author | Bjørn Christian Seime <bjorncs@yahooinc.com> | 2023-05-15 16:58:33 +0200 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@yahooinc.com> | 2023-05-15 16:58:33 +0200 |
commit | 1047edca4cae1bc6280c399a9bce28c6e52bc319 (patch) | |
tree | f1136413eae743bd5e215257569149506561f637 | |
parent | 59cefad3cd70b6ece6a6e152176019df040a3e5f (diff) |
Ensure all default cloud connectors are allowed
2 files changed, 21 insertions, 22 deletions
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/application/validation/CloudHttpConnectorValidator.java b/config-model/src/main/java/com/yahoo/vespa/model/application/validation/CloudHttpConnectorValidator.java
index 737042a3695..acfbaa0f485 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/application/validation/CloudHttpConnectorValidator.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/application/validation/CloudHttpConnectorValidator.java
@@ -5,12 +5,9 @@ package com.yahoo.vespa.model.application.validation;
 import com.yahoo.config.model.deploy.DeployState;
 import com.yahoo.vespa.model.VespaModel;
 import com.yahoo.vespa.model.container.Container;
-import com.yahoo.vespa.model.container.http.JettyHttpServer;
-import com.yahoo.vespa.model.container.http.ssl.ConfiguredDirectSslProvider;
+import com.yahoo.vespa.model.container.http.ConnectorFactory;
 import com.yahoo.vespa.model.container.http.ssl.DefaultSslProvider;
-import com.yahoo.vespa.model.container.xml.ContainerModelBuilder;
-
-import java.util.List;
+import com.yahoo.vespa.model.container.http.ssl.HostedSslConnectorFactory;
 
 /**
 * Enforces that Cloud applications cannot
@@ -27,21 +24,22 @@ public class CloudHttpConnectorValidator extends Validator {
 model.getContainerClusters().forEach((__, cluster) -> {
 var http = cluster.getHttp();
 if (http == null) return;
- var connectors = http.getHttpServer().map(JettyHttpServer::getConnectorFactories).orElse(List.of());
- for (var connector : connectors) {
- int port = connector.getListenPort();
- if (!List.of(ContainerModelBuilder.HOSTED_VESPA_DATAPLANE_PORT, Container.BASEPORT).contains(port)) {
- throw new IllegalArgumentException(
- "Adding additional HTTP connectors is not allowed for Vespa Cloud applications. " +
- "See https://cloud.vespa.ai/en/security/whitepaper.");
- }
- var sslProvider = connector.sslProvider();
- if (!(sslProvider instanceof ConfiguredDirectSslProvider || sslProvider instanceof DefaultSslProvider)) {
- throw new IllegalArgumentException(
- "Overriding connector specific TLS configuration is not allowed in Vespa Cloud. " +
- "See https://cloud.vespa.ai/en/security/guide#data-plane.");
- }
- }
+ var illegalConnectors = http.getHttpServer().stream().flatMap(s -> s.getConnectorFactories().stream()
+ .filter(c -> !isAllowedConnector(c)))
+ .map(cf -> "%s@%d".formatted(cf.getName(), cf.getListenPort()))
+ .toList();
+ if (illegalConnectors.isEmpty()) return;
+ throw new IllegalArgumentException(
+ ("Adding additional or modifying existing HTTPS connectors is not allowed for Vespa Cloud applications." +
+ " Violating connectors: %s. See https://cloud.vespa.ai/en/security/whitepaper, " +
+ "https://cloud.vespa.ai/en/security/guide#data-plane.")
+ .formatted(illegalConnectors));
 });
 }
+
+ private static boolean isAllowedConnector(ConnectorFactory cf) {
+ return cf instanceof HostedSslConnectorFactory
+ || cf.getClass().getSimpleName().endsWith("HealthCheckProxyConnector")
+ || (cf.getListenPort() == Container.BASEPORT && cf.sslProvider() instanceof DefaultSslProvider);
+ }
 }
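Review bot: The second branch of `isAllowedConnector` exempts any factory whose class simple name ends with `HealthCheckProxyConnector`, so this allowlist entry is keyed on a naming convention rather than a type, unlike the `instanceof HostedSslConnectorFactory` branch beside it; any future `ConnectorFactory` subclass with a matching name suffix would pass a validator whose purpose is to keep the connector set fixed for Cloud applications. If the concrete class cannot be referenced from config-model (presumably a module-dependency constraint, to be confirmed), an `instanceof` against an interface it implements would be preferable, and failing that the reason belongs in a comment, e.g. `// Matched by class name: the health-check proxy connector type is not visible from this module`. The method also has no Javadoc stating the three exemptions and why each is trusted, which a reader of a security validator needs; a short `/** Connectors provisioned by the hosted model itself, or the default connector on BASEPORT with default TLS. */` would do. The filter would read more plainly outside the flatMap, `.flatMap(s -> s.getConnectorFactories().stream())` followed by `.filter(c -> !isAllowedConnector(c))`, with identical results. The enclosing `validate` method begins outside the hunk.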
diff --git a/config-model/src/test/java/com/yahoo/vespa/model/application/validation/CloudHttpConnectorValidatorTest.java b/config-model/src/test/java/com/yahoo/vespa/model/application/validation/CloudHttpConnectorValidatorTest.java
index 6a2eed1d21b..2b47bd7910f 100644
--- a/config-model/src/test/java/com/yahoo/vespa/model/application/validation/CloudHttpConnectorValidatorTest.java
+++ b/config-model/src/test/java/com/yahoo/vespa/model/application/validation/CloudHttpConnectorValidatorTest.java
@@ -42,8 +42,9 @@ class CloudHttpConnectorValidatorTest {
 @Test
 void fails_on_custom_ssl_for_cloud_application() {
 var exception = assertThrows(IllegalArgumentException.class, () -> runValidatorOnApp(true, "", CUSTOM_SSL_ON_8080));
- var expected = "Overriding connector specific TLS configuration is not allowed in Vespa Cloud. " +
- "See https://cloud.vespa.ai/en/security/guide#data-plane.";
+ var expected = "Adding additional or modifying existing HTTPS connectors is not allowed for Vespa Cloud applications. " +
+ "Violating connectors: [default@8080]. See https://cloud.vespa.ai/en/security/whitepaper, " +
+ "https://cloud.vespa.ai/en/security/guide#data-plane.";
 assertEquals(expected, exception.getMessage());
 }
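Review bot: The only visible test change pins the new rejection message, while the commit's stated purpose, that all default cloud connectors are accepted, is exercised by the acceptance side of `isAllowedConnector`; unless this class already has one outside the hunk, a positive case that runs the validator on a hosted app with only the default connectors (data plane and health-check proxy) and asserts no exception is thrown would guard that allowlist against regressions. Since the message now embeds the offending connector list, asserting on the `Violating connectors: [default@8080]` fragment rather than the whole text would keep the test tied to the behaviour that changed rather than to wording.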