diff options
Diffstat (limited to 'security-utils/src/main/java/com/yahoo/security')
39 files changed, 543 insertions, 422 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/AutoReloadingX509KeyManager.java b/security-utils/src/main/java/com/yahoo/security/AutoReloadingX509KeyManager.java index 259d4b50d3f..243343240cb 100644 --- a/security-utils/src/main/java/com/yahoo/security/tls/AutoReloadingX509KeyManager.java +++ b/security-utils/src/main/java/com/yahoo/security/AutoReloadingX509KeyManager.java @@ -1,11 +1,5 @@ // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.security.tls; - -import com.yahoo.security.KeyStoreBuilder; -import com.yahoo.security.KeyStoreType; -import com.yahoo.security.KeyUtils; -import com.yahoo.security.X509CertificateUtils; -import com.yahoo.security.X509CertificateWithKey; +package com.yahoo.security; import javax.net.ssl.SSLEngine; import javax.net.ssl.X509ExtendedKeyManager; diff --git a/security-utils/src/main/java/com/yahoo/security/tls/KeyManagerUtils.java b/security-utils/src/main/java/com/yahoo/security/KeyManagerUtils.java index c9216d7273c..5611ef5162b 100644 --- a/security-utils/src/main/java/com/yahoo/security/tls/KeyManagerUtils.java +++ b/security-utils/src/main/java/com/yahoo/security/KeyManagerUtils.java @@ -1,8 +1,5 @@ // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.security.tls; - -import com.yahoo.security.KeyStoreBuilder; -import com.yahoo.security.KeyStoreType; +package com.yahoo.security; import javax.net.ssl.KeyManager; import javax.net.ssl.KeyManagerFactory; diff --git a/security-utils/src/main/java/com/yahoo/security/tls/MutableX509KeyManager.java b/security-utils/src/main/java/com/yahoo/security/MutableX509KeyManager.java index 6d784efc3e8..3ba6c8f2723 100644 --- a/security-utils/src/main/java/com/yahoo/security/tls/MutableX509KeyManager.java +++ b/security-utils/src/main/java/com/yahoo/security/MutableX509KeyManager.java @@ -1,5 +1,5 @@ // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.security.tls; +package com.yahoo.security; import javax.net.ssl.SSLEngine; import javax.net.ssl.X509ExtendedKeyManager; diff --git a/security-utils/src/main/java/com/yahoo/security/tls/MutableX509TrustManager.java b/security-utils/src/main/java/com/yahoo/security/MutableX509TrustManager.java index 6db43ef94a9..afbd0a6fa86 100644 --- a/security-utils/src/main/java/com/yahoo/security/tls/MutableX509TrustManager.java +++ b/security-utils/src/main/java/com/yahoo/security/MutableX509TrustManager.java @@ -1,5 +1,5 @@ // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.security.tls; +package com.yahoo.security; import javax.net.ssl.SSLEngine; import javax.net.ssl.X509ExtendedTrustManager; diff --git a/security-utils/src/main/java/com/yahoo/security/Pkcs10CsrBuilder.java b/security-utils/src/main/java/com/yahoo/security/Pkcs10CsrBuilder.java index 9b999e056e0..d7353711a2a 100644 --- a/security-utils/src/main/java/com/yahoo/security/Pkcs10CsrBuilder.java +++ b/security-utils/src/main/java/com/yahoo/security/Pkcs10CsrBuilder.java @@ -21,7 +21,7 @@ import java.security.KeyPair; import java.util.ArrayList; import java.util.List; -import static com.yahoo.security.SubjectAlternativeName.Type.DNS_NAME; +import static com.yahoo.security.SubjectAlternativeName.Type.DNS; /** * @author bjorncs @@ -49,7 +49,7 @@ public class Pkcs10CsrBuilder { } public Pkcs10CsrBuilder addSubjectAlternativeName(String dns) { - this.subjectAlternativeNames.add(new SubjectAlternativeName(DNS_NAME, dns)); + this.subjectAlternativeNames.add(new SubjectAlternativeName(DNS, dns)); return this; } diff --git a/security-utils/src/main/java/com/yahoo/security/SslContextBuilder.java b/security-utils/src/main/java/com/yahoo/security/SslContextBuilder.java index 5c16e4ed70d..d91c47e5eed 100644 --- a/security-utils/src/main/java/com/yahoo/security/SslContextBuilder.java +++ b/security-utils/src/main/java/com/yahoo/security/SslContextBuilder.java @@ -1,10 +1,6 @@ // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. package com.yahoo.security; -import com.yahoo.security.tls.KeyManagerUtils; -import com.yahoo.security.tls.TlsContext; -import com.yahoo.security.tls.TrustManagerUtils; - import javax.net.ssl.KeyManager; import javax.net.ssl.SSLContext; import javax.net.ssl.TrustManager; @@ -133,7 +129,7 @@ public class SslContextBuilder { public SSLContext build() { try { - SSLContext sslContext = SSLContext.getInstance(TlsContext.SSL_CONTEXT_VERSION); + SSLContext sslContext = SSLContext.getInstance("TLS"); X509ExtendedTrustManager trustManager = this.trustManager != null ? this.trustManager : trustManagerFactory.createTrustManager(trustStoreSupplier.get()); diff --git a/security-utils/src/main/java/com/yahoo/security/SubjectAlternativeName.java b/security-utils/src/main/java/com/yahoo/security/SubjectAlternativeName.java index 92dd41f7f88..c01de58987c 100644 --- a/security-utils/src/main/java/com/yahoo/security/SubjectAlternativeName.java +++ b/security-utils/src/main/java/com/yahoo/security/SubjectAlternativeName.java @@ -99,15 +99,15 @@ public class SubjectAlternativeName { } public enum Type { - OTHER_NAME(0), - RFC822_NAME(1), - DNS_NAME(2), - X400_ADDRESS(3), - DIRECTORY_NAME(4), - EDI_PARITY_NAME(5), - UNIFORM_RESOURCE_IDENTIFIER(6), - IP_ADDRESS(7), - REGISTERED_ID(8); + OTHER(0), + EMAIL(1), + DNS(2), + X400(3), + DIRECTORY(4), + EDI_PARITY(5), + URI(6), + IP(7), + REGISTERED(8); final int tag; diff --git a/security-utils/src/main/java/com/yahoo/security/tls/TrustAllX509TrustManager.java b/security-utils/src/main/java/com/yahoo/security/TrustAllX509TrustManager.java index b0303620cf7..89a737b1ef7 100644 --- a/security-utils/src/main/java/com/yahoo/security/tls/TrustAllX509TrustManager.java +++ b/security-utils/src/main/java/com/yahoo/security/TrustAllX509TrustManager.java @@ -1,5 +1,5 @@ // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.security.tls; +package com.yahoo.security; import javax.net.ssl.SSLEngine; import javax.net.ssl.X509ExtendedTrustManager; diff --git a/security-utils/src/main/java/com/yahoo/security/tls/TrustManagerUtils.java b/security-utils/src/main/java/com/yahoo/security/TrustManagerUtils.java index 4172e337789..bb852ee89a3 100644 --- a/security-utils/src/main/java/com/yahoo/security/tls/TrustManagerUtils.java +++ b/security-utils/src/main/java/com/yahoo/security/TrustManagerUtils.java @@ -1,5 +1,5 @@ // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.security.tls; +package com.yahoo.security; import com.yahoo.security.KeyStoreBuilder; import com.yahoo.security.KeyStoreType; diff --git a/security-utils/src/main/java/com/yahoo/security/X509CertificateBuilder.java b/security-utils/src/main/java/com/yahoo/security/X509CertificateBuilder.java index 6ec10a2f803..f59d34ebb10 100644 --- a/security-utils/src/main/java/com/yahoo/security/X509CertificateBuilder.java +++ b/security-utils/src/main/java/com/yahoo/security/X509CertificateBuilder.java @@ -28,7 +28,7 @@ import java.util.ArrayList; import java.util.Date; import java.util.List; -import static com.yahoo.security.SubjectAlternativeName.Type.DNS_NAME; +import static com.yahoo.security.SubjectAlternativeName.Type.DNS; /** @@ -116,7 +116,7 @@ public class X509CertificateBuilder { } public X509CertificateBuilder addSubjectAlternativeName(String dnsName) { - this.subjectAlternativeNames.add(new SubjectAlternativeName(DNS_NAME, dnsName)); + this.subjectAlternativeNames.add(new SubjectAlternativeName(DNS, dnsName)); return this; } diff --git a/security-utils/src/main/java/com/yahoo/security/X509CertificateUtils.java b/security-utils/src/main/java/com/yahoo/security/X509CertificateUtils.java index f9f23ee1eb2..feb3b4df3e0 100644 --- a/security-utils/src/main/java/com/yahoo/security/X509CertificateUtils.java +++ b/security-utils/src/main/java/com/yahoo/security/X509CertificateUtils.java @@ -32,10 +32,10 @@ import java.security.cert.CertificateException; import java.security.cert.X509Certificate; import java.time.Duration; import java.time.Instant; -import java.time.temporal.ChronoUnit; import java.util.ArrayList; import java.util.Collections; import java.util.List; +import java.util.Optional; import java.util.Random; import static com.yahoo.security.Extension.SUBJECT_ALTERNATIVE_NAMES; @@ -115,6 +115,12 @@ public class X509CertificateUtils { return getCommonNames(certificate.getSubjectX500Principal()); } + public static Optional<String> getSubjectCommonName(X509Certificate c) { + List<String> names = getSubjectCommonNames(c); + if (names.isEmpty()) return Optional.empty(); + return Optional.of(names.get(names.size() - 1)); + } + public static List<String> getIssuerCommonNames(X509Certificate certificate) { return getCommonNames(certificate.getIssuerX500Principal()); } diff --git a/security-utils/src/main/java/com/yahoo/security/tls/AuthorizedPeers.java b/security-utils/src/main/java/com/yahoo/security/tls/AuthorizedPeers.java new file mode 100644 index 00000000000..9631ab32334 --- /dev/null +++ b/security-utils/src/main/java/com/yahoo/security/tls/AuthorizedPeers.java @@ -0,0 +1,32 @@ +// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. +package com.yahoo.security.tls; + +import java.util.Set; + +/** + * @author bjorncs + */ +public record AuthorizedPeers(Set<PeerPolicy> peerPolicies) { + + private static final AuthorizedPeers EMPTY = new AuthorizedPeers(Set.of()); + + public AuthorizedPeers { + peerPolicies = verifyPeerPolicies(peerPolicies); + } + + public static AuthorizedPeers empty() { return EMPTY; } + + private static Set<PeerPolicy> verifyPeerPolicies(Set<PeerPolicy> peerPolicies) { + long distinctNames = peerPolicies.stream() + .map(PeerPolicy::policyName) + .distinct() + .count(); + if (distinctNames != peerPolicies.size()) { + throw new IllegalArgumentException("'authorized-peers' contains entries with duplicate names"); + } + return Set.copyOf(peerPolicies); + } + + public boolean isEmpty() { return peerPolicies.isEmpty(); } + +} diff --git a/security-utils/src/main/java/com/yahoo/security/tls/Capability.java b/security-utils/src/main/java/com/yahoo/security/tls/Capability.java new file mode 100644 index 00000000000..0ae253985a6 --- /dev/null +++ b/security-utils/src/main/java/com/yahoo/security/tls/Capability.java @@ -0,0 +1,32 @@ +// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. +package com.yahoo.security.tls; + +import java.util.Arrays; + +/** + * @author bjorncs + */ +public enum Capability { + CONTENT__CLUSTER_CONTROLLER__INTERNAL_STATE_API("vespa.content.cluster_controller.internal_state_api"), + CONTENT__DOCUMENT_API("vespa.content.document_api"), + CONTENT__METRICS_API("vespa.content.metrics_api"), + CONTENT__SEARCH_API("vespa.content.search_api"), + CONTENT__STATUS_PAGES("vespa.content.status_pages"), + CONTENT__STORAGE_API("vespa.content.storage_api"), + SLOBROK__API("vespa.slobrok.api"), + ; + + private final String name; + + Capability(String name) { this.name = name; } + + public String asString() { return name; } + + public static Capability fromName(String name) { + return Arrays.stream(values()) + .filter(c -> c.name.equals(name)) + .findAny().orElseThrow(() -> + new IllegalArgumentException("Cannot find predefined capability set with name '" + name + "'")); + } + +} diff --git a/security-utils/src/main/java/com/yahoo/security/tls/CapabilityMode.java b/security-utils/src/main/java/com/yahoo/security/tls/CapabilityMode.java new file mode 100644 index 00000000000..c2fa11ce7f7 --- /dev/null +++ b/security-utils/src/main/java/com/yahoo/security/tls/CapabilityMode.java @@ -0,0 +1,26 @@ +// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. +package com.yahoo.security.tls; + +import java.util.Arrays; + +/** + * @author bjorncs + */ +public enum CapabilityMode { + DISABLE("disable"), LOG_ONLY("log_only"), ENFORCE("enforce"); + + private final String configValue; + + CapabilityMode(String configValue) { this.configValue = configValue; } + + public String configValue() { return configValue; } + + /** @return Default value when mode is not explicitly specified */ + public static CapabilityMode defaultValue() { return DISABLE; } + + public static CapabilityMode fromConfigValue(String configValue) { + return Arrays.stream(values()) + .filter(c -> c.configValue.equals(configValue)) + .findFirst().orElseThrow(() -> new IllegalArgumentException("Unknown value: " + configValue)); + } +} diff --git a/security-utils/src/main/java/com/yahoo/security/tls/CapabilitySet.java b/security-utils/src/main/java/com/yahoo/security/tls/CapabilitySet.java new file mode 100644 index 00000000000..7e6c7f394cd --- /dev/null +++ b/security-utils/src/main/java/com/yahoo/security/tls/CapabilitySet.java @@ -0,0 +1,106 @@ +// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. +package com.yahoo.security.tls; + +import java.util.Arrays; +import java.util.Collection; +import java.util.Collections; +import java.util.EnumSet; +import java.util.List; +import java.util.Objects; +import java.util.Optional; +import java.util.Set; +import java.util.SortedSet; +import java.util.TreeSet; +import java.util.stream.Collectors; + +/** + * @author bjorncs + */ +public class CapabilitySet { + public enum Predefined { + CONTENT_NODE("vespa.content_node", + Capability.CONTENT__STORAGE_API, Capability.CONTENT__DOCUMENT_API, Capability.SLOBROK__API), + CONTAINER_NODE("vespa.container_node", + Capability.CONTENT__DOCUMENT_API, Capability.CONTENT__SEARCH_API, Capability.SLOBROK__API), + TELEMETRY("vespa.telemetry", + Capability.CONTENT__STATUS_PAGES, Capability.CONTENT__METRICS_API), + CLUSTER_CONTROLLER_NODE("vespa.cluster_controller_node", + Capability.CONTENT__CLUSTER_CONTROLLER__INTERNAL_STATE_API, Capability.SLOBROK__API), + CONFIG_SERVER("vespa.config_server"), + ; + + private final String name; + private final CapabilitySet set; + + Predefined(String name, Capability... caps) { + this.name = name; + this.set = caps.length == 0 ? CapabilitySet.none() : CapabilitySet.from(caps); } + + public static Optional<Predefined> fromName(String name) { + return Arrays.stream(values()).filter(p -> p.name.equals(name)).findAny(); + } + + public CapabilitySet capabilities() { return set; } + } + + private static final CapabilitySet ALL_CAPABILITIES = new CapabilitySet(EnumSet.allOf(Capability.class)); + private static final CapabilitySet NO_CAPABILITIES = new CapabilitySet(EnumSet.noneOf(Capability.class)); + + private final EnumSet<Capability> caps; + + private CapabilitySet(EnumSet<Capability> caps) { this.caps = caps; } + + public static CapabilitySet fromNames(Collection<String> names) { + EnumSet<Capability> caps = EnumSet.noneOf(Capability.class); + for (String name : names) { + Predefined predefined = Predefined.fromName(name).orElse(null); + if (predefined != null) caps.addAll(predefined.set.caps); + else caps.add(Capability.fromName(name)); + } + return new CapabilitySet(caps); + } + + public static CapabilitySet unionOf(Collection<CapabilitySet> capSets) { + EnumSet<Capability> union = EnumSet.noneOf(Capability.class); + capSets.forEach(cs -> union.addAll(cs.caps)); + return new CapabilitySet(union); + } + + public static CapabilitySet from(EnumSet<Capability> caps) { return new CapabilitySet(EnumSet.copyOf(caps)); } + public static CapabilitySet from(Collection<Capability> caps) { return new CapabilitySet(EnumSet.copyOf(caps)); } + public static CapabilitySet from(Capability... caps) { return new CapabilitySet(EnumSet.copyOf(List.of(caps))); } + public static CapabilitySet all() { return ALL_CAPABILITIES; } + public static CapabilitySet none() { return NO_CAPABILITIES; } + + public boolean hasAll() { return this.caps.equals(ALL_CAPABILITIES.caps); } + public boolean hasNone() { return this.caps.equals(NO_CAPABILITIES.caps); } + public boolean has(CapabilitySet caps) { return this.caps.containsAll(caps.caps); } + public boolean has(Collection<Capability> caps) { return this.caps.containsAll(caps); } + public boolean has(Capability... caps) { return this.caps.containsAll(List.of(caps)); } + + public SortedSet<String> toNames() { + return caps.stream().map(Capability::asString).collect(Collectors.toCollection(TreeSet::new)); + } + + public Set<Capability> asSet() { return Collections.unmodifiableSet(caps); } + + @Override + public String toString() { + return "CapabilitySet{" + + "caps=" + caps + + '}'; + } + + @Override + public boolean equals(Object o) { + if (this == o) return true; + if (o == null || getClass() != o.getClass()) return false; + CapabilitySet that = (CapabilitySet) o; + return Objects.equals(caps, that.caps); + } + + @Override + public int hashCode() { + return Objects.hash(caps); + } +} diff --git a/security-utils/src/main/java/com/yahoo/security/tls/ConfigFileBasedTlsContext.java b/security-utils/src/main/java/com/yahoo/security/tls/ConfigFileBasedTlsContext.java index 6d4684666ea..69635b92e74 100644 --- a/security-utils/src/main/java/com/yahoo/security/tls/ConfigFileBasedTlsContext.java +++ b/security-utils/src/main/java/com/yahoo/security/tls/ConfigFileBasedTlsContext.java @@ -4,10 +4,10 @@ package com.yahoo.security.tls; import com.yahoo.security.KeyStoreBuilder; import com.yahoo.security.KeyStoreType; import com.yahoo.security.KeyUtils; +import com.yahoo.security.MutableX509KeyManager; +import com.yahoo.security.MutableX509TrustManager; import com.yahoo.security.SslContextBuilder; import com.yahoo.security.X509CertificateUtils; -import com.yahoo.security.tls.authz.PeerAuthorizerTrustManager; -import com.yahoo.security.tls.policy.AuthorizedPeers; import javax.net.ssl.SSLContext; import javax.net.ssl.SSLEngine; @@ -19,7 +19,6 @@ import java.nio.file.Files; import java.nio.file.Path; import java.security.KeyStore; import java.time.Duration; -import java.util.Collections; import java.util.HashSet; import java.util.List; import java.util.Set; @@ -112,9 +111,8 @@ public class ConfigFileBasedTlsContext implements TlsContext { PeerAuthentication peerAuthentication) { HostnameVerification hostnameVerification = options.isHostnameValidationDisabled() ? HostnameVerification.DISABLED : HostnameVerification.ENABLED; - PeerAuthorizerTrustManager authorizerTrustManager = options.getAuthorizedPeers() - .map(authorizedPeers -> new PeerAuthorizerTrustManager(authorizedPeers, mode, hostnameVerification, mutableTrustManager)) - .orElseGet(() -> new PeerAuthorizerTrustManager(new AuthorizedPeers(Collections.emptySet()), AuthorizationMode.DISABLE, hostnameVerification, mutableTrustManager)); + PeerAuthorizerTrustManager authorizerTrustManager = + new PeerAuthorizerTrustManager(options.getAuthorizedPeers(), mode, hostnameVerification, mutableTrustManager); SSLContext sslContext = new SslContextBuilder() .withKeyManager(mutableKeyManager) .withTrustManager(authorizerTrustManager) diff --git a/security-utils/src/main/java/com/yahoo/security/tls/ConnectionAuthContext.java b/security-utils/src/main/java/com/yahoo/security/tls/ConnectionAuthContext.java new file mode 100644 index 00000000000..f231e8429ce --- /dev/null +++ b/security-utils/src/main/java/com/yahoo/security/tls/ConnectionAuthContext.java @@ -0,0 +1,122 @@ +package com.yahoo.security.tls; + +import com.yahoo.security.SubjectAlternativeName; +import com.yahoo.security.X509CertificateUtils; + +import java.security.cert.X509Certificate; +import java.util.List; +import java.util.Optional; +import java.util.Set; +import java.util.logging.Logger; + +import static com.yahoo.security.SubjectAlternativeName.Type.DNS; +import static com.yahoo.security.SubjectAlternativeName.Type.URI; +import static com.yahoo.security.tls.CapabilityMode.DISABLE; +import static com.yahoo.security.tls.CapabilityMode.LOG_ONLY; + +/** + * @author bjorncs + */ +public record ConnectionAuthContext(List<X509Certificate> peerCertificateChain, + CapabilitySet capabilities, + Set<String> matchedPolicies, + CapabilityMode capabilityMode) { + + private static final Logger log = Logger.getLogger(ConnectionAuthContext.class.getName()); + + public ConnectionAuthContext { + peerCertificateChain = List.copyOf(peerCertificateChain); + matchedPolicies = Set.copyOf(matchedPolicies); + } + + private ConnectionAuthContext(List<X509Certificate> certs, CapabilityMode capabilityMode) { + this(certs, CapabilitySet.all(), Set.of(), capabilityMode); + } + + public boolean authorized() { return !capabilities.hasNone(); } + + /** Throws checked exception to force caller to handle verification failed. */ + public void verifyCapabilities(CapabilitySet requiredCapabilities) throws MissingCapabilitiesException { + verifyCapabilities(requiredCapabilities, null, null, null); + } + + /** + * Throws checked exception to force caller to handle verification failed. + * Provided strings are used for improved logging only + * */ + public void verifyCapabilities(CapabilitySet requiredCapabilities, String action, String resource, String peer) + throws MissingCapabilitiesException { + if (capabilityMode == DISABLE) return; + boolean hasCapabilities = capabilities.has(requiredCapabilities); + if (!hasCapabilities) { + String msg = createPermissionDeniedErrorMessage(requiredCapabilities, action, resource, peer); + if (capabilityMode == LOG_ONLY) { + log.info(msg); + } else { + // Ideally log as warning, but we have no mechanism for de-duplicating repeated log spamming. + log.fine(msg); + throw new MissingCapabilitiesException(msg); + } + } + } + + String createPermissionDeniedErrorMessage( + CapabilitySet required, String action, String resource, String peer) { + StringBuilder b = new StringBuilder(); + if (capabilityMode == LOG_ONLY) b.append("Dry-run: "); + b.append("Permission denied"); + if (resource != null) { + b.append(" for '"); + if (action != null) { + b.append(action).append("' on '"); + } + b.append(resource).append("'"); + } + b.append(". Peer "); + if (peer != null) b.append("'").append(peer).append("' "); + return b.append("with ").append(peerCertificateString().orElse("<missing-certificate>")).append(". Requires capabilities ") + .append(required.toNames()).append(" but peer has ").append(capabilities.toNames()) + .append(".").toString(); + } + + public Optional<X509Certificate> peerCertificate() { + return peerCertificateChain.isEmpty() ? Optional.empty() : Optional.of(peerCertificateChain.get(0)); + } + + public Optional<String> peerCertificateString() { + X509Certificate cert = peerCertificate().orElse(null); + if (cert == null) return Optional.empty(); + StringBuilder b = new StringBuilder("["); + String cn = X509CertificateUtils.getSubjectCommonName(cert).orElse(null); + if (cn != null) { + b.append("CN='").append(cn).append("'"); + } + var sans = X509CertificateUtils.getSubjectAlternativeNames(cert); + List<String> dnsNames = sans.stream() + .filter(s -> s.getType() == DNS) + .map(SubjectAlternativeName::getValue) + .toList(); + if (!dnsNames.isEmpty()) { + if (cn != null) b.append(", "); + b.append("SAN_DNS=").append(dnsNames); + } + List<String> uris = sans.stream() + .filter(s -> s.getType() == URI) + .map(SubjectAlternativeName::getValue) + .toList(); + if (!uris.isEmpty()) { + if (cn != null || !dnsNames.isEmpty()) b.append(", "); + b.append("SAN_URI=").append(uris); + } + return Optional.of(b.append("]").toString()); + } + + /** Construct instance with all capabilities */ + public static ConnectionAuthContext defaultAllCapabilities() { return new ConnectionAuthContext(List.of(), DISABLE); } + + /** Construct instance with all capabilities */ + public static ConnectionAuthContext defaultAllCapabilities(List<X509Certificate> certs) { + return new ConnectionAuthContext(certs, DISABLE); + } + +} diff --git a/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java b/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java index a01283318b6..88e4f409260 100644 --- a/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java +++ b/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java @@ -2,8 +2,6 @@ package com.yahoo.security.tls; import com.yahoo.security.SslContextBuilder; -import com.yahoo.security.tls.authz.PeerAuthorizerTrustManager; -import com.yahoo.security.tls.policy.AuthorizedPeers; import javax.net.ssl.SSLContext; import javax.net.ssl.SSLEngine; @@ -11,7 +9,6 @@ import javax.net.ssl.SSLParameters; import java.security.PrivateKey; import java.security.cert.X509Certificate; import java.util.Arrays; -import java.util.Collections; import java.util.List; import java.util.Set; import java.util.logging.Level; @@ -136,13 +133,9 @@ public class DefaultTlsContext implements TlsContext { if (!caCertificates.isEmpty()) { builder.withTrustStore(caCertificates); } - if (authorizedPeers != null) { - builder.withTrustManagerFactory(truststore -> new PeerAuthorizerTrustManager(authorizedPeers, mode, hostnameVerification, truststore)); - } else { - builder.withTrustManagerFactory(truststore -> new PeerAuthorizerTrustManager( - new AuthorizedPeers(Collections.emptySet()), AuthorizationMode.DISABLE, hostnameVerification, truststore)); - } - return builder.build(); + return builder.withTrustManagerFactory(truststore -> + new PeerAuthorizerTrustManager(authorizedPeers, mode, hostnameVerification, truststore)) + .build(); } } diff --git a/security-utils/src/main/java/com/yahoo/security/tls/policy/GlobPattern.java b/security-utils/src/main/java/com/yahoo/security/tls/GlobPattern.java index 46a38a77844..c945e48a361 100644 --- a/security-utils/src/main/java/com/yahoo/security/tls/policy/GlobPattern.java +++ b/security-utils/src/main/java/com/yahoo/security/tls/GlobPattern.java @@ -1,5 +1,5 @@ // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.security.tls.policy; +package com.yahoo.security.tls; import java.util.Arrays; import java.util.Objects; diff --git a/security-utils/src/main/java/com/yahoo/security/tls/policy/HostGlobPattern.java b/security-utils/src/main/java/com/yahoo/security/tls/HostGlobPattern.java index cb9ba13cae4..7e2c40182f0 100644 --- a/security-utils/src/main/java/com/yahoo/security/tls/policy/HostGlobPattern.java +++ b/security-utils/src/main/java/com/yahoo/security/tls/HostGlobPattern.java @@ -1,5 +1,5 @@ // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.security.tls.policy; +package com.yahoo.security.tls; import java.util.Objects; diff --git a/security-utils/src/main/java/com/yahoo/security/tls/MissingCapabilitiesException.java b/security-utils/src/main/java/com/yahoo/security/tls/MissingCapabilitiesException.java new file mode 100644 index 00000000000..1c3ad9444e4 --- /dev/null +++ b/security-utils/src/main/java/com/yahoo/security/tls/MissingCapabilitiesException.java @@ -0,0 +1,13 @@ +// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. +package com.yahoo.security.tls; + +/** + * Intentionally checked to force caller to handle missing permissions at call site. + * + * @author bjorncs + */ +public class MissingCapabilitiesException extends Exception { + + public MissingCapabilitiesException(String message) { super(message); } + +} diff --git a/security-utils/src/main/java/com/yahoo/security/tls/PeerAuthorizationFailedException.java b/security-utils/src/main/java/com/yahoo/security/tls/PeerAuthorizationFailedException.java new file mode 100644 index 00000000000..02dbf3bb8e7 --- /dev/null +++ b/security-utils/src/main/java/com/yahoo/security/tls/PeerAuthorizationFailedException.java @@ -0,0 +1,23 @@ +// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. +package com.yahoo.security.tls; + +import java.security.cert.CertificateException; +import java.security.cert.X509Certificate; +import java.util.List; + +/** + * @author bjorncs + */ +public class PeerAuthorizationFailedException extends CertificateException { + private final List<X509Certificate> certChain; + + public PeerAuthorizationFailedException(String msg, List<X509Certificate> certChain) { + super(msg); + this.certChain = certChain; + } + + public PeerAuthorizationFailedException(String msg) { this(msg, List.of()); } + + public List<X509Certificate> peerCertificateChain() { return certChain; } +} + diff --git a/security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizer.java b/security-utils/src/main/java/com/yahoo/security/tls/PeerAuthorizer.java index 40f3817c5f9..951b5c57c9e 100644 --- a/security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizer.java +++ b/security-utils/src/main/java/com/yahoo/security/tls/PeerAuthorizer.java @@ -1,23 +1,18 @@ // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.security.tls.authz; +package com.yahoo.security.tls; import com.yahoo.security.SubjectAlternativeName; import com.yahoo.security.X509CertificateUtils; -import com.yahoo.security.tls.policy.AuthorizedPeers; -import com.yahoo.security.tls.policy.PeerPolicy; -import com.yahoo.security.tls.policy.RequiredPeerCredential; -import com.yahoo.security.tls.policy.Role; import java.security.cert.X509Certificate; import java.util.HashSet; import java.util.List; -import java.util.Optional; import java.util.Set; import java.util.logging.Logger; -import static com.yahoo.security.SubjectAlternativeName.Type.DNS_NAME; -import static com.yahoo.security.SubjectAlternativeName.Type.IP_ADDRESS; -import static com.yahoo.security.SubjectAlternativeName.Type.UNIFORM_RESOURCE_IDENTIFIER; +import static com.yahoo.security.SubjectAlternativeName.Type.DNS; +import static com.yahoo.security.SubjectAlternativeName.Type.IP; +import static com.yahoo.security.SubjectAlternativeName.Type.URI; import static java.util.stream.Collectors.toList; /** @@ -35,19 +30,27 @@ public class PeerAuthorizer { this.authorizedPeers = authorizedPeers; } - public AuthorizationResult authorizePeer(X509Certificate peerCertificate) { - Set<Role> assumedRoles = new HashSet<>(); + + public ConnectionAuthContext authorizePeer(X509Certificate cert) { return authorizePeer(List.of(cert)); } + + public ConnectionAuthContext authorizePeer(List<X509Certificate> certChain) { + if (authorizedPeers.isEmpty()) return ConnectionAuthContext.defaultAllCapabilities(certChain); + X509Certificate cert = certChain.get(0); Set<String> matchedPolicies = new HashSet<>(); - String cn = getCommonName(peerCertificate).orElse(null); - List<String> sans = getSubjectAlternativeNames(peerCertificate); + Set<CapabilitySet> grantedCapabilities = new HashSet<>(); + String cn = X509CertificateUtils.getSubjectCommonName(cert).orElse(null); + List<String> sans = getSubjectAlternativeNames(cert); log.fine(() -> String.format("Subject info from x509 certificate: CN=[%s], 'SAN=%s", cn, sans)); for (PeerPolicy peerPolicy : authorizedPeers.peerPolicies()) { if (matchesPolicy(peerPolicy, cn, sans)) { - assumedRoles.addAll(peerPolicy.assumedRoles()); matchedPolicies.add(peerPolicy.policyName()); + grantedCapabilities.add(peerPolicy.capabilities()); } } - return new AuthorizationResult(assumedRoles, matchedPolicies); + // TODO Pass this through constructor + CapabilityMode capabilityMode = TransportSecurityUtils.getCapabilityMode(); + return new ConnectionAuthContext( + certChain, CapabilitySet.unionOf(grantedCapabilities), matchedPolicies, capabilityMode); } private static boolean matchesPolicy(PeerPolicy peerPolicy, String cn, List<String> sans) { @@ -68,14 +71,9 @@ public class PeerAuthorizer { } } - private static Optional<String> getCommonName(X509Certificate peerCertificate) { - return X509CertificateUtils.getSubjectCommonNames(peerCertificate).stream() - .findFirst(); - } - private static List<String> getSubjectAlternativeNames(X509Certificate peerCertificate) { return X509CertificateUtils.getSubjectAlternativeNames(peerCertificate).stream() - .filter(san -> san.getType() == DNS_NAME || san.getType() == IP_ADDRESS || san.getType() == UNIFORM_RESOURCE_IDENTIFIER) + .filter(san -> san.getType() == DNS || san.getType() == IP || san.getType() == URI) .map(SubjectAlternativeName::getValue) .collect(toList()); } diff --git a/security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizerTrustManager.java b/security-utils/src/main/java/com/yahoo/security/tls/PeerAuthorizerTrustManager.java index e8d558205c4..c3dcdf1dc9e 100644 --- a/security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizerTrustManager.java +++ b/security-utils/src/main/java/com/yahoo/security/tls/PeerAuthorizerTrustManager.java @@ -1,32 +1,33 @@ // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.security.tls.authz; +package com.yahoo.security.tls; +import com.yahoo.security.TrustManagerUtils; import com.yahoo.security.X509CertificateUtils; -import com.yahoo.security.tls.AuthorizationMode; -import com.yahoo.security.tls.HostnameVerification; -import com.yahoo.security.tls.TrustManagerUtils; -import com.yahoo.security.tls.policy.AuthorizedPeers; import javax.net.ssl.SSLEngine; import javax.net.ssl.SSLParameters; +import javax.net.ssl.SSLSession; import javax.net.ssl.SSLSocket; import javax.net.ssl.X509ExtendedTrustManager; import java.net.Socket; import java.security.KeyStore; import java.security.cert.CertificateException; import java.security.cert.X509Certificate; -import java.util.Optional; +import java.util.List; +import java.util.logging.Level; import java.util.logging.Logger; /** * A {@link X509ExtendedTrustManager} that performs additional certificate verification through {@link PeerAuthorizer}. * + * Implementation assumes that provided {@link X509ExtendedTrustManager} will throw {@link IllegalArgumentException} + * when chain is empty or null. + * * @author bjorncs */ -// Note: Implementation assumes that provided X509ExtendedTrustManager will throw IllegalArgumentException when chain is empty or null -public class PeerAuthorizerTrustManager extends X509ExtendedTrustManager { +class PeerAuthorizerTrustManager extends X509ExtendedTrustManager { - public static final String HANDSHAKE_SESSION_AUTHZ_RESULT_PROPERTY = "vespa.tls.authorization.result"; + static final String AUTH_CONTEXT_PROPERTY = "vespa.tls.auth.ctx"; private static final Logger log = Logger.getLogger(PeerAuthorizerTrustManager.class.getName()); @@ -35,59 +36,55 @@ public class PeerAuthorizerTrustManager extends X509ExtendedTrustManager { private final AuthorizationMode mode; private final HostnameVerification hostnameVerification; - public PeerAuthorizerTrustManager(AuthorizedPeers authorizedPeers, - AuthorizationMode mode, - HostnameVerification hostnameVerification, - X509ExtendedTrustManager defaultTrustManager) { + PeerAuthorizerTrustManager(AuthorizedPeers authorizedPeers, AuthorizationMode mode, + HostnameVerification hostnameVerification, X509ExtendedTrustManager defaultTrustManager) { this.authorizer = new PeerAuthorizer(authorizedPeers); this.mode = mode; this.hostnameVerification = hostnameVerification; this.defaultTrustManager = defaultTrustManager; } - public PeerAuthorizerTrustManager(AuthorizedPeers authorizedPeers, - AuthorizationMode mode, - HostnameVerification hostnameVerification, - KeyStore truststore) { + PeerAuthorizerTrustManager(AuthorizedPeers authorizedPeers, AuthorizationMode mode, + HostnameVerification hostnameVerification, KeyStore truststore) { this(authorizedPeers, mode, hostnameVerification, TrustManagerUtils.createDefaultX509TrustManager(truststore)); } @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException { defaultTrustManager.checkClientTrusted(chain, authType); - authorizePeer(chain[0], authType, true, null); + authorizePeer(chain, authType, true, null); } @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException { defaultTrustManager.checkServerTrusted(chain, authType); - authorizePeer(chain[0], authType, false, null); + authorizePeer(chain, authType, false, null); } @Override public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException { defaultTrustManager.checkClientTrusted(chain, authType, socket); - authorizePeer(chain[0], authType, true, null); + authorizePeer(chain, authType, true, ((SSLSocket)socket).getHandshakeSession()); } @Override public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException { overrideHostnameVerificationForClient(socket); defaultTrustManager.checkServerTrusted(chain, authType, socket); - authorizePeer(chain[0], authType, false, null); + authorizePeer(chain, authType, false, ((SSLSocket)socket).getHandshakeSession()); } @Override public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine sslEngine) throws CertificateException { defaultTrustManager.checkClientTrusted(chain, authType, sslEngine); - authorizePeer(chain[0], authType, true, sslEngine); + authorizePeer(chain, authType, true, sslEngine.getHandshakeSession()); } @Override public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine sslEngine) throws CertificateException { overrideHostnameVerificationForClient(sslEngine); defaultTrustManager.checkServerTrusted(chain, authType, sslEngine); - authorizePeer(chain[0], authType, false, sslEngine); + authorizePeer(chain, authType, false, sslEngine.getHandshakeSession()); } @Override @@ -95,36 +92,33 @@ public class PeerAuthorizerTrustManager extends X509ExtendedTrustManager { return defaultTrustManager.getAcceptedIssuers(); } - /** - * Note: The authorization result is only available during handshake. The underlying handshake session is removed once handshake is complete. - */ - public static Optional<AuthorizationResult> getAuthorizationResult(SSLEngine sslEngine) { - return Optional.ofNullable(sslEngine.getHandshakeSession()) - .flatMap(session -> Optional.ofNullable((AuthorizationResult) session.getValue(HANDSHAKE_SESSION_AUTHZ_RESULT_PROPERTY))); - } - - private void authorizePeer(X509Certificate certificate, String authType, boolean isVerifyingClient, SSLEngine sslEngine) throws CertificateException { - if (mode == AuthorizationMode.DISABLE) return; - - log.fine(() -> "Verifying certificate: " + createInfoString(certificate, authType, isVerifyingClient)); - AuthorizationResult result = authorizer.authorizePeer(certificate); - if (sslEngine != null) { // getHandshakeSession() will never return null in this context - sslEngine.getHandshakeSession().putValue(HANDSHAKE_SESSION_AUTHZ_RESULT_PROPERTY, result); + private void authorizePeer(X509Certificate[] certChain, String authType, boolean isVerifyingClient, + SSLSession handshakeSessionOrNull) throws PeerAuthorizationFailedException { + log.fine(() -> "Verifying certificate: " + createInfoString(certChain[0], authType, isVerifyingClient)); + ConnectionAuthContext result = mode != AuthorizationMode.DISABLE + ? authorizer.authorizePeer(List.of(certChain)) + : ConnectionAuthContext.defaultAllCapabilities(List.of(certChain)); + if (handshakeSessionOrNull != null) { + handshakeSessionOrNull.putValue(AUTH_CONTEXT_PROPERTY, result); + } else { + log.log(Level.FINE, + () -> "Warning: unable to provide ConnectionAuthContext as no SSLSession is available"); } - if (result.succeeded()) { + if (result.authorized()) { log.fine(() -> String.format("Verification result: %s", result)); } else { - String errorMessage = "Authorization failed: " + createInfoString(certificate, authType, isVerifyingClient); + String errorMessage = "Authorization failed: " + createInfoString(certChain[0], authType, isVerifyingClient); log.warning(errorMessage); if (mode == AuthorizationMode.ENFORCE) { - throw new CertificateException(errorMessage); + throw new PeerAuthorizationFailedException(errorMessage, List.of(certChain)); } } } - private static String createInfoString(X509Certificate certificate, String authType, boolean isVerifyingClient) { - return String.format("DN='%s', SANs=%s, authType='%s', isVerifyingClient='%b'", - certificate.getSubjectX500Principal(), X509CertificateUtils.getSubjectAlternativeNames(certificate), authType, isVerifyingClient); + private String createInfoString(X509Certificate certificate, String authType, boolean isVerifyingClient) { + return String.format("DN='%s', SANs=%s, authType='%s', isVerifyingClient='%b', mode=%s", + certificate.getSubjectX500Principal(), X509CertificateUtils.getSubjectAlternativeNames(certificate), + authType, isVerifyingClient, mode); } private void overrideHostnameVerificationForClient(SSLEngine engine) { diff --git a/security-utils/src/main/java/com/yahoo/security/tls/PeerPolicy.java b/security-utils/src/main/java/com/yahoo/security/tls/PeerPolicy.java new file mode 100644 index 00000000000..ea3d4cfe002 --- /dev/null +++ b/security-utils/src/main/java/com/yahoo/security/tls/PeerPolicy.java @@ -0,0 +1,24 @@ +// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. +package com.yahoo.security.tls; + +import java.util.List; +import java.util.Optional; + +/** + * @author bjorncs + */ +public record PeerPolicy(String policyName, Optional<String> description, CapabilitySet capabilities, + List<RequiredPeerCredential> requiredCredentials) { + + public PeerPolicy { + requiredCredentials = List.copyOf(requiredCredentials); + } + + public PeerPolicy(String policyName, List<RequiredPeerCredential> requiredCredentials) { + this(policyName, Optional.empty(), CapabilitySet.all(), requiredCredentials); + } + + public PeerPolicy(String policyName, String description, List<RequiredPeerCredential> requiredCredentials) { + this(policyName, Optional.ofNullable(description), CapabilitySet.all(), requiredCredentials); + } +} diff --git a/security-utils/src/main/java/com/yahoo/security/tls/policy/RequiredPeerCredential.java b/security-utils/src/main/java/com/yahoo/security/tls/RequiredPeerCredential.java index 4c96a2935f8..9a18da9dffd 100644 --- a/security-utils/src/main/java/com/yahoo/security/tls/policy/RequiredPeerCredential.java +++ b/security-utils/src/main/java/com/yahoo/security/tls/RequiredPeerCredential.java @@ -1,5 +1,5 @@ // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.security.tls.policy; +package com.yahoo.security.tls; import java.util.Objects; diff --git a/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityOptions.java b/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityOptions.java index 65c87bee0b9..4397f27ebb7 100644 --- a/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityOptions.java +++ b/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityOptions.java @@ -1,9 +1,6 @@ // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. package com.yahoo.security.tls; -import com.yahoo.security.tls.json.TransportSecurityOptionsJsonSerializer; -import com.yahoo.security.tls.policy.AuthorizedPeers; - import java.io.ByteArrayInputStream; import java.io.ByteArrayOutputStream; import java.io.IOException; @@ -55,9 +52,7 @@ public class TransportSecurityOptions { return Optional.ofNullable(caCertificatesFile); } - public Optional<AuthorizedPeers> getAuthorizedPeers() { - return Optional.ofNullable(authorizedPeers); - } + public AuthorizedPeers getAuthorizedPeers() { return authorizedPeers; } public List<String> getAcceptedCiphers() { return acceptedCiphers; } @@ -96,7 +91,7 @@ public class TransportSecurityOptions { private Path privateKeyFile; private Path certificatesFile; private Path caCertificatesFile; - private AuthorizedPeers authorizedPeers; + private AuthorizedPeers authorizedPeers = AuthorizedPeers.empty(); private List<String> acceptedCiphers = new ArrayList<>(); private boolean isHostnameValidationDisabled; private List<String> acceptedProtocols = new ArrayList<>(); diff --git a/security-utils/src/main/java/com/yahoo/security/tls/json/TransportSecurityOptionsEntity.java b/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityOptionsEntity.java index 12ac75aae80..f1799a64a57 100644 --- a/security-utils/src/main/java/com/yahoo/security/tls/json/TransportSecurityOptionsEntity.java +++ b/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityOptionsEntity.java @@ -1,5 +1,5 @@ // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.security.tls.json; +package com.yahoo.security.tls; import com.fasterxml.jackson.annotation.JsonIgnoreProperties; import com.fasterxml.jackson.annotation.JsonInclude; @@ -36,7 +36,7 @@ class TransportSecurityOptionsEntity { @JsonProperty("required-credentials") List<RequiredCredential> requiredCredentials; @JsonProperty("name") String name; @JsonProperty("description") @JsonInclude(NON_NULL) String description; - @JsonProperty("roles") @JsonInclude(NON_EMPTY) List<String> roles; + @JsonProperty("capabilities") @JsonInclude(NON_EMPTY) List<String> capabilities; } @JsonIgnoreProperties(ignoreUnknown = true) diff --git a/security-utils/src/main/java/com/yahoo/security/tls/json/TransportSecurityOptionsJsonSerializer.java b/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityOptionsJsonSerializer.java index 516a0c83d37..0349d4085db 100644 --- a/security-utils/src/main/java/com/yahoo/security/tls/json/TransportSecurityOptionsJsonSerializer.java +++ b/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityOptionsJsonSerializer.java @@ -1,16 +1,11 @@ // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.security.tls.json; +package com.yahoo.security.tls; import com.fasterxml.jackson.databind.ObjectMapper; -import com.yahoo.security.tls.TransportSecurityOptions; -import com.yahoo.security.tls.json.TransportSecurityOptionsEntity.AuthorizedPeer; -import com.yahoo.security.tls.json.TransportSecurityOptionsEntity.CredentialField; -import com.yahoo.security.tls.json.TransportSecurityOptionsEntity.Files; -import com.yahoo.security.tls.json.TransportSecurityOptionsEntity.RequiredCredential; -import com.yahoo.security.tls.policy.AuthorizedPeers; -import com.yahoo.security.tls.policy.PeerPolicy; -import com.yahoo.security.tls.policy.RequiredPeerCredential; -import com.yahoo.security.tls.policy.Role; +import com.yahoo.security.tls.TransportSecurityOptionsEntity.AuthorizedPeer; +import com.yahoo.security.tls.TransportSecurityOptionsEntity.CredentialField; +import com.yahoo.security.tls.TransportSecurityOptionsEntity.Files; +import com.yahoo.security.tls.TransportSecurityOptionsEntity.RequiredCredential; import java.io.IOException; import java.io.InputStream; @@ -18,9 +13,9 @@ import java.io.OutputStream; import java.io.UncheckedIOException; import java.nio.file.Paths; import java.util.ArrayList; -import java.util.Collections; import java.util.Comparator; import java.util.List; +import java.util.Optional; import java.util.Set; import static java.util.stream.Collectors.toList; @@ -29,11 +24,11 @@ import static java.util.stream.Collectors.toSet; /** * @author bjorncs */ -public class TransportSecurityOptionsJsonSerializer { +class TransportSecurityOptionsJsonSerializer { private static final ObjectMapper mapper = new ObjectMapper(); - public TransportSecurityOptions deserialize(InputStream in) { + TransportSecurityOptions deserialize(InputStream in) { try { TransportSecurityOptionsEntity entity = mapper.readValue(in, TransportSecurityOptionsEntity.class); return toTransportSecurityOptions(entity); @@ -42,7 +37,7 @@ public class TransportSecurityOptionsJsonSerializer { } } - public void serialize(OutputStream out, TransportSecurityOptions options) { + void serialize(OutputStream out, TransportSecurityOptions options) { try { mapper.writerWithDefaultPrettyPrinter().writeValue(out, toTransportSecurityOptionsEntity(options)); } catch (IOException e) { @@ -101,14 +96,16 @@ public class TransportSecurityOptionsJsonSerializer { if (authorizedPeer.requiredCredentials == null) { throw missingFieldException("required-credentials"); } - return new PeerPolicy(authorizedPeer.name, authorizedPeer.description, toRoles(authorizedPeer.roles), toRequestPeerCredentials(authorizedPeer.requiredCredentials)); + return new PeerPolicy(authorizedPeer.name, Optional.ofNullable(authorizedPeer.description), + toCapabilities(authorizedPeer.capabilities), toRequestPeerCredentials(authorizedPeer.requiredCredentials)); } - private static Set<Role> toRoles(List<String> roles) { - if (roles == null) return Collections.emptySet(); - return roles.stream() - .map(Role::new) - .collect(toSet()); + private static CapabilitySet toCapabilities(List<String> capabilities) { + if (capabilities == null) return CapabilitySet.all(); + if (capabilities.isEmpty()) + throw new IllegalArgumentException("\"capabilities\" array must either be not present " + + "(implies all capabilities) or contain at least one capability name"); + return CapabilitySet.fromNames(capabilities); } private static List<RequiredPeerCredential> toRequestPeerCredentials(List<RequiredCredential> requiredCredentials) { @@ -142,29 +139,27 @@ public class TransportSecurityOptionsJsonSerializer { options.getCaCertificatesFile().ifPresent(value -> entity.files.caCertificatesFile = value.toString()); options.getCertificatesFile().ifPresent(value -> entity.files.certificatesFile = value.toString()); options.getPrivateKeyFile().ifPresent(value -> entity.files.privateKeyFile = value.toString()); - options.getAuthorizedPeers().ifPresent( authorizedPeers -> entity.authorizedPeers = - authorizedPeers.peerPolicies().stream() - // Makes tests stable - .sorted(Comparator.comparing(PeerPolicy::policyName)) - .map(peerPolicy -> { - AuthorizedPeer authorizedPeer = new AuthorizedPeer(); - authorizedPeer.name = peerPolicy.policyName(); - authorizedPeer.requiredCredentials = new ArrayList<>(); - authorizedPeer.description = peerPolicy.description().orElse(null); - for (RequiredPeerCredential requiredPeerCredential : peerPolicy.requiredCredentials()) { - RequiredCredential requiredCredential = new RequiredCredential(); - requiredCredential.field = toField(requiredPeerCredential.field()); - requiredCredential.matchExpression = requiredPeerCredential.pattern().asString(); - authorizedPeer.requiredCredentials.add(requiredCredential); - } - if (!peerPolicy.assumedRoles().isEmpty()) { - authorizedPeer.roles = new ArrayList<>(); - peerPolicy.assumedRoles().forEach(role -> authorizedPeer.roles.add(role.name())); - } - - return authorizedPeer; - }) - .collect(toList())); + entity.authorizedPeers = options.getAuthorizedPeers().peerPolicies().stream() + // Makes tests stable + .sorted(Comparator.comparing(PeerPolicy::policyName)) + .map(peerPolicy -> { + AuthorizedPeer authorizedPeer = new AuthorizedPeer(); + authorizedPeer.name = peerPolicy.policyName(); + authorizedPeer.requiredCredentials = new ArrayList<>(); + authorizedPeer.description = peerPolicy.description().orElse(null); + CapabilitySet caps = peerPolicy.capabilities(); + if (!caps.hasAll()) { + authorizedPeer.capabilities = List.copyOf(caps.toNames()); + } + for (RequiredPeerCredential requiredPeerCredential : peerPolicy.requiredCredentials()) { + RequiredCredential requiredCredential = new RequiredCredential(); + requiredCredential.field = toField(requiredPeerCredential.field()); + requiredCredential.matchExpression = requiredPeerCredential.pattern().asString(); + authorizedPeer.requiredCredentials.add(requiredCredential); + } + return authorizedPeer; + }) + .toList(); if (!options.getAcceptedCiphers().isEmpty()) { entity.acceptedCiphers = options.getAcceptedCiphers(); } diff --git a/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityUtils.java b/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityUtils.java index cbd3857d2d5..ae6cef65156 100644 --- a/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityUtils.java +++ b/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityUtils.java @@ -1,6 +1,9 @@ // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. package com.yahoo.security.tls; +import javax.net.ssl.SSLEngine; +import javax.net.ssl.SSLSession; +import javax.net.ssl.SSLSocket; import java.nio.file.Path; import java.nio.file.Paths; import java.util.Map; @@ -18,6 +21,7 @@ public class TransportSecurityUtils { public static final String CONFIG_FILE_ENVIRONMENT_VARIABLE = "VESPA_TLS_CONFIG_FILE"; public static final String INSECURE_MIXED_MODE_ENVIRONMENT_VARIABLE = "VESPA_TLS_INSECURE_MIXED_MODE"; public static final String INSECURE_AUTHORIZATION_MODE_ENVIRONMENT_VARIABLE = "VESPA_TLS_INSECURE_AUTHORIZATION_MODE"; + public static final String CAPABILITIES_ENV_VAR = "VESPA_TLS_CAPABILITIES_ENFORCEMENT_MODE"; private TransportSecurityUtils() {} @@ -49,6 +53,12 @@ public class TransportSecurityUtils { .orElse(AuthorizationMode.defaultValue()); } + public static CapabilityMode getCapabilityMode() { + return getEnvironmentVariable(System.getenv(), CAPABILITIES_ENV_VAR) + .map(CapabilityMode::fromConfigValue) + .orElse(CapabilityMode.defaultValue()); + } + public static Optional<Path> getConfigFile() { return getConfigFile(System.getenv()); } @@ -80,6 +90,24 @@ public class TransportSecurityUtils { } } + /** + * @return {@link ConnectionAuthContext} instance if {@link SSLEngine} was constructed by a {@link TlsContext}. + * Only available after TLS handshake is completed. + */ + public static Optional<ConnectionAuthContext> getConnectionAuthContext(SSLSession s) { + return Optional.ofNullable((ConnectionAuthContext) s.getValue(PeerAuthorizerTrustManager.AUTH_CONTEXT_PROPERTY)); + } + + /** @see #getConnectionAuthContext(SSLSession) */ + public static Optional<ConnectionAuthContext> getConnectionAuthContext(SSLEngine e) { + return getConnectionAuthContext(e.getSession()); + } + + /** @see #getConnectionAuthContext(SSLSession) */ + public static Optional<ConnectionAuthContext> getConnectionAuthContext(SSLSocket s) { + return getConnectionAuthContext(s.getSession()); + } + private static Optional<String> getEnvironmentVariable(Map<String, String> environmentVariables, String variableName) { return Optional.ofNullable(environmentVariables.get(variableName)) .filter(var -> !var.isEmpty()); diff --git a/security-utils/src/main/java/com/yahoo/security/tls/policy/UriGlobPattern.java b/security-utils/src/main/java/com/yahoo/security/tls/UriGlobPattern.java index b2cc0688bb9..18d18a5ab3c 100644 --- a/security-utils/src/main/java/com/yahoo/security/tls/policy/UriGlobPattern.java +++ b/security-utils/src/main/java/com/yahoo/security/tls/UriGlobPattern.java @@ -1,5 +1,5 @@ // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.security.tls.policy; +package com.yahoo.security.tls; import java.util.Objects; diff --git a/security-utils/src/main/java/com/yahoo/security/tls/authz/AuthorizationResult.java b/security-utils/src/main/java/com/yahoo/security/tls/authz/AuthorizationResult.java deleted file mode 100644 index 963bb469d6e..00000000000 --- a/security-utils/src/main/java/com/yahoo/security/tls/authz/AuthorizationResult.java +++ /dev/null @@ -1,55 +0,0 @@ -// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.security.tls.authz; - -import com.yahoo.security.tls.policy.Role; - -import java.util.Collections; -import java.util.Objects; -import java.util.Set; - -/** - * @author bjorncs - */ -public class AuthorizationResult { - private final Set<Role> assumedRoles; - private final Set<String> matchedPolicies; - - public AuthorizationResult(Set<Role> assumedRoles, Set<String> matchedPolicies) { - this.assumedRoles = Collections.unmodifiableSet(assumedRoles); - this.matchedPolicies = Collections.unmodifiableSet(matchedPolicies); - } - - public Set<Role> assumedRoles() { - return assumedRoles; - } - - public Set<String> matchedPolicies() { - return matchedPolicies; - } - - public boolean succeeded() { - return matchedPolicies.size() > 0; - } - - @Override - public String toString() { - return "AuthorizationResult{" + - "assumedRoles=" + assumedRoles + - ", matchedPolicies=" + matchedPolicies + - '}'; - } - - @Override - public boolean equals(Object o) { - if (this == o) return true; - if (o == null || getClass() != o.getClass()) return false; - AuthorizationResult that = (AuthorizationResult) o; - return Objects.equals(assumedRoles, that.assumedRoles) && - Objects.equals(matchedPolicies, that.matchedPolicies); - } - - @Override - public int hashCode() { - return Objects.hash(assumedRoles, matchedPolicies); - } -} diff --git a/security-utils/src/main/java/com/yahoo/security/tls/authz/package-info.java b/security-utils/src/main/java/com/yahoo/security/tls/authz/package-info.java deleted file mode 100644 index 5066026757d..00000000000 --- a/security-utils/src/main/java/com/yahoo/security/tls/authz/package-info.java +++ /dev/null @@ -1,8 +0,0 @@ -// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -/** - * @author bjorncs - */ -@ExportPackage -package com.yahoo.security.tls.authz; - -import com.yahoo.osgi.annotation.ExportPackage; diff --git a/security-utils/src/main/java/com/yahoo/security/tls/https/package-info.java b/security-utils/src/main/java/com/yahoo/security/tls/https/package-info.java deleted file mode 100644 index 91a1672e19f..00000000000 --- a/security-utils/src/main/java/com/yahoo/security/tls/https/package-info.java +++ /dev/null @@ -1,8 +0,0 @@ -// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -/** - * @author bjorncs - */ -@ExportPackage -package com.yahoo.security.tls.https; - -import com.yahoo.osgi.annotation.ExportPackage;
\ No newline at end of file diff --git a/security-utils/src/main/java/com/yahoo/security/tls/json/package-info.java b/security-utils/src/main/java/com/yahoo/security/tls/json/package-info.java deleted file mode 100644 index be7ec33bf04..00000000000 --- a/security-utils/src/main/java/com/yahoo/security/tls/json/package-info.java +++ /dev/null @@ -1,8 +0,0 @@ -// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -/** - * @author bjorncs - */ -@ExportPackage -package com.yahoo.security.tls.json; - -import com.yahoo.osgi.annotation.ExportPackage;
\ No newline at end of file diff --git a/security-utils/src/main/java/com/yahoo/security/tls/policy/AuthorizedPeers.java b/security-utils/src/main/java/com/yahoo/security/tls/policy/AuthorizedPeers.java deleted file mode 100644 index 66621224906..00000000000 --- a/security-utils/src/main/java/com/yahoo/security/tls/policy/AuthorizedPeers.java +++ /dev/null @@ -1,53 +0,0 @@ -// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.security.tls.policy; - -import java.util.Collections; -import java.util.Objects; -import java.util.Set; - -/** - * @author bjorncs - */ -public class AuthorizedPeers { - - private final Set<PeerPolicy> peerPolicies; - - public AuthorizedPeers(Set<PeerPolicy> peerPolicies) { - this.peerPolicies = verifyPeerPolicies(peerPolicies); - } - - private Set<PeerPolicy> verifyPeerPolicies(Set<PeerPolicy> peerPolicies) { - long distinctNames = peerPolicies.stream() - .map(PeerPolicy::policyName) - .distinct() - .count(); - if (distinctNames != peerPolicies.size()) { - throw new IllegalArgumentException("'authorized-peers' contains entries with duplicate names"); - } - return Collections.unmodifiableSet(peerPolicies); - } - - public Set<PeerPolicy> peerPolicies() { - return peerPolicies; - } - - @Override - public String toString() { - return "AuthorizedPeers{" + - "peerPolicies=" + peerPolicies + - '}'; - } - - @Override - public boolean equals(Object o) { - if (this == o) return true; - if (o == null || getClass() != o.getClass()) return false; - AuthorizedPeers that = (AuthorizedPeers) o; - return Objects.equals(peerPolicies, that.peerPolicies); - } - - @Override - public int hashCode() { - return Objects.hash(peerPolicies); - } -} diff --git a/security-utils/src/main/java/com/yahoo/security/tls/policy/PeerPolicy.java b/security-utils/src/main/java/com/yahoo/security/tls/policy/PeerPolicy.java deleted file mode 100644 index 4783889ec62..00000000000 --- a/security-utils/src/main/java/com/yahoo/security/tls/policy/PeerPolicy.java +++ /dev/null @@ -1,71 +0,0 @@ -// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.security.tls.policy; - -import java.util.Collections; -import java.util.List; -import java.util.Objects; -import java.util.Optional; -import java.util.Set; - -/** - * @author bjorncs - */ -public class PeerPolicy { - - private final String policyName; - private final String description; - private final Set<Role> assumedRoles; - private final List<RequiredPeerCredential> requiredCredentials; - - public PeerPolicy(String policyName, Set<Role> assumedRoles, List<RequiredPeerCredential> requiredCredentials) { - this(policyName, null, assumedRoles, requiredCredentials); - } - - public PeerPolicy( - String policyName, String description, Set<Role> assumedRoles, List<RequiredPeerCredential> requiredCredentials) { - this.policyName = policyName; - this.description = description; - this.assumedRoles = assumedRoles; - this.requiredCredentials = Collections.unmodifiableList(requiredCredentials); - } - - public String policyName() { - return policyName; - } - - public Optional<String> description() { return Optional.ofNullable(description); } - - public Set<Role> assumedRoles() { - return assumedRoles; - } - - public List<RequiredPeerCredential> requiredCredentials() { - return requiredCredentials; - } - - @Override - public String toString() { - return "PeerPolicy{" + - "policyName='" + policyName + '\'' + - ", description='" + description + '\'' + - ", assumedRoles=" + assumedRoles + - ", requiredCredentials=" + requiredCredentials + - '}'; - } - - @Override - public boolean equals(Object o) { - if (this == o) return true; - if (o == null || getClass() != o.getClass()) return false; - PeerPolicy that = (PeerPolicy) o; - return Objects.equals(policyName, that.policyName) && - Objects.equals(description, that.description) && - Objects.equals(assumedRoles, that.assumedRoles) && - Objects.equals(requiredCredentials, that.requiredCredentials); - } - - @Override - public int hashCode() { - return Objects.hash(policyName, description, assumedRoles, requiredCredentials); - } -} diff --git a/security-utils/src/main/java/com/yahoo/security/tls/policy/Role.java b/security-utils/src/main/java/com/yahoo/security/tls/policy/Role.java deleted file mode 100644 index b35bf328847..00000000000 --- a/security-utils/src/main/java/com/yahoo/security/tls/policy/Role.java +++ /dev/null @@ -1,40 +0,0 @@ -// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.security.tls.policy; - -import java.util.Objects; - -/** - * @author bjorncs - */ -public class Role { - - private final String name; - - public Role(String name) { - this.name = name; - } - - public String name() { - return name; - } - - @Override - public String toString() { - return "Role{" + - "name='" + name + '\'' + - '}'; - } - - @Override - public boolean equals(Object o) { - if (this == o) return true; - if (o == null || getClass() != o.getClass()) return false; - Role role = (Role) o; - return Objects.equals(name, role.name); - } - - @Override - public int hashCode() { - return Objects.hash(name); - } -} diff --git a/security-utils/src/main/java/com/yahoo/security/tls/policy/package-info.java b/security-utils/src/main/java/com/yahoo/security/tls/policy/package-info.java deleted file mode 100644 index 61ce90654f8..00000000000 --- a/security-utils/src/main/java/com/yahoo/security/tls/policy/package-info.java +++ /dev/null @@ -1,8 +0,0 @@ -// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -/** - * @author bjorncs - */ -@ExportPackage -package com.yahoo.security.tls.policy; - -import com.yahoo.osgi.annotation.ExportPackage;
\ No newline at end of file |