Apache
/
nifi
mirror of https://github.com/apache/nifi.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

NIFI-11918 Used java.security.cert in ListenGRPC 

This closes #7580

Signed-off-by: David Handermann <exceptionfactory@apache.org>
This commit is contained in:
Peter Turcsanyi 2023-08-07 23:36:10 +02:00 committed by exceptionfactory
parent 964f56043c
commit 2a3ce1cb69
No known key found for this signature in database
GPG Key ID: 29B6A52D2AAE8DBA
1 changed files with 15 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
nifi-nar-bundles/nifi-grpc-bundle/nifi-grpc-common/src/main/java/org/apache/nifi/processors/grpc/FlowFileIngestServiceInterceptor.java
View File

@ -26,12 +26,14 @@ import io.grpc.ServerCallHandler;
import io.grpc.ServerInterceptor;
import io.grpc.Status;
import org.apache.nifi.logging.ComponentLog;
import org.apache.nifi.processor.exception.ProcessException;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.security.cert.X509Certificate;
import java.net.InetSocketAddress;
import java.net.SocketAddress;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.regex.Pattern;
import static java.util.Objects.requireNonNull;
@ -100,10 +102,11 @@ public class FlowFileIngestServiceInterceptor implements ServerInterceptor {
final SSLSession sslSession = attributes.get(Grpc.TRANSPORT_ATTR_SSL_SESSION);
if (this.authorizedDNPattern != null && sslSession != null) {
try {
final X509Certificate[] certs = sslSession.getPeerCertificateChain();
final Certificate[] certs = sslSession.getPeerCertificates();
if (certs != null && certs.length > 0) {
for (final X509Certificate cert : certs) {
foundSubject = cert.getSubjectDN().getName();
for (final Certificate cert : certs) {
final X509Certificate x509Cert = toX509Certificate(cert);
foundSubject = x509Cert.getSubjectX500Principal().getName();
if (authorizedDNPattern.matcher(foundSubject).matches()) {
break;
} else {
@ -147,4 +150,12 @@ public class FlowFileIngestServiceInterceptor implements ServerInterceptor {
return hostString == null ? UNKNOWN_IP : hostString;
}
private X509Certificate toX509Certificate(final Certificate certificate) {
if (certificate instanceof X509Certificate) {
return (X509Certificate) certificate;
} else {
throw new ProcessException("Certificate is not an X.509 certificate. Certificate type: " + certificate.getClass());
}
}
}