AuthenticationProviderTls.java

/**
 * Copyright 2016 Yahoo Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package com.yahoo.pulsar.broker.authentication;

import java.io.IOException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

import javax.naming.AuthenticationException;

import com.yahoo.pulsar.broker.ServiceConfiguration;

public class AuthenticationProviderTls implements AuthenticationProvider {

    @Override
    public void close() throws IOException {
        // noop
    }

    @Override
    public void initialize(ServiceConfiguration config) throws IOException {
        // noop
    }

    @Override
    public String getAuthMethodName() {
        return "tls";
    }

    @Override
    public String authenticate(AuthenticationDataSource authData) throws AuthenticationException {
        String commonName = null;

        if (authData.hasDataFromTls()) {
            /**
             * Maybe authentication type should be checked if it is a HTTPS session. However this check fails actually
             * because authType is null.
             *
             * This check is not necessarily needed, because an untrusted certificate is not passed to
             * HttpServletRequest.
             *
             * <code>
             * if (authData.hasDataFromHttp()) {
             *     String authType = authData.getHttpAuthType();
             *     if (!HttpServletRequest.CLIENT_CERT_AUTH.equals(authType)) {
             *         throw new AuthenticationException(
             *              String.format( "Authentication type mismatch, Expected: %s, Found: %s",
             *                       HttpServletRequest.CLIENT_CERT_AUTH, authType));
             *     }
             * }
             * </code>
             */

            // Extract CommonName
            // The format is defined in RFC 2253.
            // Example:
            // CN=Steve Kille,O=Isode Limited,C=GB
            Certificate[] certs = authData.getTlsCertificates();
            String distinguishedName = ((X509Certificate) certs[0]).getSubjectX500Principal().getName();
            for (String keyValueStr : distinguishedName.split(",")) {
                String[] keyValue = keyValueStr.split("=", 2);
                if (keyValue.length == 2 && "CN".equals(keyValue[0]) && !keyValue[1].isEmpty()) {
                    commonName = keyValue[1];
                    break;
                }
            }
        }

        if (commonName == null) {
            throw new AuthenticationException("Client unable to authenticate with TLS certificate");
        }

        return commonName;
    }

}