authorMorten Tokle <mortent@verizonmedia.com>2020-10-14 14:23:45 +0200
committerMorten Tokle <mortent@verizonmedia.com>2020-10-14 14:23:45 +0200
commit7e01a997ee5f918ce32ef2d6bddc44691cc6c530 (patch)
tree2a3e1561abe7d11a3dc8f8ae57a3df5f70820c53 /config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java
parentd27f881027a5fddeefe336da0d84f2e160c01eb1 (diff)
Set up need_auth for connector when access_control configured
Diffstat (limited to 'config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java')
-rw-r--r--config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java23
1 files changed, 15 insertions, 8 deletions
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java b/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java
index bcc2c9a3d6a..6c4ebec2301 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java
@@ -21,14 +21,15 @@ public class HostedSslConnectorFactory extends ConnectorFactory {
private static final String DEFAULT_HOSTED_TRUSTSTORE = "/opt/yahoo/share/ssl/certs/athenz_certificate_bundle.pem";
private final boolean enforceClientAuth;
+ private final boolean enforceHandshakeClientAuth;
/**
* Create connector factory that uses a certificate provided by the config-model / configserver and default hosted Vespa truststore.
*/
// TODO Enforce client authentication
public static HostedSslConnectorFactory withProvidedCertificate(
- String serverName, EndpointCertificateSecrets endpointCertificateSecrets) {
- return new HostedSslConnectorFactory(createConfiguredDirectSslProvider(serverName, endpointCertificateSecrets, DEFAULT_HOSTED_TRUSTSTORE, /*tlsCaCertificates*/null), false);
+ String serverName, EndpointCertificateSecrets endpointCertificateSecrets, boolean enforceHandshakeClientAuth) {
+ return new HostedSslConnectorFactory(createConfiguredDirectSslProvider(serverName, endpointCertificateSecrets, DEFAULT_HOSTED_TRUSTSTORE, /*tlsCaCertificates*/null), false, enforceHandshakeClientAuth);
}
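Review bot: The `// TODO Enforce client authentication` comment kept above `withProvidedCertificate` is now stale, since the new `enforceHandshakeClientAuth` parameter is exactly the mechanism that enforces it, yet neither the Javadoc nor the comment describes what the flag does. I would drop the TODO and add to the Javadoc `@param enforceHandshakeClientAuth when true the connector requires a client certificate during the TLS handshake (NEED_AUTH) instead of the path-based enforcer`. Note that this factory still passes `false` for `enforceClientAuth`, so with the new flag off this connector performs no client-auth enforcement at all, which the Javadoc should also state. The second hunk's factories hard-code `false` for the new flag and would benefit from the same one-line description of the two modes.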
/**
@@ -36,19 +37,20 @@ public class HostedSslConnectorFactory extends ConnectorFactory {
*/
public static HostedSslConnectorFactory withProvidedCertificateAndTruststore(
String serverName, EndpointCertificateSecrets endpointCertificateSecrets, String tlsCaCertificates) {
- return new HostedSslConnectorFactory(createConfiguredDirectSslProvider(serverName, endpointCertificateSecrets, /*tlsCaCertificatesPath*/null, tlsCaCertificates), true);
+ return new HostedSslConnectorFactory(createConfiguredDirectSslProvider(serverName, endpointCertificateSecrets, /*tlsCaCertificatesPath*/null, tlsCaCertificates), true, false);
}
/**
* Create connector factory that uses the default certificate and truststore provided by Vespa (through Vespa-global TLS configuration).
*/
public static HostedSslConnectorFactory withDefaultCertificateAndTruststore(String serverName) {
- return new HostedSslConnectorFactory(new DefaultSslProvider(serverName), true);
+ return new HostedSslConnectorFactory(new DefaultSslProvider(serverName), true, false);
}
- private HostedSslConnectorFactory(SimpleComponent sslProviderComponent, boolean enforceClientAuth) {
+ private HostedSslConnectorFactory(SimpleComponent sslProviderComponent, boolean enforceClientAuth, boolean enforceHandshakeClientAuth) {
super("tls4443", 4443, sslProviderComponent);
this.enforceClientAuth = enforceClientAuth;
+ this.enforceHandshakeClientAuth = enforceHandshakeClientAuth;
}
private static ConfiguredDirectSslProvider createConfiguredDirectSslProvider(
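Review bot: The private constructor now takes two adjacent booleans and every call site passes them positionally (`true, false`, `false, enforceHandshakeClientAuth`), which is easy to transpose, and the constructor has no Javadoc explaining how the two relate. Since `getConfig` only honours `enforceClientAuth` when `enforceHandshakeClientAuth` is false, a short Javadoc on the constructor would prevent a future `true, true` call from being written in the belief that both apply: `@param enforceClientAuth enable the path-based TlsClientAuthEnforcer (only used when enforceHandshakeClientAuth is false)` and `@param enforceHandshakeClientAuth require a client certificate at the TLS handshake (NEED_AUTH)`. An alternative is a single enum for the three supported modes, but the Javadoc is the minimal fix.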
@@ -65,10 +67,15 @@ public class HostedSslConnectorFactory extends ConnectorFactory {
@Override
public void getConfig(ConnectorConfig.Builder connectorBuilder) {
super.getConfig(connectorBuilder);
+ if (enforceHandshakeClientAuth) {
+ connectorBuilder.ssl.clientAuth(ClientAuth.Enum.NEED_AUTH);
+ } else {
+ connectorBuilder
+ .tlsClientAuthEnforcer(new ConnectorConfig.TlsClientAuthEnforcer.Builder()
+ .pathWhitelist(INSECURE_WHITELISTED_PATHS)
+ .enable(enforceClientAuth));
+ }
connectorBuilder
- .tlsClientAuthEnforcer(new ConnectorConfig.TlsClientAuthEnforcer.Builder()
- .pathWhitelist(INSECURE_WHITELISTED_PATHS)
- .enable(enforceClientAuth))
.proxyProtocol(new ConnectorConfig.ProxyProtocol.Builder().enabled(true).mixedMode(true))
.idleTimeout(Duration.ofMinutes(3).toSeconds())
.maxConnectionLife(Duration.ofMinutes(10).toSeconds());
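Review bot: In the new `if`/`else` in `getConfig`, the `enforceClientAuth` flag is silently ignored whenever `enforceHandshakeClientAuth` is true, and the `INSECURE_WHITELISTED_PATHS` exemption is not installed in that branch, so those paths also require a client certificate at the handshake. That is presumably the intent (NEED_AUTH rejects unauthenticated connections before any HTTP path is seen), but it is a behavioural difference worth recording at the branch: `// NEED_AUTH enforces client auth at the TLS layer for every path, so the path-based enforcer and its whitelist are intentionally not installed.` The constructor does not reject the `(true, true)` combination, so either document that the handshake setting wins or add an `IllegalArgumentException` there. `getConfig` continues past the end of the hunk.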