diff options
Diffstat (limited to 'security-utils/src/main/java/com/yahoo/security/tls')
6 files changed, 9 insertions, 86 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/authz/AuthorizationResult.java b/security-utils/src/main/java/com/yahoo/security/tls/authz/AuthorizationResult.java index 963bb469d6e..6fa97e30d63 100644 --- a/security-utils/src/main/java/com/yahoo/security/tls/authz/AuthorizationResult.java +++ b/security-utils/src/main/java/com/yahoo/security/tls/authz/AuthorizationResult.java @@ -1,8 +1,6 @@ // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. package com.yahoo.security.tls.authz; -import com.yahoo.security.tls.policy.Role; - import java.util.Collections; import java.util.Objects; import java.util.Set; @@ -11,18 +9,12 @@ import java.util.Set; * @author bjorncs */ public class AuthorizationResult { - private final Set<Role> assumedRoles; private final Set<String> matchedPolicies; - public AuthorizationResult(Set<Role> assumedRoles, Set<String> matchedPolicies) { - this.assumedRoles = Collections.unmodifiableSet(assumedRoles); + public AuthorizationResult(Set<String> matchedPolicies) { this.matchedPolicies = Collections.unmodifiableSet(matchedPolicies); } - public Set<Role> assumedRoles() { - return assumedRoles; - } - public Set<String> matchedPolicies() { return matchedPolicies; } @@ -34,7 +26,6 @@ public class AuthorizationResult { @Override public String toString() { return "AuthorizationResult{" + - "assumedRoles=" + assumedRoles + ", matchedPolicies=" + matchedPolicies + '}'; } @@ -44,12 +35,11 @@ public class AuthorizationResult { if (this == o) return true; if (o == null || getClass() != o.getClass()) return false; AuthorizationResult that = (AuthorizationResult) o; - return Objects.equals(assumedRoles, that.assumedRoles) && - Objects.equals(matchedPolicies, that.matchedPolicies); + return Objects.equals(matchedPolicies, that.matchedPolicies); } @Override public int hashCode() { - return Objects.hash(assumedRoles, matchedPolicies); + return Objects.hash(matchedPolicies); } } diff --git a/security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizer.java b/security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizer.java index 40f3817c5f9..8c4e87c1de2 100644 --- a/security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizer.java +++ b/security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizer.java @@ -6,7 +6,6 @@ import com.yahoo.security.X509CertificateUtils; import com.yahoo.security.tls.policy.AuthorizedPeers; import com.yahoo.security.tls.policy.PeerPolicy; import com.yahoo.security.tls.policy.RequiredPeerCredential; -import com.yahoo.security.tls.policy.Role; import java.security.cert.X509Certificate; import java.util.HashSet; @@ -36,18 +35,16 @@ public class PeerAuthorizer { } public AuthorizationResult authorizePeer(X509Certificate peerCertificate) { - Set<Role> assumedRoles = new HashSet<>(); Set<String> matchedPolicies = new HashSet<>(); String cn = getCommonName(peerCertificate).orElse(null); List<String> sans = getSubjectAlternativeNames(peerCertificate); log.fine(() -> String.format("Subject info from x509 certificate: CN=[%s], 'SAN=%s", cn, sans)); for (PeerPolicy peerPolicy : authorizedPeers.peerPolicies()) { if (matchesPolicy(peerPolicy, cn, sans)) { - assumedRoles.addAll(peerPolicy.assumedRoles()); matchedPolicies.add(peerPolicy.policyName()); } } - return new AuthorizationResult(assumedRoles, matchedPolicies); + return new AuthorizationResult(matchedPolicies); } private static boolean matchesPolicy(PeerPolicy peerPolicy, String cn, List<String> sans) { diff --git a/security-utils/src/main/java/com/yahoo/security/tls/json/TransportSecurityOptionsEntity.java b/security-utils/src/main/java/com/yahoo/security/tls/json/TransportSecurityOptionsEntity.java index 12ac75aae80..02c6fe2ab99 100644 --- a/security-utils/src/main/java/com/yahoo/security/tls/json/TransportSecurityOptionsEntity.java +++ b/security-utils/src/main/java/com/yahoo/security/tls/json/TransportSecurityOptionsEntity.java @@ -36,7 +36,6 @@ class TransportSecurityOptionsEntity { @JsonProperty("required-credentials") List<RequiredCredential> requiredCredentials; @JsonProperty("name") String name; @JsonProperty("description") @JsonInclude(NON_NULL) String description; - @JsonProperty("roles") @JsonInclude(NON_EMPTY) List<String> roles; } @JsonIgnoreProperties(ignoreUnknown = true) diff --git a/security-utils/src/main/java/com/yahoo/security/tls/json/TransportSecurityOptionsJsonSerializer.java b/security-utils/src/main/java/com/yahoo/security/tls/json/TransportSecurityOptionsJsonSerializer.java index 516a0c83d37..5deebf48d1b 100644 --- a/security-utils/src/main/java/com/yahoo/security/tls/json/TransportSecurityOptionsJsonSerializer.java +++ b/security-utils/src/main/java/com/yahoo/security/tls/json/TransportSecurityOptionsJsonSerializer.java @@ -10,7 +10,6 @@ import com.yahoo.security.tls.json.TransportSecurityOptionsEntity.RequiredCreden import com.yahoo.security.tls.policy.AuthorizedPeers; import com.yahoo.security.tls.policy.PeerPolicy; import com.yahoo.security.tls.policy.RequiredPeerCredential; -import com.yahoo.security.tls.policy.Role; import java.io.IOException; import java.io.InputStream; @@ -18,7 +17,6 @@ import java.io.OutputStream; import java.io.UncheckedIOException; import java.nio.file.Paths; import java.util.ArrayList; -import java.util.Collections; import java.util.Comparator; import java.util.List; import java.util.Set; @@ -101,14 +99,7 @@ public class TransportSecurityOptionsJsonSerializer { if (authorizedPeer.requiredCredentials == null) { throw missingFieldException("required-credentials"); } - return new PeerPolicy(authorizedPeer.name, authorizedPeer.description, toRoles(authorizedPeer.roles), toRequestPeerCredentials(authorizedPeer.requiredCredentials)); - } - - private static Set<Role> toRoles(List<String> roles) { - if (roles == null) return Collections.emptySet(); - return roles.stream() - .map(Role::new) - .collect(toSet()); + return new PeerPolicy(authorizedPeer.name, authorizedPeer.description, toRequestPeerCredentials(authorizedPeer.requiredCredentials)); } private static List<RequiredPeerCredential> toRequestPeerCredentials(List<RequiredCredential> requiredCredentials) { @@ -157,11 +148,6 @@ public class TransportSecurityOptionsJsonSerializer { requiredCredential.matchExpression = requiredPeerCredential.pattern().asString(); authorizedPeer.requiredCredentials.add(requiredCredential); } - if (!peerPolicy.assumedRoles().isEmpty()) { - authorizedPeer.roles = new ArrayList<>(); - peerPolicy.assumedRoles().forEach(role -> authorizedPeer.roles.add(role.name())); - } - return authorizedPeer; }) .collect(toList())); diff --git a/security-utils/src/main/java/com/yahoo/security/tls/policy/PeerPolicy.java b/security-utils/src/main/java/com/yahoo/security/tls/policy/PeerPolicy.java index 4783889ec62..ff518622f53 100644 --- a/security-utils/src/main/java/com/yahoo/security/tls/policy/PeerPolicy.java +++ b/security-utils/src/main/java/com/yahoo/security/tls/policy/PeerPolicy.java @@ -5,7 +5,6 @@ import java.util.Collections; import java.util.List; import java.util.Objects; import java.util.Optional; -import java.util.Set; /** * @author bjorncs @@ -14,18 +13,16 @@ public class PeerPolicy { private final String policyName; private final String description; - private final Set<Role> assumedRoles; private final List<RequiredPeerCredential> requiredCredentials; - public PeerPolicy(String policyName, Set<Role> assumedRoles, List<RequiredPeerCredential> requiredCredentials) { - this(policyName, null, assumedRoles, requiredCredentials); + public PeerPolicy(String policyName, List<RequiredPeerCredential> requiredCredentials) { + this(policyName, null, requiredCredentials); } public PeerPolicy( - String policyName, String description, Set<Role> assumedRoles, List<RequiredPeerCredential> requiredCredentials) { + String policyName, String description, List<RequiredPeerCredential> requiredCredentials) { this.policyName = policyName; this.description = description; - this.assumedRoles = assumedRoles; this.requiredCredentials = Collections.unmodifiableList(requiredCredentials); } @@ -35,10 +32,6 @@ public class PeerPolicy { public Optional<String> description() { return Optional.ofNullable(description); } - public Set<Role> assumedRoles() { - return assumedRoles; - } - public List<RequiredPeerCredential> requiredCredentials() { return requiredCredentials; } @@ -48,7 +41,6 @@ public class PeerPolicy { return "PeerPolicy{" + "policyName='" + policyName + '\'' + ", description='" + description + '\'' + - ", assumedRoles=" + assumedRoles + ", requiredCredentials=" + requiredCredentials + '}'; } @@ -60,12 +52,11 @@ public class PeerPolicy { PeerPolicy that = (PeerPolicy) o; return Objects.equals(policyName, that.policyName) && Objects.equals(description, that.description) && - Objects.equals(assumedRoles, that.assumedRoles) && Objects.equals(requiredCredentials, that.requiredCredentials); } @Override public int hashCode() { - return Objects.hash(policyName, description, assumedRoles, requiredCredentials); + return Objects.hash(policyName, description, requiredCredentials); } } diff --git a/security-utils/src/main/java/com/yahoo/security/tls/policy/Role.java b/security-utils/src/main/java/com/yahoo/security/tls/policy/Role.java deleted file mode 100644 index b35bf328847..00000000000 --- a/security-utils/src/main/java/com/yahoo/security/tls/policy/Role.java +++ /dev/null @@ -1,40 +0,0 @@ -// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.security.tls.policy; - -import java.util.Objects; - -/** - * @author bjorncs - */ -public class Role { - - private final String name; - - public Role(String name) { - this.name = name; - } - - public String name() { - return name; - } - - @Override - public String toString() { - return "Role{" + - "name='" + name + '\'' + - '}'; - } - - @Override - public boolean equals(Object o) { - if (this == o) return true; - if (o == null || getClass() != o.getClass()) return false; - Role role = (Role) o; - return Objects.equals(name, role.name); - } - - @Override - public int hashCode() { - return Objects.hash(name); - } -} |