diff options
author | Bjørn Christian Seime <bjorncs@yahooinc.com> | 2022-07-20 13:44:00 +0200 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@yahooinc.com> | 2022-07-20 13:56:34 +0200 |
commit | 2e3005c471ba6520b17438c93f4a36369cbc3acd (patch) | |
tree | 90d3d6c4a9acbf323512d201f62b5bf1c8df3480 /security-utils/src | |
parent | 6c9dcea0e9c3b9dd3a1b8979c84d2d2fe5b17e4c (diff) |
Implement RequireCapabilitiesFilter in jrt + misc
Add peerSpec to Target/Connection. Always provide ConnectionAuthContext.
Add helper for creating default, all-granting ConnectionAuthContext.
Diffstat (limited to 'security-utils/src')
3 files changed, 9 insertions, 8 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/ConnectionAuthContext.java b/security-utils/src/main/java/com/yahoo/security/tls/ConnectionAuthContext.java index e244d5ad23f..3ee6ed1dcaa 100644 --- a/security-utils/src/main/java/com/yahoo/security/tls/ConnectionAuthContext.java +++ b/security-utils/src/main/java/com/yahoo/security/tls/ConnectionAuthContext.java @@ -18,8 +18,10 @@ public record ConnectionAuthContext(List<X509Certificate> peerCertificateChain, CapabilitySet capabilities, Set<String> matchedPolicies) { + private static final ConnectionAuthContext DEFAULT_ALL_CAPABILITIES = + new ConnectionAuthContext(List.of(), CapabilitySet.all(), Set.of()); + public ConnectionAuthContext { - if (peerCertificateChain.isEmpty()) throw new IllegalArgumentException("Peer certificate chain is empty"); peerCertificateChain = List.copyOf(peerCertificateChain); matchedPolicies = Set.copyOf(matchedPolicies); } @@ -33,7 +35,7 @@ public record ConnectionAuthContext(List<X509Certificate> peerCertificateChain, public Optional<String> peerCertificateString() { X509Certificate cert = peerCertificate().orElse(null); if (cert == null) return Optional.empty(); - StringBuilder b = new StringBuilder("X.509Cert{"); + StringBuilder b = new StringBuilder("["); String cn = X509CertificateUtils.getSubjectCommonName(cert).orElse(null); if (cn != null) { b.append("CN='").append(cn).append("'"); @@ -55,7 +57,9 @@ public record ConnectionAuthContext(List<X509Certificate> peerCertificateChain, if (cn != null || !dnsNames.isEmpty()) b.append(", "); b.append("SAN_URI=").append(uris); } - return Optional.of(b.append("}").toString()); + return Optional.of(b.append("]").toString()); } + public static ConnectionAuthContext defaultAllCapabilities() { return DEFAULT_ALL_CAPABILITIES; } + } diff --git a/security-utils/src/main/java/com/yahoo/security/tls/PeerAuthorizer.java b/security-utils/src/main/java/com/yahoo/security/tls/PeerAuthorizer.java index 608a8c9c933..99787725063 100644 --- a/security-utils/src/main/java/com/yahoo/security/tls/PeerAuthorizer.java +++ b/security-utils/src/main/java/com/yahoo/security/tls/PeerAuthorizer.java @@ -35,9 +35,7 @@ public class PeerAuthorizer { public ConnectionAuthContext authorizePeer(X509Certificate cert) { return authorizePeer(List.of(cert)); } public ConnectionAuthContext authorizePeer(List<X509Certificate> certChain) { - if (authorizedPeers.isEmpty()) { - return new ConnectionAuthContext(certChain, CapabilitySet.all(), Set.of()); - } + if (authorizedPeers.isEmpty()) return ConnectionAuthContext.defaultAllCapabilities(); X509Certificate cert = certChain.get(0); Set<String> matchedPolicies = new HashSet<>(); Set<CapabilitySet> grantedCapabilities = new HashSet<>(); diff --git a/security-utils/src/main/java/com/yahoo/security/tls/PeerAuthorizerTrustManager.java b/security-utils/src/main/java/com/yahoo/security/tls/PeerAuthorizerTrustManager.java index 089023e55f1..e6239e3f694 100644 --- a/security-utils/src/main/java/com/yahoo/security/tls/PeerAuthorizerTrustManager.java +++ b/security-utils/src/main/java/com/yahoo/security/tls/PeerAuthorizerTrustManager.java @@ -14,7 +14,6 @@ import java.security.cert.CertificateException; import java.security.cert.X509Certificate; import java.util.List; import java.util.Optional; -import java.util.Set; import java.util.logging.Logger; /** @@ -106,7 +105,7 @@ public class PeerAuthorizerTrustManager extends X509ExtendedTrustManager { log.fine(() -> "Verifying certificate: " + createInfoString(certChain[0], authType, isVerifyingClient)); ConnectionAuthContext result = mode != AuthorizationMode.DISABLE ? authorizer.authorizePeer(List.of(certChain)) - : new ConnectionAuthContext(List.of(certChain), CapabilitySet.all(), Set.of()); + : ConnectionAuthContext.defaultAllCapabilities(); if (sslEngine != null) { // getHandshakeSession() will never return null in this context sslEngine.getHandshakeSession().putValue(HANDSHAKE_SESSION_AUTH_CONTEXT_PROPERTY, result); } |