diff options
author | Bjørn Christian Seime <bjorncs@oath.com> | 2018-11-27 17:05:34 +0100 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@oath.com> | 2018-11-27 17:05:34 +0100 |
commit | cb866b024f4ab7a5a4944f2cdd7e3a9a00a23212 (patch) | |
tree | 22da02bd9f0a08eaa94fd04df5d54a56f7e80359 /security-utils | |
parent | 26180a3cf9c00f829412a974097ff1869a3650cb (diff) |
Propagate authz result through ssl handshake session object
Diffstat (limited to 'security-utils')
-rw-r--r-- | security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizerTrustManager.java | 20 |
1 files changed, 12 insertions, 8 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizerTrustManager.java b/security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizerTrustManager.java index 95d590b2e56..b8c97f9e258 100644 --- a/security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizerTrustManager.java +++ b/security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizerTrustManager.java @@ -20,10 +20,11 @@ import java.util.logging.Logger; * * @author bjorncs */ -// TODO Propagate verification results // Note: Implementation assumes that provided X509ExtendedTrustManager will throw IllegalArgumentException when chain is empty or null public class PeerAuthorizerTrustManager extends X509ExtendedTrustManager { + public static final String HANDSHAKE_SESSION_AUTHZ_RESULT_PROPERTY = "vespa.tls.authorization.result"; + private static final Logger log = Logger.getLogger(PeerAuthorizerTrustManager.class.getName()); public enum Mode { DRY_RUN, ENFORCE } @@ -59,37 +60,37 @@ public class PeerAuthorizerTrustManager extends X509ExtendedTrustManager { @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException { defaultTrustManager.checkClientTrusted(chain, authType); - authorizePeer(chain[0], authType, true); + authorizePeer(chain[0], authType, true, null); } @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException { defaultTrustManager.checkServerTrusted(chain, authType); - authorizePeer(chain[0], authType, false); + authorizePeer(chain[0], authType, false, null); } @Override public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException { defaultTrustManager.checkClientTrusted(chain, authType, socket); - authorizePeer(chain[0], authType, true); + authorizePeer(chain[0], authType, true, null); } @Override public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException { defaultTrustManager.checkServerTrusted(chain, authType, socket); - authorizePeer(chain[0], authType, false); + authorizePeer(chain[0], authType, false, null); } @Override public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine sslEngine) throws CertificateException { defaultTrustManager.checkClientTrusted(chain, authType, sslEngine); - authorizePeer(chain[0], authType, true); + authorizePeer(chain[0], authType, true, sslEngine); } @Override public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine sslEngine) throws CertificateException { defaultTrustManager.checkServerTrusted(chain, authType, sslEngine); - authorizePeer(chain[0], authType, false); + authorizePeer(chain[0], authType, false, sslEngine); } @Override @@ -97,9 +98,12 @@ public class PeerAuthorizerTrustManager extends X509ExtendedTrustManager { return defaultTrustManager.getAcceptedIssuers(); } - private void authorizePeer(X509Certificate certificate, String authType, boolean isVerifyingClient) throws CertificateException { + private void authorizePeer(X509Certificate certificate, String authType, boolean isVerifyingClient, SSLEngine sslEngine) throws CertificateException { log.fine(() -> "Verifying certificate: " + createInfoString(certificate, authType, isVerifyingClient)); AuthorizationResult result = authorizer.authorizePeer(certificate); + if (sslEngine != null) { // getHandshakeSession() will never return null in this context + sslEngine.getHandshakeSession().putValue(HANDSHAKE_SESSION_AUTHZ_RESULT_PROPERTY, result); + } if (result.succeeded()) { log.fine(() -> String.format("Verification result: %s", result)); } else { |