authorHarald Musum <musum@verizonmedia.com>2021-04-25 07:33:23 +0200
committerGitHub <noreply@github.com>2021-04-25 07:33:23 +0200
commit46f2cc458e628e7ed3efff6c41f62b302f26508b (patch)
treef48b4ca978da9cf5b78b06d24c604dceaeb494ae /config-model/src/main
parent17522dc13210408ff9a1da84b9c5c354283389a8 (diff)
Revert "Revert "Flag to allow disabling mtls""
Diffstat (limited to 'config-model/src/main')
-rw-r--r--config-model/src/main/java/com/yahoo/config/model/deploy/TestProperties.java7
-rw-r--r--config-model/src/main/java/com/yahoo/vespa/model/container/http/xml/HttpBuilder.java15
2 files changed, 16 insertions, 6 deletions
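--- a/config-model/src/main/java/com/yahoo/config/model/deploy/TestProperties.java
+++ b/config-model/src/main/java/com/yahoo/config/model/deploy/TestProperties.java
@@ -61,6 +61,7 @@ public class TestProperties implements ModelContext.Properties, ModelContext.Fea
 private List<TenantSecretStore> tenantSecretStores = Collections.emptyList();
 private String jvmOmitStackTraceInFastThrowOption;
 private int numDistributorStripes = 0;
+ private boolean allowDisableMtls = true;
 @Override public ModelContext.FeatureFlags featureFlags() { return this; }
 @Override public boolean multitenant() { return multitenant; }
@@ -102,6 +103,7 @@ public class TestProperties implements ModelContext.Properties, ModelContext.Fea
 @Override public List<TenantSecretStore> tenantSecretStores() { return tenantSecretStores; }
 @Override public String jvmOmitStackTraceInFastThrowOption(ClusterSpec.Type type) { return jvmOmitStackTraceInFastThrowOption; }
 @Override public int numDistributorStripes() { return numDistributorStripes; }
+ @Override public boolean allowDisableMtls() { return allowDisableMtls; }
 public TestProperties setFeedConcurrency(double feedConcurrency) {
 this.feedConcurrency = feedConcurrency;
@@ -248,6 +250,11 @@ public class TestProperties implements ModelContext.Properties, ModelContext.Fea
 return this;
 }
+ public TestProperties allowDisableMtls(boolean value) {
+ this.allowDisableMtls = value;
+ return this;
+ }
+
 public static class Spec implements ConfigServerSpec {
 private final String hostName;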
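Review bot: The new fluent setter `allowDisableMtls(boolean value)` in the third hunk departs from the `setXxx` naming the class uses for its other builders (`setFeedConcurrency` a few lines above) and shares its name with the `@Override` getter added in the second hunk, so the two differ only by arity; `public TestProperties setAllowDisableMtls(boolean value)` would read consistently with its neighbours. The field declaration also lacks a comment saying what it gates: from the HttpBuilder hunk in this same commit it decides whether an application may set `tls-handshake-client-auth` to `want`, so `// false forbids tls-handshake-client-auth="want" in the application's http config (enforced in HttpBuilder)` on the declaration would spare a reader the cross-file lookup. Note the default is `true`, so any test meant to exercise the rejection path must opt in explicitly with `allowDisableMtls(false)`; a one-line comment stating that the permissive default is intentional for tests would make the intent clear.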
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/http/xml/HttpBuilder.java b/config-model/src/main/java/com/yahoo/vespa/model/container/http/xml/HttpBuilder.java
index 5417a522d6a..5c8028575aa 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/http/xml/HttpBuilder.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/http/xml/HttpBuilder.java
@@ -78,13 +78,16 @@ public class HttpBuilder extends VespaDomBuilder.DomConfigProducerBuilder<Http>
readAttr -> builder.readEnabled(Boolean.valueOf(readAttr)));
XmlHelper.getOptionalAttribute(accessControlElem, "write").ifPresent(
writeAttr -> builder.writeEnabled(Boolean.valueOf(writeAttr)));
- builder.clientAuthentication(
+
+ AccessControl.ClientAuthentication clientAuth =
XmlHelper.getOptionalAttribute(accessControlElem, "tls-handshake-client-auth")
- .map(value -> "want".equals(value)
- ? AccessControl.ClientAuthentication.want
- : AccessControl.ClientAuthentication.need)
- .orElse(AccessControl.ClientAuthentication.need)
- );
+ .filter("want"::equals)
+ .map(value -> AccessControl.ClientAuthentication.want)
+ .orElse(AccessControl.ClientAuthentication.need);
+ if (! deployState.getProperties().allowDisableMtls() && clientAuth == AccessControl.ClientAuthentication.want) {
+ throw new IllegalArgumentException("Overriding 'tls-handshake-client-auth' for application is not allowed.");
+ }
+ builder.clientAuthentication(clientAuth);
Element excludeElem = XML.getChild(accessControlElem, "exclude");
if (excludeElem != null) {