wmccarley opened a new pull request #12355:
URL: https://github.com/apache/pulsar/pull/12355


   ### Motivation
   
   This PR includes additional logic to the `AuthenticationProviderTls` class
   that will check the supplied client cert for the following conditions:
   
   - Close to expiration
   - Issued for long durations
   - Self-signed
   - Small RSA key size
   - Wildcard in the CN
   
   When these conditions are met and the broker is configured to do so, the 
broker will emit application logs and increment Prometheus metrics.
   
   In addition there is a new boolean property `tlsLogEntireCertificateChain`
   in `broker.conf` that will control whether the broker logs the entire
   certificate chain.
   
   These settings can be useful for identifying certificates currently in use 
that are allowable but are in danger of becoming unusable in the near future 
due to upcoming policy changes or expiration.
   
   ### Modifications
   
   Changes made to the `initialize(...)` and `authenticate(...)` methods in
   the `AuthenticationProviderTls` class.
   
   ### Verifying this change
   
   This change added tests and can be verified as follows:
   
     - Added six (6) unit tests to new class AuthenticationProviderTlsTest to
       test the checking logic
   
   ### Does this pull request potentially affect one of the following parts:
   
   N/A
   
   ### Documentation
   
   This PR contains doc changes
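   As an added illustration, and not the PR's own code nor the class it modifies, here are the five checks listed above written as a stand-alone Java helper. The thresholds (30-day expiry window, 398-day maximum validity, 2048-bit RSA minimum) are assumptions; the PR text does not state the values it uses. A broker would log or count each returned finding rather than reject the certificate.

```java
import java.security.GeneralSecurityException;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayList;
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/** Hypothetical helper (not Pulsar code): flags the five client-cert conditions. */
public final class ClientCertChecks {
    // Thresholds are assumptions; the PR does not state the values it uses.
    static final Duration EXPIRY_WARNING = Duration.ofDays(30);
    static final Duration MAX_VALIDITY = Duration.ofDays(398);
    static final int MIN_RSA_BITS = 2048;

    /** Returns a name for every condition the cert meets; empty list means no findings. */
    public static List<String> findings(X509Certificate cert, Instant now)
            throws InvalidNameException {
        List<String> out = new ArrayList<>();
        Instant notBefore = cert.getNotBefore().toInstant();
        Instant notAfter = cert.getNotAfter().toInstant();
        // Close to expiration: remaining lifetime is below the warning window.
        if (Duration.between(now, notAfter).compareTo(EXPIRY_WARNING) < 0) out.add("close-to-expiration");
        // Issued for a long duration: total validity period exceeds the maximum.
        if (Duration.between(notBefore, notAfter).compareTo(MAX_VALIDITY) > 0) out.add("long-validity");
        // Self-signed: subject equals issuer AND the signature verifies with the cert's own key.
        if (cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
            try {
                cert.verify(cert.getPublicKey());
                out.add("self-signed");
            } catch (GeneralSecurityException e) {
                // Same name but not signed by its own key; chain validation decides that case.
            }
        }
        // Small RSA key: modulus shorter than the minimum (non-RSA keys are not checked here).
        if (cert.getPublicKey() instanceof RSAPublicKey) {
            int bits = ((RSAPublicKey) cert.getPublicKey()).getModulus().bitLength();
            if (bits < MIN_RSA_BITS) out.add("small-rsa-key:" + bits);
        }
        // Wildcard in the CN: parse the subject DN properly instead of splitting on commas.
        for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns()) {
            String value = String.valueOf(rdn.getValue());
            if ("CN".equalsIgnoreCase(rdn.getType()) && value.startsWith("*.")) out.add("wildcard-cn:" + value);
        }
        return out;
    }
}
```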
   
   
   


-- 
This is an automated message from the Apache Git Service.