diff options
author | Morten Tokle <mortent@yahooinc.com> | 2022-11-28 10:30:29 +0100 |
---|---|---|
committer | Morten Tokle <mortent@yahooinc.com> | 2022-11-28 11:04:07 +0100 |
commit | afd2cbfe0bb8dc3ee74f40ca2b62e102bd0a6d1c (patch) | |
tree | 2c467828330422df6ebbac66515c269e68ec2a26 /config-model/src/test | |
parent | 6b94dfc1fa9461a12e2d267c8c07fc0837f524de (diff) |
Add legacy test cases
Diffstat (limited to 'config-model/src/test')
-rw-r--r-- | config-model/src/test/java/com/yahoo/vespa/model/container/xml/CloudDataPlaneFilterTest.java | 136 |
1 files changed, 100 insertions, 36 deletions
diff --git a/config-model/src/test/java/com/yahoo/vespa/model/container/xml/CloudDataPlaneFilterTest.java b/config-model/src/test/java/com/yahoo/vespa/model/container/xml/CloudDataPlaneFilterTest.java index 0f99f1c67c9..39d2da11465 100644 --- a/config-model/src/test/java/com/yahoo/vespa/model/container/xml/CloudDataPlaneFilterTest.java +++ b/config-model/src/test/java/com/yahoo/vespa/model/container/xml/CloudDataPlaneFilterTest.java @@ -19,7 +19,9 @@ import com.yahoo.security.SignatureAlgorithm; import com.yahoo.security.X509CertificateBuilder; import com.yahoo.security.X509CertificateUtils; import com.yahoo.vespa.model.container.ApplicationContainer; +import com.yahoo.vespa.model.container.ContainerModel; import com.yahoo.vespa.model.container.http.ConnectorFactory; +import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Test; import org.junit.jupiter.api.io.TempDir; import org.w3c.dom.Element; @@ -40,20 +42,28 @@ import java.util.Optional; import static org.junit.jupiter.api.Assertions.assertEquals; import static org.junit.jupiter.api.Assertions.assertFalse; import static org.junit.jupiter.api.Assertions.assertIterableEquals; -import static org.junit.jupiter.api.Assertions.assertNotNull; +import static org.junit.jupiter.api.Assertions.assertTrue; public class CloudDataPlaneFilterTest extends ContainerModelBuilderTestBase { @TempDir public File applicationFolder; + Path securityFolder; + private static final String cloudDataPlaneFilterConfigId = "container/filters/chain/cloud-data-plane-secure/component/" + + "com.yahoo.jdisc.http.filter.security.cloud.CloudDataPlaneFilter"; + + @BeforeEach + public void setup() throws IOException { + securityFolder = applicationFolder.toPath().resolve("security"); + Files.createDirectories(securityFolder); + } + @Test public void it_generates_correct_config() throws IOException { - Path security = applicationFolder.toPath().resolve("security"); - Files.createDirectories(security); - Path certFile = security.resolve("foo.pem"); + Path certFile = securityFolder.resolve("foo.pem"); Element clusterElem = DomBuilderTest.parse( - """ + """ <container version='1.0'> <clients> <client id="foo" permissions="read,write"> @@ -63,44 +73,20 @@ public class CloudDataPlaneFilterTest extends ContainerModelBuilderTestBase { </container> """ .formatted(applicationFolder.toPath().relativize(certFile).toString())); - X509Certificate certificate = createCertificate(); - String certPem = X509CertificateUtils.toPem(certificate); - Files.writeString(certFile, certPem); + X509Certificate certificate = createCertificate(certFile); - var applicationPackage = new MockApplicationPackage.Builder() - .withRoot(applicationFolder) - .build(); + buildModel(true, clusterElem); - DeployState state = new DeployState.Builder() - .applicationPackage(applicationPackage) - .properties( - new TestProperties() - .setEndpointCertificateSecrets(Optional.of(new EndpointCertificateSecrets("CERT", "KEY"))) - .setHostedVespa(true) - .setEnableDataPlaneFilter(true)) - .zone(new Zone(SystemName.PublicCd, Environment.dev, RegionName.defaultName())) - .build(); - createModel(root, state, null, clusterElem); - - String configId = "container/filters/chain/cloud-data-plane-secure/component/" + - "com.yahoo.jdisc.http.filter.security.cloud.CloudDataPlaneFilter"; - CloudDataPlaneFilterConfig config = root.getConfig(CloudDataPlaneFilterConfig.class, configId); + CloudDataPlaneFilterConfig config = root.getConfig(CloudDataPlaneFilterConfig.class, cloudDataPlaneFilterConfigId); assertFalse(config.legacyMode()); List<CloudDataPlaneFilterConfig.Clients> clients = config.clients(); assertEquals(1, clients.size()); CloudDataPlaneFilterConfig.Clients client = clients.get(0); assertEquals("foo", client.id()); assertIterableEquals(List.of("read", "write"), client.permissions()); - assertIterableEquals(List.of(certPem), client.certificates()); - - ApplicationContainer container = (ApplicationContainer) root.getProducer("container/container.0"); - List<ConnectorFactory> connectorFactories = container.getHttp().getHttpServer().get().getConnectorFactories(); - ConnectorFactory tlsPort = connectorFactories.stream().filter(connectorFactory -> connectorFactory.getListenPort() == 4443).findFirst().orElseThrow(); - - ConnectorConfig.Builder builder = new ConnectorConfig.Builder(); - tlsPort.getConfig(builder); + assertIterableEquals(List.of(X509CertificateUtils.toPem(certificate)), client.certificates()); - ConnectorConfig connectorConfig = new ConnectorConfig(builder); + ConnectorConfig connectorConfig = connectorConfig(); var caCerts = X509CertificateUtils.certificateListFromPem(connectorConfig.ssl().caCertificate()); assertEquals(1, caCerts.size()); assertEquals(List.of(certificate), caCerts); @@ -111,15 +97,93 @@ public class CloudDataPlaneFilterTest extends ContainerModelBuilderTestBase { assertEquals(4443, srvCfg.defaultFilters().get(1).localPort()); } + @Test + public void it_generates_correct_legacy_config() throws IOException { + Path certFile = securityFolder.resolve("clients.pem"); + Element clusterElem = DomBuilderTest.parse("<container version='1.0' />"); + X509Certificate certificate = createCertificate(certFile); + + buildModel(true, clusterElem); + CloudDataPlaneFilterConfig config = root.getConfig(CloudDataPlaneFilterConfig.class, cloudDataPlaneFilterConfigId); + assertTrue(config.legacyMode()); + List<CloudDataPlaneFilterConfig.Clients> clients = config.clients(); + assertEquals(0, clients.size()); - static X509Certificate createCertificate() { + ConnectorConfig connectorConfig = connectorConfig(); + var caCerts = X509CertificateUtils.certificateListFromPem(connectorConfig.ssl().caCertificate()); + assertEquals(1, caCerts.size()); + assertEquals(List.of(certificate), caCerts); + } + + @Test + public void it_generates_correct_config_when_filter_not_enabled () throws IOException { + Path certFile = securityFolder.resolve("clients.pem"); + Element clusterElem = DomBuilderTest.parse( + """ + <container version='1.0'> + <clients> + <client id="foo" permissions="read,write"> + <certificate file="%s"/> + </client> + </clients> + </container> + """ + .formatted(applicationFolder.toPath().relativize(certFile).toString())); + X509Certificate certificate = createCertificate(certFile); + + buildModel(false, clusterElem); + + // Data plane filter config is not configured + assertFalse(root.getConfigIds().contains("container/component/com.yahoo.jdisc.http.filter.security.cloud.CloudDataPlaneFilter")); + + // Connector config configures ca certs from security/clients.pem + ConnectorConfig connectorConfig = connectorConfig(); + var caCerts = X509CertificateUtils.certificateListFromPem(connectorConfig.ssl().caCertificate()); + assertEquals(1, caCerts.size()); + assertEquals(List.of(certificate), caCerts); + } + + private ConnectorConfig connectorConfig() { + ApplicationContainer container = (ApplicationContainer) root.getProducer("container/container.0"); + List<ConnectorFactory> connectorFactories = container.getHttp().getHttpServer().get().getConnectorFactories(); + ConnectorFactory tlsPort = connectorFactories.stream().filter(connectorFactory -> connectorFactory.getListenPort() == 4443).findFirst().orElseThrow(); + + ConnectorConfig.Builder builder = new ConnectorConfig.Builder(); + tlsPort.getConfig(builder); + + return new ConnectorConfig(builder); + } + + /* + Creates cert, returns + */ + static X509Certificate createCertificate(Path certFile) throws IOException { KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.EC, 256); X500Principal subject = new X500Principal("CN=mysubject"); - return X509CertificateBuilder + X509Certificate certificate = X509CertificateBuilder .fromKeypair( keyPair, subject, Instant.now(), Instant.now().plus(1, ChronoUnit.DAYS), SignatureAlgorithm.SHA512_WITH_ECDSA, BigInteger.valueOf(1)) .build(); + String certPem = X509CertificateUtils.toPem(certificate); + Files.writeString(certFile, certPem); + return certificate; } + public List<ContainerModel> buildModel(boolean enableFilter, Element... clusterElem) { + var applicationPackage = new MockApplicationPackage.Builder() + .withRoot(applicationFolder) + .build(); + + DeployState state = new DeployState.Builder() + .applicationPackage(applicationPackage) + .properties( + new TestProperties() + .setEndpointCertificateSecrets(Optional.of(new EndpointCertificateSecrets("CERT", "KEY"))) + .setHostedVespa(true) + .setEnableDataPlaneFilter(enableFilter)) + .zone(new Zone(SystemName.PublicCd, Environment.dev, RegionName.defaultName())) + .build(); + return createModel(root, state, null, clusterElem); + } } |