Merge pull request #5306 from vespa-engine/bjorncs/tls-cert-in-filter

Bjorncs/tls cert in filter
author: Martin Polden <mpolden@mpolden.no> 2018-03-13 14:03:33 +0100
committer: GitHub <noreply@github.com> 2018-03-13 14:03:33 +0100
commit: 0f69157c9f65f0ee22787effc2532d692354bc29 (patch)
tree: 094e3d86b751f91ceb2dfd84334c2ac075947559 /controller-server
parent: fd2b9eb63a0ac58cedf9addee2235d329b4a4477 (diff)
parent: c224f1bfa5e087be63a0f6df2321ebde7778cbfb (diff)
3 files changed, 19 insertions, 6 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/AthenzPrincipalFilter.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/AthenzPrincipalFilter.java
index 81692e790a9..5ad44b82370 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/AthenzPrincipalFilter.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/AthenzPrincipalFilter.java
@@ -13,6 +13,7 @@ import com.yahoo.vespa.hosted.controller.api.integration.athenz.ZmsKeystore;
 import com.yahoo.vespa.hosted.controller.athenz.config.AthenzConfig;
 
 import java.security.cert.X509Certificate;
+import java.util.List;
 import java.util.Optional;
 import java.util.concurrent.Executor;
 
@@ -81,8 +82,9 @@ public class AthenzPrincipalFilter implements SecurityRequestFilter {
     }
 
     private static Optional<X509Certificate> getClientCertificate(DiscFilterRequest request) {
-        return Optional.ofNullable((X509Certificate[]) request.getAttribute("jdisc.request.X509Certificate"))
-                .map(chain -> chain[0]);
+        List<X509Certificate> chain = request.getClientCertificateChain();
+        if (chain.isEmpty()) return Optional.empty();
+        return Optional.of(chain.get(0));
     }
 
     private static Optional<NToken> getPrincipalToken(DiscFilterRequest request, String principalTokenHeaderName) {
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/athenz/filter/AthenzPrincipalFilterTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/athenz/filter/AthenzPrincipalFilterTest.java
index 697f69d8da3..53ced43a9ba 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/athenz/filter/AthenzPrincipalFilterTest.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/athenz/filter/AthenzPrincipalFilterTest.java
@@ -38,6 +38,8 @@ import java.util.Date;
 import java.util.Objects;
 
 import static com.yahoo.jdisc.Response.Status.UNAUTHORIZED;
+import static java.util.Collections.emptyList;
+import static java.util.Collections.singletonList;
 import static java.util.stream.Collectors.joining;
 import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.equalTo;
@@ -69,6 +71,7 @@ public class AthenzPrincipalFilterTest {
         DiscFilterRequest request = mock(DiscFilterRequest.class);
         AthenzPrincipal principal = new AthenzPrincipal(IDENTITY, NTOKEN);
         when(request.getHeader(ATHENZ_PRINCIPAL_HEADER)).thenReturn(NTOKEN.getRawToken());
+        when(request.getClientCertificateChain()).thenReturn(emptyList());
         when(validator.validate(NTOKEN)).thenReturn(principal);
 
         AthenzPrincipalFilter filter = new AthenzPrincipalFilter(validator, Runnable::run, ATHENZ_PRINCIPAL_HEADER);
@@ -81,6 +84,7 @@ public class AthenzPrincipalFilterTest {
     public void missing_token_and_certificate_is_unauthorized() {
         DiscFilterRequest request = mock(DiscFilterRequest.class);
         when(request.getHeader(ATHENZ_PRINCIPAL_HEADER)).thenReturn(null);
+        when(request.getClientCertificateChain()).thenReturn(emptyList());
 
         ResponseHandlerMock responseHandler = new ResponseHandlerMock();
 
@@ -95,6 +99,7 @@ public class AthenzPrincipalFilterTest {
         DiscFilterRequest request = mock(DiscFilterRequest.class);
         String errorMessage = "Invalid token";
         when(request.getHeader(ATHENZ_PRINCIPAL_HEADER)).thenReturn(NTOKEN.getRawToken());
+        when(request.getClientCertificateChain()).thenReturn(emptyList());
         when(validator.validate(NTOKEN)).thenThrow(new InvalidTokenException(errorMessage));
 
         ResponseHandlerMock responseHandler = new ResponseHandlerMock();
@@ -109,7 +114,7 @@ public class AthenzPrincipalFilterTest {
     public void certificate_is_accepted() {
         DiscFilterRequest request = mock(DiscFilterRequest.class);
         when(request.getHeader(ATHENZ_PRINCIPAL_HEADER)).thenReturn(null);
-        when(request.getAttribute("jdisc.request.X509Certificate")).thenReturn(new X509Certificate[]{CERTIFICATE});
+        when(request.getClientCertificateChain()).thenReturn(singletonList(CERTIFICATE));
 
         ResponseHandlerMock responseHandler = new ResponseHandlerMock();
 
@@ -125,7 +130,7 @@ public class AthenzPrincipalFilterTest {
         DiscFilterRequest request = mock(DiscFilterRequest.class);
         AthenzPrincipal principalWithToken = new AthenzPrincipal(IDENTITY, NTOKEN);
         when(request.getHeader(ATHENZ_PRINCIPAL_HEADER)).thenReturn(NTOKEN.getRawToken());
-        when(request.getAttribute("jdisc.request.X509Certificate")).thenReturn(new X509Certificate[]{CERTIFICATE});
+        when(request.getClientCertificateChain()).thenReturn(singletonList(CERTIFICATE));
         when(validator.validate(NTOKEN)).thenReturn(principalWithToken);
 
         ResponseHandlerMock responseHandler = new ResponseHandlerMock();
@@ -141,8 +146,8 @@ public class AthenzPrincipalFilterTest {
         DiscFilterRequest request = mock(DiscFilterRequest.class);
         AthenzUser conflictingIdentity = AthenzUser.fromUserId("mallory");
         when(request.getHeader(ATHENZ_PRINCIPAL_HEADER)).thenReturn(NTOKEN.getRawToken());
-        when(request.getAttribute("jdisc.request.X509Certificate"))
-                .thenReturn(new X509Certificate[]{createSelfSignedCertificate(conflictingIdentity)});
+        when(request.getClientCertificateChain())
+                .thenReturn(singletonList(createSelfSignedCertificate(conflictingIdentity)));
         when(validator.validate(NTOKEN)).thenReturn(new AthenzPrincipal(IDENTITY));
 
         ResponseHandlerMock responseHandler = new ResponseHandlerMock();
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/ApplicationRequestToDiscFilterRequestWrapper.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/ApplicationRequestToDiscFilterRequestWrapper.java
index da9dd1f0786..eee0519b12b 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/ApplicationRequestToDiscFilterRequestWrapper.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/ApplicationRequestToDiscFilterRequestWrapper.java
@@ -11,6 +11,7 @@ import com.yahoo.jdisc.http.servlet.ServletOrJdiscHttpRequest;
 import java.net.SocketAddress;
 import java.net.URI;
 import java.security.Principal;
+import java.security.cert.X509Certificate;
 import java.util.Collections;
 import java.util.Enumeration;
 import java.util.List;
@@ -176,6 +177,11 @@ public class ApplicationRequestToDiscFilterRequestWrapper extends DiscFilterRequ
     }
 
     @Override
+    public List<X509Certificate> getClientCertificateChain() {
+        return Collections.emptyList();
+    }
+
+    @Override
     public void clearCookies() {
         throw new UnsupportedOperationException();
     }
author	Martin Polden <mpolden@mpolden.no>	2018-03-13 14:03:33 +0100
committer	GitHub <noreply@github.com>	2018-03-13 14:03:33 +0100
commit	0f69157c9f65f0ee22787effc2532d692354bc29 (patch)
tree	094e3d86b751f91ceb2dfd84334c2ac075947559 /controller-server
parent	fd2b9eb63a0ac58cedf9addee2235d329b4a4477 (diff)
parent	c224f1bfa5e087be63a0f6df2321ebde7778cbfb (diff)