author | Henning Baldersheim <balder@yahoo-inc.com> | 2023-02-14 07:34:24 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-02-14 07:34:24 +0100 |
commit | 091367f1ecf37c23278bbde772128c60f8e08749 (patch) | |
tree | 8bf1f68cb4d654914a2092147f60e3d4d622f62b | |
parent | 98869035893b99654614d6ff76189e3dbbb52482 (diff) |
Revert "Bjorncs/capabilities"
9 files changed, 27 insertions, 40 deletions
diff --git a/container-core/src/main/java/com/yahoo/container/jdisc/utils/CapabilityRequiringRequestHandler.java b/container-core/src/main/java/com/yahoo/container/jdisc/utils/CapabilityRequiringRequestHandler.java
index abb30ba2544..1dd866ae571 100644
--- a/container-core/src/main/java/com/yahoo/container/jdisc/utils/CapabilityRequiringRequestHandler.java
+++ b/container-core/src/main/java/com/yahoo/container/jdisc/utils/CapabilityRequiringRequestHandler.java
@@ -12,7 +12,7 @@ import com.yahoo.security.tls.CapabilitySet;
 */
 public interface CapabilityRequiringRequestHandler extends RequestHandler {
- CapabilitySet DEFAULT_REQUIRED_CAPABILITIES = CapabilitySet.of(Capability.HTTP_UNCLASSIFIED);
+ CapabilitySet DEFAULT_REQUIRED_CAPABILITIES = CapabilitySet.from(Capability.HTTP_UNCLASSIFIED);
 default CapabilitySet requiredCapabilities(RequestView req) { return DEFAULT_REQUIRED_CAPABILITIES; }
diff --git a/container-core/src/main/java/com/yahoo/restapi/RestApiImpl.java b/container-core/src/main/java/com/yahoo/restapi/RestApiImpl.java
index 1fd30edb252..59b78a1423d 100644
--- a/container-core/src/main/java/com/yahoo/restapi/RestApiImpl.java
+++ b/container-core/src/main/java/com/yahoo/restapi/RestApiImpl.java
@@ -269,7 +269,7 @@ class RestApiImpl implements RestApi {
 @Override public Builder disableDefaultAclMapping() { this.disableDefaultAclMapping = true; return this; }
 @Override public Builder requiredCapabilities(Capability... capabilities) {
- return requiredCapabilities(CapabilitySet.of(capabilities));
+ return requiredCapabilities(CapabilitySet.from(capabilities));
 }
 @Override public Builder requiredCapabilities(CapabilitySet capabilities) {
 if (requiredCapabilities != null) throw new IllegalStateException("Capabilities already set");
@@ -293,7 +293,7 @@ class RestApiImpl implements RestApi {
 @Override public RestApi.RouteBuilder name(String name) { this.name = name; return this; }
 @Override public RestApi.RouteBuilder requiredCapabilities(Capability... capabilities) {
- return requiredCapabilities(CapabilitySet.of(capabilities));
+ return requiredCapabilities(CapabilitySet.from(capabilities));
 }
 @Override public RestApi.RouteBuilder requiredCapabilities(CapabilitySet capabilities) {
 if (requiredCapabilities != null) throw new IllegalStateException("Capabilities already set");
@@ -396,7 +396,7 @@ class RestApiImpl implements RestApi {
 private CapabilitySet requiredCapabilities;
 @Override public HandlerConfigBuilder withRequiredCapabilities(Capability... capabilities) {
- return withRequiredCapabilities(CapabilitySet.of(capabilities));
+ return withRequiredCapabilities(CapabilitySet.from(capabilities));
 }
 @Override public HandlerConfigBuilder withRequiredCapabilities(CapabilitySet capabilities) {
 if (requiredCapabilities != null) throw new IllegalStateException("Capabilities already set");
diff --git a/jrt/src/com/yahoo/jrt/Method.java b/jrt/src/com/yahoo/jrt/Method.java
index 18affe35b6a..790aafd2743 100644
--- a/jrt/src/com/yahoo/jrt/Method.java
+++ b/jrt/src/com/yahoo/jrt/Method.java
@@ -154,7 +154,7 @@ public class Method {
 }
 public Method requestAccessFilter(RequestAccessFilter filter) { verifyNoFilterAssigned(); this.filter = filter; return this; }
- public Method requireCapabilities(Capability... capabilities) { return requireCapabilities(CapabilitySet.of(capabilities)); }
+ public Method requireCapabilities(Capability... capabilities) { return requireCapabilities(CapabilitySet.from(capabilities)); }
 public Method requireCapabilities(CapabilitySet capabilities) {
 verifyNoFilterAssigned();
 filter = new RequireCapabilitiesFilter(capabilities);
diff --git a/jrt/src/com/yahoo/jrt/RequireCapabilitiesFilter.java b/jrt/src/com/yahoo/jrt/RequireCapabilitiesFilter.java
index 3f5fabde973..90cc19880f0 100644
--- a/jrt/src/com/yahoo/jrt/RequireCapabilitiesFilter.java
+++ b/jrt/src/com/yahoo/jrt/RequireCapabilitiesFilter.java
@@ -20,7 +20,7 @@ public class RequireCapabilitiesFilter implements RequestAccessFilter {
 }
 public RequireCapabilitiesFilter(Capability... requiredCapabilities) {
- this(CapabilitySet.of(requiredCapabilities));
+ this(CapabilitySet.from(requiredCapabilities));
 }
 public static RequireCapabilitiesFilter unclassified() { return UNCLASSIFIED; }
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/Capability.java b/security-utils/src/main/java/com/yahoo/security/tls/Capability.java
index 8cb98a0dd59..a11b6d5f96a 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/Capability.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/Capability.java
@@ -29,8 +29,6 @@ public enum Capability implements ToCapabilitySet {
 LOGSERVER_API("vespa.logserver.api"),
 METRICSPROXY__MANAGEMENT_API("vespa.metricsproxy.management_api"),
 METRICSPROXY__METRICS_API("vespa.metricsproxy.metrics_api"),
- SENTINEL__CONNECTIVITY_CHECK("vespa.sentinel.connectivity_check"),
- SENTINEL__MANAGEMENT_API("vespa.sentinel.management_api"),
 SLOBROK__API("vespa.slobrok.api"),
 ;
@@ -40,7 +38,7 @@ public enum Capability implements ToCapabilitySet {
 public String asString() { return name; }
- @Override public CapabilitySet toCapabilitySet() { return CapabilitySet.of(this); }
+ @Override public CapabilitySet toCapabilitySet() { return CapabilitySet.from(this); }
 public static Capability fromName(String name) {
 return Arrays.stream(values())
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/CapabilitySet.java b/security-utils/src/main/java/com/yahoo/security/tls/CapabilitySet.java
index cc5bdbeafd3..70217665241 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/CapabilitySet.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/CapabilitySet.java 
@@ -21,36 +21,24 @@ public class CapabilitySet implements ToCapabilitySet {
 private static final Map<String, CapabilitySet> PREDEFINED = new HashMap<>();
- private static final CapabilitySet SHARED_CAPABILITIES_APP_NODE = CapabilitySet.of(
- Capability.LOGSERVER_API, Capability.CONFIGSERVER__CONFIG_API,
- Capability.CONFIGSERVER__FILEDISTRIBUTION_API, Capability.CONFIGPROXY__CONFIG_API,
- Capability.CONFIGPROXY__FILEDISTRIBUTION_API, Capability.SENTINEL__CONNECTIVITY_CHECK);
- /* Predefined capability sets */
- public static final CapabilitySet ALL = predefined(
- "vespa.all", Capability.values());
- public static final CapabilitySet TELEMETRY = predefined(
- "vespa.telemetry",
- Capability.CONTENT__STATUS_PAGES, Capability.CONTENT__METRICS_API);
 public static final CapabilitySet CONTENT_NODE = predefined(
 "vespa.content_node",
- Capability.CONTENT__STORAGE_API, Capability.CONTENT__DOCUMENT_API, Capability.CONTAINER__DOCUMENT_API,
- SHARED_CAPABILITIES_APP_NODE);
+ Capability.CONTENT__STORAGE_API, Capability.CONTENT__DOCUMENT_API, Capability.SLOBROK__API);
 public static final CapabilitySet CONTAINER_NODE = predefined(
 "vespa.container_node",
- Capability.CONTENT__DOCUMENT_API, Capability.CONTENT__SEARCH_API, SHARED_CAPABILITIES_APP_NODE);
+ Capability.CONTENT__DOCUMENT_API, Capability.CONTENT__SEARCH_API, Capability.SLOBROK__API);
+ public static final CapabilitySet TELEMETRY = predefined(
+ "vespa.telemetry",
+ Capability.CONTENT__STATUS_PAGES, Capability.CONTENT__METRICS_API);
 public static final CapabilitySet CLUSTER_CONTROLLER_NODE = predefined(
 "vespa.cluster_controller_node",
- Capability.CONTENT__CLUSTER_CONTROLLER__INTERNAL_STATE_API, Capability.SLOBROK__API,
- Capability.CLIENT__SLOBROK_API, Capability.CONTAINER__DOCUMENT_API, SHARED_CAPABILITIES_APP_NODE);
- public static final CapabilitySet LOGSERVER_NODE = predefined(
- "vespa.logserver_node", SHARED_CAPABILITIES_APP_NODE);
- public static final CapabilitySet CONFIGSERVER_NODE = predefined(
- "vespa.config_server_node",
- Capability.CLIENT__FILERECEIVER_API, Capability.CONTAINER__MANAGEMENT_API, TELEMETRY);
+ Capability.CONTENT__CLUSTER_CONTROLLER__INTERNAL_STATE_API, Capability.SLOBROK__API);
+ public static final CapabilitySet CONFIG_SERVER = predefined(
+ "vespa.config_server");
 private static CapabilitySet predefined(String name, ToCapabilitySet... capabilities) {
- var instance = CapabilitySet.of(capabilities);
+ var instance = CapabilitySet.from(capabilities);
 PREDEFINED.put(name, instance);
 return instance;
 }
@@ -80,13 +68,13 @@ public class CapabilitySet implements ToCapabilitySet {
 return new CapabilitySet(union);
 }
- public static CapabilitySet of(ToCapabilitySet... capabilities) {
+ public static CapabilitySet from(ToCapabilitySet... capabilities) {
 return CapabilitySet.unionOf(Arrays.stream(capabilities).map(ToCapabilitySet::toCapabilitySet).toList());
 }
- public static CapabilitySet of(EnumSet<Capability> caps) { return new CapabilitySet(EnumSet.copyOf(caps)); }
- public static CapabilitySet of(Collection<Capability> caps) { return new CapabilitySet(EnumSet.copyOf(caps)); }
- public static CapabilitySet of(Capability... caps) { return new CapabilitySet(EnumSet.copyOf(List.of(caps))); }
+ public static CapabilitySet from(EnumSet<Capability> caps) { return new CapabilitySet(EnumSet.copyOf(caps)); }
+ public static CapabilitySet from(Collection<Capability> caps) { return new CapabilitySet(EnumSet.copyOf(caps)); }
+ public static CapabilitySet from(Capability... caps) { return new CapabilitySet(EnumSet.copyOf(List.of(caps))); }
 public static CapabilitySet all() { return ALL_CAPABILITIES; }
 public static CapabilitySet none() { return NO_CAPABILITIES; }
diff --git a/security-utils/src/test/java/com/yahoo/security/tls/ConnectionAuthContextTest.java b/security-utils/src/test/java/com/yahoo/security/tls/ConnectionAuthContextTest.java
index 7092486e521..ae36cc2f774 100644
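Review bot: `CONFIG_SERVER = predefined("vespa.config_server")` on the new side is registered with no capabilities, so `from()` unions an empty list and the named set grants nothing; a peer policy that resolves "vespa.config_server" would then fail every check that requires at least one capability under ENFORCE. If that is deliberate, say so at the declaration, e.g. `// Intentionally empty: no capability-guarded API is exposed to the config server yet — TODO confirm`, otherwise list the capabilities it needs. Separately, `predefined()` registers with `PREDEFINED.put(name, instance)`, which silently replaces an earlier set registered under the same name; `if (PREDEFINED.putIfAbsent(name, instance) != null) throw new IllegalStateException("Duplicate predefined capability set: " + name);` would surface a copy-paste duplicate at class-initialization time. The hunk also drops the `ALL`/"vespa.all" entry from `PREDEFINED`, so a policy file naming it will presumably stop resolving — worth stating in the commit description if that is an intended effect of the revert.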
--- a/security-utils/src/test/java/com/yahoo/security/tls/ConnectionAuthContextTest.java
+++ b/security-utils/src/test/java/com/yahoo/security/tls/ConnectionAuthContextTest.java
@@ -28,16 +28,17 @@ class ConnectionAuthContextTest {
 void fails_on_missing_capabilities() {
 ConnectionAuthContext ctx = createConnectionAuthContext();
 assertThrows(MissingCapabilitiesException.class,
- () -> ctx.verifyCapabilities(CapabilitySet.of(Capability.CONTENT__STATUS_PAGES)));
+ () -> ctx.verifyCapabilities(CapabilitySet.from(Capability.CONTENT__STATUS_PAGES)));
 }
 @Test
 void creates_correct_error_message() {
 ConnectionAuthContext ctx = createConnectionAuthContext();
- CapabilitySet requiredCaps = CapabilitySet.of(Capability.CONTENT__STATUS_PAGES);
+ CapabilitySet requiredCaps = CapabilitySet.from(Capability.CONTENT__STATUS_PAGES);
 String expectedMessage = """
 Permission denied for 'myaction' on 'myresource'. Peer 'mypeer' with [CN='myidentity'].
- Requires capabilities [vespa.content.status_pages] but peer has [vespa.logserver.api].
+ Requires capabilities [vespa.content.status_pages] but peer has
+ [vespa.content.document_api, vespa.content.search_api, vespa.slobrok.api].
 """;
 String actualMessage = ctx.createPermissionDeniedErrorMessage(requiredCaps, "myaction", "myresource", "mypeer");
 assertThat(actualMessage).isEqualToIgnoringWhitespace(expectedMessage);
@@ -45,7 +46,7 @@ class ConnectionAuthContextTest {
 private static ConnectionAuthContext createConnectionAuthContext() {
 return new ConnectionAuthContext(
- List.of(createCertificate()), CapabilitySet.of(Capability.LOGSERVER_API), Set.of(),
+ List.of(createCertificate()), CapabilitySet.CONTAINER_NODE, Set.of(),
 CapabilityMode.ENFORCE);
 }
diff --git a/security-utils/src/test/java/com/yahoo/security/tls/PeerAuthorizerTest.java b/security-utils/src/test/java/com/yahoo/security/tls/PeerAuthorizerTest.java
index 55fa8424ae3..bea5c6108f2 100644
--- a/security-utils/src/test/java/com/yahoo/security/tls/PeerAuthorizerTest.java
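Review bot: The expected text in `creates_correct_error_message` now spells out the members of the production constant `CapabilitySet.CONTAINER_NODE` (the fixture in the second hunk switches to it), so a test about message wording will break whenever that predefined set changes. Building the fixture from an explicit set, e.g. `CapabilitySet.from(Capability.CONTENT__DOCUMENT_API, Capability.CONTENT__SEARCH_API, Capability.SLOBROK__API)`, keeps the message test independent of membership; the membership of the predefined sets deserves its own test. The listing order in the expected string appears to depend on enum declaration order via the `EnumSet` that `CapabilitySet` wraps — a one-line comment above the text block saying so would save the next reader a detour.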
+++ b/security-utils/src/test/java/com/yahoo/security/tls/PeerAuthorizerTest.java
@@ -149,7 +149,7 @@ public class PeerAuthorizerTest {
 }
 private static PeerPolicy createPolicy(String name, List<Capability> caps, List<RequiredPeerCredential> creds) {
- return new PeerPolicy(name, Optional.empty(), CapabilitySet.of(caps), creds);
+ return new PeerPolicy(name, Optional.empty(), CapabilitySet.from(caps), creds);
 }
 private static void assertAuthorized(ConnectionAuthContext result) {
diff --git a/security-utils/src/test/java/com/yahoo/security/tls/TransportSecurityOptionsJsonSerializerTest.java b/security-utils/src/test/java/com/yahoo/security/tls/TransportSecurityOptionsJsonSerializerTest.java
index 9ba5886e408..895428037ed 100644
--- a/security-utils/src/test/java/com/yahoo/security/tls/TransportSecurityOptionsJsonSerializerTest.java
+++ b/security-utils/src/test/java/com/yahoo/security/tls/TransportSecurityOptionsJsonSerializerTest.java
@@ -49,7 +49,7 @@ public class TransportSecurityOptionsJsonSerializerTest {
 RequiredPeerCredential.of(SAN_DNS, "*.suffix.com"),
 RequiredPeerCredential.of(SAN_URI, "myscheme://resource/path/"))),
 new PeerPolicy("node", Optional.empty(),
- CapabilitySet.of(Capability.SLOBROK__API),
+ CapabilitySet.from(Capability.SLOBROK__API),
 Collections.singletonList(RequiredPeerCredential.of(CN, "hostname")))))))
 .build(); |