diff options
author | Bjørn Christian Seime <bjorn.christian@seime.no> | 2019-04-08 15:32:57 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-04-08 15:32:57 +0200 |
commit | b0572a758ff5186861b2bf711c447505fc8d98ce (patch) | |
tree | 5cf9ab9843147b3dea8c3059a3feeb47c434225e | |
parent | 6935cdc74fe60a94b26091413f46218c9833f0be (diff) | |
parent | 65ead0b39afcbbb00f21a6b0c89a879889ec1a5f (diff) |
Merge pull request #9052 from vespa-engine/bjorncs/binding-warning
Warn on 'https' bindings during deploy
6 files changed, 70 insertions, 38 deletions
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/http/AccessControl.java b/config-model/src/main/java/com/yahoo/vespa/model/container/http/AccessControl.java index 071411845ad..4de50fc2dde 100644 --- a/config-model/src/main/java/com/yahoo/vespa/model/container/http/AccessControl.java +++ b/config-model/src/main/java/com/yahoo/vespa/model/container/http/AccessControl.java @@ -4,11 +4,11 @@ package com.yahoo.vespa.model.container.http; import com.google.common.collect.ImmutableList; import com.yahoo.component.ComponentId; import com.yahoo.component.ComponentSpecification; +import com.yahoo.config.application.api.DeployLogger; import com.yahoo.vespa.model.container.ContainerCluster; import com.yahoo.vespa.model.container.component.FileStatusHandlerComponent; import com.yahoo.vespa.model.container.component.Handler; import com.yahoo.vespa.model.container.component.Servlet; -import com.yahoo.vespa.model.container.http.Http.Binding; import java.util.ArrayList; import java.util.Collection; @@ -47,10 +47,12 @@ public final class AccessControl { private final Set<String> excludeBindings = new LinkedHashSet<>(); private Collection<Handler<?>> handlers = Collections.emptyList(); private Collection<Servlet> servlets = Collections.emptyList(); + private final DeployLogger logger; - public Builder(String domain, String applicationId) { + public Builder(String domain, String applicationId, DeployLogger logger) { this.domain = domain; this.applicationId = applicationId; + this.logger = logger; } public Builder readEnabled(boolean readEnabled) { @@ -85,7 +87,7 @@ public final class AccessControl { public AccessControl build() { return new AccessControl(domain, applicationId, writeEnabled, readEnabled, - excludeBindings, vespaDomain, servlets, handlers); + excludeBindings, vespaDomain, servlets, handlers, logger); } } @@ -97,6 +99,7 @@ public final class AccessControl { private final Set<String> excludedBindings; private final Collection<Handler<?>> handlers; private final Collection<Servlet> servlets; + private final DeployLogger logger; private AccessControl(String domain, String applicationId, @@ -105,7 +108,8 @@ public final class AccessControl { Set<String> excludedBindings, Optional<String> vespaDomain, Collection<Servlet> servlets, - Collection<Handler<?>> handlers) { + Collection<Handler<?>> handlers, + DeployLogger logger) { this.domain = domain; this.applicationId = applicationId; this.readEnabled = readEnabled; @@ -114,6 +118,7 @@ public final class AccessControl { this.vespaDomain = vespaDomain; this.handlers = handlers; this.servlets = servlets; + this.logger = logger; } public List<Binding> getBindings() { @@ -125,14 +130,14 @@ public final class AccessControl { return handlers.stream() .filter(this::shouldHandlerBeProtected) .flatMap(handler -> handler.getServerBindings().stream()) - .map(AccessControl::accessControlBinding); + .map(binding -> accessControlBinding(binding, logger)); } private Stream<Binding> getServletBindings() { return servlets.stream() .filter(this::shouldServletBeProtected) .flatMap(AccessControl::servletBindings) - .map(AccessControl::accessControlBinding); + .map(binding -> accessControlBinding(binding, logger)); } private boolean shouldHandlerBeProtected(Handler<?> handler) { @@ -148,8 +153,8 @@ public final class AccessControl { return servletBindings(servlet).noneMatch(excludedBindings::contains); } - private static Binding accessControlBinding(String binding) { - return new Binding(new ComponentSpecification(ACCESS_CONTROL_CHAIN_ID.stringValue()), binding); + private static Binding accessControlBinding(String binding, DeployLogger logger) { + return Binding.create(new ComponentSpecification(ACCESS_CONTROL_CHAIN_ID.stringValue()), binding, logger); } private static Stream<String> servletBindings(Servlet servlet) { diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/http/Binding.java b/config-model/src/main/java/com/yahoo/vespa/model/container/http/Binding.java new file mode 100644 index 00000000000..09ac5f580ed --- /dev/null +++ b/config-model/src/main/java/com/yahoo/vespa/model/container/http/Binding.java @@ -0,0 +1,38 @@ +// Copyright 2019 Oath Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. +package com.yahoo.vespa.model.container.http; + +import com.yahoo.component.ComponentSpecification; +import com.yahoo.config.application.api.DeployLogger; + +import java.util.logging.Level; + +/** + * @author bjorncs + */ +public class Binding { + private final ComponentSpecification filterId; + private final String binding; + + private Binding(ComponentSpecification filterId, String binding) { + this.filterId = filterId; + this.binding = binding; + } + + public static Binding create(ComponentSpecification filterId, String binding, DeployLogger logger) { + if (binding.startsWith("https://")) { + logger.log(Level.WARNING, String.format( + "For binding '%s' on '%s': 'https' bindings are deprecated, " + + "use 'http' instead to bind to both http and https traffic.", + binding, filterId)); + } + return new Binding(filterId, binding); + } + + public ComponentSpecification filterId() { + return filterId; + } + + public String binding() { + return binding; + } +} diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/http/Http.java b/config-model/src/main/java/com/yahoo/vespa/model/container/http/Http.java index 9e85a889075..9a67871e683 100644 --- a/config-model/src/main/java/com/yahoo/vespa/model/container/http/Http.java +++ b/config-model/src/main/java/com/yahoo/vespa/model/container/http/Http.java @@ -1,7 +1,6 @@ // Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. package com.yahoo.vespa.model.container.http; -import com.yahoo.component.ComponentSpecification; import com.yahoo.component.provider.ComponentRegistry; import com.yahoo.config.model.producer.AbstractConfigProducer; import com.yahoo.jdisc.http.ServerConfig; @@ -20,16 +19,6 @@ import java.util.Optional; */ public class Http extends AbstractConfigProducer<AbstractConfigProducer<?>> implements ServerConfig.Producer { - public static class Binding { - public final ComponentSpecification filterId; - public final String binding; - - public Binding(ComponentSpecification filterId, String binding) { - this.filterId = filterId; - this.binding = binding; - } - } - private FilterChains filterChains; private JettyHttpServer httpServer; public final List<Binding> bindings; @@ -91,8 +80,8 @@ public class Http extends AbstractConfigProducer<AbstractConfigProducer<?>> impl for (final Binding binding : bindings) { builder.filter( new ServerConfig.Filter.Builder() - .id(binding.filterId.stringValue()) - .binding(binding.binding)); + .id(binding.filterId().stringValue()) + .binding(binding.binding())); } } @@ -110,8 +99,8 @@ public class Http extends AbstractConfigProducer<AbstractConfigProducer<?>> impl ComponentRegistry<Chain<Filter>> chains = filterChains.allChains(); for (Binding binding: bindings) { - if (filters.getComponent(binding.filterId) == null && chains.getComponent(binding.filterId) == null) - throw new RuntimeException("Can't find filter " + binding.filterId + " for binding " + binding.binding); + if (filters.getComponent(binding.filterId()) == null && chains.getComponent(binding.filterId()) == null) + throw new RuntimeException("Can't find filter " + binding.filterId() + " for binding " + binding.binding()); } } } diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/http/xml/HttpBuilder.java b/config-model/src/main/java/com/yahoo/vespa/model/container/http/xml/HttpBuilder.java index 08268f5085d..8cf430741f0 100644 --- a/config-model/src/main/java/com/yahoo/vespa/model/container/http/xml/HttpBuilder.java +++ b/config-model/src/main/java/com/yahoo/vespa/model/container/http/xml/HttpBuilder.java @@ -17,7 +17,7 @@ import com.yahoo.vespa.model.container.component.chain.Chain; import com.yahoo.vespa.model.container.http.AccessControl; import com.yahoo.vespa.model.container.http.FilterChains; import com.yahoo.vespa.model.container.http.Http; -import com.yahoo.vespa.model.container.http.Http.Binding; +import com.yahoo.vespa.model.container.http.Binding; import org.w3c.dom.Element; import java.util.ArrayList; @@ -41,7 +41,7 @@ public class HttpBuilder extends VespaDomBuilder.DomConfigProducerBuilder<Http> Element filteringElem = XML.getChild(spec, "filtering"); if (filteringElem != null) { filterChains = new FilterChainsBuilder().build(deployState, ancestor, filteringElem); - bindings = readFilterBindings(filteringElem); + bindings = readFilterBindings(filteringElem, deployState.getDeployLogger()); Element accessControlElem = XML.getChild(filteringElem, "access-control"); if (accessControlElem != null) { @@ -65,7 +65,7 @@ public class HttpBuilder extends VespaDomBuilder.DomConfigProducerBuilder<Http> String application = XmlHelper.getOptionalChildValue(accessControlElem, "application") .orElse(getDeployedApplicationId(deployState, ancestor).value()); - AccessControl.Builder builder = new AccessControl.Builder(accessControlElem.getAttribute("domain"), application); + AccessControl.Builder builder = new AccessControl.Builder(accessControlElem.getAttribute("domain"), application, deployState.getDeployLogger()); getContainerCluster(ancestor).ifPresent(cluster -> { builder.setHandlers(cluster.getHandlers()); @@ -106,7 +106,7 @@ public class HttpBuilder extends VespaDomBuilder.DomConfigProducerBuilder<Http> return Optional.of((ApplicationContainerCluster) currentProducer); } - private List<Binding> readFilterBindings(Element filteringSpec) { + private List<Binding> readFilterBindings(Element filteringSpec, DeployLogger logger) { List<Binding> result = new ArrayList<>(); for (Element child: XML.getChildren(filteringSpec)) { @@ -116,7 +116,7 @@ public class HttpBuilder extends VespaDomBuilder.DomConfigProducerBuilder<Http> for (Element bindingSpec: XML.getChildren(child, "binding")) { String binding = XML.getValue(bindingSpec); - result.add(new Binding(chainId, binding)); + result.add(Binding.create(chainId, binding, logger)); } } } diff --git a/config-model/src/test/java/com/yahoo/vespa/model/container/http/FilterBindingsTest.java b/config-model/src/test/java/com/yahoo/vespa/model/container/http/FilterBindingsTest.java index 4d04a1be614..b6d63af180d 100644 --- a/config-model/src/test/java/com/yahoo/vespa/model/container/http/FilterBindingsTest.java +++ b/config-model/src/test/java/com/yahoo/vespa/model/container/http/FilterBindingsTest.java @@ -52,9 +52,9 @@ public class FilterBindingsTest extends DomBuilderTest { "</http>"); Http http = buildHttp(xml); - Http.Binding binding = first(http.bindings); - assertThat(binding.filterId.getName(), is("my-request-chain")); - assertThat(binding.binding, is(MY_CHAIN_BINDING)); + Binding binding = first(http.bindings); + assertThat(binding.filterId().getName(), is("my-request-chain")); + assertThat(binding.binding(), is(MY_CHAIN_BINDING)); Chain<Filter> myChain = http.getFilterChains().allChains().getComponent("my-request-chain"); assertNotNull("Missing chain", myChain); @@ -72,9 +72,9 @@ public class FilterBindingsTest extends DomBuilderTest { "</http>"); Http http = buildHttp(xml); - Http.Binding binding = first(http.bindings); - assertThat(binding.filterId.getName(), is("my-response-chain")); - assertThat(binding.binding, is(MY_CHAIN_BINDING)); + Binding binding = first(http.bindings); + assertThat(binding.filterId().getName(), is("my-response-chain")); + assertThat(binding.binding(), is(MY_CHAIN_BINDING)); Chain<Filter> myChain = http.getFilterChains().allChains().getComponent("my-response-chain"); assertNotNull("Missing chain", myChain); diff --git a/config-model/src/test/java/com/yahoo/vespa/model/container/xml/AccessControlTest.java b/config-model/src/test/java/com/yahoo/vespa/model/container/xml/AccessControlTest.java index f5df3df0070..5433c7659cc 100644 --- a/config-model/src/test/java/com/yahoo/vespa/model/container/xml/AccessControlTest.java +++ b/config-model/src/test/java/com/yahoo/vespa/model/container/xml/AccessControlTest.java @@ -8,7 +8,7 @@ import com.yahoo.container.jdisc.state.StateHandler; import com.yahoo.vespa.model.container.ContainerCluster; import com.yahoo.vespa.model.container.http.AccessControl; import com.yahoo.vespa.model.container.http.Http; -import com.yahoo.vespa.model.container.http.Http.Binding; +import com.yahoo.vespa.model.container.http.Binding; import com.yahoo.vespa.model.container.http.xml.HttpBuilder; import com.yahoo.vespa.model.container.jersey.Jersey2Servlet; import org.junit.Test; @@ -140,8 +140,8 @@ public class AccessControlTest extends ContainerModelBuilderTestBase { missingRequiredBindings.isEmpty()); FORBIDDEN_HANDLER_BINDINGS.forEach(forbiddenBinding -> http.getBindings().forEach( - binding -> assertFalse("Access control chain was bound to: " + binding.binding, - binding.binding.contains(forbiddenBinding)))); + binding -> assertFalse("Access control chain was bound to: " + binding.binding(), + binding.binding().contains(forbiddenBinding)))); } @Test @@ -256,7 +256,7 @@ public class AccessControlTest extends ContainerModelBuilderTestBase { private boolean containsBinding(Collection<Binding> bindings, String binding) { for (Binding b : bindings) { - if (b.binding.contains(binding)) + if (b.binding().contains(binding)) return true; } return false; |