authorMorten Tokle <mortent@verizonmedia.com>2021-02-18 10:48:13 +0100
committerGitHub <noreply@github.com>2021-02-18 10:48:13 +0100
commit5b35f35f8a300e467689e956a535a8551b7272b0 (patch)
treee9801a852c99cc0e4e001e8174d560363fa14a1d
parent213e1a975c81594a5971bd737f09eb160297ee92 (diff)
parent3213321255e28e16645c18b54f8770f640a96258 (diff)
Merge pull request #16556 from vespa-engine/mortent/block-feed-global-config
Config for blocking feed to global endpoints
-rw-r--r--config-model/pom.xml6
-rw-r--r--config-model/src/main/java/com/yahoo/vespa/model/clients/ContainerDocumentApi.java4
-rw-r--r--config-model/src/main/java/com/yahoo/vespa/model/container/http/BlockFeedGlobalEndpointsFilter.java67
-rw-r--r--jdisc-security-filters/pom.xml6
4 files changed, 76 insertions, 7 deletions
diff --git a/config-model/pom.xml b/config-model/pom.xml
index 60ce80164bd..0d499399de8 100644
--- a/config-model/pom.xml
+++ b/config-model/pom.xml
@@ -300,6 +300,12 @@
<version>${project.version}</version>
<scope>provided</scope>
</dependency>
+ <dependency>
+ <groupId>com.yahoo.vespa</groupId>
+ <artifactId>jdisc-security-filters</artifactId>
+ <version>${project.version}</version>
+ <scope>provided</scope>
+ </dependency>
</dependencies>
<build>
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/clients/ContainerDocumentApi.java b/config-model/src/main/java/com/yahoo/vespa/model/clients/ContainerDocumentApi.java
index 48bf51714ee..9e1407ec93e 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/clients/ContainerDocumentApi.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/clients/ContainerDocumentApi.java
@@ -20,6 +20,8 @@ import java.util.Collections;
*/
public class ContainerDocumentApi {
+ public static final String DOCUMENT_V1_PREFIX = "/document/v1";
+
private static final int FALLBACK_MAX_POOL_SIZE = 0; // Use fallback based on actual logical core count on host
private static final int FALLBACK_CORE_POOL_SIZE = 0; // Use fallback based on actual logical core count on host
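Review bot: The new public constant `DOCUMENT_V1_PREFIX` has no Javadoc although it now forms part of the class's public surface and is consumed outside this class (the feed-blocking filter in this same commit builds its path expression from it). A one-liner such as `/** Path prefix under which the Document V1 REST API handler is bound; reused by filters that need to match its requests. */` would tell the next maintainer that changing the value also changes which requests the filter covers. The class body continues beyond the hunk.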
@@ -39,7 +41,7 @@ public class ContainerDocumentApi {
private static void addRestApiHandler(ContainerCluster<?> cluster, Options options) {
- var handler = newVespaClientHandler("com.yahoo.document.restapi.resource.DocumentV1ApiHandler", "/document/v1/*", options);
+ var handler = newVespaClientHandler("com.yahoo.document.restapi.resource.DocumentV1ApiHandler", DOCUMENT_V1_PREFIX + "/*", options);
cluster.addComponent(handler);
// We need to include a dummy implementation of the previous restapi handler (using the same class name).
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/http/BlockFeedGlobalEndpointsFilter.java b/config-model/src/main/java/com/yahoo/vespa/model/container/http/BlockFeedGlobalEndpointsFilter.java
new file mode 100644
index 00000000000..8a3c8e7d336
--- /dev/null
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/http/BlockFeedGlobalEndpointsFilter.java
@@ -0,0 +1,67 @@
+// Copyright Verizon Media. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+
+package com.yahoo.vespa.model.container.http;
+
+import com.yahoo.component.ComponentSpecification;
+import com.yahoo.component.chain.dependencies.Dependencies;
+import com.yahoo.component.chain.model.ChainedComponentModel;
+import com.yahoo.config.model.api.ContainerEndpoint;
+import com.yahoo.config.provision.ApplicationId;
+import com.yahoo.container.bundle.BundleInstantiationSpecification;
+import com.yahoo.jdisc.http.filter.security.rule.RuleBasedFilterConfig;
+import com.yahoo.path.Path;
+import com.yahoo.vespa.model.clients.ContainerDocumentApi;
+import com.yahoo.vespa.model.container.ContainerCluster;
+
+import java.util.List;
+import java.util.Set;
+import java.util.stream.Collectors;
+
+import static com.yahoo.jdisc.http.filter.security.rule.RuleBasedFilterConfig.DefaultRule.Action.Enum.ALLOW;
+import static com.yahoo.jdisc.http.filter.security.rule.RuleBasedFilterConfig.Rule.Action.Enum.BLOCK;
+import static com.yahoo.jdisc.http.filter.security.rule.RuleBasedFilterConfig.Rule.Methods.Enum.DELETE;
+import static com.yahoo.jdisc.http.filter.security.rule.RuleBasedFilterConfig.Rule.Methods.Enum.POST;
+import static com.yahoo.jdisc.http.filter.security.rule.RuleBasedFilterConfig.Rule.Methods.Enum.PUT;
+
+/**
+ * @author mortent
+ */
+public class BlockFeedGlobalEndpointsFilter extends Filter implements RuleBasedFilterConfig.Producer {
+
+ private final Set<ContainerEndpoint> endpoints;
+ private final boolean dryRun;
+
+ public BlockFeedGlobalEndpointsFilter(Set<ContainerEndpoint> endpoints, boolean dryRun) {
+ super(createFilterComponentModel());
+ this.endpoints = Set.copyOf(endpoints);
+ this.dryRun = dryRun;
+ }
+
+ @Override
+ public void getConfig(RuleBasedFilterConfig.Builder builder) {
+ Set<String> hostNames = endpoints.stream()
+ .flatMap(e -> e.names().stream())
+ .collect(Collectors.toSet());
+ RuleBasedFilterConfig.Rule.Builder rule = new RuleBasedFilterConfig.Rule.Builder()
+ .hostNames(hostNames)
+ .pathExpressions(ContainerCluster.RESERVED_URI_PREFIX + "/{*}")
+ .pathExpressions(ContainerDocumentApi.DOCUMENT_V1_PREFIX + "/{*}")
+ .methods(List.of(PUT, POST, DELETE))
+ .action(BLOCK)
+ .name("block-feed-global-endpoints")
+ .blockResponseMessage("Feed to global endpoints are not allowed")
+ .blockResponseCode(404);
+ builder.rule(rule);
+ builder.dryrun(dryRun);
+ builder.defaultRule.action(ALLOW);
+ }
+
+ private static ChainedComponentModel createFilterComponentModel() {
+ return new ChainedComponentModel(
+ new BundleInstantiationSpecification(
+ new ComponentSpecification("com.yahoo.jdisc.http.filter.security.rule.RuleBasedRequestFilter"),
+ null,
+ new ComponentSpecification("jdisc-security-filters")),
+ Dependencies.emptyDependencies());
+ }
+}
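Review bot: The class Javadoc gives only `@author` and says nothing about what the filter does; a summary such as `Registers a RuleBasedRequestFilter that blocks PUT, POST and DELETE on the reserved-URI and /document/v1 paths for requests addressed to the given global endpoint host names; dryRun is forwarded unchanged to the filter config.` would let a reader grasp the intent without opening RuleBasedFilterConfig. In `getConfig`, an empty `endpoints` set yields an empty `hostNames`, and it is not visible here whether the rule-based filter then matches no host or every host — if the latter, feed would be blocked on all endpoints, so the empty case should either be guarded (`if (hostNames.isEmpty()) return;` before building the rule, keeping the default-rule setup) or its semantics documented on the constructor. The path expressions use `/{*}` whereas the handler in ContainerDocumentApi is bound with `/*`; whether `/{*}` also covers a request to exactly `/document/v1` with no trailing segment should be confirmed against the filter's matcher, since that is the coverage boundary of the block. The block message `"Feed to global endpoints are not allowed"` should read `is not allowed`.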
diff --git a/jdisc-security-filters/pom.xml b/jdisc-security-filters/pom.xml
index d4adfd23bac..5f6189c5cae 100644
--- a/jdisc-security-filters/pom.xml
+++ b/jdisc-security-filters/pom.xml
@@ -32,12 +32,6 @@
<!-- test -->
<dependency>
- <groupId>com.yahoo.vespa</groupId>
- <artifactId>container-test</artifactId>
- <version>${project.version}</version>
- <scope>test</scope>
- </dependency>
- <dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<scope>test</scope>