authorBjørn Christian Seime <bjorncs@oath.com>2018-12-05 16:28:17 +0100
committerBjørn Christian Seime <bjorncs@oath.com>2018-12-05 16:35:35 +0100
commit6a33af1752ef731a368e4947f2afb123e8151c58 (patch)
tree6b732394ecbb9a5798f6c59b514837eaf81d6da2 /security-utils
parentb3758264b1f374500408ecc8c6a5976012749574 (diff)
Use AuthorizationMode to configure behaviour of PeerAuthorizerTrustManager
Diffstat (limited to 'security-utils')
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java15
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/ReloadingTlsContext.java6
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityUtils.java7
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizerTrustManager.java22
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizerTrustManagersFactory.java5
-rw-r--r--security-utils/src/test/java/com/yahoo/security/tls/DefaultTlsContextTest.java3
6 files changed, 30 insertions, 28 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java b/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java
index 28f05b3c6d9..dcf3a4162ee 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java
@@ -2,7 +2,6 @@
package com.yahoo.security.tls;
import com.yahoo.security.SslContextBuilder;
-import com.yahoo.security.tls.authz.PeerAuthorizerTrustManager;
import com.yahoo.security.tls.authz.PeerAuthorizerTrustManagersFactory;
import com.yahoo.security.tls.policy.AuthorizedPeers;
@@ -43,11 +42,11 @@ public class DefaultTlsContext implements TlsContext {
PrivateKey privateKey,
List<X509Certificate> caCertificates,
AuthorizedPeers authorizedPeers,
- PeerAuthorizerTrustManager.Mode mode) {
+ AuthorizationMode mode) {
this.sslContext = createSslContext(certificates, privateKey, caCertificates, authorizedPeers, mode);
}
- public DefaultTlsContext(Path tlsOptionsConfigFile, PeerAuthorizerTrustManager.Mode mode) {
+ public DefaultTlsContext(Path tlsOptionsConfigFile, AuthorizationMode mode) {
this.sslContext = createSslContext(tlsOptionsConfigFile, mode);
}
@@ -73,7 +72,7 @@ public class DefaultTlsContext implements TlsContext {
PrivateKey privateKey,
List<X509Certificate> caCertificates,
AuthorizedPeers authorizedPeers,
- PeerAuthorizerTrustManager.Mode mode) {
+ AuthorizationMode mode) {
SslContextBuilder builder = new SslContextBuilder();
if (!certificates.isEmpty()) {
builder.withKeyStore(privateKey, certificates);
@@ -87,14 +86,16 @@ public class DefaultTlsContext implements TlsContext {
return builder.build();
}
- private static SSLContext createSslContext(Path tlsOptionsConfigFile, PeerAuthorizerTrustManager.Mode mode) {
+ private static SSLContext createSslContext(Path tlsOptionsConfigFile, AuthorizationMode mode) {
TransportSecurityOptions options = TransportSecurityOptions.fromJsonFile(tlsOptionsConfigFile);
SslContextBuilder builder = new SslContextBuilder();
options.getCertificatesFile()
.ifPresent(certificates -> builder.withKeyStore(options.getPrivateKeyFile().get(), certificates));
options.getCaCertificatesFile().ifPresent(builder::withTrustStore);
- options.getAuthorizedPeers().ifPresent(
- authorizedPeers -> builder.withTrustManagerFactory(new PeerAuthorizerTrustManagersFactory(authorizedPeers, mode)));
+ if (mode != AuthorizationMode.DISABLE) {
+ options.getAuthorizedPeers().ifPresent(
+ authorizedPeers -> builder.withTrustManagerFactory(new PeerAuthorizerTrustManagersFactory(authorizedPeers, mode)));
+ }
return builder.build();
}
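Review bot: The new `mode != AuthorizationMode.DISABLE` gate means a DISABLE context never installs PeerAuthorizerTrustManagersFactory, so the SSLContext falls back to whatever SslContextBuilder does with the trust store alone; PeerAuthorizerTrustManager.authorizePeer also short-circuits on DISABLE in this same commit, so one of the two checks is redundant and a reader of this file cannot tell which is meant to be authoritative. A comment on the `if` would settle it: `// DISABLE: no peer policy is evaluated; only CA-chain validation from the trust store applies`. The five-argument createSslContext overload changed in the hunk above does not show a matching gate in the lines visible here, so the two construction paths may behave differently for DISABLE — worth confirming in its body, which lies outside that hunk.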
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/ReloadingTlsContext.java b/security-utils/src/main/java/com/yahoo/security/tls/ReloadingTlsContext.java
index 04e36d24a04..5add13e067d 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/ReloadingTlsContext.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/ReloadingTlsContext.java
@@ -1,8 +1,6 @@
// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.security.tls;
-import com.yahoo.security.tls.authz.PeerAuthorizerTrustManager;
-
import javax.net.ssl.SSLEngine;
import java.nio.file.Path;
import java.time.Duration;
@@ -25,7 +23,7 @@ public class ReloadingTlsContext implements TlsContext {
private static final Logger log = Logger.getLogger(ReloadingTlsContext.class.getName());
private final Path tlsOptionsConfigFile;
- private final PeerAuthorizerTrustManager.Mode mode;
+ private final AuthorizationMode mode;
private final AtomicReference<TlsContext> currentTlsContext;
private final ScheduledExecutorService scheduler =
Executors.newSingleThreadScheduledExecutor(runnable -> {
@@ -34,7 +32,7 @@ public class ReloadingTlsContext implements TlsContext {
return thread;
});
- public ReloadingTlsContext(Path tlsOptionsConfigFile, PeerAuthorizerTrustManager.Mode mode) {
+ public ReloadingTlsContext(Path tlsOptionsConfigFile, AuthorizationMode mode) {
this.tlsOptionsConfigFile = tlsOptionsConfigFile;
this.mode = mode;
this.currentTlsContext = new AtomicReference<>(new DefaultTlsContext(tlsOptionsConfigFile, mode));
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityUtils.java b/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityUtils.java
index e93b880b085..f07924f3ce9 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityUtils.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityUtils.java
@@ -14,6 +14,7 @@ public class TransportSecurityUtils {
public static final String CONFIG_FILE_ENVIRONMENT_VARIABLE = "VESPA_TLS_CONFIG_FILE";
public static final String INSECURE_MIXED_MODE_ENVIRONMENT_VARIABLE = "VESPA_TLS_INSECURE_MIXED_MODE";
+ public static final String INSECURE_AUTHORIZATION_MODE_ENVIRONMENT_VARIABLE = "VESPA_TLS_INSECURE_AUTHORIZATION_MODE";
private TransportSecurityUtils() {}
@@ -31,6 +32,12 @@ public class TransportSecurityUtils {
.map(MixedMode::fromConfigValue);
}
+ public static Optional<AuthorizationMode> getInsecureAuthorizationMode() {
+ if (!isInsecureMixedModeEnabled()) return Optional.empty();
+ return getEnvironmentVariable(INSECURE_AUTHORIZATION_MODE_ENVIRONMENT_VARIABLE)
+ .map(AuthorizationMode::fromConfigValue);
+ }
+
public static Optional<Path> getConfigFile() {
return getEnvironmentVariable(CONFIG_FILE_ENVIRONMENT_VARIABLE).map(Paths::get);
}
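Review bot: `getInsecureAuthorizationMode()` returns `Optional.empty()` whenever insecure mixed mode is off, even when VESPA_TLS_INSECURE_AUTHORIZATION_MODE is set, and nothing in the method documents that coupling; a caller reading the variable name alone will expect the override to be honoured on its own. A Javadoc such as `/** Authorization-mode override read from the environment; only honoured while insecure mixed mode is enabled, otherwise empty. */` makes the intent explicit. If the override is deliberately ignored when mixed mode is off, a fine-level log noting that a set variable is being ignored would help operators diagnose a configuration that appears to have no effect.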
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizerTrustManager.java b/security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizerTrustManager.java
index aca4f86b639..05524cdffea 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizerTrustManager.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizerTrustManager.java
@@ -2,6 +2,7 @@
package com.yahoo.security.tls.authz;
import com.yahoo.security.X509CertificateUtils;
+import com.yahoo.security.tls.AuthorizationMode;
import com.yahoo.security.tls.policy.AuthorizedPeers;
import javax.net.ssl.SSLEngine;
@@ -27,25 +28,23 @@ public class PeerAuthorizerTrustManager extends X509ExtendedTrustManager {
private static final Logger log = Logger.getLogger(PeerAuthorizerTrustManager.class.getName());
- public enum Mode { DRY_RUN, ENFORCE }
-
private final PeerAuthorizer authorizer;
private final X509ExtendedTrustManager defaultTrustManager;
- private final Mode mode;
+ private final AuthorizationMode mode;
- public PeerAuthorizerTrustManager(AuthorizedPeers authorizedPeers, Mode mode, X509ExtendedTrustManager defaultTrustManager) {
+ public PeerAuthorizerTrustManager(AuthorizedPeers authorizedPeers, AuthorizationMode mode, X509ExtendedTrustManager defaultTrustManager) {
this.authorizer = new PeerAuthorizer(authorizedPeers);
this.mode = mode;
this.defaultTrustManager = defaultTrustManager;
}
- public static TrustManager[] wrapTrustManagersFromKeystore(AuthorizedPeers authorizedPeers, Mode mode, KeyStore keystore) throws GeneralSecurityException {
+ public static TrustManager[] wrapTrustManagersFromKeystore(AuthorizedPeers authorizedPeers, AuthorizationMode mode, KeyStore keystore) throws GeneralSecurityException {
TrustManagerFactory factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
factory.init(keystore);
return wrapTrustManagers(authorizedPeers, mode, factory.getTrustManagers());
}
- public static TrustManager[] wrapTrustManagers(AuthorizedPeers authorizedPeers, Mode mode, TrustManager[] managers) {
+ public static TrustManager[] wrapTrustManagers(AuthorizedPeers authorizedPeers, AuthorizationMode mode, TrustManager[] managers) {
TrustManager[] wrappedManagers = new TrustManager[managers.length];
for (int i = 0; i < managers.length; i++) {
if (managers[i] instanceof X509ExtendedTrustManager) {
@@ -99,6 +98,8 @@ public class PeerAuthorizerTrustManager extends X509ExtendedTrustManager {
}
private void authorizePeer(X509Certificate certificate, String authType, boolean isVerifyingClient, SSLEngine sslEngine) throws CertificateException {
+ if (mode == AuthorizationMode.DISABLE) return;
+
log.fine(() -> "Verifying certificate: " + createInfoString(certificate, authType, isVerifyingClient));
AuthorizationResult result = authorizer.authorizePeer(certificate);
if (sslEngine != null) { // getHandshakeSession() will never return null in this context
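Review bot: The early `return` on DISABLE leaves no trace in the log that peer authorization was skipped for this handshake, whereas DRY_RUN and ENFORCE both log at fine or warning level further down; an operator investigating a connection that should have been rejected cannot tell from the log which mode was active. A `log.fine(() -> "Peer authorization disabled, skipping: " + createInfoString(certificate, authType, isVerifyingClient));` before the return keeps all three modes observable at the same level. authorizePeer's body continues past the end of this hunk.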
@@ -109,13 +110,8 @@ public class PeerAuthorizerTrustManager extends X509ExtendedTrustManager {
} else {
String errorMessage = "Authorization failed: " + createInfoString(certificate, authType, isVerifyingClient);
log.warning(errorMessage);
- switch (mode) {
- case ENFORCE:
- throw new CertificateException(errorMessage);
- case DRY_RUN:
- break;
- default:
- throw new UnsupportedOperationException();
+ if (mode == AuthorizationMode.ENFORCE) {
+ throw new CertificateException(errorMessage);
}
}
}
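Review bot: Replacing the switch with `if (mode == AuthorizationMode.ENFORCE)` silently downgrades every other value to log-only: a null mode, which the constructor in the first hunk of this file accepts without a check, previously threw a NullPointerException from `switch (mode)` and now evaluates both `mode == DISABLE` and `mode == ENFORCE` as false, so the peer is accepted after a warning; the same happens for any AuthorizationMode constant added later, where the old `default: throw new UnsupportedOperationException()` used to fail closed. That is fail-open on the authorization path. Adding `this.mode = Objects.requireNonNull(mode, "mode");` in the constructor and keeping an exhaustive switch here (ENFORCE throws, DRY_RUN breaks, default throws) keeps a misconfiguration from turning into a silent allow.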
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizerTrustManagersFactory.java b/security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizerTrustManagersFactory.java
index 0bb99aea886..c0a3b4e41a5 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizerTrustManagersFactory.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizerTrustManagersFactory.java
@@ -2,6 +2,7 @@
package com.yahoo.security.tls.authz;
import com.yahoo.security.SslContextBuilder;
+import com.yahoo.security.tls.AuthorizationMode;
import com.yahoo.security.tls.policy.AuthorizedPeers;
import javax.net.ssl.TrustManager;
@@ -13,9 +14,9 @@ import java.security.KeyStore;
*/
public class PeerAuthorizerTrustManagersFactory implements SslContextBuilder.TrustManagersFactory {
private final AuthorizedPeers authorizedPeers;
- private PeerAuthorizerTrustManager.Mode mode;
+ private AuthorizationMode mode;
- public PeerAuthorizerTrustManagersFactory(AuthorizedPeers authorizedPeers, PeerAuthorizerTrustManager.Mode mode) {
+ public PeerAuthorizerTrustManagersFactory(AuthorizedPeers authorizedPeers, AuthorizationMode mode) {
this.authorizedPeers = authorizedPeers;
this.mode = mode;
}
diff --git a/security-utils/src/test/java/com/yahoo/security/tls/DefaultTlsContextTest.java b/security-utils/src/test/java/com/yahoo/security/tls/DefaultTlsContextTest.java
index 4809bad80c5..a1a3ba6548b 100644
--- a/security-utils/src/test/java/com/yahoo/security/tls/DefaultTlsContextTest.java
+++ b/security-utils/src/test/java/com/yahoo/security/tls/DefaultTlsContextTest.java
@@ -3,7 +3,6 @@ package com.yahoo.security.tls;
import com.yahoo.security.KeyUtils;
import com.yahoo.security.X509CertificateBuilder;
-import com.yahoo.security.tls.authz.PeerAuthorizerTrustManager.Mode;
import com.yahoo.security.tls.policy.AuthorizedPeers;
import com.yahoo.security.tls.policy.HostGlobPattern;
import com.yahoo.security.tls.policy.PeerPolicy;
@@ -47,7 +46,7 @@ public class DefaultTlsContextTest {
singletonList(new RequiredPeerCredential(RequiredPeerCredential.Field.CN, new HostGlobPattern("dummy"))))));
DefaultTlsContext tlsContext =
- new DefaultTlsContext(singletonList(certificate), keyPair.getPrivate(), singletonList(certificate), authorizedPeers, Mode.ENFORCE);
+ new DefaultTlsContext(singletonList(certificate), keyPair.getPrivate(), singletonList(certificate), authorizedPeers, AuthorizationMode.ENFORCE);
SSLEngine sslEngine = tlsContext.createSslEngine();
assertThat(sslEngine).isNotNull();