exceptionfactory commented on a change in pull request #4866:
URL: https://github.com/apache/nifi/pull/4866#discussion_r585743722



##########
File path: 
nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/CertificateUtils.java
##########
@@ -149,6 +149,27 @@ public static String extractUsername(String dn) {
                     username = StringUtils.substring(dn, cnIndex + 
cnPattern.length());
                 }
             }
+
+            /*
+                https://tools.ietf.org/html/rfc5280#section-4.1.2.6
+
+                Legacy implementations exist where an electronic mail address 
is
+                embedded in the subject distinguished name as an emailAddress
+                attribute [RFC2985].  The attribute value for emailAddress is 
of type
+                IA5String to permit inclusion of the character '@', which is 
not part
+                of the PrintableString character set.  emailAddress attribute 
values
+                are not case-sensitive (e.g., "subscri...@example.com" is the 
same as
+                "subscri...@example.com").
+             */
+            final String emailPattern = "/emailAddress=";
+            final int index = StringUtils.indexOfIgnoreCase(username, 
emailPattern);
+            if (index >= 0) {
+                String[] dnParts = username.split(emailPattern);
+                if (dnParts.length > 0) {
+                    // only use the actual CN
+                    username = dnParts[0];
+                }
+            }
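
Review bot: the match and the cut disagree on case. `StringUtils.indexOfIgnoreCase(username, emailPattern)` detects the attribute case-insensitively, but `username.split(emailPattern)` treats the same string as a case-sensitive regular expression, so a value containing `/EMAILADDRESS=` passes the `index >= 0` check and then comes back unchanged with the email attribute still attached. Since `index` is already computed, `username = StringUtils.substring(username, 0, index);` would cut at the matched position regardless of case and remove the need for the array and the `dnParts.length > 0` check. It is also worth deciding what should happen when the value starts with `/emailAddress=`, because `dnParts[0]` is then an empty string and becomes the username; a unit test covering the mixed-case and leading-attribute inputs would pin both behaviours down.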

Review comment:
       Did you consider using a regular expression pattern?  That might simplify the approach and the Pattern could be compiled as a static variable.
   ```suggestion
               // Replace variable with: private static final Pattern EMAIL_ATTRIBUTE_PATTERN = Pattern.compile("/emailAddress=.+");
               final Pattern emailAttributePattern = Pattern.compile("/emailAddress=.+");
               final Matcher emailMatcher = emailAttributePattern.matcher(username);
               if (emailMatcher.find()) {
                   // Remove the emailAddress attribute and everything after it
                   username = emailMatcher.replaceAll(StringUtils.EMPTY);
               }
   ```



