blob: bcb2eb0e403fe54d52ab08bb2de8dd0491690802 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
|
// Copyright Vespa.ai. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
#include "policy_checking_certificate_verifier.h"
namespace vespalib::net::tls {
namespace {
bool matches_single_san_dns_requirement(const PeerCredentials& peer_creds, const RequiredPeerCredential& requirement) {
for (const auto& provided_cred : peer_creds.dns_sans) {
if (requirement.matches(provided_cred)) {
return true;
}
}
return false;
}
bool matches_single_san_uri_requirement(const PeerCredentials& peer_creds, const RequiredPeerCredential& requirement) {
for (const auto& provided_cred : peer_creds.uri_sans) {
if (requirement.matches(provided_cred)) {
return true;
}
}
return false;
}
bool matches_cn_requirement(const PeerCredentials& peer_creds, const RequiredPeerCredential& requirement) {
return requirement.matches(peer_creds.common_name);
}
bool matches_all_policy_requirements(const PeerCredentials& peer_creds, const PeerPolicy& policy) {
for (const auto& required_cred : policy.required_peer_credentials()) {
switch (required_cred.field()) {
case RequiredPeerCredential::Field::SAN_DNS:
if (!matches_single_san_dns_requirement(peer_creds, required_cred)) {
return false;
}
continue;
case RequiredPeerCredential::Field::SAN_URI:
if (!matches_single_san_uri_requirement(peer_creds, required_cred)) {
return false;
}
continue;
case RequiredPeerCredential::Field::CN:
if (!matches_cn_requirement(peer_creds, required_cred)) {
return false;
}
continue;
}
abort();
}
return true;
}
} // anon ns
class PolicyConfiguredCertificateVerifier : public CertificateVerificationCallback {
AuthorizedPeers _authorized_peers;
public:
explicit PolicyConfiguredCertificateVerifier(AuthorizedPeers authorized_peers) noexcept;
~PolicyConfiguredCertificateVerifier() override;
[[nodiscard]] VerificationResult verify(const PeerCredentials& peer_creds) const override;
};
PolicyConfiguredCertificateVerifier::PolicyConfiguredCertificateVerifier(AuthorizedPeers authorized_peers) noexcept
: _authorized_peers(std::move(authorized_peers)) {}
PolicyConfiguredCertificateVerifier::~PolicyConfiguredCertificateVerifier() = default;
VerificationResult PolicyConfiguredCertificateVerifier::verify(const PeerCredentials& peer_creds) const {
if (_authorized_peers.allows_all_authenticated()) {
return VerificationResult::make_authorized_with_all_capabilities();
}
CapabilitySet caps;
bool matched_any_policy = false;
for (const auto& policy : _authorized_peers.peer_policies()) {
if (matches_all_policy_requirements(peer_creds, policy)) {
caps.add_all(policy.granted_capabilities());
matched_any_policy = true;
}
}
if (matched_any_policy) {
return VerificationResult::make_authorized_with_capabilities(caps);
} else {
return VerificationResult::make_not_authorized();
}
}
std::shared_ptr<CertificateVerificationCallback> create_verify_callback_from(AuthorizedPeers authorized_peers) {
return std::make_shared<PolicyConfiguredCertificateVerifier>(std::move(authorized_peers));
}
} // vespalib::net::tls
|