authorBjørn Christian Seime <bjorncs@yahooinc.com>2022-07-20 13:44:00 +0200
committerBjørn Christian Seime <bjorncs@yahooinc.com>2022-07-20 13:56:34 +0200
commit2e3005c471ba6520b17438c93f4a36369cbc3acd (patch)
tree90d3d6c4a9acbf323512d201f62b5bf1c8df3480 /security-utils
parent6c9dcea0e9c3b9dd3a1b8979c84d2d2fe5b17e4c (diff)
Implement RequireCapabilitiesFilter in jrt + misc
Add peerSpec to Target/Connection. Always provide ConnectionAuthContext. Add helper for creating default, all-granting ConnectionAuthContext.
Diffstat (limited to 'security-utils')
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/ConnectionAuthContext.java10
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/PeerAuthorizer.java4
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/PeerAuthorizerTrustManager.java3
3 files changed, 9 insertions, 8 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/ConnectionAuthContext.java b/security-utils/src/main/java/com/yahoo/security/tls/ConnectionAuthContext.java
index e244d5ad23f..3ee6ed1dcaa 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/ConnectionAuthContext.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/ConnectionAuthContext.java
@@ -18,8 +18,10 @@ public record ConnectionAuthContext(List<X509Certificate> peerCertificateChain,
CapabilitySet capabilities,
Set<String> matchedPolicies) {
+ private static final ConnectionAuthContext DEFAULT_ALL_CAPABILITIES =
+ new ConnectionAuthContext(List.of(), CapabilitySet.all(), Set.of());
+
public ConnectionAuthContext {
- if (peerCertificateChain.isEmpty()) throw new IllegalArgumentException("Peer certificate chain is empty");
peerCertificateChain = List.copyOf(peerCertificateChain);
matchedPolicies = Set.copyOf(matchedPolicies);
}
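Review bot: Dropping the empty-chain check in the compact constructor removes the record's only invariant that a context names an authenticated peer, so any caller can now build a ConnectionAuthContext with no peer identity but arbitrary capabilities, and nothing documents what an empty chain means. Add a class-level Javadoc sentence such as `An empty peerCertificateChain denotes a context without an authenticated peer (see defaultAllCapabilities()); peerCertificate() is then empty.` The other components are still not validated either: `capabilities` is stored as-is, so a null would only surface at the first use — `Objects.requireNonNull(capabilities, "capabilities");` next to the copy calls would make that fail at construction time (java.util.Objects needs importing if it is not already).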
@@ -33,7 +35,7 @@ public record ConnectionAuthContext(List<X509Certificate> peerCertificateChain,
public Optional<String> peerCertificateString() {
X509Certificate cert = peerCertificate().orElse(null);
if (cert == null) return Optional.empty();
- StringBuilder b = new StringBuilder("X.509Cert{");
+ StringBuilder b = new StringBuilder("[");
String cn = X509CertificateUtils.getSubjectCommonName(cert).orElse(null);
if (cn != null) {
b.append("CN='").append(cn).append("'");
@@ -55,7 +57,9 @@ public record ConnectionAuthContext(List<X509Certificate> peerCertificateChain,
if (cn != null || !dnsNames.isEmpty()) b.append(", ");
b.append("SAN_URI=").append(uris);
}
- return Optional.of(b.append("}").toString());
+ return Optional.of(b.append("]").toString());
}
+ public static ConnectionAuthContext defaultAllCapabilities() { return DEFAULT_ALL_CAPABILITIES; }
+
}
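Review bot: `defaultAllCapabilities()` hands out a context that grants every capability with no peer certificate and no matched policy, yet carries no Javadoc saying when it is legitimate to use; a caller who reaches for it by name in an authorization path silently disables capability checks. Add above the method `/** Context with no peer identity that grants all capabilities. Only for use when peer authorization is disabled or no authorized peers are configured — never as a fallback in an authorization decision. */`. Sharing one instance is safe here because the record's components are immutable (`List.of()`, `Set.of()`, and `List.copyOf`/`Set.copyOf` in the constructor). Minor style: the added blank line now sits between the new method and the closing brace rather than between the two methods.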
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/PeerAuthorizer.java b/security-utils/src/main/java/com/yahoo/security/tls/PeerAuthorizer.java
index 608a8c9c933..99787725063 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/PeerAuthorizer.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/PeerAuthorizer.java
@@ -35,9 +35,7 @@ public class PeerAuthorizer {
public ConnectionAuthContext authorizePeer(X509Certificate cert) { return authorizePeer(List.of(cert)); }
public ConnectionAuthContext authorizePeer(List<X509Certificate> certChain) {
- if (authorizedPeers.isEmpty()) {
- return new ConnectionAuthContext(certChain, CapabilitySet.all(), Set.of());
- }
+ if (authorizedPeers.isEmpty()) return ConnectionAuthContext.defaultAllCapabilities();
X509Certificate cert = certChain.get(0);
Set<String> matchedPolicies = new HashSet<>();
Set<CapabilitySet> grantedCapabilities = new HashSet<>();
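Review bot: The rewritten early return for an empty `authorizedPeers` discards `certChain`, whereas the replaced code kept it in the returned context; for such connections `peerCertificate()` and `peerCertificateString()` will now be empty even though the peer presented a verified certificate, which loses identity information for logging and for any downstream consumer of the auth context. If only the capability grant is meant to be shared, keep the chain: `if (authorizedPeers.isEmpty()) return new ConnectionAuthContext(certChain, CapabilitySet.all(), Set.of());`. If dropping the chain is deliberate, say so in a comment, because the change is not visible from the call site. The rest of `authorizePeer` continues outside the hunk.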
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/PeerAuthorizerTrustManager.java b/security-utils/src/main/java/com/yahoo/security/tls/PeerAuthorizerTrustManager.java
index 089023e55f1..e6239e3f694 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/PeerAuthorizerTrustManager.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/PeerAuthorizerTrustManager.java
@@ -14,7 +14,6 @@ import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Optional;
-import java.util.Set;
import java.util.logging.Logger;
/**
@@ -106,7 +105,7 @@ public class PeerAuthorizerTrustManager extends X509ExtendedTrustManager {
log.fine(() -> "Verifying certificate: " + createInfoString(certChain[0], authType, isVerifyingClient));
ConnectionAuthContext result = mode != AuthorizationMode.DISABLE
? authorizer.authorizePeer(List.of(certChain))
- : new ConnectionAuthContext(List.of(certChain), CapabilitySet.all(), Set.of());
+ : ConnectionAuthContext.defaultAllCapabilities();
if (sslEngine != null) { // getHandshakeSession() will never return null in this context
sslEngine.getHandshakeSession().putValue(HANDSHAKE_SESSION_AUTH_CONTEXT_PROPERTY, result);
}
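Review bot: In DISABLE mode the context stored under HANDSHAKE_SESSION_AUTH_CONTEXT_PROPERTY no longer contains the peer's certificate chain, so anything that reads that session value to identify or audit the peer now sees an empty `peerCertificate()` when authorization is switched off, although the chain was just verified and is logged at fine level on the first line of the hunk. If that is unintended, keep `: new ConnectionAuthContext(List.of(certChain), CapabilitySet.all(), Set.of());` in the DISABLE branch (which needs the `java.util.Set` import removed in the previous hunk); otherwise document on the constant that the stored context carries no certificate when mode is DISABLE. The enclosing method starts before this hunk.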