-rw-r--r--controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/AthenzPrincipalFilter.java6
-rw-r--r--controller-server/src/test/java/com/yahoo/vespa/hosted/controller/athenz/filter/AthenzPrincipalFilterTest.java15
-rw-r--r--controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/ApplicationRequestToDiscFilterRequestWrapper.java5
-rw-r--r--jdisc_http_service/src/main/java/com/yahoo/jdisc/http/filter/DiscFilterRequest.java7
-rw-r--r--jdisc_http_service/src/main/java/com/yahoo/jdisc/http/filter/JdiscFilterRequest.java8
-rw-r--r--jdisc_http_service/src/main/java/com/yahoo/jdisc/http/filter/ServletFilterRequest.java8
6 files changed, 31 insertions, 18 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/AthenzPrincipalFilter.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/AthenzPrincipalFilter.java
index c5406669f67..5ad44b82370 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/AthenzPrincipalFilter.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/AthenzPrincipalFilter.java
@@ -13,6 +13,7 @@ import com.yahoo.vespa.hosted.controller.api.integration.athenz.ZmsKeystore;
import com.yahoo.vespa.hosted.controller.athenz.config.AthenzConfig;
import java.security.cert.X509Certificate;
+import java.util.List;
import java.util.Optional;
import java.util.concurrent.Executor;
@@ -81,8 +82,9 @@ public class AthenzPrincipalFilter implements SecurityRequestFilter {
}
private static Optional<X509Certificate> getClientCertificate(DiscFilterRequest request) {
- return request.getClientCertificateChain()
- .map(chain -> chain[0]);
+ List<X509Certificate> chain = request.getClientCertificateChain();
+ if (chain.isEmpty()) return Optional.empty();
+ return Optional.of(chain.get(0));
}
private static Optional<NToken> getPrincipalToken(DiscFilterRequest request, String principalTokenHeaderName) {
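Review bot: The three-line empty-check in getClientCertificate (`List<X509Certificate> chain = …` through `return Optional.of(chain.get(0))`) is a style point: with the new list contract the same thing reads as `return request.getClientCertificateChain().stream().findFirst();`. Either way the identity is derived from the leaf only, which silently depends on the DiscFilterRequest contract that index 0 is the client's own certificate rather than an issuer. A one-line comment such as `// leaf certificate is first, per DiscFilterRequest#getClientCertificateChain` would make that dependency visible to readers of this filter.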
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/athenz/filter/AthenzPrincipalFilterTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/athenz/filter/AthenzPrincipalFilterTest.java
index b0a51ecb16f..53ced43a9ba 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/athenz/filter/AthenzPrincipalFilterTest.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/athenz/filter/AthenzPrincipalFilterTest.java
@@ -36,9 +36,10 @@ import java.time.Duration;
import java.time.Instant;
import java.util.Date;
import java.util.Objects;
-import java.util.Optional;
import static com.yahoo.jdisc.Response.Status.UNAUTHORIZED;
+import static java.util.Collections.emptyList;
+import static java.util.Collections.singletonList;
import static java.util.stream.Collectors.joining;
import static org.hamcrest.Matchers.containsString;
import static org.hamcrest.Matchers.equalTo;
@@ -70,7 +71,7 @@ public class AthenzPrincipalFilterTest {
DiscFilterRequest request = mock(DiscFilterRequest.class);
AthenzPrincipal principal = new AthenzPrincipal(IDENTITY, NTOKEN);
when(request.getHeader(ATHENZ_PRINCIPAL_HEADER)).thenReturn(NTOKEN.getRawToken());
- when(request.getClientCertificateChain()).thenReturn(Optional.empty());
+ when(request.getClientCertificateChain()).thenReturn(emptyList());
when(validator.validate(NTOKEN)).thenReturn(principal);
AthenzPrincipalFilter filter = new AthenzPrincipalFilter(validator, Runnable::run, ATHENZ_PRINCIPAL_HEADER);
@@ -83,7 +84,7 @@ public class AthenzPrincipalFilterTest {
public void missing_token_and_certificate_is_unauthorized() {
DiscFilterRequest request = mock(DiscFilterRequest.class);
when(request.getHeader(ATHENZ_PRINCIPAL_HEADER)).thenReturn(null);
- when(request.getClientCertificateChain()).thenReturn(Optional.empty());
+ when(request.getClientCertificateChain()).thenReturn(emptyList());
ResponseHandlerMock responseHandler = new ResponseHandlerMock();
@@ -98,7 +99,7 @@ public class AthenzPrincipalFilterTest {
DiscFilterRequest request = mock(DiscFilterRequest.class);
String errorMessage = "Invalid token";
when(request.getHeader(ATHENZ_PRINCIPAL_HEADER)).thenReturn(NTOKEN.getRawToken());
- when(request.getClientCertificateChain()).thenReturn(Optional.empty());
+ when(request.getClientCertificateChain()).thenReturn(emptyList());
when(validator.validate(NTOKEN)).thenThrow(new InvalidTokenException(errorMessage));
ResponseHandlerMock responseHandler = new ResponseHandlerMock();
@@ -113,7 +114,7 @@ public class AthenzPrincipalFilterTest {
public void certificate_is_accepted() {
DiscFilterRequest request = mock(DiscFilterRequest.class);
when(request.getHeader(ATHENZ_PRINCIPAL_HEADER)).thenReturn(null);
- when(request.getClientCertificateChain()).thenReturn(Optional.of(new X509Certificate[]{CERTIFICATE}));
+ when(request.getClientCertificateChain()).thenReturn(singletonList(CERTIFICATE));
ResponseHandlerMock responseHandler = new ResponseHandlerMock();
@@ -129,7 +130,7 @@ public class AthenzPrincipalFilterTest {
DiscFilterRequest request = mock(DiscFilterRequest.class);
AthenzPrincipal principalWithToken = new AthenzPrincipal(IDENTITY, NTOKEN);
when(request.getHeader(ATHENZ_PRINCIPAL_HEADER)).thenReturn(NTOKEN.getRawToken());
- when(request.getClientCertificateChain()).thenReturn(Optional.of(new X509Certificate[]{CERTIFICATE}));
+ when(request.getClientCertificateChain()).thenReturn(singletonList(CERTIFICATE));
when(validator.validate(NTOKEN)).thenReturn(principalWithToken);
ResponseHandlerMock responseHandler = new ResponseHandlerMock();
@@ -146,7 +147,7 @@ public class AthenzPrincipalFilterTest {
AthenzUser conflictingIdentity = AthenzUser.fromUserId("mallory");
when(request.getHeader(ATHENZ_PRINCIPAL_HEADER)).thenReturn(NTOKEN.getRawToken());
when(request.getClientCertificateChain())
- .thenReturn(Optional.of(new X509Certificate[]{createSelfSignedCertificate(conflictingIdentity)}));
+ .thenReturn(singletonList(createSelfSignedCertificate(conflictingIdentity)));
when(validator.validate(NTOKEN)).thenReturn(new AthenzPrincipal(IDENTITY));
ResponseHandlerMock responseHandler = new ResponseHandlerMock();
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/ApplicationRequestToDiscFilterRequestWrapper.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/ApplicationRequestToDiscFilterRequestWrapper.java
index d5b1b85de5f..eee0519b12b 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/ApplicationRequestToDiscFilterRequestWrapper.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/ApplicationRequestToDiscFilterRequestWrapper.java
@@ -16,7 +16,6 @@ import java.util.Collections;
import java.util.Enumeration;
import java.util.List;
import java.util.Map;
-import java.util.Optional;
import java.util.concurrent.TimeUnit;
/**
@@ -178,8 +177,8 @@ public class ApplicationRequestToDiscFilterRequestWrapper extends DiscFilterRequ
}
@Override
- public Optional<X509Certificate[]> getClientCertificateChain() {
- return Optional.empty();
+ public List<X509Certificate> getClientCertificateChain() {
+ return Collections.emptyList();
}
@Override
diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/filter/DiscFilterRequest.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/filter/DiscFilterRequest.java
index 2cb68462005..da76e288a2a 100644
--- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/filter/DiscFilterRequest.java
+++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/filter/DiscFilterRequest.java
@@ -22,7 +22,6 @@ import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
-import java.util.Optional;
import java.util.concurrent.TimeUnit;
import java.util.regex.Pattern;
@@ -371,7 +370,11 @@ public abstract class DiscFilterRequest {
public abstract void setUserPrincipal(Principal principal);
- public abstract Optional<X509Certificate[]> getClientCertificateChain();
+ /**
+ * @return The client certificate chain in ascending order of trust. The first certificate is the one sent from the client.
+ * Returns an empty list if the client did not provide a certificate.
+ */
+ public abstract List<X509Certificate> getClientCertificateChain();
public void setUserRoles(String[] roles) {
this.roles = roles;
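Review bot: The new Javadoc's phrase "The first certificate is the one sent from the client" is ambiguous, since the whole chain is presented by the client; what callers such as AthenzPrincipalFilter rely on is that index 0 is the client's own (leaf) certificate. Suggested wording: `@return the client certificate chain, leaf first: element 0 is the client's own certificate and each following element is the issuer of the preceding one; empty if the client presented no certificate`. The doc should also say whether the returned list may be modified, because the jdisc and servlet implementations in this change return an `Arrays.asList` view over the request-context array rather than a copy.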
diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/filter/JdiscFilterRequest.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/filter/JdiscFilterRequest.java
index c161b374e83..f8d9e6b2642 100644
--- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/filter/JdiscFilterRequest.java
+++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/filter/JdiscFilterRequest.java
@@ -9,6 +9,7 @@ import java.net.URI;
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
+import java.util.Arrays;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;
@@ -117,8 +118,11 @@ public class JdiscFilterRequest extends DiscFilterRequest {
}
@Override
- public Optional<X509Certificate[]> getClientCertificateChain() {
- return Optional.ofNullable((X509Certificate[]) parent.context().get(ServletRequest.JDISC_REQUEST_X509CERT));
+ public List<X509Certificate> getClientCertificateChain() {
+ return Optional.ofNullable(parent.context().get(ServletRequest.JDISC_REQUEST_X509CERT))
+ .map(X509Certificate[].class::cast)
+ .map(Arrays::asList)
+ .orElse(Collections.emptyList());
}
@Override
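Review bot: `Arrays.asList` on the array taken from the request context returns a fixed-size list that is still backed by that array, so `set()` on the list returned from the `.map(Arrays::asList)` line writes through to the certificate chain every later filter and handler reads from `JDISC_REQUEST_X509CERT`. Since this value feeds authentication decisions, hand out a view callers cannot alter: `.map(certs -> Collections.unmodifiableList(Arrays.asList(certs)))` (`Collections` is already imported). The cast to `X509Certificate[]` is unchanged from the old code and still fails with ClassCastException if the context holds another type, which is acceptable as long as only the connector writes that key.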
diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/filter/ServletFilterRequest.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/filter/ServletFilterRequest.java
index 6f23f128b4e..5921f0b8e0a 100644
--- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/filter/ServletFilterRequest.java
+++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/filter/ServletFilterRequest.java
@@ -8,6 +8,7 @@ import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.security.Principal;
import java.security.cert.X509Certificate;
+import java.util.Arrays;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashSet;
@@ -141,8 +142,11 @@ class ServletFilterRequest extends DiscFilterRequest {
}
@Override
- public Optional<X509Certificate[]> getClientCertificateChain() {
- return Optional.ofNullable((X509Certificate[]) parent.context().get(ServletRequest.SERVLET_REQUEST_X509CERT));
+ public List<X509Certificate> getClientCertificateChain() {
+ return Optional.ofNullable(parent.context().get(ServletRequest.SERVLET_REQUEST_X509CERT))
+ .map(X509Certificate[].class::cast)
+ .map(Arrays::asList)
+ .orElse(Collections.emptyList());
}
@Override
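Review bot: Same aliasing concern as in JdiscFilterRequest: the list produced on the `.map(Arrays::asList)` line is element-mutable and backed by the array stored under `SERVLET_REQUEST_X509CERT`, so a filter calling `set()` on it changes the chain that subsequent consumers see. Return an unmodifiable view instead, `.map(certs -> Collections.unmodifiableList(Arrays.asList(certs)))`; `Collections` is already imported in this file. Keeping the two implementations identical here also keeps the DiscFilterRequest contract the same regardless of which request wrapper is in use.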