authorMorten Tokle <morten.tokle@gmail.com>2021-05-28 08:29:28 +0200
committerMorten Tokle <mortent@verizonmedia.com>2021-05-28 11:27:27 +0200
commit057b88a27172d2e6b8912cfcff67ab341f19affa (patch)
tree4720e923a079b4c40890cd47f00d8698f6ecde0d /config-model/src/test/java/com
parent8d86fe0d7b23871ed643ba592423e92d7b86d024 (diff)
Revert "Revert mortent/cfg operator cert"
Diffstat (limited to 'config-model/src/test/java/com')
-rw-r--r--config-model/src/test/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilderTest.java56
1 files changed, 56 insertions, 0 deletions
diff --git a/config-model/src/test/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilderTest.java b/config-model/src/test/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilderTest.java
index 7f862afa1b0..543318f9224 100644
--- a/config-model/src/test/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilderTest.java
+++ b/config-model/src/test/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilderTest.java
@@ -40,6 +40,11 @@ import com.yahoo.net.HostName;
import com.yahoo.path.Path;
import com.yahoo.prelude.cluster.QrMonitorConfig;
import com.yahoo.search.config.QrStartConfig;
+import com.yahoo.security.KeyAlgorithm;
+import com.yahoo.security.KeyUtils;
+import com.yahoo.security.SignatureAlgorithm;
+import com.yahoo.security.X509CertificateBuilder;
+import com.yahoo.security.X509CertificateUtils;
import com.yahoo.security.tls.TlsContext;
import com.yahoo.vespa.defaults.Defaults;
import com.yahoo.vespa.model.AbstractService;
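Review bot: Several of the imports added in this hunk — `KeyAlgorithm`, `KeyUtils`, `SignatureAlgorithm` and `X509CertificateBuilder` — are not referenced by the new test visible in the last hunk, which only calls `X509CertificateUtils.createSelfSigned`, `toPem` and `certificateListFromPem`; the same appears to hold for `CoreMatchers` in the second import hunk, for `X500Principal`, `BigInteger`, `KeyPair`, `X509Certificate`, `Instant` and `ChronoUnit` in the third, and for `arrayContainingInAnyOrder` in the fourth. Unless they are used elsewhere in the file (only the tail of the file is visible here), they look like leftovers from an earlier version of the test that assembled the certificate by hand, and reverting the revert reintroduces them as dead imports. The change I would propose for this hunk is to keep only `import com.yahoo.security.X509CertificateUtils;` and drop the other four, with the corresponding trims in the three later import hunks.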
@@ -53,6 +58,7 @@ import com.yahoo.vespa.model.container.http.ConnectorFactory;
import com.yahoo.vespa.model.content.utils.ContentClusterUtils;
import com.yahoo.vespa.model.test.VespaModelTester;
import com.yahoo.vespa.model.test.utils.VespaModelCreatorWithFilePkg;
+import org.hamcrest.CoreMatchers;
import org.hamcrest.Matchers;
import org.hamcrest.core.IsEqual;
import org.junit.Rule;
@@ -61,8 +67,15 @@ import org.junit.rules.TemporaryFolder;
import org.w3c.dom.Element;
import org.xml.sax.SAXException;
+import javax.security.auth.x500.X500Principal;
import java.io.IOException;
import java.io.StringReader;
+import java.math.BigInteger;
+import java.security.KeyPair;
+import java.security.cert.X509Certificate;
+import java.time.Duration;
+import java.time.Instant;
+import java.time.temporal.ChronoUnit;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
@@ -82,6 +95,7 @@ import static org.hamcrest.CoreMatchers.is;
import static org.hamcrest.CoreMatchers.not;
import static org.hamcrest.CoreMatchers.notNullValue;
import static org.hamcrest.CoreMatchers.nullValue;
+import static org.hamcrest.Matchers.arrayContainingInAnyOrder;
import static org.hamcrest.Matchers.contains;
import static org.hamcrest.Matchers.containsInAnyOrder;
import static org.hamcrest.Matchers.containsString;
@@ -818,6 +832,48 @@ public class ContainerModelBuilderTest extends ContainerModelBuilderTestBase {
}
@Test
+ public void operator_certificates_are_joined_with_clients_pem() {
+ var applicationPackage = new MockApplicationPackage.Builder()
+ .withRoot(applicationFolder.getRoot())
+ .build();
+
+ var applicationTrustCert = X509CertificateUtils.toPem(
+ X509CertificateUtils.createSelfSigned("CN=application", Duration.ofDays(1)).certificate());
+ var operatorCert = X509CertificateUtils.createSelfSigned("CN=operator", Duration.ofDays(1)).certificate();
+
+ applicationPackage.getFile(Path.fromString("security")).createDirectory();
+ applicationPackage.getFile(Path.fromString("security/clients.pem")).writeFile(new StringReader(applicationTrustCert));
+
+ var deployState = new DeployState.Builder().properties(
+ new TestProperties()
+ .setOperatorCertificates(List.of(operatorCert))
+ .setHostedVespa(true)
+ .setEndpointCertificateSecrets(Optional.of(new EndpointCertificateSecrets("CERT", "KEY"))))
+ .zone(new Zone(SystemName.PublicCd, Environment.dev, RegionName.defaultName()))
+ .applicationPackage(applicationPackage)
+ .build();
+
+ Element clusterElem = DomBuilderTest.parse("<container version='1.0' />");
+
+ createModel(root, deployState, null, clusterElem);
+
+ ApplicationContainer container = (ApplicationContainer)root.getProducer("container/container.0");
+ List<ConnectorFactory> connectorFactories = container.getHttp().getHttpServer().get().getConnectorFactories();
+ ConnectorFactory tlsPort = connectorFactories.stream().filter(connectorFactory -> connectorFactory.getListenPort() == 4443).findFirst().orElseThrow();
+
+ ConnectorConfig.Builder builder = new ConnectorConfig.Builder();
+ tlsPort.getConfig(builder);
+
+ ConnectorConfig connectorConfig = new ConnectorConfig(builder);
+ var caCerts = X509CertificateUtils.certificateListFromPem(connectorConfig.ssl().caCertificate());
+ assertEquals(2, caCerts.size());
+ List<String> certnames = caCerts.stream()
+ .map(cert -> cert.getSubjectX500Principal().getName())
+ .collect(Collectors.toList());
+ assertThat(certnames, containsInAnyOrder("CN=operator", "CN=application"));
+ }
+
+ @Test
public void environment_vars_are_honoured() {
Element clusterElem = DomBuilderTest.parse(
"<container version='1.0'>",