author | Bjørn Christian Seime <bjorncs@yahooinc.com> | 2023-03-24 09:59:22 +0100 |
committer | Bjørn Christian Seime <bjorncs@yahooinc.com> | 2023-03-24 09:59:22 +0100 |
commit | c7656c036c48cfc5d291d20f14309b2170d91946 (patch) | |
tree | f488a571fbc8bac8053ac0966a754685330901d7 /config-model/src/test | |
parent | 438568b0f9ae0db73eaaffcd1d8410285419ba96 (diff) |
Add validator disallowing custom TLS configuration for Cloud apps
Diffstat (limited to 'config-model/src/test')
2 files changed, 106 insertions, 7 deletions
diff --git a/config-model/src/test/java/com/yahoo/vespa/model/application/validation/CloudHttpConnectorValidatorTest.java b/config-model/src/test/java/com/yahoo/vespa/model/application/validation/CloudHttpConnectorValidatorTest.java
new file mode 100644
index 00000000000..fdff586192c
--- /dev/null
+++ b/config-model/src/test/java/com/yahoo/vespa/model/application/validation/CloudHttpConnectorValidatorTest.java
@@ -0,0 +1,103 @@
+// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+
+package com.yahoo.vespa.model.application.validation;
+
+import com.yahoo.config.model.NullConfigModelRegistry;
+import com.yahoo.config.model.deploy.DeployState;
+import com.yahoo.config.model.deploy.TestProperties;
+import com.yahoo.config.model.test.MockApplicationPackage;
+import com.yahoo.vespa.model.VespaModel;
+import org.junit.jupiter.api.Test;
+
+import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+
+/**
+ * @author bjorncs
+ */
+class CloudHttpConnectorValidatorTest {
+
+ private static final String CUSTOM_SSL_ON_8080 =
+ """
+ <server port='8080' id='default'>
+ <ssl>
+ <private-key-file>/foo/key</private-key-file>
+ <certificate-file>/foo/cert</certificate-file>
+ </ssl>
+ </server>
+ """;
+
+ private static final String DEFAULT_SSL_ON_8080 =
+ """
+ <server port='8080' id='default'/>
+ """;
+
+ private static final String ADDITIONAL_CONNECTOR =
+ """
+ <server port='8080' id='default'/>
+ <server port='1234' id='custom'/>
+ """;
+
+ @Test
+ void fails_on_custom_ssl_for_cloud_application() {
+ var exception = assertThrows(IllegalArgumentException.class, () -> runValidatorOnApp(true, "", CUSTOM_SSL_ON_8080));
+ var expected = "Overriding connector specific TLS configuration is not allowed in Vespa Cloud. " +
+ "See https://cloud.vespa.ai/en/security/guide#data-plane.";
+ assertEquals(expected, exception.getMessage());
+ }
+
+ @Test
+ void allows_custom_ssl_for_infra() {
+ assertDoesNotThrow(() -> runValidatorOnApp(true, " application-type='hosted-infrastructure'", CUSTOM_SSL_ON_8080));
+ }
+
+ @Test
+ void allows_custom_ssl_for_self_hosted() {
+ assertDoesNotThrow(() -> runValidatorOnApp(false, "", CUSTOM_SSL_ON_8080));
+ }
+
+ @Test
+ void fails_on_additional_connectors_for_cloud_application() {
+ var exception = assertThrows(IllegalArgumentException.class, () -> runValidatorOnApp(true, "", ADDITIONAL_CONNECTOR));
+ var expected = "Illegal port 1234 in http server 'custom': Port must be set to 8080"; // Currently fails earlier in model construction
+ assertEquals(expected, exception.getMessage());
+ }
+
+ @Test
+ void allows_additional_connectors_for_self_hosted() {
+ assertDoesNotThrow(() -> runValidatorOnApp(false, "", ADDITIONAL_CONNECTOR));
+ }
+
+ @Test
+ void allows_default_ssl_for_cloud_application() {
+ assertDoesNotThrow(() -> runValidatorOnApp(true, "", DEFAULT_SSL_ON_8080));
+ }
+
+ @Test
+ void allows_default_ssl_for_self_hosted() {
+ assertDoesNotThrow(() -> runValidatorOnApp(true, "", DEFAULT_SSL_ON_8080));
+ }
+
+ private static void runValidatorOnApp(boolean hosted, String appTypeAttribute, String serverXml) throws Exception {
+ String servicesXml = """
+ <services version='1.0'%s>
+ <container version='1.0'>
+ <http>
+ %s
+ </http>
+ </container>
+ </services>
+ """.formatted(appTypeAttribute, serverXml);
+ var state = new DeployState.Builder()
+ .applicationPackage(
+ new MockApplicationPackage.Builder()
+ .withServices(servicesXml)
+ .build())
+ .properties(new TestProperties().setHostedVespa(hosted))
+ .build();
+ var model = new VespaModel(new NullConfigModelRegistry(), state);
+ new CloudHttpConnectorValidator().validate(model, state);
+ }
+
+}
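Review bot: `allows_default_ssl_for_self_hosted` calls `runValidatorOnApp(true, "", DEFAULT_SSL_ON_8080)`, which is the identical hosted=true invocation as `allows_default_ssl_for_cloud_application`, so the self-hosted default-TLS path is never exercised; it should read `assertDoesNotThrow(() -> runValidatorOnApp(false, "", DEFAULT_SSL_ON_8080));`. Also, `fails_on_additional_connectors_for_cloud_application` asserts on the "Illegal port 1234" message that, by its own trailing comment, is raised during model construction before the validator runs, so the validator's own handling of extra connectors in hosted mode is not covered here; either a comment stating that the test pins current model-construction behaviour rather than the validator, or a validator-level test through a model that admits the connector, would make that explicit. Since `allows_custom_ssl_for_infra` is the one exemption from this check, a one-line comment explaining why `hosted-infrastructure` applications may override the platform-managed data-plane TLS while tenant applications may not would help the next reader judge whether that exemption is still intended.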
\ No newline at end of file
diff --git a/config-model/src/test/java/com/yahoo/vespa/model/container/xml/JettyContainerModelBuilderTest.java b/config-model/src/test/java/com/yahoo/vespa/model/container/xml/JettyContainerModelBuilderTest.java
index 8b1217758ab..89cce7feacb 100644
--- a/config-model/src/test/java/com/yahoo/vespa/model/container/xml/JettyContainerModelBuilderTest.java
+++ b/config-model/src/test/java/com/yahoo/vespa/model/container/xml/JettyContainerModelBuilderTest.java
@@ -243,11 +243,7 @@ public class JettyContainerModelBuilderTest extends ContainerModelBuilderTestBas
 Element clusterElem = DomBuilderTest.parse(
 "<container id='default' version='1.0'>",
 " <http>",
- " <server port='8080' id='ssl'>",
- " <ssl>",
- " <private-key-file>/foo/key</private-key-file>",
- " <certificate-file>/foo/cert</certificate-file>",
- " </ssl>",
+ " <server port='8080' id='default'>",
 " </server>",
 " </http>",
 multiNode,
@@ -272,8 +268,8 @@ public class JettyContainerModelBuilderTest extends ContainerModelBuilderTestBas
 .build();
 MockRoot root = new MockRoot("root", deployState);
 createModel(root, deployState, null, clusterElem);
- ConnectorConfig sslProvider = root.getConfig(ConnectorConfig.class, "default/http/jdisc-jetty/ssl");
- assertTrue(sslProvider.ssl().enabled());
+ ConnectorConfig sslProvider = root.getConfig(ConnectorConfig.class, "default/http/jdisc-jetty/default");
+ assertFalse(sslProvider.ssl().enabled());
 assertEquals("", sslProvider.ssl().certificate());
 assertEquals("", sslProvider.ssl().privateKey()); |
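Review bot: In the first hunk (`@@ -243,11 +243,7 @@`) the custom `<ssl>` block with its key and certificate file paths is removed from the test fixture, so, as far as this diff shows, the class no longer checks that a connector-level `<ssl>` element is actually wired into `ConnectorConfig`; the surviving assertions on the new side (`assertFalse(sslProvider.ssl().enabled())` and empty `certificate()`/`privateKey()`) would also pass if `<ssl>` were silently ignored. Since the new validator only rejects custom TLS for hosted cloud applications, consider keeping the original custom-ssl fixture and `assertTrue(sslProvider.ssl().enabled())` in a variant of this test built with hosted Vespa disabled, so the self-hosted wiring keeps a regression test. As a minor style point, the now-childless server element could be the self-closing `" <server port='8080' id='default'/>",` instead of an open tag followed by a separate `" </server>",` line. The enclosing test method begins before this hunk, so I cannot see how its deploy state is configured.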