authorBjørn Christian Seime <bjorncs@yahooinc.com>2022-07-13 16:53:43 +0200
committerBjørn Christian Seime <bjorncs@yahooinc.com>2022-07-15 15:35:10 +0200
commiteed3e5deaf3fd13c353361e45420735a93d0f3d0 (patch)
treeb4e738c5cf85775153237ec07ea08f4e97d224f1 /jrt
parentff26daaf31ec0567dc6a9049d5e275cf7c4810dc (diff)
Return granted capabilities from PeerAuthorizer
Introduce a new ConnectionAuthContext as a replacement for AuthorizationResult/SecurityContext.
Diffstat (limited to 'jrt')
-rw-r--r--jrt/src/com/yahoo/jrt/Connection.java6
-rw-r--r--jrt/src/com/yahoo/jrt/CryptoSocket.java6
-rw-r--r--jrt/src/com/yahoo/jrt/MaybeTlsCryptoSocket.java6
-rw-r--r--jrt/src/com/yahoo/jrt/SecurityContext.java24
-rw-r--r--jrt/src/com/yahoo/jrt/Target.java6
-rw-r--r--jrt/src/com/yahoo/jrt/TlsCryptoSocket.java25
-rw-r--r--jrt/tests/com/yahoo/jrt/EchoTest.java27
7 files changed, 36 insertions, 64 deletions
diff --git a/jrt/src/com/yahoo/jrt/Connection.java b/jrt/src/com/yahoo/jrt/Connection.java
index 00aceb7e352..644e2ef4ff3 100644
--- a/jrt/src/com/yahoo/jrt/Connection.java
+++ b/jrt/src/com/yahoo/jrt/Connection.java
@@ -1,6 +1,8 @@
// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.jrt;
+import com.yahoo.security.tls.authz.ConnectionAuthContext;
+
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.channels.SelectionKey;
@@ -436,9 +438,9 @@ class Connection extends Target {
}
@Override
- public Optional<SecurityContext> getSecurityContext() {
+ public Optional<ConnectionAuthContext> getConnectionAuthContext() {
return Optional.ofNullable(socket)
- .flatMap(CryptoSocket::getSecurityContext);
+ .flatMap(CryptoSocket::getConnectionAuthContext);
}
public boolean isClient() {
diff --git a/jrt/src/com/yahoo/jrt/CryptoSocket.java b/jrt/src/com/yahoo/jrt/CryptoSocket.java
index 78308b76624..aac91362405 100644
--- a/jrt/src/com/yahoo/jrt/CryptoSocket.java
+++ b/jrt/src/com/yahoo/jrt/CryptoSocket.java
@@ -2,6 +2,8 @@
package com.yahoo.jrt;
+import com.yahoo.security.tls.authz.ConnectionAuthContext;
+
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.channels.SocketChannel;
@@ -103,10 +105,10 @@ public interface CryptoSocket {
public void dropEmptyBuffers();
/**
- * Returns the security context for the current connection (given handshake completed),
+ * Returns the auth context for the current connection (given handshake completed),
* or empty if the current connection is not secure.
*/
- default public Optional<SecurityContext> getSecurityContext() {
+ default public Optional<ConnectionAuthContext> getConnectionAuthContext() {
return Optional.empty();
}
}
diff --git a/jrt/src/com/yahoo/jrt/MaybeTlsCryptoSocket.java b/jrt/src/com/yahoo/jrt/MaybeTlsCryptoSocket.java
index df01f4f2fa7..42442289cd1 100644
--- a/jrt/src/com/yahoo/jrt/MaybeTlsCryptoSocket.java
+++ b/jrt/src/com/yahoo/jrt/MaybeTlsCryptoSocket.java
@@ -1,6 +1,8 @@
// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.jrt;
+import com.yahoo.security.tls.authz.ConnectionAuthContext;
+
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.channels.SocketChannel;
@@ -130,5 +132,7 @@ public class MaybeTlsCryptoSocket implements CryptoSocket {
@Override public int write(ByteBuffer src) throws IOException { return socket.write(src); }
@Override public FlushResult flush() throws IOException { return socket.flush(); }
@Override public void dropEmptyBuffers() { socket.dropEmptyBuffers(); }
- @Override public Optional<SecurityContext> getSecurityContext() { return Optional.ofNullable(socket).flatMap(CryptoSocket::getSecurityContext); }
+ @Override public Optional<ConnectionAuthContext> getConnectionAuthContext() {
+ return Optional.ofNullable(socket).flatMap(CryptoSocket::getConnectionAuthContext);
+ }
}
diff --git a/jrt/src/com/yahoo/jrt/SecurityContext.java b/jrt/src/com/yahoo/jrt/SecurityContext.java
deleted file mode 100644
index 4eef99cb93f..00000000000
--- a/jrt/src/com/yahoo/jrt/SecurityContext.java
+++ /dev/null
@@ -1,24 +0,0 @@
-// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.jrt;
-
-import java.security.cert.X509Certificate;
-import java.util.List;
-
-/**
- * @author bjorncs
- */
-public class SecurityContext {
-
- private final List<X509Certificate> peerCertificateChain;
-
- public SecurityContext(List<X509Certificate> peerCertificateChain) {
- this.peerCertificateChain = peerCertificateChain;
- }
-
- /**
- * @return the peer certificate chain if the peer was authenticated, empty list if not.
- */
- public List<X509Certificate> peerCertificateChain() {
- return peerCertificateChain;
- }
-}
diff --git a/jrt/src/com/yahoo/jrt/Target.java b/jrt/src/com/yahoo/jrt/Target.java
index a59aa341fe0..239a71f53b3 100644
--- a/jrt/src/com/yahoo/jrt/Target.java
+++ b/jrt/src/com/yahoo/jrt/Target.java
@@ -1,6 +1,8 @@
// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.jrt;
+import com.yahoo.security.tls.authz.ConnectionAuthContext;
+
import java.util.Optional;
/**
@@ -69,9 +71,9 @@ public abstract class Target {
public Exception getConnectionLostReason() { return null; }
/**
- * Returns the security context associated with this target, or empty if no connection or is insecure.
+ * Returns the connection auth context associated with this target, or empty if no connection or is insecure.
*/
- public abstract Optional<SecurityContext> getSecurityContext();
+ public abstract Optional<ConnectionAuthContext> getConnectionAuthContext();
/**
* Check if this target represents the client side of a
diff --git a/jrt/src/com/yahoo/jrt/TlsCryptoSocket.java b/jrt/src/com/yahoo/jrt/TlsCryptoSocket.java
index a899938dd45..40cb7c3938a 100644
--- a/jrt/src/com/yahoo/jrt/TlsCryptoSocket.java
+++ b/jrt/src/com/yahoo/jrt/TlsCryptoSocket.java
@@ -1,7 +1,7 @@
// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.jrt;
-import com.yahoo.security.tls.authz.AuthorizationResult;
+import com.yahoo.security.tls.authz.ConnectionAuthContext;
import com.yahoo.security.tls.authz.PeerAuthorizerTrustManager;
import javax.net.ssl.SSLEngine;
@@ -9,19 +9,14 @@ import javax.net.ssl.SSLEngineResult;
import javax.net.ssl.SSLEngineResult.HandshakeStatus;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLHandshakeException;
-import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.channels.ClosedChannelException;
import java.nio.channels.SocketChannel;
-import java.security.cert.X509Certificate;
-import java.util.Arrays;
-import java.util.List;
import java.util.Optional;
import java.util.logging.Logger;
-import static java.util.stream.Collectors.toList;
import static javax.net.ssl.SSLEngineResult.Status;
/**
@@ -46,7 +41,7 @@ public class TlsCryptoSocket implements CryptoSocket {
private int sessionApplicationBufferSize;
private ByteBuffer handshakeDummyBuffer;
private HandshakeState handshakeState;
- private AuthorizationResult authorizationResult;
+ private ConnectionAuthContext authorizationResult;
public TlsCryptoSocket(SocketChannel channel, SSLEngine sslEngine) {
this.channel = channel;
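Review bot: The field keeps the name `authorizationResult` while its type on the new side becomes `ConnectionAuthContext`, so the name no longer says what the field holds or what `getConnectionAuthContext` later returns. Renaming it to `connectionAuthContext` would match the accessor and the imported type; its assignment is not in this hunk and would need the same rename. The enclosing class starts outside the hunk.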
@@ -224,19 +219,9 @@ public class TlsCryptoSocket implements CryptoSocket {
}
@Override
- public Optional<SecurityContext> getSecurityContext() {
- try {
- if (handshakeState != HandshakeState.COMPLETED) {
- return Optional.empty();
- }
- List<X509Certificate> peerCertificateChain =
- Arrays.stream(sslEngine.getSession().getPeerCertificates())
- .map(X509Certificate.class::cast)
- .collect(toList());
- return Optional.of(new SecurityContext(peerCertificateChain));
- } catch (SSLPeerUnverifiedException e) { // unverified peer: non-certificate based ciphers or peer did not provide a certificate
- return Optional.of(new SecurityContext(List.of())); // secure connection, but peer does not have a certificate chain.
- }
+ public Optional<ConnectionAuthContext> getConnectionAuthContext() {
+ if (handshakeState != HandshakeState.COMPLETED) return Optional.empty();
+ return Optional.ofNullable(authorizationResult);
}
private boolean handshakeWrap() throws IOException {
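Review bot: `getConnectionAuthContext` now returns `Optional.empty()` whenever `authorizationResult` is null after a completed handshake, so a caller reading the CryptoSocket Javadoc ("empty if the current connection is not secure") can no longer distinguish a TLS connection that has no auth context from a plaintext one; the removed implementation returned a present context with an empty chain in that case. If the trust manager is guaranteed to populate the field before `handshakeState` becomes COMPLETED, that invariant should be stated on the field, e.g. `// Populated by PeerAuthorizerTrustManager during the handshake; expected non-null once handshakeState == COMPLETED`; if it is not guaranteed, the empty result silently merges two different states and deserves an explicit comment or an `IllegalStateException`. The assignment of `authorizationResult` is not visible in this hunk, and the enclosing class starts outside it.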
diff --git a/jrt/tests/com/yahoo/jrt/EchoTest.java b/jrt/tests/com/yahoo/jrt/EchoTest.java
index 26d4315fad6..7213068c0f9 100644
--- a/jrt/tests/com/yahoo/jrt/EchoTest.java
+++ b/jrt/tests/com/yahoo/jrt/EchoTest.java
@@ -2,6 +2,7 @@
package com.yahoo.jrt;
+import com.yahoo.security.tls.authz.ConnectionAuthContext;
import org.junit.After;
import org.junit.Before;
import org.junit.runner.RunWith;
@@ -28,19 +29,19 @@ public class EchoTest {
Supervisor client;
Target target;
Values refValues;
- SecurityContext securityContext;
+ ConnectionAuthContext connAuthCtx;
private interface MetricsAssertions {
void assertMetrics(TransportMetrics.Snapshot snapshot) throws AssertionError;
}
- private interface SecurityContextAssertion {
- void assertSecurityContext(SecurityContext securityContext) throws AssertionError;
+ private interface ConnectionAuthContextAssertion {
+ void assertConnectionAuthContext(ConnectionAuthContext authContext) throws AssertionError;
}
@Parameter(value = 0) public CryptoEngine crypto;
@Parameter(value = 1) public MetricsAssertions metricsAssertions;
- @Parameter(value = 2) public SecurityContextAssertion securityContextAssertion;
+ @Parameter(value = 2) public ConnectionAuthContextAssertion connAuthCtxAssertion;
@Parameters(name = "{0}") public static Object[] engines() {
@@ -62,8 +63,8 @@ public class EchoTest {
assertEquals(1, metrics.serverTlsConnectionsEstablished());
assertEquals(1, metrics.clientTlsConnectionsEstablished());
},
- (SecurityContextAssertion) context -> {
- List<X509Certificate> chain = context.peerCertificateChain();
+ (ConnectionAuthContextAssertion) context -> {
+ List<X509Certificate> chain = context.peerCertificate();
assertEquals(1, chain.size());
assertEquals(CryptoUtils.certificate, chain.get(0));
}},
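Review bot: The assertion lambda on the new side still checks only the peer certificate chain via `context.peerCertificate()`, so nothing in the test pins the granted capabilities that the commit title says `ConnectionAuthContext` now carries; the lambda in the next hunk has the same gap. If the context exposes an accessor for the granted capabilities, an assertion on it in the authenticated cases would cover the behaviour the commit introduces. As a side note, the local is declared `List<X509Certificate>`, so `peerCertificate()` returns a chain under a singular name; that accessor is defined outside this diff.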
@@ -80,8 +81,8 @@ public class EchoTest {
assertEquals(1, metrics.serverTlsConnectionsEstablished());
assertEquals(1, metrics.clientTlsConnectionsEstablished());
},
- (SecurityContextAssertion) context -> {
- List<X509Certificate> chain = context.peerCertificateChain();
+ (ConnectionAuthContextAssertion) context -> {
+ List<X509Certificate> chain = context.peerCertificate();
assertEquals(1, chain.size());
assertEquals(CryptoUtils.certificate, chain.get(0));
}}};
@@ -146,7 +147,7 @@ public class EchoTest {
for (int i = 0; i < p.size(); i++) {
r.add(p.get(i));
}
- securityContext = req.target().getSecurityContext().orElse(null);
+ connAuthCtx = req.target().getConnectionAuthContext().orElse(null);
}
@org.junit.Test
@@ -164,11 +165,11 @@ public class EchoTest {
if (metricsAssertions != null) {
metricsAssertions.assertMetrics(metrics.snapshot().changesSince(startSnapshot));
}
- if (securityContextAssertion != null) {
- assertNotNull(securityContext);
- securityContextAssertion.assertSecurityContext(securityContext);
+ if (connAuthCtxAssertion != null) {
+ assertNotNull(connAuthCtx);
+ connAuthCtxAssertion.assertConnectionAuthContext(connAuthCtx);
} else {
- assertNull(securityContext);
+ assertNull(connAuthCtx);
}
}
}