janhoy commented on a change in pull request #139:
URL: https://github.com/apache/solr/pull/139#discussion_r637277985
##########
File path: solr/core/src/java/org/apache/solr/security/JWTIssuerConfig.java
##########
@@ -335,33 +346,49 @@ public boolean isValid() {
return jwkConfigured > 0;
}
+ public void setTrustedCerts(Collection<X509Certificate> trustedCerts) {
+ this.trustedCerts = trustedCerts;
+ }
+
/**
*
*/
static class HttpsJwksFactory {
private final long jwkCacheDuration;
private final long refreshReprieveThreshold;
+ private Collection<X509Certificate> trustedCerts;
public HttpsJwksFactory(long jwkCacheDuration, long
refreshReprieveThreshold) {
this.jwkCacheDuration = jwkCacheDuration;
this.refreshReprieveThreshold = refreshReprieveThreshold;
}
-
+
+ public HttpsJwksFactory(long jwkCacheDuration, long
refreshReprieveThreshold, Collection<X509Certificate> trustedCerts) {
+ this.jwkCacheDuration = jwkCacheDuration;
+ this.refreshReprieveThreshold = refreshReprieveThreshold;
+ this.trustedCerts = trustedCerts;
+ }
+
/**
* While the class name is HttpsJwks, it actually works with plain http
formatted url as well.
+ *
* @param url the Url to connect to for JWK details.
*/
private HttpsJwks create(String url) {
try {
URL jwksUrl = new URL(url);
checkAllowOutboundHttpConnections(PARAM_JWKS_URL, jwksUrl);
-
} catch (MalformedURLException e) {
throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Url " +
url + " configured in " + PARAM_JWKS_URL + " is not a valid URL");
}
HttpsJwks httpsJkws = new HttpsJwks(url);
httpsJkws.setDefaultCacheDuration(jwkCacheDuration);
httpsJkws.setRefreshReprieveThreshold(refreshReprieveThreshold);
+ if (trustedCerts != null) {
+ Get getWithCustomTrust = new Get();
+ getWithCustomTrust.setTrustedCertificates(trustedCerts);
+ log.info("Trusting custom SSL certificate(s) for the IdP");
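Review bot: In `create()`, the `if (trustedCerts != null)` guard lets an empty collection through to `setTrustedCertificates(trustedCerts)`; decide whether an empty list should fall back to the default trust store or be rejected when the config is parsed, and make that explicit in the check (for example `trustedCerts != null && !trustedCerts.isEmpty()`). Separately, the new `trustedCerts` field in `HttpsJwksFactory` is non-final, unlike the two final fields next to it, and both the new constructor and `setTrustedCerts` keep the caller's collection by reference. Making the field final, having the two-argument constructor delegate to the three-argument one with `null`, and storing an unmodifiable copy would keep the set of trust anchors from changing after construction.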
Review comment:
I moved this to the first config parsing in JwtAuthPlugin instead. It
will print on every re-initialization / change of security.json.