author | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2020-03-17 10:59:56 +0100 |
committer | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2020-03-17 15:15:22 +0100 |
commit | 8c4c00e79390ce4d670ed1482e6f777e5c86461f (patch) | |
tree | b95dc54d063f777e1cfc913a200d6f1b6084d9b4 /config-model | |
parent | 3a48cdb53107e1be7112d711bfda77790cbdefff (diff) |
Add implicit access control for hosted tenant applications
Diffstat (limited to 'config-model')
-rw-r--r-- | config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java | 34 |
1 files changed, 30 insertions, 4 deletions
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
index 32bed614ce0..282c8f1507c 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
@@ -19,6 +19,7 @@ import com.yahoo.config.model.builder.xml.ConfigModelBuilder;
 import com.yahoo.config.model.builder.xml.ConfigModelId;
 import com.yahoo.config.model.deploy.DeployState;
 import com.yahoo.config.model.producer.AbstractConfigProducer;
+import com.yahoo.config.provision.AthenzDomain;
 import com.yahoo.config.provision.AthenzService;
 import com.yahoo.config.provision.Capacity;
 import com.yahoo.config.provision.ClusterMembership;
@@ -57,9 +58,11 @@ import com.yahoo.vespa.model.container.SecretStore;
 import com.yahoo.vespa.model.container.component.Component;
 import com.yahoo.vespa.model.container.component.FileStatusHandlerComponent;
 import com.yahoo.vespa.model.container.component.Handler;
+import com.yahoo.vespa.model.container.component.chain.Chain;
 import com.yahoo.vespa.model.container.component.chain.ProcessingHandler;
 import com.yahoo.vespa.model.container.docproc.ContainerDocproc;
 import com.yahoo.vespa.model.container.docproc.DocprocChains;
+import com.yahoo.vespa.model.container.http.AccessControl;
 import com.yahoo.vespa.model.container.http.ConnectorFactory;
 import com.yahoo.vespa.model.container.http.FilterChains;
 import com.yahoo.vespa.model.container.http.Http;
@@ -88,6 +91,7 @@ import java.util.function.Consumer;
 import java.util.regex.Pattern;
 import java.util.stream.Collectors;
+import static com.yahoo.vespa.model.container.http.AccessControl.ACCESS_CONTROL_CHAIN_ID;
 import static java.util.logging.Level.WARNING;
 /**
@@ -317,7 +321,7 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> {
 cluster.setHttp(buildHttp(deployState, cluster, httpElement));
 }
 if (isHostedTenantApplication(context)) {
- addHostedImplicitHttpIfNotPresent(cluster);
+ addHostedImplicitHttpIfNotPresent(deployState, cluster);
 addAdditionalHostedConnector(deployState, cluster);
 }
 }
@@ -349,10 +353,11 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> {
 return deployState.isHosted() && context.getApplicationType() == ApplicationType.DEFAULT && !isTesterApplication;
 }
- private static void addHostedImplicitHttpIfNotPresent(ApplicationContainerCluster cluster) {
+ private static void addHostedImplicitHttpIfNotPresent(DeployState deployState, ApplicationContainerCluster cluster) {
 if(cluster.getHttp() == null) {
- Http http = new Http(Collections.emptyList());
- http.setFilterChains(new FilterChains(cluster));
+ Http http = deployState.getProperties().athenzDomain()
+ .map(tenantDomain -> createHostedImplicitHttpWithAccessControl(deployState, tenantDomain, cluster))
+ .orElseGet(() -> createHostedImplicitHttpWithoutAccessControl(cluster));
 cluster.setHttp(http);
 }
 if(cluster.getHttp().getHttpServer() == null) {
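Review bot: The new `orElseGet` branch in addHostedImplicitHttpIfNotPresent silently produces an Http with no access control whenever `athenzDomain()` is empty, so for a hosted tenant application the difference between a protected and an unprotected implicit HTTP setup is decided by a deploy property with no trace in the deploy output. Since the protected variant already receives `deployState.getDeployLogger()`, the fallback is the natural place to record that decision, e.g. `deployState.getDeployLogger().log(WARNING, "Hosted application has no Athenz domain; implicit access control is not enabled");` inside the supplier, or at least a comment stating that a missing domain is expected there. The helper that builds the protected variant (in the next hunk) passes `readEnabled(false)` and `writeEnabled(false)` and registers the access-control chain through `FilterChains.emptyChainSpec(ACCESS_CONTROL_CHAIN_ID)`; which bindings those two flags leave uncovered and what later populates the empty chain is not visible in this diff, so a short comment on the builder call describing the intended coverage would make the security scope reviewable. The body of addHostedImplicitHttpIfNotPresent continues past the end of this hunk.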
@@ -362,6 +367,27 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> {
 }
 }
+ private static Http createHostedImplicitHttpWithAccessControl(
+ DeployState deployState, AthenzDomain tenantDomain, ApplicationContainerCluster cluster) {
+ AccessControl accessControl =
+ new AccessControl.Builder(tenantDomain.value(), deployState.getDeployLogger())
+ .setHandlers(cluster)
+ .readEnabled(false)
+ .writeEnabled(false)
+ .build();
+ Http http = new Http(accessControl.getBindings(), accessControl);
+ FilterChains filterChains = new FilterChains(cluster);
+ filterChains.add(new Chain<>(FilterChains.emptyChainSpec(ACCESS_CONTROL_CHAIN_ID)));
+ http.setFilterChains(filterChains);
+ return http;
+ }
+ private static Http createHostedImplicitHttpWithoutAccessControl(ApplicationContainerCluster cluster) {
+ Http http = new Http(Collections.emptyList());
+ http.setFilterChains(new FilterChains(cluster));
+ return http;
+ }
 private Http buildHttp(DeployState deployState, ApplicationContainerCluster cluster, Element httpElement) {
 Http http = new HttpBuilder().build(deployState, cluster, httpElement); |