author | Morten Tokle <mortent@yahooinc.com> | 2023-06-07 11:29:07 +0200 |
---|---|---|
committer | Morten Tokle <mortent@yahooinc.com> | 2023-06-07 11:29:07 +0200 |
commit | e8e31b8f7ff1a77a47a8e9cf1bb884123ca2469a (patch) | |
tree | 55ae69cceca99e955f455348dd18c46f97d8b4fb /config-model/src/main/java/com/yahoo/vespa/model/container | |
parent | 17680e5bd51252b282e011e4f9929653f78be016 (diff) |
Generate proxy certificate and inject in trust store
Diffstat (limited to 'config-model/src/main/java/com/yahoo/vespa/model/container')
-rw-r--r-- | config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/CloudSslProvider.java (renamed from config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/ConfiguredDirectSslProvider.java) | 14 | ||||
-rw-r--r-- | config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java | 21 | ||||
-rw-r--r-- | config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java | 12 |
3 files changed, 31 insertions, 16 deletions
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/ConfiguredDirectSslProvider.java b/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/CloudSslProvider.java
index adc1458ce85..5fa893e9599 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/ConfiguredDirectSslProvider.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/CloudSslProvider.java
@@ -2,6 +2,7 @@ package com.yahoo.vespa.model.container.http.ssl;
import com.yahoo.jdisc.http.ConnectorConfig;
+import com.yahoo.jdisc.http.ssl.impl.CloudSslContextProvider;
import com.yahoo.jdisc.http.ssl.impl.ConfiguredSslContextFactoryProvider;
import java.util.Optional;
@@ -14,9 +15,10 @@ import static com.yahoo.jdisc.http.ConnectorConfig.Ssl.ClientAuth;
* @author mortent
* @author andreer
*/
-public class ConfiguredDirectSslProvider extends SslProvider {
+public class CloudSslProvider extends SslProvider {
public static final String COMPONENT_ID_PREFIX = "configured-ssl-provider@";
- public static final String COMPONENT_CLASS = ConfiguredSslContextFactoryProvider.class.getName();
+ public static final String MTLSONLY_COMPONENT_CLASS = ConfiguredSslContextFactoryProvider.class.getName();
+ public static final String TOKEN_COMPONENT_CLASS = CloudSslContextProvider.class.getName();
private final String privateKey;
private final String certificate;
@@ -24,8 +26,8 @@ public class ConfiguredDirectSslProvider extends SslProvider {
private final String caCertificate;
private final ClientAuth.Enum clientAuthentication;
- public ConfiguredDirectSslProvider(String servername, String privateKey, String certificate, String caCertificatePath, String caCertificate, ClientAuth.Enum clientAuthentication) {
- super(COMPONENT_ID_PREFIX, servername, COMPONENT_CLASS, null);
+ public CloudSslProvider(String servername, String privateKey, String certificate, String caCertificatePath, String caCertificate, ClientAuth.Enum clientAuthentication, boolean enableTokenSupport) {
+ super(COMPONENT_ID_PREFIX, servername, componentClass(enableTokenSupport), null);
this.privateKey = privateKey;
this.certificate = certificate;
this.caCertificatePath = caCertificatePath;
@@ -33,6 +35,10 @@ public class ConfiguredDirectSslProvider extends SslProvider {
this.clientAuthentication = clientAuthentication;
}
+ private static String componentClass(boolean enableTokenSupport) {
+ return enableTokenSupport ? TOKEN_COMPONENT_CLASS : MTLSONLY_COMPONENT_CLASS;
+ }
+
@Override
public void amendConnectorConfig(ConnectorConfig.Builder builder) {
builder.ssl.enabled(true);
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java b/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java
index 72d2927f910..5bf348e5bb5 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java
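Review bot: The new `enableTokenSupport` constructor flag and the two component-class constants are undocumented, so the reader has to open both provider classes to learn what the boolean switches. Add Javadoc on `componentClass`, e.g. `/** Selects the SSL context provider component: token support uses {@link CloudSslContextProvider}, otherwise the mTLS-only {@link ConfiguredSslContextFactoryProvider}. */`, and a `@param enableTokenSupport` line on the constructor. Note that `COMPONENT_ID_PREFIX` stays `configured-ssl-provider@` for both providers, so the component id alone no longer reveals which implementation is installed; if that is intended, a sentence in the class Javadoc would save the next reader a trip. The class body continues outside the hunk (`amendConnectorConfig` is cut off).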
@@ -33,9 +33,9 @@ public class HostedSslConnectorFactory extends ConnectorFactory {
public static HostedSslConnectorFactory withProvidedCertificate(
String serverName, EndpointCertificateSecrets endpointCertificateSecrets, boolean enforceHandshakeClientAuth, Collection<String> tlsCiphersOverride, boolean enableProxyProtocolMixedMode, int port,
- Duration endpointConnectionTtl) {
- ConfiguredDirectSslProvider sslProvider = createConfiguredDirectSslProvider(
- serverName, endpointCertificateSecrets, DEFAULT_HOSTED_TRUSTSTORE, /*tlsCaCertificates*/null, enforceHandshakeClientAuth);
+ Duration endpointConnectionTtl, boolean enableTokenSupport) {
+ CloudSslProvider sslProvider = createConfiguredDirectSslProvider(
+ serverName, endpointCertificateSecrets, DEFAULT_HOSTED_TRUSTSTORE, /*tlsCaCertificates*/null, enforceHandshakeClientAuth, enableTokenSupport);
return new HostedSslConnectorFactory(sslProvider, false, enforceHandshakeClientAuth, tlsCiphersOverride, enableProxyProtocolMixedMode, port, endpointConnectionTtl);
}
@@ -46,9 +46,9 @@ public class HostedSslConnectorFactory extends ConnectorFactory {
public static HostedSslConnectorFactory withProvidedCertificateAndTruststore(
String serverName, EndpointCertificateSecrets endpointCertificateSecrets, String tlsCaCertificates, Collection<String> tlsCiphersOverride, boolean enableProxyProtocolMixedMode, int port,
- Duration endpointConnectionTtl) {
- ConfiguredDirectSslProvider sslProvider = createConfiguredDirectSslProvider(
- serverName, endpointCertificateSecrets, /*tlsCaCertificatesPath*/null, tlsCaCertificates, false);
+ Duration endpointConnectionTtl, boolean enableTokenSupport) {
+ CloudSslProvider sslProvider = createConfiguredDirectSslProvider(
+ serverName, endpointCertificateSecrets, /*tlsCaCertificatesPath*/null, tlsCaCertificates, false, enableTokenSupport);
return new HostedSslConnectorFactory(sslProvider, true, false, tlsCiphersOverride, enableProxyProtocolMixedMode, port, endpointConnectionTtl);
}
@@ -74,16 +74,17 @@ public class HostedSslConnectorFactory extends ConnectorFactory {
this.endpointConnectionTtl = endpointConnectionTtl;
}
- private static ConfiguredDirectSslProvider createConfiguredDirectSslProvider(
- String serverName, EndpointCertificateSecrets endpointCertificateSecrets, String tlsCaCertificatesPath, String tlsCaCertificates, boolean enforceHandshakeClientAuth) {
+ private static CloudSslProvider createConfiguredDirectSslProvider(
+ String serverName, EndpointCertificateSecrets endpointCertificateSecrets, String tlsCaCertificatesPath, String tlsCaCertificates, boolean enforceHandshakeClientAuth, boolean enableTokenSupport) {
var clientAuthentication = enforceHandshakeClientAuth ? ClientAuth.Enum.NEED_AUTH : ClientAuth.Enum.WANT_AUTH;
- return new ConfiguredDirectSslProvider(
+ return new CloudSslProvider(
serverName,
endpointCertificateSecrets.key(),
endpointCertificateSecrets.certificate(),
tlsCaCertificatesPath,
tlsCaCertificates,
- clientAuthentication);
+ clientAuthentication,
+ enableTokenSupport);
}
@Override
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
index c8bd661a00b..3305e596a87 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
@@ -39,6 +39,7 @@ import com.yahoo.container.bundle.BundleInstantiationSpecification;
import com.yahoo.container.logging.AccessLog;
import com.yahoo.container.logging.FileConnectionLog;
import com.yahoo.io.IOUtils;
+import com.yahoo.jdisc.http.server.jetty.DataplaneProxyCredentials;
import com.yahoo.jdisc.http.server.jetty.VoidRequestLog;
import com.yahoo.osgi.provider.model.ComponentModel;
import com.yahoo.path.Path;
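Review bot: The private helper keeps the name `createConfiguredDirectSslProvider` although the type it now builds and returns is `CloudSslProvider`, so the name is stale after the rename; the same applies to its two call sites in `withProvidedCertificate` and `withProvidedCertificateAndTruststore` in the preceding hunks. Renaming it to `createCloudSslProvider` in all three places keeps the factory consistent with the type it returns. The two public factories also gain a trailing boolean without a `@param enableTokenSupport` Javadoc entry; as they are the public entry points, state what switching it on changes (which SSL context provider component the connector gets). The enclosing class continues outside the hunk.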
@@ -606,13 +607,20 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> {
.map(clientAuth -> clientAuth == AccessControl.ClientAuthentication.need)
.orElse(false);
+ // TODO (mortent): Implement token support in model
+ boolean enableTokenSupport = false;
+
+ // Set up component to generate proxy cert if token support is enabled
+ if (enableTokenSupport) {
+ cluster.addSimpleComponent(DataplaneProxyCredentials.class);
+ }
connectorFactory = authorizeClient
? HostedSslConnectorFactory.withProvidedCertificateAndTruststore(
serverName, endpointCertificateSecrets, X509CertificateUtils.toPem(clientCertificates),
- tlsCiphersOverride, proxyProtocolMixedMode, port, endpointConnectionTtl)
+ tlsCiphersOverride, proxyProtocolMixedMode, port, endpointConnectionTtl, enableTokenSupport)
: HostedSslConnectorFactory.withProvidedCertificate(
serverName, endpointCertificateSecrets, enforceHandshakeClientAuth, tlsCiphersOverride,
- proxyProtocolMixedMode, port, endpointConnectionTtl);
+ proxyProtocolMixedMode, port, endpointConnectionTtl, enableTokenSupport);
} else {
connectorFactory = HostedSslConnectorFactory.withDefaultCertificateAndTruststore(
serverName, tlsCiphersOverride, proxyProtocolMixedMode, port, |
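Review bot: `enableTokenSupport` is a hard-coded `false` literal, so the `if (enableTokenSupport)` block that registers `DataplaneProxyCredentials` is unreachable and the `CloudSslContextProvider` path threaded through both connector factories cannot be exercised from the model yet. A constant condition is also the kind of dead code static analysis flags; if the intent is to land the plumbing first, say so on the TODO and name where the value is meant to come from, e.g. `// TODO (mortent): derive from the deployment configuration once token support is wired up; kept false so no proxy credentials are generated yet`. The credential-generating component is registered only in the branch that has endpoint certificate secrets and not in the `else` branch using `withDefaultCertificateAndTruststore`; that looks deliberate but deserves a one-line comment so the asymmetry is not mistaken for an omission later. The enclosing method starts and ends outside the hunk.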