aboutsummaryrefslogtreecommitdiffstats
path: root/security-utils/src/main/java/com/yahoo/security/tls
diff options
context:
space:
mode:
Diffstat (limited to 'security-utils/src/main/java/com/yahoo/security/tls')
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/authz/AuthorizationResult.java16
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizer.java5
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/json/TransportSecurityOptionsEntity.java1
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/json/TransportSecurityOptionsJsonSerializer.java16
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/policy/PeerPolicy.java17
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/policy/Role.java40
6 files changed, 9 insertions, 86 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/authz/AuthorizationResult.java b/security-utils/src/main/java/com/yahoo/security/tls/authz/AuthorizationResult.java
index 963bb469d6e..6fa97e30d63 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/authz/AuthorizationResult.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/authz/AuthorizationResult.java
@@ -1,8 +1,6 @@
// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.security.tls.authz;
-import com.yahoo.security.tls.policy.Role;
-
import java.util.Collections;
import java.util.Objects;
import java.util.Set;
@@ -11,18 +9,12 @@ import java.util.Set;
* @author bjorncs
*/
public class AuthorizationResult {
- private final Set<Role> assumedRoles;
private final Set<String> matchedPolicies;
- public AuthorizationResult(Set<Role> assumedRoles, Set<String> matchedPolicies) {
- this.assumedRoles = Collections.unmodifiableSet(assumedRoles);
+ public AuthorizationResult(Set<String> matchedPolicies) {
this.matchedPolicies = Collections.unmodifiableSet(matchedPolicies);
}
- public Set<Role> assumedRoles() {
- return assumedRoles;
- }
-
public Set<String> matchedPolicies() {
return matchedPolicies;
}
@@ -34,7 +26,6 @@ public class AuthorizationResult {
@Override
public String toString() {
return "AuthorizationResult{" +
- "assumedRoles=" + assumedRoles +
", matchedPolicies=" + matchedPolicies +
'}';
}
@@ -44,12 +35,11 @@ public class AuthorizationResult {
if (this == o) return true;
if (o == null || getClass() != o.getClass()) return false;
AuthorizationResult that = (AuthorizationResult) o;
- return Objects.equals(assumedRoles, that.assumedRoles) &&
- Objects.equals(matchedPolicies, that.matchedPolicies);
+ return Objects.equals(matchedPolicies, that.matchedPolicies);
}
@Override
public int hashCode() {
- return Objects.hash(assumedRoles, matchedPolicies);
+ return Objects.hash(matchedPolicies);
}
}
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizer.java b/security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizer.java
index 40f3817c5f9..8c4e87c1de2 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizer.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizer.java
@@ -6,7 +6,6 @@ import com.yahoo.security.X509CertificateUtils;
import com.yahoo.security.tls.policy.AuthorizedPeers;
import com.yahoo.security.tls.policy.PeerPolicy;
import com.yahoo.security.tls.policy.RequiredPeerCredential;
-import com.yahoo.security.tls.policy.Role;
import java.security.cert.X509Certificate;
import java.util.HashSet;
@@ -36,18 +35,16 @@ public class PeerAuthorizer {
}
public AuthorizationResult authorizePeer(X509Certificate peerCertificate) {
- Set<Role> assumedRoles = new HashSet<>();
Set<String> matchedPolicies = new HashSet<>();
String cn = getCommonName(peerCertificate).orElse(null);
List<String> sans = getSubjectAlternativeNames(peerCertificate);
log.fine(() -> String.format("Subject info from x509 certificate: CN=[%s], 'SAN=%s", cn, sans));
for (PeerPolicy peerPolicy : authorizedPeers.peerPolicies()) {
if (matchesPolicy(peerPolicy, cn, sans)) {
- assumedRoles.addAll(peerPolicy.assumedRoles());
matchedPolicies.add(peerPolicy.policyName());
}
}
- return new AuthorizationResult(assumedRoles, matchedPolicies);
+ return new AuthorizationResult(matchedPolicies);
}
private static boolean matchesPolicy(PeerPolicy peerPolicy, String cn, List<String> sans) {
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/json/TransportSecurityOptionsEntity.java b/security-utils/src/main/java/com/yahoo/security/tls/json/TransportSecurityOptionsEntity.java
index 12ac75aae80..02c6fe2ab99 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/json/TransportSecurityOptionsEntity.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/json/TransportSecurityOptionsEntity.java
@@ -36,7 +36,6 @@ class TransportSecurityOptionsEntity {
@JsonProperty("required-credentials") List<RequiredCredential> requiredCredentials;
@JsonProperty("name") String name;
@JsonProperty("description") @JsonInclude(NON_NULL) String description;
- @JsonProperty("roles") @JsonInclude(NON_EMPTY) List<String> roles;
}
@JsonIgnoreProperties(ignoreUnknown = true)
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/json/TransportSecurityOptionsJsonSerializer.java b/security-utils/src/main/java/com/yahoo/security/tls/json/TransportSecurityOptionsJsonSerializer.java
index 516a0c83d37..5deebf48d1b 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/json/TransportSecurityOptionsJsonSerializer.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/json/TransportSecurityOptionsJsonSerializer.java
@@ -10,7 +10,6 @@ import com.yahoo.security.tls.json.TransportSecurityOptionsEntity.RequiredCreden
import com.yahoo.security.tls.policy.AuthorizedPeers;
import com.yahoo.security.tls.policy.PeerPolicy;
import com.yahoo.security.tls.policy.RequiredPeerCredential;
-import com.yahoo.security.tls.policy.Role;
import java.io.IOException;
import java.io.InputStream;
@@ -18,7 +17,6 @@ import java.io.OutputStream;
import java.io.UncheckedIOException;
import java.nio.file.Paths;
import java.util.ArrayList;
-import java.util.Collections;
import java.util.Comparator;
import java.util.List;
import java.util.Set;
@@ -101,14 +99,7 @@ public class TransportSecurityOptionsJsonSerializer {
if (authorizedPeer.requiredCredentials == null) {
throw missingFieldException("required-credentials");
}
- return new PeerPolicy(authorizedPeer.name, authorizedPeer.description, toRoles(authorizedPeer.roles), toRequestPeerCredentials(authorizedPeer.requiredCredentials));
- }
-
- private static Set<Role> toRoles(List<String> roles) {
- if (roles == null) return Collections.emptySet();
- return roles.stream()
- .map(Role::new)
- .collect(toSet());
+ return new PeerPolicy(authorizedPeer.name, authorizedPeer.description, toRequestPeerCredentials(authorizedPeer.requiredCredentials));
}
private static List<RequiredPeerCredential> toRequestPeerCredentials(List<RequiredCredential> requiredCredentials) {
@@ -157,11 +148,6 @@ public class TransportSecurityOptionsJsonSerializer {
requiredCredential.matchExpression = requiredPeerCredential.pattern().asString();
authorizedPeer.requiredCredentials.add(requiredCredential);
}
- if (!peerPolicy.assumedRoles().isEmpty()) {
- authorizedPeer.roles = new ArrayList<>();
- peerPolicy.assumedRoles().forEach(role -> authorizedPeer.roles.add(role.name()));
- }
-
return authorizedPeer;
})
.collect(toList()));
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/policy/PeerPolicy.java b/security-utils/src/main/java/com/yahoo/security/tls/policy/PeerPolicy.java
index 4783889ec62..ff518622f53 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/policy/PeerPolicy.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/policy/PeerPolicy.java
@@ -5,7 +5,6 @@ import java.util.Collections;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
-import java.util.Set;
/**
* @author bjorncs
@@ -14,18 +13,16 @@ public class PeerPolicy {
private final String policyName;
private final String description;
- private final Set<Role> assumedRoles;
private final List<RequiredPeerCredential> requiredCredentials;
- public PeerPolicy(String policyName, Set<Role> assumedRoles, List<RequiredPeerCredential> requiredCredentials) {
- this(policyName, null, assumedRoles, requiredCredentials);
+ public PeerPolicy(String policyName, List<RequiredPeerCredential> requiredCredentials) {
+ this(policyName, null, requiredCredentials);
}
public PeerPolicy(
- String policyName, String description, Set<Role> assumedRoles, List<RequiredPeerCredential> requiredCredentials) {
+ String policyName, String description, List<RequiredPeerCredential> requiredCredentials) {
this.policyName = policyName;
this.description = description;
- this.assumedRoles = assumedRoles;
this.requiredCredentials = Collections.unmodifiableList(requiredCredentials);
}
@@ -35,10 +32,6 @@ public class PeerPolicy {
public Optional<String> description() { return Optional.ofNullable(description); }
- public Set<Role> assumedRoles() {
- return assumedRoles;
- }
-
public List<RequiredPeerCredential> requiredCredentials() {
return requiredCredentials;
}
@@ -48,7 +41,6 @@ public class PeerPolicy {
return "PeerPolicy{" +
"policyName='" + policyName + '\'' +
", description='" + description + '\'' +
- ", assumedRoles=" + assumedRoles +
", requiredCredentials=" + requiredCredentials +
'}';
}
@@ -60,12 +52,11 @@ public class PeerPolicy {
PeerPolicy that = (PeerPolicy) o;
return Objects.equals(policyName, that.policyName) &&
Objects.equals(description, that.description) &&
- Objects.equals(assumedRoles, that.assumedRoles) &&
Objects.equals(requiredCredentials, that.requiredCredentials);
}
@Override
public int hashCode() {
- return Objects.hash(policyName, description, assumedRoles, requiredCredentials);
+ return Objects.hash(policyName, description, requiredCredentials);
}
}
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/policy/Role.java b/security-utils/src/main/java/com/yahoo/security/tls/policy/Role.java
deleted file mode 100644
index b35bf328847..00000000000
--- a/security-utils/src/main/java/com/yahoo/security/tls/policy/Role.java
+++ /dev/null
@@ -1,40 +0,0 @@
-// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.security.tls.policy;
-
-import java.util.Objects;
-
-/**
- * @author bjorncs
- */
-public class Role {
-
- private final String name;
-
- public Role(String name) {
- this.name = name;
- }
-
- public String name() {
- return name;
- }
-
- @Override
- public String toString() {
- return "Role{" +
- "name='" + name + '\'' +
- '}';
- }
-
- @Override
- public boolean equals(Object o) {
- if (this == o) return true;
- if (o == null || getClass() != o.getClass()) return false;
- Role role = (Role) o;
- return Objects.equals(name, role.name);
- }
-
- @Override
- public int hashCode() {
- return Objects.hash(name);
- }
-}