Use Common Name instead of SPIFFE URI for mTLS app identity

gradle/scripts/lib/java-javadoc.gradle

@@ -458,7 +458,7 @@ class DownloadJavadocPackageListTask extends DefaultTask {
         return [success, javadocUrl, listFileDir.asFile]
     }
 
-    private def downloadListFile(File listFile, URL listUrl) {
+    def downloadListFile(File listFile, URL listUrl) {
         // Do not attempt to download more than once.
         if (!visitedUrls.add(listUrl.toString())) {
             return

server/src/main/java/com/linecorp/centraldogma/server/internal/api/auth/ApplicationCertificateAuthorizer.java

@@ -60,7 +60,7 @@ public final class ApplicationCertificateAuthorizer implements Authorizer<HttpRe
             AttributeKey.valueOf(ApplicationCertificateAuthorizer.class, "CERTIFICATE_ID");
 
     // TODO(minwoox): Make it configurable via SPI.
-    private static final ApplicationCertificateIdExtractor ID_EXTRACTOR = SpiffeIdExtractor.INSTANCE;
+    private static final ApplicationCertificateIdExtractor ID_EXTRACTOR = CommonNameExtractor.INSTANCE;
 
     private final Function<String, CertificateAppIdentity> certificateLookupFunc;
 

server/src/main/java/com/linecorp/centraldogma/server/internal/api/auth/SpiffeIdExtractor.java → server/src/main/java/com/linecorp/centraldogma/server/internal/api/auth/CommonNameExtractor.java

@@ -15,49 +15,36 @@
  */
 package com.linecorp.centraldogma.server.internal.api.auth;
 
-import java.security.cert.CertificateParsingException;
 import java.security.cert.X509Certificate;
-import java.util.Collection;
-import java.util.List;
+
+import javax.naming.InvalidNameException;
+import javax.naming.ldap.LdapName;
+import javax.naming.ldap.Rdn;
 
 import org.jspecify.annotations.Nullable;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import com.linecorp.centraldogma.server.auth.ApplicationCertificateIdExtractor;
 
-enum SpiffeIdExtractor implements ApplicationCertificateIdExtractor {
+enum CommonNameExtractor implements ApplicationCertificateIdExtractor {
 
     INSTANCE;
 
-    private static final Logger logger = LoggerFactory.getLogger(SpiffeIdExtractor.class);
+    private static final Logger logger = LoggerFactory.getLogger(CommonNameExtractor.class);
 
     @Nullable
     @Override
     public String extractCertificateId(X509Certificate certificate) {
         try {
-            final Collection<List<?>> subjectAlternativeNames = certificate.getSubjectAlternativeNames();
-            if (subjectAlternativeNames == null) {
-                return null;
-            }
-
-            // We're looking for type 6 (URI)
-            for (List<?> san : subjectAlternativeNames) {
-                if (san.size() >= 2) {
-                    final Integer type = (Integer) san.get(0);
-                    if (type != null && type == 6) { // URI type
-                        final Object value = san.get(1);
-                        if (value instanceof String) {
-                            final String uri = (String) value;
-                            if (uri.startsWith("spiffe://")) {
-                                return uri.substring(9); // Remove "spiffe://"
-                            }
-                        }
-                    }
+            final LdapName ldapName = new LdapName(certificate.getSubjectX500Principal().getName());
+            for (Rdn rdn : ldapName.getRdns()) {
+                if ("CN".equalsIgnoreCase(rdn.getType())) {
+                    return rdn.getValue().toString();
                 }
             }
-        } catch (CertificateParsingException e) {
-            logger.trace("Failed to parse certificate SAN", e);
+        } catch (InvalidNameException e) {
+            logger.trace("Failed to parse certificate subject DN", e);
         }
         return null;
     }

server/src/test/java/com/linecorp/centraldogma/server/internal/admin/auth/CertificateAppIdentityAuthTest.java

@@ -56,7 +56,7 @@
 
 final class CertificateAppIdentityAuthTest {
 
-    private static final String CERT_ID = "centraldogma.com/my-client";
+    private static final String CERT_ID = "my-client";
 
     @Order(1)
     @RegisterExtension
@@ -69,8 +69,7 @@ final class CertificateAppIdentityAuthTest {
     @Order(3)
     @RegisterExtension
     static final SignedCertificateExtension clientCert =
-            new SignedCertificateExtension("my-client", ca,
-                                           ImmutableList.of("spiffe://" + CERT_ID));
+            new SignedCertificateExtension("my-client", ca);
 
     @RegisterExtension
     static final CentralDogmaExtension dogma = new CentralDogmaExtension() {

server/src/test/java/com/linecorp/centraldogma/server/metadata/MetadataApiServiceTest.java

@@ -74,7 +74,7 @@ class MetadataApiServiceTest {
     private static final String MEMBER_ID = "member_id@linecorp.com";
     private static final String MEMBER_TOKEN_APP_ID = "foo_token";
     private static final String MEMBER_CERTIFICATE_APP_ID = "foo_cert";
-    private static final String CERT_ID = "centraldogma.com/my-client";
+    private static final String CERT_ID = "my-client";
     private static final String APP_ID = "app_id";
 
     @Order(1)
@@ -88,8 +88,7 @@ class MetadataApiServiceTest {
     @Order(3)
     @RegisterExtension
     static final SignedCertificateExtension clientCert =
-            new SignedCertificateExtension("my-client", ca,
-                                           ImmutableList.of("spiffe://" + CERT_ID));
+            new SignedCertificateExtension("my-client", ca);
 
     @RegisterExtension
     static CentralDogmaExtension dogma = new CentralDogmaExtension() {
@@ -139,11 +138,8 @@ private static void configureWebClient(WebClientBuilder builder) {
                                      .build());
     }
 
-    @SuppressWarnings("NotNullFieldNotInitialized")
     static BlockingWebClient systemAdminClient;
-    @SuppressWarnings("NotNullFieldNotInitialized")
     static BlockingWebClient memberTokenClient;
-    @SuppressWarnings("NotNullFieldNotInitialized")
     static BlockingWebClient memberCertClient;
 
     @BeforeAll

webapp/src/dogma/features/app-identity/NewAppIdentity.tsx

@@ -154,7 +154,8 @@ export const NewAppIdentity = () => {
                   {...register('appId', { pattern: APP_ID_PATTERN })}
                 />
                 <FormHelperText pl={1}>
-                  Register the app identity with a project before accessing it.
+                  A unique identifier for the application. It must be registered with a project to access
+                  repositories.
                 </FormHelperText>
                 {errors.appId && (
                   <FormErrorMessage>The first/last character must be alphanumeric</FormErrorMessage>
@@ -172,7 +173,8 @@ export const NewAppIdentity = () => {
                     })}
                   />
                   <FormHelperText pl={1}>
-                    The ID of the client certificate to be used for mTLS authentication.
+                    An identifier extracted from the client certificate for mTLS authentication, e.g., Common
+                    Name (CN) or SPIFFE ID in SAN.
                   </FormHelperText>
                   {errors.certificateId && <FormErrorMessage>Certificate ID is required</FormErrorMessage>}
                 </FormControl>