path: root/security-utils/src/main/java
Commit message | Author | Age | Files | Lines
* Implement RequireCapabilitiesFilter in jrt + misc | Bjørn Christian Seime | 2022-07-20 | 3 | -8/+9
  Add peerSpec to Target/Connection. Always provide ConnectionAuthContext. Add helper for creating default, all-granting ConnectionAuthContext.
* Add to-string helper to ConnectionAuthContext | Bjørn Christian Seime | 2022-07-20 | 1 | -1/+38
* Simplify type definition for subject alternative names | Bjørn Christian Seime | 2022-07-20 | 4 | -17/+17
* Add 'X509CertificateUtils.getSubjectCommonName()' | Bjørn Christian Seime | 2022-07-20 | 1 | -1/+7
* Move generic crypto helpers from 'c.y.s.tls' to 'c.y.s' | Bjørn Christian Seime | 2022-07-20 | 9 | -20/+10
* Merge Java package 'c.y.s.tls.{auth,json,policy}' into 'c.y.s.tls' | Bjørn Christian Seime | 2022-07-20 | 19 | -66/+20
  Facilitate improved encapsulation of Vespa mTLS related classes
* Remove empty package | Bjørn Christian Seime | 2022-07-20 | 1 | -8/+0
* Add 'CapabilitySet.has()' methods | Bjørn Christian Seime | 2022-07-20 | 1 | -0/+3
* Add environment variable for capabilities enforcement mode | Bjørn Christian Seime | 2022-07-20 | 2 | -0/+33
* Rename method/variable names to match new class name | Bjørn Christian Seime | 2022-07-19 | 1 | -1/+1
* Include mode in log message | Bjørn Christian Seime | 2022-07-15 | 1 | -3/+4
* Rename 'toCapabilityNames()' to 'toNames()' | Bjørn Christian Seime | 2022-07-15 | 2 | -2/+2
* Always run PeerAuthorizer | Bjørn Christian Seime | 2022-07-15 | 9 | -45/+44
  Interpret empty AuthorizedPeers as granting all capabilities unconditionally. Assume AuthorizedPeers as always present.
* Rename 'hasAllCapabilities()' => 'hasAll()' | Bjørn Christian Seime | 2022-07-15 | 2 | -2/+2
* Change type from SortedSet to Set | Bjørn Christian Seime | 2022-07-15 | 2 | -7/+4
* Rename 'succeeded' => 'authorized' | Bjørn Christian Seime | 2022-07-15 | 2 | -2/+2
* Include full certificate chain in auth context | Bjørn Christian Seime | 2022-07-15 | 3 | -15/+26
* Return granted capabilities from PeerAuthorizer | Bjørn Christian Seime | 2022-07-15 | 5 | -53/+46
  Introduce new ConnectionAuthContext as replacement for AuthorizationResult/SecurityContext.
* Add Capability and CapabilitySet including JSON serialization | Bjørn Christian Seime | 2022-07-13 | 5 | -4/+147
* Convert POJOs to record | Bjørn Christian Seime | 2022-07-13 | 2 | -79/+9
* Remove 'role' concept from 'authorized-peers' | Bjørn Christian Seime | 2022-07-11 | 6 | -86/+9
* Add NTokenGenerator | Håkon Hallingstad | 2022-03-16 | 1 | -0/+8
* Disable '?' as single char wildcard for URI matching | Bjørn Christian Seime | 2021-12-09 | 3 | -6/+6
* Support glob pattern for URIs with '/' as boundary | Bjørn Christian Seime | 2021-12-02 | 2 | -15/+11
* Add glob pattern helper that handles multiple alternative boundaries | Bjørn Christian Seime | 2021-12-02 | 2 | -35/+89
* Disable ciphers that are only supported by some JDK-11 versions | Bjørn Christian Seime | 2021-11-09 | 1 | -4/+5
* Update 2020 Oath copyrights. | gjoranv | 2021-10-27 | 1 | -1/+1
* Update 2019 Oath copyrights. | gjoranv | 2021-10-27 | 9 | -9/+9
* Update Verizon Media copyright notices. | gjoranv | 2021-10-07 | 3 | -3/+3
* Update 2018 copyright notices. | gjoranv | 2021-10-07 | 38 | -38/+38
* Read certificate fingerprint | Morten Tokle | 2021-09-22 | 1 | -0/+15
* Revert "Revert mortent/cfg operator cert" | Morten Tokle | 2021-05-28 | 1 | -0/+17
* Revert "Add top-level object, simplify tests" | Morten Tokle | 2021-05-25 | 1 | -17/+0
  This reverts commit d97430f1bb633fc9eb541f2fb057a41a012d088f.
* Add top-level object, simplify tests | Morten Tokle | 2021-05-25 | 1 | -0/+17
* Remove com.yahoo.vespa.jdk8compat | Bjørn Christian Seime | 2021-03-10 | 11 | -96/+21
  These types are often accidentally imported, and the JDK8 replacement is typically a one-liner.
* Make TLS protocol version configurable in TLS config file | Bjørn Christian Seime | 2021-02-24 | 5 | -10/+44
  Only protocols listed in allowlist can be configured. TLSv1.2 is the only supported version at the moment, but TLSv1.3 will most likely be included in the future.
* Disable TLSV1.3 | Bjørn Christian Seime | 2021-02-24 | 1 | -1/+2
* Allow TLSv1.3 | Bjørn Christian Seime | 2021-02-18 | 1 | -1/+1
* Use singleton already present. | Henning Baldersheim | 2021-01-28 | 1 | -4/+0
* Use a single, shared TlsContext instance | Bjørn Christian Seime | 2021-01-14 | 2 | -18/+31
  The configuration is based on environment variables, which are effectively fixed through the life of the JVM instance. This simplification removes the need for complex cleanup logic based on manual reference counting and weak references.
* Revert "Use a single reloader per tls config file, and not one per instance." | Bjørn Christian Seime | 2021-01-14 | 2 | -162/+135
  This reverts commit c58415566e23dcac5f0daa352f39f567a4d7b44f.
* Revert "Use reference counting to avoid relying on GC to drop threads." | Bjørn Christian Seime | 2021-01-14 | 2 | -36/+8
  This reverts commit 1c6c89eb52ac80c583c0cd90efdd0784344af434.
* Support SAN URI based rules in authorization policies | Bjørn Christian Seime | 2020-11-26 | 5 | -3/+55
* Add convenience method for adding SAN | Bjørn Christian Seime | 2020-11-25 | 1 | -0/+5
* Encapsulate pattern implementation in RequiredPeerCredential | Bjørn Christian Seime | 2020-11-25 | 3 | -7/+27
* Revert "Revert "Bjorncs/health check proxy https"" | Bjørn Christian Seime | 2020-10-15 | 1 | -0/+27
* Revert "Bjorncs/health check proxy https" | Arnstein Ressem | 2020-10-15 | 1 | -27/+0
* Add trust manager that accepts any server certificate | Bjørn Christian Seime | 2020-10-14 | 1 | -0/+27
* Revert "Revert "Expose underlying certificate and private key from SiaIdentityProvider "" | Bjørn Christian Seime | 2020-06-02 | 2 | -1/+42
* Revert "Expose underlying certificate and private key from SiaIdentityProvider " | Harald Musum | 2020-05-28 | 2 | -42/+1