exceptionfactory commented on code in PR #6032:
URL: https://github.com/apache/nifi/pull/6032#discussion_r871461795
##########
nifi-nar-bundles/nifi-extension-utils/nifi-event-transport/src/main/java/org/apache/nifi/event/transport/netty/codec/SocketByteArrayMessageDecoder.java:
##########
@@ -38,7 +48,37 @@ public class SocketByteArrayMessageDecoder extends
MessageToMessageDecoder<byte[
protected void decode(final ChannelHandlerContext channelHandlerContext,
final byte[] bytes, final List<Object> decoded) {
final InetSocketAddress remoteAddress = (InetSocketAddress)
channelHandlerContext.channel().remoteAddress();
final String address = remoteAddress.getHostString();
- final ByteArrayMessage message = new ByteArrayMessage(bytes, address);
+
+ final SslSessionStatus sslSessionStatus =
getSslSessionStatus(channelHandlerContext);
+ final ByteArrayMessage message = new ByteArrayMessage(bytes, address,
sslSessionStatus);
+
decoded.add(message);
}
+
+ private SslSessionStatus getSslSessionStatus(final ChannelHandlerContext
channelHandlerContext) {
+ final Iterator<Map.Entry<String, ChannelHandler>> iterator =
channelHandlerContext.channel().pipeline().iterator();
+ while (iterator.hasNext()) {
+ final ChannelHandler channelHandler = iterator.next().getValue();
+ if (channelHandler instanceof SslHandler) {
+ return createSslSessionStatusFromSslHandler((SslHandler)
channelHandler);
+ }
+ }
+ return null;
+ }
+
+ private SslSessionStatus createSslSessionStatusFromSslHandler(final
SslHandler sslHandler) {
+ final SSLSession sslSession = sslHandler.engine().getSession();
+ try {
+ final Certificate[] certificates =
sslSession.getPeerCertificates();
+ if (certificates.length > 0) {
+ final X509Certificate certificate = (X509Certificate)
certificates[0];
+ final X500Principal subject =
certificate.getSubjectX500Principal();
+ final X500Principal issuer =
certificate.getIssuerX500Principal();
+ return new SslSessionStatus(subject, issuer);
+ }
+ } catch (SSLPeerUnverifiedException peerUnverifiedException) {
+ return null;
+ }
+ return null;
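Review bot: The cast `(X509Certificate) certificates[0]` in createSslSessionStatusFromSslHandler is unchecked, so a peer certificate of any other type would throw ClassCastException out of decode() instead of taking the null path used for SSLPeerUnverifiedException. Guarding with `if (certificates.length > 0 && certificates[0] instanceof X509Certificate)` keeps the failure mode uniform. The method would also benefit from a comment stating that the subject and issuer are read from the first entry of `getPeerCertificates()`, and that they carry only as much assurance as the client-authentication and trust settings of the SslHandler's engine, which are configured outside this hunk. The quoted hunk stops at this line, so the method's closing brace is not visible here.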
Review Comment:
It would be helpful to adjust this method to have a single return statement,
and also log the exception as a warning. Logging the remote address would
require passing the ChannelHandlerContext to this method.
```suggestion
final SslSessionStatus sslSessionStatus;
try {
final Certificate[] certificates =
sslSession.getPeerCertificates();
if (certificates.length > 0) {
final X509Certificate certificate = (X509Certificate)
certificates[0];
final X500Principal subject =
certificate.getSubjectX500Principal();
final X500Principal issuer =
certificate.getIssuerX500Principal();
sslSessionStatus = new SslSessionStatus(subject, issuer);
} else {
sslSessionStatus = null;
}
} catch (final SSLPeerUnverifiedException e) {
logger.warn("Peer Unverified [{}]",
channelHandlerContext.channel().remoteAddress(), e);
sslSessionStatus = null;
}
return sslSessionStatus;
```
##########
nifi-nar-bundles/nifi-extension-utils/nifi-event-transport/src/main/java/org/apache/nifi/event/transport/netty/codec/SocketByteArrayMessageDecoder.java:
##########
@@ -38,7 +48,37 @@ public class SocketByteArrayMessageDecoder extends
MessageToMessageDecoder<byte[
protected void decode(final ChannelHandlerContext channelHandlerContext,
final byte[] bytes, final List<Object> decoded) {
final InetSocketAddress remoteAddress = (InetSocketAddress)
channelHandlerContext.channel().remoteAddress();
final String address = remoteAddress.getHostString();
- final ByteArrayMessage message = new ByteArrayMessage(bytes, address);
+
+ final SslSessionStatus sslSessionStatus =
getSslSessionStatus(channelHandlerContext);
+ final ByteArrayMessage message = new ByteArrayMessage(bytes, address,
sslSessionStatus);
+
decoded.add(message);
}
+
+ private SslSessionStatus getSslSessionStatus(final ChannelHandlerContext
channelHandlerContext) {
+ final Iterator<Map.Entry<String, ChannelHandler>> iterator =
channelHandlerContext.channel().pipeline().iterator();
+ while (iterator.hasNext()) {
+ final ChannelHandler channelHandler = iterator.next().getValue();
+ if (channelHandler instanceof SslHandler) {
+ return createSslSessionStatusFromSslHandler((SslHandler)
channelHandler);
+ }
+ }
+ return null;
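Review bot: The `return null` at the end of getSslSessionStatus, reached when the pipeline holds no SslHandler, yields the same value as the unverified-peer path of createSslSessionStatusFromSslHandler, so a consumer of ByteArrayMessage cannot tell a plaintext connection from a TLS connection without a verified client certificate. If the status is later used for authorization or provenance decisions, that distinction matters; at minimum add a Javadoc line such as `Returns null when the channel has no SslHandler or the peer presented no verified certificate`. The pipeline is also scanned for every decoded message, and Netty's typed lookup `channelHandlerContext.pipeline().get(SslHandler.class)` would perform that search in one call. The quoted hunk ends here, before the method's closing brace.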
Review Comment:
This could be refactored to use a single return statement. ChannelPipeline
also implements `Iterable`, so it could be streamlined.
```suggestion
SslHandler sslHandler = null;
for (final Map.Entry<String, ChannelHandler> entry :
channelHandlerContext.channel().pipeline()) {
final ChannelHandler channelHandler = entry.getValue();
if (channelHandler instanceof SslHandler) {
sslHandler = (SslHandler) channelHandler;
break;
}
}
return sslHandler == null ?
createSslSessionStatusFromSslHandler(sslHandler);
```