authorBjørn Christian Seime <bjorncs@yahooinc.com>2023-05-15 16:58:33 +0200
committerBjørn Christian Seime <bjorncs@yahooinc.com>2023-05-15 16:58:33 +0200
commit1047edca4cae1bc6280c399a9bce28c6e52bc319 (patch)
treef1136413eae743bd5e215257569149506561f637
parent59cefad3cd70b6ece6a6e152176019df040a3e5f (diff)
Ensure all default cloud connectors are allowed
-rw-r--r--config-model/src/main/java/com/yahoo/vespa/model/application/validation/CloudHttpConnectorValidator.java38
-rw-r--r--config-model/src/test/java/com/yahoo/vespa/model/application/validation/CloudHttpConnectorValidatorTest.java5
2 files changed, 21 insertions, 22 deletions
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/application/validation/CloudHttpConnectorValidator.java b/config-model/src/main/java/com/yahoo/vespa/model/application/validation/CloudHttpConnectorValidator.java
index 737042a3695..acfbaa0f485 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/application/validation/CloudHttpConnectorValidator.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/application/validation/CloudHttpConnectorValidator.java
@@ -5,12 +5,9 @@ package com.yahoo.vespa.model.application.validation;
import com.yahoo.config.model.deploy.DeployState;
import com.yahoo.vespa.model.VespaModel;
import com.yahoo.vespa.model.container.Container;
-import com.yahoo.vespa.model.container.http.JettyHttpServer;
-import com.yahoo.vespa.model.container.http.ssl.ConfiguredDirectSslProvider;
+import com.yahoo.vespa.model.container.http.ConnectorFactory;
import com.yahoo.vespa.model.container.http.ssl.DefaultSslProvider;
-import com.yahoo.vespa.model.container.xml.ContainerModelBuilder;
-
-import java.util.List;
+import com.yahoo.vespa.model.container.http.ssl.HostedSslConnectorFactory;
/**
* Enforces that Cloud applications cannot
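Review bot: The class Javadoc that begins at the end of this hunk ("Enforces that Cloud applications cannot …") is left untouched although the rule it describes is replaced in the next hunk by an allow-list (hosted SSL connectors, the health-check proxy connector, and the default-TLS connector on the base port). The rest of that comment is outside the hunk, so it may still be accurate, but it is worth re-reading it against the new isAllowedConnector and stating the allowed set there, e.g. `* Only the connectors created by the platform itself (and the default-TLS connector on the base port) are permitted.`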
@@ -27,21 +24,22 @@ public class CloudHttpConnectorValidator extends Validator {
model.getContainerClusters().forEach((__, cluster) -> {
var http = cluster.getHttp();
if (http == null) return;
- var connectors = http.getHttpServer().map(JettyHttpServer::getConnectorFactories).orElse(List.of());
- for (var connector : connectors) {
- int port = connector.getListenPort();
- if (!List.of(ContainerModelBuilder.HOSTED_VESPA_DATAPLANE_PORT, Container.BASEPORT).contains(port)) {
- throw new IllegalArgumentException(
- "Adding additional HTTP connectors is not allowed for Vespa Cloud applications. " +
- "See https://cloud.vespa.ai/en/security/whitepaper.");
- }
- var sslProvider = connector.sslProvider();
- if (!(sslProvider instanceof ConfiguredDirectSslProvider || sslProvider instanceof DefaultSslProvider)) {
- throw new IllegalArgumentException(
- "Overriding connector specific TLS configuration is not allowed in Vespa Cloud. " +
- "See https://cloud.vespa.ai/en/security/guide#data-plane.");
- }
- }
+ var illegalConnectors = http.getHttpServer().stream().flatMap(s -> s.getConnectorFactories().stream()
+ .filter(c -> !isAllowedConnector(c)))
+ .map(cf -> "%s@%d".formatted(cf.getName(), cf.getListenPort()))
+ .toList();
+ if (illegalConnectors.isEmpty()) return;
+ throw new IllegalArgumentException(
+ ("Adding additional or modifying existing HTTPS connectors is not allowed for Vespa Cloud applications." +
+ " Violating connectors: %s. See https://cloud.vespa.ai/en/security/whitepaper, " +
+ "https://cloud.vespa.ai/en/security/guide#data-plane.")
+ .formatted(illegalConnectors));
});
}
+
+ private static boolean isAllowedConnector(ConnectorFactory cf) {
+ return cf instanceof HostedSslConnectorFactory
+ || cf.getClass().getSimpleName().endsWith("HealthCheckProxyConnector")
+ || (cf.getListenPort() == Container.BASEPORT && cf.sslProvider() instanceof DefaultSslProvider);
+ }
}
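Review bot: The health-check exemption in isAllowedConnector is decided by a class-name suffix, `cf.getClass().getSimpleName().endsWith("HealthCheckProxyConnector")`, so any ConnectorFactory subclass whose simple name happens to end with that string skips both the port check and the TLS-provider check, and a rename of the real class silently turns it into a violation. If the class is reachable from this module, `cf instanceof HealthCheckProxyConnector` ties the exemption to the type; if the suffix match is deliberate (presumably because the class lives where config-model cannot depend on it — verify), a comment on that line should say so, e.g. `// matched by name: HealthCheckProxyConnector is not visible from config-model`. The private helper also deserves a short Javadoc listing the three accepted cases, since the rejection message now points users at "additional or modifying existing HTTPS connectors" without saying which configurations are accepted.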
diff --git a/config-model/src/test/java/com/yahoo/vespa/model/application/validation/CloudHttpConnectorValidatorTest.java b/config-model/src/test/java/com/yahoo/vespa/model/application/validation/CloudHttpConnectorValidatorTest.java
index 6a2eed1d21b..2b47bd7910f 100644
--- a/config-model/src/test/java/com/yahoo/vespa/model/application/validation/CloudHttpConnectorValidatorTest.java
+++ b/config-model/src/test/java/com/yahoo/vespa/model/application/validation/CloudHttpConnectorValidatorTest.java
@@ -42,8 +42,9 @@ class CloudHttpConnectorValidatorTest {
@Test
void fails_on_custom_ssl_for_cloud_application() {
var exception = assertThrows(IllegalArgumentException.class, () -> runValidatorOnApp(true, "", CUSTOM_SSL_ON_8080));
- var expected = "Overriding connector specific TLS configuration is not allowed in Vespa Cloud. " +
- "See https://cloud.vespa.ai/en/security/guide#data-plane.";
+ var expected = "Adding additional or modifying existing HTTPS connectors is not allowed for Vespa Cloud applications. " +
+ "Violating connectors: [default@8080]. See https://cloud.vespa.ai/en/security/whitepaper, " +
+ "https://cloud.vespa.ai/en/security/guide#data-plane.";
assertEquals(expected, exception.getMessage());
}