Class CertPermissionMapper

java.lang.Object
com.loomcache.server.security.CertPermissionMapper

public final class CertPermissionMapper extends Object
Maps TLS certificate Common Names (CN) to permission levels.

Configuration maps CN patterns to CertPermissionMapper.PermissionLevel values: READ_ONLY, READ_WRITE, or ADMIN.

Supports exact match and wildcard prefix matching (e.g., "cluster-*" matches "cluster-node1", "cluster-node2"). When multiple patterns match, exact matches take priority over wildcard matches, and among wildcards, the longest prefix wins.

Thread-safe and immutable after construction.

Since:
2.0
  • Constructor Details

  • Method Details

    • resolve

      public @Nullable CertPermissionMapper.PermissionLevel resolve(String commonName)
      Resolve the permission level for a given Common Name.

      Resolution order:

      1. Exact match (highest priority)
      2. Longest wildcard prefix match
      3. Default: null (no access — unmapped CNs are denied)
      Parameters:
      commonName - the certificate CN to resolve (must not be null)
      Returns:
      the resolved permission level, or null if no mapping matches (deny access)
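The resolution order above (exact match, then longest wildcard prefix, then null meaning deny) as a worked example. This is an added stand-in, not the project's CertPermissionMapper: the constructor taking a Map of pattern to level, the DemoMapper and authorize names, and the sample CNs are assumptions made for the demonstration.

```java
import java.util.Comparator;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Objects;

// Added example (not LoomCache code): a mapper with the same resolution
// order as CertPermissionMapper.resolve, plus a caller that treats null
// as deny rather than falling back to some default level.
public final class ResolutionOrderDemo {

    enum PermissionLevel { READ_ONLY, READ_WRITE, ADMIN }

    static final class DemoMapper {
        private final Map<String, PermissionLevel> exact = new LinkedHashMap<>();
        // key = wildcard prefix with the trailing '*' removed
        private final Map<String, PermissionLevel> wildcardPrefixes = new LinkedHashMap<>();

        // Assumed constructor shape: CN pattern -> level (e.g. from a config file).
        DemoMapper(Map<String, PermissionLevel> config) {
            for (Map.Entry<String, PermissionLevel> e : config.entrySet()) {
                String pattern = e.getKey();
                if (pattern.endsWith("*")) {
                    wildcardPrefixes.put(pattern.substring(0, pattern.length() - 1), e.getValue());
                } else {
                    exact.put(pattern, e.getValue());
                }
            }
        }

        PermissionLevel resolve(String commonName) {
            Objects.requireNonNull(commonName, "commonName");
            // 1. Exact match has highest priority.
            PermissionLevel direct = exact.get(commonName);
            if (direct != null) {
                return direct;
            }
            // 2. Among matching wildcard prefixes, the longest prefix wins.
            return wildcardPrefixes.entrySet().stream()
                    .filter(e -> commonName.startsWith(e.getKey()))
                    .max(Comparator.comparingInt(e -> e.getKey().length()))
                    .map(Map.Entry::getValue)
                    .orElse(null); // 3. No mapping: null, i.e. deny.
        }
    }

    // Caller-side check: null is an explicit deny, never a default grant.
    static boolean authorize(DemoMapper mapper, String cn, PermissionLevel required) {
        PermissionLevel granted = mapper.resolve(cn);
        return granted != null && granted.ordinal() >= required.ordinal();
    }

    public static void main(String[] args) {
        Map<String, PermissionLevel> config = new LinkedHashMap<>();
        config.put("cluster-*", PermissionLevel.READ_WRITE);        // short prefix
        config.put("cluster-admin-*", PermissionLevel.ADMIN);       // longer prefix
        config.put("cluster-admin-audit", PermissionLevel.READ_ONLY); // exact entry
        DemoMapper mapper = new DemoMapper(config);

        // Constructed sample CNs and the level each should resolve to.
        System.out.println(mapper.resolve("cluster-node1"));        // READ_WRITE (cluster-*)
        System.out.println(mapper.resolve("cluster-admin-1"));      // ADMIN (longest prefix)
        System.out.println(mapper.resolve("cluster-admin-audit"));  // READ_ONLY (exact beats wildcard)
        System.out.println(mapper.resolve("monitoring-1"));         // null (unmapped -> deny)
        System.out.println(mapper.resolve(""));                     // null (empty CN -> deny)

        System.out.println(authorize(mapper, "cluster-node1", PermissionLevel.ADMIN)); // false
        System.out.println(authorize(mapper, "monitoring-1", PermissionLevel.READ_ONLY)); // false
    }
}
```

The last two calls are the point of the authorize helper: a null from resolve must be treated as "no access" by every caller, and a READ_WRITE mapping must not satisfy an ADMIN requirement. Note also that a wildcard pattern is only as selective as its prefix, so mappings should be reviewed for prefixes short enough to match CNs issued for other purposes.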
    • resolveFromCertificate

      public @Nullable CertPermissionMapper.PermissionLevel resolveFromCertificate(X509Certificate cert)
      Extract the Common Name from an X.509 certificate and resolve its permission level.
      Parameters:
      cert - the X.509 certificate (must not be null)
      Returns:
      the resolved permission level, or null if no mapping matches (deny access)
    • extractCommonName

      public static String extractCommonName(X509Certificate cert)
      Extract the Common Name (CN) from an X.509 certificate's subject distinguished name.
      Parameters:
      cert - the X.509 certificate (must not be null)
      Returns:
      the CN value, or an empty string if no CN is present or parsing fails
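The documented contract (CN value, or an empty string when no CN is present or parsing fails) as an added example that is not the project's implementation. It uses the standard javax.naming.ldap.LdapName parser on the RFC 2253 subject string returned by X509Certificate.getSubjectX500Principal().getName(); the helper names and the sample DN strings are constructed for the demonstration.

```java
import java.security.cert.X509Certificate;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

// Added example (not LoomCache code): extract the subject CN with a real
// DN parser instead of splitting on commas, and fail closed (return "")
// on a missing CN or a malformed DN.
public final class CommonNameExtractionDemo {

    static String extractCommonName(X509Certificate cert) {
        // RFC 2253 form, e.g. "CN=cluster-node1,OU=cache,O=Example"
        return commonNameFromDn(cert.getSubjectX500Principal().getName());
    }

    // Separated out so it can be exercised on plain DN strings without a certificate.
    static String commonNameFromDn(String dn) {
        try {
            LdapName name = new LdapName(dn);
            // getRdns() lists RDNs root-first; the first CN encountered is used.
            for (Rdn rdn : name.getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    Object value = rdn.getValue(); // unescaped attribute value
                    return value == null ? "" : value.toString();
                }
            }
            return ""; // subject has no CN attribute
        } catch (InvalidNameException e) {
            return ""; // malformed DN: treat as no CN
        }
    }

    public static void main(String[] args) {
        // Constructed sample subject strings.
        System.out.println(commonNameFromDn("CN=cluster-node1,OU=cache,O=Example")); // cluster-node1
        System.out.println(commonNameFromDn("OU=cache,O=Example"));                  // "" (no CN)
        System.out.println(commonNameFromDn("this is not a DN"));                    // "" (parse failure)
        // An escaped comma inside the CN is part of the value, not a separator;
        // a naive split on ',' would truncate it to "node".
        System.out.println(commonNameFromDn("CN=node\\,1,O=Example"));               // node,1
    }
}
```

Because the empty string is what the resolver sees for a certificate without a CN, the mapper's deny-by-default behaviour for unmapped names is what keeps such certificates out; a configuration must therefore never map the empty string. The mapping also rests entirely on the issuing CA only signing certificates whose CNs are meant to carry these permissions.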
    • parsePermissionLevel

      public static CertPermissionMapper.PermissionLevel parsePermissionLevel(String level)
      Parse a permission level string to the enum value.
      Parameters:
      level - the permission level string (must not be null)
      Returns:
      the parsed permission level
      Throws:
      IllegalArgumentException - if the string is not a valid permission level