authorMorten Tokle <mortent@verizonmedia.com>2020-11-23 14:55:22 +0100
committerMorten Tokle <mortent@verizonmedia.com>2020-11-23 14:55:22 +0100
commit885cb31bad09bae15067c9c527f051ade6bb2d44 (patch)
tree81e98a80333cbc3fcaf1b14c418de7ed55b5518e /jdisc-security-filters
parentce9ccaf1a95050f1df8b0c9be3c1daab7dc416fe (diff)
Create default connector request chain
Diffstat (limited to 'jdisc-security-filters')
-rw-r--r--jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/misc/VespaTlsFilter.java21
-rw-r--r--jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/misc/VespaTlsFilterTest.java66
2 files changed, 87 insertions, 0 deletions
diff --git a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/misc/VespaTlsFilter.java b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/misc/VespaTlsFilter.java
new file mode 100644
index 00000000000..b891212031f
--- /dev/null
+++ b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/misc/VespaTlsFilter.java
@@ -0,0 +1,21 @@
+// Copyright 2020 Oath Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+
+package com.yahoo.jdisc.http.filter.security.misc;
+
+import com.yahoo.jdisc.Response;
+import com.yahoo.jdisc.http.filter.DiscFilterRequest;
+import com.yahoo.jdisc.http.filter.security.base.JsonSecurityRequestFilterBase;
+
+import java.security.cert.X509Certificate;
+import java.util.List;
+import java.util.Optional;
+
+public class VespaTlsFilter extends JsonSecurityRequestFilterBase {
+
+ @Override
+ protected Optional<ErrorResponse> filter(DiscFilterRequest request) {
+ return request.getClientCertificateChain().isEmpty()
+ ? Optional.of(new ErrorResponse(Response.Status.FORBIDDEN, "Forbidden to access this path"))
+ : Optional.empty();
+ }
+}
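Review bot: The imports of `java.security.cert.X509Certificate` and `java.util.List` at lines 31–32 are unused in this class, since `filter` only calls `isEmpty()` on the returned chain; they should be dropped so the file compiles without warnings. The class also has no Javadoc stating what it enforces; I would add `/** Rejects requests that did not present a client certificate chain. Presumes the chain itself was already validated by the TLS layer (connector); this filter only checks presence. */` above the class declaration. It is not visible here whether `getClientCertificateChain()` can return null rather than an empty list — if it can, `isEmpty()` throws and the request fails with an unhandled exception instead of a clean 403, which is worth confirming against the `DiscFilterRequest` contract.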
diff --git a/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/misc/VespaTlsFilterTest.java b/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/misc/VespaTlsFilterTest.java
new file mode 100644
index 00000000000..294126eb349
--- /dev/null
+++ b/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/misc/VespaTlsFilterTest.java
@@ -0,0 +1,66 @@
+// Copyright 2020 Oath Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+
+package com.yahoo.jdisc.http.filter.security.misc;
+
+import com.yahoo.container.jdisc.RequestHandlerTestDriver;
+import com.yahoo.jdisc.Response;
+import com.yahoo.jdisc.http.filter.DiscFilterRequest;
+import com.yahoo.security.KeyAlgorithm;
+import com.yahoo.security.KeyUtils;
+import com.yahoo.security.SignatureAlgorithm;
+import com.yahoo.security.X509CertificateBuilder;
+import org.junit.Test;
+import org.mockito.Mockito;
+
+import javax.security.auth.x500.X500Principal;
+import java.math.BigInteger;
+import java.net.URI;
+import java.security.cert.X509Certificate;
+import java.time.Instant;
+import java.time.temporal.ChronoUnit;
+import java.util.Collections;
+import java.util.List;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNull;
+import static org.mockito.Mockito.when;
+
+public class VespaTlsFilterTest {
+
+ @Test
+ public void testFilter() {
+ assertSuccess(createRequest(List.of(createCertificate())));
+ assertForbidden(createRequest(Collections.emptyList()));
+ }
+
+ private static X509Certificate createCertificate() {
+ return X509CertificateBuilder
+ .fromKeypair(
+ KeyUtils.generateKeypair(KeyAlgorithm.EC), new X500Principal("CN=test"),
+ Instant.now(), Instant.now().plus(1, ChronoUnit.DAYS),
+ SignatureAlgorithm.SHA512_WITH_ECDSA, BigInteger.valueOf(1))
+ .build();
+ }
+
+ private static DiscFilterRequest createRequest(List<X509Certificate> certChain) {
+ DiscFilterRequest request = Mockito.mock(DiscFilterRequest.class);
+ when(request.getClientCertificateChain()).thenReturn(certChain);
+ when(request.getMethod()).thenReturn("GET");
+ when(request.getUri()).thenReturn(URI.create("http://localhost:8080/"));
+ return request;
+ }
+
+ private static void assertForbidden(DiscFilterRequest request) {
+ VespaTlsFilter filter = new VespaTlsFilter();
+ RequestHandlerTestDriver.MockResponseHandler handler = new RequestHandlerTestDriver.MockResponseHandler();
+ filter.filter(request, handler);
+ assertEquals(Response.Status.FORBIDDEN, handler.getStatus());
+ }
+
+ private static void assertSuccess(DiscFilterRequest request) {
+ VespaTlsFilter filter = new VespaTlsFilter();
+ RequestHandlerTestDriver.MockResponseHandler handler = new RequestHandlerTestDriver.MockResponseHandler();
+ filter.filter(request, handler);
+ assertNull(handler.getResponse());
+ }
+}
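Review bot: The test only covers the two list cases but never asserts the failure branch's body, so a regression that changes the 403 message or status would go unnoticed only partially; consider also checking the response content for the forbidden case if `MockResponseHandler` exposes it (it is used only via `getStatus()` and `getResponse()` here, so I cannot tell). For consistency with line 81, `assertForbidden(createRequest(Collections.emptyList()));` on line 82 could use `List.of()` instead of `Collections.emptyList()`, which would also let the `java.util.Collections` import go. In `createCertificate`, `Instant.now()` is read twice (lines 89) for notBefore and notAfter; capturing it once in a local keeps the validity window exactly one day.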