authorBjørn Christian Seime <bjorncs@verizonmedia.com>2022-01-07 16:24:45 +0100
committerBjørn Christian Seime <bjorncs@verizonmedia.com>2022-01-07 16:24:45 +0100
commitdd77c1ed1c3546383a943293e2241f8d9f3dcfbc (patch)
tree1a14e077486e306f848452266fdb1cafd3356baf /vespa-athenz
parentcdb6a8521b56ff30ff8abda7b5342986df977f2e (diff)
Support new SAN format for principal name in Athenz role certificates
Diffstat (limited to 'vespa-athenz')
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzX509CertificateUtils.java22
1 files changed, 19 insertions, 3 deletions
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzX509CertificateUtils.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzX509CertificateUtils.java
index 4b54b392d12..bb62dc51603 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzX509CertificateUtils.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzX509CertificateUtils.java
@@ -26,13 +26,29 @@ public class AthenzX509CertificateUtils {
private AthenzX509CertificateUtils() {}
public static AthenzIdentity getIdentityFromRoleCertificate(X509Certificate certificate) {
- List<com.yahoo.security.SubjectAlternativeName> sans = com.yahoo.security.X509CertificateUtils.getSubjectAlternativeNames(certificate);
+ List<SubjectAlternativeName> sans = X509CertificateUtils.getSubjectAlternativeNames(certificate);
+ return getRoleIdentityFromEmail(sans)
+ .or(() -> getRoleIdentityFromUri(sans))
+ .orElseThrow(() -> new IllegalArgumentException("Could not find identity in SAN: " + sans));
+ }
+
+ private static Optional<AthenzIdentity> getRoleIdentityFromEmail(List<SubjectAlternativeName> sans) {
return sans.stream()
.filter(san -> san.getType() == RFC822_NAME)
.map(com.yahoo.security.SubjectAlternativeName::getValue)
.map(AthenzX509CertificateUtils::getIdentityFromSanEmail)
- .findFirst()
- .orElseThrow(() -> new IllegalArgumentException("Could not find identity in SAN: " + sans));
+ .findFirst();
+ }
+
+ private static Optional<AthenzIdentity> getRoleIdentityFromUri(List<SubjectAlternativeName> sans) {
+ String uriPrefix = "athenz://principal/";
+ return sans.stream()
+ .filter(s -> s.getType() == UNIFORM_RESOURCE_IDENTIFIER && s.getValue().startsWith(uriPrefix))
+ .map(san -> {
+ String uriPath = URI.create(san.getValue()).getPath();
+ return AthenzIdentities.from(uriPath.substring(uriPrefix.length()));
+ })
+ .findFirst();
}
public static AthenzRole getRolesFromRoleCertificate(X509Certificate certificate) {
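Review bot: In getRoleIdentityFromUri, `uriPath.substring(uriPrefix.length())` is applied to the result of `URI.create(san.getValue()).getPath()`, but getPath() returns only the path component (`/domain.service`), not the full `athenz://principal/...` string the prefix was matched against, so the substring offset is 19 characters too far and throws StringIndexOutOfBoundsException for any principal shorter than the prefix and silently truncates longer ones. Either strip the prefix from the raw SAN value, `return AthenzIdentities.from(san.getValue().substring(uriPrefix.length()));`, or drop only the leading slash of the path, `return AthenzIdentities.from(uriPath.substring(1));`. A second minor point: the unchanged context line `.map(com.yahoo.security.SubjectAlternativeName::getValue)` still uses the fully qualified name while the added line `List<SubjectAlternativeName> sans = ...` relies on the import, so the two could be made consistent. The declaration `getRolesFromRoleCertificate` on the hunk's last line is only its signature; its body is outside the hunk.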