laminelam opened a new pull request, #3029: URL: https://github.com/apache/solr/pull/3029
https://issues.apache.org/jira/browse/SOLR-17309

# Description

This contribution introduces an enhancement to the Certificate Authentication (CertAuth) plugin, offering more flexibility in the _principal_ resolution.

The **_CertPrincipalResolver_** interface has been introduced to allow implementations to extract the _principal_ information from an X.509 certificate. This flexibility enables more granular control over which part of the certificate is used for the Principal.

The provided implementing class (**_PathBasedCertPrincipalResolver_**) uses a field-path-based pattern to find the right information to extract. The currently supported fields/paths are: Subject DN, Issuer DN, and SANs (Subject Alternative Name). The list of supported SAN fields is compatible with RFC 5280: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.6

**Backward compatibility:** The default implementation (_DEFAULT_PRINCIPAL_RESOLVER_) extracts the whole subject DN, which makes it backward compatible with the current implementation.

# Examples:

Given a cert with SAN.email=[user_ad...@example.com](mailto:user_ad...@example.com), the following configuration resolves "admin" as the request's Principal. This is done in 2 steps:

1. Read SAN.email fields. Filter out to accept only emails ending with "@example.com" (pick the first match).
2. In the resolved email, extract the string between "_" and "@".

```
"principalResolver": {
  "class": "solr.PathBasedCertPrincipalResolver",
  "params": {
    "path": "SAN.email",
    "filter": {
      "checkType": "endsWith",
      "values": ["@example.com"]
    },
    "extract": {
      "after": "_",
      "before": "@"
    }
  }
}
```

# Tests

Test cases included.

TODO: Add documentation

# Checklist

Please review the following and check all that apply:

- [x] I have reviewed the guidelines for [How to Contribute](https://github.com/apache/solr/blob/main/CONTRIBUTING.md) and my code conforms to the standards described there to the best of my ability.
- [x] I have created a Jira issue and added the issue ID to my pull request title.
- [x] I have given Solr maintainers [access](https://help.github.com/en/articles/allowing-changes-to-a-pull-request-branch-created-from-a-fork) to contribute to my PR branch. (optional but recommended, not available for branches on forks living under an organisation)
- [x] I have developed this patch against the `main` branch.
- [x] I have run `./gradlew check`.
- [x] I have added tests for my changes.
- [ ] I have added documentation for the [Reference Guide](https://github.com/apache/solr/tree/main/solr/solr-ref-guide)
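
The two-step resolution from the pull request's example, written out as an added Java example (not code from the PR or from Solr). It works on the `[type, value]` pairs that `X509Certificate.getSubjectAlternativeNames()` returns; the class and method names, the sample SAN values, and the first-occurrence reading of `after`/`before` are assumptions.

```java
import java.util.Collection;
import java.util.List;
import java.util.Optional;

/** Added illustration; not Solr's PathBasedCertPrincipalResolver. */
public class SanEmailPrincipalDemo {
  // GeneralName tag of rfc822Name (email) in RFC 5280 section 4.2.1.6; also the
  // type code used by X509Certificate.getSubjectAlternativeNames().
  static final int RFC822_NAME = 1;

  /** Step 1: first SAN email ending with a configured suffix. Step 2: text between markers. */
  static Optional<String> resolve(
      Collection<List<?>> sans, List<String> suffixes, String after, String before) {
    if (sans == null) return Optional.empty(); // certificate carries no SAN extension
    for (List<?> entry : sans) {
      if (!Integer.valueOf(RFC822_NAME).equals(entry.get(0))) continue; // not an email SAN
      String email = String.valueOf(entry.get(1));
      if (suffixes.stream().noneMatch(email::endsWith)) continue; // "endsWith" filter
      // Assumption: "after" is its first occurrence, "before" the next one following it.
      int start = email.indexOf(after);
      if (start < 0) return Optional.empty();
      start += after.length();
      int end = email.indexOf(before, start);
      // Refuse a missing marker or an empty principal instead of falling back to a default.
      return end > start ? Optional.of(email.substring(start, end)) : Optional.empty();
    }
    return Optional.empty(); // no SAN email passed the filter
  }

  // Hypothetical helper building one [type, value] SAN entry.
  static List<?> san(int type, String value) {
    return List.<Object>of(type, value);
  }

  public static void main(String[] args) {
    // Constructed sample SANs, in certificate order.
    Collection<List<?>> sans = List.of(
        san(2, "solr-client.example.com"),       // dNSName: skipped
        san(1, "user_guest@example.org"),        // email, but fails the filter
        san(1, "user_admin@example.com"));       // first email that passes
    System.out.println(resolve(sans, List.of("@example.com"), "_", "@"));
    // The leading "@" in the filter value matters: "example.com" alone would
    // also accept an address at a different domain with the same ending.
    Collection<List<?>> other = List.of(san(1, "user_admin@notexample.com"));
    System.out.println(resolve(other, List.of("@example.com"), "_", "@"));
    System.out.println(resolve(other, List.of("example.com"), "_", "@"));
  }
}
```

An empty result should be treated as an authentication failure by the caller, so that a certificate without a matching SAN never maps to a usable principal.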