author | Morten Tokle <mortent@verizonmedia.com> | 2020-11-23 14:55:22 +0100 |
committer | Morten Tokle <mortent@verizonmedia.com> | 2020-11-23 14:55:22 +0100 |
commit | 885cb31bad09bae15067c9c527f051ade6bb2d44 (patch) | |
tree | 81e98a80333cbc3fcaf1b14c418de7ed55b5518e /jdisc-security-filters | |
parent | ce9ccaf1a95050f1df8b0c9be3c1daab7dc416fe (diff) |
Create default connector request chain
Diffstat (limited to 'jdisc-security-filters')
2 files changed, 87 insertions, 0 deletions
diff --git a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/misc/VespaTlsFilter.java b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/misc/VespaTlsFilter.java
new file mode 100644
index 00000000000..b891212031f
--- /dev/null
+++ b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/misc/VespaTlsFilter.java
@@ -0,0 +1,21 @@
+// Copyright 2020 Oath Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+
+package com.yahoo.jdisc.http.filter.security.misc;
+
+import com.yahoo.jdisc.Response;
+import com.yahoo.jdisc.http.filter.DiscFilterRequest;
+import com.yahoo.jdisc.http.filter.security.base.JsonSecurityRequestFilterBase;
+
+import java.security.cert.X509Certificate;
+import java.util.List;
+import java.util.Optional;
+
+public class VespaTlsFilter extends JsonSecurityRequestFilterBase {
+
+ @Override
+ protected Optional<ErrorResponse> filter(DiscFilterRequest request) {
+ return request.getClientCertificateChain().isEmpty()
+ ? Optional.of(new ErrorResponse(Response.Status.FORBIDDEN, "Forbidden to access this path"))
+ : Optional.empty();
+ }
+}
diff --git a/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/misc/VespaTlsFilterTest.java b/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/misc/VespaTlsFilterTest.java
new file mode 100644
index 00000000000..294126eb349
--- /dev/null
+++ b/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/misc/VespaTlsFilterTest.java
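Review bot: VespaTlsFilter has no Javadoc stating what it enforces, and the only check in filter() is that getClientCertificateChain() is non-empty, so a reader could take it for a client-identity or authorization check, which it is not. A class comment such as `/** Rejects with 403 any request that did not present a client certificate chain; the chain itself is not inspected, so identity and authorization must be enforced by the TLS layer and other filters. */` would fix that. The imports of `java.security.cert.X509Certificate` and `java.util.List` are unused and can be dropped. If getClientCertificateChain() can return null rather than an empty list (not visible here), `isEmpty()` would throw instead of producing the 403; worth confirming against the DiscFilterRequest contract.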
@@ -0,0 +1,66 @@
+// Copyright 2020 Oath Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+
+package com.yahoo.jdisc.http.filter.security.misc;
+
+import com.yahoo.container.jdisc.RequestHandlerTestDriver;
+import com.yahoo.jdisc.Response;
+import com.yahoo.jdisc.http.filter.DiscFilterRequest;
+import com.yahoo.security.KeyAlgorithm;
+import com.yahoo.security.KeyUtils;
+import com.yahoo.security.SignatureAlgorithm;
+import com.yahoo.security.X509CertificateBuilder;
+import org.junit.Test;
+import org.mockito.Mockito;
+
+import javax.security.auth.x500.X500Principal;
+import java.math.BigInteger;
+import java.net.URI;
+import java.security.cert.X509Certificate;
+import java.time.Instant;
+import java.time.temporal.ChronoUnit;
+import java.util.Collections;
+import java.util.List;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNull;
+import static org.mockito.Mockito.when;
+
+public class VespaTlsFilterTest {
+
+ @Test
+ public void testFilter() {
+ assertSuccess(createRequest(List.of(createCertificate())));
+ assertForbidden(createRequest(Collections.emptyList()));
+ }
+
+ private static X509Certificate createCertificate() {
+ return X509CertificateBuilder
+ .fromKeypair(
+ KeyUtils.generateKeypair(KeyAlgorithm.EC), new X500Principal("CN=test"),
+ Instant.now(), Instant.now().plus(1, ChronoUnit.DAYS),
+ SignatureAlgorithm.SHA512_WITH_ECDSA, BigInteger.valueOf(1))
+ .build();
+ }
+
+ private static DiscFilterRequest createRequest(List<X509Certificate> certChain) {
+ DiscFilterRequest request = Mockito.mock(DiscFilterRequest.class);
+ when(request.getClientCertificateChain()).thenReturn(certChain);
+ when(request.getMethod()).thenReturn("GET");
+ when(request.getUri()).thenReturn(URI.create("http://localhost:8080/"));
+ return request;
+ }
+
+ private static void assertForbidden(DiscFilterRequest request) {
+ VespaTlsFilter filter = new VespaTlsFilter();
+ RequestHandlerTestDriver.MockResponseHandler handler = new RequestHandlerTestDriver.MockResponseHandler();
+ filter.filter(request, handler);
+ assertEquals(Response.Status.FORBIDDEN, handler.getStatus());
+ }
+
+ private static void assertSuccess(DiscFilterRequest request) {
+ VespaTlsFilter filter = new VespaTlsFilter();
+ RequestHandlerTestDriver.MockResponseHandler handler = new RequestHandlerTestDriver.MockResponseHandler();
+ filter.filter(request, handler);
+ assertNull(handler.getResponse());
+ }
+}
|
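Review bot: assertForbidden and assertSuccess repeat the same three setup lines (construct the filter, construct the MockResponseHandler, invoke filter); a single helper that runs the filter and returns the handler would leave each assertion method with one line of intent. The test also only covers "one valid certificate" versus "no certificate"; since the filter under test never inspects the chain, a case passing an expired certificate (the builder already takes explicit validity instants) and asserting success would document that the filter does not validate, so nobody later relies on it for that.
```java
private static RequestHandlerTestDriver.MockResponseHandler runFilter(DiscFilterRequest request) {
    RequestHandlerTestDriver.MockResponseHandler handler = new RequestHandlerTestDriver.MockResponseHandler();
    new VespaTlsFilter().filter(request, handler);
    return handler;
}

private static void assertForbidden(DiscFilterRequest request) {
    assertEquals(Response.Status.FORBIDDEN, runFilter(request).getStatus());
}

private static void assertSuccess(DiscFilterRequest request) {
    assertNull(runFilter(request).getResponse());
}
```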