author | Harald Musum <musum@verizonmedia.com> | 2021-04-25 07:33:23 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-04-25 07:33:23 +0200 |
commit | 46f2cc458e628e7ed3efff6c41f62b302f26508b (patch) | |
tree | f48b4ca978da9cf5b78b06d24c604dceaeb494ae /config-model/src/main | |
parent | 17522dc13210408ff9a1da84b9c5c354283389a8 (diff) |
Revert "Revert "Flag to allow disabling mtls""
Diffstat (limited to 'config-model/src/main')
-rw-r--r-- | config-model/src/main/java/com/yahoo/config/model/deploy/TestProperties.java | 7 | ||||
-rw-r--r-- | config-model/src/main/java/com/yahoo/vespa/model/container/http/xml/HttpBuilder.java | 15 |
2 files changed, 16 insertions, 6 deletions
diff --git a/config-model/src/main/java/com/yahoo/config/model/deploy/TestProperties.java b/config-model/src/main/java/com/yahoo/config/model/deploy/TestProperties.java
index 59930a77a21..75a1a167446 100644
--- a/config-model/src/main/java/com/yahoo/config/model/deploy/TestProperties.java
+++ b/config-model/src/main/java/com/yahoo/config/model/deploy/TestProperties.java
@@ -61,6 +61,7 @@ public class TestProperties implements ModelContext.Properties, ModelContext.Fea
 private List<TenantSecretStore> tenantSecretStores = Collections.emptyList();
 private String jvmOmitStackTraceInFastThrowOption;
 private int numDistributorStripes = 0;
+ private boolean allowDisableMtls = true;
 @Override public ModelContext.FeatureFlags featureFlags() { return this; }
 @Override public boolean multitenant() { return multitenant; }
@@ -102,6 +103,7 @@ public class TestProperties implements ModelContext.Properties, ModelContext.Fea
 @Override public List<TenantSecretStore> tenantSecretStores() { return tenantSecretStores; }
 @Override public String jvmOmitStackTraceInFastThrowOption(ClusterSpec.Type type) { return jvmOmitStackTraceInFastThrowOption; }
 @Override public int numDistributorStripes() { return numDistributorStripes; }
+ @Override public boolean allowDisableMtls() { return allowDisableMtls; }
 public TestProperties setFeedConcurrency(double feedConcurrency) {
 this.feedConcurrency = feedConcurrency;
@@ -248,6 +250,11 @@ public class TestProperties implements ModelContext.Properties, ModelContext.Fea
 return this;
 }
+ public TestProperties allowDisableMtls(boolean value) {
+ this.allowDisableMtls = value;
+ return this;
+ }
+
 public static class Spec implements ConfigServerSpec {
 private final String hostName;
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/http/xml/HttpBuilder.java b/config-model/src/main/java/com/yahoo/vespa/model/container/http/xml/HttpBuilder.java
index 5417a522d6a..5c8028575aa 100644
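Review bot: The new setter `public TestProperties allowDisableMtls(boolean value)` in the third hunk drops the `set` prefix used by at least the neighbouring `setFeedConcurrency(double feedConcurrency)` and overloads the name of the `@Override` getter `allowDisableMtls()` added in the second hunk, so a call site reads ambiguously between query and mutation. I would name it `setAllowDisableMtls(boolean value)` and keep the fluent `return this;`. The field default of `true` is the permissive side of the new check, which means the rejection path in HttpBuilder is only exercised by tests that opt out explicitly; a one-line comment on the field such as `// permissive by default; set to false to exercise the 'tls-handshake-client-auth' rejection` would make that intent visible. The class body continues outside these hunks.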
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/http/xml/HttpBuilder.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/http/xml/HttpBuilder.java
@@ -78,13 +78,16 @@ public class HttpBuilder extends VespaDomBuilder.DomConfigProducerBuilder<Http>
 readAttr -> builder.readEnabled(Boolean.valueOf(readAttr)));
 XmlHelper.getOptionalAttribute(accessControlElem, "write").ifPresent(
 writeAttr -> builder.writeEnabled(Boolean.valueOf(writeAttr)));
- builder.clientAuthentication(
+
+ AccessControl.ClientAuthentication clientAuth =
 XmlHelper.getOptionalAttribute(accessControlElem, "tls-handshake-client-auth")
- .map(value -> "want".equals(value)
- ? AccessControl.ClientAuthentication.want
- : AccessControl.ClientAuthentication.need)
- .orElse(AccessControl.ClientAuthentication.need)
- );
+ .filter("want"::equals)
+ .map(value -> AccessControl.ClientAuthentication.want)
+ .orElse(AccessControl.ClientAuthentication.need);
+ if (! deployState.getProperties().allowDisableMtls() && clientAuth == AccessControl.ClientAuthentication.want) {
+ throw new IllegalArgumentException("Overriding 'tls-handshake-client-auth' for application is not allowed.");
+ }
+ builder.clientAuthentication(clientAuth);
 Element excludeElem = XML.getChild(accessControlElem, "exclude");
 if (excludeElem != null) { |
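Review bot: The rewritten mapping `.filter("want"::equals)` / `.orElse(AccessControl.ClientAuthentication.need)` silently turns every unrecognised value of `tls-handshake-client-auth` (a misspelling, `"WANT"`, `"none"`) into `need`; that fails closed, which is the right direction for an mTLS setting, but an operator who mistypes the attribute gets no feedback, and the new `allowDisableMtls()` gate can only react to the one spelling it was mapped from. Unless the services.xml schema already restricts this attribute to the two literal values (not visible here), I would map the known values explicitly and reject anything else, so the gate sees exactly what the operator wrote. The `IllegalArgumentException` on the `allowDisableMtls()` branch would also be more actionable if it named the attribute value that was rejected. The enclosing method starts and ends outside the hunk.

```java
AccessControl.ClientAuthentication clientAuth =
        XmlHelper.getOptionalAttribute(accessControlElem, "tls-handshake-client-auth")
                .map(value -> {
                    if ("want".equals(value)) return AccessControl.ClientAuthentication.want;
                    if ("need".equals(value)) return AccessControl.ClientAuthentication.need;
                    throw new IllegalArgumentException("Invalid value '" + value + "' for 'tls-handshake-client-auth', expected 'want' or 'need'");
                })
                .orElse(AccessControl.ClientAuthentication.need);
// … unchanged: allowDisableMtls() check and builder.clientAuthentication(clientAuth) …
```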