author | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2022-12-02 16:28:28 +0100 |
committer | GitHub <noreply@github.com> | 2022-12-02 16:28:28 +0100 |
commit | 5ae4ae79edbf6668776e26c21ba47fcc58c844ec (patch) | |
tree | 1a21fc01300e9d9fd62a6f5f4041317912461245 | |
parent | 42c05e4dc000a82a9cbe2d00604bd17d708a2cd2 (diff) | |
parent | fe023e4ecf2b3eb2f9ebb2e71bf652cbf5f1a4dd (diff) |
Merge pull request #25093 from vespa-engine/mortent/validate-empty-cert-files
Enforce at least one cert in files
2 files changed, 28 insertions, 1 deletions
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
index 007e8401c70..13ab012dedb 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
@@ -532,7 +532,11 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> {
 Reader reader = file.createReader();
 String certPem = IOUtils.readAll(reader);
 reader.close();
-return X509CertificateUtils.certificateListFromPem(certPem);
+List<X509Certificate> x509Certificates = X509CertificateUtils.certificateListFromPem(certPem);
+if (x509Certificates.isEmpty()) {
+throw new IllegalArgumentException("File %s does not contain any certificates.".formatted(file.getPath().getRelative()));
+}
+return x509Certificates;
 } catch (IOException e) {
 throw new RuntimeException(e);
 }
diff --git a/config-model/src/test/java/com/yahoo/vespa/model/container/xml/CloudDataPlaneFilterTest.java b/config-model/src/test/java/com/yahoo/vespa/model/container/xml/CloudDataPlaneFilterTest.java
index 39d2da11465..1ccaa7d6325 100644
--- a/config-model/src/test/java/com/yahoo/vespa/model/container/xml/CloudDataPlaneFilterTest.java
+++ b/config-model/src/test/java/com/yahoo/vespa/model/container/xml/CloudDataPlaneFilterTest.java
@@ -30,6 +30,7 @@ import javax.security.auth.x500.X500Principal;
 import java.io.File;
 import java.io.IOException;
 import java.math.BigInteger;
+import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.security.KeyPair;
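Review bot: The new empty-list guard adds a failure mode that the method's contract does not declare: the method (its signature and Javadoc, if any, are above the hunk) now throws IllegalArgumentException on a file that parses to zero certificates, in addition to the RuntimeException-wrapped IOException from the catch clause, so callers that treated this as a pure parse step need to know. Add `@throws IllegalArgumentException if {@code file} contains no PEM certificates` to the method's Javadoc. Separately, the context lines in this hunk open the reader by hand and close it only on the success path, so an exception from `IOUtils.readAll` leaves it unclosed; since the body is being reworked anyway, `try (Reader reader = file.createReader()) { certPem = IOUtils.readAll(reader); }` would close it on every path. That last point is pre-existing rather than introduced here.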
@@ -42,7 +43,9 @@ import java.util.Optional; import static org.junit.jupiter.api.Assertions.assertEquals; import static org.junit.jupiter.api.Assertions.assertFalse; import static org.junit.jupiter.api.Assertions.assertIterableEquals; +import static org.junit.jupiter.api.Assertions.assertThrows; import static org.junit.jupiter.api.Assertions.assertTrue; +import static org.junit.jupiter.api.Assertions.fail; public class CloudDataPlaneFilterTest extends ContainerModelBuilderTestBase { @@ -144,6 +147,26 @@ public class CloudDataPlaneFilterTest extends ContainerModelBuilderTestBase { assertEquals(List.of(certificate), caCerts); } + @Test + public void it_rejects_files_without_certificates() throws IOException { + Path certFile = securityFolder.resolve("foo.pem"); + Element clusterElem = DomBuilderTest.parse( + """ + <container version='1.0'> + <clients> + <client id="foo" permissions="read,write"> + <certificate file="%s"/> + </client> + </clients> + </container> + """ + .formatted(applicationFolder.toPath().relativize(certFile).toString())); + Files.writeString(certFile, "effectively empty"); + + IllegalArgumentException exception = assertThrows(IllegalArgumentException.class, () -> buildModel(true, clusterElem)); + assertEquals("File security/foo.pem does not contain any certificates.", exception.getMessage()); + } + private ConnectorConfig connectorConfig() { ApplicationContainer container = (ApplicationContainer) root.getProducer("container/container.0"); List<ConnectorFactory> connectorFactories = container.getHttp().getHttpServer().get().getConnectorFactories(); |
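Review bot: The two imports this commit adds in the earlier hunks of this file, `java.nio.charset.StandardCharsets` (the -30 hunk) and `Assertions.fail` (the -42 hunk), are not used by the new test `it_rejects_files_without_certificates`: `Files.writeString(certFile, "effectively empty")` takes no charset argument and nothing calls `fail()`. Unless they are referenced elsewhere in the file outside these hunks, they should be dropped so the test compiles without unused-import warnings. The assertion `assertEquals("File security/foo.pem does not contain any certificates.", exception.getMessage())` also hard-codes the relative path that the test itself derives via `applicationFolder.toPath().relativize(certFile)`; reusing that derived string in the expected message would keep the test from breaking if the security folder name changes. The enclosing class continues past the hunk.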