authorBjørn Christian Seime <bjorncs@yahooinc.com>2022-07-21 14:56:51 +0200
committerBjørn Christian Seime <bjorncs@yahooinc.com>2022-07-21 15:30:19 +0200
commitf4965306b79f0015ca9e8e32072877e57f7f532c (patch)
treec3bc93a0916de30dcb70435531c1aa850b27c51c /jrt
parentd2864cf3be9a93d784ac98b6beee0813dc60b290 (diff)
Move logic for capability checking/logging to ConnectionAuthContext
Diffstat (limited to 'jrt')
-rw-r--r--jrt/src/com/yahoo/jrt/RequireCapabilitiesFilter.java30
1 files changed, 2 insertions, 28 deletions
diff --git a/jrt/src/com/yahoo/jrt/RequireCapabilitiesFilter.java b/jrt/src/com/yahoo/jrt/RequireCapabilitiesFilter.java
index bb2eafcf711..8b7fc3c1a46 100644
--- a/jrt/src/com/yahoo/jrt/RequireCapabilitiesFilter.java
+++ b/jrt/src/com/yahoo/jrt/RequireCapabilitiesFilter.java
@@ -2,24 +2,13 @@
package com.yahoo.jrt;
import com.yahoo.security.tls.Capability;
-import com.yahoo.security.tls.CapabilityMode;
import com.yahoo.security.tls.CapabilitySet;
-import com.yahoo.security.tls.ConnectionAuthContext;
-import com.yahoo.security.tls.TransportSecurityUtils;
-
-import java.util.logging.Logger;
-
-import static com.yahoo.security.tls.CapabilityMode.DISABLE;
-import static com.yahoo.security.tls.CapabilityMode.LOG_ONLY;
/**
* @author bjorncs
*/
public class RequireCapabilitiesFilter implements RequestAccessFilter {
- private static final Logger log = Logger.getLogger(RequireCapabilitiesFilter.class.getName());
- private static final CapabilityMode MODE = TransportSecurityUtils.getCapabilityMode();
-
private final CapabilitySet requiredCapabilities;
public RequireCapabilitiesFilter(CapabilitySet requiredCapabilities) {
@@ -32,23 +21,8 @@ public class RequireCapabilitiesFilter implements RequestAccessFilter {
@Override
public boolean allow(Request r) {
- if (MODE == DISABLE) return true;
- ConnectionAuthContext ctx = r.target().connectionAuthContext();
- CapabilitySet peerCapabilities = ctx.capabilities();
- boolean authorized = peerCapabilities.has(requiredCapabilities);
- if (!authorized) {
- String msg = "%sPermission denied for RPC method '%s'. Peer at %s with %s. Call requires %s, but peer has %s"
- .formatted(MODE == LOG_ONLY ? "Dry-run: " : "", r.methodName(), r.target().peerSpec(), ctx.peerCertificateString().orElseThrow(),
- requiredCapabilities.toNames(), peerCapabilities.toNames());
- if (MODE == LOG_ONLY) {
- log.info(msg);
- return true;
- } else {
- log.warning(msg);
- return false;
- }
- }
- return true;
+ return r.target().connectionAuthContext()
+ .hasCapabilities(requiredCapabilities, "RPC", r.methodName(), r.target().peerSpec().toString());
}
}
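Review bot: The allow/deny result of `allow(Request r)` now rests entirely on `ConnectionAuthContext.hasCapabilities`, whose body is not part of this diff (the page is limited to 'jrt'). The DISABLE and LOG_ONLY handling and the warning on denial that were removed here therefore cannot be confirmed from these lines. Because a filter that returns true in dry-run mode is easy to mistake for an enforcing one, I would add a Javadoc on the method, for example `/** Delegates the capability check and denial logging to ConnectionAuthContext#hasCapabilities; the result follows the configured capability mode, so it may be true for a peer lacking requiredCapabilities. */`, assuming the mode logic did move as the commit title says. The `"RPC"` literal would also read better as a named constant, and a test with a peer that lacks the required capabilities would pin the denial path.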