From 730cb6dc10b4012002a6c5c49f140c33a55ba1ea Mon Sep 17 00:00:00 2001
From: Bjørn Christian Seime
Date: Thu, 19 Apr 2018 12:45:33 +0200
Subject: Rename TlsPrincipal -> NodePrincipal
---
 .../restapi/v2/filter/AuthorizationFilter.java | 2 +-
 .../restapi/v2/filter/HostAuthenticator.java | 6 ++--
 .../provision/restapi/v2/filter/NodePrincipal.java | 33 ++++++++++++++++++++
 .../provision/restapi/v2/filter/TlsPrincipal.java | 35 ----------------------
 .../restapi/v2/filter/HostAuthenticatorTest.java | 6 ++--
 5 files changed, 40 insertions(+), 42 deletions(-)
 create mode 100644 node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/NodePrincipal.java
 delete mode 100644 node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/TlsPrincipal.java
(limited to 'node-repository')
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilter.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilter.java
index 360a6a1aa73..ccc09aad24a 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilter.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilter.java
@@ -70,7 +70,7 @@ public class AuthorizationFilter implements SecurityRequestFilter {
 List clientCertificateChain = request.getClientCertificateChain();
 if (clientCertificateChain.isEmpty()) return Optional.of(ErrorResponse.unauthorized(createErrorMessage(request, "Missing credentials")));
- TlsPrincipal hostIdentity = hostAuthenticator.authenticate(clientCertificateChain);
+ NodePrincipal hostIdentity = hostAuthenticator.authenticate(clientCertificateChain);
 if (!authorizer.test(hostIdentity, request.getUri())) return Optional.of(ErrorResponse.forbidden(createErrorMessage(request, "Invalid credentials")));
 request.setUserPrincipal(hostIdentity);
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/HostAuthenticator.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/HostAuthenticator.java
index a6e56e2073d..de8d117de11 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/HostAuthenticator.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/HostAuthenticator.java
@@ -33,7 +33,7 @@ class HostAuthenticator {
 this.nodeRepository = nodeRepository;
 }
- TlsPrincipal authenticate(List certificateChain) throws AuthenticationException {
+ NodePrincipal authenticate(List certificateChain) throws AuthenticationException {
 X509Certificate clientCertificate = certificateChain.get(0);
 String subjectCommonName = X509CertificateUtils.getSubjectCommonNames(clientCertificate).stream() .findFirst()
@@ -51,10 +51,10 @@ class HostAuthenticator {
 default: throw new AuthenticationException("Untrusted common name in subject: " + subjectCommonName);
 }
- return new TlsPrincipal(hostname, certificateChain);
+ return new NodePrincipal(hostname, certificateChain);
 } else { // self-signed where common name is hostname // TODO Remove this branch once self-signed certificates are gone
- return new TlsPrincipal(subjectCommonName, certificateChain);
+ return new NodePrincipal(subjectCommonName, certificateChain);
 }
 }
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/NodePrincipal.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/NodePrincipal.java
new file mode 100644
index 00000000000..dbff2b0da34
--- /dev/null
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/NodePrincipal.java
@@ -0,0 +1,33 @@
+// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.hosted.provision.restapi.v2.filter;
+
+import java.security.Principal;
+import java.security.cert.X509Certificate;
+import java.util.List;
+
+/**
+ * @author bjorncs
+ */
+public class NodePrincipal implements Principal {
+ private final String hostIdentity;
+ private final List clientCertificateChain;
+
+ public NodePrincipal(String hostIdentity, List clientCertificateChain) {
+ this.hostIdentity = hostIdentity;
+ this.clientCertificateChain = clientCertificateChain;
+ }
+
+ public String getHostIdentityName() {
+ return hostIdentity;
+ }
+
+ public List getClientCertificateChain() {
+ return clientCertificateChain;
+ }
+
+ @Override
+ public String getName() {
+ return hostIdentity;
+ }
+
+}
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/TlsPrincipal.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/TlsPrincipal.java
deleted file mode 100644
index 227c514160b..00000000000
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/TlsPrincipal.java
+++ /dev/null
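Review bot: The `NodePrincipal` constructor stores the caller's `clientCertificateChain` list by reference and `getClientCertificateChain()` returns that same instance, so any code holding either reference can alter the chain attached to an already authenticated principal. This is carried over unchanged from `TlsPrincipal`, but the new file is a natural place to fix it by copying in the constructor, e.g. `this.clientCertificateChain = Collections.unmodifiableList(new ArrayList<>(clientCertificateChain));` (this needs the `java.util.ArrayList` and `java.util.Collections` imports). Declaring the class `final` would also stop a subclass from overriding `getName()`, which is presumably what the authorizer reads. The only documentation is the author tag; a class Javadoc sentence such as `Principal for a node authenticated from its client certificate chain; getName() returns the host identity.` would make the contract explicit.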
@@ -1,35 +0,0 @@
-// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.vespa.hosted.provision.restapi.v2.filter;
-
-import com.yahoo.vespa.athenz.tls.SubjectAlternativeName;
-
-import java.security.Principal;
-import java.security.cert.X509Certificate;
-import java.util.List;
-
-/**
- * @author bjorncs
- */
-public class TlsPrincipal implements Principal {
- private final String hostIdentity;
- private final List clientCertificateChain;
-
- public TlsPrincipal(String hostIdentity, List clientCertificateChain) {
- this.hostIdentity = hostIdentity;
- this.clientCertificateChain = clientCertificateChain;
- }
-
- public String getHostIdentityName() {
- return hostIdentity;
- }
-
- public List getClientCertificateChain() {
- return clientCertificateChain;
- }
-
- @Override
- public String getName() {
- return hostIdentity;
- }
-
-}
diff --git a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/HostAuthenticatorTest.java b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/HostAuthenticatorTest.java
index fa6c25c189b..e301d8a80f9 100644
--- a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/HostAuthenticatorTest.java
+++ b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/HostAuthenticatorTest.java
@@ -55,7 +55,7 @@ public class HostAuthenticatorTest {
 KEYPAIR, new X500Principal("CN=" + HOSTNAME), Instant.EPOCH, Instant.EPOCH.plusSeconds(60), SHA256_WITH_RSA, 1) .build();
 HostAuthenticator authenticator = new HostAuthenticator(ZONE, nodeRepositoryDummy.nodeRepository());
- TlsPrincipal identity = authenticator.authenticate(singletonList(certificate));
+ NodePrincipal identity = authenticator.authenticate(singletonList(certificate));
 assertEquals(HOSTNAME, identity.getName());
 }
@@ -72,7 +72,7 @@ public class HostAuthenticatorTest {
 .addSubjectAlternativeName(OPENSTACK_ID + ".instanceid.athenz.provider-name.ostk.yahoo.cloud") .build();
 HostAuthenticator authenticator = new HostAuthenticator(ZONE, nodeRepositoryDummy.nodeRepository());
- TlsPrincipal identity = authenticator.authenticate(singletonList(certificate));
+ NodePrincipal identity = authenticator.authenticate(singletonList(certificate));
 assertEquals(HOSTNAME, identity.getName());
 }
@@ -96,7 +96,7 @@ public class HostAuthenticatorTest {
 .addSubjectAlternativeName(vespaUniqueInstanceId.asDottedString() + ".instanceid.athenz.provider-name.vespa.yahoo.cloud") .build();
 HostAuthenticator authenticator = new HostAuthenticator(ZONE, nodeRepositoryDummy.nodeRepository());
- TlsPrincipal identity = authenticator.authenticate(singletonList(certificate));
+ NodePrincipal identity = authenticator.authenticate(singletonList(certificate));
 assertEquals(HOSTNAME, identity.getName());
 }
-- cgit v1.2.3