OTPL-8083 OtSecureRequestCustomizer

More customizable callback.
opentable · Jun 29, 2023 · c174769 · c174769
1 parent b59d20f
commit c174769
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 5 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,9 @@
 otj-server
 =========
+6.0.1, 6.0.2, 6.0.3, 6.0.4
+-----
+* More customizable SNI host check
+
 6.0.0
 -----
 * Update Parent Pom to 362 [changes see here]( https://github.com/opentable/otj-parent/blob/master/CHANGELOG.md#362)

diff --git a/otj-server-core/src/main/java/com/opentable/server/OtSecureRequestCustomizer.java b/otj-server-core/src/main/java/com/opentable/server/OtSecureRequestCustomizer.java
@@ -15,7 +15,7 @@
 
 import java.time.Duration;
 import java.util.Optional;
-import java.util.function.BiConsumer;
+import java.util.function.BiFunction;
 
 import javax.net.ssl.SSLEngine;
 
@@ -35,7 +35,7 @@ public class OtSecureRequestCustomizer extends SecureRequestCustomizer {
     private static final Logger LOG = LoggerFactory.getLogger(HttpChannel.class);
     private static final Logger BUCKET_LOG = BucketLog.of(HttpChannel.class, 1, Duration.ofSeconds(10)); // 1 per 10 second
     private final ServerConnectorConfig config;
-    private Optional<BiConsumer<SSLEngine, Request>> sniErrorCallback = Optional.empty();
+    private Optional<BiFunction<SSLEngine, Request, Boolean>> sniErrorCallback = Optional.empty();
 
     public OtSecureRequestCustomizer(ServerConnectorConfig config) {
         super(config.isSniRequired(), config.isSniHostCheck(), -1, false);
@@ -55,8 +55,9 @@ protected void customize(SSLEngine sslEngine, Request request) {
                     sslEngine.getSession().getValue(X509_CERT),
                     sslEngine.getPeerHost(),
                     sslEngine.getPeerPort());
-                sniErrorCallback.ifPresent(c -> c.accept(sslEngine, request));
-                throw ex;
+                if (sniErrorCallback.map(i -> i.apply(sslEngine, request)).orElse(true)) {
+                    throw ex;
+                }
             }
         } else {
             BUCKET_LOG.warn("SNIHOST: Host={}, SNI=null, SNI Certificate={}, peerHost={}, peerPort={}",
@@ -67,7 +68,7 @@ protected void customize(SSLEngine sslEngine, Request request) {
         }
     }
 
-    public void setSniErrorCallback(BiConsumer<SSLEngine, Request> sniErrorCallback) {
+    public void setSniErrorCallback(BiFunction<SSLEngine, Request, Boolean> sniErrorCallback) {
         this.sniErrorCallback = Optional.ofNullable(sniErrorCallback);
     }
 }