diff options
author | Morten Tokle <mortent@verizonmedia.com> | 2020-11-23 15:02:46 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-11-23 15:02:46 +0100 |
commit | 0616eecc2ec2a0b267100512ad0dcac5767dde87 (patch) | |
tree | 1299b8636d39bc7374fc83b0817cc3e65b51f4f1 /config-model | |
parent | d5fa517246cb0647123615b9b10d6054b9c759c6 (diff) | |
parent | 885cb31bad09bae15067c9c527f051ade6bb2d44 (diff) |
Merge pull request #15434 from vespa-engine/mortent/vespa-tls-filter
Create default connector request chain
Diffstat (limited to 'config-model')
3 files changed, 68 insertions, 8 deletions
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/http/AccessControl.java b/config-model/src/main/java/com/yahoo/vespa/model/container/http/AccessControl.java index 9bd12350f26..00ff19ae68a 100644 --- a/config-model/src/main/java/com/yahoo/vespa/model/container/http/AccessControl.java +++ b/config-model/src/main/java/com/yahoo/vespa/model/container/http/AccessControl.java @@ -3,6 +3,10 @@ package com.yahoo.vespa.model.container.http; import com.yahoo.component.ComponentId; import com.yahoo.component.ComponentSpecification; +import com.yahoo.component.chain.dependencies.Dependencies; +import com.yahoo.component.chain.model.ChainedComponentModel; +import com.yahoo.container.bundle.BundleInstantiationSpecification; +import com.yahoo.vespa.defaults.Defaults; import com.yahoo.vespa.model.container.ApplicationContainerCluster; import com.yahoo.vespa.model.container.ContainerCluster; import com.yahoo.vespa.model.container.component.BindingPattern; @@ -27,11 +31,13 @@ import java.util.Set; */ public class AccessControl { - public enum ClientAuthentication { want, need } + + public enum ClientAuthentication { want, need;} public static final ComponentId ACCESS_CONTROL_CHAIN_ID = ComponentId.fromString("access-control-chain"); - public static final ComponentId ACCESS_CONTROL_EXCLUDED_CHAIN_ID = ComponentId.fromString("access-control-excluded-chain"); + public static final ComponentId ACCESS_CONTROL_EXCLUDED_CHAIN_ID = ComponentId.fromString("access-control-excluded-chain"); + public static final ComponentId DEFAULT_CONNECTOR_HOSTED_REQUEST_CHAIN_ID = ComponentId.fromString("default-connector-hosted-request-chain"); private static final int HOSTED_CONTAINER_PORT = 4443; // Handlers that are excluded from access control @@ -44,7 +50,6 @@ public class AccessControl { ApplicationContainerCluster.METRICS_V2_HANDLER_CLASS, ApplicationContainerCluster.PROMETHEUS_V1_HANDLER_CLASS ); - public static class Builder { private final String domain; private boolean readEnabled = false; @@ -52,7 +57,6 @@ public class AccessControl { private ClientAuthentication clientAuthentication = ClientAuthentication.need; private final Set<BindingPattern> excludeBindings = new LinkedHashSet<>(); private Collection<Handler<?>> handlers = Collections.emptyList(); - public Builder(String domain) { this.domain = domain; } @@ -112,6 +116,7 @@ public class AccessControl { http.setAccessControl(this); addAccessControlFilterChain(http); addAccessControlExcludedChain(http); + addDefaultHostedRequestChain(http); removeDuplicateBindingsFromAccessControlChain(http); } @@ -119,6 +124,18 @@ public class AccessControl { connectorFactory.setDefaultRequestFilterChain(ACCESS_CONTROL_CHAIN_ID); } + public void configureDefaultHostedConnector(Http http) { + // Set default filter chain on local port + http.getHttpServer() + .get() + .getConnectorFactories() + .stream() + .filter(cf -> cf.getListenPort() == Defaults.getDefaults().vespaWebServicePort()) + .findFirst() + .orElseThrow(() -> new RuntimeException("Could not find default connector")) + .setDefaultRequestFilterChain(DEFAULT_CONNECTOR_HOSTED_REQUEST_CHAIN_ID); + } + /** returns the excluded bindings as specified in 'access-control' in services.xml **/ public Set<BindingPattern> excludedBindings() { return excludedBindings; } @@ -148,6 +165,12 @@ public class AccessControl { } } + // Add a filter chain used by default hosted connector + private void addDefaultHostedRequestChain(Http http) { + Chain<Filter> chain = createChain(DEFAULT_CONNECTOR_HOSTED_REQUEST_CHAIN_ID); + http.getFilterChains().add(chain); + } + // Remove bindings from access control chain that have binding pattern as a different filter chain private void removeDuplicateBindingsFromAccessControlChain(Http http) { removeDuplicateBindingsFromChain(http, ACCESS_CONTROL_EXCLUDED_CHAIN_ID); diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java index 0e23527c97c..7eea5d8496f 100644 --- a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java +++ b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java @@ -85,6 +85,7 @@ import org.w3c.dom.Node; import java.net.URI; import java.util.ArrayList; +import java.util.Collection; import java.util.Collections; import java.util.List; import java.util.Map; @@ -318,10 +319,16 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> { if (isHostedTenantApplication(context)) { addHostedImplicitHttpIfNotPresent(cluster); addHostedImplicitAccessControlIfNotPresent(deployState, cluster); + addDefaultConnectorHostedFilterBinding(cluster); addAdditionalHostedConnector(deployState, cluster, context); } } + private void addDefaultConnectorHostedFilterBinding(ApplicationContainerCluster cluster) { + cluster.getHttp().getAccessControl() + .ifPresent(accessControl -> accessControl.configureDefaultHostedConnector(cluster.getHttp())); ; + } + private void addAdditionalHostedConnector(DeployState deployState, ApplicationContainerCluster cluster, ConfigModelContext context) { JettyHttpServer server = cluster.getHttp().getHttpServer().get(); String serverName = server.getComponentId().getName(); @@ -361,10 +368,15 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> { if(cluster.getHttp() == null) { cluster.setHttp(new Http(new FilterChains(cluster))); } - if(cluster.getHttp().getHttpServer().isEmpty()) { - JettyHttpServer defaultHttpServer = new JettyHttpServer(new ComponentId("DefaultHttpServer"), cluster, cluster.isHostedVespa()); - cluster.getHttp().setHttpServer(defaultHttpServer); - defaultHttpServer.addConnector(new ConnectorFactory.Builder("SearchServer", Defaults.getDefaults().vespaWebServicePort()).build()); + JettyHttpServer httpServer = cluster.getHttp().getHttpServer().orElse(null); + if (httpServer == null) { + httpServer = new JettyHttpServer(new ComponentId("DefaultHttpServer"), cluster, cluster.isHostedVespa()); + cluster.getHttp().setHttpServer(httpServer); + } + int defaultPort = Defaults.getDefaults().vespaWebServicePort(); + boolean defaultConnectorPresent = httpServer.getConnectorFactories().stream().anyMatch(connector -> connector.getListenPort() == defaultPort); + if (!defaultConnectorPresent) { + httpServer.addConnector(new ConnectorFactory.Builder("SearchServer", defaultPort).build()); } } diff --git a/config-model/src/test/java/com/yahoo/vespa/model/container/xml/AccessControlTest.java b/config-model/src/test/java/com/yahoo/vespa/model/container/xml/AccessControlTest.java index 1ac95ac9a99..4993a51ab74 100644 --- a/config-model/src/test/java/com/yahoo/vespa/model/container/xml/AccessControlTest.java +++ b/config-model/src/test/java/com/yahoo/vespa/model/container/xml/AccessControlTest.java @@ -6,8 +6,10 @@ import com.yahoo.config.model.builder.xml.test.DomBuilderTest; import com.yahoo.config.model.deploy.DeployState; import com.yahoo.config.model.deploy.TestProperties; import com.yahoo.config.provision.AthenzDomain; +import com.yahoo.vespa.defaults.Defaults; import com.yahoo.vespa.model.container.ApplicationContainer; import com.yahoo.vespa.model.container.http.AccessControl; +import com.yahoo.vespa.model.container.http.ConnectorFactory; import com.yahoo.vespa.model.container.http.FilterChains; import com.yahoo.vespa.model.container.http.Http; import com.yahoo.vespa.model.container.http.ssl.HostedSslConnectorFactory; @@ -50,6 +52,7 @@ public class AccessControlTest extends ContainerModelBuilderTestBase { FilterChains filterChains = http.getFilterChains(); assertTrue(filterChains.hasChain(AccessControl.ACCESS_CONTROL_CHAIN_ID)); assertTrue(filterChains.hasChain(AccessControl.ACCESS_CONTROL_EXCLUDED_CHAIN_ID)); + assertTrue(filterChains.hasChain(AccessControl.DEFAULT_CONNECTOR_HOSTED_REQUEST_CHAIN_ID)); } @Test @@ -297,6 +300,28 @@ public class AccessControlTest extends ContainerModelBuilderTestBase { assertEquals(AccessControl.ClientAuthentication.want, http.getAccessControl().get().clientAuthentication); } + @Test + public void local_connector_has_default_chain() { + Http http = createModelAndGetHttp( + " <http>", + " <filtering>", + " <access-control/>", + " </filtering>", + " </http>"); + + Set<String> actualBindings = getFilterBindings(http, AccessControl.DEFAULT_CONNECTOR_HOSTED_REQUEST_CHAIN_ID); + assertThat(actualBindings, empty()); + + ConnectorFactory connectorFactory = http.getHttpServer().get().getConnectorFactories().stream() + .filter(cf -> cf.getListenPort() == Defaults.getDefaults().vespaWebServicePort()) + .findAny() + .get(); + + Optional<ComponentId> defaultChain = connectorFactory.getDefaultRequestFilterChain(); + assertTrue(defaultChain.isPresent()); + assertEquals(AccessControl.DEFAULT_CONNECTOR_HOSTED_REQUEST_CHAIN_ID, defaultChain.get()); + } + private Http createModelAndGetHttp(String... httpElement) { List<String> servicesXml = new ArrayList<>(); servicesXml.add("<container version='1.0'>"); |