Diffstat (limited to 'container-core/src/main/java/com')
2 files changed, 9 insertions, 39 deletions
diff --git a/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyHttpServer.java b/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyHttpServer.java
index c0b3a336a39..965575f8b30 100644
--- a/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyHttpServer.java
+++ b/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyHttpServer.java
@@ -133,7 +133,6 @@ public class JettyHttpServer extends AbstractServerProvider {
 private HandlerCollection createRootHandler(
 ServerConfig serverCfg, List<JDiscServerConnector> connectors, ServletHolder jdiscServlet) {
- List<ConnectorConfig> connectorCfgs = connectors.stream().map(JDiscServerConnector::connectorConfig).toList();
 List<ContextHandler> perConnectorHandlers = new ArrayList<>();
 for (JDiscServerConnector connector : connectors) {
 ConnectorConfig connectorCfg = connector.connectorConfig();
@@ -142,7 +141,7 @@ public class JettyHttpServer extends AbstractServerProvider {
 chain.add(newResponseStatisticsHandler(serverCfg));
 chain.add(newGzipHandler(serverCfg));
 if (connectorCfg.tlsClientAuthEnforcer().enable()) {
- chain.add(newTlsClientAuthEnforcerHandler(connectorCfgs));
+ chain.add(newTlsClientAuthEnforcerHandler(connectorCfg));
 }
 if (connectorCfg.healthCheckProxy().enable()) {
 chain.add(newHealthCheckProxyHandler(connectors));
@@ -246,8 +245,8 @@ public class JettyHttpServer extends AbstractServerProvider {
 return new HealthCheckProxyHandler(connectors);
 }
- private static TlsClientAuthenticationEnforcer newTlsClientAuthEnforcerHandler(List<ConnectorConfig> connectorCfgs) {
- return new TlsClientAuthenticationEnforcer(connectorCfgs);
+ private static TlsClientAuthenticationEnforcer newTlsClientAuthEnforcerHandler(ConnectorConfig cfg) {
+ return new TlsClientAuthenticationEnforcer(cfg.tlsClientAuthEnforcer());
 }
 private static HttpResponseStatisticsCollector newResponseStatisticsHandler(ServerConfig cfg) {
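Review bot: In the third hunk, `newTlsClientAuthEnforcerHandler(ConnectorConfig cfg)` forwards `cfg.tlsClientAuthEnforcer()` to a constructor that rejects a disabled config, so the `enable()` guard at the call site in the second hunk is the only thing keeping server startup from failing with an IllegalArgumentException, and that coupling is invisible at the helper. A one-line comment on the helper, `// caller must have checked cfg.tlsClientAuthEnforcer().enable(); the enforcer rejects a disabled config`, would make the precondition explicit. The second hunk also evaluates `connectorCfg.tlsClientAuthEnforcer()` for the guard and again inside the helper; hoisting it into a local once per connector would read more clearly. The enclosing `createRootHandler` body continues outside these hunks.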
diff --git a/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/TlsClientAuthenticationEnforcer.java b/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/TlsClientAuthenticationEnforcer.java
index ce949074bfa..b420aabc598 100644
--- a/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/TlsClientAuthenticationEnforcer.java
+++ b/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/TlsClientAuthenticationEnforcer.java
@@ -11,11 +11,6 @@ import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-
-import static com.yahoo.jdisc.http.server.jetty.RequestUtils.getConnectorLocalPort;
 /**
 * A Jetty handler that enforces TLS client authentication with configurable white list.
@@ -24,10 +19,11 @@ import static com.yahoo.jdisc.http.server.jetty.RequestUtils.getConnectorLocalPo
 */
 class TlsClientAuthenticationEnforcer extends HandlerWrapper {
- private final Map<Integer, List<String>> portToWhitelistedPathsMapping;
+ private final ConnectorConfig.TlsClientAuthEnforcer cfg;
- TlsClientAuthenticationEnforcer(List<ConnectorConfig> connectorConfigs) {
- portToWhitelistedPathsMapping = createWhitelistMapping(connectorConfigs);
+ TlsClientAuthenticationEnforcer(ConnectorConfig.TlsClientAuthEnforcer cfg) {
+ if (!cfg.enable()) throw new IllegalArgumentException();
+ this.cfg = cfg;
 }
 @Override
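Review bot: The constructor in the second hunk throws `IllegalArgumentException()` with no message, so a connector wired up with a disabled enforcer fails at startup without saying what was wrong. Prefer `if (!cfg.enable()) throw new IllegalArgumentException("TlsClientAuthenticationEnforcer requires tlsClientAuthEnforcer.enable=true");` and document the precondition on the constructor with a Javadoc `@throws IllegalArgumentException if the enforcer is not enabled in the given config`. Since the handler is now built from a single connector's config rather than a port-keyed map, the class Javadoc above could also state that the whitelist applies only to the connector this handler is installed on.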
@@ -44,36 +40,11 @@ class TlsClientAuthenticationEnforcer extends HandlerWrapper {
 }
 }
- private static Map<Integer, List<String>> createWhitelistMapping(List<ConnectorConfig> connectorConfigs) {
- var mapping = new HashMap<Integer, List<String>>();
- for (ConnectorConfig connectorConfig : connectorConfigs) {
- var enforcerConfig = connectorConfig.tlsClientAuthEnforcer();
- if (enforcerConfig.enable()) {
- mapping.put(connectorConfig.listenPort(), enforcerConfig.pathWhitelist());
- }
- }
- return mapping;
- }
-
- private boolean isRequest(Request request) {
- return request.getDispatcherType() == DispatcherType.REQUEST;
- }
+ private boolean isRequest(Request request) { return request.getDispatcherType() == DispatcherType.REQUEST; }
 private boolean isRequestToWhitelistedBinding(Request jettyRequest) {
- int localPort = getConnectorLocalPort(jettyRequest);
- List<String> whiteListedPaths = getWhitelistedPathsForPort(localPort);
- if (whiteListedPaths == null) {
- return true; // enforcer not enabled
- }
 // Note: Same path definition as HttpRequestFactory.getUri()
- return whiteListedPaths.contains(jettyRequest.getRequestURI());
- }
-
- private List<String> getWhitelistedPathsForPort(int localPort) {
- if (portToWhitelistedPathsMapping.containsKey(0) && portToWhitelistedPathsMapping.size() == 1) {
- return portToWhitelistedPathsMapping.get(0); // for unit tests which uses 0 for listen port
- }
- return portToWhitelistedPathsMapping.get(localPort);
+ return cfg.pathWhitelist().contains(jettyRequest.getRequestURI());
 }
 private boolean isClientAuthenticated(HttpServletRequest servletRequest) { |
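Review bot: `isRequestToWhitelistedBinding` now consults `cfg.pathWhitelist()` on every request, and with the removed `whiteListedPaths == null` branch any request reaching this handler is enforced unless its exact URI is whitelisted; that is the fail-closed behaviour one wants here, but it drops the per-port lookup and the port-0 unit-test special case, which is worth stating in the commit message. If `pathWhitelist()` returns a List, as the removed `List<String> whiteListedPaths` typing suggests, snapshot it once in the constructor as `private final Set<String> pathWhitelist;` / `this.pathWhitelist = Set.copyOf(cfg.pathWhitelist());` and look up with `return pathWhitelist.contains(jettyRequest.getRequestURI());`, which keeps the exact-match semantics while making the check O(1) and independent of later config mutation. The single-line body of `isRequest` is a style choice the rest of the file does not use. `isClientAuthenticated` begins on the last line of the hunk and continues outside it.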