
Example 1 with XfccSourceConfig

Use of keywhiz.service.config.XfccSourceConfig in project keywhiz by square.

From class ClientAuthFactory, method doProvide:

private Client doProvide(ContainerRequest containerRequest, HttpServletRequest httpServletRequest) {
    // Check whether this port is configured to be used by a proxy.
    // If this configuration is present, traffic on this port _must_
    // identify its clients using the x-forwarded-client-cert header or
    // caller ID header.
    // If the configuration is not present, traffic _must_ identify its
    // clients using the request's security context.
    int requestPort = httpServletRequest.getLocalPort();
    Optional<XfccSourceConfig> possibleXfccConfig = getXfccConfigForPort(requestPort);
    List<String> xfccHeaderValues =
        Optional.ofNullable(containerRequest.getRequestHeader(XFCC_HEADER_NAME)).orElse(List.of());

    // A port must not mix modes: the XFCC header is required on a proxy port
    // and forbidden on a direct port. (When a caller-ID header is configured
    // for a proxy port, the callerSpiffeIdHeader identifies the client, but
    // the XFCC header must still be present.)
    if (possibleXfccConfig.isEmpty() != xfccHeaderValues.isEmpty()) {
        throw new NotAuthorizedException(format(
            "Port %d is configured to %s receive traffic with the %s header set",
            requestPort, possibleXfccConfig.isEmpty() ? "never" : "only", XFCC_HEADER_NAME));
    }

    // Extract information about the entity that connected directly to Keywhiz.
    // This must be identified from the request's security context, rather than
    // easily modified information like a header.
    //
    // This entity may be a Keywhiz client, or it may be a proxy
    // forwarding the real Keywhiz client information.
    Principal connectedPrincipal = getPrincipal(containerRequest)
        .orElseThrow(() -> new NotAuthorizedException("Not authorized as Keywhiz client"));
    setTag("principal", connectedPrincipal.getName());

    // If no proxy configuration exists for this port, the connected principal
    // (taken from the security context of this request) is the client itself.
    if (possibleXfccConfig.isEmpty()) {
        // Use the security context to identify the client.
        return authenticateClientFromPrincipal(connectedPrincipal);
    } else {
        // Use either the XFCC header or a caller-ID header to identify the client.
        return authenticateClientFromForwardedData(
            possibleXfccConfig.get(), xfccHeaderValues, connectedPrincipal, containerRequest);
    }
}
Also used: XfccSourceConfig (keywhiz.service.config.XfccSourceConfig), NotAuthorizedException (javax.ws.rs.NotAuthorizedException), SpiffePrincipal (keywhiz.auth.mutualssl.SpiffePrincipal), CertificatePrincipal (keywhiz.auth.mutualssl.CertificatePrincipal), Principal (java.security.Principal)
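The method above enforces two things: the XFCC header may appear only on a port that is configured for a proxy, and the identity of whoever actually made the TLS connection always comes from the security context, never from a header. What it delegates to authenticateClientFromForwardedData (not shown on this page) is the part a practitioner most wants to see: on a proxy port, the forwarded identity is only worth anything if the connected TLS peer is a proxy you trust. The following is an added, self-contained illustration of that whole flow, not keywhiz's own code. Its XfccSourceConfig is a stand-in record whose field names (port, allowedProxyNames) are assumptions, not the project's; the header layout follows Envoy's X-Forwarded-Client-Cert format (comma-separated certificates, semicolon-separated key=value pairs, double-quoted values with backslash escapes); the port numbers, principal names and header value are constructed sample data. It needs Java 16 or later for records.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;

public final class ForwardedClientAuthDemo {
    static final String XFCC_HEADER_NAME = "X-Forwarded-Client-Cert";

    // Assumed stand-in for keywhiz's XfccSourceConfig (field names are not the project's):
    // the proxy-facing port and the TLS principals trusted to forward client identities.
    record XfccSourceConfig(int port, Set<String> allowedProxyNames) {}

    static final class NotAuthorized extends RuntimeException {
        NotAuthorized(String message) { super(message); }
    }

    private final Map<Integer, XfccSourceConfig> xfccConfigByPort = new HashMap<>();

    ForwardedClientAuthDemo(List<XfccSourceConfig> configs) {
        for (XfccSourceConfig c : configs) xfccConfigByPort.put(c.port(), c);
    }

    Optional<XfccSourceConfig> getXfccConfigForPort(int port) {
        return Optional.ofNullable(xfccConfigByPort.get(port));
    }

    // Returns the authenticated client identity. connectedPrincipal is the name taken from the
    // TLS security context (null if the peer presented no client certificate), never from a header.
    String authenticate(int localPort, String connectedPrincipal, List<String> xfccHeaderValues) {
        Optional<XfccSourceConfig> cfg = getXfccConfigForPort(localPort);
        // Same rule as keywhiz: the XFCC header is present if and only if the port is a proxy port.
        if (cfg.isEmpty() != xfccHeaderValues.isEmpty()) {
            throw new NotAuthorized(String.format(
                "Port %d is configured to %s receive traffic with the %s header set",
                localPort, cfg.isEmpty() ? "never" : "only", XFCC_HEADER_NAME));
        }
        if (connectedPrincipal == null) throw new NotAuthorized("Not authorized as Keywhiz client");
        if (cfg.isEmpty()) return connectedPrincipal; // direct port: the TLS peer is the client
        // Proxy port: believe the forwarded identity only if the TLS peer is a trusted proxy.
        if (!cfg.get().allowedProxyNames().contains(connectedPrincipal)) {
            throw new NotAuthorized("Peer " + connectedPrincipal + " is not an allowed XFCC source on port " + localPort);
        }
        if (xfccHeaderValues.size() != 1) {
            throw new NotAuthorized("Expected exactly one " + XFCC_HEADER_NAME + " header");
        }
        List<Map<String, String>> elements = parseXfcc(xfccHeaderValues.get(0));
        if (elements.size() != 1 || !elements.get(0).containsKey("Subject")) {
            throw new NotAuthorized("Expected exactly one forwarded certificate with a Subject");
        }
        return elements.get(0).get("Subject");
    }

    // Parses an Envoy-style XFCC value: certificates separated by ',', key=value pairs by ';',
    // values optionally double-quoted with backslash escapes, so a quoted Subject may contain ',' or ';'.
    static List<Map<String, String>> parseXfcc(String header) {
        List<Map<String, String>> elements = new ArrayList<>();
        Map<String, String> current = new HashMap<>();
        StringBuilder key = new StringBuilder(), value = new StringBuilder();
        boolean inValue = false, quoted = false;
        for (int i = 0; i < header.length(); i++) {
            char c = header.charAt(i);
            if (quoted) {
                if (c == '\\' && i + 1 < header.length()) value.append(header.charAt(++i));
                else if (c == '"') quoted = false;
                else value.append(c);
            } else if (c == '"' && inValue) {
                quoted = true;
            } else if (c == '=' && !inValue) {
                inValue = true;
            } else if (c == ';' || c == ',') {
                endPair(current, key, value);
                inValue = false;
                if (c == ',') { elements.add(current); current = new HashMap<>(); }
            } else {
                (inValue ? value : key).append(c);
            }
        }
        endPair(current, key, value);
        if (!current.isEmpty()) elements.add(current);
        return elements;
    }

    private static void endPair(Map<String, String> into, StringBuilder key, StringBuilder value) {
        if (key.length() > 0) into.put(key.toString().trim(), value.toString());
        key.setLength(0);
        value.setLength(0);
    }

    public static void main(String[] args) {
        // Constructed sample: port 4444 sits behind a proxy whose client-cert name is "envoy-edge".
        ForwardedClientAuthDemo auth = new ForwardedClientAuthDemo(
            List.of(new XfccSourceConfig(4444, Set.of("envoy-edge"))));
        String xfcc = "By=spiffe://example.org/keywhiz;Hash=0123abcd;"
            + "Subject=\"/C=US/O=Example, Inc./CN=secret-consumer\"";

        System.out.println(auth.authenticate(4443, "secret-consumer", List.of())); // direct mTLS client
        System.out.println(auth.authenticate(4444, "envoy-edge", List.of(xfcc)));  // forwarded by trusted proxy
        List<Runnable> rejected = List.<Runnable>of(
            () -> auth.authenticate(4443, "secret-consumer", List.of(xfcc)), // XFCC on a direct port
            () -> auth.authenticate(4444, "rogue-host", List.of(xfcc)),      // untrusted peer forwarding
            () -> auth.authenticate(4444, "envoy-edge", List.of()));         // proxy port without XFCC
        for (Runnable r : rejected) {
            try { r.run(); } catch (NotAuthorized e) { System.out.println("rejected: " + e.getMessage()); }
        }
    }
}
```

The ordering matters: the port/header consistency check and the trusted-proxy allowlist both run before a single byte of the header is parsed, so a client that reaches a direct port with a forged X-Forwarded-Client-Cert, or an untrusted host that reaches the proxy port, is rejected on the strength of its TLS identity alone. The quoted-value handling in parseXfcc is the one place where a sloppy implementation would let a Subject containing "," or ";" split into extra elements, which is why the example insists on exactly one certificate.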

Aggregations

Principal (java.security.Principal): 1
NotAuthorizedException (javax.ws.rs.NotAuthorizedException): 1
CertificatePrincipal (keywhiz.auth.mutualssl.CertificatePrincipal): 1
SpiffePrincipal (keywhiz.auth.mutualssl.SpiffePrincipal): 1
XfccSourceConfig (keywhiz.service.config.XfccSourceConfig): 1