From b3f8495a03e488b1f162452d7f37642531b08ca0 Mon Sep 17 00:00:00 2001
From: jaymode
Date: Wed, 3 Aug 2016 10:39:37 -0400
Subject: [PATCH] clarify comments and add assert client auth type
Original commit: elastic/x-pack-elasticsearch@0e3d134bc6e621e251cf4ada2b90b4a80b3da45a
---
 .../xpack/security/rest/SecurityRestFilter.java | 5 ++++-
 .../xpack/security/transport/ServerTransportFilter.java | 5 ++++-
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/rest/SecurityRestFilter.java b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/rest/SecurityRestFilter.java
index 4914ac2c3cf..e192218e7be 100644
--- a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/rest/SecurityRestFilter.java
+++ b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/rest/SecurityRestFilter.java
@@ -101,7 +101,10 @@ public class SecurityRestFilter extends RestFilter {
 threadContext.putTransient(PkiRealm.PKI_CERT_HEADER_NAME, certs);
 }
 } catch (SSLPeerUnverifiedException e) {
- // this happens when we only request client authentication and the client does not provide it
+ // this happens when client authentication is optional and the client does not provide credentials. If client
+ // authentication was required then this connection should be closed before ever getting into this class
+ assert sslEngine.getNeedClientAuth() == false;
+ assert sslEngine.getWantClientAuth();
 if (logger.isTraceEnabled()) {
 logger.trace("SSL Peer did not present a certificate on channel [{}]", e, channel);
 } else if (logger.isDebugEnabled()) {
diff --git a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/transport/ServerTransportFilter.java b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/transport/ServerTransportFilter.java
index c8849cabd41..308aa454679 100644
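Review bot: The added `assert sslEngine.getWantClientAuth();` in the SSLPeerUnverifiedException handler only holds if this path is reached exclusively when client authentication was at least requested; an engine configured with neither need nor want client auth throws the same exception from getPeerCertificates(), and under `-ea` that would surface as an AssertionError out of the filter instead of the trace/debug log the handler intends. The guard that decides whether to extract the certificate, like the rest of the enclosing method, starts outside the hunk, so whether such a configuration can reach this catch cannot be confirmed from the diff. Giving both assertions a message makes a violation diagnosable if it ever fires, e.g. `assert sslEngine.getNeedClientAuth() == false : "client auth required, yet peer was unverified";` and `assert sslEngine.getWantClientAuth() : "peer certificate extraction attempted without client auth being requested";`. The same applies to the hunk in ServerTransportFilter.java, which duplicates this handler verbatim; a shared helper for the certificate extraction would keep the two invariants from drifting.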
--- a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/transport/ServerTransportFilter.java
+++ b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/transport/ServerTransportFilter.java
@@ -109,7 +109,10 @@ public interface ServerTransportFilter {
 threadContext.putTransient(PkiRealm.PKI_CERT_HEADER_NAME, certs);
 }
 } catch (SSLPeerUnverifiedException e) {
- // this happens when we only request client authentication and the client does not provide it
+ // this happens when client authentication is optional and the client does not provide credentials. If client
+ // authentication was required then this connection should be closed before ever getting into this class
+ assert sslEngine.getNeedClientAuth() == false;
+ assert sslEngine.getWantClientAuth();
 if (logger.isTraceEnabled()) {
 logger.trace("SSL Peer did not present a certificate on channel [{}]", e, channel);
 } else if (logger.isDebugEnabled()) {