/** * Returns the {@code Principal} identifying the peer. * * @return the {@code Principal} identifying the peer. * @throws SSLPeerUnverifiedException * if the identity of the peer has not been verified. */ public Principal getPeerPrincipal() throws SSLPeerUnverifiedException { return session.getPeerPrincipal(); }
/** * SSLSession's peerPrincipal for the remote host. * @return Principal */ public Principal peerPrincipal() { try { return sslEngine.getSession().getPeerPrincipal(); } catch (SSLPeerUnverifiedException se) { log.debug("SSL peer is not authenticated, returning ANONYMOUS instead"); return KafkaPrincipal.ANONYMOUS; } }
public void verify(SSLSession session) throws SecurityException { Principal principal=null; try { principal=session.getPeerPrincipal(); String name=principal.getName(); Matcher m=pattern.matcher(name); boolean find=m.find(); if(!find) throw new SecurityException(String.format("pattern '%s' not found in peer certificate '%s'", cn_name, name)); else System.out.printf("** pattern '%s' found in peer certificate '%s'\n", cn_name, name); } catch(SSLPeerUnverifiedException e) { throw new SecurityException(e); } } }
private static String stringifyPrincipal(SSLSocket socket) { try { return String.format(" (%s)", socket.getSession().getPeerPrincipal().toString()); } catch (Exception e) { // Principal information is not available. return ""; } }
@Override public boolean verify(String hostname, SSLSession session) { try { String principalName = session.getPeerPrincipal().getName(); if (hostname.equals(requestHostname) && principalName.equals(certPrincipalName)) return true; } catch (SSLPeerUnverifiedException e) { } return HttpsURLConnection.getDefaultHostnameVerifier().verify(hostname, session); } };
public Principal getPeerPrincipal() throws SSLPeerUnverifiedException { return unwrap().getPeerPrincipal(); }
public static Principal getPeerPrincipalFromConnection(RemotingConnection remotingConnection) { Principal result = null; if (remotingConnection != null) { Connection transportConnection = remotingConnection.getTransportConnection(); if (transportConnection instanceof NettyConnection) { NettyConnection nettyConnection = (NettyConnection) transportConnection; ChannelHandler channelHandler = nettyConnection.getChannel().pipeline().get("ssl"); if (channelHandler != null && channelHandler instanceof SslHandler) { SslHandler sslHandler = (SslHandler) channelHandler; try { result = sslHandler.engine().getSession().getPeerPrincipal(); } catch (SSLPeerUnverifiedException ignored) { } } } } return result; } }
final String principalName = sslSession.getPeerPrincipal().getName();
peerPrincipal = session.getPeerPrincipal();
@Test public void testPrincipalIfSSLPeerIsNotAuthenticated() throws Exception { SSLSession session = mock(SSLSession.class); when(session.getPeerPrincipal()).thenReturn(KafkaPrincipal.ANONYMOUS); DefaultKafkaPrincipalBuilder builder = new DefaultKafkaPrincipalBuilder(null, null); KafkaPrincipal principal = builder.build( new SslAuthenticationContext(session, InetAddress.getLocalHost(), SecurityProtocol.PLAINTEXT.name())); assertEquals(KafkaPrincipal.ANONYMOUS, principal); builder.close(); verify(session, atLeastOnce()).getPeerPrincipal(); }
@Override public KafkaPrincipal build(AuthenticationContext context) { if (context instanceof PlaintextAuthenticationContext) { if (oldPrincipalBuilder != null) return convertToKafkaPrincipal(oldPrincipalBuilder.buildPrincipal(transportLayer, authenticator)); return KafkaPrincipal.ANONYMOUS; } else if (context instanceof SslAuthenticationContext) { SSLSession sslSession = ((SslAuthenticationContext) context).session(); if (oldPrincipalBuilder != null) return convertToKafkaPrincipal(oldPrincipalBuilder.buildPrincipal(transportLayer, authenticator)); try { return applySslPrincipalMapper(sslSession.getPeerPrincipal()); } catch (SSLPeerUnverifiedException se) { return KafkaPrincipal.ANONYMOUS; } } else if (context instanceof SaslAuthenticationContext) { SaslServer saslServer = ((SaslAuthenticationContext) context).server(); if (SaslConfigs.GSSAPI_MECHANISM.equals(saslServer.getMechanismName())) return applyKerberosShortNamer(saslServer.getAuthorizationID()); else return new KafkaPrincipal(KafkaPrincipal.USER_TYPE, saslServer.getAuthorizationID()); } else { throw new IllegalArgumentException("Unhandled authentication context type: " + context.getClass().getName()); } }
@Test public void testUseSessionPeerPrincipalForSsl() throws Exception { SSLSession session = mock(SSLSession.class); when(session.getPeerPrincipal()).thenReturn(new DummyPrincipal("foo")); DefaultKafkaPrincipalBuilder builder = new DefaultKafkaPrincipalBuilder(null, null); KafkaPrincipal principal = builder.build( new SslAuthenticationContext(session, InetAddress.getLocalHost(), SecurityProtocol.PLAINTEXT.name())); assertEquals(KafkaPrincipal.USER_TYPE, principal.getPrincipalType()); assertEquals("foo", principal.getName()); builder.close(); verify(session, atLeastOnce()).getPeerPrincipal(); }
@Test public void testPrincipalWithSslPrincipalMapper() throws Exception { SSLSession session = mock(SSLSession.class); when(session.getPeerPrincipal()).thenReturn(new X500Principal("CN=Duke, OU=ServiceUsers, O=Org, C=US")) .thenReturn(new X500Principal("CN=Duke, OU=SME, O=mycp, L=Fulton, ST=MD, C=US")) .thenReturn(new X500Principal("CN=duke, OU=JavaSoft, O=Sun Microsystems")) .thenReturn(new X500Principal("OU=JavaSoft, O=Sun Microsystems, C=US")); List<String> rules = Arrays.asList( "RULE:^CN=(.*),OU=ServiceUsers.*$/$1/L", "RULE:^CN=(.*),OU=(.*),O=(.*),L=(.*),ST=(.*),C=(.*)$/$1@$2/L", "RULE:^.*[Cc][Nn]=([a-zA-Z0-9.]*).*$/$1/U", "DEFAULT" ); SslPrincipalMapper mapper = SslPrincipalMapper.fromRules(rules); DefaultKafkaPrincipalBuilder builder = new DefaultKafkaPrincipalBuilder(null, mapper); SslAuthenticationContext sslContext = new SslAuthenticationContext(session, InetAddress.getLocalHost(), SecurityProtocol.PLAINTEXT.name()); KafkaPrincipal principal = builder.build(sslContext); assertEquals("duke", principal.getName()); principal = builder.build(sslContext); assertEquals("duke@sme", principal.getName()); principal = builder.build(sslContext); assertEquals("DUKE", principal.getName()); principal = builder.build(sslContext); assertEquals("OU=JavaSoft,O=Sun Microsystems,C=US", principal.getName()); builder.close(); verify(session, times(4)).getPeerPrincipal(); }
if (sslChannel != null && (sslSession = sslChannel.getSslSession()) != null) { connection.setIdentity((SecurityIdentity) sslSession.getValue(SSLUtils.SSL_SESSION_IDENTITY_KEY)); final Principal principal = sslSession.getPeerPrincipal();
private void checkCertForAllowedPrincipals(HttpsExchange pHttpsExchange) { if (allowedPrincipals != null) { X500Principal certPrincipal; try { certPrincipal = (X500Principal) pHttpsExchange.getSSLSession().getPeerPrincipal(); Set<Rdn> certPrincipalRdns = getPrincipalRdns(certPrincipal); boolean matchFound = false; for (LdapName principal : allowedPrincipals) { if (certPrincipalRdns.containsAll(principal.getRdns())) { matchFound = true; break; } } if (!matchFound) { throw new SecurityException("Principal " + certPrincipal + " not allowed"); } } catch (SSLPeerUnverifiedException e) { throw new SecurityException("SSLPeer unverified"); } catch (ClassCastException e) { throw new SecurityException("Internal: Invalid Principal class provided " + e); } } }
log.debug("Not using certificates for peers, try verifying the principal"); try { Principal peerPrincipal = session.getPeerPrincipal(); log.debug("peerPrincipal = {}", peerPrincipal); if (peerPrincipal instanceof KerberosPrincipal) {
/** * Returns the {@code Principal} identifying the peer. * * @return the {@code Principal} identifying the peer. * @throws SSLPeerUnverifiedException * if the identity of the peer has not been verified. */ public Principal getPeerPrincipal() throws SSLPeerUnverifiedException { return session.getPeerPrincipal(); }
@Override public Result authenticate(HttpExchange httpExchange) { if( !(httpExchange instanceof HttpsExchange) ) { return new Failure(500); } try { HttpsExchange httpsExchange = (HttpsExchange) httpExchange; X509Certificate certificate = getClientCert(httpsExchange); if (certificate == null) { return new Failure(401); } checkCertForClientUsage(certificate); checkCertForAllowedPrincipals(httpsExchange); String name=""; try { name = httpsExchange.getSSLSession().getPeerPrincipal().getName(); } catch (SSLPeerUnverifiedException ignore) { } return new Success(new HttpPrincipal(name, "ssl")); } catch (SecurityException e) { return new Failure(403); } }
public class MyHandshakeCompletedListener implements HandshakeCompletedListener { @Override public void handshakeCompleted(HandshakeCompletedEvent event) { SSLSession session = event.getSession(); String protocol = session.getProtocol(); String cipherSuite = session.getCipherSuite(); String peerName = null; try { peerName = session.getPeerPrincipal().getName(); } catch (SSLPeerUnverifiedException e) { } }
@Override public Principal getPeerPrincipal() throws SSLPeerUnverifiedException { SecureCacheResponse cacheResponse = delegate.getSecureCacheResponse(); if (cacheResponse != null) { return cacheResponse.getPeerPrincipal(); } SSLSocket sslSocket = getSslSocket(); if (sslSocket != null) { return sslSocket.getSession().getPeerPrincipal(); } return null; }