authorBjørn Christian Seime <bjorncs@verizonmedia.com>2022-07-19 14:30:27 +0200
committerGitHub <noreply@github.com>2022-07-19 14:30:27 +0200
commit46ba1b00aa19e937e2c257b34c23417adeef56eb (patch)
tree7e595f7ca0c17bc74b07c18472f4cd2d4f57c4d4 /security-utils/src/main/java/com/yahoo/security/tls/authz/ConnectionAuthContext.java
parent8be6dd28753425126507b68c93a24607124871eb (diff)
parent529a26d7e1062a006196366454f1a047ca31202c (diff)
Merge pull request #23496 from vespa-engine/bjorncs/capabilitiesv8.21.11
Bjorncs/capabilities
Diffstat (limited to 'security-utils/src/main/java/com/yahoo/security/tls/authz/ConnectionAuthContext.java')
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/authz/ConnectionAuthContext.java26
1 files changed, 26 insertions, 0 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/authz/ConnectionAuthContext.java b/security-utils/src/main/java/com/yahoo/security/tls/authz/ConnectionAuthContext.java
new file mode 100644
index 00000000000..877ba4e74bd
--- /dev/null
+++ b/security-utils/src/main/java/com/yahoo/security/tls/authz/ConnectionAuthContext.java
@@ -0,0 +1,26 @@
+package com.yahoo.security.tls.authz;
+
+import com.yahoo.security.tls.policy.CapabilitySet;
+
+import java.security.cert.X509Certificate;
+import java.util.List;
+import java.util.Set;
+
+/**
+ * @author bjorncs
+ */
+public record ConnectionAuthContext(List<X509Certificate> peerCertificateChain,
+ CapabilitySet capabilities,
+ Set<String> matchedPolicies) {
+
+ public ConnectionAuthContext {
+ if (peerCertificateChain.isEmpty()) throw new IllegalArgumentException("Peer certificate chain is empty");
+ peerCertificateChain = List.copyOf(peerCertificateChain);
+ matchedPolicies = Set.copyOf(matchedPolicies);
+ }
+
+ public boolean authorized() { return !capabilities.hasNone(); }
+
+ public X509Certificate peerCertificate() { return peerCertificateChain.get(0); }
+
+}
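Review bot: The compact constructor never checks `capabilities`, so a null capability set is accepted at construction and only surfaces as a NullPointerException when `authorized()` is called on the authorization path. Adding `Objects.requireNonNull(capabilities, "capabilities");` (plus `import java.util.Objects;`) next to the chain check would reject it where the context is built. The other two components are already null-hostile through `isEmpty()`, `List.copyOf` and `Set.copyOf`. The record also has no Javadoc beyond `@author`. I would document that `authorized()` only means the capability set is not empty, so callers still have to check for the specific capability an operation requires. I would also document that `peerCertificate()` returns element 0 of the chain, presumably the peer's leaf certificate if the chain is passed in the order the TLS layer reports it.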