author | Bjørn Christian Seime <bjorncs@oath.com> | 2017-12-14 17:06:34 +0100 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@oath.com> | 2017-12-18 10:58:34 +0100 |
commit | aabc055f423aecdfae04f85e4b3fb9f694b0cb45 (patch) | |
tree | 35fa873d972bab4bf5d0e201e7169be22c1db8ec /controller-api | |
parent | 012722079ebdf505ae141be8e2b41bb6370c0bea (diff) |
Move logic for determining Athenz identity from x509 certificate to AthenzUtils
Diffstat (limited to 'controller-api')
2 files changed, 21 insertions, 15 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzIdentityVerifier.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzIdentityVerifier.java
index 9eacbb48ddc..bfaa6c2acda 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzIdentityVerifier.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzIdentityVerifier.java
@@ -1,8 +1,6 @@
 // Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.vespa.hosted.controller.api.integration.athenz;
-import javax.naming.NamingException;
-import javax.naming.ldap.LdapName;
 import javax.net.ssl.HostnameVerifier;
 import javax.net.ssl.SSLPeerUnverifiedException;
 import javax.net.ssl.SSLSession;
@@ -31,7 +29,7 @@ public class AthenzIdentityVerifier implements HostnameVerifier {
 public boolean verify(String hostname, SSLSession session) {
 try {
 X509Certificate cert = (X509Certificate) session.getPeerCertificates()[0];
-AthenzIdentity certificateIdentity = AthenzUtils.createAthenzIdentity(getCommonName(cert));
+AthenzIdentity certificateIdentity = AthenzUtils.createAthenzIdentity(cert);
 return allowedIdentities.contains(certificateIdentity);
 } catch (SSLPeerUnverifiedException e) {
 log.log(Level.WARNING, "Unverified client: " + hostname);
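Review bot: The new `AthenzUtils.createAthenzIdentity(cert)` call in verify() can throw IllegalArgumentException when the subject DN has no CN or cannot be parsed (the moved getCommonName rethrows NamingException as IllegalArgumentException), yet the only catch visible in this hunk handles SSLPeerUnverifiedException, so such a peer certificate would propagate an unchecked exception out of HostnameVerifier.verify instead of producing false; the cast of `getPeerCertificates()[0]` to X509Certificate is likewise unguarded. Unless a catch outside the hunk covers it, consider adding `} catch (IllegalArgumentException | ClassCastException e) { log.log(Level.WARNING, "Rejecting client with unusable certificate: " + hostname, e); return false; }`. The body of verify() continues past the end of the hunk, so that catch may exist there. This behaviour predates the commit, since the removed getCommonName threw the same exception.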
@@ -39,17 +37,5 @@ public class AthenzIdentityVerifier implements HostnameVerifier {
 }
 }
-private static String getCommonName(X509Certificate certificate) {
-try {
-String subjectPrincipal = certificate.getSubjectX500Principal().getName();
-return new LdapName(subjectPrincipal).getRdns().stream()
-.filter(rdn -> rdn.getType().equalsIgnoreCase("cn"))
-.map(rdn -> rdn.getValue().toString())
-.findFirst()
-.orElseThrow(() -> new IllegalArgumentException("Could not find CN in certificate: " + subjectPrincipal));
-} catch (NamingException e) {
-throw new IllegalArgumentException("Invalid CN: " + e, e);
-}
-}
 }
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzUtils.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzUtils.java
index 62a7049a7c6..6c6bc61f502 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzUtils.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzUtils.java
@@ -4,6 +4,10 @@ package com.yahoo.vespa.hosted.controller.api.integration.athenz;
 import com.yahoo.vespa.hosted.controller.api.identifiers.AthenzDomain;
 import com.yahoo.vespa.hosted.controller.api.identifiers.UserId;
+import javax.naming.NamingException;
+import javax.naming.ldap.LdapName;
+import java.security.cert.X509Certificate;
+
 /**
 * @author bjorncs
 */
@@ -35,4 +39,20 @@ public class AthenzUtils {
 return createAthenzIdentity(domain, identityName);
 }
+public static AthenzIdentity createAthenzIdentity(X509Certificate certificate) {
+return createAthenzIdentity(getCommonName(certificate));
+}
+
+private static String getCommonName(X509Certificate certificate) {
+try {
+String subjectPrincipal = certificate.getSubjectX500Principal().getName();
+return new LdapName(subjectPrincipal).getRdns().stream()
+.filter(rdn -> rdn.getType().equalsIgnoreCase("cn"))
+.map(rdn -> rdn.getValue().toString())
+.findFirst()
+.orElseThrow(() -> new IllegalArgumentException("Could not find CN in certificate: " + subjectPrincipal));
+} catch (NamingException e) {
+throw new IllegalArgumentException("Invalid CN: " + e, e);
+}
+}
 }
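Review bot: The new public `createAthenzIdentity(X509Certificate)` has no Javadoc although it encodes a trust decision: the identity is derived solely from the CN of the subject DN (subject alternative names are not consulted), and a subject without a CN or with an unparseable name results in IllegalArgumentException rather than an absent result. Suggest a Javadoc such as `/** Derives the Athenz identity from the CN of the certificate's subject DN; subject alternative names are ignored. @throws IllegalArgumentException if the subject DN has no CN or cannot be parsed */`. Note also that `LdapName.getRdns()` lists RDNs starting from the rightmost one, so for a DN carrying several CN attributes `findFirst()` picks the one nearest the root rather than the leaf; if that is not the intent, a comment on the filter line would help the next reader.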