| Commit message | Author | Date | Files | Lines |
|---|---|---|---|---|
| Ignore calls to SystemTlsContext.close() | Bjørn Christian Seime | 2022-08-30 | 1 | -2/+1 |
| Force caller to handle failed capability verification check | Bjørn Christian Seime | 2022-07-21 | 2 | -14/+28 |
| Improve error message | Bjørn Christian Seime | 2022-07-21 | 1 | -1/+1 |
| Move logic for capability checking/logging to ConnectionAuthContext | Bjørn Christian Seime | 2022-07-21 | 3 | -9/+63 |
| Use getSubjectCommonName() | Bjørn Christian Seime | 2022-07-21 | 1 | -7/+1 |
| Get ConnectionAuthContext from SSL session after handshake is complete | Bjørn Christian Seime | 2022-07-21 | 3 | -28/+67 |
| Bound key-value pairs from the SSL handshake session are now copied to the final SSL session object. This simplifies the dataflow: no need to retrieve the instance right after our custom trust manager is invoked. | | | | |
| Include client certificate chain even when authorization is disabled | Bjørn Christian Seime | 2022-07-20 | 3 | -4/+11 |
| Implement RequireCapabilitiesFilter in jrt + misc | Bjørn Christian Seime | 2022-07-20 | 3 | -8/+9 |
| Add peerSpec to Target/Connection. Always provide ConnectionAuthContext. Add helper for creating default, all-granting ConnectionAuthContext. | | | | |
| Add to-string helper to ConnectionAuthContext | Bjørn Christian Seime | 2022-07-20 | 1 | -1/+38 |
| Simplify type definition for subject alternative names | Bjørn Christian Seime | 2022-07-20 | 4 | -17/+17 |
| Add 'X509CertificateUtils.getSubjectCommonName()' | Bjørn Christian Seime | 2022-07-20 | 1 | -1/+7 |
| Move generic crypto helpers from 'c.y.s.tls' to 'c.y.s' | Bjørn Christian Seime | 2022-07-20 | 9 | -20/+10 |
| Merge Java package 'c.y.s.tls.{auth,json,policy}' into 'c.y.s.tls' | Bjørn Christian Seime | 2022-07-20 | 19 | -66/+20 |
| Facilitate improved encapsulation of Vespa mTLS-related classes. | | | | |
| Remove empty package | Bjørn Christian Seime | 2022-07-20 | 1 | -8/+0 |
| Add 'CapabilitySet.has()' methods | Bjørn Christian Seime | 2022-07-20 | 1 | -0/+3 |
| Add environment variable for capabilities enforcement mode | Bjørn Christian Seime | 2022-07-20 | 2 | -0/+33 |
| Rename method/variable names to match new class name | Bjørn Christian Seime | 2022-07-19 | 1 | -1/+1 |
| Include mode in log message | Bjørn Christian Seime | 2022-07-15 | 1 | -3/+4 |
| Rename 'toCapabilityNames()' to 'toNames()' | Bjørn Christian Seime | 2022-07-15 | 2 | -2/+2 |
| Always run PeerAuthorizer | Bjørn Christian Seime | 2022-07-15 | 9 | -45/+44 |
| Interpret empty AuthorizedPeers as granting all capabilities unconditionally. Assume AuthorizedPeers is always present. | | | | |
| Rename 'hasAllCapabilities()' => 'hasAll()' | Bjørn Christian Seime | 2022-07-15 | 2 | -2/+2 |
| Change type from SortedSet to Set | Bjørn Christian Seime | 2022-07-15 | 2 | -7/+4 |
| Rename 'succeeded' => 'authorized' | Bjørn Christian Seime | 2022-07-15 | 2 | -2/+2 |
| Include full certificate chain in auth context | Bjørn Christian Seime | 2022-07-15 | 3 | -15/+26 |
| Return granted capabilities from PeerAuthorizer | Bjørn Christian Seime | 2022-07-15 | 5 | -53/+46 |
| Introduce new ConnectionAuthContext as replacement for AuthorizationResult/SecurityContext. | | | | |
| Add Capability and CapabilitySet including JSON serialization | Bjørn Christian Seime | 2022-07-13 | 5 | -4/+147 |
| Convert POJOs to record | Bjørn Christian Seime | 2022-07-13 | 2 | -79/+9 |
| Remove 'role' concept from 'authorized-peers' | Bjørn Christian Seime | 2022-07-11 | 6 | -86/+9 |
| Add NTokenGenerator | Håkon Hallingstad | 2022-03-16 | 1 | -0/+8 |
| Disable '?' as single char wildcard for URI matching | Bjørn Christian Seime | 2021-12-09 | 3 | -6/+6 |
| Support glob pattern for URIs with '/' as boundary | Bjørn Christian Seime | 2021-12-02 | 2 | -15/+11 |
| Add glob pattern helper that handles multiple alternative boundaries | Bjørn Christian Seime | 2021-12-02 | 2 | -35/+89 |
| Disable ciphers that are only supported by some JDK-11 versions | Bjørn Christian Seime | 2021-11-09 | 1 | -4/+5 |
| Update 2020 Oath copyrights. | gjoranv | 2021-10-27 | 1 | -1/+1 |
| Update 2019 Oath copyrights. | gjoranv | 2021-10-27 | 9 | -9/+9 |
| Update Verizon Media copyright notices. | gjoranv | 2021-10-07 | 3 | -3/+3 |
| Update 2018 copyright notices. | gjoranv | 2021-10-07 | 38 | -38/+38 |
| Read certificate fingerprint | Morten Tokle | 2021-09-22 | 1 | -0/+15 |
| Revert "Revert mortent/cfg operator cert" | Morten Tokle | 2021-05-28 | 1 | -0/+17 |
| Revert "Add top-level object, simplify tests" | Morten Tokle | 2021-05-25 | 1 | -17/+0 |
| This reverts commit d97430f1bb633fc9eb541f2fb057a41a012d088f. | | | | |
| Add top-level object, simplify tests | Morten Tokle | 2021-05-25 | 1 | -0/+17 |
| Remove com.yahoo.vespa.jdk8compat | Bjørn Christian Seime | 2021-03-10 | 11 | -96/+21 |
| These types are often accidentally imported, and the JDK8 replacement is typically a one-liner. | | | | |
| Make TLS protocol version configurable in TLS config file | Bjørn Christian Seime | 2021-02-24 | 5 | -10/+44 |
| Only protocols listed in the allowlist can be configured. TLSv1.2 is the only supported version at the moment, but TLSv1.3 will most likely be included in the future. | | | | |
| Disable TLSv1.3 | Bjørn Christian Seime | 2021-02-24 | 1 | -1/+2 |
| Allow TLSv1.3 | Bjørn Christian Seime | 2021-02-18 | 1 | -1/+1 |
| Use singleton already present. | Henning Baldersheim | 2021-01-28 | 1 | -4/+0 |
| Use a single, shared TlsContext instance | Bjørn Christian Seime | 2021-01-14 | 2 | -18/+31 |
| The configuration is based on environment variables, which are effectively fixed through the life of the JVM instance. This simplification removes the need for complex cleanup logic based on manual reference counting and weak references. | | | | |
| Revert "Use a single reloader per tls config file, and not one per instance." | Bjørn Christian Seime | 2021-01-14 | 2 | -162/+135 |
| This reverts commit c58415566e23dcac5f0daa352f39f567a4d7b44f. | | | | |
| Revert "Use reference counting to avoid relying on GC to drop threads." | Bjørn Christian Seime | 2021-01-14 | 2 | -36/+8 |
| This reverts commit 1c6c89eb52ac80c583c0cd90efdd0784344af434. | | | | |
| Support SAN URI based rules in authorization policies | Bjørn Christian Seime | 2020-11-26 | 5 | -3/+55 |