Add REST handler for PKI delegation #44561
Merged: albertzaharovits merged 33 commits into elastic:proxied-pki from albertzaharovits:security-pki-delegation-add-rest-handler on Aug 1, 2019
33 commits
9758afb  REST handler & javadoc  (albertzaharovits)
9d6eac1  @code not @link between projects  (albertzaharovits)
b178f63  Nits  (albertzaharovits)
05b5209  X509 chain  (albertzaharovits)
48e439c  Delegate PKI request and response  (albertzaharovits)
56591f5  DelegatePkiAuthenticationRequestTests  (albertzaharovits)
d18b34f  PkiAuthDelegationIntegTests  (albertzaharovits)
f251bb2  PkiAuthnDeleg nits  (albertzaharovits)
b5a52ed  Rest high level WIP  (albertzaharovits)
91a034a  WIP  (albertzaharovits)
e9df4a4  DelegatePkiAuthenticationRequestTests  (albertzaharovits)
edac26a  DelegatePkiAuthenticationResponseTests  (albertzaharovits)
1ec439c  Remaining SecurityDocumentationIT  (albertzaharovits)
47931a9  Checkstyle  (albertzaharovits)
6592b08  Checkstyle  (albertzaharovits)
bd85324  Mark SecurityClient javadocs as TODO  (albertzaharovits)
62765e4  SecurityDocumentationIT WIP  (albertzaharovits)
6e09785  SecurityDocumentationIT and Bootstrap realm  (albertzaharovits)
706c7e2  SecurityClient javadocs  (albertzaharovits)
730f8d9  Delete srl files  (albertzaharovits)
5f5eac7  Merge branch 'proxied-pki' into security-pki-delegation-add-rest-hand…  (albertzaharovits)
b0b7020  Adjustment after Streamable is gone  (albertzaharovits)
0686267  Merge branch 'proxied-pki' into security-pki-delegation-add-rest-hand…  (albertzaharovits)
20ac395  Merge branch 'proxied-pki' into security-pki-delegation-add-rest-hand…  (albertzaharovits)
49d3ffa  Merge branch 'proxied-pki' into security-pki-delegation-add-rest-hand…  (albertzaharovits)
be88872  Update docs/java-rest/high-level/security/delegate-pki-authentication…  (albertzaharovits)
adbc1ed  Merge branch 'proxied-pki' into security-pki-delegation-add-rest-hand…  (albertzaharovits)
84798ec  Review  (albertzaharovits)
6ecddd2  Tim's review  (albertzaharovits)
db63b86  Nit  (albertzaharovits)
3423df7  Test  (albertzaharovits)
12e9d58  Merge branch 'proxied-pki' into security-pki-delegation-add-rest-hand…  (albertzaharovits)
faa81db  Merge branch 'proxied-pki' into security-pki-delegation-add-rest-hand…  (albertzaharovits)
Filter by extension
107 changes: 107 additions & 0 deletions
...vel/src/main/java/org/elasticsearch/client/security/DelegatePkiAuthenticationRequest.java
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,107 @@ | ||
| /* | ||
| * Licensed to Elasticsearch under one or more contributor | ||
| * license agreements. See the NOTICE file distributed with | ||
| * this work for additional information regarding copyright | ||
| * ownership. Elasticsearch licenses this file to you under | ||
| * the Apache License, Version 2.0 (the "License"); you may | ||
| * not use this file except in compliance with the License. | ||
| * You may obtain a copy of the License at | ||
| * | ||
| * http://www.apache.org/licenses/LICENSE-2.0 | ||
| * | ||
| * Unless required by applicable law or agreed to in writing, | ||
| * software distributed under the License is distributed on an | ||
| * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY | ||
| * KIND, either express or implied. See the License for the | ||
| * specific language governing permissions and limitations | ||
| * under the License. | ||
| */ | ||
|
|
||
| package org.elasticsearch.client.security; | ||
|
|
||
| import org.elasticsearch.client.Validatable; | ||
| import org.elasticsearch.client.ValidationException; | ||
| import org.elasticsearch.common.xcontent.ToXContentObject; | ||
| import org.elasticsearch.common.xcontent.XContentBuilder; | ||
|
|
||
| import java.io.IOException; | ||
| import java.security.cert.CertificateEncodingException; | ||
| import java.security.cert.X509Certificate; | ||
| import java.util.Base64; | ||
| import java.util.List; | ||
| import java.util.Objects; | ||
| import java.util.Optional; | ||
|
|
||
| import static java.util.Collections.unmodifiableList; | ||
|
|
||
| public final class DelegatePkiAuthenticationRequest implements Validatable, ToXContentObject { | ||
|
|
||
| private final List<X509Certificate> x509CertificateChain; | ||
|
|
||
| public DelegatePkiAuthenticationRequest(final List<X509Certificate> x509CertificateChain) { | ||
| if (x509CertificateChain == null || x509CertificateChain.isEmpty()) { | ||
| throw new IllegalArgumentException("certificate chain must not be empty or null"); | ||
| } | ||
| this.x509CertificateChain = unmodifiableList(x509CertificateChain); | ||
| } | ||
|
|
||
| @Override | ||
| public XContentBuilder toXContent(XContentBuilder builder, Params params) throws IOException { | ||
| builder.startObject().startArray("x509_certificate_chain"); | ||
| try { | ||
| for (X509Certificate cert : x509CertificateChain) { | ||
| builder.value(Base64.getEncoder().encodeToString(cert.getEncoded())); | ||
| } | ||
| } catch (CertificateEncodingException e) { | ||
| throw new IOException(e); | ||
| } | ||
| return builder.endArray().endObject(); | ||
| } | ||
|
|
||
| public List<X509Certificate> getCertificateChain() { | ||
| return this.x509CertificateChain; | ||
| } | ||
|
|
||
| @Override | ||
| public boolean equals(Object o) { | ||
| if (this == o) { | ||
| return true; | ||
| } | ||
| if (o == null || getClass() != o.getClass()) { | ||
| return false; | ||
| } | ||
| final DelegatePkiAuthenticationRequest that = (DelegatePkiAuthenticationRequest) o; | ||
| return Objects.equals(x509CertificateChain, that.x509CertificateChain); | ||
| } | ||
|
|
||
| @Override | ||
| public int hashCode() { | ||
| return Objects.hash(x509CertificateChain); | ||
| } | ||
|
|
||
| @Override | ||
| public Optional<ValidationException> validate() { | ||
| ValidationException validationException = new ValidationException(); | ||
| if (false == isOrderedCertificateChain(x509CertificateChain)) { | ||
| validationException.addValidationError("certificates chain must be an ordered chain"); | ||
| } | ||
| return validationException.validationErrors().isEmpty() ? Optional.empty() : Optional.of(validationException); | ||
| } | ||
|
|
||
| /** | ||
| * Checks that the {@code X509Certificate} list is ordered, such that the end-entity certificate is first and it is followed by any | ||
| * certificate authorities'. The check validates that the {@code issuer} of every certificate is the {@code subject} of the certificate | ||
| * in the next array position. No other certificate attributes are checked. | ||
| */ | ||
| private static boolean isOrderedCertificateChain(List<X509Certificate> chain) { | ||
| for (int i = 1; i < chain.size(); i++) { | ||
| X509Certificate cert = chain.get(i - 1); | ||
| X509Certificate issuer = chain.get(i); | ||
| if (false == cert.getIssuerX500Principal().equals(issuer.getSubjectX500Principal())) { | ||
| return false; | ||
| } | ||
| } | ||
| return true; | ||
| } | ||
|
|
||
| } |
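Review bot: the constructor at `this.x509CertificateChain = unmodifiableList(x509CertificateChain);` wraps the caller's list without copying it, so a caller that keeps a reference to the original list can still add, remove or reorder certificates after construction, and after `validate()` has already passed on the earlier contents. Suggest defensively copying before wrapping, e.g. `this.x509CertificateChain = unmodifiableList(new ArrayList<>(x509CertificateChain));` (with `import java.util.ArrayList;`), so the validated chain is the chain that gets serialized in `toXContent`. Two smaller points: the message in `validate()` reads "certificates chain must be an ordered chain" while the constructor says "certificate chain", so use one wording; and since `isOrderedCertificateChain` checks only issuer/subject name chaining (as its javadoc correctly states), a one-element list passes trivially because the loop starts at index 1, which is worth a sentence in the javadoc so nobody mistakes this client-side check for chain verification.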
88 changes: 88 additions & 0 deletions
...el/src/main/java/org/elasticsearch/client/security/DelegatePkiAuthenticationResponse.java
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,88 @@ | ||
| /* | ||
| * Licensed to Elasticsearch under one or more contributor | ||
| * license agreements. See the NOTICE file distributed with | ||
| * this work for additional information regarding copyright | ||
| * ownership. Elasticsearch licenses this file to you under | ||
| * the Apache License, Version 2.0 (the "License"); you may | ||
| * not use this file except in compliance with the License. | ||
| * You may obtain a copy of the License at | ||
| * | ||
| * http://www.apache.org/licenses/LICENSE-2.0 | ||
| * | ||
| * Unless required by applicable law or agreed to in writing, | ||
| * software distributed under the License is distributed on an | ||
| * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY | ||
| * KIND, either express or implied. See the License for the | ||
| * specific language governing permissions and limitations | ||
| * under the License. | ||
| */ | ||
|
|
||
| package org.elasticsearch.client.security; | ||
|
|
||
| import org.elasticsearch.common.ParseField; | ||
| import org.elasticsearch.common.unit.TimeValue; | ||
| import org.elasticsearch.common.xcontent.ConstructingObjectParser; | ||
| import org.elasticsearch.common.xcontent.XContentParser; | ||
|
|
||
| import java.io.IOException; | ||
| import java.util.Objects; | ||
|
|
||
| import static org.elasticsearch.common.xcontent.ConstructingObjectParser.constructorArg; | ||
|
|
||
| public final class DelegatePkiAuthenticationResponse { | ||
|
|
||
| private final String accessToken; | ||
| private final String type; | ||
| private final TimeValue expiresIn; | ||
|
|
||
| public DelegatePkiAuthenticationResponse(String accessToken, String type, TimeValue expiresIn) { | ||
| this.accessToken = accessToken; | ||
| this.type = type; | ||
| this.expiresIn = expiresIn; | ||
| } | ||
|
|
||
| public String getAccessToken() { | ||
| return accessToken; | ||
| } | ||
|
|
||
| public String getType() { | ||
| return type; | ||
| } | ||
|
|
||
| public TimeValue getExpiresIn() { | ||
| return expiresIn; | ||
| } | ||
|
|
||
| @Override | ||
| public boolean equals(Object o) { | ||
| if (this == o) { | ||
| return true; | ||
| } | ||
| if (o == null || getClass() != o.getClass()) { | ||
| return false; | ||
| } | ||
| final DelegatePkiAuthenticationResponse that = (DelegatePkiAuthenticationResponse) o; | ||
| return Objects.equals(accessToken, that.accessToken) && | ||
| Objects.equals(type, that.type) && | ||
| Objects.equals(expiresIn, that.expiresIn); | ||
| } | ||
|
|
||
| @Override | ||
| public int hashCode() { | ||
| return Objects.hash(accessToken, type, expiresIn); | ||
| } | ||
|
|
||
| private static final ConstructingObjectParser<DelegatePkiAuthenticationResponse, Void> PARSER = new ConstructingObjectParser<>( | ||
| "delegate_pki_response", true, | ||
| args -> new DelegatePkiAuthenticationResponse((String) args[0], (String) args[1], TimeValue.timeValueSeconds((Long) args[2]))); | ||
|
|
||
| static { | ||
| PARSER.declareString(constructorArg(), new ParseField("access_token")); | ||
| PARSER.declareString(constructorArg(), new ParseField("type")); | ||
| PARSER.declareLong(constructorArg(), new ParseField("expires_in")); | ||
| } | ||
|
|
||
| public static DelegatePkiAuthenticationResponse fromXContent(XContentParser parser) throws IOException { | ||
| return PARSER.parse(parser, null); | ||
| } | ||
| } |
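Review bot: the public constructor accepts `null` for `accessToken`, `type` and `expiresIn` with no check, unlike `DelegatePkiAuthenticationRequest`, which rejects a null or empty chain. The parsed path is safe because all three fields are declared with `constructorArg()` (so `PARSER` fails on a missing field), but callers can still build an inconsistent instance directly; suggest `Objects.requireNonNull` on each argument in the constructor for consistency, since `java.util.Objects` is already imported. Separately, `accessToken` is a bearer credential: the class defines no `toString`, which is the right choice here, and if one is added later it should omit the token so the value cannot end up in logs or exception messages.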
I have added a certificate chain (testClient.crt, testIntermediateCA.crt and testRootCA.crt files) as resources to these two projects.