From f4965306b79f0015ca9e8e32072877e57f7f532c Mon Sep 17 00:00:00 2001
From: Bjørn Christian Seime
Date: Thu, 21 Jul 2022 14:56:51 +0200
Subject: Move logic for capability checking/logging to ConnectionAuthContext

---
 .../com/yahoo/jrt/RequireCapabilitiesFilter.java | 30 ++--------------------
 1 file changed, 2 insertions(+), 28 deletions(-)

(limited to 'jrt/src')

diff --git a/jrt/src/com/yahoo/jrt/RequireCapabilitiesFilter.java b/jrt/src/com/yahoo/jrt/RequireCapabilitiesFilter.java
index bb2eafcf711..8b7fc3c1a46 100644
--- a/jrt/src/com/yahoo/jrt/RequireCapabilitiesFilter.java
+++ b/jrt/src/com/yahoo/jrt/RequireCapabilitiesFilter.java
@@ -2,24 +2,13 @@
 package com.yahoo.jrt;
 import com.yahoo.security.tls.Capability;
-import com.yahoo.security.tls.CapabilityMode;
 import com.yahoo.security.tls.CapabilitySet;
-import com.yahoo.security.tls.ConnectionAuthContext;
-import com.yahoo.security.tls.TransportSecurityUtils;
-
-import java.util.logging.Logger;
-
-import static com.yahoo.security.tls.CapabilityMode.DISABLE;
-import static com.yahoo.security.tls.CapabilityMode.LOG_ONLY;
 /**
  * @author bjorncs
  */
 public class RequireCapabilitiesFilter implements RequestAccessFilter {
-    private static final Logger log = Logger.getLogger(RequireCapabilitiesFilter.class.getName());
-    private static final CapabilityMode MODE = TransportSecurityUtils.getCapabilityMode();
-
     private final CapabilitySet requiredCapabilities;
     public RequireCapabilitiesFilter(CapabilitySet requiredCapabilities) {
@@ -32,23 +21,8 @@ public class RequireCapabilitiesFilter implements RequestAccessFilter {
     @Override
     public boolean allow(Request r) {
-        if (MODE == DISABLE) return true;
-        ConnectionAuthContext ctx = r.target().connectionAuthContext();
-        CapabilitySet peerCapabilities = ctx.capabilities();
-        boolean authorized = peerCapabilities.has(requiredCapabilities);
-        if (!authorized) {
-            String msg = "%sPermission denied for RPC method '%s'. Peer at %s with %s. Call requires %s, but peer has %s" .formatted(MODE == LOG_ONLY ? "Dry-run: " : "", r.methodName(), r.target().peerSpec(), ctx.peerCertificateString().orElseThrow(),
-                            requiredCapabilities.toNames(), peerCapabilities.toNames());
-            if (MODE == LOG_ONLY) {
-                log.info(msg);
-                return true;
-            } else {
-                log.warning(msg);
-                return false;
-            }
-        }
-        return true;
+        return r.target().connectionAuthContext()
+                .hasCapabilities(requiredCapabilities, "RPC", r.methodName(), r.target().peerSpec().toString());
     }
 }
--
cgit v1.2.3
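Review bot: The rewritten `allow` body on the two `+` lines no longer shows that the disable / log-only / enforce distinction, the denial logging, and the fail-closed `return false` that the removed lines implemented now all depend on `ConnectionAuthContext.hasCapabilities`, so a reader of this filter cannot tell from here whether a peer lacking a capability is still rejected in enforcing mode; that behaviour can only be confirmed from the callee, which is outside this patch. A comment above the return would keep that visible, `// Capability mode (disabled / dry-run / enforce) and denial logging are handled by ConnectionAuthContext.hasCapabilities; "RPC" labels the request type in its log output`, with the label part hedged until the callee's parameter meaning is confirmed. The class carries only an `@author` Javadoc; a one-sentence summary that it rejects requests whose peer connection does not hold every capability in `requiredCapabilities` would document the contract callers rely on. As a point of style, `r.target()` is evaluated twice in one expression; `var target = r.target();` followed by `return target.connectionAuthContext().hasCapabilities(requiredCapabilities, "RPC", r.methodName(), target.peerSpec().toString());` reads more plainly, and since the capability-mode test moved out of this class, a unit test exercising `allow` for a peer without the required capabilities would pin the enforcing-mode result.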