ServerHttpRequest exposes SSL certificates

Issue: SPR-15964
This commit is contained in:
Rossen Stoyanchev 2017-11-10 16:43:12 -05:00
parent 9a894ab61e
commit 87375fe6f8
11 changed files with 271 additions and 13 deletions

View File

@ -38,6 +38,7 @@ import org.springframework.http.HttpMethod;
import org.springframework.http.HttpRange;
import org.springframework.http.MediaType;
import org.springframework.http.server.reactive.AbstractServerHttpRequest;
import org.springframework.http.server.reactive.SslInfo;
import org.springframework.lang.Nullable;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MimeType;
@ -60,17 +61,22 @@ public class MockServerHttpRequest extends AbstractServerHttpRequest {
@Nullable
private final InetSocketAddress remoteAddress;
@Nullable
private final SslInfo sslInfo;
private final Flux<DataBuffer> body;
private MockServerHttpRequest(HttpMethod httpMethod, URI uri, @Nullable String contextPath,
HttpHeaders headers, MultiValueMap<String, HttpCookie> cookies,
@Nullable InetSocketAddress remoteAddress, Publisher<? extends DataBuffer> body) {
@Nullable InetSocketAddress remoteAddress, @Nullable SslInfo sslInfo,
Publisher<? extends DataBuffer> body) {
super(uri, contextPath, headers);
this.httpMethod = httpMethod;
this.cookies = cookies;
this.remoteAddress = remoteAddress;
this.sslInfo = sslInfo;
this.body = Flux.from(body);
}
@ -91,6 +97,12 @@ public class MockServerHttpRequest extends AbstractServerHttpRequest {
return this.remoteAddress;
}
@Nullable
@Override
protected SslInfo initSslInfo() {
return this.sslInfo;
}
@Override
public Flux<DataBuffer> getBody() {
return this.body;
@ -218,6 +230,11 @@ public class MockServerHttpRequest extends AbstractServerHttpRequest {
*/
B remoteAddress(InetSocketAddress remoteAddress);
/**
* Set SSL session information and certificates.
*/
void sslInfo(SslInfo sslInfo);
/**
* Add one or more cookies.
*/
@ -365,6 +382,9 @@ public class MockServerHttpRequest extends AbstractServerHttpRequest {
@Nullable
private InetSocketAddress remoteAddress;
@Nullable
private SslInfo sslInfo;
public DefaultBodyBuilder(HttpMethod method, URI url) {
this.method = method;
@ -383,6 +403,11 @@ public class MockServerHttpRequest extends AbstractServerHttpRequest {
return this;
}
@Override
public void sslInfo(SslInfo sslInfo) {
this.sslInfo = sslInfo;
}
@Override
public BodyBuilder cookie(HttpCookie... cookies) {
Arrays.stream(cookies).forEach(cookie -> this.cookies.add(cookie.getName(), cookie));
@ -482,7 +507,7 @@ public class MockServerHttpRequest extends AbstractServerHttpRequest {
public MockServerHttpRequest body(Publisher<? extends DataBuffer> body) {
applyCookiesIfNecessary();
return new MockServerHttpRequest(this.method, this.url, this.contextPath,
this.headers, this.cookies, this.remoteAddress, body);
this.headers, this.cookies, this.remoteAddress, this.sslInfo, body);
}
private void applyCookiesIfNecessary() {

View File

@ -59,6 +59,9 @@ public abstract class AbstractServerHttpRequest implements ServerHttpRequest {
@Nullable
private MultiValueMap<String, HttpCookie> cookies;
@Nullable
private SslInfo sslInfo;
/**
* Constructor with the URI and headers for the request.
@ -152,6 +155,23 @@ public abstract class AbstractServerHttpRequest implements ServerHttpRequest {
*/
protected abstract MultiValueMap<String, HttpCookie> initCookies();
@Nullable
@Override
public SslInfo getSslInfo() {
if (this.sslInfo == null) {
this.sslInfo = initSslInfo();
}
return this.sslInfo;
}
/**
* Obtain SSL session information from the underlying "native" request.
* @return the SSL information or {@code null} if not available
* @since 5.0.2
*/
@Nullable
protected abstract SslInfo initSslInfo();
/**
* Return the underlying server response.
* <p><strong>Note:</strong> This is exposed mainly for internal framework

View File

@ -52,9 +52,6 @@ class DefaultServerHttpRequestBuilder implements ServerHttpRequest.Builder {
private final MultiValueMap<String, HttpCookie> cookies;
@Nullable
private final InetSocketAddress remoteAddress;
@Nullable
private String uriPath;
@ -71,7 +68,6 @@ class DefaultServerHttpRequestBuilder implements ServerHttpRequest.Builder {
this.uri = original.getURI();
this.httpMethodValue = original.getMethodValue();
this.remoteAddress = original.getRemoteAddress();
this.body = original.getBody();
this.httpHeaders = new HttpHeaders();
@ -135,8 +131,7 @@ class DefaultServerHttpRequestBuilder implements ServerHttpRequest.Builder {
public ServerHttpRequest build() {
URI uriToUse = getUriToUse();
return new DefaultServerHttpRequest(uriToUse, this.contextPath, this.httpHeaders,
this.httpMethodValue, this.cookies, this.remoteAddress, this.body,
this.originalRequest);
this.httpMethodValue, this.cookies, this.body, this.originalRequest);
}
@ -162,6 +157,9 @@ class DefaultServerHttpRequestBuilder implements ServerHttpRequest.Builder {
@Nullable
private final InetSocketAddress remoteAddress;
@Nullable
private final SslInfo sslInfo;
private final Flux<DataBuffer> body;
private final ServerHttpRequest originalRequest;
@ -169,13 +167,13 @@ class DefaultServerHttpRequestBuilder implements ServerHttpRequest.Builder {
public DefaultServerHttpRequest(URI uri, @Nullable String contextPath,
HttpHeaders headers, String methodValue, MultiValueMap<String, HttpCookie> cookies,
@Nullable InetSocketAddress remoteAddress,
Flux<DataBuffer> body, ServerHttpRequest originalRequest) {
super(uri, contextPath, headers);
this.methodValue = methodValue;
this.cookies = cookies;
this.remoteAddress = remoteAddress;
this.remoteAddress = originalRequest.getRemoteAddress();
this.sslInfo = originalRequest.getSslInfo();
this.body = body;
this.originalRequest = originalRequest;
}
@ -197,6 +195,12 @@ class DefaultServerHttpRequestBuilder implements ServerHttpRequest.Builder {
return this.remoteAddress;
}
@Nullable
@Override
protected SslInfo initSslInfo() {
return this.sslInfo;
}
@Override
public Flux<DataBuffer> getBody() {
return this.body;

View File

@ -0,0 +1,102 @@
/*
* Copyright 2002-2017 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.http.server.reactive;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLSession;
import org.springframework.lang.Nullable;
import org.springframework.util.Assert;
/**
*
* @author Rossen Stoyanchev
* @since 5.0
*/
final class DefaultSslInfo implements SslInfo {
@Nullable
private final String sessionId;
private final X509Certificate[] peerCertificates;
DefaultSslInfo(String sessionId, X509Certificate[] peerCertificates) {
Assert.notNull(peerCertificates, "No SSL certificates");
this.sessionId = sessionId;
this.peerCertificates = peerCertificates;
}
DefaultSslInfo(SSLSession session) {
Assert.notNull(session, "SSLSession is required");
this.sessionId = initSessionId(session);
this.peerCertificates = initCertificates(session);
}
@Nullable
private static String initSessionId(SSLSession session) {
byte [] bytes = session.getId();
if (bytes == null) {
return null;
}
StringBuilder sb = new StringBuilder();
for (byte b : bytes) {
String digit = Integer.toHexString(b);
if (digit.length() < 2) {
sb.append('0');
}
if (digit.length() > 2) {
digit = digit.substring(digit.length() - 2);
}
sb.append(digit);
}
return sb.toString();
}
private static X509Certificate[] initCertificates(SSLSession session) {
Certificate[] certificates;
try {
certificates = session.getPeerCertificates();
}
catch (Throwable ex) {
throw new IllegalStateException("Failed to get SSL certificates", ex);
}
List<X509Certificate> result = new ArrayList<>(certificates.length);
for (Certificate certificate : certificates) {
if (certificate instanceof X509Certificate) {
result.add((X509Certificate) certificate);
}
}
return result.toArray(new X509Certificate[result.size()]);
}
@Override
@Nullable
public String getSessionId() {
return this.sessionId;
}
@Override
public X509Certificate[] getPeerCertificates() {
return this.peerCertificates;
}
}

View File

@ -19,6 +19,7 @@ package org.springframework.http.server.reactive;
import java.net.InetSocketAddress;
import java.net.URI;
import java.net.URISyntaxException;
import javax.net.ssl.SSLSession;
import io.netty.channel.ChannelPipeline;
import io.netty.handler.codec.http.HttpHeaderNames;
@ -31,6 +32,7 @@ import org.springframework.core.io.buffer.DataBuffer;
import org.springframework.core.io.buffer.NettyDataBufferFactory;
import org.springframework.http.HttpCookie;
import org.springframework.http.HttpHeaders;
import org.springframework.lang.Nullable;
import org.springframework.util.Assert;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
@ -108,6 +110,7 @@ class ReactorServerHttpRequest extends AbstractServerHttpRequest {
return headers;
}
@Override
public String getMethodValue() {
return this.request.method().name();
@ -130,6 +133,16 @@ class ReactorServerHttpRequest extends AbstractServerHttpRequest {
return this.request.remoteAddress();
}
@Nullable
protected SslInfo initSslInfo() {
SslHandler sslHandler = this.request.context().channel().pipeline().get(SslHandler.class);
if (sslHandler != null) {
SSLSession session = sslHandler.engine().getSession();
return new DefaultSslInfo(session);
}
return null;
}
@Override
public Flux<DataBuffer> getBody() {
return this.request.receive().retain().map(this.bufferFactory::wrap);

View File

@ -61,6 +61,14 @@ public interface ServerHttpRequest extends HttpRequest, ReactiveHttpInputMessage
@Nullable
InetSocketAddress getRemoteAddress();
/**
* Return the SSL session information if the request has been transmitted
* over a secure protocol including SSL certificates, if available.
* @return the session information or {@code null}
* @since 5.0.2
*/
@Nullable
SslInfo getSslInfo();
/**
* Return a builder to mutate properties of this request by wrapping it

View File

@ -96,6 +96,12 @@ public class ServerHttpRequestDecorator implements ServerHttpRequest {
return getDelegate().getRemoteAddress();
}
@Nullable
@Override
public SslInfo getSslInfo() {
return getDelegate().getSslInfo();
}
@Override
public Flux<DataBuffer> getBody() {
return getDelegate().getBody();

View File

@ -21,6 +21,7 @@ import java.net.InetSocketAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.Charset;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.Map;
import javax.servlet.AsyncContext;
@ -89,7 +90,6 @@ class ServletServerHttpRequest extends AbstractServerHttpRequest {
this.bodyPublisher.registerReadListener();
}
private static URI initUri(HttpServletRequest request) {
Assert.notNull(request, "'request' must not be null");
try {
@ -172,6 +172,16 @@ class ServletServerHttpRequest extends AbstractServerHttpRequest {
return new InetSocketAddress(this.request.getRemoteHost(), this.request.getRemotePort());
}
@Nullable
protected SslInfo initSslInfo() {
if (!this.request.isSecure()) {
return null;
}
return new DefaultSslInfo(
(String) request.getAttribute("javax.servlet.request.ssl_session_id"),
(X509Certificate[]) request.getAttribute("java.security.cert.X509Certificate"));
}
@Override
public Flux<DataBuffer> getBody() {
return Flux.from(this.bodyPublisher);

View File

@ -0,0 +1,34 @@
/*
* Copyright 2002-2017 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.http.server.reactive;
import java.security.cert.X509Certificate;
import org.springframework.lang.Nullable;
/**
*
* @author Rossen Stoyanchev
* @since 5.0.2
*/
public interface SslInfo {
@Nullable
String getSessionId();
X509Certificate[] getPeerCertificates();
}

View File

@ -23,6 +23,7 @@ import java.net.InetSocketAddress;
import java.net.URI;
import java.nio.ByteBuffer;
import java.util.function.IntPredicate;
import javax.net.ssl.SSLSession;
import io.undertow.connector.ByteBufferPool;
import io.undertow.connector.PooledByteBuffer;
@ -101,6 +102,16 @@ class UndertowServerHttpRequest extends AbstractServerHttpRequest {
return this.exchange.getSourceAddress();
}
@Nullable
@Override
protected SslInfo initSslInfo() {
SSLSession session = this.exchange.getConnection().getSslSession();
if (session != null) {
return new DefaultSslInfo(session);
}
return null;
}
@Override
public Flux<DataBuffer> getBody() {
return Flux.from(this.body);

View File

@ -38,6 +38,7 @@ import org.springframework.http.HttpMethod;
import org.springframework.http.HttpRange;
import org.springframework.http.MediaType;
import org.springframework.http.server.reactive.AbstractServerHttpRequest;
import org.springframework.http.server.reactive.SslInfo;
import org.springframework.lang.Nullable;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MimeType;
@ -60,17 +61,22 @@ public class MockServerHttpRequest extends AbstractServerHttpRequest {
@Nullable
private final InetSocketAddress remoteAddress;
@Nullable
private final SslInfo sslInfo;
private final Flux<DataBuffer> body;
private MockServerHttpRequest(HttpMethod httpMethod, URI uri, @Nullable String contextPath,
HttpHeaders headers, MultiValueMap<String, HttpCookie> cookies,
@Nullable InetSocketAddress remoteAddress, Publisher<? extends DataBuffer> body) {
@Nullable InetSocketAddress remoteAddress, @Nullable SslInfo sslInfo,
Publisher<? extends DataBuffer> body) {
super(uri, contextPath, headers);
this.httpMethod = httpMethod;
this.cookies = cookies;
this.remoteAddress = remoteAddress;
this.sslInfo = sslInfo;
this.body = Flux.from(body);
}
@ -91,6 +97,12 @@ public class MockServerHttpRequest extends AbstractServerHttpRequest {
return this.remoteAddress;
}
@Nullable
@Override
protected SslInfo initSslInfo() {
return this.sslInfo;
}
@Override
public Flux<DataBuffer> getBody() {
return this.body;
@ -218,6 +230,11 @@ public class MockServerHttpRequest extends AbstractServerHttpRequest {
*/
B remoteAddress(InetSocketAddress remoteAddress);
/**
* Set SSL session information and certificates.
*/
void sslInfo(SslInfo sslInfo);
/**
* Add one or more cookies.
*/
@ -365,6 +382,9 @@ public class MockServerHttpRequest extends AbstractServerHttpRequest {
@Nullable
private InetSocketAddress remoteAddress;
@Nullable
private SslInfo sslInfo;
public DefaultBodyBuilder(HttpMethod method, URI url) {
this.method = method;
@ -383,6 +403,11 @@ public class MockServerHttpRequest extends AbstractServerHttpRequest {
return this;
}
@Override
public void sslInfo(SslInfo sslInfo) {
this.sslInfo = sslInfo;
}
@Override
public BodyBuilder cookie(HttpCookie... cookies) {
Arrays.stream(cookies).forEach(cookie -> this.cookies.add(cookie.getName(), cookie));
@ -482,7 +507,7 @@ public class MockServerHttpRequest extends AbstractServerHttpRequest {
public MockServerHttpRequest body(Publisher<? extends DataBuffer> body) {
applyCookiesIfNecessary();
return new MockServerHttpRequest(this.method, this.url, this.contextPath,
this.headers, this.cookies, this.remoteAddress, body);
this.headers, this.cookies, this.remoteAddress, this.sslInfo, body);
}
private void applyCookiesIfNecessary() {