re-enable additional certificate check

2025-10-29 04:57:48 +01:00 · 2024-07-11 22:44:18 +02:00
parent 955f4723c4
commit acf013c264
1 changed files with 14 additions and 24 deletions
--- a/server/src/main/java/com/usatiuk/dhfs/objects/repository/peertrust/PeerRolesAugmentor.java
+++ b/server/src/main/java/com/usatiuk/dhfs/objects/repository/peertrust/PeerRolesAugmentor.java
@@ -11,6 +11,7 @@ import io.smallrye.mutiny.Uni;
 import jakarta.enterprise.context.ApplicationScoped;
 import jakarta.inject.Inject;

+import java.util.UUID;
 import java.util.function.Supplier;

@ApplicationScoped
@@ -25,37 +26,26 @@ public class PeerRolesAugmentor implements SecurityIdentityAugmentor {

    private Supplier<SecurityIdentity> build(SecurityIdentity identity) {
        if (identity.isAnonymous()) {
-            Log.error("Unauthorized connection");
            return () -> identity;
        } else {
            QuarkusSecurityIdentity.Builder builder = QuarkusSecurityIdentity.builder(identity);

-            // FIXME: The below is just an additional security check, we still check the certificates
-            // with the normal TLS mechanisms.
-            // But my guess is there's a race condition between tls store update and quarkus checking this somehow?
-            // So the anonymous identity gets cached for a channel and it returns UNAUTHORIZED all the time...
-            if (identity.getCredential(CertificateCredential.class).getCertificate() != null) {
+            var uuid = identity.getPrincipal().getName().substring(3);
+
+            try {
+                var entry = persistentRemoteHostsService.getHost(UUID.fromString(uuid));
+
+                if (!entry.getCertificate().equals(identity.getCredential(CertificateCredential.class).getCertificate())) {
+                    Log.error("Certificate mismatch for " + uuid);
+                    return () -> identity;
+                }
+
                builder.addRole("cluster-member");
                return builder::build;
+            } catch (Exception e) {
+                Log.error("Error when checking certificate for " + uuid, e);
+                return () -> identity;
            }
-            Log.error("Unauthorized connection from " + identity.getPrincipal().toString());
-            return () -> identity;
-//            var uuid = identity.getPrincipal().getName().substring(3);
-//
-//            try {
-//                var entry = persistentRemoteHostsService.getHost(UUID.fromString(uuid));
-//
-//                if (!entry.getCertificate().equals(identity.getCredential(CertificateCredential.class).getCertificate())) {
-//                    Log.error("Certificate mismatch for " + uuid);
-//                    return () -> identity;
-//                }
-//
-//                builder.addRole("cluster-member");
-//                return builder::build;
-//            } catch (Exception e) {
-//                Log.error("Error when checking certificate for " + uuid, e);
-//                return () -> identity;
-//            }
        }
    }
 }