Return granted capabilities from PeerAuthorizer

Introduce new ConnectionAuthContext as replacement for AuthorizationResult/SecurityContext.

6 files changed, 22 insertions, 51 deletions

diff --git a/jrt/src/com/yahoo/jrt/Connection.java b/jrt/src/com/yahoo/jrt/Connection.java
index 00aceb7e352..644e2ef4ff3 100644
--- a/jrt/src/com/yahoo/jrt/Connection.java
+++ b/jrt/src/com/yahoo/jrt/Connection.java
@@ -1,6 +1,8 @@
 // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.jrt;
 
+import com.yahoo.security.tls.authz.ConnectionAuthContext;
+
 import java.io.IOException;
 import java.nio.ByteBuffer;
 import java.nio.channels.SelectionKey;
@@ -436,9 +438,9 @@ class Connection extends Target {
     }
 
     @Override
-    public Optional<SecurityContext> getSecurityContext() {
+    public Optional<ConnectionAuthContext> getConnectionAuthContext() {
         return Optional.ofNullable(socket)
-                .flatMap(CryptoSocket::getSecurityContext);
+                .flatMap(CryptoSocket::getConnectionAuthContext);
     }
 
     public boolean isClient() {
diff --git a/jrt/src/com/yahoo/jrt/CryptoSocket.java b/jrt/src/com/yahoo/jrt/CryptoSocket.java
index 78308b76624..aac91362405 100644
--- a/jrt/src/com/yahoo/jrt/CryptoSocket.java
+++ b/jrt/src/com/yahoo/jrt/CryptoSocket.java
@@ -2,6 +2,8 @@
 package com.yahoo.jrt;
 
 
+import com.yahoo.security.tls.authz.ConnectionAuthContext;
+
 import java.io.IOException;
 import java.nio.ByteBuffer;
 import java.nio.channels.SocketChannel;
@@ -103,10 +105,10 @@ public interface CryptoSocket {
     public void dropEmptyBuffers();
 
     /**
-     * Returns the security context for the current connection (given handshake completed),
+     * Returns the auth context for the current connection (given handshake completed),
      * or empty if the current connection is not secure.
      */
-    default public Optional<SecurityContext> getSecurityContext() {
+    default public Optional<ConnectionAuthContext> getConnectionAuthContext() {
         return Optional.empty();
     }
 }
diff --git a/jrt/src/com/yahoo/jrt/MaybeTlsCryptoSocket.java b/jrt/src/com/yahoo/jrt/MaybeTlsCryptoSocket.java
index df01f4f2fa7..42442289cd1 100644
--- a/jrt/src/com/yahoo/jrt/MaybeTlsCryptoSocket.java
+++ b/jrt/src/com/yahoo/jrt/MaybeTlsCryptoSocket.java
@@ -1,6 +1,8 @@
 // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.jrt;
 
+import com.yahoo.security.tls.authz.ConnectionAuthContext;
+
 import java.io.IOException;
 import java.nio.ByteBuffer;
 import java.nio.channels.SocketChannel;
@@ -130,5 +132,7 @@ public class MaybeTlsCryptoSocket implements CryptoSocket {
     @Override public int write(ByteBuffer src) throws IOException { return socket.write(src); }
     @Override public FlushResult flush() throws IOException { return socket.flush(); }
     @Override public void dropEmptyBuffers() { socket.dropEmptyBuffers(); }
-    @Override public Optional<SecurityContext> getSecurityContext() { return Optional.ofNullable(socket).flatMap(CryptoSocket::getSecurityContext); }
+    @Override public Optional<ConnectionAuthContext> getConnectionAuthContext() {
+        return Optional.ofNullable(socket).flatMap(CryptoSocket::getConnectionAuthContext);
+    }
 }
diff --git a/jrt/src/com/yahoo/jrt/SecurityContext.java b/jrt/src/com/yahoo/jrt/SecurityContext.java
deleted file mode 100644
index 4eef99cb93f..00000000000
--- a/jrt/src/com/yahoo/jrt/SecurityContext.java
+++ /dev/null
@@ -1,24 +0,0 @@
-// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.jrt;
-
-import java.security.cert.X509Certificate;
-import java.util.List;
-
-/**
- * @author bjorncs
- */
-public class SecurityContext {
-
-    private final List<X509Certificate> peerCertificateChain;
-
-    public SecurityContext(List<X509Certificate> peerCertificateChain) {
-        this.peerCertificateChain = peerCertificateChain;
-    }
-
-    /**
-     * @return the peer certificate chain if the peer was authenticated, empty list if not.
-     */
-    public List<X509Certificate> peerCertificateChain() {
-        return peerCertificateChain;
-    }
-}
diff --git a/jrt/src/com/yahoo/jrt/Target.java b/jrt/src/com/yahoo/jrt/Target.java
index a59aa341fe0..239a71f53b3 100644
--- a/jrt/src/com/yahoo/jrt/Target.java
+++ b/jrt/src/com/yahoo/jrt/Target.java
@@ -1,6 +1,8 @@
 // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.jrt;
 
+import com.yahoo.security.tls.authz.ConnectionAuthContext;
+
 import java.util.Optional;
 
 /**
@@ -69,9 +71,9 @@ public abstract class Target {
     public Exception getConnectionLostReason() { return null; }
 
     /**
-     * Returns the security context associated with this target, or empty if no connection or is insecure.
+     * Returns the connection auth context associated with this target, or empty if no connection or is insecure.
      */
-    public abstract Optional<SecurityContext> getSecurityContext();
+    public abstract Optional<ConnectionAuthContext> getConnectionAuthContext();
 
     /**
      * Check if this target represents the client side of a
diff --git a/jrt/src/com/yahoo/jrt/TlsCryptoSocket.java b/jrt/src/com/yahoo/jrt/TlsCryptoSocket.java
index a899938dd45..40cb7c3938a 100644
--- a/jrt/src/com/yahoo/jrt/TlsCryptoSocket.java
+++ b/jrt/src/com/yahoo/jrt/TlsCryptoSocket.java
@@ -1,7 +1,7 @@
 // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.jrt;
 
-import com.yahoo.security.tls.authz.AuthorizationResult;
+import com.yahoo.security.tls.authz.ConnectionAuthContext;
 import com.yahoo.security.tls.authz.PeerAuthorizerTrustManager;
 
 import javax.net.ssl.SSLEngine;
@@ -9,19 +9,14 @@ import javax.net.ssl.SSLEngineResult;
 import javax.net.ssl.SSLEngineResult.HandshakeStatus;
 import javax.net.ssl.SSLException;
 import javax.net.ssl.SSLHandshakeException;
-import javax.net.ssl.SSLPeerUnverifiedException;
 import javax.net.ssl.SSLSession;
 import java.io.IOException;
 import java.nio.ByteBuffer;
 import java.nio.channels.ClosedChannelException;
 import java.nio.channels.SocketChannel;
-import java.security.cert.X509Certificate;
-import java.util.Arrays;
-import java.util.List;
 import java.util.Optional;
 import java.util.logging.Logger;
 
-import static java.util.stream.Collectors.toList;
 import static javax.net.ssl.SSLEngineResult.Status;
 
 /**
@@ -46,7 +41,7 @@ public class TlsCryptoSocket implements CryptoSocket {
     private int sessionApplicationBufferSize;
     private ByteBuffer handshakeDummyBuffer;
     private HandshakeState handshakeState;
-    private AuthorizationResult authorizationResult;
+    private ConnectionAuthContext authorizationResult;
 
     public TlsCryptoSocket(SocketChannel channel, SSLEngine sslEngine) {
         this.channel = channel;
@@ -224,19 +219,9 @@ public class TlsCryptoSocket implements CryptoSocket {
     }
 
     @Override
-    public Optional<SecurityContext> getSecurityContext() {
-        try {
-            if (handshakeState != HandshakeState.COMPLETED) {
-                return Optional.empty();
-            }
-            List<X509Certificate> peerCertificateChain =
-                    Arrays.stream(sslEngine.getSession().getPeerCertificates())
-                            .map(X509Certificate.class::cast)
-                            .collect(toList());
-            return Optional.of(new SecurityContext(peerCertificateChain));
-        } catch (SSLPeerUnverifiedException e) { // unverified peer: non-certificate based ciphers or peer did not provide a certificate
-            return Optional.of(new SecurityContext(List.of())); // secure connection, but peer does not have a certificate chain.
-        }
+    public Optional<ConnectionAuthContext> getConnectionAuthContext() {
+        if (handshakeState != HandshakeState.COMPLETED) return Optional.empty();
+        return Optional.ofNullable(authorizationResult);
     }
 
     private boolean handshakeWrap() throws IOException {