| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Adds the following:
* Named capabilities and capability sets that represent (respectively)
a single Vespa access API (such as Document API, search API etc)
or a concrete subset of individual capabilities that make up a
particular Vespa service (such as a content node).
* A new `capabilities` array field to the mTLS authorization policies
that allows for constraining what requests sent over a particular
connection are allowed to actually do. Capabilities are referenced
by name and may include any combination of capability sets and
individual capabilities. If multiple capabilities/sets are configured,
the resulting set of capabilities is the union set of all of them.
* An FRT RPC-level access filter that can be set up as part of RPC
method definitions. If set, filters are invoked prior to RPC methods.
* A new `PERMISSION_DENIED` error code to FRT RPC that is invoked if
an access filter denies a request.
This also GCs the unused `AssumedRoles` concept which is now deprecated
in favor of capabilities.
Note: this is **not yet** a public or stable API, and capability
names/semantics may change at any time.
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Exposes the following information via the OpenSSL-backed CryptoCodec:
* Credentials retrieved from authenticated peer certificate.
* Union set of assumed roles from all peer authorization rules that
matched the peer certificate.
Note that this does not add parsing of any mTLS config file role fields,
nor any FNET/FRT wiring required for RPC requests to be associated with
a particular peer authz context. Syntax and semantics etc still pending.
|
|
|
|
|
|
|
| |
This is much like the DNS_SAN matching, but with two major differences:
* Implicit delimiting around `/` characters instead of `.` characters.
* Only wildcard `*` globbing is supported. `?` may be present in a valid
URI and is matched as a literal character instead of _any_ single char.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Adds extraction of X509 URI peer credentials during the handshake
process as well as a new SAN_URI field to the transport security
options peer policy section.
This implementation is NOT conformant with RFC 2459 since we don't
currently support case insensitive matching of scheme, host etc.,
but it's good enough for our purposes for now.
|
|
|
|
|
|
|
|
|
|
|
|
| |
This introduces guaranteed upper bounds for memory usage and
CPU time during regex evaluation. Most importantly, it removes
the danger of catastrophic backtracking that is currrently
present in GCC's std::regex implementation.
With this commit, RE2 will be used instead of std::regex for:
* Document selection regex/glob operators
* Attribute regex search
* Evaluation of mTLS authorization rules
|
| |
|
| |
|
|
Extends TLS config JSON file with an `allowed-peers` object, which
if non-empty specifies a set of policies that a peer may match. If
at least one policy exists a peer must match all requirements in
any single policy to be allowed to connect. I.e. it's sufficient
to match 1 policy out of many.
|