authorBjørn Christian Seime <bjorncs@yahooinc.com>2022-07-20 15:21:39 +0200
committerBjørn Christian Seime <bjorncs@yahooinc.com>2022-07-20 15:21:39 +0200
commit4dcb1c83c96b51ec9a1770c269e75a94debebb9d (patch)
treef53aa75709ae5018809faa2a547c46bb70fb8981 /security-utils
parentea71048bca7b1d5633040ce8d13f9b418632f843 (diff)
Include client certificate chain even when authorization is disabled
Diffstat (limited to 'security-utils')
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/ConnectionAuthContext.java11
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/PeerAuthorizer.java2
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/PeerAuthorizerTrustManager.java2
3 files changed, 11 insertions, 4 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/ConnectionAuthContext.java b/security-utils/src/main/java/com/yahoo/security/tls/ConnectionAuthContext.java
index 3ee6ed1dcaa..b4e8878fb01 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/ConnectionAuthContext.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/ConnectionAuthContext.java
@@ -18,14 +18,15 @@ public record ConnectionAuthContext(List<X509Certificate> peerCertificateChain,
CapabilitySet capabilities,
Set<String> matchedPolicies) {
- private static final ConnectionAuthContext DEFAULT_ALL_CAPABILITIES =
- new ConnectionAuthContext(List.of(), CapabilitySet.all(), Set.of());
+ private static final ConnectionAuthContext DEFAULT_ALL_CAPABILITIES = new ConnectionAuthContext(List.of());
public ConnectionAuthContext {
peerCertificateChain = List.copyOf(peerCertificateChain);
matchedPolicies = Set.copyOf(matchedPolicies);
}
+ private ConnectionAuthContext(List<X509Certificate> certs) { this(certs, CapabilitySet.all(), Set.of()); }
+
public boolean authorized() { return !capabilities.hasNone(); }
public Optional<X509Certificate> peerCertificate() {
@@ -60,6 +61,12 @@ public record ConnectionAuthContext(List<X509Certificate> peerCertificateChain,
return Optional.of(b.append("]").toString());
}
+ /** Construct instance with all capabilities */
public static ConnectionAuthContext defaultAllCapabilities() { return DEFAULT_ALL_CAPABILITIES; }
+ /** Construct instance with all capabilities */
+ public static ConnectionAuthContext defaultAllCapabilities(List<X509Certificate> certs) {
+ return new ConnectionAuthContext(certs);
+ }
+
}
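Review bot: The Javadoc on the new `defaultAllCapabilities(List<X509Certificate> certs)` overload repeats the no-arg one word for word and omits what distinguishes it: the chain is retained while `matchedPolicies` is `Set.of()` and `authorized()` is true because `capabilities` is `CapabilitySet.all()`. A caller inspecting the record therefore cannot tell from its fields whether a policy actually matched or authorization was simply disabled, so the comment should say that: `/** Construct instance with all capabilities and the given peer certificate chain; no policy is matched, so {@link #matchedPolicies()} is empty and {@link #authorized()} is true. */`. The private delegating constructor `this(certs, CapabilitySet.all(), Set.of())` relies on the compact canonical constructor's `List.copyOf(peerCertificateChain)`, which rejects a null list or null elements; a short comment noting that the copy and null check happen there would save the next reader a lookup.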
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/PeerAuthorizer.java b/security-utils/src/main/java/com/yahoo/security/tls/PeerAuthorizer.java
index 99787725063..5db86fd93bc 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/PeerAuthorizer.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/PeerAuthorizer.java
@@ -35,7 +35,7 @@ public class PeerAuthorizer {
public ConnectionAuthContext authorizePeer(X509Certificate cert) { return authorizePeer(List.of(cert)); }
public ConnectionAuthContext authorizePeer(List<X509Certificate> certChain) {
- if (authorizedPeers.isEmpty()) return ConnectionAuthContext.defaultAllCapabilities();
+ if (authorizedPeers.isEmpty()) return ConnectionAuthContext.defaultAllCapabilities(certChain);
X509Certificate cert = certChain.get(0);
Set<String> matchedPolicies = new HashSet<>();
Set<CapabilitySet> grantedCapabilities = new HashSet<>();
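Review bot: The early return on the changed line grants `CapabilitySet.all()` to every peer as soon as no authorized peers are configured, and now also carries the unchecked chain into the context; a one-line comment would make that intent explicit, e.g. `// No peer policies configured: every peer that passed TLS validation gets all capabilities.`. This branch skips the `certChain.get(0)` access below, so an empty list now flows into `ConnectionAuthContext` in this path, which presumably is harmless since the record copies it with `List.copyOf`, but worth confirming against callers that inspect `peerCertificate()`. `authorizePeer`'s body continues past the hunk.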
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/PeerAuthorizerTrustManager.java b/security-utils/src/main/java/com/yahoo/security/tls/PeerAuthorizerTrustManager.java
index e6239e3f694..b92cd6c9538 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/PeerAuthorizerTrustManager.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/PeerAuthorizerTrustManager.java
@@ -105,7 +105,7 @@ public class PeerAuthorizerTrustManager extends X509ExtendedTrustManager {
log.fine(() -> "Verifying certificate: " + createInfoString(certChain[0], authType, isVerifyingClient));
ConnectionAuthContext result = mode != AuthorizationMode.DISABLE
? authorizer.authorizePeer(List.of(certChain))
- : ConnectionAuthContext.defaultAllCapabilities();
+ : ConnectionAuthContext.defaultAllCapabilities(List.of(certChain));
if (sslEngine != null) { // getHandshakeSession() will never return null in this context
sslEngine.getHandshakeSession().putValue(HANDSHAKE_SESSION_AUTH_CONTEXT_PROPERTY, result);
}
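Review bot: `List.of(certChain)` is now built on both arms of the conditional, so the two branches can share one local and the ternary reads as a pure choice of authorizer: `List<X509Certificate> chain = List.of(certChain);` followed by `? authorizer.authorizePeer(chain)` and `: ConnectionAuthContext.defaultAllCapabilities(chain);`. Since the `DISABLE` context now carries the peer chain and reports `authorized()` as true, whatever later reads `HANDSHAKE_SESSION_AUTH_CONTEXT_PROPERTY` from the handshake session sees the same shape in both modes; if a consumer needs to know that the chain was never checked against a policy, that information is not recorded by this hunk and would have to come from elsewhere. The enclosing method starts and ends outside the hunk.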