diff options
author | Bjørn Christian Seime <bjorncs@yahooinc.com> | 2022-07-21 14:56:51 +0200 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@yahooinc.com> | 2022-07-21 15:30:19 +0200 |
commit | f4965306b79f0015ca9e8e32072877e57f7f532c (patch) | |
tree | c3bc93a0916de30dcb70435531c1aa850b27c51c /jrt | |
parent | d2864cf3be9a93d784ac98b6beee0813dc60b290 (diff) |
Move logic for capability checking/logging to ConnectionAuthContext
Diffstat (limited to 'jrt')
-rw-r--r-- | jrt/src/com/yahoo/jrt/RequireCapabilitiesFilter.java | 30 |
1 files changed, 2 insertions, 28 deletions
diff --git a/jrt/src/com/yahoo/jrt/RequireCapabilitiesFilter.java b/jrt/src/com/yahoo/jrt/RequireCapabilitiesFilter.java index bb2eafcf711..8b7fc3c1a46 100644 --- a/jrt/src/com/yahoo/jrt/RequireCapabilitiesFilter.java +++ b/jrt/src/com/yahoo/jrt/RequireCapabilitiesFilter.java @@ -2,24 +2,13 @@ package com.yahoo.jrt; import com.yahoo.security.tls.Capability; -import com.yahoo.security.tls.CapabilityMode; import com.yahoo.security.tls.CapabilitySet; -import com.yahoo.security.tls.ConnectionAuthContext; -import com.yahoo.security.tls.TransportSecurityUtils; - -import java.util.logging.Logger; - -import static com.yahoo.security.tls.CapabilityMode.DISABLE; -import static com.yahoo.security.tls.CapabilityMode.LOG_ONLY; /** * @author bjorncs */ public class RequireCapabilitiesFilter implements RequestAccessFilter { - private static final Logger log = Logger.getLogger(RequireCapabilitiesFilter.class.getName()); - private static final CapabilityMode MODE = TransportSecurityUtils.getCapabilityMode(); - private final CapabilitySet requiredCapabilities; public RequireCapabilitiesFilter(CapabilitySet requiredCapabilities) { @@ -32,23 +21,8 @@ public class RequireCapabilitiesFilter implements RequestAccessFilter { @Override public boolean allow(Request r) { - if (MODE == DISABLE) return true; - ConnectionAuthContext ctx = r.target().connectionAuthContext(); - CapabilitySet peerCapabilities = ctx.capabilities(); - boolean authorized = peerCapabilities.has(requiredCapabilities); - if (!authorized) { - String msg = "%sPermission denied for RPC method '%s'. Peer at %s with %s. Call requires %s, but peer has %s" - .formatted(MODE == LOG_ONLY ? "Dry-run: " : "", r.methodName(), r.target().peerSpec(), ctx.peerCertificateString().orElseThrow(), - requiredCapabilities.toNames(), peerCapabilities.toNames()); - if (MODE == LOG_ONLY) { - log.info(msg); - return true; - } else { - log.warning(msg); - return false; - } - } - return true; + return r.target().connectionAuthContext() + .hasCapabilities(requiredCapabilities, "RPC", r.methodName(), r.target().peerSpec().toString()); } } |