fix: Log ignored certificates during client authentication #4415
Conversation
Signed-off-by: hrishikesh-nalawade <[email protected]>
Signed-off-by: hrishikesh-nalawade <[email protected]>
github-project-automation
bot
moved this to New
in API Mediation Layer Backlog Management
…ent-certificate-ino
EvaJavornicka
moved this from New
to In Progress
in API Mediation Layer Backlog Management
| certificateForClientAuth | ||
| ); | ||
|
|
||
| // Log ignored certificates |
There was a problem hiding this comment.
Are the comments needed? The method name is self-explanatory
There was a problem hiding this comment.
yes, will remove most of the comments after after review and before merging.
|
What about microservices' mode CategorizeCertsFilter? Do we want to print it also there? It's still the most used configuration mode and it may be helpful to have more diagnostics there |
|
Does the PR fix #4164 fully? The issue also refers to documentation update |
Thank You for pointing that out, I was not aware of that. I'll implement the changes in CategorizeCertsFilter as well. |
…ld be done in CategorizeCertsFilter and CategorizeCertsWebFilter Signed-off-by: hrishikesh-nalawade <[email protected]>
hrishikesh-nalawade
changed the title
github-actions
bot
added
the
Sensitive
Signed-off-by: hrishikesh-nalawade <[email protected]>
…ent-certificate-ino
…ent-certificate-ino
|
@hrishikesh-nalawade can you take care of the 7 sonarqube issues reported? |
| filteredCerts, | ||
| publicKeyCertificatesBase64, | ||
| log, | ||
| CategorizeCertsWebFilter::base64EncodePublicKey |
There was a problem hiding this comment.
This could be moved to a utility class, there's no reason to have it as a parameter everywhere
There was a problem hiding this comment.
yes it is, I have created a separate utility class CertificateLoggingUtils to handle the certificate filtering logic
| * @param logger The logger to use for output | ||
| * @param base64Encoder Function to encode certificate public key to Base64 | ||
| */ | ||
| public static void logIgnoredCertificates( |
There was a problem hiding this comment.
Try to refactor a bit this method, it's too long, you can extract smaller blocks into private methods
There was a problem hiding this comment.
Done, Thank You for pointing that out.
| Set<String> originalKeys = Arrays.stream(originalCerts) | ||
| .map(base64Encoder) | ||
| .collect(Collectors.toSet()); | ||
|
|
||
| Set<String> filteredKeys = filteredCerts != null | ||
| ? Arrays.stream(filteredCerts) | ||
| .map(base64Encoder) | ||
| .collect(Collectors.toSet()) | ||
| : new HashSet<>(); | ||
|
|
||
| Set<String> ignoredKeys = new HashSet<>(originalKeys); | ||
| ignoredKeys.removeAll(filteredKeys); |
There was a problem hiding this comment.
Done, Thank You for pointing that out.
| ignoredKeys.removeAll(filteredKeys); | ||
|
|
||
| if (!ignoredKeys.isEmpty()) { | ||
| List<X509Certificate> ignoredCerts = Arrays.stream(originalCerts) |
There was a problem hiding this comment.
Since it's java 17+, verbosity can be somewhat reduced using var, like:
var ignoredCerts = Arrays.stream(originalCerts)
| ignoredCerts.stream() | ||
| .map(cert -> { | ||
| String subjectDN = cert.getSubjectX500Principal() != null | ||
| ? cert.getSubjectX500Principal().getName() | ||
| : "Unknown"; | ||
| String issuerDN = cert.getIssuerX500Principal() != null | ||
| ? cert.getIssuerX500Principal().getName() | ||
| : "Unknown"; | ||
| String publicKeyBase64 = base64Encoder.apply(cert); | ||
| return String.format("[Subject: %s, Issuer: %s, Public Key (first 20 chars): %s...]", | ||
| subjectDN, issuerDN, publicKeyBase64.substring(0, Math.min(20, publicKeyBase64.length()))); | ||
| }) | ||
| .collect(Collectors.joining(", "))); |
There was a problem hiding this comment.
This can be extracted to a private method as well
There was a problem hiding this comment.
Done, Thank You for pointing that out.
| } | ||
| } | ||
|
|
||
| @Test |
There was a problem hiding this comment.
Move these tests into a nested class, if it's only verifying logging.
Have you checked if these same scenarios are already covered in previous tests? (so you can only add the assertion to the existing test about logging)
There was a problem hiding this comment.
Thank You, Removed most of the tests, added assertions to the existing ones, and kept one test for a scenario that was not covered.
| } | ||
|
|
||
| @Nested | ||
| class LogIgnoredCertificatesTests { |
There was a problem hiding this comment.
Same question, have you checked if these test conditions are covered in the existing tests?
Maybe it's easier to add assertions to the existing tests rather than writing all new ones
If the conditions were not covered previously, then let's add new tests, but the focus should be on the main validations rather than whether they are logged or not. Logging should be in addition to.
There was a problem hiding this comment.
Thank You, Removed most of the tests, added assertions to the existing ones, and kept one test for a scenario that was not covered.
…ent-certificate-ino
…eCertsWebFilterTest and CategorizeCertsFilterTest by adding logging assertions into existing tests Signed-off-by: hrishikesh-nalawade <[email protected]>
Signed-off-by: hrishikesh-nalawade <[email protected]>
…ent-certificate-ino
| filteredCerts, | ||
| publicKeyCertificatesBase64, | ||
| log, | ||
| CategorizeCertsFilter::base64EncodePublicKey |
There was a problem hiding this comment.
please remove this as an argument, simply call the method or if not visible, move to a utility class that's visible in apiml-common
| filteredCerts, | ||
| publicKeyCertificatesBase64, | ||
| log, | ||
| CategorizeCertsFilter::base64EncodePublicKey |
There was a problem hiding this comment.
@hrishikesh-nalawade can you confirm if you see this comment? There's some weird behaviour in the github view
| * Utility class for logging certificate-related operations, particularly for logging | ||
| * certificates that were ignored/filtered during client authentication. | ||
| */ | ||
| @UtilityClass |
There was a problem hiding this comment.
This annotation doesn't provide much value here honestly, it's preferable to remove it and add a private constructor
…ent-certificate-ino
…ent-certificate-ino
|
Description
API-Layer filters out its own certificates during client authentication but doesn't log which certificates were ignored, making troubleshooting difficult.
CertificateLoggingUtilsutility class for certificate loggingCategorizeCertsFilterandCategorizeCertsWebFilterLinked to #4164
Type of change
Checklist: