-
Notifications
You must be signed in to change notification settings - Fork 844
feat: RFC 8705 mutual-TLS client authentication for CF app instance identity #3972
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Draft
rkoster
wants to merge
30
commits into
cloudfoundry:develop
Choose a base branch
from
rkoster:feat/rfc8705-mtls-client-auth
base: develop
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Draft
Changes from all commits
Commits
Show all changes
30 commits
Select commit
Hold shift + click to select a range
dc1149d
feat(model): add tls_client_auth constant and logic to ClientAuthenti…
rkoster 15b2859
feat(model): add CLIENT_AUTH_TLS_CLIENT_AUTH to TokenConstants
rkoster 07ac929
feat(model): add TlsClientAuthConfiguration model class
rkoster 6a16d21
feat(model): add tlsClientAuthConfiguration field to UaaClientDetails
rkoster 8a2838d
fix(model): add equals/hashCode to TlsClientAuthConfiguration and Cla…
rkoster b3c4146
feat(model): add mtls_endpoint_aliases and tls_client_auth to OpenIdC…
rkoster 0897d44
feat(server): add java-buildpack-client-certificate-mapper-jakarta de…
rkoster 8df59ec
feat(server): register ClientCertificateMapper filter for /oauth/mtls/*
rkoster ec0f706
feat(server): add TlsClientAuthentication cert chain validation service
rkoster 046d6dd
feat(server): add isTlsClientAuth / validateTlsClientAuth to ClientDe…
rkoster d5b38c9
fix(server): deserialize TlsClientAuthConfiguration from additionalIn…
rkoster 39b5c54
feat(server): allow tls_client_auth in ClientCredentialsTokenGranter
rkoster f8f3e97
feat(server): add MtlsClaimsEnhancer UaaTokenEnhancer for cert-derive…
rkoster 2e23b24
feat(server): add mtls_endpoint_aliases to OIDC discovery document
rkoster 7febe21
Fix @Value key in OpenIdConnectEndpoints to match ERB-emitted mtls.en…
rkoster f2974ef
fix(server): add OAUTH_11 order constant and dedicated mTLS security …
rkoster fe24445
fix(server): handle flat String PEM in getTlsClientAuthConfiguration;…
rkoster cf49990
fix(server): fix MtlsClaimsEnhancer for DB-loaded clients and Diego m…
rkoster 2f77a0b
fix(review): address PR feedback on mTLS client auth
rkoster 5438939
test: update OIDC discovery tests for mtls_endpoint_aliases and tls_c…
rkoster 2856a5d
fix(review): fix JsonProperty collision and support full cert chain i…
rkoster 864e086
test: update tlsClientAuthConfigRoundTripsViaJson for @JsonIgnore design
rkoster 5d89307
feat: add subTemplate and audTemplates to TlsClientAuthConfiguration
rkoster 7b31e15
test: fix audTemplates equality isolation in TlsClientAuthConfigurati…
rkoster 5d6d833
refactor: restructure enhance() into phase 1/2 (vars + dot-notation)
rkoster d937561
fix: document single-level nesting, add conflict test, restore comment
rkoster 5fa537b
feat: add phase 3 sub/aud template rendering to MtlsClaimsEnhancer
rkoster 558717d
fix: static PLACEHOLDER pattern, StringBuilder, restore comment, rena…
rkoster 0513c60
feat: read tls-client-auth-sub-template and aud-templates from flat B…
rkoster 98c09ab
fix: apply token enhancer overrides after UAA defaults so sub/aud tem…
rkoster File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
112 changes: 112 additions & 0 deletions
112
model/src/main/java/org/cloudfoundry/identity/uaa/client/TlsClientAuthConfiguration.java
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,112 @@ | ||
| package org.cloudfoundry.identity.uaa.client; | ||
|
|
||
| import com.fasterxml.jackson.annotation.JsonIgnoreProperties; | ||
| import com.fasterxml.jackson.annotation.JsonInclude; | ||
| import com.fasterxml.jackson.annotation.JsonProperty; | ||
|
|
||
| import java.util.List; | ||
| import java.util.Objects; | ||
|
|
||
| @JsonInclude(JsonInclude.Include.NON_NULL) | ||
| @JsonIgnoreProperties(ignoreUnknown = true) | ||
| public class TlsClientAuthConfiguration { | ||
|
|
||
| public static final String TLS_CLIENT_AUTH_CA = "tls-client-auth-ca"; | ||
| public static final String TLS_CLIENT_AUTH_CLAIM_MAPPINGS = "tls-client-auth-claim-mappings"; | ||
| public static final String TLS_CLIENT_AUTH_SUB_TEMPLATE = "tls-client-auth-sub-template"; | ||
| public static final String TLS_CLIENT_AUTH_AUD_TEMPLATES = "tls-client-auth-aud-templates"; | ||
|
|
||
| @JsonProperty(TLS_CLIENT_AUTH_CA) | ||
| private String trustedCaPem; | ||
|
|
||
| @JsonProperty(TLS_CLIENT_AUTH_CLAIM_MAPPINGS) | ||
| private List<ClaimMapping> claimMappings; | ||
|
|
||
| @JsonProperty(TLS_CLIENT_AUTH_SUB_TEMPLATE) | ||
| private String subTemplate; | ||
|
|
||
| @JsonProperty(TLS_CLIENT_AUTH_AUD_TEMPLATES) | ||
| private List<String> audTemplates; | ||
|
|
||
| public TlsClientAuthConfiguration() {} | ||
|
|
||
| public TlsClientAuthConfiguration(String trustedCaPem, List<ClaimMapping> claimMappings) { | ||
| this.trustedCaPem = trustedCaPem; | ||
| this.claimMappings = claimMappings; | ||
| } | ||
|
|
||
| public String getTrustedCaPem() { return trustedCaPem; } | ||
| public void setTrustedCaPem(String trustedCaPem) { this.trustedCaPem = trustedCaPem; } | ||
|
|
||
| public List<ClaimMapping> getClaimMappings() { return claimMappings; } | ||
| public void setClaimMappings(List<ClaimMapping> claimMappings) { this.claimMappings = claimMappings; } | ||
|
|
||
| public String getSubTemplate() { return subTemplate; } | ||
| public void setSubTemplate(String subTemplate) { this.subTemplate = subTemplate; } | ||
|
|
||
| public List<String> getAudTemplates() { return audTemplates; } | ||
| public void setAudTemplates(List<String> audTemplates) { this.audTemplates = audTemplates; } | ||
|
|
||
| @Override | ||
| public boolean equals(Object o) { | ||
| if (this == o) return true; | ||
| if (!(o instanceof TlsClientAuthConfiguration that)) return false; | ||
| return Objects.equals(trustedCaPem, that.trustedCaPem) && | ||
| Objects.equals(claimMappings, that.claimMappings) && | ||
| Objects.equals(subTemplate, that.subTemplate) && | ||
| Objects.equals(audTemplates, that.audTemplates); | ||
| } | ||
|
|
||
| @Override | ||
| public int hashCode() { | ||
| return Objects.hash(trustedCaPem, claimMappings, subTemplate, audTemplates); | ||
| } | ||
|
|
||
| public static boolean isConfigured(TlsClientAuthConfiguration config) { | ||
| return config != null && config.getTrustedCaPem() != null && !config.getTrustedCaPem().isBlank(); | ||
| } | ||
|
|
||
| @JsonInclude(JsonInclude.Include.NON_NULL) | ||
| @JsonIgnoreProperties(ignoreUnknown = true) | ||
| public static class ClaimMapping { | ||
|
|
||
| @JsonProperty("field") | ||
| private String field; | ||
|
|
||
| @JsonProperty("pattern") | ||
| private String pattern; | ||
|
|
||
| @JsonProperty("claim") | ||
| private String claim; | ||
|
|
||
| public ClaimMapping() {} | ||
|
|
||
| public ClaimMapping(String field, String pattern, String claim) { | ||
| this.field = field; | ||
| this.pattern = pattern; | ||
| this.claim = claim; | ||
| } | ||
|
|
||
| public String getField() { return field; } | ||
| public String getPattern() { return pattern; } | ||
| public String getClaim() { return claim; } | ||
|
|
||
| public void setField(String field) { this.field = field; } | ||
| public void setPattern(String pattern) { this.pattern = pattern; } | ||
| public void setClaim(String claim) { this.claim = claim; } | ||
|
|
||
| @Override | ||
| public boolean equals(Object o) { | ||
| if (this == o) return true; | ||
| if (!(o instanceof ClaimMapping that)) return false; | ||
| return Objects.equals(field, that.field) && | ||
| Objects.equals(pattern, that.pattern) && | ||
| Objects.equals(claim, that.claim); | ||
| } | ||
|
|
||
| @Override | ||
| public int hashCode() { | ||
| return Objects.hash(field, pattern, claim); | ||
| } | ||
| } | ||
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.