Diffstat (limited to 'security-utils/src/main/java/com/yahoo/security/tls/policy')
9 files changed, 0 insertions, 441 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/policy/AuthorizedPeers.java b/security-utils/src/main/java/com/yahoo/security/tls/policy/AuthorizedPeers.java
deleted file mode 100644
index 5e49a5b341c..00000000000
--- a/security-utils/src/main/java/com/yahoo/security/tls/policy/AuthorizedPeers.java
+++ /dev/null
@@ -1,32 +0,0 @@
-// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.security.tls.policy;
-
-import java.util.Set;
-
-/**
- * @author bjorncs
- */
-public record AuthorizedPeers(Set<PeerPolicy> peerPolicies) {
-
- private static final AuthorizedPeers EMPTY = new AuthorizedPeers(Set.of());
-
- public AuthorizedPeers {
- peerPolicies = verifyPeerPolicies(peerPolicies);
- }
-
- public static AuthorizedPeers empty() { return EMPTY; }
-
- private static Set<PeerPolicy> verifyPeerPolicies(Set<PeerPolicy> peerPolicies) {
- long distinctNames = peerPolicies.stream()
- .map(PeerPolicy::policyName)
- .distinct()
- .count();
- if (distinctNames != peerPolicies.size()) {
- throw new IllegalArgumentException("'authorized-peers' contains entries with duplicate names");
- }
- return Set.copyOf(peerPolicies);
- }
-
- public boolean isEmpty() { return peerPolicies.isEmpty(); }
-
-}
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/policy/Capability.java b/security-utils/src/main/java/com/yahoo/security/tls/policy/Capability.java
deleted file mode 100644
index 09d4de37831..00000000000
--- a/security-utils/src/main/java/com/yahoo/security/tls/policy/Capability.java
+++ /dev/null
@@ -1,32 +0,0 @@
-// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.security.tls.policy;
-
-import java.util.Arrays;
-
-/**
- * @author bjorncs
- */
-public enum Capability {
- CONTENT__CLUSTER_CONTROLLER__INTERNAL_STATE_API("vespa.content.cluster_controller.internal_state_api"),
- CONTENT__DOCUMENT_API("vespa.content.document_api"),
- CONTENT__METRICS_API("vespa.content.metrics_api"),
- CONTENT__SEARCH_API("vespa.content.search_api"),
- CONTENT__STATUS_PAGES("vespa.content.status_pages"),
- CONTENT__STORAGE_API("vespa.content.storage_api"),
- SLOBROK__API("vespa.slobrok.api"),
- ;
-
- private final String name;
-
- Capability(String name) { this.name = name; }
-
- public String asString() { return name; }
-
- public static Capability fromName(String name) {
- return Arrays.stream(values())
- .filter(c -> c.name.equals(name))
- .findAny().orElseThrow(() ->
- new IllegalArgumentException("Cannot find predefined capability set with name '" + name + "'"));
- }
-
-}
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/policy/CapabilitySet.java b/security-utils/src/main/java/com/yahoo/security/tls/policy/CapabilitySet.java
deleted file mode 100644
index 28e235ff672..00000000000
--- a/security-utils/src/main/java/com/yahoo/security/tls/policy/CapabilitySet.java
+++ /dev/null
@@ -1,104 +0,0 @@
-// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.security.tls.policy;
-
-import java.util.Arrays;
-import java.util.Collection;
-import java.util.Collections;
-import java.util.EnumSet;
-import java.util.List;
-import java.util.Objects;
-import java.util.Optional;
-import java.util.Set;
-import java.util.SortedSet;
-import java.util.TreeSet;
-import java.util.stream.Collectors;
-
-/**
- * @author bjorncs
- */
-public class CapabilitySet {
- public enum Predefined {
- CONTENT_NODE("vespa.content_node",
- Capability.CONTENT__STORAGE_API, Capability.CONTENT__DOCUMENT_API, Capability.SLOBROK__API),
- CONTAINER_NODE("vespa.container_node",
- Capability.CONTENT__DOCUMENT_API, Capability.CONTENT__SEARCH_API, Capability.SLOBROK__API),
- TELEMETRY("vespa.telemetry",
- Capability.CONTENT__STATUS_PAGES, Capability.CONTENT__METRICS_API),
- CLUSTER_CONTROLLER_NODE("vespa.cluster_controller_node",
- Capability.CONTENT__CLUSTER_CONTROLLER__INTERNAL_STATE_API, Capability.SLOBROK__API),
- CONFIG_SERVER("vespa.config_server"),
- ;
-
- private final String name;
- private final EnumSet<Capability> caps;
-
- Predefined(String name, Capability... caps) {
- this.name = name;
- this.caps = caps.length == 0 ? EnumSet.noneOf(Capability.class) : EnumSet.copyOf(List.of(caps)); }
-
- public static Optional<Predefined> fromName(String name) {
- return Arrays.stream(values()).filter(p -> p.name.equals(name)).findAny();
- }
- }
-
- private static final CapabilitySet ALL_CAPABILITIES = new CapabilitySet(EnumSet.allOf(Capability.class));
- private static final CapabilitySet NO_CAPABILITIES = new CapabilitySet(EnumSet.noneOf(Capability.class));
-
- private final EnumSet<Capability> caps;
-
- private CapabilitySet(EnumSet<Capability> caps) { this.caps = caps; }
-
- public static CapabilitySet fromNames(Collection<String> names) {
- EnumSet<Capability> caps = EnumSet.noneOf(Capability.class);
- for (String name : names) {
- Predefined predefined = Predefined.fromName(name).orElse(null);
- if (predefined != null) caps.addAll(predefined.caps);
- else caps.add(Capability.fromName(name));
- }
- return new CapabilitySet(caps);
- }
-
- public static CapabilitySet unionOf(Collection<CapabilitySet> capSets) {
- EnumSet<Capability> union = EnumSet.noneOf(Capability.class);
- capSets.forEach(cs -> union.addAll(cs.caps));
- return new CapabilitySet(union);
- }
-
- public static CapabilitySet from(EnumSet<Capability> caps) { return new CapabilitySet(EnumSet.copyOf(caps)); }
- public static CapabilitySet from(Collection<Capability> caps) { return new CapabilitySet(EnumSet.copyOf(caps)); }
- public static CapabilitySet from(Capability... caps) { return new CapabilitySet(EnumSet.copyOf(List.of(caps))); }
- public static CapabilitySet all() { return ALL_CAPABILITIES; }
- public static CapabilitySet none() { return NO_CAPABILITIES; }
-
- public boolean hasAll() { return this.caps.equals(ALL_CAPABILITIES.caps); }
- public boolean hasNone() { return this.caps.equals(NO_CAPABILITIES.caps); }
- public boolean has(CapabilitySet caps) { return this.caps.containsAll(caps.caps); }
- public boolean has(Collection<Capability> caps) { return this.caps.containsAll(caps); }
- public boolean has(Capability... caps) { return this.caps.containsAll(List.of(caps)); }
-
- public SortedSet<String> toNames() {
- return caps.stream().map(Capability::asString).collect(Collectors.toCollection(TreeSet::new));
- }
-
- public Set<Capability> asSet() { return Collections.unmodifiableSet(caps); }
-
- @Override
- public String toString() {
- return "CapabilitySet{" +
- "caps=" + caps +
- '}';
- }
-
- @Override
- public boolean equals(Object o) {
- if (this == o) return true;
- if (o == null || getClass() != o.getClass()) return false;
- CapabilitySet that = (CapabilitySet) o;
- return Objects.equals(caps, that.caps);
- }
-
- @Override
- public int hashCode() {
- return Objects.hash(caps);
- }
-}
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/policy/GlobPattern.java b/security-utils/src/main/java/com/yahoo/security/tls/policy/GlobPattern.java
deleted file mode 100644
index 46a38a77844..00000000000
--- a/security-utils/src/main/java/com/yahoo/security/tls/policy/GlobPattern.java
+++ /dev/null
@@ -1,82 +0,0 @@
-// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.security.tls.policy;
-
-import java.util.Arrays;
-import java.util.Objects;
-import java.util.regex.Pattern;
-
-/**
- * Matching engine for glob patterns having where one ore more alternative characters acts a boundary for wildcard matching.
- *
- * @author bjorncs
- */
-class GlobPattern {
- private final String pattern;
- private final char[] boundaries;
- private final Pattern regexPattern;
-
- GlobPattern(String pattern, char[] boundaries, boolean enableSingleCharWildcard) {
- this.pattern = pattern;
- this.boundaries = boundaries;
- this.regexPattern = toRegexPattern(pattern, boundaries, enableSingleCharWildcard);
- }
-
- boolean matches(String value) { return regexPattern.matcher(value).matches(); }
-
- String asString() { return pattern; }
- Pattern regexPattern() { return regexPattern; }
- char[] boundaries() { return boundaries; }
-
- private static Pattern toRegexPattern(String pattern, char[] boundaries, boolean enableSingleCharWildcard) {
- StringBuilder builder = new StringBuilder("^");
- StringBuilder precedingCharactersToQuote = new StringBuilder();
- char[] chars = pattern.toCharArray();
- for (char c : chars) {
- if ((enableSingleCharWildcard && c == '?') || c == '*') {
- builder.append(quotePrecedingLiteralsAndReset(precedingCharactersToQuote));
- // Note: we explicitly stop matching at a separator boundary.
- // This is to make matching less vulnerable to dirty tricks (e.g dot as boundary for hostnames).
- // Same applies for single chars; they should only match _within_ a boundary.
- builder.append("[^").append(Pattern.quote(new String(boundaries))).append("]");
- if (c == '*') builder.append('*');
- } else {
- precedingCharactersToQuote.append(c);
- }
- }
- return Pattern.compile(builder.append(quotePrecedingLiteralsAndReset(precedingCharactersToQuote)).append('$').toString());
- }
-
- // Combines multiple subsequent literals inside a single quote to simplify produced regex patterns
- private static String quotePrecedingLiteralsAndReset(StringBuilder literals) {
- if (literals.length() > 0) {
- String quoted = literals.toString();
- literals.setLength(0);
- return Pattern.quote(quoted);
- }
- return "";
- }
-
- @Override
- public boolean equals(Object o) {
- if (this == o) return true;
- if (o == null || getClass() != o.getClass()) return false;
- GlobPattern that = (GlobPattern) o;
- return Objects.equals(pattern, that.pattern) && Arrays.equals(boundaries, that.boundaries);
- }
-
- @Override
- public int hashCode() {
- int result = Objects.hash(pattern);
- result = 31 * result + Arrays.hashCode(boundaries);
- return result;
- }
-
- @Override
- public String toString() {
- return "GlobPattern{" +
- "pattern='" + pattern + '\'' +
- ", boundaries=" + Arrays.toString(boundaries) +
- ", regexPattern=" + regexPattern +
- '}';
- }
-}
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/policy/HostGlobPattern.java b/security-utils/src/main/java/com/yahoo/security/tls/policy/HostGlobPattern.java
deleted file mode 100644
index cb9ba13cae4..00000000000
--- a/security-utils/src/main/java/com/yahoo/security/tls/policy/HostGlobPattern.java
+++ /dev/null
@@ -1,46 +0,0 @@
-// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.security.tls.policy;
-
-import java.util.Objects;
-
-/**
- * @author bjorncs
- */
-class HostGlobPattern implements RequiredPeerCredential.Pattern {
-
- private final GlobPattern globPattern;
-
- HostGlobPattern(String pattern) {
- this.globPattern = new GlobPattern(pattern, new char[] {'.'}, true);
- }
-
- @Override
- public String asString() {
- return globPattern.asString();
- }
-
- @Override
- public boolean matches(String hostString) {
- return globPattern.matches(hostString);
- }
-
- @Override
- public String toString() {
- return "HostGlobPattern{" +
- "pattern='" + globPattern + '\'' +
- '}';
- }
-
- @Override
- public boolean equals(Object o) {
- if (this == o) return true;
- if (o == null || getClass() != o.getClass()) return false;
- HostGlobPattern that = (HostGlobPattern) o;
- return Objects.equals(globPattern, that.globPattern);
- }
-
- @Override
- public int hashCode() {
- return Objects.hash(globPattern);
- }
-}
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/policy/PeerPolicy.java b/security-utils/src/main/java/com/yahoo/security/tls/policy/PeerPolicy.java
deleted file mode 100644
index cb39e5e9c3c..00000000000
--- a/security-utils/src/main/java/com/yahoo/security/tls/policy/PeerPolicy.java
+++ /dev/null
@@ -1,24 +0,0 @@
-// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.security.tls.policy;
-
-import java.util.List;
-import java.util.Optional;
-
-/**
- * @author bjorncs
- */
-public record PeerPolicy(String policyName, Optional<String> description, CapabilitySet capabilities,
- List<RequiredPeerCredential> requiredCredentials) {
-
- public PeerPolicy {
- requiredCredentials = List.copyOf(requiredCredentials);
- }
-
- public PeerPolicy(String policyName, List<RequiredPeerCredential> requiredCredentials) {
- this(policyName, Optional.empty(), CapabilitySet.all(), requiredCredentials);
- }
-
- public PeerPolicy(String policyName, String description, List<RequiredPeerCredential> requiredCredentials) {
- this(policyName, Optional.ofNullable(description), CapabilitySet.all(), requiredCredentials);
- }
-}
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/policy/RequiredPeerCredential.java b/security-utils/src/main/java/com/yahoo/security/tls/policy/RequiredPeerCredential.java
deleted file mode 100644
index 4c96a2935f8..00000000000
--- a/security-utils/src/main/java/com/yahoo/security/tls/policy/RequiredPeerCredential.java
+++ /dev/null
@@ -1,71 +0,0 @@
-// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.security.tls.policy;
-
-import java.util.Objects;
-
-/**
- * @author bjorncs
- */
-public class RequiredPeerCredential {
-
- public enum Field { CN, SAN_DNS, SAN_URI }
-
- private final Field field;
- private final Pattern pattern;
-
- private RequiredPeerCredential(Field field, Pattern pattern) {
- this.field = field;
- this.pattern = pattern;
- }
-
- public static RequiredPeerCredential of(Field field, String pattern) {
- return new RequiredPeerCredential(field, createPattern(field, pattern));
- }
-
- private static Pattern createPattern(Field field, String pattern) {
- switch (field) {
- case CN:
- case SAN_DNS:
- return new HostGlobPattern(pattern);
- case SAN_URI:
- return new UriGlobPattern(pattern);
- default:
- throw new IllegalArgumentException("Unknown field: " + field);
- }
- }
-
- public Field field() {
- return field;
- }
-
- public Pattern pattern() {
- return pattern;
- }
-
- @Override
- public String toString() {
- return "RequiredPeerCredential{" +
- "field=" + field +
- ", pattern=" + pattern +
- '}';
- }
-
- @Override
- public boolean equals(Object o) {
- if (this == o) return true;
- if (o == null || getClass() != o.getClass()) return false;
- RequiredPeerCredential that = (RequiredPeerCredential) o;
- return field == that.field &&
- Objects.equals(pattern, that.pattern);
- }
-
- @Override
- public int hashCode() {
- return Objects.hash(field, pattern);
- }
-
- public interface Pattern {
- String asString();
- boolean matches(String fieldValue);
- }
-}
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/policy/UriGlobPattern.java b/security-utils/src/main/java/com/yahoo/security/tls/policy/UriGlobPattern.java
deleted file mode 100644
index b2cc0688bb9..00000000000
--- a/security-utils/src/main/java/com/yahoo/security/tls/policy/UriGlobPattern.java
+++ /dev/null
@@ -1,42 +0,0 @@
-// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.security.tls.policy;
-
-import java.util.Objects;
-
-/**
- * Pattern used for matching URIs in X.509 certificate subject alternative names.
- *
- * @author bjorncs
- */
-class UriGlobPattern implements RequiredPeerCredential.Pattern {
-
- private final GlobPattern globPattern;
-
- UriGlobPattern(String globPattern) {
- this.globPattern = new GlobPattern(globPattern, new char[] {'/'}, false);
- }
-
- @Override public String asString() { return globPattern.asString(); }
-
- @Override public boolean matches(String fieldValue) { return globPattern.matches(fieldValue); }
-
- @Override
- public String toString() {
- return "UriPattern{" +
- "pattern='" + globPattern + '\'' +
- '}';
- }
-
- @Override
- public boolean equals(Object o) {
- if (this == o) return true;
- if (o == null || getClass() != o.getClass()) return false;
- UriGlobPattern that = (UriGlobPattern) o;
- return Objects.equals(globPattern, that.globPattern);
- }
-
- @Override
- public int hashCode() {
- return Objects.hash(globPattern);
- }
-}
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/policy/package-info.java b/security-utils/src/main/java/com/yahoo/security/tls/policy/package-info.java
deleted file mode 100644
index 61ce90654f8..00000000000
--- a/security-utils/src/main/java/com/yahoo/security/tls/policy/package-info.java
+++ /dev/null
@@ -1,8 +0,0 @@
-// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-/**
- * @author bjorncs
- */
-@ExportPackage
-package com.yahoo.security.tls.policy;
-
-import com.yahoo.osgi.annotation.ExportPackage;
\ No newline at end of file |