author | Martin Polden <mpolden@mpolden.no> | 2018-03-13 14:03:33 +0100 |
committer | GitHub <noreply@github.com> | 2018-03-13 14:03:33 +0100 |
commit | 0f69157c9f65f0ee22787effc2532d692354bc29 (patch) | |
tree | 094e3d86b751f91ceb2dfd84334c2ac075947559 /controller-server | |
parent | fd2b9eb63a0ac58cedf9addee2235d329b4a4477 (diff) | |
parent | c224f1bfa5e087be63a0f6df2321ebde7778cbfb (diff) |
Merge pull request #5306 from vespa-engine/bjorncs/tls-cert-in-filter
Bjorncs/tls cert in filter
Diffstat (limited to 'controller-server')
3 files changed, 19 insertions, 6 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/AthenzPrincipalFilter.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/AthenzPrincipalFilter.java
index 81692e790a9..5ad44b82370 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/AthenzPrincipalFilter.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/AthenzPrincipalFilter.java
@@ -13,6 +13,7 @@ import com.yahoo.vespa.hosted.controller.api.integration.athenz.ZmsKeystore;
 import com.yahoo.vespa.hosted.controller.athenz.config.AthenzConfig;
 import java.security.cert.X509Certificate;
+import java.util.List;
 import java.util.Optional;
 import java.util.concurrent.Executor;
@@ -81,8 +82,9 @@ public class AthenzPrincipalFilter implements SecurityRequestFilter {
     }
     private static Optional<X509Certificate> getClientCertificate(DiscFilterRequest request) {
-        return Optional.ofNullable((X509Certificate[]) request.getAttribute("jdisc.request.X509Certificate"))
-                .map(chain -> chain[0]);
+        List<X509Certificate> chain = request.getClientCertificateChain();
+        if (chain.isEmpty()) return Optional.empty();
+        return Optional.of(chain.get(0));
     }
     private static Optional<NToken> getPrincipalToken(DiscFilterRequest request, String principalTokenHeaderName) {
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/athenz/filter/AthenzPrincipalFilterTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/athenz/filter/AthenzPrincipalFilterTest.java
index 697f69d8da3..53ced43a9ba 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/athenz/filter/AthenzPrincipalFilterTest.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/athenz/filter/AthenzPrincipalFilterTest.java
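Review bot: In the `@@ -81,8 +82,9 @@` hunk, `getClientCertificate` now returns `chain.get(0)` as the identity-bearing certificate without documenting what it assumes about that chain: that the leaf is at index 0 and that trust validation already happened in the connector, since the filter itself checks nothing about the certificate before an Athenz identity is derived from it (see the `certificate_is_accepted` and conflicting-identity tests in this commit). A Javadoc making that boundary explicit would help the next reader, e.g. `/** Returns the end-entity (first) certificate of the client chain as supplied by the connector; chain validation is assumed to have been done there, not here. */`. If the `DiscFilterRequest` contract permits a null chain (not visible here), the `isEmpty()` call would throw, so it is worth confirming that `getClientCertificateChain()` never returns null. As a minor style point the body can be the single expression `return chain.stream().findFirst();`. The enclosing class continues outside the hunk.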
@@ -38,6 +38,8 @@ import java.util.Date;
 import java.util.Objects;
 import static com.yahoo.jdisc.Response.Status.UNAUTHORIZED;
+import static java.util.Collections.emptyList;
+import static java.util.Collections.singletonList;
 import static java.util.stream.Collectors.joining;
 import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.equalTo;
@@ -69,6 +71,7 @@ public class AthenzPrincipalFilterTest {
         DiscFilterRequest request = mock(DiscFilterRequest.class);
         AthenzPrincipal principal = new AthenzPrincipal(IDENTITY, NTOKEN);
         when(request.getHeader(ATHENZ_PRINCIPAL_HEADER)).thenReturn(NTOKEN.getRawToken());
+        when(request.getClientCertificateChain()).thenReturn(emptyList());
         when(validator.validate(NTOKEN)).thenReturn(principal);
         AthenzPrincipalFilter filter = new AthenzPrincipalFilter(validator, Runnable::run, ATHENZ_PRINCIPAL_HEADER);
@@ -81,6 +84,7 @@ public class AthenzPrincipalFilterTest {
     public void missing_token_and_certificate_is_unauthorized() {
         DiscFilterRequest request = mock(DiscFilterRequest.class);
         when(request.getHeader(ATHENZ_PRINCIPAL_HEADER)).thenReturn(null);
+        when(request.getClientCertificateChain()).thenReturn(emptyList());
         ResponseHandlerMock responseHandler = new ResponseHandlerMock();
@@ -95,6 +99,7 @@ public class AthenzPrincipalFilterTest {
         DiscFilterRequest request = mock(DiscFilterRequest.class);
         String errorMessage = "Invalid token";
         when(request.getHeader(ATHENZ_PRINCIPAL_HEADER)).thenReturn(NTOKEN.getRawToken());
+        when(request.getClientCertificateChain()).thenReturn(emptyList());
         when(validator.validate(NTOKEN)).thenThrow(new InvalidTokenException(errorMessage));
         ResponseHandlerMock responseHandler = new ResponseHandlerMock();
@@ -109,7 +114,7 @@ public class AthenzPrincipalFilterTest {
     public void certificate_is_accepted() {
         DiscFilterRequest request = mock(DiscFilterRequest.class);
         when(request.getHeader(ATHENZ_PRINCIPAL_HEADER)).thenReturn(null);
-        when(request.getAttribute("jdisc.request.X509Certificate")).thenReturn(new X509Certificate[]{CERTIFICATE});
+        when(request.getClientCertificateChain()).thenReturn(singletonList(CERTIFICATE));
         ResponseHandlerMock responseHandler = new ResponseHandlerMock();
@@ -125,7 +130,7 @@ public class AthenzPrincipalFilterTest {
         DiscFilterRequest request = mock(DiscFilterRequest.class);
         AthenzPrincipal principalWithToken = new AthenzPrincipal(IDENTITY, NTOKEN);
         when(request.getHeader(ATHENZ_PRINCIPAL_HEADER)).thenReturn(NTOKEN.getRawToken());
-        when(request.getAttribute("jdisc.request.X509Certificate")).thenReturn(new X509Certificate[]{CERTIFICATE});
+        when(request.getClientCertificateChain()).thenReturn(singletonList(CERTIFICATE));
         when(validator.validate(NTOKEN)).thenReturn(principalWithToken);
         ResponseHandlerMock responseHandler = new ResponseHandlerMock();
@@ -141,8 +146,8 @@ public class AthenzPrincipalFilterTest {
         DiscFilterRequest request = mock(DiscFilterRequest.class);
         AthenzUser conflictingIdentity = AthenzUser.fromUserId("mallory");
         when(request.getHeader(ATHENZ_PRINCIPAL_HEADER)).thenReturn(NTOKEN.getRawToken());
-        when(request.getAttribute("jdisc.request.X509Certificate"))
-                .thenReturn(new X509Certificate[]{createSelfSignedCertificate(conflictingIdentity)});
+        when(request.getClientCertificateChain())
+                .thenReturn(singletonList(createSelfSignedCertificate(conflictingIdentity)));
         when(validator.validate(NTOKEN)).thenReturn(new AthenzPrincipal(IDENTITY));
         ResponseHandlerMock responseHandler = new ResponseHandlerMock();
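Review bot: Every certificate case in this file now stubs a one-element chain (`singletonList(CERTIFICATE)` in the `@@ -109` hunk and again in the `@@ -125` and `@@ -141` hunks), so nothing exercises the index-0 choice that `getClientCertificate` now makes: a filter that picked the last element of the chain would pass these tests unchanged, and the conflicting-identity case only shows that a different single certificate is rejected. A test that stubs a two-element list, the identity certificate first followed by a second certificate such as one from `createSelfSignedCertificate`, and asserts that the accepted principal comes from the first element would pin the ordering the production code relies on. Each test method here begins or ends outside its hunk.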
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/ApplicationRequestToDiscFilterRequestWrapper.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/ApplicationRequestToDiscFilterRequestWrapper.java
index da9dd1f0786..eee0519b12b 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/ApplicationRequestToDiscFilterRequestWrapper.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/ApplicationRequestToDiscFilterRequestWrapper.java
@@ -11,6 +11,7 @@ import com.yahoo.jdisc.http.servlet.ServletOrJdiscHttpRequest;
 import java.net.SocketAddress;
 import java.net.URI;
 import java.security.Principal;
+import java.security.cert.X509Certificate;
 import java.util.Collections;
 import java.util.Enumeration;
 import java.util.List;
@@ -176,6 +177,11 @@ public class ApplicationRequestToDiscFilterRequestWrapper extends DiscFilterRequ
     }
     @Override
+    public List<X509Certificate> getClientCertificateChain() {
+        return Collections.emptyList();
+    }
+
+    @Override
     public void clearCookies() {
         throw new UnsupportedOperationException();
     }
|
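Review bot: The new `getClientCertificateChain` override in the `@@ -176` hunk answers with an empty chain, whereas the neighbouring override `clearCookies` throws `UnsupportedOperationException`, so a REST API test that reaches this path quietly behaves as "no client certificate presented" instead of failing loudly. That is presumably intended, since this wrapper carries no TLS connection state and the tests appear to authenticate via the token path, but the choice is worth recording next to the override, e.g. `// Test wrapper has no TLS connection behind it, so no client certificate is ever presented.`. The enclosing class continues outside the hunk.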