Skip CA certificates during mTLS client certificate authentication

[minwoox]

Motivation:
The ApplicationCertificateAuthorizer previously had code to skip CA certificates commented out with a TODO note to uncomment after fixing SignedCertificateExtension to generate end-entity certificates. Now that the extension has been fixed, the filtering logic can be enabled.

Modifications:

• Uncomment the basicConstraints check in ApplicationCertificateAuthorizer to skip CA certificates and only extract identity from leaf (end-entity) certificates

Result:

• mTLS authentication now correctly ignores CA certificates in the peer certificate chain and only uses end-entity (leaf) certificates for application identity extraction.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 97921a78-1214-481e-a598-4517f8784320

📥 Commits

Reviewing files that changed from the base of the PR and between 6e561bc and f24b2b6.

📒 Files selected for processing (3)

• server/src/main/java/com/linecorp/centraldogma/server/internal/api/auth/ApplicationCertificateAuthorizer.java
• server/src/test/java/com/linecorp/centraldogma/server/internal/admin/auth/CertificateAppIdentityAuthTest.java
• server/src/test/java/com/linecorp/centraldogma/server/metadata/MetadataApiServiceTest.java

💤 Files with no reviewable changes (1)

• server/src/main/java/com/linecorp/centraldogma/server/internal/api/auth/ApplicationCertificateAuthorizer.java

---

📝 Walkthrough

Walkthrough

Uncommented the X.509 basic-constraints check in the certificate authorizer to always skip CA certificates during peer-certificate iteration. Updated two test files to pass an additional false boolean parameter to the SignedCertificateExtension constructor to accommodate the enabled check.

Changes

Cohort / File(s)	Summary
Certificate Authorization server/src/main/java/com/linecorp/centraldogma/server/internal/api/auth/ApplicationCertificateAuthorizer.java	Removed commented-out block that was conditionally disabling the CA certificate skip logic. The x509Certificate.getBasicConstraints() != -1 check now executes unconditionally during peer-certificate iteration.
Test Configuration Updates server/src/test/java/com/linecorp/centraldogma/server/internal/admin/auth/CertificateAppIdentityAuthTest.java, server/src/test/java/com/linecorp/centraldogma/server/metadata/MetadataApiServiceTest.java	Updated SignedCertificateExtension constructor calls to pass false as a third boolean parameter in client certificate setup, aligning test configuration with the now-enabled authorization logic.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Possibly related PRs

• Add support for mTLS-based application authentication #1255 — Introduces mTLS functionality and the SignedCertificateExtension class that is now being updated in these test files, with direct interaction to the certificate authorization behavior being enabled here.

Suggested labels

improvement

Suggested reviewers

• trustin
• jrhee17
• ikhoon

Poem

🐰 Hop, hop—commented lines now freed!
CA checks enabled, just what we need,
Tests aligned with logic so true,
X.509 paths now skip right through! ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title directly describes the main change: uncommenting code to skip CA certificates during mTLS client certificate authentication.
Description check	✅ Passed	The description is clearly related to the changeset, explaining the motivation for uncommenting the CA certificate filtering logic and the expected result.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

Tip

CodeRabbit can generate a title for your PR based on the changes.

Add @coderabbitai placeholder anywhere in the title of your PR and CodeRabbit will replace it with a title based on the changes in the PR. You can change the placeholder by changing the reviews.auto_title_placeholder setting.

[jrhee17]

👍 👍

[ikhoon]

👍👍