrincipal));
-        } catch (NamingException e) {
-            throw new IllegalArgumentException("Invalid CN: " + e, e);
-        }
-    }
 }
 
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzUtils.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzUtils.java
index 62a7049a7c6..6c6bc61f502 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzUtils.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzUtils.java
@@ -4,6 +4,10 @@ package com.yahoo.vespa.hosted.controller.api.integration.athenz;
 import com.yahoo.vespa.hosted.controller.api.identifiers.AthenzDomain;
 import com.yahoo.vespa.hosted.controller.api.identifiers.UserId;
 
+import javax.naming.NamingException;
+import javax.naming.ldap.LdapName;
+import java.security.cert.X509Certificate;
+
 /**
  * @author bjorncs
  */
@@ -35,4 +39,20 @@ public class AthenzUtils {
         return createAthenzIdentity(domain, identityName);
     }
 
+    public static AthenzIdentity createAthenzIdentity(X509Certificate certificate) {
+        return createAthenzIdentity(getCommonName(certificate));
+    }
+
+    private static String getCommonName(X509Certificate certificate) {
+        try {
+            String subjectPrincipal = certificate.getSubjectX500Principal().getName();
+            return new LdapName(subjectPrincipal).getRdns().stream()
+                    .filter(rdn -> rdn.getType().equalsIgnoreCase("cn"))
+                    .map(rdn -> rdn.getValue().toString())
+                    .findFirst()
+                    .orElseThrow(() -> new IllegalArgumentException("Could not find CN in certificate: " + subjectPrincipal));
+        } catch (NamingException e) {
+            throw new IllegalArgumentException("Invalid CN: " + e, e);
+        }
+    }
 }
author	Bjørn Christian Seime <bjorncs@oath.com>	2017-12-14 17:06:34 +0100
committer	Bjørn Christian Seime <bjorncs@oath.com>	2017-12-18 10:58:34 +0100
commit	aabc055f423aecdfae04f85e4b3fb9f694b0cb45 (patch)
tree	35fa873d972bab4bf5d0e201e7169be22c1db8ec /controller-api
parent	012722079ebdf505ae141be8e2b41bb6370c0bea (diff)