laminelam opened a new pull request, #3029:
URL: https://github.com/apache/solr/pull/3029

   https://issues.apache.org/jira/browse/SOLR-17309
   
   # Description
   
   This contribution introduces an enhancement to the Certificate 
Authentication (CertAuth) plugin, offering more flexibility in _principal_ 
resolution.  
   
   The **_CertPrincipalResolver_** interface has been introduced to allow 
implementations to extract the _principal_ information from an X.509 
certificate. This flexibility enables more granular control over which part of 
the certificate is used for the Principal.
   
   The provided implementing class (**_PathBasedCertPrincipalResolver_**) uses 
a field-path-based pattern to find the right information to extract. The 
currently supported fields/paths are: Subject DN, Issuer DN, and SANs (Subject 
Alternative Name).
   
   The list of supported SAN fields is compatible with RFC 5280: 
https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.6
       
   **Backward compatibility:** The default implementation 
(_DEFAULT_PRINCIPAL_RESOLVER_) extracts the whole subject DN, which makes it 
backward compatible with the current implementation.
   
   # Examples: 
   
   Given a cert with 
SAN.email=[user_ad...@example.com](mailto:user_ad...@example.com), the 
following configuration resolves "admin" as the request's Principal. This is 
done in 2 steps:
   
   1. Read SAN.email fields. Filter to accept only emails ending with 
"@example.com" (pick the first match).
   2. In the resolved email, extract the string between "_" and "@".
   
   ```
   "principalResolver": {
     "class": "solr.PathBasedCertPrincipalResolver",
     "params": {
       "path": "SAN.email",
       "filter": {
         "checkType": "endsWith",
         "values": ["@example.com"]
       },
       "extract": {
         "after": "_",
         "before": "@"
       }
     }
   }
   ```
   
     
   # Tests
   Test cases included.  
   
   TODO: Add documentation
   # Checklist
   
   Please review the following and check all that apply:
   
   - [x] I have reviewed the guidelines for [How to 
Contribute](https://github.com/apache/solr/blob/main/CONTRIBUTING.md) and my 
code conforms to the standards described there to the best of my ability.
   - [x] I have created a Jira issue and added the issue ID to my pull request 
title.
   - [x] I have given Solr maintainers 
[access](https://help.github.com/en/articles/allowing-changes-to-a-pull-request-branch-created-from-a-fork)
 to contribute to my PR branch. (optional but recommended, not available for 
branches on forks living under an organisation)
   - [x] I have developed this patch against the `main` branch.
   - [x] I have run `./gradlew check`.
   - [x] I have added tests for my changes.
   - [ ] I have added documentation for the [Reference 
Guide](https://github.com/apache/solr/tree/main/solr/solr-ref-guide)
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
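
The two-step resolution described in the pull request above (filter the SAN.email entries, then extract the text between two delimiters), as an added example; it is not code from the PR or from Solr. The class and method names are hypothetical, the SAN entries are constructed, and returning an empty result when nothing matches or a delimiter is missing is an assumption, not documented behaviour of PathBasedCertPrincipalResolver.

```java
import java.util.Collection;
import java.util.List;
import java.util.Optional;

// Added illustration (hypothetical names), not Solr's PathBasedCertPrincipalResolver.
public class SanEmailPrincipalExample {
  // GeneralName tag for rfc822Name (email) in RFC 5280 section 4.2.1.6.
  private static final int RFC822_NAME = 1;

  /** Step 1: first SAN email entry that ends with one of the allowed suffixes. */
  static Optional<String> firstMatchingEmail(Collection<List<?>> sans, List<String> suffixes) {
    if (sans == null) return Optional.empty(); // certificate carries no SAN extension
    return sans.stream()
        .filter(e -> e.size() >= 2 && Integer.valueOf(RFC822_NAME).equals(e.get(0)))
        .map(e -> String.valueOf((Object) e.get(1)))
        .filter(v -> suffixes.stream().anyMatch(v::endsWith))
        .findFirst();
  }

  /** Step 2: text between the first `after` and the following `before`. */
  static Optional<String> extract(String value, String after, String before) {
    int start = value.indexOf(after);
    if (start < 0) return Optional.empty(); // assumption: missing delimiter yields no principal
    start += after.length();
    int end = value.indexOf(before, start);
    if (end <= start) return Optional.empty(); // missing delimiter or empty principal
    return Optional.of(value.substring(start, end));
  }

  static Optional<String> resolve(Collection<List<?>> sans) {
    return firstMatchingEmail(sans, List.of("@example.com"))
        .flatMap(email -> extract(email, "_", "@"));
  }

  public static void main(String[] args) {
    // Constructed entries in the [tag, value] shape returned by
    // X509Certificate.getSubjectAlternativeNames(); tag 2 is dNSName.
    Collection<List<?>> sans = List.<List<?>>of(
        List.<Object>of(2, "solr.example.com"),
        List.<Object>of(1, "ops_root@other.test"),     // wrong domain, skipped by the filter
        List.<Object>of(1, "svc_admin@example.com"));  // first entry that passes the filter
    System.out.println(resolve(sans).orElse("<no principal>"));

    // A certificate with no acceptable email must not produce a principal.
    Collection<List<?>> none = List.<List<?>>of(List.<Object>of(1, "ops_root@other.test"));
    System.out.println(resolve(none).orElse("<no principal>"));
  }
}
```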

