/**
* Copyright 2016 Yahoo Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package com.yahoo.pulsar.broker.authentication;
import java.io.IOException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.naming.AuthenticationException;
import com.yahoo.pulsar.broker.ServiceConfiguration;
public class AuthenticationProviderTls implements AuthenticationProvider {
@Override
public void close() throws IOException {
// noop
}
@Override
public void initialize(ServiceConfiguration config) throws IOException {
// noop
}
@Override
public String getAuthMethodName() {
return "tls";
}
@Override
public String authenticate(AuthenticationDataSource authData) throws AuthenticationException {
String commonName = null;
if (authData.hasDataFromTls()) {
/**
* Maybe authentication type should be checked if it is a HTTPS session. However this check fails actually
* because authType is null.
*
* This check is not necessarily needed, because an untrusted certificate is not passed to
* HttpServletRequest.
*
* <code>
* if (authData.hasDataFromHttp()) {
* String authType = authData.getHttpAuthType();
* if (!HttpServletRequest.CLIENT_CERT_AUTH.equals(authType)) {
* throw new AuthenticationException(
* String.format( "Authentication type mismatch, Expected: %s, Found: %s",
* HttpServletRequest.CLIENT_CERT_AUTH, authType));
* }
* }
* </code>
*/
// Extract CommonName
// The format is defined in RFC 2253.
// Example:
// CN=Steve Kille,O=Isode Limited,C=GB
Certificate[] certs = authData.getTlsCertificates();
String distinguishedName = ((X509Certificate) certs[0]).getSubjectX500Principal().getName();
for (String keyValueStr : distinguishedName.split(",")) {
String[] keyValue = keyValueStr.split("=", 2);
if (keyValue.length == 2 && "CN".equals(keyValue[0]) && !keyValue[1].isEmpty()) {
commonName = keyValue[1];
break;
}
}
}
if (commonName == null) {
throw new AuthenticationException("Client unable to authenticate with TLS certificate");
}
return commonName;
}
}