tolbertam commented on code in PR #3109:
URL: https://github.com/apache/cassandra/pull/3109#discussion_r1500086508
##########
src/java/org/apache/cassandra/auth/MutualTlsAuthenticator.java:
##########
@@ -208,6 +234,16 @@ public AuthenticatedUser getAuthenticatedUser() throws
AuthenticationException
nospamLogger.error(msg, identity);
throw new AuthenticationException(MessageFormatter.format(msg,
identity).getMessage());
}
+
+ // Validates that the certificate age does not exceed the maximum
certificate age
+
certificateValidator.certificateAgeConsumer(clientCertificateChain,
certificateAgeMinutes -> {
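Review bot: the comment above the new call promises that the certificate age is validated, but the hunk only shows `certificateValidator.certificateAgeConsumer(clientCertificateChain, certificateAgeMinutes -> {` with the lambda body cut off, so the rejection path is not visible here. Make sure a certificate older than the configured maximum fails with `AuthenticationException`, as the error path immediately above does, rather than only being logged inside the consumer, and say so in the comment; a stale certificate that is logged but still accepted would silently defeat the check.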
Review Comment:
Hrmm, I'm wondering why we need both `certificateAgeInMinutes` and
`certificateAgeConsumer` on `MutualTlsCertificateValidator`, especially if
`certificateAgeConsumer` calls `certificateAgeMinutes`?
```java
int certificateAgeMinutes = certificateValidator.certificateAgeInMinutes(clientCertificateChain);
if (certificateAgeMinutes > maxCertificateAgeMinutes)
{
    String errorMessage = String.format("The age of the provided certificate (%d minutes) exceeds the maximum allowed age of %d minutes",
                                        certificateAgeMinutes, maxCertificateAgeMinutes);
    throw new AuthenticationException(errorMessage);
}
```
I'm guessing you are looking to avoid duplicating the logic between the
Authenticator and InternodeAuthenticator implementations? Couldn't we just
make a static utility method instead that both can use? In that case we could
potentially go about things in a way where we don't need any new API on
`MutualTlsCertificateValidator` (not sure we need validator-specific logic for
this).
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
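One shape the static utility suggested in the comment could take, as an added example that is neither code from the PR nor from Cassandra itself. It assumes `org.apache.cassandra.exceptions.AuthenticationException` has a `String` constructor and is unchecked, and it takes a `java.time.Clock` so the age check can be exercised with a fixed time in tests.

```java
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import org.apache.cassandra.exceptions.AuthenticationException; // assumed: String constructor, unchecked

// Hypothetical shared helper, callable from both the client and the internode authenticator.
public final class CertificateAgeUtil
{
    private CertificateAgeUtil() {}

    // Age of the leaf (first) certificate in whole minutes, measured from its notBefore.
    public static long certificateAgeInMinutes(Certificate[] chain, Clock clock)
    {
        if (chain == null || chain.length == 0)
            throw new AuthenticationException("No client certificate presented");
        if (!(chain[0] instanceof X509Certificate))
            throw new AuthenticationException("Leaf certificate is not an X.509 certificate");
        Instant notBefore = ((X509Certificate) chain[0]).getNotBefore().toInstant();
        return Duration.between(notBefore, clock.instant()).toMinutes();
    }

    // Rejects the chain when the leaf certificate is older than maxCertificateAgeMinutes.
    public static void validateCertificateAge(Certificate[] chain, int maxCertificateAgeMinutes, Clock clock)
    {
        long certificateAgeMinutes = certificateAgeInMinutes(chain, clock);
        // A negative age means notBefore lies in the future: clock skew or a misissued certificate.
        // Rejecting it is a defensive choice made in this example, not something the PR requires.
        if (certificateAgeMinutes < 0)
            throw new AuthenticationException("The provided certificate is not yet valid");
        if (certificateAgeMinutes > maxCertificateAgeMinutes)
        {
            String errorMessage = String.format("The age of the provided certificate (%d minutes) exceeds the maximum allowed age of %d minutes",
                                                certificateAgeMinutes, maxCertificateAgeMinutes);
            throw new AuthenticationException(errorMessage);
        }
    }

    // Overload for production callers that use the system clock.
    public static void validateCertificateAge(Certificate[] chain, int maxCertificateAgeMinutes)
    {
        validateCertificateAge(chain, maxCertificateAgeMinutes, Clock.systemUTC());
    }
}
```

Both authenticators would call `validateCertificateAge(chain, maxCertificateAgeMinutes)` after the identity lookup, so the age limit is enforced in exactly one place and fails closed.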