diff options
| author | Tor Brede Vekterli <vekterli@oath.com> | 2018-11-20 12:27:37 +0000 |
|---|---|---|
| committer | Tor Brede Vekterli <vekterli@oath.com> | 2018-11-20 12:27:37 +0000 |
| commit | fa78e3273688c776c0b5f84468d7910232e26f40 (patch) | |
| tree | 448ee5d36ec6c3fd306a5661bad319bfbe2aacf8 /vespalib | |
| parent | a549b3d81757eb3670982c936c1312a939003816 (diff) | |
Rename `allowed-peers` to `authorized-peers`
Diffstat (limited to 'vespalib')
14 files changed, 123 insertions, 143 deletions
diff --git a/vespalib/src/tests/net/tls/openssl_impl/openssl_impl_test.cpp b/vespalib/src/tests/net/tls/openssl_impl/openssl_impl_test.cpp index 1ae4d622b4f..dbfd77aa1c4 100644 --- a/vespalib/src/tests/net/tls/openssl_impl/openssl_impl_test.cpp +++ b/vespalib/src/tests/net/tls/openssl_impl/openssl_impl_test.cpp @@ -418,9 +418,9 @@ struct CertFixture : Fixture { return {std::move(cert), std::move(key)}; } - void reset_client_with_cert_opts(const CertKeyWrapper& ck, AllowedPeers allowed) { + void reset_client_with_cert_opts(const CertKeyWrapper& ck, AuthorizedPeers authorized) { TransportSecurityOptions client_opts(root_ca.cert->to_pem(), ck.cert->to_pem(), - ck.key->private_to_pem(), std::move(allowed)); + ck.key->private_to_pem(), std::move(authorized)); client = create_openssl_codec(client_opts, CryptoCodec::Mode::Client); } @@ -429,9 +429,9 @@ struct CertFixture : Fixture { client = create_openssl_codec(client_opts, std::move(cert_cb), CryptoCodec::Mode::Client); } - void reset_server_with_cert_opts(const CertKeyWrapper& ck, AllowedPeers allowed) { + void reset_server_with_cert_opts(const CertKeyWrapper& ck, AuthorizedPeers authorized) { TransportSecurityOptions server_opts(root_ca.cert->to_pem(), ck.cert->to_pem(), - ck.key->private_to_pem(), std::move(allowed)); + ck.key->private_to_pem(), std::move(authorized)); server = create_openssl_codec(server_opts, CryptoCodec::Mode::Server); } @@ -541,46 +541,46 @@ TEST_F("Only DNS SANs are enumerated", CertFixture) { TEST_F("Client rejects server with certificate that DOES NOT match peer policy", CertFixture) { auto client_ck = f.create_ca_issued_peer_cert({"hello.world.example.com"}, {}); - auto allowed = allowed_peers({policy_with({required_san_dns("crash.wile.example.com")})}); - f.reset_client_with_cert_opts(client_ck, std::move(allowed)); + auto authorized = authorized_peers({policy_with({required_san_dns("crash.wile.example.com")})}); + f.reset_client_with_cert_opts(client_ck, std::move(authorized)); // crash.wile.example.com not present in certificate auto server_ck = f.create_ca_issued_peer_cert( {}, {{"DNS:birdseed.wile.example.com"}, {"DNS:roadrunner.wile.example.com"}}); - f.reset_server_with_cert_opts(server_ck, AllowedPeers::allow_all_authenticated()); + f.reset_server_with_cert_opts(server_ck, AuthorizedPeers::allow_all_authenticated()); EXPECT_FALSE(f.handshake()); } TEST_F("Client allows server with certificate that DOES match peer policy", CertFixture) { auto client_ck = f.create_ca_issued_peer_cert({"hello.world.example.com"}, {}); - auto allowed = allowed_peers({policy_with({required_san_dns("crash.wile.example.com")})}); - f.reset_client_with_cert_opts(client_ck, std::move(allowed)); + auto authorized = authorized_peers({policy_with({required_san_dns("crash.wile.example.com")})}); + f.reset_client_with_cert_opts(client_ck, std::move(authorized)); auto server_ck = f.create_ca_issued_peer_cert( {}, {{"DNS:birdseed.wile.example.com"}, {"DNS:crash.wile.example.com"}}); - f.reset_server_with_cert_opts(server_ck, AllowedPeers::allow_all_authenticated()); + f.reset_server_with_cert_opts(server_ck, AuthorizedPeers::allow_all_authenticated()); EXPECT_TRUE(f.handshake()); } TEST_F("Server rejects client with certificate that DOES NOT match peer policy", CertFixture) { auto server_ck = f.create_ca_issued_peer_cert({"hello.world.example.com"}, {}); - auto allowed = allowed_peers({policy_with({required_san_dns("crash.wile.example.com")})}); - f.reset_server_with_cert_opts(server_ck, std::move(allowed)); + auto authorized = authorized_peers({policy_with({required_san_dns("crash.wile.example.com")})}); + f.reset_server_with_cert_opts(server_ck, std::move(authorized)); // crash.wile.example.com not present in certificate auto client_ck = f.create_ca_issued_peer_cert( {}, {{"DNS:birdseed.wile.example.com"}, {"DNS:roadrunner.wile.example.com"}}); - f.reset_client_with_cert_opts(client_ck, AllowedPeers::allow_all_authenticated()); + f.reset_client_with_cert_opts(client_ck, AuthorizedPeers::allow_all_authenticated()); EXPECT_FALSE(f.handshake()); } TEST_F("Server allows client with certificate that DOES match peer policy", CertFixture) { auto server_ck = f.create_ca_issued_peer_cert({"hello.world.example.com"}, {}); - auto allowed = allowed_peers({policy_with({required_san_dns("crash.wile.example.com")})}); - f.reset_server_with_cert_opts(server_ck, std::move(allowed)); + auto authorized = authorized_peers({policy_with({required_san_dns("crash.wile.example.com")})}); + f.reset_server_with_cert_opts(server_ck, std::move(authorized)); auto client_ck = f.create_ca_issued_peer_cert( {}, {{"DNS:birdseed.wile.example.com"}, {"DNS:crash.wile.example.com"}}); - f.reset_client_with_cert_opts(client_ck, AllowedPeers::allow_all_authenticated()); + f.reset_client_with_cert_opts(client_ck, AuthorizedPeers::allow_all_authenticated()); EXPECT_TRUE(f.handshake()); } diff --git a/vespalib/src/tests/net/tls/policy_checking_certificate_verifier/policy_checking_certificate_verifier_test.cpp b/vespalib/src/tests/net/tls/policy_checking_certificate_verifier/policy_checking_certificate_verifier_test.cpp index 6e9e0304c89..ad45c217701 100644 --- a/vespalib/src/tests/net/tls/policy_checking_certificate_verifier/policy_checking_certificate_verifier_test.cpp +++ b/vespalib/src/tests/net/tls/policy_checking_certificate_verifier/policy_checking_certificate_verifier_test.cpp @@ -76,109 +76,109 @@ PeerCredentials creds_with_cn(vespalib::stringref cn) { return creds; } -bool verify(AllowedPeers allowed_peers, const PeerCredentials& peer_creds) { - auto verifier = create_verify_callback_from(std::move(allowed_peers)); +bool verify(AuthorizedPeers authorized_peers, const PeerCredentials& peer_creds) { + auto verifier = create_verify_callback_from(std::move(authorized_peers)); return verifier->verify(peer_creds); } -TEST("Default-constructed AllowedPeers does not allow all authenticated peers") { - EXPECT_FALSE(AllowedPeers().allows_all_authenticated()); +TEST("Default-constructed AuthorizedPeers does not allow all authenticated peers") { + EXPECT_FALSE(AuthorizedPeers().allows_all_authenticated()); } TEST("Specially constructed set of policies allows all authenticated peers") { - auto allow_all = AllowedPeers::allow_all_authenticated(); + auto allow_all = AuthorizedPeers::allow_all_authenticated(); EXPECT_TRUE(allow_all.allows_all_authenticated()); EXPECT_TRUE(verify(allow_all, creds_with_dns_sans({{"anything.goes"}}))); } TEST("Non-empty policies do not allow all authenticated peers") { - auto allow_not_all = allowed_peers({policy_with({required_san_dns("hello.world")})}); + auto allow_not_all = authorized_peers({policy_with({required_san_dns("hello.world")})}); EXPECT_FALSE(allow_not_all.allows_all_authenticated()); } TEST("SAN requirement without glob pattern is matched as exact string") { - auto allowed = allowed_peers({policy_with({required_san_dns("hello.world")})}); - EXPECT_TRUE(verify(allowed, creds_with_dns_sans({{"hello.world"}}))); - EXPECT_FALSE(verify(allowed, creds_with_dns_sans({{"foo.bar"}}))); - EXPECT_FALSE(verify(allowed, creds_with_dns_sans({{"hello.worlds"}}))); - EXPECT_FALSE(verify(allowed, creds_with_dns_sans({{"hhello.world"}}))); - EXPECT_FALSE(verify(allowed, creds_with_dns_sans({{"foo.hello.world"}}))); - EXPECT_FALSE(verify(allowed, creds_with_dns_sans({{"hello.world.bar"}}))); + auto authorized = authorized_peers({policy_with({required_san_dns("hello.world")})}); + EXPECT_TRUE(verify(authorized, creds_with_dns_sans({{"hello.world"}}))); + EXPECT_FALSE(verify(authorized, creds_with_dns_sans({{"foo.bar"}}))); + EXPECT_FALSE(verify(authorized, creds_with_dns_sans({{"hello.worlds"}}))); + EXPECT_FALSE(verify(authorized, creds_with_dns_sans({{"hhello.world"}}))); + EXPECT_FALSE(verify(authorized, creds_with_dns_sans({{"foo.hello.world"}}))); + EXPECT_FALSE(verify(authorized, creds_with_dns_sans({{"hello.world.bar"}}))); } TEST("SAN requirement can include glob wildcards") { - auto allowed = allowed_peers({policy_with({required_san_dns("*.w?rld")})}); - EXPECT_TRUE(verify(allowed, creds_with_dns_sans({{"hello.world"}}))); - EXPECT_TRUE(verify(allowed, creds_with_dns_sans({{"greetings.w0rld"}}))); - EXPECT_FALSE(verify(allowed, creds_with_dns_sans({{"hello.wrld"}}))); - EXPECT_FALSE(verify(allowed, creds_with_dns_sans({{"world"}}))); + auto authorized = authorized_peers({policy_with({required_san_dns("*.w?rld")})}); + EXPECT_TRUE(verify(authorized, creds_with_dns_sans({{"hello.world"}}))); + EXPECT_TRUE(verify(authorized, creds_with_dns_sans({{"greetings.w0rld"}}))); + EXPECT_FALSE(verify(authorized, creds_with_dns_sans({{"hello.wrld"}}))); + EXPECT_FALSE(verify(authorized, creds_with_dns_sans({{"world"}}))); } TEST("multi-SAN policy requires all SANs to be present in certificate") { - auto allowed = allowed_peers({policy_with({required_san_dns("hello.world"), - required_san_dns("foo.bar")})}); - EXPECT_TRUE(verify(allowed, creds_with_dns_sans({{"hello.world"}, {"foo.bar"}}))); + auto authorized = authorized_peers({policy_with({required_san_dns("hello.world"), + required_san_dns("foo.bar")})}); + EXPECT_TRUE(verify(authorized, creds_with_dns_sans({{"hello.world"}, {"foo.bar"}}))); // Need both - EXPECT_FALSE(verify(allowed, creds_with_dns_sans({{"hello.world"}}))); - EXPECT_FALSE(verify(allowed, creds_with_dns_sans({{"foo.bar"}}))); + EXPECT_FALSE(verify(authorized, creds_with_dns_sans({{"hello.world"}}))); + EXPECT_FALSE(verify(authorized, creds_with_dns_sans({{"foo.bar"}}))); // OK with more SANs that strictly required - EXPECT_TRUE(verify(allowed, creds_with_dns_sans({{"hello.world"}, {"foo.bar"}, {"baz.blorg"}}))); + EXPECT_TRUE(verify(authorized, creds_with_dns_sans({{"hello.world"}, {"foo.bar"}, {"baz.blorg"}}))); } TEST("wildcard SAN in certificate is not treated as a wildcard match by policy") { - auto allowed = allowed_peers({policy_with({required_san_dns("hello.world")})}); - EXPECT_FALSE(verify(allowed, creds_with_dns_sans({{"*.world"}}))); + auto authorized = authorized_peers({policy_with({required_san_dns("hello.world")})}); + EXPECT_FALSE(verify(authorized, creds_with_dns_sans({{"*.world"}}))); } TEST("wildcard SAN in certificate is still matched by wildcard policy SAN") { - auto allowed = allowed_peers({policy_with({required_san_dns("*.world")})}); - EXPECT_TRUE(verify(allowed, creds_with_dns_sans({{"*.world"}}))); + auto authorized = authorized_peers({policy_with({required_san_dns("*.world")})}); + EXPECT_TRUE(verify(authorized, creds_with_dns_sans({{"*.world"}}))); } struct MultiPolicyMatchFixture { - AllowedPeers allowed; + AuthorizedPeers authorized; MultiPolicyMatchFixture(); ~MultiPolicyMatchFixture(); }; MultiPolicyMatchFixture::MultiPolicyMatchFixture() - : allowed(allowed_peers({policy_with({required_san_dns("hello.world")}), - policy_with({required_san_dns("foo.bar")}), - policy_with({required_san_dns("zoid.berg")})})) + : authorized(authorized_peers({policy_with({required_san_dns("hello.world")}), + policy_with({required_san_dns("foo.bar")}), + policy_with({required_san_dns("zoid.berg")})})) {} MultiPolicyMatchFixture::~MultiPolicyMatchFixture() = default; TEST_F("peer verifies if it matches at least 1 policy of multiple", MultiPolicyMatchFixture) { - EXPECT_TRUE(verify(f.allowed, creds_with_dns_sans({{"hello.world"}}))); - EXPECT_TRUE(verify(f.allowed, creds_with_dns_sans({{"foo.bar"}}))); - EXPECT_TRUE(verify(f.allowed, creds_with_dns_sans({{"zoid.berg"}}))); + EXPECT_TRUE(verify(f.authorized, creds_with_dns_sans({{"hello.world"}}))); + EXPECT_TRUE(verify(f.authorized, creds_with_dns_sans({{"foo.bar"}}))); + EXPECT_TRUE(verify(f.authorized, creds_with_dns_sans({{"zoid.berg"}}))); } TEST_F("peer verifies if it matches multiple policies", MultiPolicyMatchFixture) { - EXPECT_TRUE(verify(f.allowed, creds_with_dns_sans({{"hello.world"}, {"zoid.berg"}}))); + EXPECT_TRUE(verify(f.authorized, creds_with_dns_sans({{"hello.world"}, {"zoid.berg"}}))); } TEST_F("peer must match at least 1 of multiple policies", MultiPolicyMatchFixture) { - EXPECT_FALSE(verify(f.allowed, creds_with_dns_sans({{"does.not.exist"}}))); + EXPECT_FALSE(verify(f.authorized, creds_with_dns_sans({{"does.not.exist"}}))); } TEST("CN requirement without glob pattern is matched as exact string") { - auto allowed = allowed_peers({policy_with({required_cn("hello.world")})}); - EXPECT_TRUE(verify(allowed, creds_with_cn("hello.world"))); - EXPECT_FALSE(verify(allowed, creds_with_cn("foo.bar"))); - EXPECT_FALSE(verify(allowed, creds_with_cn("hello.worlds"))); - EXPECT_FALSE(verify(allowed, creds_with_cn("hhello.world"))); - EXPECT_FALSE(verify(allowed, creds_with_cn("foo.hello.world"))); - EXPECT_FALSE(verify(allowed, creds_with_cn("hello.world.bar"))); + auto authorized = authorized_peers({policy_with({required_cn("hello.world")})}); + EXPECT_TRUE(verify(authorized, creds_with_cn("hello.world"))); + EXPECT_FALSE(verify(authorized, creds_with_cn("foo.bar"))); + EXPECT_FALSE(verify(authorized, creds_with_cn("hello.worlds"))); + EXPECT_FALSE(verify(authorized, creds_with_cn("hhello.world"))); + EXPECT_FALSE(verify(authorized, creds_with_cn("foo.hello.world"))); + EXPECT_FALSE(verify(authorized, creds_with_cn("hello.world.bar"))); } TEST("CN requirement can include glob wildcards") { - auto allowed = allowed_peers({policy_with({required_cn("*.w?rld")})}); - EXPECT_TRUE(verify(allowed, creds_with_cn("hello.world"))); - EXPECT_TRUE(verify(allowed, creds_with_cn("greetings.w0rld"))); - EXPECT_FALSE(verify(allowed, creds_with_cn("hello.wrld"))); - EXPECT_FALSE(verify(allowed, creds_with_cn("world"))); + auto authorized = authorized_peers({policy_with({required_cn("*.w?rld")})}); + EXPECT_TRUE(verify(authorized, creds_with_cn("hello.world"))); + EXPECT_TRUE(verify(authorized, creds_with_cn("greetings.w0rld"))); + EXPECT_FALSE(verify(authorized, creds_with_cn("hello.wrld"))); + EXPECT_FALSE(verify(authorized, creds_with_cn("world"))); } // TODO test CN _and_ SAN diff --git a/vespalib/src/tests/net/tls/transport_options/transport_options_reading_test.cpp b/vespalib/src/tests/net/tls/transport_options/transport_options_reading_test.cpp index 380bb0a3d71..1a442dc54f0 100644 --- a/vespalib/src/tests/net/tls/transport_options/transport_options_reading_test.cpp +++ b/vespalib/src/tests/net/tls/transport_options/transport_options_reading_test.cpp @@ -66,7 +66,7 @@ vespalib::string json_with_policies(const vespalib::string& policies) { const char* fmt = R"({"files":{"private-key":"dummy_privkey.txt", "certificates":"dummy_certs.txt", "ca-certificates":"dummy_ca_certs.txt"}, - "allowed-peers":[%s]})"; + "authorized-peers":[%s]})"; return vespalib::make_string(fmt, policies.c_str()); } @@ -74,18 +74,18 @@ TransportSecurityOptions parse_policies(const vespalib::string& policies) { return *read_options_from_json_string(json_with_policies(policies)); } -TEST("config file without allowed-peers accepts all pre-verified certificates") { +TEST("config file without authorized-peers accepts all pre-verified certificates") { const char* json = R"({"files":{"private-key":"dummy_privkey.txt", "certificates":"dummy_certs.txt", "ca-certificates":"dummy_ca_certs.txt"}})"; - EXPECT_TRUE(read_options_from_json_string(json)->allowed_peers().allows_all_authenticated()); + EXPECT_TRUE(read_options_from_json_string(json)->authorized_peers().allows_all_authenticated()); } // Instead of contemplating what the semantics of an empty allow list should be, // we do the easy way out and just say it's not allowed in the first place. TEST("empty policy array throws exception") { EXPECT_EXCEPTION(parse_policies(""), vespalib::IllegalArgumentException, - "\"allowed-peers\" must either be not present (allows " + "\"authorized-peers\" must either be not present (allows " "all peers with valid certificates) or a non-empty array"); } @@ -95,8 +95,8 @@ TEST("can parse single peer policy with single requirement") { {"field": "SAN_DNS", "must-match": "hello.world"} ] })"; - EXPECT_EQUAL(allowed_peers({policy_with({required_san_dns("hello.world")})}), - parse_policies(json).allowed_peers()); + EXPECT_EQUAL(authorized_peers({policy_with({required_san_dns("hello.world")})}), + parse_policies(json).authorized_peers()); } TEST("can parse single peer policy with multiple requirements") { @@ -106,9 +106,9 @@ TEST("can parse single peer policy with multiple requirements") { {"field": "CN", "must-match": "goodbye.moon"} ] })"; - EXPECT_EQUAL(allowed_peers({policy_with({required_san_dns("hello.world"), - required_cn("goodbye.moon")})}), - parse_policies(json).allowed_peers()); + EXPECT_EQUAL(authorized_peers({policy_with({required_san_dns("hello.world"), + required_cn("goodbye.moon")})}), + parse_policies(json).authorized_peers()); } TEST("unknown field type throws exception") { diff --git a/vespalib/src/vespa/vespalib/net/tls/peer_policies.cpp b/vespalib/src/vespa/vespalib/net/tls/peer_policies.cpp index d6ae16011a7..8d2fb04d853 100644 --- a/vespalib/src/vespa/vespalib/net/tls/peer_policies.cpp +++ b/vespalib/src/vespa/vespalib/net/tls/peer_policies.cpp @@ -103,9 +103,9 @@ std::ostream& operator<<(std::ostream& os, const PeerPolicy& policy) { return os; } -std::ostream& operator<<(std::ostream& os, const AllowedPeers& allowed){ - os << "AllowedPeers("; - print_joined(os, allowed.peer_policies(), ", "); +std::ostream& operator<<(std::ostream& os, const AuthorizedPeers& authorized){ + os << "AuthorizedPeers("; + print_joined(os, authorized.peer_policies(), ", "); os << ")"; return os; } diff --git a/vespalib/src/vespa/vespalib/net/tls/peer_policies.h b/vespalib/src/vespa/vespalib/net/tls/peer_policies.h index c445698c75e..44cbe70fd92 100644 --- a/vespalib/src/vespa/vespalib/net/tls/peer_policies.h +++ b/vespalib/src/vespa/vespalib/net/tls/peer_policies.h @@ -21,7 +21,7 @@ public: CN, SAN_DNS }; private: - Field _field; + Field _field = Field::SAN_DNS; vespalib::string _original_pattern; std::shared_ptr<const HostGlobPattern> _match_pattern; public: @@ -61,27 +61,27 @@ public: } }; -class AllowedPeers { - // A peer will be allowed iff it matches _one or more_ policies. +class AuthorizedPeers { + // A peer will be authorized iff it matches _one or more_ policies. std::vector<PeerPolicy> _peer_policies; bool _allow_all_if_empty = false; - AllowedPeers(bool allow_all_if_empty) + explicit AuthorizedPeers(bool allow_all_if_empty) : _peer_policies(), _allow_all_if_empty(allow_all_if_empty) {} public: - AllowedPeers() = default; - explicit AllowedPeers(std::vector<PeerPolicy> peer_policies_) + AuthorizedPeers() = default; + explicit AuthorizedPeers(std::vector<PeerPolicy> peer_policies_) : _peer_policies(std::move(peer_policies_)), _allow_all_if_empty(false) {} - static AllowedPeers allow_all_authenticated() { - return AllowedPeers(true); + static AuthorizedPeers allow_all_authenticated() { + return AuthorizedPeers(true); } - bool operator==(const AllowedPeers& rhs) const { + bool operator==(const AuthorizedPeers& rhs) const { return (_peer_policies == rhs._peer_policies); } bool allows_all_authenticated() const noexcept { @@ -92,6 +92,6 @@ public: std::ostream& operator<<(std::ostream&, const RequiredPeerCredential&); std::ostream& operator<<(std::ostream&, const PeerPolicy&); -std::ostream& operator<<(std::ostream&, const AllowedPeers&); +std::ostream& operator<<(std::ostream&, const AuthorizedPeers&); } // vespalib::net::tls diff --git a/vespalib/src/vespa/vespalib/net/tls/policy_checking_certificate_verifier.cpp b/vespalib/src/vespa/vespalib/net/tls/policy_checking_certificate_verifier.cpp index b3746182205..b8398746d38 100644 --- a/vespalib/src/vespa/vespalib/net/tls/policy_checking_certificate_verifier.cpp +++ b/vespalib/src/vespa/vespalib/net/tls/policy_checking_certificate_verifier.cpp @@ -41,25 +41,25 @@ bool matches_all_policy_requirements(const PeerCredentials& peer_creds, const Pe } // anon ns class PolicyConfiguredCertificateVerifier : public CertificateVerificationCallback { - AllowedPeers _allowed_peers; + AuthorizedPeers _authorized_peers; public: - explicit PolicyConfiguredCertificateVerifier(AllowedPeers allowed_peers); + explicit PolicyConfiguredCertificateVerifier(AuthorizedPeers authorized_peers); ~PolicyConfiguredCertificateVerifier() override; bool verify(const PeerCredentials& peer_creds) const override; }; -PolicyConfiguredCertificateVerifier::PolicyConfiguredCertificateVerifier(AllowedPeers allowed_peers) - : _allowed_peers(std::move(allowed_peers)) {} +PolicyConfiguredCertificateVerifier::PolicyConfiguredCertificateVerifier(AuthorizedPeers authorized_peers) + : _authorized_peers(std::move(authorized_peers)) {} PolicyConfiguredCertificateVerifier::~PolicyConfiguredCertificateVerifier() = default; bool PolicyConfiguredCertificateVerifier::verify(const PeerCredentials& peer_creds) const { - if (_allowed_peers.allows_all_authenticated()) { + if (_authorized_peers.allows_all_authenticated()) { return true; } - for (const auto& policy : _allowed_peers.peer_policies()) { + for (const auto& policy : _authorized_peers.peer_policies()) { if (matches_all_policy_requirements(peer_creds, policy)) { return true; } @@ -67,8 +67,8 @@ bool PolicyConfiguredCertificateVerifier::verify(const PeerCredentials& peer_cre return false; } -std::shared_ptr<CertificateVerificationCallback> create_verify_callback_from(AllowedPeers allowed_peers) { - return std::make_shared<PolicyConfiguredCertificateVerifier>(std::move(allowed_peers)); +std::shared_ptr<CertificateVerificationCallback> create_verify_callback_from(AuthorizedPeers authorized_peers) { + return std::make_shared<PolicyConfiguredCertificateVerifier>(std::move(authorized_peers)); } } // vespalib::net::tls diff --git a/vespalib/src/vespa/vespalib/net/tls/policy_checking_certificate_verifier.h b/vespalib/src/vespa/vespalib/net/tls/policy_checking_certificate_verifier.h index 6eac4e8c2ab..6e7ea44861a 100644 --- a/vespalib/src/vespa/vespalib/net/tls/policy_checking_certificate_verifier.h +++ b/vespalib/src/vespa/vespalib/net/tls/policy_checking_certificate_verifier.h @@ -6,6 +6,6 @@ namespace vespalib::net::tls { -std::shared_ptr<CertificateVerificationCallback> create_verify_callback_from(AllowedPeers allowed_peers); +std::shared_ptr<CertificateVerificationCallback> create_verify_callback_from(AuthorizedPeers authorized_peers); } diff --git a/vespalib/src/vespa/vespalib/net/tls/tls_context.cpp b/vespalib/src/vespa/vespalib/net/tls/tls_context.cpp index 8b62e5ce280..c02ed5aed4a 100644 --- a/vespalib/src/vespa/vespalib/net/tls/tls_context.cpp +++ b/vespalib/src/vespa/vespalib/net/tls/tls_context.cpp @@ -7,7 +7,7 @@ namespace vespalib::net::tls { std::shared_ptr<TlsContext> TlsContext::create_default_context(const TransportSecurityOptions& opts) { - auto verifier = create_verify_callback_from(opts.allowed_peers()); + auto verifier = create_verify_callback_from(opts.authorized_peers()); return std::make_shared<impl::OpenSslTlsContextImpl>(opts, std::move(verifier)); } diff --git a/vespalib/src/vespa/vespalib/net/tls/tls_context.h b/vespalib/src/vespa/vespalib/net/tls/tls_context.h index 90cc67f716b..09fe31efd8e 100644 --- a/vespalib/src/vespa/vespalib/net/tls/tls_context.h +++ b/vespalib/src/vespa/vespalib/net/tls/tls_context.h @@ -12,10 +12,10 @@ struct TlsContext { virtual ~TlsContext() = default; // Create a TLS context which verifies certificates according to the provided options' - // CA trust roots AND allowed peer policies + // CA trust roots AND authorized peer policies static std::shared_ptr<TlsContext> create_default_context(const TransportSecurityOptions&); // Create a TLS context where the certificate verification callback is explicitly provided. - // IMPORTANT: This does NOT verify that the peer satisfies the allowed peer policies! + // IMPORTANT: This does NOT verify that the peer satisfies the authorized peer policies! // It only verifies that a peer is signed by a trusted CA. This function should // therefore only be used in very special circumstances, such as unit tests. static std::shared_ptr<TlsContext> create_default_context( diff --git a/vespalib/src/vespa/vespalib/net/tls/transport_security_options.cpp b/vespalib/src/vespa/vespalib/net/tls/transport_security_options.cpp index 829da94a448..e79fee6cabf 100644 --- a/vespalib/src/vespa/vespalib/net/tls/transport_security_options.cpp +++ b/vespalib/src/vespa/vespalib/net/tls/transport_security_options.cpp @@ -10,7 +10,7 @@ TransportSecurityOptions::TransportSecurityOptions(Builder builder) : _ca_certs_pem(std::move(builder._ca_certs_pem)), _cert_chain_pem(std::move(builder._cert_chain_pem)), _private_key_pem(std::move(builder._private_key_pem)), - _allowed_peers(std::move(builder._allowed_peers)) + _authorized_peers(std::move(builder._authorized_peers)) { } @@ -20,18 +20,18 @@ TransportSecurityOptions::TransportSecurityOptions(vespalib::string ca_certs_pem : _ca_certs_pem(std::move(ca_certs_pem)), _cert_chain_pem(std::move(cert_chain_pem)), _private_key_pem(std::move(private_key_pem)), - _allowed_peers(AllowedPeers::allow_all_authenticated()) + _authorized_peers(AuthorizedPeers::allow_all_authenticated()) { } TransportSecurityOptions::TransportSecurityOptions(vespalib::string ca_certs_pem, vespalib::string cert_chain_pem, vespalib::string private_key_pem, - AllowedPeers allowed_peers) + AuthorizedPeers authorized_peers) : _ca_certs_pem(std::move(ca_certs_pem)), _cert_chain_pem(std::move(cert_chain_pem)), _private_key_pem(std::move(private_key_pem)), - _allowed_peers(std::move(allowed_peers)) + _authorized_peers(std::move(authorized_peers)) { } diff --git a/vespalib/src/vespa/vespalib/net/tls/transport_security_options.h b/vespalib/src/vespa/vespalib/net/tls/transport_security_options.h index 1463bfba248..16427fcbf1d 100644 --- a/vespalib/src/vespa/vespalib/net/tls/transport_security_options.h +++ b/vespalib/src/vespa/vespalib/net/tls/transport_security_options.h @@ -12,7 +12,7 @@ class TransportSecurityOptions { vespalib::string _ca_certs_pem; vespalib::string _cert_chain_pem; vespalib::string _private_key_pem; - AllowedPeers _allowed_peers; + AuthorizedPeers _authorized_peers; public: TransportSecurityOptions() = default; @@ -20,12 +20,12 @@ public: vespalib::string _ca_certs_pem; vespalib::string _cert_chain_pem; vespalib::string _private_key_pem; - AllowedPeers _allowed_peers; + AuthorizedPeers _authorized_peers; Builder& ca_certs_pem(vespalib::stringref pem) { _ca_certs_pem = pem; return *this; } Builder& cert_chain_pem(vespalib::stringref pem) { _cert_chain_pem = pem; return *this; } Builder& private_key_pem(vespalib::stringref pem) { _private_key_pem = pem; return *this; } - Builder& allowed_peers(AllowedPeers allowed) { _allowed_peers = std::move(allowed); return *this; } + Builder& authorized_peers(AuthorizedPeers auth) { _authorized_peers = std::move(auth); return *this; } }; explicit TransportSecurityOptions(Builder builder); @@ -37,14 +37,14 @@ public: TransportSecurityOptions(vespalib::string ca_certs_pem, vespalib::string cert_chain_pem, vespalib::string private_key_pem, - AllowedPeers allowed_peers); + AuthorizedPeers authorized_peers); ~TransportSecurityOptions(); const vespalib::string& ca_certs_pem() const noexcept { return _ca_certs_pem; } const vespalib::string& cert_chain_pem() const noexcept { return _cert_chain_pem; } const vespalib::string& private_key_pem() const noexcept { return _private_key_pem; } - const AllowedPeers& allowed_peers() const noexcept { return _allowed_peers; } + const AuthorizedPeers& authorized_peers() const noexcept { return _authorized_peers; } }; } // vespalib::net::tls diff --git a/vespalib/src/vespa/vespalib/net/tls/transport_security_options_reading.cpp b/vespalib/src/vespa/vespalib/net/tls/transport_security_options_reading.cpp index f14ad78dc91..1b6398153ca 100644 --- a/vespalib/src/vespa/vespalib/net/tls/transport_security_options_reading.cpp +++ b/vespalib/src/vespa/vespalib/net/tls/transport_security_options_reading.cpp @@ -18,27 +18,7 @@ namespace vespalib::net::tls { "ca-certificates": "my_cas.pem", "certificates": "certs.pem" }, - // for later: - "peer-taggers": [ - { - "requirements":[ - { - "field": "SAN" - "must-match": "DNS:foo.bar.baz.*" - } - ], - // TODO skip tags for now? just binary decision? - "tags": ["cluster-peers", "config-server"] // or "roles"? Avoid ambiguities with Athenz concepts - }, - { - "requirements":[ - { "field":"CN", "must-match": "config.blarg.*"} - ], - "tags": ["config-server"] - } - ] - // alternative 2: - "allowed-peers": [ + "authorized-peers": [ { "required-credentials":[ { "field":"CN", "must-match": "*.config.blarg"}, @@ -98,20 +78,20 @@ PeerPolicy parse_peer_policy(const Inspector& peer_entry) { return PeerPolicy(std::move(required_creds)); } -AllowedPeers parse_allowed_peers(const Inspector& allowed_peers) { - if (!allowed_peers.valid()) { - // If there's no "allowed-peers" object, valid CA signing is sufficient. - return AllowedPeers::allow_all_authenticated(); +AuthorizedPeers parse_authorized_peers(const Inspector& authorized_peers) { + if (!authorized_peers.valid()) { + // If there's no "authorized-peers" object, valid CA signing is sufficient. + return AuthorizedPeers::allow_all_authenticated(); } - if (allowed_peers.children() == 0) { - throw IllegalArgumentException("\"allowed-peers\" must either be not present (allows " + if (authorized_peers.children() == 0) { + throw IllegalArgumentException("\"authorized-peers\" must either be not present (allows " "all peers with valid certificates) or a non-empty array"); } std::vector<PeerPolicy> policies; - for (size_t i = 0; i < allowed_peers.children(); ++i) { - policies.emplace_back(parse_peer_policy(allowed_peers[i])); + for (size_t i = 0; i < authorized_peers.children(); ++i) { + policies.emplace_back(parse_peer_policy(authorized_peers[i])); } - return AllowedPeers(std::move(policies)); + return AuthorizedPeers(std::move(policies)); } std::unique_ptr<TransportSecurityOptions> load_from_input(Input& input) { @@ -130,10 +110,10 @@ std::unique_ptr<TransportSecurityOptions> load_from_input(Input& input) { auto ca_certs = load_file_referenced_by_field(files, "ca-certificates"); auto certs = load_file_referenced_by_field(files, "certificates"); auto priv_key = load_file_referenced_by_field(files, "private-key"); - auto allowed_peers = parse_allowed_peers(root["allowed-peers"]); + auto authorized_peers = parse_authorized_peers(root["authorized-peers"]); return std::make_unique<TransportSecurityOptions>(std::move(ca_certs), std::move(certs), - std::move(priv_key), std::move(allowed_peers)); + std::move(priv_key), std::move(authorized_peers)); } } // anon ns diff --git a/vespalib/src/vespa/vespalib/test/peer_policy_utils.cpp b/vespalib/src/vespa/vespalib/test/peer_policy_utils.cpp index 7d116b8893c..981ebd0c18d 100644 --- a/vespalib/src/vespa/vespalib/test/peer_policy_utils.cpp +++ b/vespalib/src/vespa/vespalib/test/peer_policy_utils.cpp @@ -16,8 +16,8 @@ PeerPolicy policy_with(std::vector<RequiredPeerCredential> creds) { return PeerPolicy(std::move(creds)); } -AllowedPeers allowed_peers(std::vector<PeerPolicy> peer_policies) { - return AllowedPeers(std::move(peer_policies)); +AuthorizedPeers authorized_peers(std::vector<PeerPolicy> peer_policies) { + return AuthorizedPeers(std::move(peer_policies)); } } diff --git a/vespalib/src/vespa/vespalib/test/peer_policy_utils.h b/vespalib/src/vespa/vespalib/test/peer_policy_utils.h index f5adf31d08e..1a720330e7d 100644 --- a/vespalib/src/vespa/vespalib/test/peer_policy_utils.h +++ b/vespalib/src/vespa/vespalib/test/peer_policy_utils.h @@ -8,6 +8,6 @@ namespace vespalib::net::tls { RequiredPeerCredential required_cn(vespalib::stringref pattern); RequiredPeerCredential required_san_dns(vespalib::stringref pattern); PeerPolicy policy_with(std::vector<RequiredPeerCredential> creds); -AllowedPeers allowed_peers(std::vector<PeerPolicy> peer_policies); +AuthorizedPeers authorized_peers(std::vector<PeerPolicy> peer_policies); } |