diff options
author | Morten Tokle <mortent@verizonmedia.com> | 2020-10-14 09:06:55 +0200 |
---|---|---|
committer | Morten Tokle <mortent@verizonmedia.com> | 2020-10-14 09:06:55 +0200 |
commit | ef16ddcca082541a9c5b36d66cb45d405f5e8630 (patch) | |
tree | 06c42c2701111c882ecb899691fc21985443ca9b | |
parent | a5c0acab0b2021df94600ba61d6de268308608e9 (diff) |
Read client authentication attribute from access control element
5 files changed, 46 insertions, 1 deletions
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/http/AccessControl.java b/config-model/src/main/java/com/yahoo/vespa/model/container/http/AccessControl.java index f04edeb67f4..1e5c944f8dc 100644 --- a/config-model/src/main/java/com/yahoo/vespa/model/container/http/AccessControl.java +++ b/config-model/src/main/java/com/yahoo/vespa/model/container/http/AccessControl.java @@ -26,6 +26,8 @@ import java.util.Set; */ public class AccessControl { + public enum ClientAuthentication { want, need } + public static final ComponentId ACCESS_CONTROL_CHAIN_ID = ComponentId.fromString("access-control-chain"); public static final ComponentId ACCESS_CONTROL_EXCLUDED_CHAIN_ID = ComponentId.fromString("access-control-excluded-chain"); @@ -46,6 +48,7 @@ public class AccessControl { private final String domain; private boolean readEnabled = false; private boolean writeEnabled = true; + private ClientAuthentication clientAuthentication = ClientAuthentication.need; private final Set<BindingPattern> excludeBindings = new LinkedHashSet<>(); private Collection<Handler<?>> handlers = Collections.emptyList(); @@ -73,25 +76,33 @@ public class AccessControl { return this; } + public Builder clientAuthentication(ClientAuthentication clientAuthentication) { + this.clientAuthentication = clientAuthentication; + return this; + } + public AccessControl build() { - return new AccessControl(domain, writeEnabled, readEnabled, excludeBindings, handlers); + return new AccessControl(domain, writeEnabled, readEnabled, clientAuthentication, excludeBindings, handlers); } } public final String domain; public final boolean readEnabled; public final boolean writeEnabled; + public final ClientAuthentication clientAuthentication; private final Set<BindingPattern> excludedBindings; private final Collection<Handler<?>> handlers; private AccessControl(String domain, boolean writeEnabled, boolean readEnabled, + ClientAuthentication clientAuthentication, Set<BindingPattern> excludedBindings, Collection<Handler<?>> handlers) { this.domain = domain; this.readEnabled = readEnabled; this.writeEnabled = writeEnabled; + this.clientAuthentication = clientAuthentication; this.excludedBindings = Collections.unmodifiableSet(excludedBindings); this.handlers = handlers; } diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/http/xml/HttpBuilder.java b/config-model/src/main/java/com/yahoo/vespa/model/container/http/xml/HttpBuilder.java index 5b360b478fa..004539688e2 100644 --- a/config-model/src/main/java/com/yahoo/vespa/model/container/http/xml/HttpBuilder.java +++ b/config-model/src/main/java/com/yahoo/vespa/model/container/http/xml/HttpBuilder.java @@ -73,6 +73,13 @@ public class HttpBuilder extends VespaDomBuilder.DomConfigProducerBuilder<Http> readAttr -> builder.readEnabled(Boolean.valueOf(readAttr))); XmlHelper.getOptionalAttribute(accessControlElem, "write").ifPresent( writeAttr -> builder.writeEnabled(Boolean.valueOf(writeAttr))); + builder.clientAuthentication( + XmlHelper.getOptionalAttribute(accessControlElem, "tls-handshake-client-auth") + .map(value -> "want".equals(value) + ? AccessControl.ClientAuthentication.want + : AccessControl.ClientAuthentication.need) + .orElse(AccessControl.ClientAuthentication.need) + ); Element excludeElem = XML.getChild(accessControlElem, "exclude"); if (excludeElem != null) { diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java index dee03fb58d3..bc8b01ec6df 100644 --- a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java +++ b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java @@ -368,6 +368,7 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> { .setHandlers(cluster) .readEnabled(false) .writeEnabled(false) + .clientAuthentication(AccessControl.ClientAuthentication.need) .build() .configureHttpFilterChains(http); } diff --git a/config-model/src/main/resources/schema/container.rnc b/config-model/src/main/resources/schema/container.rnc index 034de1113c2..3c219558b9d 100644 --- a/config-model/src/main/resources/schema/container.rnc +++ b/config-model/src/main/resources/schema/container.rnc @@ -26,6 +26,7 @@ AccessControl = element access-control { attribute domain { xsd:NCName }? & # TODO Vespa 8 Remove attribute read { string "true" | string "false" }? & # TODO Vespa 8 Remove attribute write { string "true" | string "false" }? & # TODO Vespa 8 Remove + attribute tls-handshake-client-auth {string "want" | string "need"}? & element vespa-domain { xsd:NCName }? & # TODO Remove after end of March 2020 element exclude { Binding+ diff --git a/config-model/src/test/java/com/yahoo/vespa/model/container/xml/AccessControlTest.java b/config-model/src/test/java/com/yahoo/vespa/model/container/xml/AccessControlTest.java index 92b54a4679d..f21ab28be72 100644 --- a/config-model/src/test/java/com/yahoo/vespa/model/container/xml/AccessControlTest.java +++ b/config-model/src/test/java/com/yahoo/vespa/model/container/xml/AccessControlTest.java @@ -171,6 +171,7 @@ public class AccessControlTest extends ContainerModelBuilderTestBase { AccessControl accessControl = maybeAccessControl.get(); assertThat(accessControl.writeEnabled, is(false)); assertThat(accessControl.readEnabled, is(false)); + assertThat(accessControl.clientAuthentication, is(AccessControl.ClientAuthentication.need)); assertThat(accessControl.domain, equalTo("my-tenant-domain")); } @@ -267,6 +268,30 @@ public class AccessControlTest extends ContainerModelBuilderTestBase { assertThat(actualCustomChainBindings, containsInAnyOrder("http://*/custom-handler/*")); } + @Test + public void access_control_client_auth_defaults_to_need() { + Http http = createModelAndGetHttp( + " <http>", + " <filtering>", + " <access-control />", + " </filtering>", + " </http>"); + assertTrue(http.getAccessControl().isPresent()); + assertEquals(AccessControl.ClientAuthentication.need, http.getAccessControl().get().clientAuthentication); + } + + @Test + public void access_control_client_auth_can_be_overridden() { + Http http = createModelAndGetHttp( + " <http>", + " <filtering>", + " <access-control tls-handshake-client-auth=\"want\"/>", + " </filtering>", + " </http>"); + assertTrue(http.getAccessControl().isPresent()); + assertEquals(AccessControl.ClientAuthentication.want, http.getAccessControl().get().clientAuthentication); + } + private Http createModelAndGetHttp(String... httpElement) { List<String> servicesXml = new ArrayList<>(); servicesXml.add("<container version='1.0'>"); |