From c1747690f03f1a7593e119b3441b03c99c6e902b Mon Sep 17 00:00:00 2001
From: Dmitry Kaukov
Date: Thu, 29 Jun 2023 16:34:24 +1000
Subject: [PATCH] OTPL-8083 OtSecureRequestCustomizer More customizable callback.
---
 CHANGELOG.md | 4 ++++
 .../opentable/server/OtSecureRequestCustomizer.java | 11 ++++++-----
 2 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 29afb91..1928b81 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,9 @@
 otj-server
 =========
+6.0.1, 6.0.2, 6.0.3, 6.0.4
+-----
+* More customizable SNI host check
+
 6.0.0
 -----
 * Update Parent Pom to 362 [changes see here]( https://github.com/opentable/otj-parent/blob/master/CHANGELOG.md#362)
diff --git a/otj-server-core/src/main/java/com/opentable/server/OtSecureRequestCustomizer.java b/otj-server-core/src/main/java/com/opentable/server/OtSecureRequestCustomizer.java
index 0e76865..10281cf 100644
--- a/otj-server-core/src/main/java/com/opentable/server/OtSecureRequestCustomizer.java
+++ b/otj-server-core/src/main/java/com/opentable/server/OtSecureRequestCustomizer.java
@@ -15,7 +15,7 @@
 import java.time.Duration;
 import java.util.Optional;
-import java.util.function.BiConsumer;
+import java.util.function.BiFunction;
 import javax.net.ssl.SSLEngine;
@@ -35,7 +35,7 @@ public class OtSecureRequestCustomizer extends SecureRequestCustomizer {
 private static final Logger LOG = LoggerFactory.getLogger(HttpChannel.class);
 private static final Logger BUCKET_LOG = BucketLog.of(HttpChannel.class, 1, Duration.ofSeconds(10)); // 1 per 10 second
 private final ServerConnectorConfig config;
- private Optional> sniErrorCallback = Optional.empty();
+ private Optional> sniErrorCallback = Optional.empty();
 public OtSecureRequestCustomizer(ServerConnectorConfig config) {
 super(config.isSniRequired(), config.isSniHostCheck(), -1, false);
@@ -55,8 +55,9 @@ protected void customize(SSLEngine sslEngine, Request request) {
 sslEngine.getSession().getValue(X509_CERT),
 sslEngine.getPeerHost(),
 sslEngine.getPeerPort());
- sniErrorCallback.ifPresent(c -> c.accept(sslEngine, request));
- throw ex;
+ if (sniErrorCallback.map(i -> i.apply(sslEngine, request)).orElse(true)) {
+ throw ex;
+ }
 }
 } else {
 BUCKET_LOG.warn("SNIHOST: Host={}, SNI=null, SNI Certificate={}, peerHost={}, peerPort={}",
@@ -67,7 +68,7 @@ protected void customize(SSLEngine sslEngine, Request request) {
 }
 }
- public void setSniErrorCallback(BiConsumer sniErrorCallback) {
+ public void setSniErrorCallback(BiFunction sniErrorCallback) {
 this.sniErrorCallback = Optional.ofNullable(sniErrorCallback);
 }
 }
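Review bot: In the `@@ -55,8 +55,9 @@` hunk of `customize`, a callback that returns false now drops the SNI host-check exception and lets the request proceed, with nothing recording that the rejection was overridden. The log call whose arguments precede the change appears to run before the callback is consulted, so its output would read the same for a rejected and an allowed request. I would add an else branch such as `} else { BUCKET_LOG.warn("SNIHOST: host check failure overridden by sniErrorCallback, peerHost={}", sslEngine.getPeerHost()); }`. A null result from the callback still rejects, because `Optional.map` turns a null result into an empty Optional and `orElse(true)` then applies; that fail-closed default deserves a one-line comment so it is not refactored away. The body of `customize` starts and ends outside the hunk.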
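Review bot: `setSniErrorCallback` in the `@@ -67,7 +68,7 @@` hunk has no Javadoc, yet the callback's return value now decides whether a failed SNI host check rejects the request. Proposed: `/** Sets the callback run when the SNI host check fails; return true to rethrow and reject the request, false to let it proceed. With no callback, or a null result, the request is rejected. */`. The parameter type also changes from BiConsumer to BiFunction on a public method, which the changelog files under patch versions, so existing callers will presumably need a source change; that is worth stating in the changelog entry.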