authorBjørn Christian Seime <bjorncs@yahooinc.com>2023-02-09 11:33:48 +0100
committerBjørn Christian Seime <bjorncs@yahooinc.com>2023-02-09 15:18:43 +0100
commit6ef87df07fa0c0ffdd595e39647e8253cb558d92 (patch)
tree286cd6f444703a9468c68828937d36e8c5cafcc2
parentf0f9cee55960f20c0daef33991d01e77abbc8f1c (diff)
Introduce capbilities for unclassified APIs
Require 'vespa.rpc.unclassified' by default for all JRT APIs
-rw-r--r--jrt/src/com/yahoo/jrt/Method.java2
-rw-r--r--jrt/src/com/yahoo/jrt/RequireCapabilitiesFilter.java5
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/Capability.java3
3 files changed, 9 insertions, 1 deletions
diff --git a/jrt/src/com/yahoo/jrt/Method.java b/jrt/src/com/yahoo/jrt/Method.java
index 89c66747e0b..e69c6bcd802 100644
--- a/jrt/src/com/yahoo/jrt/Method.java
+++ b/jrt/src/com/yahoo/jrt/Method.java
@@ -40,7 +40,7 @@ public class Method {
private String[] returnName;
private String[] returnDesc;
- private RequestAccessFilter filter = RequestAccessFilter.ALLOW_ALL;
+ private RequestAccessFilter filter = RequireCapabilitiesFilter.unclassified();
private static final String undocumented = "???";
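Review bot: The new default on `filter` is a fleet-wide authorization change with no comment at the field saying so: every `Method` that never sets its own filter is now checked by `RequireCapabilitiesFilter.unclassified()` instead of `RequestAccessFilter.ALLOW_ALL`. I would add a comment such as `// Default: caller must hold 'vespa.rpc.unclassified'; use ALLOW_ALL explicitly for methods that must stay open`, so that any handler which has to remain reachable without capabilities is opted out deliberately rather than discovered through a denied call. Whether a peer without capability-bearing credentials is rejected or passed through depends on `allow()`, whose body is not in this diff, so that case should be pinned by a test on a method with no explicit filter. The body of `Method` continues outside the hunk.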
diff --git a/jrt/src/com/yahoo/jrt/RequireCapabilitiesFilter.java b/jrt/src/com/yahoo/jrt/RequireCapabilitiesFilter.java
index 9bb497e96ed..90cc19880f0 100644
--- a/jrt/src/com/yahoo/jrt/RequireCapabilitiesFilter.java
+++ b/jrt/src/com/yahoo/jrt/RequireCapabilitiesFilter.java
@@ -10,6 +10,9 @@ import com.yahoo.security.tls.MissingCapabilitiesException;
*/
public class RequireCapabilitiesFilter implements RequestAccessFilter {
+ private static final RequireCapabilitiesFilter UNCLASSIFIED =
+ new RequireCapabilitiesFilter(Capability.RPC_UNCLASSIFIED);
+
private final CapabilitySet requiredCapabilities;
public RequireCapabilitiesFilter(CapabilitySet requiredCapabilities) {
@@ -20,6 +23,8 @@ public class RequireCapabilitiesFilter implements RequestAccessFilter {
this(CapabilitySet.from(requiredCapabilities));
}
+ public static RequireCapabilitiesFilter unclassified() { return UNCLASSIFIED; }
+
@Override
public boolean allow(Request r) {
try {
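Review bot: The public factory `unclassified()` and the `UNCLASSIFIED` constant it returns (added in the previous hunk of this file) have no Javadoc, although this instance is now the default access check for every JRT method. I would document the factory with `/** Shared filter requiring {@link Capability#RPC_UNCLASSIFIED}; the default for methods that declare no capabilities of their own. */` and put its body on a separate line like the constructors around it. Sharing one instance is safe only if the filter keeps no per-request state; the `final` `requiredCapabilities` field suggests that, but `CapabilitySet` is not visible here. `allow()` starts in this hunk and continues outside it.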
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/Capability.java b/security-utils/src/main/java/com/yahoo/security/tls/Capability.java
index 17f5d3d1421..502c0511b93 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/Capability.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/Capability.java
@@ -8,6 +8,9 @@ import java.util.Arrays;
*/
public enum Capability implements ToCapabilitySet {
NONE("vespa.none"), // placeholder for no capabilities
+ HTTP_UNCLASSIFIED("vespa.http.unclassified"),
+ RESTAPI_UNCLASSIFIED("vespa.restapi.unclassified"),
+ RPC_UNCLASSIFIED("vespa.rpc.unclassified"),
CONTENT__CLUSTER_CONTROLLER__INTERNAL_STATE_API("vespa.content.cluster_controller.internal_state_api"),
CONTENT__DOCUMENT_API("vespa.content.document_api"),
CONTENT__METRICS_API("vespa.content.metrics_api"),
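Review bot: None of the three new constants is granted to anything in the visible hunks, while `RPC_UNCLASSIFIED` is already required by default in `Method.java`; if the predefined capability sets and peer policies defined elsewhere are not updated in step, calls to methods without an explicit filter will be denied once capabilities are enforced. `HTTP_UNCLASSIFIED` and `RESTAPI_UNCLASSIFIED` are not referenced anywhere in this diff, so a short comment on each saying which handlers it is meant to cover would help, in the style of the comment on `NONE`. The constants are also inserted after `NONE` rather than appended, which shifts the ordinal of every later constant; that matters only if something persists or compares `ordinal()`, which cannot be seen from here. The enum body continues outside the hunk.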