path: root/zookeeper-server/zookeeper-server-3.9.2/src/main/java/com/yahoo/vespa/zookeeper/VespaMtlsAuthenticationProvider.java
blob: 9055491029355a5bcd87e6f00b842aa45eb5bc74 (plain) (blame)
// Copyright Vespa.ai. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.vespa.zookeeper;

import com.yahoo.security.X509SslContext;
import com.yahoo.security.tls.TlsContext;
import com.yahoo.security.tls.TransportSecurityUtils;
import org.apache.zookeeper.KeeperException;
import org.apache.zookeeper.common.ClientX509Util;
import org.apache.zookeeper.common.X509Exception;
import org.apache.zookeeper.data.Id;
import org.apache.zookeeper.server.ServerCnxn;
import org.apache.zookeeper.server.auth.AuthenticationProvider;
import org.apache.zookeeper.server.auth.X509AuthenticationProvider;

import javax.net.ssl.KeyManager;
import javax.net.ssl.X509KeyManager;
import javax.net.ssl.X509TrustManager;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.logging.Logger;

/**
 * An {@link AuthenticationProvider} to be used in combination with Vespa mTLS.
 *
 * @author bjorncs
 */
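public class VespaMtlsAuthenticationProvider extends X509AuthenticationProvider {

    private static final Logger log = Logger.getLogger(VespaMtlsAuthenticationProvider.class.getName());

    /**
     * Creates a provider without a trust or key manager of its own. Neither is needed here:
     * {@link #handleAuthentication} never consults them, because peer authorization is delegated
     * to the TLS layer that terminated the connection.
     */
    public VespaMtlsAuthenticationProvider() {
        super(null, null);
    }

    /**
     * Authenticates a connection purely from the outcome of its TLS handshake.
     * <p>
     * Vespa's mTLS peer authorization rules are enforced by the underlying trust manager, so a client
     * that has completed the handshake is already authorized. This method only records the identity
     * of the peer's leaf certificate on the connection.
     *
     * @param cnxn     the connection to authenticate; its client certificate chain is read, never modified
     * @param authData ignored - the identity is taken from the TLS session, not from the auth packet
     * @return {@link KeeperException.Code#OK} after an auth id has been added to {@code cnxn}, or
     *         {@link KeeperException.Code#AUTHFAILED} if no usable X.509 client chain is present
     */
    @Override
    public KeeperException.Code handleAuthentication(ServerCnxn cnxn, byte[] authData) {
        Certificate[] certificateChain = cnxn.getClientCertificateChain();
        if (certificateChain == null || certificateChain.length == 0) {
            log.warning("Client not authenticated - should not be possible with clientAuth=NEED");
            return KeeperException.Code.AUTHFAILED;
        }
        // Check the leaf explicitly rather than casting the whole array: a chain whose runtime type is
        // not X509Certificate[] would otherwise escape the auth path as a ClassCastException instead of
        // being rejected with a well-defined result code.
        if (!(certificateChain[0] instanceof X509Certificate)) {
            log.warning("Client presented a non-X.509 certificate chain - rejecting");
            return KeeperException.Code.AUTHFAILED;
        }
        X509Certificate certificate = (X509Certificate) certificateChain[0];
        // The auth id is the leaf's subject DN, recorded under the scheme inherited from X509AuthenticationProvider.
        cnxn.addAuthInfo(new Id(getScheme(), certificate.getSubjectX500Principal().getName()));
        return KeeperException.Code.OK;
    }

}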