authorBjørn Christian Seime <bjorncs@yahooinc.com>2022-07-21 17:08:44 +0200
committerBjørn Christian Seime <bjorncs@yahooinc.com>2022-07-21 17:08:44 +0200
commit936301838e68ffb8d5d12de2f53c4b6a3b3f8d68 (patch)
treec35646a7cdab894963d77ce2f35dd32591993e9e /security-utils
parent6463cfc76701d8fba705b8850075c0ee6b98dcbb (diff)
Force caller to handle failed capability verification check
Diffstat (limited to 'security-utils')
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/ConnectionAuthContext.java29
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/MissingCapabilitiesException.java13
-rw-r--r--security-utils/src/test/java/com/yahoo/security/tls/ConnectionAuthContextTest.java11
3 files changed, 35 insertions, 18 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/ConnectionAuthContext.java b/security-utils/src/main/java/com/yahoo/security/tls/ConnectionAuthContext.java
index 5292b70a43f..f231e8429ce 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/ConnectionAuthContext.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/ConnectionAuthContext.java
@@ -7,7 +7,6 @@ import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Optional;
import java.util.Set;
-import java.util.function.Supplier;
import java.util.logging.Logger;
import static com.yahoo.security.SubjectAlternativeName.Type.DNS;
@@ -36,27 +35,29 @@ public record ConnectionAuthContext(List<X509Certificate> peerCertificateChain,
public boolean authorized() { return !capabilities.hasNone(); }
- public boolean hasCapabilities(CapabilitySet requiredCapabilities) {
- return hasCapabilities(requiredCapabilities, null, null, null);
+ /** Throws checked exception to force caller to handle verification failed. */
+ public void verifyCapabilities(CapabilitySet requiredCapabilities) throws MissingCapabilitiesException {
+ verifyCapabilities(requiredCapabilities, null, null, null);
}
- /** Provided strings are used for improved logging only */
- public boolean hasCapabilities(CapabilitySet requiredCapabilities, String action, String resource, String peer) {
- if (capabilityMode == DISABLE) return authorized();
+ /**
+ * Throws checked exception to force caller to handle verification failed.
+ * Provided strings are used for improved logging only
+ * */
+ public void verifyCapabilities(CapabilitySet requiredCapabilities, String action, String resource, String peer)
+ throws MissingCapabilitiesException {
+ if (capabilityMode == DISABLE) return;
boolean hasCapabilities = capabilities.has(requiredCapabilities);
if (!hasCapabilities) {
- Supplier<String> errorMessageProvider = () ->
- createPermissionDeniedErrorMessage(requiredCapabilities, action, resource, peer);
+ String msg = createPermissionDeniedErrorMessage(requiredCapabilities, action, resource, peer);
if (capabilityMode == LOG_ONLY) {
- log.info(errorMessageProvider);
- return true;
+ log.info(msg);
} else {
- // Ideally log as warning but we have no mechanism for de-duplicating repeated log spamming.
- log.fine(errorMessageProvider);
- return false;
+ // Ideally log as warning, but we have no mechanism for de-duplicating repeated log spamming.
+ log.fine(msg);
+ throw new MissingCapabilitiesException(msg);
}
}
- return true;
}
String createPermissionDeniedErrorMessage(
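Review bot: In `DISABLE` mode the new `if (capabilityMode == DISABLE) return;` no longer consults `authorized()`, so a peer whose capability set is empty was previously answered with `false` and now passes without an exception. If that fail-open result is not intended, keep the old check with `if (capabilityMode == DISABLE) { if (!authorized()) throw new MissingCapabilitiesException("Peer is not authorized"); return; }`. If it is intended, the Javadoc should say that callers must check `authorized()` themselves when capability enforcement is disabled. The Javadoc could also note that `LOG_ONLY` mode logs the failure at info level and returns normally, since the method name suggests that a return always means the peer was verified.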
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/MissingCapabilitiesException.java b/security-utils/src/main/java/com/yahoo/security/tls/MissingCapabilitiesException.java
new file mode 100644
index 00000000000..1c3ad9444e4
--- /dev/null
+++ b/security-utils/src/main/java/com/yahoo/security/tls/MissingCapabilitiesException.java
@@ -0,0 +1,13 @@
+// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.security.tls;
+
+/**
+ * Intentionally checked to force caller to handle missing permissions at call site.
+ *
+ * @author bjorncs
+ */
+public class MissingCapabilitiesException extends Exception {
+
+ public MissingCapabilitiesException(String message) { super(message); }
+
+}
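Review bot: The Javadoc explains why the exception is checked but not what its message carries. In `verifyCapabilities` the message is the same string that is written to the log, built from the required capabilities, action, resource and peer arguments. It would help to state whether that text is for server-side use only, for example `Message holds the permission-denied details as logged; do not relay it verbatim to the remote peer.`, so that handlers answer with a generic denial. What the string actually contains depends on `createPermissionDeniedErrorMessage`, whose body is outside this diff.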
diff --git a/security-utils/src/test/java/com/yahoo/security/tls/ConnectionAuthContextTest.java b/security-utils/src/test/java/com/yahoo/security/tls/ConnectionAuthContextTest.java
index 92caa2d7aaa..c30a812a30d 100644
--- a/security-utils/src/test/java/com/yahoo/security/tls/ConnectionAuthContextTest.java
+++ b/security-utils/src/test/java/com/yahoo/security/tls/ConnectionAuthContextTest.java
@@ -1,4 +1,5 @@
-package com.yahoo.security.tls;// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.security.tls;
import com.yahoo.security.KeyAlgorithm;
import com.yahoo.security.KeyUtils;
@@ -16,16 +17,18 @@ import java.util.Set;
import static com.yahoo.security.SignatureAlgorithm.SHA256_WITH_ECDSA;
import static org.assertj.core.api.AssertionsForInterfaceTypes.assertThat;
-import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertThrows;
/**
* @author bjorncs
*/
class ConnectionAuthContextTest {
+
@Test
void fails_on_missing_capabilities() {
ConnectionAuthContext ctx = createConnectionAuthContext();
- assertFalse(ctx.hasCapabilities(CapabilitySet.from(Capability.CONTENT__STATUS_PAGES)));
+ assertThrows(MissingCapabilitiesException.class,
+ () -> ctx.verifyCapabilities(CapabilitySet.from(Capability.CONTENT__STATUS_PAGES)));
}
@Test
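Review bot: `fails_on_missing_capabilities` pins only the enforcing path. The `DISABLE` and `LOG_ONLY` branches of `verifyCapabilities` now return without throwing, and no test for them is visible in this hunk. A case per mode would make that fail-open behaviour an explicit, reviewed decision. Depending on how `createConnectionAuthContext` (outside the hunk) can be parameterised, that could be `assertDoesNotThrow(() -> ctx.verifyCapabilities(...))` for a `LOG_ONLY` context and an assertion of the expected outcome for a `DISABLE` context with no capabilities. The existing assertion could also keep the returned exception and check that its message is non-empty.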
@@ -56,4 +59,4 @@ class ConnectionAuthContextTest {
}
-}
\ No newline at end of file
+}