authorHenning Baldersheim <balder@yahoo-inc.com>2023-02-14 07:34:24 +0100
committerGitHub <noreply@github.com>2023-02-14 07:34:24 +0100
commit091367f1ecf37c23278bbde772128c60f8e08749 (patch)
tree8bf1f68cb4d654914a2092147f60e3d4d622f62b
parent98869035893b99654614d6ff76189e3dbbb52482 (diff)
Revert "Bjorncs/capabilities"
-rw-r--r--container-core/src/main/java/com/yahoo/container/jdisc/utils/CapabilityRequiringRequestHandler.java2
-rw-r--r--container-core/src/main/java/com/yahoo/restapi/RestApiImpl.java6
-rw-r--r--jrt/src/com/yahoo/jrt/Method.java2
-rw-r--r--jrt/src/com/yahoo/jrt/RequireCapabilitiesFilter.java2
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/Capability.java4
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/CapabilitySet.java38
-rw-r--r--security-utils/src/test/java/com/yahoo/security/tls/ConnectionAuthContextTest.java9
-rw-r--r--security-utils/src/test/java/com/yahoo/security/tls/PeerAuthorizerTest.java2
-rw-r--r--security-utils/src/test/java/com/yahoo/security/tls/TransportSecurityOptionsJsonSerializerTest.java2
9 files changed, 27 insertions, 40 deletions
diff --git a/container-core/src/main/java/com/yahoo/container/jdisc/utils/CapabilityRequiringRequestHandler.java b/container-core/src/main/java/com/yahoo/container/jdisc/utils/CapabilityRequiringRequestHandler.java
index abb30ba2544..1dd866ae571 100644
--- a/container-core/src/main/java/com/yahoo/container/jdisc/utils/CapabilityRequiringRequestHandler.java
+++ b/container-core/src/main/java/com/yahoo/container/jdisc/utils/CapabilityRequiringRequestHandler.java
@@ -12,7 +12,7 @@ import com.yahoo.security.tls.CapabilitySet;
*/
public interface CapabilityRequiringRequestHandler extends RequestHandler {
- CapabilitySet DEFAULT_REQUIRED_CAPABILITIES = CapabilitySet.of(Capability.HTTP_UNCLASSIFIED);
+ CapabilitySet DEFAULT_REQUIRED_CAPABILITIES = CapabilitySet.from(Capability.HTTP_UNCLASSIFIED);
default CapabilitySet requiredCapabilities(RequestView req) { return DEFAULT_REQUIRED_CAPABILITIES; }
diff --git a/container-core/src/main/java/com/yahoo/restapi/RestApiImpl.java b/container-core/src/main/java/com/yahoo/restapi/RestApiImpl.java
index 1fd30edb252..59b78a1423d 100644
--- a/container-core/src/main/java/com/yahoo/restapi/RestApiImpl.java
+++ b/container-core/src/main/java/com/yahoo/restapi/RestApiImpl.java
@@ -269,7 +269,7 @@ class RestApiImpl implements RestApi {
@Override public Builder disableDefaultAclMapping() { this.disableDefaultAclMapping = true; return this; }
@Override public Builder requiredCapabilities(Capability... capabilities) {
- return requiredCapabilities(CapabilitySet.of(capabilities));
+ return requiredCapabilities(CapabilitySet.from(capabilities));
}
@Override public Builder requiredCapabilities(CapabilitySet capabilities) {
if (requiredCapabilities != null) throw new IllegalStateException("Capabilities already set");
@@ -293,7 +293,7 @@ class RestApiImpl implements RestApi {
@Override public RestApi.RouteBuilder name(String name) { this.name = name; return this; }
@Override public RestApi.RouteBuilder requiredCapabilities(Capability... capabilities) {
- return requiredCapabilities(CapabilitySet.of(capabilities));
+ return requiredCapabilities(CapabilitySet.from(capabilities));
}
@Override public RestApi.RouteBuilder requiredCapabilities(CapabilitySet capabilities) {
if (requiredCapabilities != null) throw new IllegalStateException("Capabilities already set");
@@ -396,7 +396,7 @@ class RestApiImpl implements RestApi {
private CapabilitySet requiredCapabilities;
@Override public HandlerConfigBuilder withRequiredCapabilities(Capability... capabilities) {
- return withRequiredCapabilities(CapabilitySet.of(capabilities));
+ return withRequiredCapabilities(CapabilitySet.from(capabilities));
}
@Override public HandlerConfigBuilder withRequiredCapabilities(CapabilitySet capabilities) {
if (requiredCapabilities != null) throw new IllegalStateException("Capabilities already set");
diff --git a/jrt/src/com/yahoo/jrt/Method.java b/jrt/src/com/yahoo/jrt/Method.java
index 18affe35b6a..790aafd2743 100644
--- a/jrt/src/com/yahoo/jrt/Method.java
+++ b/jrt/src/com/yahoo/jrt/Method.java
@@ -154,7 +154,7 @@ public class Method {
}
public Method requestAccessFilter(RequestAccessFilter filter) { verifyNoFilterAssigned(); this.filter = filter; return this; }
- public Method requireCapabilities(Capability... capabilities) { return requireCapabilities(CapabilitySet.of(capabilities)); }
+ public Method requireCapabilities(Capability... capabilities) { return requireCapabilities(CapabilitySet.from(capabilities)); }
public Method requireCapabilities(CapabilitySet capabilities) {
verifyNoFilterAssigned();
filter = new RequireCapabilitiesFilter(capabilities);
diff --git a/jrt/src/com/yahoo/jrt/RequireCapabilitiesFilter.java b/jrt/src/com/yahoo/jrt/RequireCapabilitiesFilter.java
index 3f5fabde973..90cc19880f0 100644
--- a/jrt/src/com/yahoo/jrt/RequireCapabilitiesFilter.java
+++ b/jrt/src/com/yahoo/jrt/RequireCapabilitiesFilter.java
@@ -20,7 +20,7 @@ public class RequireCapabilitiesFilter implements RequestAccessFilter {
}
public RequireCapabilitiesFilter(Capability... requiredCapabilities) {
- this(CapabilitySet.of(requiredCapabilities));
+ this(CapabilitySet.from(requiredCapabilities));
}
public static RequireCapabilitiesFilter unclassified() { return UNCLASSIFIED; }
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/Capability.java b/security-utils/src/main/java/com/yahoo/security/tls/Capability.java
index 8cb98a0dd59..a11b6d5f96a 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/Capability.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/Capability.java
@@ -29,8 +29,6 @@ public enum Capability implements ToCapabilitySet {
LOGSERVER_API("vespa.logserver.api"),
METRICSPROXY__MANAGEMENT_API("vespa.metricsproxy.management_api"),
METRICSPROXY__METRICS_API("vespa.metricsproxy.metrics_api"),
- SENTINEL__CONNECTIVITY_CHECK("vespa.sentinel.connectivity_check"),
- SENTINEL__MANAGEMENT_API("vespa.sentinel.management_api"),
SLOBROK__API("vespa.slobrok.api"),
;
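Review bot: Deleting SENTINEL__CONNECTIVITY_CHECK and SENTINEL__MANAGEMENT_API also removes the names `vespa.sentinel.connectivity_check` and `vespa.sentinel.management_api` from what `fromName` (its signature opens the next hunk, body outside the diff) can resolve, so any TLS policy or serialized options already written with those names would presumably fail to load rather than be ignored. Since this is a revert, it is worth confirming that no such configuration was produced while the forward change was live, or that the loader tolerates unknown capability names. The string values appear to be an external identifier rather than a purely internal label, so a short comment at the end of the constant list, `// The string names are referenced by policy files; removing a constant breaks loading of policies that use it`, would make that constraint visible to the next edit.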
@@ -40,7 +38,7 @@ public enum Capability implements ToCapabilitySet {
public String asString() { return name; }
- @Override public CapabilitySet toCapabilitySet() { return CapabilitySet.of(this); }
+ @Override public CapabilitySet toCapabilitySet() { return CapabilitySet.from(this); }
public static Capability fromName(String name) {
return Arrays.stream(values())
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/CapabilitySet.java b/security-utils/src/main/java/com/yahoo/security/tls/CapabilitySet.java
index cc5bdbeafd3..70217665241 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/CapabilitySet.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/CapabilitySet.java
@@ -21,36 +21,24 @@ public class CapabilitySet implements ToCapabilitySet {
private static final Map<String, CapabilitySet> PREDEFINED = new HashMap<>();
- private static final CapabilitySet SHARED_CAPABILITIES_APP_NODE = CapabilitySet.of(
- Capability.LOGSERVER_API, Capability.CONFIGSERVER__CONFIG_API,
- Capability.CONFIGSERVER__FILEDISTRIBUTION_API, Capability.CONFIGPROXY__CONFIG_API,
- Capability.CONFIGPROXY__FILEDISTRIBUTION_API, Capability.SENTINEL__CONNECTIVITY_CHECK);
-
/* Predefined capability sets */
- public static final CapabilitySet ALL = predefined(
- "vespa.all", Capability.values());
- public static final CapabilitySet TELEMETRY = predefined(
- "vespa.telemetry",
- Capability.CONTENT__STATUS_PAGES, Capability.CONTENT__METRICS_API);
public static final CapabilitySet CONTENT_NODE = predefined(
"vespa.content_node",
- Capability.CONTENT__STORAGE_API, Capability.CONTENT__DOCUMENT_API, Capability.CONTAINER__DOCUMENT_API,
- SHARED_CAPABILITIES_APP_NODE);
+ Capability.CONTENT__STORAGE_API, Capability.CONTENT__DOCUMENT_API, Capability.SLOBROK__API);
public static final CapabilitySet CONTAINER_NODE = predefined(
"vespa.container_node",
- Capability.CONTENT__DOCUMENT_API, Capability.CONTENT__SEARCH_API, SHARED_CAPABILITIES_APP_NODE);
+ Capability.CONTENT__DOCUMENT_API, Capability.CONTENT__SEARCH_API, Capability.SLOBROK__API);
+ public static final CapabilitySet TELEMETRY = predefined(
+ "vespa.telemetry",
+ Capability.CONTENT__STATUS_PAGES, Capability.CONTENT__METRICS_API);
public static final CapabilitySet CLUSTER_CONTROLLER_NODE = predefined(
"vespa.cluster_controller_node",
- Capability.CONTENT__CLUSTER_CONTROLLER__INTERNAL_STATE_API, Capability.SLOBROK__API,
- Capability.CLIENT__SLOBROK_API, Capability.CONTAINER__DOCUMENT_API, SHARED_CAPABILITIES_APP_NODE);
- public static final CapabilitySet LOGSERVER_NODE = predefined(
- "vespa.logserver_node", SHARED_CAPABILITIES_APP_NODE);
- public static final CapabilitySet CONFIGSERVER_NODE = predefined(
- "vespa.config_server_node",
- Capability.CLIENT__FILERECEIVER_API, Capability.CONTAINER__MANAGEMENT_API, TELEMETRY);
+ Capability.CONTENT__CLUSTER_CONTROLLER__INTERNAL_STATE_API, Capability.SLOBROK__API);
+ public static final CapabilitySet CONFIG_SERVER = predefined(
+ "vespa.config_server");
private static CapabilitySet predefined(String name, ToCapabilitySet... capabilities) {
- var instance = CapabilitySet.of(capabilities);
+ var instance = CapabilitySet.from(capabilities);
PREDEFINED.put(name, instance);
return instance;
}
@@ -80,13 +68,13 @@ public class CapabilitySet implements ToCapabilitySet {
return new CapabilitySet(union);
}
- public static CapabilitySet of(ToCapabilitySet... capabilities) {
+ public static CapabilitySet from(ToCapabilitySet... capabilities) {
return CapabilitySet.unionOf(Arrays.stream(capabilities).map(ToCapabilitySet::toCapabilitySet).toList());
}
- public static CapabilitySet of(EnumSet<Capability> caps) { return new CapabilitySet(EnumSet.copyOf(caps)); }
- public static CapabilitySet of(Collection<Capability> caps) { return new CapabilitySet(EnumSet.copyOf(caps)); }
- public static CapabilitySet of(Capability... caps) { return new CapabilitySet(EnumSet.copyOf(List.of(caps))); }
+ public static CapabilitySet from(EnumSet<Capability> caps) { return new CapabilitySet(EnumSet.copyOf(caps)); }
+ public static CapabilitySet from(Collection<Capability> caps) { return new CapabilitySet(EnumSet.copyOf(caps)); }
+ public static CapabilitySet from(Capability... caps) { return new CapabilitySet(EnumSet.copyOf(List.of(caps))); }
public static CapabilitySet all() { return ALL_CAPABILITIES; }
public static CapabilitySet none() { return NO_CAPABILITIES; }
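Review bot: `from(Capability... caps)` and `from(Collection<Capability> caps)` throw IllegalArgumentException on empty input, because `EnumSet.copyOf(Collection)` rejects an empty collection that is not itself an EnumSet, so `from()` with no arguments and `from(List.of())` fail while `none()` returns an empty set. Building the set with `EnumSet.noneOf` removes that edge case: `public static CapabilitySet from(Collection<Capability> caps) { var set = EnumSet.noneOf(Capability.class); set.addAll(caps); return new CapabilitySet(set); }` and `public static CapabilitySet from(Capability... caps) { return from(Arrays.asList(caps)); }`. The empty `predefined("vespa.config_server")` in the previous hunk goes through the `ToCapabilitySet...` overload instead, so whether it yields the same empty set as `none()` or throws during class initialization depends on how `unionOf` handles an empty list, whose body is outside this diff; confirm it and record the intent on that constant with a comment such as `// Grants no capabilities by itself — TODO confirm this is intended`.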
diff --git a/security-utils/src/test/java/com/yahoo/security/tls/ConnectionAuthContextTest.java b/security-utils/src/test/java/com/yahoo/security/tls/ConnectionAuthContextTest.java
index 7092486e521..ae36cc2f774 100644
--- a/security-utils/src/test/java/com/yahoo/security/tls/ConnectionAuthContextTest.java
+++ b/security-utils/src/test/java/com/yahoo/security/tls/ConnectionAuthContextTest.java
@@ -28,16 +28,17 @@ class ConnectionAuthContextTest {
void fails_on_missing_capabilities() {
ConnectionAuthContext ctx = createConnectionAuthContext();
assertThrows(MissingCapabilitiesException.class,
- () -> ctx.verifyCapabilities(CapabilitySet.of(Capability.CONTENT__STATUS_PAGES)));
+ () -> ctx.verifyCapabilities(CapabilitySet.from(Capability.CONTENT__STATUS_PAGES)));
}
@Test
void creates_correct_error_message() {
ConnectionAuthContext ctx = createConnectionAuthContext();
- CapabilitySet requiredCaps = CapabilitySet.of(Capability.CONTENT__STATUS_PAGES);
+ CapabilitySet requiredCaps = CapabilitySet.from(Capability.CONTENT__STATUS_PAGES);
String expectedMessage = """
Permission denied for 'myaction' on 'myresource'. Peer 'mypeer' with [CN='myidentity'].
- Requires capabilities [vespa.content.status_pages] but peer has [vespa.logserver.api].
+ Requires capabilities [vespa.content.status_pages] but peer has
+ [vespa.content.document_api, vespa.content.search_api, vespa.slobrok.api].
""";
String actualMessage = ctx.createPermissionDeniedErrorMessage(requiredCaps, "myaction", "myresource", "mypeer");
assertThat(actualMessage).isEqualToIgnoringWhitespace(expectedMessage);
@@ -45,7 +46,7 @@ class ConnectionAuthContextTest {
private static ConnectionAuthContext createConnectionAuthContext() {
return new ConnectionAuthContext(
- List.of(createCertificate()), CapabilitySet.of(Capability.LOGSERVER_API), Set.of(),
+ List.of(createCertificate()), CapabilitySet.CONTAINER_NODE, Set.of(),
CapabilityMode.ENFORCE);
}
diff --git a/security-utils/src/test/java/com/yahoo/security/tls/PeerAuthorizerTest.java b/security-utils/src/test/java/com/yahoo/security/tls/PeerAuthorizerTest.java
index 55fa8424ae3..bea5c6108f2 100644
--- a/security-utils/src/test/java/com/yahoo/security/tls/PeerAuthorizerTest.java
+++ b/security-utils/src/test/java/com/yahoo/security/tls/PeerAuthorizerTest.java
@@ -149,7 +149,7 @@ public class PeerAuthorizerTest {
}
private static PeerPolicy createPolicy(String name, List<Capability> caps, List<RequiredPeerCredential> creds) {
- return new PeerPolicy(name, Optional.empty(), CapabilitySet.of(caps), creds);
+ return new PeerPolicy(name, Optional.empty(), CapabilitySet.from(caps), creds);
}
private static void assertAuthorized(ConnectionAuthContext result) {
diff --git a/security-utils/src/test/java/com/yahoo/security/tls/TransportSecurityOptionsJsonSerializerTest.java b/security-utils/src/test/java/com/yahoo/security/tls/TransportSecurityOptionsJsonSerializerTest.java
index 9ba5886e408..895428037ed 100644
--- a/security-utils/src/test/java/com/yahoo/security/tls/TransportSecurityOptionsJsonSerializerTest.java
+++ b/security-utils/src/test/java/com/yahoo/security/tls/TransportSecurityOptionsJsonSerializerTest.java
@@ -49,7 +49,7 @@ public class TransportSecurityOptionsJsonSerializerTest {
RequiredPeerCredential.of(SAN_DNS, "*.suffix.com"),
RequiredPeerCredential.of(SAN_URI, "myscheme://resource/path/"))),
new PeerPolicy("node", Optional.empty(),
- CapabilitySet.of(Capability.SLOBROK__API),
+ CapabilitySet.from(Capability.SLOBROK__API),
Collections.singletonList(RequiredPeerCredential.of(CN, "hostname")))))))
.build();