tolbertam commented on code in PR #3109:
URL: https://github.com/apache/cassandra/pull/3109#discussion_r1491856502


##########
src/java/org/apache/cassandra/auth/MutualTlsCertificateValidator.java:
##########
@@ -35,29 +35,55 @@ public interface MutualTlsCertificateValidator
      * Perform any checks that are to be performed on the certificate before 
making authorization check to grant the
      * access to the client during mTLS connection.
      *
-     * For example
-     *  - Verifying CA information
-     *  - Checking CN information
-     *  - Validating Issuer information
-     *  - Checking organization information etc
+     * <p>For example:
+     * <ul>
+     *  <li>Verifying CA information
+     *  <li>Checking CN information
+     *  <li>Validating Issuer information
+     *  <li>Checking organization information etc
+     * </ul>
      *
      * @param clientCertificateChain client certificate chain
-     * @return returns if the certificate is valid or not
+     * @return returns {@code true} if the certificate is valid, {@code false} 
otherwise
      */
-    boolean isValidCertificate(Certificate[] clientCertificateChain);
+    default boolean isValidCertificate(Certificate[] clientCertificateChain)
+    {
+        return isValidCertificate(clientCertificateChain, Integer.MAX_VALUE);
+    }
+
+    /**
+     * Perform any checks that are to be performed on the certificate before 
making authorization check to grant the
+     * access to the client during mTLS connection.
+     *
+     * <p>For example:
+     * <ul>
+     *  <li>Verifying CA information
+     *  <li>Checking CN information
+     *  <li>Validating Issuer information
+     *  <li>Checking organization information etc
+     * </ul>
+     *
+     * @param clientCertificateChain   client certificate chain
+     * @param maxCertificateAgeMinutes the maximum age allowed for the 
certificates in the chain
+     * @return returns {@code true} if the certificate is valid, {@code false} 
otherwise
+     * @throws AuthenticationException when the age of the certificate is 
greater than the maximum allowed age
+     *                                 for the certificate
+     */
+    boolean isValidCertificate(Certificate[] clientCertificateChain, int 
maxCertificateAgeMinutes) throws AuthenticationException;
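Review bot: the default one-argument overload at `return isValidCertificate(clientCertificateChain, Integer.MAX_VALUE);` turns the age limit off for every caller that still uses the old signature, so its Javadoc (currently a copy of the two-argument version) should say that no age check is performed there, or the overload should forward a configured limit instead of a sentinel. The two-argument contract also has two failure paths, `@return ... {@code false}` and `@throws AuthenticationException`, without saying which conditions produce which; spelling that out (for example, age violations throw, every other failed check returns false) keeps implementations and the caller in agreement about what an invalid chain looks like.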

Review Comment:
   maybe `isValidCertificate(Certificate[] clientCertificateChain, int 
maxCertificateAgeMinutes)` should be `default` and call 
`isValidCertificate(Certificate[] clientCertificateChain)`, instead of how it 
currently works.  This way existing implementations don't need to make any 
implementation changes for this to work.  (this may be moot if you end up 
moving out the age verification from the validator)



##########
src/java/org/apache/cassandra/auth/MutualTlsCertificateValidator.java:
##########
@@ -35,29 +35,55 @@ public interface MutualTlsCertificateValidator
      * Perform any checks that are to be performed on the certificate before 
making authorization check to grant the
      * access to the client during mTLS connection.
      *
-     * For example
-     *  - Verifying CA information
-     *  - Checking CN information
-     *  - Validating Issuer information
-     *  - Checking organization information etc
+     * <p>For example:
+     * <ul>
+     *  <li>Verifying CA information
+     *  <li>Checking CN information
+     *  <li>Validating Issuer information
+     *  <li>Checking organization information etc
+     * </ul>
      *
      * @param clientCertificateChain client certificate chain
-     * @return returns if the certificate is valid or not
+     * @return returns {@code true} if the certificate is valid, {@code false} 
otherwise
      */
-    boolean isValidCertificate(Certificate[] clientCertificateChain);
+    default boolean isValidCertificate(Certificate[] clientCertificateChain)
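Review bot: `@return returns {@code true} if the certificate is valid, {@code false} otherwise` doubles the verb; `@return {@code true} if the certificate chain is valid, {@code false} otherwise` reads cleaner and names the chain, which is what the parameter actually carries. While this comment is being reworked, the unchanged sentence `before making authorization check to grant the access to the client` would read better as "before the authorization check that grants the client access".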

Review Comment:
   (this may be moot if you end up moving out the age verification from the 
validator)



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

