authorBjørn Christian Seime <bjorncs@verizonmedia.com>2019-09-16 10:53:33 +0200
committerBjørn Christian Seime <bjorncs@verizonmedia.com>2019-09-16 10:53:33 +0200
commit0774dd451d68dfe4288066d6fd1e0799e67db6de (patch)
tree18583a5922572335ea0efe58a1faf380ded08db0 /jdisc_http_service
parentd1152f2117d932f4dba8e942f9c08527bdcdf0fa (diff)
Allow whitelisting of uri paths in combination with implicit ssl connector
Diffstat (limited to 'jdisc_http_service')
-rw-r--r--jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/impl/DefaultSslContextFactoryProvider.java35
1 files changed, 30 insertions, 5 deletions
diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/impl/DefaultSslContextFactoryProvider.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/impl/DefaultSslContextFactoryProvider.java
index 615cd5d46ad..f753084152e 100644
--- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/impl/DefaultSslContextFactoryProvider.java
+++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/impl/DefaultSslContextFactoryProvider.java
@@ -1,24 +1,49 @@
// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.jdisc.http.ssl.impl;
+import com.google.inject.Inject;
import com.yahoo.component.AbstractComponent;
+import com.yahoo.jdisc.http.ConnectorConfig;
import com.yahoo.jdisc.http.ssl.SslContextFactoryProvider;
import com.yahoo.security.tls.ConfigFileBasedTlsContext;
+import com.yahoo.security.tls.PeerAuthentication;
import com.yahoo.security.tls.TlsContext;
import com.yahoo.security.tls.TransportSecurityUtils;
import org.eclipse.jetty.util.ssl.SslContextFactory;
+import java.nio.file.Path;
+
/**
- * The default implementation of {@link SslContextFactoryProvider} to be injected into connectors without explicit ssl configuration
+ * The default implementation of {@link SslContextFactoryProvider} to be injected into connectors without explicit ssl configuration.
*
* @author bjorncs
*/
public class DefaultSslContextFactoryProvider extends AbstractComponent implements SslContextFactoryProvider {
- private final SslContextFactoryProvider instance = TransportSecurityUtils.getConfigFile()
- .map(configFile -> (SslContextFactoryProvider) new StaticTlsContextBasedProvider(
- new ConfigFileBasedTlsContext(configFile, TransportSecurityUtils.getInsecureAuthorizationMode())))
- .orElseGet(ThrowingSslContextFactoryProvider::new);
+ private final SslContextFactoryProvider instance;
+
+ @Inject
+ public DefaultSslContextFactoryProvider(ConnectorConfig connectorConfig) {
+ this.instance = TransportSecurityUtils.getConfigFile()
+ .map(configFile -> createTlsContextBasedProvider(connectorConfig, configFile))
+ .orElseGet(ThrowingSslContextFactoryProvider::new);
+ }
+
+ private static SslContextFactoryProvider createTlsContextBasedProvider(ConnectorConfig connectorConfig, Path configFile) {
+ return new StaticTlsContextBasedProvider(
+ new ConfigFileBasedTlsContext(
+ configFile, TransportSecurityUtils.getInsecureAuthorizationMode(), getPeerAuthenticationMode(connectorConfig)));
+ }
+
+ /**
+ * Allows white-listing of user provided uri paths.
+ * JDisc will delegate the enforcement of peer authentication from the TLS to the HTTP layer if {@link ConnectorConfig.TlsClientAuthEnforcer#enable()} is true.
+ */
+ private static PeerAuthentication getPeerAuthenticationMode(ConnectorConfig connectorConfig) {
+ return connectorConfig.tlsClientAuthEnforcer().enable()
+ ? PeerAuthentication.WANT
+ : PeerAuthentication.NEED;
+ }
@Override
public SslContextFactory getInstance(String containerId, int port) {