tolbertam commented on code in PR #3109:
URL: https://github.com/apache/cassandra/pull/3109#discussion_r1491823435
##########
src/java/org/apache/cassandra/auth/SpiffeCertificateValidator.java:
##########
@@ -31,27 +32,45 @@
* This class assumes that the identity of a certificate is SPIFFE which is a
URI that is present as part of the SAN
* of the client certificate. It has logic to extract identity (Spiffe) out of
a certificate & knows how to validate
* the client certificates.
- * <p>
*
- * <p>
- * Example:
+ * <p>Example:
+ * <pre>
* internode_authenticator:
- * class_name : org.apache.cassandra.auth.MutualTlsAuthenticator
- * parameters :
- * validator_class_name: org.apache.cassandra.auth.SpiffeCertificateValidator
+ * class_name: org.apache.cassandra.auth.MutualTlsAuthenticator
+ * parameters:
+ * validator_class_name:
org.apache.cassandra.auth.SpiffeCertificateValidator
+ * </pre>
+ *
+ * <pre>
* authenticator:
- * class_name : org.apache.cassandra.auth.MutualTlsInternodeAuthenticator
- * parameters :
- * validator_class_name: org.apache.cassandra.auth.SpiffeCertificateValidator
+ * class_name: org.apache.cassandra.auth.MutualTlsInternodeAuthenticator
+ * parameters:
+ * validator_class_name:
org.apache.cassandra.auth.SpiffeCertificateValidator
+ * </pre>
*/
public class SpiffeCertificateValidator implements
MutualTlsCertificateValidator
{
+ /**
+ * {@inheritDoc}
+ */
@Override
- public boolean isValidCertificate(Certificate[] clientCertificateChain)
+ public boolean isValidCertificate(Certificate[] clientCertificateChain,
int maxCertificateAgeMinutes) throws AuthenticationException
{
+ X509Certificate[] castedCerts =
castCertsToX509(clientCertificateChain);
+ int certificateAgeInMinutes =
getCertificateAgeInMinutes(castedCerts[0]);
+ if (certificateAgeInMinutes > maxCertificateAgeMinutes)
+ {
+ String errorMessage = String.format("The age of the provided
certificate exceeds the maximum allowed age of %d minutes",
Review Comment:
Is there a way to introspect what resolution the given duration is in and
report it in that way? e.g. if I configure `max_certificate_age: 5d` , could
we have the message be The age of the provided certificate exceeds the maximum
allowed age of 5d?.
It would also be useful to include the age of the certificate in the message.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
