authorBjørn Christian Seime <bjorncs@yahooinc.com>2022-07-20 13:44:00 +0200
committerBjørn Christian Seime <bjorncs@yahooinc.com>2022-07-20 13:56:34 +0200
commit2e3005c471ba6520b17438c93f4a36369cbc3acd (patch)
tree90d3d6c4a9acbf323512d201f62b5bf1c8df3480 /security-utils/src/main/java/com/yahoo/security/tls/ConnectionAuthContext.java
parent6c9dcea0e9c3b9dd3a1b8979c84d2d2fe5b17e4c (diff)
Implement RequireCapabilitiesFilter in jrt + misc
Add peerSpec to Target/Connection. Always provide ConnectionAuthContext. Add helper for creating default, all-granting ConnectionAuthContext.
Diffstat (limited to 'security-utils/src/main/java/com/yahoo/security/tls/ConnectionAuthContext.java')
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/ConnectionAuthContext.java10
1 files changed, 7 insertions, 3 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/ConnectionAuthContext.java b/security-utils/src/main/java/com/yahoo/security/tls/ConnectionAuthContext.java
index e244d5ad23f..3ee6ed1dcaa 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/ConnectionAuthContext.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/ConnectionAuthContext.java
@@ -18,8 +18,10 @@ public record ConnectionAuthContext(List<X509Certificate> peerCertificateChain,
CapabilitySet capabilities,
Set<String> matchedPolicies) {
+ private static final ConnectionAuthContext DEFAULT_ALL_CAPABILITIES =
+ new ConnectionAuthContext(List.of(), CapabilitySet.all(), Set.of());
+
public ConnectionAuthContext {
- if (peerCertificateChain.isEmpty()) throw new IllegalArgumentException("Peer certificate chain is empty");
peerCertificateChain = List.copyOf(peerCertificateChain);
matchedPolicies = Set.copyOf(matchedPolicies);
}
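Review bot: Removing the `if (peerCertificateChain.isEmpty()) throw new IllegalArgumentException(...)` guard from the compact constructor makes every combination of empty chain, capabilities and policies constructible, not just the `DEFAULT_ALL_CAPABILITIES` instance defined above it; a caller can now build a context that reports matched policies for a peer that presented no certificate at all. If the default is the only legitimate empty-chain instance, keep a narrower invariant such as `if (peerCertificateChain.isEmpty() && !matchedPolicies.isEmpty()) throw new IllegalArgumentException("Policies cannot match without a peer certificate");` — this presumes policies are matched against the peer certificate, which the hunk itself does not show. The constant also deserves a comment stating what it represents, e.g. `// Sentinel for connections without peer authentication; grants every capability, so only use where TLS/capability enforcement is intentionally disabled.`. Since the record and its canonical constructor are public, code elsewhere that relied on the old non-empty guarantee (for example indexing `peerCertificateChain().get(0)`) should be audited now that an empty chain is a valid state.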
@@ -33,7 +35,7 @@ public record ConnectionAuthContext(List<X509Certificate> peerCertificateChain,
public Optional<String> peerCertificateString() {
X509Certificate cert = peerCertificate().orElse(null);
if (cert == null) return Optional.empty();
- StringBuilder b = new StringBuilder("X.509Cert{");
+ StringBuilder b = new StringBuilder("[");
String cn = X509CertificateUtils.getSubjectCommonName(cert).orElse(null);
if (cn != null) {
b.append("CN='").append(cn).append("'");
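Review bot: The common name appended at `b.append("CN='").append(cn).append("'")` goes into the summary string unescaped; the CN and the SAN values that follow are taken from the peer's certificate, so a value containing `'`, `,` or a line break can make the rendered string ambiguous or forge extra fields if it ends up in a log line. Consider stripping control characters before appending, e.g. `b.append("CN='").append(cn.replaceAll("\\p{Cntrl}", "?")).append("'");`, or document on the method that the output is for human-readable diagnostics only and must not be parsed. This behavior predates the commit; the delimiter change here does not alter it, and peerCertificateString continues past the end of this hunk.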
@@ -55,7 +57,9 @@ public record ConnectionAuthContext(List<X509Certificate> peerCertificateChain,
if (cn != null || !dnsNames.isEmpty()) b.append(", ");
b.append("SAN_URI=").append(uris);
}
- return Optional.of(b.append("}").toString());
+ return Optional.of(b.append("]").toString());
}
+ public static ConnectionAuthContext defaultAllCapabilities() { return DEFAULT_ALL_CAPABILITIES; }
+
}
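Review bot: `defaultAllCapabilities()` is a public factory that hands out a context with no peer certificate, no matched policies and `CapabilitySet.all()`, yet it carries no Javadoc saying when that is acceptable to use. Add one above the method, e.g. `/** Returns a context for connections without peer authentication. It grants every capability, so it must only be used where TLS or capability enforcement is intentionally disabled. */`, so a future caller does not reach for it as a convenient default on an authenticated path. The added blank line would also read better before the method than after it, separating it from `peerCertificateString` instead of from the closing brace.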