authorBjørn Christian Seime <bjorn.christian@seime.no>2023-07-19 10:43:59 +0200
committerGitHub <noreply@github.com>2023-07-19 10:43:59 +0200
commit2a8acaa1d5283c3abd4a4fcbfff914321315bb72 (patch)
treebdf4855a3942a428bfdf1f6318c78ed0dbcb022c /config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java
parent69d705ef0d9679a1a73f6c00ec2eabb584a6576a (diff)
Revert "Use builder pattern to make connector configuration more readable"
Diffstat (limited to 'config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java')
-rw-r--r--config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java110
1 files changed, 68 insertions, 42 deletions
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java b/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java
index 4f11611541d..5bf348e5bb5 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java
@@ -3,6 +3,7 @@ package com.yahoo.vespa.model.container.http.ssl;
import com.yahoo.config.model.api.EndpointCertificateSecrets;
import com.yahoo.jdisc.http.ConnectorConfig;
+import com.yahoo.jdisc.http.ConnectorConfig.Ssl.ClientAuth;
import com.yahoo.security.tls.TlsContext;
import com.yahoo.vespa.model.container.http.ConnectorFactory;
@@ -17,71 +18,96 @@ import java.util.List;
*/
public class HostedSslConnectorFactory extends ConnectorFactory {
- boolean requireTlsClientAuthDuringTlsHandshake;
- private final List<String> tlsCiphersOverride;
+ private static final List<String> INSECURE_WHITELISTED_PATHS = List.of("/status.html");
+ private static final String DEFAULT_HOSTED_TRUSTSTORE = "/opt/yahoo/share/ssl/certs/athenz_certificate_bundle.pem";
+
+ private final boolean enforceClientAuth;
+ private final boolean enforceHandshakeClientAuth;
+ private final Collection<String> tlsCiphersOverride;
private final boolean enableProxyProtocolMixedMode;
private final Duration endpointConnectionTtl;
- public static Builder builder(String name, int listenPort) { return new Builder(name, listenPort); }
+ /**
+ * Create connector factory that uses a certificate provided by the config-model / configserver and default hosted Vespa truststore.
+ */
+ public static HostedSslConnectorFactory withProvidedCertificate(
+ String serverName, EndpointCertificateSecrets endpointCertificateSecrets, boolean enforceHandshakeClientAuth,
+ Collection<String> tlsCiphersOverride, boolean enableProxyProtocolMixedMode, int port,
+ Duration endpointConnectionTtl, boolean enableTokenSupport) {
+ CloudSslProvider sslProvider = createConfiguredDirectSslProvider(
+ serverName, endpointCertificateSecrets, DEFAULT_HOSTED_TRUSTSTORE, /*tlsCaCertificates*/null, enforceHandshakeClientAuth, enableTokenSupport);
+ return new HostedSslConnectorFactory(sslProvider, false, enforceHandshakeClientAuth, tlsCiphersOverride,
+ enableProxyProtocolMixedMode, port, endpointConnectionTtl);
+ }
+
+ /**
+ * Create connector factory that uses a certificate provided by the config-model / configserver and a truststore configured by the application.
+ */
+ public static HostedSslConnectorFactory withProvidedCertificateAndTruststore(
+ String serverName, EndpointCertificateSecrets endpointCertificateSecrets, String tlsCaCertificates,
+ Collection<String> tlsCiphersOverride, boolean enableProxyProtocolMixedMode, int port,
+ Duration endpointConnectionTtl, boolean enableTokenSupport) {
+ CloudSslProvider sslProvider = createConfiguredDirectSslProvider(
+ serverName, endpointCertificateSecrets, /*tlsCaCertificatesPath*/null, tlsCaCertificates, false, enableTokenSupport);
+ return new HostedSslConnectorFactory(sslProvider, true, false, tlsCiphersOverride, enableProxyProtocolMixedMode,
+ port, endpointConnectionTtl);
+ }
+
+ /**
+ * Create connector factory that uses the default certificate and truststore provided by Vespa (through Vespa-global TLS configuration).
+ */
+ public static HostedSslConnectorFactory withDefaultCertificateAndTruststore(String serverName, Collection<String> tlsCiphersOverride,
+ boolean enableProxyProtocolMixedMode, int port,
+ Duration endpointConnectionTtl) {
+ return new HostedSslConnectorFactory(new DefaultSslProvider(serverName), true, false, tlsCiphersOverride,
+ enableProxyProtocolMixedMode, port, endpointConnectionTtl);
+ }
- private HostedSslConnectorFactory(Builder builder) {
- super(new ConnectorFactory.Builder("tls"+builder.port, builder.port).sslProvider(createSslProvider(builder)));
- this.requireTlsClientAuthDuringTlsHandshake = builder.requireTlsClientAuthDuringTlsHandshake;
- this.tlsCiphersOverride = List.copyOf(builder.tlsCiphersOverride);
- this.enableProxyProtocolMixedMode = builder.enableProxyProtocolMixedMode;
- this.endpointConnectionTtl = builder.endpointConnectionTtl;
+ private HostedSslConnectorFactory(SslProvider sslProvider, boolean enforceClientAuth,
+ boolean enforceHandshakeClientAuth, Collection<String> tlsCiphersOverride,
+ boolean enableProxyProtocolMixedMode, int port, Duration endpointConnectionTtl) {
+ super(new Builder("tls"+port, port).sslProvider(sslProvider));
+ this.enforceClientAuth = enforceClientAuth;
+ this.enforceHandshakeClientAuth = enforceHandshakeClientAuth;
+ this.tlsCiphersOverride = tlsCiphersOverride;
+ this.enableProxyProtocolMixedMode = enableProxyProtocolMixedMode;
+ this.endpointConnectionTtl = endpointConnectionTtl;
}
- private static SslProvider createSslProvider(Builder builder) {
- if (builder.endpointCertificate == null) return new DefaultSslProvider(builder.name);
- var clientAuthentication = builder.requireTlsClientAuthDuringTlsHandshake
- ? ConnectorConfig.Ssl.ClientAuth.Enum.NEED_AUTH : ConnectorConfig.Ssl.ClientAuth.Enum.WANT_AUTH;
+ private static CloudSslProvider createConfiguredDirectSslProvider(
+ String serverName, EndpointCertificateSecrets endpointCertificateSecrets, String tlsCaCertificatesPath, String tlsCaCertificates, boolean enforceHandshakeClientAuth, boolean enableTokenSupport) {
+ var clientAuthentication = enforceHandshakeClientAuth ? ClientAuth.Enum.NEED_AUTH : ClientAuth.Enum.WANT_AUTH;
return new CloudSslProvider(
- builder.name, builder.endpointCertificate.key(), builder.endpointCertificate.certificate(),
- builder.tlsCaCertificatesPath, builder.tlsCaCertificatesPem, clientAuthentication);
+ serverName,
+ endpointCertificateSecrets.key(),
+ endpointCertificateSecrets.certificate(),
+ tlsCaCertificatesPath,
+ tlsCaCertificates,
+ clientAuthentication,
+ enableTokenSupport);
}
@Override
public void getConfig(ConnectorConfig.Builder connectorBuilder) {
super.getConfig(connectorBuilder);
- if (! requireTlsClientAuthDuringTlsHandshake) {
- connectorBuilder.tlsClientAuthEnforcer(
- new ConnectorConfig.TlsClientAuthEnforcer.Builder()
- .pathWhitelist(List.of("/status.html")).enable(true));
+ if (! enforceHandshakeClientAuth) {
+ connectorBuilder
+ .tlsClientAuthEnforcer(new ConnectorConfig.TlsClientAuthEnforcer.Builder()
+ .pathWhitelist(INSECURE_WHITELISTED_PATHS)
+ .enable(enforceClientAuth));
}
// Disables TLSv1.3 as it causes some browsers to prompt user for client certificate (when connector has 'want' auth)
connectorBuilder.ssl.enabledProtocols(List.of("TLSv1.2"));
+
if (!tlsCiphersOverride.isEmpty()) {
connectorBuilder.ssl.enabledCipherSuites(tlsCiphersOverride.stream().sorted().toList());
} else {
connectorBuilder.ssl.enabledCipherSuites(TlsContext.ALLOWED_CIPHER_SUITES.stream().sorted().toList());
}
+
connectorBuilder
.proxyProtocol(new ConnectorConfig.ProxyProtocol.Builder().enabled(true).mixedMode(enableProxyProtocolMixedMode))
.idleTimeout(Duration.ofSeconds(30).toSeconds())
.maxConnectionLife(endpointConnectionTtl != null ? endpointConnectionTtl.toSeconds() : 0);
}
-
- public static class Builder {
- final String name;
- final int port;
- boolean requireTlsClientAuthDuringTlsHandshake;
- List<String> tlsCiphersOverride;
- boolean enableProxyProtocolMixedMode;
- Duration endpointConnectionTtl;
- EndpointCertificateSecrets endpointCertificate;
- String tlsCaCertificatesPem;
- String tlsCaCertificatesPath;
-
- private Builder(String name, int port) { this.name = name; this.port = port; }
- public Builder requireTlsClientAuthDuringTlsHandshake(boolean enable) {this.requireTlsClientAuthDuringTlsHandshake = enable; return this; }
- public Builder endpointConnectionTtl(Duration ttl) { endpointConnectionTtl = ttl; return this; }
- public Builder tlsCiphersOverride(Collection<String> ciphers) { tlsCiphersOverride = List.copyOf(ciphers); return this; }
- public Builder proxyProtocolMixedMode(boolean enable) { enableProxyProtocolMixedMode = enable; return this; }
- public Builder endpointCertificate(EndpointCertificateSecrets cert) { this.endpointCertificate = cert; return this; }
- public Builder tlsCaCertificatesPath(String path) { this.tlsCaCertificatesPath = path; return this; }
- public Builder tlsCaCertificatesPem(String pem) { this.tlsCaCertificatesPem = pem; return this; }
-
- public HostedSslConnectorFactory build() { return new HostedSslConnectorFactory(this); }
- }
}
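Review bot: The constructor line `this.tlsCiphersOverride = tlsCiphersOverride;` stores the caller's Collection by reference, whereas the removed Builder snapshotted it with `List.copyOf`; a caller that later mutates its collection changes which cipher suites `getConfig` enables, and a null argument only fails later at `tlsCiphersOverride.isEmpty()`. Suggest `this.tlsCiphersOverride = List.copyOf(tlsCiphersOverride);`, which makes the field immutable and rejects null at construction. The two client-auth flags also deserve a field comment, since `enforceClientAuth` only takes effect when `enforceHandshakeClientAuth` is false (the enforcer block in `getConfig` is skipped otherwise): e.g. `// enforceHandshakeClientAuth: require a client certificate during the TLS handshake (NEED_AUTH); enforceClientAuth: otherwise enforce it per request via TlsClientAuthEnforcer, exempting INSECURE_WHITELISTED_PATHS`. Note that with `withProvidedCertificate` both flags can end up false, in which case no client-certificate enforcement is configured on this connector at all; if that is intended, it is worth stating in that factory's Javadoc.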