author | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2020-08-27 11:03:27 +0200 |
committer | GitHub <noreply@github.com> | 2020-08-27 11:03:27 +0200 |
commit | c7cb8032b3de3dba59a8462cbf4ab82fc7b93c97 (patch) | |
tree | d311d0178b4397b4b2eeba1060e185441e87e43c /config-model | |
parent | dee2ecf2bd831ad4468c22b60e1d7a4f12db641a (diff) | |
parent | 9e62ce17a3664043a39da61b6a809e701bd79291 (diff) |
Merge pull request #14158 from vespa-engine/bjorncs/improved-bindings-and-access-control
Bjorncs/improved bindings and access control
Diffstat (limited to 'config-model')
35 files changed, 812 insertions, 473 deletions
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/admin/LogserverContainerCluster.java b/config-model/src/main/java/com/yahoo/vespa/model/admin/LogserverContainerCluster.java index f9338f9cb35..9ae9a158631 100644 --- a/config-model/src/main/java/com/yahoo/vespa/model/admin/LogserverContainerCluster.java +++ b/config-model/src/main/java/com/yahoo/vespa/model/admin/LogserverContainerCluster.java @@ -7,6 +7,7 @@ import com.yahoo.container.handler.ThreadpoolConfig; import com.yahoo.search.config.QrStartConfig; import com.yahoo.vespa.model.container.ContainerCluster; import com.yahoo.vespa.model.container.component.Handler; +import com.yahoo.vespa.model.container.component.SystemBindingPattern; /** * @author hmusum @@ -39,7 +40,7 @@ public class LogserverContainerCluster extends ContainerCluster<LogserverContain private void addLogHandler() { Handler<?> logHandler = Handler.fromClassName(ContainerCluster.LOG_HANDLER_CLASS); - logHandler.addServerBindings("http://*/logs"); + logHandler.addServerBindings(SystemBindingPattern.fromHttpPath("/logs")); addComponent(logHandler); } diff --git a/config-model/src/main/java/com/yahoo/vespa/model/admin/clustercontroller/ClusterControllerContainer.java b/config-model/src/main/java/com/yahoo/vespa/model/admin/clustercontroller/ClusterControllerContainer.java index 08f4e2fa12f..5b3e4e1479e 100644 --- a/config-model/src/main/java/com/yahoo/vespa/model/admin/clustercontroller/ClusterControllerContainer.java +++ b/config-model/src/main/java/com/yahoo/vespa/model/admin/clustercontroller/ClusterControllerContainer.java @@ -14,6 +14,7 @@ import com.yahoo.vespa.model.container.Container; import com.yahoo.vespa.model.container.component.AccessLogComponent; import com.yahoo.vespa.model.container.component.Component; import com.yahoo.vespa.model.container.component.Handler; +import com.yahoo.vespa.model.container.component.SystemBindingPattern; import com.yahoo.vespa.model.container.xml.PlatformBundles; import java.util.Set; 
@@ -36,10 +37,10 @@ public class ClusterControllerContainer extends Container implements super(parent, "" + index, index); addHandler("clustercontroller-status", "com.yahoo.vespa.clustercontroller.apps.clustercontroller.StatusHandler", - "clustercontroller-status/*"); + "/clustercontroller-status/*"); addHandler("clustercontroller-state-restapi-v2", "com.yahoo.vespa.clustercontroller.apps.clustercontroller.StateRestApiV2Handler", - "cluster/v2/*"); + "/cluster/v2/*"); if (runStandaloneZooKeeper) { addComponent("clustercontroller-zkrunner", "com.yahoo.vespa.zookeeper.VespaZooKeeperServerImpl", @@ -77,8 +78,8 @@ public class ClusterControllerContainer extends Container implements return ContainerServiceType.CLUSTERCONTROLLER_CONTAINER; } - private void addHandler(Handler h, String binding) { - h.addServerBindings("http://*/" + binding); + private void addHandler(Handler h, String path) { + h.addServerBindings(SystemBindingPattern.fromHttpPath(path)); super.addHandler(h); } @@ -96,9 +97,8 @@ public class ClusterControllerContainer extends Container implements addComponent(new Component<>(createComponentModel(id, className, bundle))); } - private void addHandler(String id, String className, String binding) { - addHandler(new Handler(createComponentModel(id, className, CLUSTERCONTROLLER_BUNDLE)), - binding); + private void addHandler(String id, String className, String path) { + addHandler(new Handler(createComponentModel(id, className, CLUSTERCONTROLLER_BUNDLE)), path); } @Override diff --git a/config-model/src/main/java/com/yahoo/vespa/model/admin/metricsproxy/MetricsProxyContainerCluster.java b/config-model/src/main/java/com/yahoo/vespa/model/admin/metricsproxy/MetricsProxyContainerCluster.java index 4dc9811a024..b5936887b50 100644 --- a/config-model/src/main/java/com/yahoo/vespa/model/admin/metricsproxy/MetricsProxyContainerCluster.java +++ b/config-model/src/main/java/com/yahoo/vespa/model/admin/metricsproxy/MetricsProxyContainerCluster.java 
@@ -7,12 +7,12 @@ import ai.vespa.metricsproxy.core.MetricsConsumers; import ai.vespa.metricsproxy.core.MetricsManager; import ai.vespa.metricsproxy.core.MonitoringConfig; import ai.vespa.metricsproxy.core.VespaMetrics; -import ai.vespa.metricsproxy.http.metrics.MetricsV1Handler; import ai.vespa.metricsproxy.http.application.ApplicationMetricsHandler; import ai.vespa.metricsproxy.http.application.ApplicationMetricsRetriever; import ai.vespa.metricsproxy.http.application.MetricsNodesConfig; -import ai.vespa.metricsproxy.http.yamas.YamasHandler; +import ai.vespa.metricsproxy.http.metrics.MetricsV1Handler; import ai.vespa.metricsproxy.http.prometheus.PrometheusHandler; +import ai.vespa.metricsproxy.http.yamas.YamasHandler; import ai.vespa.metricsproxy.metric.ExternalMetrics; import ai.vespa.metricsproxy.metric.dimensions.ApplicationDimensions; import ai.vespa.metricsproxy.metric.dimensions.ApplicationDimensionsConfig; @@ -38,6 +38,7 @@ import com.yahoo.vespa.model.admin.monitoring.MetricsConsumer; import com.yahoo.vespa.model.admin.monitoring.Monitoring; import com.yahoo.vespa.model.container.ContainerCluster; import com.yahoo.vespa.model.container.component.Handler; +import com.yahoo.vespa.model.container.component.SystemBindingPattern; import com.yahoo.vespa.model.container.xml.PlatformBundles; import java.nio.file.Path; @@ -129,8 +130,9 @@ public class MetricsProxyContainerCluster extends ContainerCluster<MetricsProxyC static Handler<AbstractConfigProducer<?>> createMetricsHandler(Class<? extends ThreadedHttpRequestHandler> clazz, String bindingPath) { Handler<AbstractConfigProducer<?>> metricsHandler = new Handler<>( new ComponentModel(clazz.getName(), null, METRICS_PROXY_BUNDLE_NAME, null)); - metricsHandler.addServerBindings("http://*" + bindingPath, - "http://*" + bindingPath + "/*"); + metricsHandler.addServerBindings( + SystemBindingPattern.fromHttpPath(bindingPath), + SystemBindingPattern.fromHttpPath(bindingPath + "/*")); return metricsHandler; } 
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/application/validation/UriBindingsValidator.java b/config-model/src/main/java/com/yahoo/vespa/model/application/validation/UriBindingsValidator.java new file mode 100644 index 00000000000..00c761a6764 --- /dev/null +++ b/config-model/src/main/java/com/yahoo/vespa/model/application/validation/UriBindingsValidator.java 
@@ -0,0 +1,80 @@ +// Copyright Verizon Media. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. +package com.yahoo.vespa.model.application.validation; + +import com.yahoo.config.model.deploy.DeployState; +import com.yahoo.vespa.model.VespaModel; +import com.yahoo.vespa.model.container.ApplicationContainerCluster; +import com.yahoo.vespa.model.container.component.BindingPattern; +import com.yahoo.vespa.model.container.component.Handler; +import com.yahoo.vespa.model.container.component.SystemBindingPattern; +import com.yahoo.vespa.model.container.http.FilterBinding; +import com.yahoo.vespa.model.container.http.Http; + +import java.util.logging.Level; + +import static com.yahoo.config.model.ConfigModelContext.ApplicationType.HOSTED_INFRASTRUCTURE; + +/** + * Validates URI bindings for filters and handlers + * + * @author bjorncs + */ +class UriBindingsValidator extends Validator { + + @Override + public void validate(VespaModel model, DeployState deployState) { + for (ApplicationContainerCluster cluster : model.getContainerClusters().values()) { + for (Handler<?> handler : cluster.getHandlers()) { + for (BindingPattern binding : handler.getServerBindings()) { + validateUserBinding(binding, model, deployState); + } + } + Http http = cluster.getHttp(); + if (http != null) { + for (FilterBinding binding : cluster.getHttp().getBindings()) { + validateUserBinding(binding.binding(), model, deployState); + } + } + } + } + + private static void validateUserBinding(BindingPattern binding, VespaModel model, DeployState deployState) { + validateScheme(binding, deployState); + if (isHostedApplication(model, deployState)) { + validateHostedApplicationUserBinding(binding); + } + } + + private static void validateScheme(BindingPattern binding, DeployState deployState) { + if (binding.scheme().equals("https")) { + String message = createErrorMessage( + binding, "'https' bindings are deprecated, use 'http' instead to bind to both http and https 
traffic."); + deployState.getDeployLogger().log(Level.WARNING, message); + } + } + + private static void validateHostedApplicationUserBinding(BindingPattern binding) { + // only perform these validation for used-generated bindings + // bindings produced by the hosted config model amender will violate some of the rules below + if (binding instanceof SystemBindingPattern) return; + + if (binding.port().isPresent() && !binding.port().get().equals(BindingPattern.WILDCARD_PATTERN)) { + throw new IllegalArgumentException(createErrorMessage(binding, "binding with port is not allowed")); + } + if (!binding.host().equals(BindingPattern.WILDCARD_PATTERN)) { + throw new IllegalArgumentException(createErrorMessage(binding, "only binding with wildcard ('*') for hostname is allowed")); + } + if (!binding.scheme().equals("http") && !binding.scheme().equals("https")) { + throw new IllegalArgumentException(createErrorMessage(binding, "only 'http' is allowed as scheme")); + } + } + + private static boolean isHostedApplication(VespaModel model, DeployState deployState) { + return deployState.isHosted() && model.getAdmin().getApplicationType() != HOSTED_INFRASTRUCTURE; + } + + private static String createErrorMessage(BindingPattern binding, String message) { + return String.format("For binding '%s': %s", binding.patternString(), message); + } + +} diff --git a/config-model/src/main/java/com/yahoo/vespa/model/application/validation/Validation.java b/config-model/src/main/java/com/yahoo/vespa/model/application/validation/Validation.java index f3ccc2d3447..fa72a4965b0 100644 --- a/config-model/src/main/java/com/yahoo/vespa/model/application/validation/Validation.java +++ b/config-model/src/main/java/com/yahoo/vespa/model/application/validation/Validation.java 
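Review bot: The scheme check in validateHostedApplicationUserBinding accepts both 'http' and 'https' but reports `only 'http' is allowed as scheme`, so the message does not describe the rule the code enforces; either reject 'https' here as well (validateScheme already logs it as deprecated) or change the text to `"only 'http' and 'https' are allowed as scheme"`. The comment above the SystemBindingPattern early return says "used-generated bindings"; it should read "user-generated bindings". In validate, the null guard is on the local `http` but the loop calls `cluster.getHttp()` a second time; iterate `http.getBindings()` so the guard covers the call it was written for. The port check can drop the unchecked get(): `if (binding.port().filter(p -> !p.equals(BindingPattern.WILDCARD_PATTERN)).isPresent())`.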
@@ -62,6 +62,7 @@ public class Validation { new CloudWatchValidator().validate(model, deployState); new AwsAccessControlValidator().validate(model, deployState); new QuotaValidator().validate(model, deployState); + new UriBindingsValidator().validate(model, deployState); List<ConfigChangeAction> result = Collections.emptyList(); if (deployState.getProperties().isFirstTimeDeployment()) { diff --git a/config-model/src/main/java/com/yahoo/vespa/model/builder/xml/dom/DomClientProviderBuilder.java b/config-model/src/main/java/com/yahoo/vespa/model/builder/xml/dom/DomClientProviderBuilder.java index 11fab0ada29..0fdd1af56f3 100644 --- a/config-model/src/main/java/com/yahoo/vespa/model/builder/xml/dom/DomClientProviderBuilder.java +++ b/config-model/src/main/java/com/yahoo/vespa/model/builder/xml/dom/DomClientProviderBuilder.java @@ -2,11 +2,12 @@ package com.yahoo.vespa.model.builder.xml.dom; import com.yahoo.config.model.deploy.DeployState; -import com.yahoo.text.XML; import com.yahoo.config.model.producer.AbstractConfigProducer; +import com.yahoo.text.XML; import com.yahoo.vespa.model.container.ApplicationContainerCluster; import com.yahoo.vespa.model.container.component.Component; import com.yahoo.vespa.model.container.component.Handler; +import com.yahoo.vespa.model.container.component.UserBindingPattern; import org.w3c.dom.Element; /** 
@@ -24,10 +25,10 @@ public class DomClientProviderBuilder extends DomHandlerBuilder { Handler<? super Component<?, ?>> client = createHandler(clientElement); for (Element binding : XML.getChildren(clientElement, "binding")) - client.addClientBindings(XML.getValue(binding)); + client.addClientBindings(UserBindingPattern.fromPattern(XML.getValue(binding))); for (Element serverBinding : XML.getChildren(clientElement, "serverBinding")) - client.addServerBindings(XML.getValue(serverBinding)); + client.addServerBindings(UserBindingPattern.fromPattern(XML.getValue(serverBinding))); DomComponentBuilder.addChildren(deployState, parent, clientElement, client); diff --git a/config-model/src/main/java/com/yahoo/vespa/model/builder/xml/dom/DomHandlerBuilder.java b/config-model/src/main/java/com/yahoo/vespa/model/builder/xml/dom/DomHandlerBuilder.java index ac6d089cf24..145535fe06f 100644 --- a/config-model/src/main/java/com/yahoo/vespa/model/builder/xml/dom/DomHandlerBuilder.java +++ b/config-model/src/main/java/com/yahoo/vespa/model/builder/xml/dom/DomHandlerBuilder.java @@ -8,8 +8,10 @@ import com.yahoo.container.bundle.BundleInstantiationSpecification; import com.yahoo.osgi.provider.model.ComponentModel; import com.yahoo.text.XML; import com.yahoo.vespa.model.container.ApplicationContainerCluster; +import com.yahoo.vespa.model.container.component.BindingPattern; import com.yahoo.vespa.model.container.component.Component; import com.yahoo.vespa.model.container.component.Handler; +import com.yahoo.vespa.model.container.component.UserBindingPattern; import com.yahoo.vespa.model.container.xml.BundleInstantiationSpecificationBuilder; import org.w3c.dom.Element; 
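Review bot: An invalid `<binding>` or `<serverBinding>` value now fails inside `UserBindingPattern.fromPattern`, presumably with BindingPattern's `"Invalid binding: " + binding` message, which does not say which client element it came from. Catch IllegalArgumentException around the two loops and rethrow with context, e.g. `throw new IllegalArgumentException("Invalid binding in client '" + client.getComponentId() + "': " + e.getMessage(), e);`. The enclosing method starts above the hunk.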
@@ -27,11 +29,14 @@ import static java.util.logging.Level.INFO; */ public class DomHandlerBuilder extends VespaDomBuilder.DomConfigProducerBuilder<Handler> { - private static final Set<String> reservedBindings = Set.of(METRICS_V2_HANDLER_BINDING_1, - METRICS_V2_HANDLER_BINDING_2, - STATE_HANDLER_BINDING_1, - STATE_HANDLER_BINDING_2, - VIP_HANDLER_BINDING); + private static final Set<BindingPattern> reservedBindings = + Set.of( + METRICS_V2_HANDLER_BINDING_1, + METRICS_V2_HANDLER_BINDING_2, + STATE_HANDLER_BINDING_1, + STATE_HANDLER_BINDING_2, + VIP_HANDLER_BINDING); + private final ApplicationContainerCluster cluster; public DomHandlerBuilder(ApplicationContainerCluster cluster) { @@ -43,10 +48,10 @@ public class DomHandlerBuilder extends VespaDomBuilder.DomConfigProducerBuilder< Handler<? super Component<?, ?>> handler = createHandler(handlerElement); for (Element binding : XML.getChildren(handlerElement, "binding")) - addServerBinding(handler, XML.getValue(binding), deployState.getDeployLogger()); + addServerBinding(handler, UserBindingPattern.fromPattern(XML.getValue(binding)), deployState.getDeployLogger()); for (Element clientBinding : XML.getChildren(handlerElement, "clientBinding")) - handler.addClientBindings(XML.getValue(clientBinding)); + handler.addClientBindings(UserBindingPattern.fromPattern(XML.getValue(clientBinding))); DomComponentBuilder.addChildren(deployState, parent, handlerElement, handler); 
@@ -58,27 +63,30 @@ public class DomHandlerBuilder extends VespaDomBuilder.DomConfigProducerBuilder< return new Handler<>(new ComponentModel(bundleSpec)); } - private void addServerBinding(Handler<? super Component<?, ?>> handler, String binding, DeployLogger log) { + private void addServerBinding(Handler<? super Component<?, ?>> handler, BindingPattern binding, DeployLogger log) { throwIfBindingIsReserved(binding, handler); handler.addServerBindings(binding); removeExistingServerBinding(binding, handler, log); } - private void throwIfBindingIsReserved(String binding, Handler<?> newHandler) { + private void throwIfBindingIsReserved(BindingPattern binding, Handler<?> newHandler) { for (var reserved : reservedBindings) { - if (binding.equals(reserved)) { - throw new IllegalArgumentException("Binding '" + binding + "' is a reserved Vespa binding and " + + if (binding.hasSamePattern(reserved)) { + throw new IllegalArgumentException("Binding '" + binding.patternString() + "' is a reserved Vespa binding and " + "cannot be used by handler: " + newHandler.getComponentId()); } } } - private void removeExistingServerBinding(String binding, Handler<?> newHandler, DeployLogger log) { + private void removeExistingServerBinding(BindingPattern binding, Handler<?> newHandler, DeployLogger log) { for (var handler : cluster.getHandlers()) { - if (handler.getServerBindings().contains(binding)) { - handler.removeServerBinding(binding); - log.log(INFO, "Binding '" + binding + "' was already in use by handler '" + - handler.getComponentId() + "', but will now be taken over by handler: " + newHandler.getComponentId()); + for (BindingPattern serverBinding : handler.getServerBindings()) { + if (serverBinding.hasSamePattern(binding)) { + handler.removeServerBinding(serverBinding); + log.log(INFO, "Binding '" + binding.patternString() + "' was already in use by handler '" + + handler.getComponentId() + "', but will now be taken over by handler: " + newHandler.getComponentId()); + + } } } } 
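Review bot: removeExistingServerBinding calls `handler.removeServerBinding(serverBinding)` while iterating `handler.getServerBindings()`; if that accessor returns the handler's live LinkedHashSet or an unmodifiable view of it rather than a copy (not visible in this diff), the next `next()` after a removal throws ConcurrentModificationException, for example when a user binding takes over the first of a handler's two bindings. Since the file already uses `var` (Java 10+), iterating a snapshot is a one-line fix: `for (BindingPattern serverBinding : Set.copyOf(handler.getServerBindings())) {`. The stray blank line added after the log call inside the if block should go. Note also that both this method and throwIfBindingIsReserved compare exact pattern strings via hasSamePattern, so a user binding that differs from a reserved one only in scheme or port is not caught here; whether the hosted-only rules in UriBindingsValidator or jdisc's routing cover that case is outside this hunk and worth a comment on reservedBindings.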
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/clients/ContainerDocumentApi.java b/config-model/src/main/java/com/yahoo/vespa/model/clients/ContainerDocumentApi.java index 58f03bffb30..159a87be27d 100644 --- a/config-model/src/main/java/com/yahoo/vespa/model/clients/ContainerDocumentApi.java +++ b/config-model/src/main/java/com/yahoo/vespa/model/clients/ContainerDocumentApi.java @@ -6,6 +6,8 @@ import com.yahoo.container.bundle.BundleInstantiationSpecification; import com.yahoo.osgi.provider.model.ComponentModel; import com.yahoo.vespa.model.container.ContainerCluster; import com.yahoo.vespa.model.container.component.Handler; +import com.yahoo.vespa.model.container.component.SystemBindingPattern; +import com.yahoo.vespa.model.container.component.UserBindingPattern; import java.util.Collection; import java.util.Collections; @@ -24,7 +26,7 @@ public class ContainerDocumentApi { } private void setupHandlers(ContainerCluster cluster) { - cluster.addComponent(newVespaClientHandler("com.yahoo.document.restapi.resource.RestApi", "document/v1/*")); + cluster.addComponent(newVespaClientHandler("com.yahoo.document.restapi.resource.RestApi", "/document/v1/*")); cluster.addComponent(newVespaClientHandler("com.yahoo.vespa.http.server.FeedHandler", ContainerCluster.RESERVED_URI_PREFIX + "/feedapi")); } 
@@ -32,9 +34,18 @@ public class ContainerDocumentApi { Handler<AbstractConfigProducer<?>> handler = new Handler<>(new ComponentModel( BundleInstantiationSpecification.getFromStrings(componentId, null, vespaClientBundleSpecification), "")); - for (String rootBinding : options.bindings) { - handler.addServerBindings(rootBinding + bindingSuffix, - rootBinding + bindingSuffix + '/'); + if (options.bindings.isEmpty()) { + handler.addServerBindings( + SystemBindingPattern.fromHttpPath(bindingSuffix), + SystemBindingPattern.fromHttpPath(bindingSuffix + '/')); + } else { + for (String rootBinding : options.bindings) { + String pathWithoutLeadingSlash = bindingSuffix.substring(1); + handler.addServerBindings( + UserBindingPattern.fromPattern(rootBinding + pathWithoutLeadingSlash), + UserBindingPattern.fromPattern(rootBinding + pathWithoutLeadingSlash + '/')); + } + } return handler; } diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/ApplicationContainerCluster.java b/config-model/src/main/java/com/yahoo/vespa/model/container/ApplicationContainerCluster.java index b0ac02d0fe8..1427fa492dc 100644 --- a/config-model/src/main/java/com/yahoo/vespa/model/container/ApplicationContainerCluster.java +++ b/config-model/src/main/java/com/yahoo/vespa/model/container/ApplicationContainerCluster.java 
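Review bot: `bindingSuffix.substring(1)` drops the first character whatever it is, and `rootBinding + pathWithoutLeadingSlash` only forms the intended pattern when every configured root binding ends with '/'; if one does not, e.g. `http://*` followed by `document/v1/*`, BindingPattern's regex (assuming fromPattern uses its string constructor) would accept the string with `*document` as the host instead of rejecting it. Make both assumptions explicit: `if (!bindingSuffix.startsWith("/")) throw new IllegalArgumentException("Binding suffix must start with '/': " + bindingSuffix);` and `if (!rootBinding.endsWith("/")) throw new IllegalArgumentException("Root binding must end with '/': " + rootBinding);`. newVespaClientHandler's signature is above the hunk; the new `options.bindings.isEmpty()` branch, which falls back to a system pattern on the wildcard host, is a behaviour change that deserves a sentence in the method's Javadoc.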
@@ -22,10 +22,12 @@ import com.yahoo.search.config.QrStartConfig; import com.yahoo.vespa.config.search.RankProfilesConfig; import com.yahoo.vespa.config.search.core.RankingConstantsConfig; import com.yahoo.vespa.model.admin.metricsproxy.MetricsProxyContainer; +import com.yahoo.vespa.model.container.component.BindingPattern; import com.yahoo.vespa.model.container.component.Component; import com.yahoo.vespa.model.container.component.ConfigProducerGroup; import com.yahoo.vespa.model.container.component.Handler; import com.yahoo.vespa.model.container.component.Servlet; +import com.yahoo.vespa.model.container.component.SystemBindingPattern; import com.yahoo.vespa.model.container.jersey.Jersey2Servlet; import com.yahoo.vespa.model.container.jersey.RestApi; import com.yahoo.vespa.model.container.xml.PlatformBundles; 
@@ -55,12 +57,12 @@ public final class ApplicationContainerCluster extends ContainerCluster<Applicat MetricsProxyApiConfig.Producer { public static final String METRICS_V2_HANDLER_CLASS = MetricsV2Handler.class.getName(); - public static final String METRICS_V2_HANDLER_BINDING_1 = "http://*" + MetricsV2Handler.V2_PATH; - public static final String METRICS_V2_HANDLER_BINDING_2 = METRICS_V2_HANDLER_BINDING_1 + "/*"; + public static final BindingPattern METRICS_V2_HANDLER_BINDING_1 = SystemBindingPattern.fromHttpPath(MetricsV2Handler.V2_PATH); + public static final BindingPattern METRICS_V2_HANDLER_BINDING_2 = SystemBindingPattern.fromHttpPath(MetricsV2Handler.V2_PATH + "/*"); public static final String PROMETHEUS_V1_HANDLER_CLASS = PrometheusV1Handler.class.getName(); - private static final String PROMETHEUS_V1_HANDLER_BINDING_1 = "http://*" + PrometheusV1Handler.V1_PATH; - private static final String PROMETHEUS_V1_HANDLER_BINDING_2 = PROMETHEUS_V1_HANDLER_BINDING_1 + "/*"; + private static final BindingPattern PROMETHEUS_V1_HANDLER_BINDING_1 = SystemBindingPattern.fromHttpPath(PrometheusV1Handler.V1_PATH); + private static final BindingPattern PROMETHEUS_V1_HANDLER_BINDING_2 = SystemBindingPattern.fromHttpPath(PrometheusV1Handler.V1_PATH + "/*"); public static final int heapSizePercentageOfTotalNodeMemory = 60; public static final int heapSizePercentageOfTotalNodeMemoryWhenCombinedCluster = 17; 
@@ -125,7 +127,7 @@ public final class ApplicationContainerCluster extends ContainerCluster<Applicat addMetricsHandler(PROMETHEUS_V1_HANDLER_CLASS, PROMETHEUS_V1_HANDLER_BINDING_1, PROMETHEUS_V1_HANDLER_BINDING_2); } - private void addMetricsHandler(String handlerClass, String rootBinding, String innerBinding) { + private void addMetricsHandler(String handlerClass, BindingPattern rootBinding, BindingPattern innerBinding) { Handler<AbstractConfigProducer<?>> handler = new Handler<>( new ComponentModel(handlerClass, null, null, null)); handler.addServerBindings(rootBinding, innerBinding); diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/ContainerCluster.java b/config-model/src/main/java/com/yahoo/vespa/model/container/ContainerCluster.java index 240157fb7aa..8bb456ab7e7 100755 --- a/config-model/src/main/java/com/yahoo/vespa/model/container/ContainerCluster.java +++ b/config-model/src/main/java/com/yahoo/vespa/model/container/ContainerCluster.java @@ -39,6 +39,7 @@ import com.yahoo.vespa.model.Service; import com.yahoo.vespa.model.admin.monitoring.Monitoring; import com.yahoo.vespa.model.clients.ContainerDocumentApi; import com.yahoo.vespa.model.container.component.AccessLogComponent; +import com.yahoo.vespa.model.container.component.BindingPattern; import com.yahoo.vespa.model.container.component.Component; import com.yahoo.vespa.model.container.component.ComponentGroup; import com.yahoo.vespa.model.container.component.ComponentsConfigGenerator; 
@@ -47,6 +48,7 @@ import com.yahoo.vespa.model.container.component.FileStatusHandlerComponent; import com.yahoo.vespa.model.container.component.Handler; import com.yahoo.vespa.model.container.component.SimpleComponent; import com.yahoo.vespa.model.container.component.StatisticsComponent; +import com.yahoo.vespa.model.container.component.SystemBindingPattern; import com.yahoo.vespa.model.container.component.chain.ProcessingHandler; import com.yahoo.vespa.model.container.docproc.ContainerDocproc; import com.yahoo.vespa.model.container.docproc.DocprocChains; @@ -107,7 +109,7 @@ public abstract class ContainerCluster<CONTAINER extends Container> * normal compatibility concerns only applies to libraries using the URIs in * question, not contents served from the URIs themselves. */ - public static final String RESERVED_URI_PREFIX = "reserved-for-internal-use"; + public static final String RESERVED_URI_PREFIX = "/reserved-for-internal-use"; public static final String APPLICATION_STATUS_HANDLER_CLASS = "com.yahoo.container.handler.observability.ApplicationStatusHandler"; public static final String BINDINGS_OVERVIEW_HANDLER_CLASS = BindingsOverviewHandler.class.getName(); 
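Review bot: RESERVED_URI_PREFIX is public and now carries a leading slash, so any consumer that still concatenates it after `"http://*/"` would produce a double-slash pattern; this diff is limited to config-model, so callers in other modules cannot be checked here. The Javadoc above the constant (cut off at the hunk start) should state the new shape, e.g. `* The value is an absolute path with a leading '/', suitable for {@link SystemBindingPattern#fromHttpPath}.`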
@@ -117,13 +119,13 @@ public abstract class ContainerCluster<CONTAINER extends Container> public static final String G1GC = "-XX:+UseG1GC -XX:MaxTenuringThreshold=15"; public static final String STATE_HANDLER_CLASS = "com.yahoo.container.jdisc.state.StateHandler"; - public static final String STATE_HANDLER_BINDING_1 = "http://*" + StateHandler.STATE_API_ROOT; - public static final String STATE_HANDLER_BINDING_2 = STATE_HANDLER_BINDING_1 + "/*"; + public static final BindingPattern STATE_HANDLER_BINDING_1 = SystemBindingPattern.fromHttpPath(StateHandler.STATE_API_ROOT); + public static final BindingPattern STATE_HANDLER_BINDING_2 = SystemBindingPattern.fromHttpPath(StateHandler.STATE_API_ROOT + "/*"); public static final String ROOT_HANDLER_PATH = "/"; - public static final String ROOT_HANDLER_BINDING = "http://*" + ROOT_HANDLER_PATH; + public static final BindingPattern ROOT_HANDLER_BINDING = SystemBindingPattern.fromHttpPath(ROOT_HANDLER_PATH); - public static final String VIP_HANDLER_BINDING = "http://*/status.html"; + public static final BindingPattern VIP_HANDLER_BINDING = SystemBindingPattern.fromHttpPath("/status.html"); private final String name; @@ -234,7 +236,7 @@ public abstract class ContainerCluster<CONTAINER extends Container> Handler<AbstractConfigProducer<?>> statusHandler = new Handler<>( new ComponentModel(BundleInstantiationSpecification.getInternalHandlerSpecificationFromStrings( APPLICATION_STATUS_HANDLER_CLASS, null), null)); - statusHandler.addServerBindings("http://*/ApplicationStatus"); + statusHandler.addServerBindings(SystemBindingPattern.fromHttpPath("/ApplicationStatus")); addComponent(statusHandler); } 
@@ -309,7 +311,7 @@ public abstract class ContainerCluster<CONTAINER extends Container> containers.forEach(this::addContainer); } - public void setProcessingChains(ProcessingChains processingChains, String... serverBindings) { + public void setProcessingChains(ProcessingChains processingChains, BindingPattern... serverBindings) { if (this.processingChains != null) throw new IllegalStateException("ProcessingChains should only be set once."); @@ -320,7 +322,7 @@ public abstract class ContainerCluster<CONTAINER extends Container> processingChains, "com.yahoo.processing.handler.ProcessingHandler"); - for (String binding: serverBindings) + for (BindingPattern binding: serverBindings) processingHandler.addServerBindings(binding); addComponent(processingHandler); diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/ContainerModelEvaluation.java b/config-model/src/main/java/com/yahoo/vespa/model/container/ContainerModelEvaluation.java index 6b4f8d486ec..72f1921e6a2 100644 --- a/config-model/src/main/java/com/yahoo/vespa/model/container/ContainerModelEvaluation.java +++ b/config-model/src/main/java/com/yahoo/vespa/model/container/ContainerModelEvaluation.java @@ -7,6 +7,7 @@ import com.yahoo.searchdefinition.derived.RankProfileList; import com.yahoo.vespa.config.search.RankProfilesConfig; import com.yahoo.vespa.config.search.core.RankingConstantsConfig; import com.yahoo.vespa.model.container.component.Handler; +import com.yahoo.vespa.model.container.component.SystemBindingPattern; import java.util.List; import java.util.Objects; 
@@ -21,7 +22,7 @@ public class ContainerModelEvaluation implements RankProfilesConfig.Producer, Ra private final static String BUNDLE_NAME = "model-evaluation"; private final static String EVALUATOR_NAME = ModelsEvaluator.class.getName(); private final static String REST_HANDLER_NAME = "ai.vespa.models.handler.ModelsEvaluationHandler"; - private final static String REST_BINDING = "model-evaluation/v1"; + private final static String REST_BINDING_PATH = "/model-evaluation/v1"; /** Global rank profiles, aka models */ private final RankProfileList rankProfileList; @@ -48,8 +49,9 @@ public class ContainerModelEvaluation implements RankProfilesConfig.Producer, Ra public static Handler<?> getHandler() { Handler<?> handler = new Handler<>(new ComponentModel(REST_HANDLER_NAME, null, BUNDLE_NAME)); - handler.addServerBindings("http://*/" + REST_BINDING, - "http://*/" + REST_BINDING + "/*"); + handler.addServerBindings( + SystemBindingPattern.fromHttpPath(REST_BINDING_PATH), + SystemBindingPattern.fromHttpPath(REST_BINDING_PATH + "/*")); return handler; } diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/component/BindingPattern.java b/config-model/src/main/java/com/yahoo/vespa/model/container/component/BindingPattern.java new file mode 100644 index 00000000000..1d5736ba7e2 --- /dev/null +++ b/config-model/src/main/java/com/yahoo/vespa/model/container/component/BindingPattern.java 
@@ -0,0 +1,90 @@ +// Copyright Verizon Media. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. +package com.yahoo.vespa.model.container.component; + +import java.util.Comparator; +import java.util.Objects; +import java.util.Optional; +import java.util.regex.Matcher; +import java.util.regex.Pattern; + +/** + * URI binding pattern used by filter and handler bindings. + * + * @author bjorncs + */ +public abstract class BindingPattern implements Comparable<BindingPattern> { + + private static final Pattern BINDING_PATTERN = + Pattern.compile("([^:]+)://([^:/]+)(:((\\*)|([0-9]+)))?(/.*)", Pattern.UNICODE_CASE | Pattern.CANON_EQ); + + public static final String WILDCARD_PATTERN = "*"; + + private final String scheme; + private final String host; + private final String port; + private final String path; + + protected BindingPattern( + String scheme, + String host, + String port, + String path) { + this.scheme = Objects.requireNonNull(scheme, "Scheme in binding must be specified"); + this.host = Objects.requireNonNull(host, "Host must be specified"); + this.port = port; + this.path = validatePath(path); + } + + protected BindingPattern(String binding) { + Matcher matcher = BINDING_PATTERN.matcher(binding); + if (!matcher.matches()) throw new IllegalArgumentException("Invalid binding: " + binding); + this.scheme = matcher.group(1); + this.host = matcher.group(2); + this.port = matcher.group(4); + this.path = matcher.group(7); + } + + private static String validatePath(String path) { + Objects.requireNonNull(path, "Path must be specified"); + if (!path.startsWith("/")) throw new IllegalArgumentException("Path must have '/' as prefix: " + path); + return path; + } + + public String scheme() { return scheme; } + public String host() { return host; } + public Optional<String> port() { return Optional.ofNullable(port); } + public String path() { return path; } + + public String patternString() { + StringBuilder builder = new 
StringBuilder(scheme).append("://").append(host); + if (port != null) { + builder.append(':').append(port); + } + return builder.append(path).toString(); + } + + /** Compares the underlying pattern string for equality */ + public boolean hasSamePattern(BindingPattern other) { return this.patternString().equals(other.patternString()); } + + @Override + public boolean equals(Object o) { + if (this == o) return true; + if (o == null || getClass() != o.getClass()) return false; + BindingPattern that = (BindingPattern) o; + return Objects.equals(scheme, that.scheme) && + Objects.equals(host, that.host) && + Objects.equals(port, that.port) && + Objects.equals(path, that.path); + } + + @Override public int hashCode() { return Objects.hash(scheme, host, port, path); } + + @Override + public int compareTo(BindingPattern o) { + return Comparator.comparing(BindingPattern::scheme) + .thenComparing(BindingPattern::host) + .thenComparing(pattern -> pattern.port().orElse(null)) + .thenComparing(BindingPattern::path) + .compare(this, o); + } +} diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/component/DiscBindingsConfigGenerator.java b/config-model/src/main/java/com/yahoo/vespa/model/container/component/DiscBindingsConfigGenerator.java index d7e393ee474..02face328d9 100644 --- a/config-model/src/main/java/com/yahoo/vespa/model/container/component/DiscBindingsConfigGenerator.java +++ b/config-model/src/main/java/com/yahoo/vespa/model/container/component/DiscBindingsConfigGenerator.java 
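Review bot: compareTo throws NullPointerException for the most common comparison, two patterns with the same scheme and host and no port: `thenComparing(pattern -> pattern.port().orElse(null))` orders the key by its natural ordering, and Comparator.comparing invokes compareTo on a null key. Use `.thenComparing(pattern -> pattern.port().orElse(null), Comparator.nullsFirst(Comparator.naturalOrder()))` instead. compareTo is also inconsistent with equals: equals distinguishes subclasses via getClass() while compareTo ignores the class, so a UserBindingPattern and a SystemBindingPattern with the same pattern string compare as 0 but are not equal, and a sorted collection would treat them as duplicates; either document this on the class or add the class name as a final comparison key. `Pattern.UNICODE_CASE` has no effect without CASE_INSENSITIVE and CANON_EQ is an unusual choice for a URI pattern, so both flags can likely be dropped.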
@@ -1,13 +1,16 @@ // Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. package com.yahoo.vespa.model.container.component; -import java.util.*; +import java.util.Collection; +import java.util.Collections; +import java.util.LinkedHashMap; +import java.util.Map; import static com.yahoo.container.jdisc.JdiscBindingsConfig.Handlers; +import static java.util.stream.Collectors.toList; /** * @author gjoranv - * @since 5.1.8 */ public class DiscBindingsConfigGenerator { @@ -26,7 +29,11 @@ public class DiscBindingsConfigGenerator { return Collections.singletonMap(handler.model.getComponentId().stringValue(), new Handlers.Builder() - .serverBindings(handler.getServerBindings()) - .clientBindings(handler.getClientBindings())); + .serverBindings(toStrings(handler.getServerBindings())) + .clientBindings(toStrings(handler.getClientBindings()))); + } + + private static Collection<String> toStrings(Collection<BindingPattern> bindings) { + return bindings.stream().map(BindingPattern::patternString).collect(toList()); } } diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/component/FileStatusHandlerComponent.java b/config-model/src/main/java/com/yahoo/vespa/model/container/component/FileStatusHandlerComponent.java index 3d9a1b2e665..839594502c6 100644 --- a/config-model/src/main/java/com/yahoo/vespa/model/container/component/FileStatusHandlerComponent.java +++ b/config-model/src/main/java/com/yahoo/vespa/model/container/component/FileStatusHandlerComponent.java @@ -15,7 +15,7 @@ public class FileStatusHandlerComponent extends Handler implements VipStatusConf private final String fileName; - public FileStatusHandlerComponent(String id, String fileName, String... bindings) { + public FileStatusHandlerComponent(String id, String fileName, BindingPattern... bindings) { super(new ComponentModel(id, CLASS, null, null)); this.fileName = fileName; 
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/component/Handler.java b/config-model/src/main/java/com/yahoo/vespa/model/container/component/Handler.java index 82484e07773..efee5c6a9a0 100644 --- a/config-model/src/main/java/com/yahoo/vespa/model/container/component/Handler.java +++ b/config-model/src/main/java/com/yahoo/vespa/model/container/component/Handler.java @@ -1,9 +1,8 @@ // Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. package com.yahoo.vespa.model.container.component; -import com.yahoo.container.bundle.BundleInstantiationSpecification; -import com.yahoo.osgi.provider.model.ComponentModel; import com.yahoo.config.model.producer.AbstractConfigProducer; +import com.yahoo.osgi.provider.model.ComponentModel; import java.util.ArrayList; import java.util.Arrays; @@ -23,8 +22,8 @@ import java.util.Set; */ public class Handler<CHILD extends AbstractConfigProducer<?>> extends Component<CHILD, ComponentModel> { - private Set<String> serverBindings = new LinkedHashSet<>(); - private List<String> clientBindings = new ArrayList<>(); + private final Set<BindingPattern> serverBindings = new LinkedHashSet<>(); + private final List<BindingPattern> clientBindings = new ArrayList<>(); public Handler(ComponentModel model) { super(model); 
@@ -34,27 +33,23 @@ public class Handler<CHILD extends AbstractConfigProducer<?>> extends Component< return new Handler<>(new ComponentModel(className, null, null, null)); } - public static Handler<AbstractConfigProducer<?>> getVespaHandlerFromClassName(String className) { - return new Handler<>(new ComponentModel(BundleInstantiationSpecification.getInternalHandlerSpecificationFromStrings(className, null), null)); - } - - public void addServerBindings(String... bindings) { + public void addServerBindings(BindingPattern... bindings) { serverBindings.addAll(Arrays.asList(bindings)); } - public void removeServerBinding(String binding) { + public void removeServerBinding(BindingPattern binding) { serverBindings.remove(binding); } - public void addClientBindings(String... bindings) { + public void addClientBindings(BindingPattern... bindings) { clientBindings.addAll(Arrays.asList(bindings)); } - public final Set<String> getServerBindings() { + public final Set<BindingPattern> getServerBindings() { return Collections.unmodifiableSet(serverBindings); } - public final List<String> getClientBindings() { + public final List<BindingPattern> getClientBindings() { return Collections.unmodifiableList(clientBindings); } diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/component/SystemBindingPattern.java b/config-model/src/main/java/com/yahoo/vespa/model/container/component/SystemBindingPattern.java new file mode 100644 index 00000000000..3ae531539ef --- /dev/null +++ b/config-model/src/main/java/com/yahoo/vespa/model/container/component/SystemBindingPattern.java 
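Review bot: `removeServerBinding(BindingPattern binding)` and the `LinkedHashSet` behind `addServerBindings` now rely on `BindingPattern.equals`, which compares the runtime class as well as the four fields, so a `SystemBindingPattern` and a `UserBindingPattern` with the same pattern string are two distinct entries and removing one with the other kind is a silent no-op (the old `String` set had no such distinction). If that is intended, say so on the method: `/** Removes the given server binding; equality is class-sensitive, so a system and a user pattern with the same string do not match (see BindingPattern#hasSamePattern). */` — otherwise `serverBindings.removeIf(binding::hasSamePattern);` restores the string-based behaviour callers had before. The enclosing class `Handler` continues outside the hunk.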
@@ -0,0 +1,27 @@
+// Copyright Verizon Media. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.model.container.component;
+
+/**
+ * A {@link BindingPattern} which is implicitly constructed by the model, e.g for built-in handlers and filter chains.
+ *
+ * @author bjorncs
+ */
+public class SystemBindingPattern extends BindingPattern {
+
+ private SystemBindingPattern(String scheme, String host, String port, String path) { super(scheme, host, port, path); }
+ private SystemBindingPattern(String binding) { super(binding); }
+
+ public static SystemBindingPattern fromHttpPath(String path) { return new SystemBindingPattern("http", "*", null, path);}
+ public static SystemBindingPattern fromPattern(String binding) { return new SystemBindingPattern(binding);}
+ public static SystemBindingPattern fromHttpPortAndPath(String port, String path) { return new SystemBindingPattern("http", "*", port, path); }
+
+ @Override
+ public String toString() {
+ return "SystemBindingPattern{" +
+ "scheme='" + scheme() + '\'' +
+ ", host='" + host() + '\'' +
+ ", port='" + port().orElse(null) + '\'' +
+ ", path='" + path() + '\'' +
+ '}';
+ }
+}
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/component/UserBindingPattern.java b/config-model/src/main/java/com/yahoo/vespa/model/container/component/UserBindingPattern.java
new file mode 100644
index 00000000000..43f57fa0343
--- /dev/null
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/component/UserBindingPattern.java
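Review bot: `fromHttpPortAndPath(String port, String path)` takes the port as a free-form string that the four-argument `BindingPattern` constructor does not validate, while its only caller in this PR (`AccessControl.createAccessControlBinding`) starts from an `int` and converts it; declaring the factory as `fromHttpPortAndPath(int port, String path)` and converting with `Integer.toString(port)` inside makes a non-numeric port unrepresentable. The class Javadoc has a typo, `e.g` should read `e.g.`.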
@@ -0,0 +1,26 @@
+// Copyright Verizon Media. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.model.container.component;
+
+/**
+ * A {@link BindingPattern} which is constructed directly from a user provided 'binding' element from services.xml.
+ *
+ * @author bjorncs
+ */
+public class UserBindingPattern extends BindingPattern {
+
+ private UserBindingPattern(String scheme, String host, String port, String path) { super(scheme, host, port, path); }
+ private UserBindingPattern(String binding) { super(binding); }
+
+ public static UserBindingPattern fromHttpPath(String path) { return new UserBindingPattern("http", "*", null, path); }
+ public static UserBindingPattern fromPattern(String binding) { return new UserBindingPattern(binding); }
+
+ @Override
+ public String toString() {
+ return "UserBindingPattern{" +
+ "scheme='" + scheme() + '\'' +
+ ", host='" + host() + '\'' +
+ ", port='" + port().orElse(null) + '\'' +
+ ", path='" + path() + '\'' +
+ '}';
+ }
+}
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/docproc/ContainerDocproc.java b/config-model/src/main/java/com/yahoo/vespa/model/container/docproc/ContainerDocproc.java
index d4b4dcea78e..82061a0425f 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/docproc/ContainerDocproc.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/docproc/ContainerDocproc.java
@@ -9,6 +9,7 @@ import com.yahoo.container.jdisc.config.SessionConfig;
 import com.yahoo.docproc.jdisc.messagebus.MbusRequestContext;
 import com.yahoo.vespa.model.container.ContainerCluster;
 import com.yahoo.vespa.model.container.component.ContainerSubsystem;
+import com.yahoo.vespa.model.container.component.SystemBindingPattern;
 
 import java.util.HashMap;
 import java.util.Map;
@@ -44,7 +45,7 @@ public class ContainerDocproc extends ContainerSubsystem<DocprocChains> private void addSource( final ContainerCluster cluster, final String name, final SessionConfig.Type.Enum type) { final MbusClient mbusClient = new MbusClient(name, type); - mbusClient.addClientBindings("mbus://*/" + mbusClient.getSessionName()); + mbusClient.addClientBindings(SystemBindingPattern.fromPattern("mbus://*/" + mbusClient.getSessionName())); cluster.addComponent(mbusClient); } diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/docproc/DocprocChains.java b/config-model/src/main/java/com/yahoo/vespa/model/container/docproc/DocprocChains.java index 5d08a0a6998..68dc2518c23 100644 --- a/config-model/src/main/java/com/yahoo/vespa/model/container/docproc/DocprocChains.java +++ b/config-model/src/main/java/com/yahoo/vespa/model/container/docproc/DocprocChains.java @@ -7,6 +7,7 @@ import com.yahoo.container.jdisc.config.SessionConfig; import com.yahoo.vespa.model.container.ApplicationContainerCluster; import com.yahoo.vespa.model.container.ContainerCluster; import com.yahoo.vespa.model.container.component.Component; +import com.yahoo.vespa.model.container.component.SystemBindingPattern; import com.yahoo.vespa.model.container.component.chain.Chains; import com.yahoo.vespa.model.container.component.chain.ProcessingHandler; 
@@ -38,12 +39,12 @@ public class DocprocChains extends Chains<DocprocChain> { } private void addServerAndClientForChain(ApplicationContainerCluster cluster, DocprocChain docprocChain) { - docprocHandler.addServerBindings("mbus://*/" + docprocChain.getSessionName()); + docprocHandler.addServerBindings(SystemBindingPattern.fromPattern("mbus://*/" + docprocChain.getSessionName())); cluster.addMbusServer(ComponentId.fromString(docprocChain.getSessionName())); MbusClient client = new MbusClient(docprocChain.getSessionName(), SessionConfig.Type.INTERMEDIATE); - client.addClientBindings("mbus://*/" + client.getSessionName()); + client.addClientBindings(SystemBindingPattern.fromPattern("mbus://*/" + client.getSessionName())); addComponent(client); } } diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/http/AccessControl.java b/config-model/src/main/java/com/yahoo/vespa/model/container/http/AccessControl.java index 9676b8b1e4a..4349a8781e7 100644 --- a/config-model/src/main/java/com/yahoo/vespa/model/container/http/AccessControl.java +++ b/config-model/src/main/java/com/yahoo/vespa/model/container/http/AccessControl.java 
@@ -3,21 +3,20 @@ package com.yahoo.vespa.model.container.http; import com.yahoo.component.ComponentId; import com.yahoo.component.ComponentSpecification; -import com.yahoo.config.application.api.DeployLogger; import com.yahoo.vespa.model.container.ApplicationContainerCluster; import com.yahoo.vespa.model.container.ContainerCluster; +import com.yahoo.vespa.model.container.component.BindingPattern; import com.yahoo.vespa.model.container.component.FileStatusHandlerComponent; import com.yahoo.vespa.model.container.component.Handler; -import com.yahoo.vespa.model.container.component.Servlet; +import com.yahoo.vespa.model.container.component.SystemBindingPattern; +import com.yahoo.vespa.model.container.component.chain.Chain; -import java.util.ArrayList; import java.util.Collection; import java.util.Collections; +import java.util.HashSet; import java.util.LinkedHashSet; import java.util.List; import java.util.Set; -import java.util.stream.Collectors; -import java.util.stream.Stream; /** * Helper class for http access control. @@ -25,11 +24,15 @@ import java.util.stream.Stream; * @author gjoranv * @author bjorncs */ -public final class AccessControl { +public class AccessControl { public static final ComponentId ACCESS_CONTROL_CHAIN_ID = ComponentId.fromString("access-control-chain"); + public static final ComponentId ACCESS_CONTROL_EXCLUDED_CHAIN_ID = ComponentId.fromString("access-control-excluded-chain"); - public static final List<String> UNPROTECTED_HANDLERS = List.of( + private static final int HOSTED_CONTAINER_PORT = 4443; + + // Handlers that are excluded from access control + public static final List<String> EXCLUDED_HANDLERS = List.of( FileStatusHandlerComponent.CLASS, ContainerCluster.APPLICATION_STATUS_HANDLER_CLASS, ContainerCluster.BINDINGS_OVERVIEW_HANDLER_CLASS, 
@@ -39,18 +42,15 @@ public final class AccessControl { ApplicationContainerCluster.PROMETHEUS_V1_HANDLER_CLASS ); - public static final class Builder { - private String domain; + public static class Builder { + private final String domain; private boolean readEnabled = false; private boolean writeEnabled = true; - private final Set<String> excludeBindings = new LinkedHashSet<>(); + private final Set<BindingPattern> excludeBindings = new LinkedHashSet<>(); private Collection<Handler<?>> handlers = Collections.emptyList(); - private Collection<Servlet> servlets = Collections.emptyList(); - private final DeployLogger logger; - public Builder(String domain, DeployLogger logger) { + public Builder(String domain) { this.domain = domain; - this.logger = logger; } public Builder readEnabled(boolean readEnabled) { 
@@ -58,102 +58,117 @@ public final class AccessControl { return this; } - public Builder writeEnabled(boolean writeEnalbed) { - this.writeEnabled = writeEnalbed; + public Builder writeEnabled(boolean writeEnabled) { + this.writeEnabled = writeEnabled; return this; } - public Builder excludeBinding(String binding) { + public Builder excludeBinding(BindingPattern binding) { this.excludeBindings.add(binding); return this; } public Builder setHandlers(ApplicationContainerCluster cluster) { this.handlers = cluster.getHandlers(); - this.servlets = cluster.getAllServlets(); return this; } public AccessControl build() { - return new AccessControl(domain, writeEnabled, readEnabled, - excludeBindings, servlets, handlers, logger); + return new AccessControl(domain, writeEnabled, readEnabled, excludeBindings, handlers); } } public final String domain; public final boolean readEnabled; public final boolean writeEnabled; - private final Set<String> excludedBindings; + private final Set<BindingPattern> excludedBindings; private final Collection<Handler<?>> handlers; - private final Collection<Servlet> servlets; - private final DeployLogger logger; private AccessControl(String domain, boolean writeEnabled, boolean readEnabled, - Set<String> excludedBindings, - Collection<Servlet> servlets, - Collection<Handler<?>> handlers, - DeployLogger logger) { + Set<BindingPattern> excludedBindings, + Collection<Handler<?>> handlers) { this.domain = domain; this.readEnabled = readEnabled; this.writeEnabled = writeEnabled; this.excludedBindings = Collections.unmodifiableSet(excludedBindings); this.handlers = handlers; - this.servlets = servlets; - this.logger = logger; } - public List<Binding> getBindings() { - return Stream.concat(getHandlerBindings(), getServletBindings()) - .collect(Collectors.toCollection(ArrayList::new)); + public void configureHttpFilterChains(Http http) { + http.setAccessControl(this); + addAccessControlFilterChain(http); + addAccessControlExcludedChain(http); + 
removeDuplicateBindingsFromAccessControlChain(http); } - public static boolean hasHandlerThatNeedsProtection(ApplicationContainerCluster cluster) { - return cluster.getHandlers().stream().anyMatch(AccessControl::handlerNeedsProtection); - } + /** returns the excluded bindings as specified in 'access-control' in services.xml **/ + public Set<BindingPattern> excludedBindings() { return excludedBindings; } - private Stream<Binding> getHandlerBindings() { - return handlers.stream() - .filter(this::shouldHandlerBeProtected) - .flatMap(handler -> handler.getServerBindings().stream()) - .map(binding -> accessControlBinding(binding, logger)); - } + /** all handlers (that are known by the access control components) **/ + public Collection<Handler<?>> handlers() { return handlers; } - private Stream<Binding> getServletBindings() { - return servlets.stream() - .filter(this::shouldServletBeProtected) - .flatMap(AccessControl::servletBindings) - .map(binding -> accessControlBinding(binding, logger)); + public static boolean hasHandlerThatNeedsProtection(ApplicationContainerCluster cluster) { + return cluster.getHandlers().stream() + .anyMatch(handler -> ! isExcludedHandler(handler) && hasNonMbusBinding(handler)); } - private boolean shouldHandlerBeProtected(Handler<?> handler) { - return ! 
isBuiltinGetOnly(handler) - && handler.getServerBindings().stream().noneMatch(excludedBindings::contains); + private void addAccessControlFilterChain(Http http) { + http.getFilterChains().add(createChain(ACCESS_CONTROL_CHAIN_ID)); + http.getBindings().addAll(List.of(createAccessControlBinding("/"), createAccessControlBinding("/*"))); } - private static boolean isBuiltinGetOnly(Handler<?> handler) { - return UNPROTECTED_HANDLERS.contains(handler.getClassId().getName()); + private void addAccessControlExcludedChain(Http http) { + http.getFilterChains().add(createChain(ACCESS_CONTROL_EXCLUDED_CHAIN_ID)); + for (BindingPattern excludedBinding : excludedBindings) { + http.getBindings().add(createAccessControlExcludedBinding(excludedBinding)); + } + for (Handler<?> handler : handlers) { + if (isExcludedHandler(handler)) { + for (BindingPattern binding : handler.getServerBindings()) { + http.getBindings().add(createAccessControlExcludedBinding(binding)); + } + } + } } - private boolean shouldServletBeProtected(Servlet servlet) { - return servletBindings(servlet).noneMatch(excludedBindings::contains); + // Remove bindings from access control chain that have binding pattern as a different filter chain + private void removeDuplicateBindingsFromAccessControlChain(Http http) { + Set<FilterBinding> duplicateBindings = new HashSet<>(); + for (FilterBinding binding : http.getBindings()) { + if (binding.chainId().toId().equals(ACCESS_CONTROL_CHAIN_ID)) { + for (FilterBinding otherBinding : http.getBindings()) { + if (!binding.chainId().equals(otherBinding.chainId()) + && binding.binding().equals(otherBinding.binding())) { + duplicateBindings.add(binding); + } + } + } + } + duplicateBindings.forEach(http.getBindings()::remove); } - private static Binding accessControlBinding(String binding, DeployLogger logger) { - return Binding.create(new ComponentSpecification(ACCESS_CONTROL_CHAIN_ID.stringValue()), binding, logger); + private static FilterBinding 
createAccessControlBinding(String path) { + return FilterBinding.create( + new ComponentSpecification(ACCESS_CONTROL_CHAIN_ID.stringValue()), + SystemBindingPattern.fromHttpPortAndPath(Integer.toString(HOSTED_CONTAINER_PORT), path)); } - private static Stream<String> servletBindings(Servlet servlet) { - return Stream.of("http://*/").map(protocol -> protocol + servlet.bindingPath); + private static FilterBinding createAccessControlExcludedBinding(BindingPattern excludedBinding) { + BindingPattern rewrittenBinding = SystemBindingPattern.fromHttpPortAndPath( + Integer.toString(HOSTED_CONTAINER_PORT), excludedBinding.path()); // only keep path from excluded binding + return FilterBinding.create( + new ComponentSpecification(ACCESS_CONTROL_EXCLUDED_CHAIN_ID.stringValue()), + rewrittenBinding); } - private static boolean handlerNeedsProtection(Handler<?> handler) { - return ! isBuiltinGetOnly(handler) && hasNonMbusBinding(handler); - } + private static Chain<Filter> createChain(ComponentId id) { return new Chain<>(FilterChains.emptyChainSpec(id)); } + + private static boolean isExcludedHandler(Handler<?> handler) { return EXCLUDED_HANDLERS.contains(handler.getClassId().getName()); } private static boolean hasNonMbusBinding(Handler<?> handler) { - return handler.getServerBindings().stream().anyMatch(binding -> ! binding.startsWith("mbus")); + return handler.getServerBindings().stream().anyMatch(binding -> ! binding.scheme().equals("mbus")); } } diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/http/Binding.java b/config-model/src/main/java/com/yahoo/vespa/model/container/http/Binding.java deleted file mode 100644 index 28f4949f210..00000000000 --- a/config-model/src/main/java/com/yahoo/vespa/model/container/http/Binding.java +++ /dev/null 
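Review bot: `createAccessControlExcludedBinding` keeps only `excludedBinding.path()` and rebinds it to `http://*:4443`, so a user exclusion that names a specific host or port (a constructed example: `http://admin.example.com:8080/state/v1/*`) is silently widened to every host on the hosted port, and with `DeployLogger` dropped from the builder nothing tells the deployer that happened. Either reject such patterns in `Builder.excludeBinding` — `if (!binding.host().equals(BindingPattern.WILDCARD_PATTERN) || binding.port().isPresent()) throw new IllegalArgumentException("Only wildcard host/port bindings can be excluded from access control: " + binding.patternString());` — or state the rewrite in the `<exclude>` documentation. Separately, `removeDuplicateBindingsFromAccessControlChain` compares patterns with `equals`, which in `BindingPattern` is class-sensitive, so only the `SystemBindingPattern`s produced by the excluded chain can knock out an access-control binding while a user filter chain bound to the same `http://*:4443/...` string does not; if that is intended the comment above the method should say so, otherwise `hasSamePattern` is the comparison to use. `HOSTED_CONTAINER_PORT` also deserves a comment that the access-control chain is bound to that port only, since requests arriving on any other connector are not covered by this chain.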
@@ -1,39 +0,0 @@
-// Copyright 2019 Oath Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.vespa.model.container.http;
-
-import com.yahoo.component.ComponentSpecification;
-import com.yahoo.config.application.api.DeployLogger;
-
-import java.util.logging.Level;
-
-/**
- * @author bjorncs
- */
-public class Binding {
-
- private final ComponentSpecification filterId;
- private final String binding;
-
- private Binding(ComponentSpecification filterId, String binding) {
- this.filterId = filterId;
- this.binding = binding;
- }
-
- public static Binding create(ComponentSpecification filterId, String binding, DeployLogger logger) {
- if (binding.startsWith("https://")) {
- logger.log(Level.WARNING, String.format("For binding '%s' on '%s': 'https' bindings are deprecated, " +
- "use 'http' instead to bind to both http and https traffic.",
- binding, filterId));
- }
- return new Binding(filterId, binding);
- }
-
- public ComponentSpecification filterId() {
- return filterId;
- }
-
- public String binding() {
- return binding;
- }
-
-}
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/http/FilterBinding.java b/config-model/src/main/java/com/yahoo/vespa/model/container/http/FilterBinding.java
new file mode 100644
index 00000000000..1ca54769683
--- /dev/null
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/http/FilterBinding.java
@@ -0,0 +1,47 @@
+// Copyright 2019 Oath Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.model.container.http;
+
+import com.yahoo.component.ComponentSpecification;
+import com.yahoo.vespa.model.container.component.BindingPattern;
+
+import java.util.Objects;
+
+/**
+ * @author bjorncs
+ */
+public class FilterBinding {
+
+ private final ComponentSpecification chainId;
+ private final BindingPattern binding;
+
+ private FilterBinding(ComponentSpecification chainId, BindingPattern binding) {
+ this.chainId = chainId;
+ this.binding = binding;
+ }
+
+ public static FilterBinding create(ComponentSpecification chainId, BindingPattern binding) {
+ return new FilterBinding(chainId, binding);
+ }
+
+ public ComponentSpecification chainId() {
+ return chainId;
+ }
+
+ public BindingPattern binding() {
+ return binding;
+ }
+
+ @Override
+ public boolean equals(Object o) {
+ if (this == o) return true;
+ if (o == null || getClass() != o.getClass()) return false;
+ FilterBinding that = (FilterBinding) o;
+ return Objects.equals(chainId, that.chainId) &&
+ Objects.equals(binding, that.binding);
+ }
+
+ @Override
+ public int hashCode() {
+ return Objects.hash(chainId, binding);
+ }
+}
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/http/Http.java b/config-model/src/main/java/com/yahoo/vespa/model/container/http/Http.java
index 0fcf7b2d06c..f58f5faa382 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/http/Http.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/http/Http.java
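Review bot: The private constructor stores `chainId` and `binding` without a null check, and `Http.getConfig` later dereferences `chainId().stringValue()` and `binding().patternString()`, so a null that slips in through `create` fails far from its origin; with `Objects` already imported, `this.chainId = Objects.requireNonNull(chainId, "chainId");` and `this.binding = Objects.requireNonNull(binding, "binding");` fail at construction instead. A `toString()` would also help diagnostics, since the class declares none and any message that concatenates a `FilterBinding` prints the identity hash.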
@@ -21,7 +21,7 @@ import java.util.concurrent.CopyOnWriteArrayList; public class Http extends AbstractConfigProducer<AbstractConfigProducer<?>> implements ServerConfig.Producer { private final FilterChains filterChains; - private final List<Binding> bindings = new CopyOnWriteArrayList<>(); + private final List<FilterBinding> bindings = new CopyOnWriteArrayList<>(); private volatile JettyHttpServer httpServer; private volatile AccessControl accessControl; @@ -64,7 +64,7 @@ public class Http extends AbstractConfigProducer<AbstractConfigProducer<?>> impl setHttpServer(null); } - public List<Binding> getBindings() { + public List<FilterBinding> getBindings() { return bindings; } @@ -74,16 +74,16 @@ public class Http extends AbstractConfigProducer<AbstractConfigProducer<?>> impl @Override public void getConfig(ServerConfig.Builder builder) { - for (Binding binding : bindings) { + for (FilterBinding binding : bindings) { builder.filter(new ServerConfig.Filter.Builder() - .id(binding.filterId().stringValue()) - .binding(binding.binding())); + .id(binding.chainId().stringValue()) + .binding(binding.binding().patternString())); } } @Override public void validate() { - if (((Collection<Binding>) bindings).isEmpty()) return; + if (((Collection<FilterBinding>) bindings).isEmpty()) return; if (filterChains == null) throw new IllegalArgumentException("Null FilterChains are not allowed when there are filter bindings"); 
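Review bot: The cast in `validate()`, `((Collection<FilterBinding>) bindings).isEmpty()`, is redundant: `bindings` is declared `List<FilterBinding>` in the first hunk, so `if (bindings.isEmpty()) return;` says the same thing, and the `Collection` import probably exists only for this cast. `validate()` continues past the end of this hunk.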
@@ -91,9 +91,9 @@ public class Http extends AbstractConfigProducer<AbstractConfigProducer<?>> impl ComponentRegistry<ChainedComponent<?>> filters = filterChains.componentsRegistry(); ComponentRegistry<Chain<Filter>> chains = filterChains.allChains(); - for (Binding binding: bindings) { - if (filters.getComponent(binding.filterId()) == null && chains.getComponent(binding.filterId()) == null) - throw new RuntimeException("Can't find filter " + binding.filterId() + " for binding " + binding.binding()); + for (FilterBinding binding: bindings) { + if (filters.getComponent(binding.chainId()) == null && chains.getComponent(binding.chainId()) == null) + throw new RuntimeException("Can't find filter " + binding.chainId() + " for binding " + binding.binding()); } } } diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/http/xml/HttpBuilder.java b/config-model/src/main/java/com/yahoo/vespa/model/container/http/xml/HttpBuilder.java index bfde9b9add1..c86d8b206d5 100644 --- a/config-model/src/main/java/com/yahoo/vespa/model/container/http/xml/HttpBuilder.java +++ b/config-model/src/main/java/com/yahoo/vespa/model/container/http/xml/HttpBuilder.java @@ -13,9 +13,9 @@ import com.yahoo.vespa.model.builder.xml.dom.ModelElement; import com.yahoo.vespa.model.builder.xml.dom.VespaDomBuilder; import com.yahoo.vespa.model.container.ApplicationContainerCluster; import com.yahoo.vespa.model.container.Container; -import com.yahoo.vespa.model.container.component.chain.Chain; +import com.yahoo.vespa.model.container.component.UserBindingPattern; import com.yahoo.vespa.model.container.http.AccessControl; -import com.yahoo.vespa.model.container.http.Binding; +import com.yahoo.vespa.model.container.http.FilterBinding; import com.yahoo.vespa.model.container.http.FilterChains; import com.yahoo.vespa.model.container.http.Http; import org.w3c.dom.Element; 
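Review bot: The error message in `validate()` now concatenates `binding.binding()`, a `BindingPattern`, so the deployer sees the subclass `toString()` form (`UserBindingPattern{scheme='http', ...}`) rather than the string written in services.xml; use `binding.binding().patternString()` there, which is also what `getConfig` emits. The same line throws `RuntimeException` for a configuration error where the check earlier in this method throws `IllegalArgumentException`; since the line is being rewritten anyway, `IllegalArgumentException` keeps the method consistent.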
@@ -25,8 +25,6 @@ import java.util.List; import java.util.Optional; import java.util.logging.Level; -import static com.yahoo.vespa.model.container.http.AccessControl.ACCESS_CONTROL_CHAIN_ID; - /** * @author Tony Vaagenes * @author gjoranv @@ -36,19 +34,17 @@ public class HttpBuilder extends VespaDomBuilder.DomConfigProducerBuilder<Http> @Override protected Http doBuild(DeployState deployState, AbstractConfigProducer ancestor, Element spec) { FilterChains filterChains; - List<Binding> bindings = new ArrayList<>(); + List<FilterBinding> bindings = new ArrayList<>(); AccessControl accessControl = null; Element filteringElem = XML.getChild(spec, "filtering"); if (filteringElem != null) { filterChains = new FilterChainsBuilder().build(deployState, ancestor, filteringElem); - bindings = readFilterBindings(filteringElem, deployState.getDeployLogger()); + bindings = readFilterBindings(filteringElem); Element accessControlElem = XML.getChild(filteringElem, "access-control"); if (accessControlElem != null) { accessControl = buildAccessControl(deployState, ancestor, accessControlElem); - bindings.addAll(accessControl.getBindings()); - filterChains.add(new Chain<>(FilterChains.emptyChainSpec(ACCESS_CONTROL_CHAIN_ID))); } } else { filterChains = new FilterChainsBuilder().newChainsInstance(ancestor); 
@@ -56,14 +52,16 @@ public class HttpBuilder extends VespaDomBuilder.DomConfigProducerBuilder<Http> Http http = new Http(filterChains); http.getBindings().addAll(bindings); - http.setAccessControl(accessControl); http.setHttpServer(new JettyHttpServerBuilder().build(deployState, ancestor, spec)); + if (accessControl != null) { + accessControl.configureHttpFilterChains(http); + } return http; } private AccessControl buildAccessControl(DeployState deployState, AbstractConfigProducer ancestor, Element accessControlElem) { AthenzDomain domain = getAccessControlDomain(deployState, accessControlElem); - AccessControl.Builder builder = new AccessControl.Builder(domain.value(), deployState.getDeployLogger()); + AccessControl.Builder builder = new AccessControl.Builder(domain.value()); getContainerCluster(ancestor).ifPresent(builder::setHandlers); @@ -75,7 +73,7 @@ public class HttpBuilder extends VespaDomBuilder.DomConfigProducerBuilder<Http> Element excludeElem = XML.getChild(accessControlElem, "exclude"); if (excludeElem != null) { XML.getChildren(excludeElem, "binding").stream() - .map(XML::getValue) + .map(xml -> UserBindingPattern.fromPattern(XML.getValue(xml))) .forEach(builder::excludeBinding); } return builder.build(); @@ -113,8 +111,8 @@ public class HttpBuilder extends VespaDomBuilder.DomConfigProducerBuilder<Http> return Optional.of((ApplicationContainerCluster) currentProducer); } - private List<Binding> readFilterBindings(Element filteringSpec, DeployLogger logger) { - List<Binding> result = new ArrayList<>(); + private List<FilterBinding> readFilterBindings(Element filteringSpec) { + List<FilterBinding> result = new ArrayList<>(); for (Element child: XML.getChildren(filteringSpec)) { String tagName = child.getTagName(); 
@@ -123,7 +121,7 @@ public class HttpBuilder extends VespaDomBuilder.DomConfigProducerBuilder<Http> for (Element bindingSpec: XML.getChildren(child, "binding")) { String binding = XML.getValue(bindingSpec); - result.add(Binding.create(chainId, binding, logger)); + result.add(FilterBinding.create(chainId, UserBindingPattern.fromPattern(binding))); } } } diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/processing/ProcessingChains.java b/config-model/src/main/java/com/yahoo/vespa/model/container/processing/ProcessingChains.java index 4fd79a4f335..f6b24bf9635 100644 --- a/config-model/src/main/java/com/yahoo/vespa/model/container/processing/ProcessingChains.java +++ b/config-model/src/main/java/com/yahoo/vespa/model/container/processing/ProcessingChains.java @@ -2,6 +2,8 @@ package com.yahoo.vespa.model.container.processing; import com.yahoo.config.model.producer.AbstractConfigProducer; +import com.yahoo.vespa.model.container.component.BindingPattern; +import com.yahoo.vespa.model.container.component.SystemBindingPattern; import com.yahoo.vespa.model.container.component.chain.Chains; /** @@ -11,7 +13,7 @@ import com.yahoo.vespa.model.container.component.chain.Chains; */ public class ProcessingChains extends Chains<ProcessingChain> { - public static final String[] defaultBindings = new String[] {"http://*/processing/*"}; + public static final BindingPattern[] defaultBindings = new BindingPattern[]{SystemBindingPattern.fromHttpPath("/processing/*")}; public ProcessingChains(AbstractConfigProducer parent, String subId) { diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/search/GUIHandler.java b/config-model/src/main/java/com/yahoo/vespa/model/container/search/GUIHandler.java index 1e717f89819..f01bbcd3951 100644 --- a/config-model/src/main/java/com/yahoo/vespa/model/container/search/GUIHandler.java +++ b/config-model/src/main/java/com/yahoo/vespa/model/container/search/GUIHandler.java 
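Review bot: The `https://` deprecation warning that `Binding.create` emitted (see the Binding.java deletion above) has no replacement: `FilterBinding.create(chainId, UserBindingPattern.fromPattern(binding))` accepts an `https` binding silently, and `readFilterBindings` no longer receives a `DeployLogger`. If the deprecation still stands, pass `deployState.getDeployLogger()` back in and log when `pattern.scheme().equals("https")`; if it was dropped deliberately, the PR description should say so. A malformed element now fails with `IllegalArgumentException("Invalid binding: ...")` from the `BindingPattern` constructor, which is better than passing the raw string through, though the message does not say which filter chain the element belongs to. `readFilterBindings` starts in the previous hunk and its loop continues outside this one.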
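Review bot: `defaultBindings` is a `public static final` array, which any caller can overwrite element-wise despite the `final`; since this hunk changes the element type anyway, `public static final List<BindingPattern> defaultBindings = List.of(SystemBindingPattern.fromHttpPath("/processing/*"));` would make it immutable if its callers can be updated (those that need an array can call `toArray(new BindingPattern[0])`). The constant would also conventionally be named `DEFAULT_BINDINGS`.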
@@ -14,7 +14,7 @@ public class GUIHandler extends Handler<AbstractConfigProducer<?>> { public static final String BUNDLE = "container-search-gui"; public static final String CLASS = "com.yahoo.search.query.gui.GUIHandler"; - public static final String BINDING = "*/querybuilder/*"; + public static final String BINDING_PATH = "/querybuilder/*"; public GUIHandler() { super(new ComponentModel(bundleSpec(CLASS, BUNDLE))); diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java index 41e092c7ea5..51583588201 100644 --- a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java +++ b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java @@ -29,7 +29,6 @@ import com.yahoo.config.provision.Environment; import com.yahoo.config.provision.HostName; import com.yahoo.config.provision.NodeResources; import com.yahoo.config.provision.NodeType; -import com.yahoo.config.provision.SystemName; import com.yahoo.config.provision.Zone; import com.yahoo.search.rendering.RendererRegistry; import com.yahoo.searchdefinition.derived.RankProfileList; 
@@ -57,10 +56,11 @@ import com.yahoo.vespa.model.container.ContainerModel; import com.yahoo.vespa.model.container.ContainerModelEvaluation; import com.yahoo.vespa.model.container.IdentityProvider; import com.yahoo.vespa.model.container.SecretStore; -import com.yahoo.vespa.model.container.component.Component; +import com.yahoo.vespa.model.container.component.BindingPattern; import com.yahoo.vespa.model.container.component.FileStatusHandlerComponent; import com.yahoo.vespa.model.container.component.Handler; -import com.yahoo.vespa.model.container.component.chain.Chain; +import com.yahoo.vespa.model.container.component.SystemBindingPattern; +import com.yahoo.vespa.model.container.component.UserBindingPattern; import com.yahoo.vespa.model.container.component.chain.ProcessingHandler; import com.yahoo.vespa.model.container.docproc.ContainerDocproc; import com.yahoo.vespa.model.container.docproc.DocprocChains; @@ -93,7 +93,6 @@ import java.util.function.Consumer; import java.util.regex.Pattern; import java.util.stream.Collectors; -import static com.yahoo.vespa.model.container.http.AccessControl.ACCESS_CONTROL_CHAIN_ID; import static java.util.logging.Level.WARNING; /** @@ -113,7 +112,7 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> { private static final String ENVIRONMENT_VARIABLES_ELEMENT = "environment-variables"; static final String SEARCH_HANDLER_CLASS = com.yahoo.search.handler.SearchHandler.class.getName(); - static final String SEARCH_HANDLER_BINDING = "http://*/search/*"; + static final BindingPattern SEARCH_HANDLER_BINDING = SystemBindingPattern.fromHttpPath("/search/*"); public enum Networking { disable, enable } 
@@ -278,8 +277,10 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> { String name = "status.html"; Optional<String> statusFile = Optional.ofNullable(System.getenv(HOSTED_VESPA_STATUS_FILE_SETTING)); cluster.addComponent( - new FileStatusHandlerComponent(name + "-status-handler", statusFile.orElse(HOSTED_VESPA_STATUS_FILE), - "http://*/" + name)); + new FileStatusHandlerComponent( + name + "-status-handler", + statusFile.orElse(HOSTED_VESPA_STATUS_FILE), + SystemBindingPattern.fromHttpPath("/" + name))); } else { cluster.addVipHandler(); } @@ -368,15 +369,12 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> { if (http.getAccessControl().isPresent()) return; // access control added explicitly AthenzDomain tenantDomain = deployState.getProperties().athenzDomain().orElse(null); if (tenantDomain == null) return; // tenant domain not present, cannot add access control. this should eventually be a failure. - AccessControl accessControl = - new AccessControl.Builder(tenantDomain.value(), deployState.getDeployLogger()) - .setHandlers(cluster) - .readEnabled(false) - .writeEnabled(false) - .build(); - http.getFilterChains().add(new Chain<>(FilterChains.emptyChainSpec(ACCESS_CONTROL_CHAIN_ID))); - http.setAccessControl(accessControl); - http.getBindings().addAll(accessControl.getBindings()); + new AccessControl.Builder(tenantDomain.value()) + .setHandlers(cluster) + .readEnabled(false) + .writeEnabled(false) + .build() + .configureHttpFilterChains(http); } private Http buildHttp(DeployState deployState, ApplicationContainerCluster cluster, Element httpElement) { 
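Review bot: The rewritten implicit access-control setup still returns silently when `tenantDomain == null`, so a hosted cluster with no Athenz domain is deployed without the access-control chain and nothing records why; the inline comment already says this should eventually be a failure, and with `AccessControl.Builder` no longer taking the deploy logger this path now produces no output at all. At minimum `deployState.getDeployLogger().log(WARNING, "No Athenz domain present, access control not added");` before that `return` would surface the gap in deploy output (`WARNING` is already statically imported in this file), and turning it into an exception is the stated end goal. The enclosing method starts before this hunk.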
@@ -795,8 +793,8 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> { ProcessingHandler<SearchChains> searchHandler = new ProcessingHandler<>(cluster.getSearch().getChains(), "com.yahoo.search.handler.SearchHandler"); - String[] defaultBindings = {SEARCH_HANDLER_BINDING}; - for (String binding: serverBindings(searchElement, defaultBindings)) { + BindingPattern[] defaultBindings = {SEARCH_HANDLER_BINDING}; + for (BindingPattern binding: serverBindings(searchElement, defaultBindings)) { searchHandler.addServerBindings(binding); } @@ -805,12 +803,12 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> { private void addGUIHandler(ApplicationContainerCluster cluster) { Handler<?> guiHandler = new GUIHandler(); - guiHandler.addServerBindings("http://"+GUIHandler.BINDING); + guiHandler.addServerBindings(SystemBindingPattern.fromHttpPath(GUIHandler.BINDING_PATH)); cluster.addComponent(guiHandler); } - private String[] serverBindings(Element searchElement, String... defaultBindings) { + private BindingPattern[] serverBindings(Element searchElement, BindingPattern... defaultBindings) { List<Element> bindings = XML.getChildren(searchElement, "binding"); if (bindings.isEmpty()) return defaultBindings; 
@@ -818,16 +816,16 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> { return toBindingList(bindings); } - private String[] toBindingList(List<Element> bindingElements) { - List<String> result = new ArrayList<>(); + private BindingPattern[] toBindingList(List<Element> bindingElements) { + List<BindingPattern> result = new ArrayList<>(); for (Element element: bindingElements) { String text = element.getTextContent().trim(); if (!text.isEmpty()) - result.add(text); + result.add(UserBindingPattern.fromPattern(text)); } - return result.toArray(new String[result.size()]); + return result.toArray(BindingPattern[]::new); } private ContainerDocumentApi buildDocumentApi(ApplicationContainerCluster cluster, Element spec) { diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/DocumentApiOptionsBuilder.java b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/DocumentApiOptionsBuilder.java index ae74dbdb4a7..61464799812 100644 --- a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/DocumentApiOptionsBuilder.java +++ b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/DocumentApiOptionsBuilder.java @@ -6,19 +6,17 @@ import com.yahoo.vespa.model.clients.ContainerDocumentApi; import org.w3c.dom.Element; import java.util.ArrayList; -import java.util.Arrays; import java.util.Collection; import java.util.List; import java.util.logging.Logger; /** * @author Einar M R Rosenvinge - * @since 5.1.11 */ public class DocumentApiOptionsBuilder { private static final Logger log = Logger.getLogger(DocumentApiOptionsBuilder.class.getName()); - private static final String[] DEFAULT_BINDINGS = {"http://*/"}; + public static ContainerDocumentApi.Options build(Element spec) { return new ContainerDocumentApi.Options(getBindings(spec)); 
@@ -27,8 +25,7 @@ public class DocumentApiOptionsBuilder {
     private static List<String> getBindings(Element spec) {
         Collection<Element> bindingElems = XML.getChildren(spec, "binding");
         if (bindingElems.isEmpty())
-            return Arrays.asList(DEFAULT_BINDINGS);
-
+            return List.of();
         List<String> bindings = new ArrayList<>();
         for (Element e :bindingElems) {
             String binding = getBinding(e);
diff --git a/config-model/src/test/java/com/yahoo/vespa/model/application/validation/UriBindingsValidatorTest.java b/config-model/src/test/java/com/yahoo/vespa/model/application/validation/UriBindingsValidatorTest.java
new file mode 100644
index 00000000000..f3d199fc45c
--- /dev/null
+++ b/config-model/src/test/java/com/yahoo/vespa/model/application/validation/UriBindingsValidatorTest.java
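Review bot: `getBindings` now returns the immutable `List.of()` on the empty branch but a mutable `ArrayList` on the other, so a caller that mutates the result works for explicit bindings and throws `UnsupportedOperationException` for the default case; returning `List.copyOf(bindings)` at the end (or `Collections.unmodifiableList`) makes both branches behave the same. Dropping the `http://*/` default also changes the meaning of an empty result from "bind to root" to "no user bindings", and nothing in this file says so — a comment on the new line such as `return List.of(); // no user bindings: the caller applies the platform default` would record it, with the actual default presumably now living in ContainerDocumentApi. This builder also still works in `String` while the rest of the commit moves to `BindingPattern`; if the conversion happens in ContainerDocumentApi, a sentence saying so would help the next reader.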
@@ -0,0 +1,109 @@ +package com.yahoo.vespa.model.application.validation;// Copyright Verizon Media. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. + +import com.yahoo.config.application.api.ApplicationPackage; +import com.yahoo.config.model.NullConfigModelRegistry; +import com.yahoo.config.model.deploy.DeployState; +import com.yahoo.config.model.deploy.TestProperties; +import com.yahoo.config.model.test.MockApplicationPackage; +import com.yahoo.vespa.model.VespaModel; +import org.junit.Rule; +import org.junit.Test; +import org.junit.rules.ExpectedException; +import org.xml.sax.SAXException; + +import java.io.IOException; + +/** + * @author bjorncs + */ +public class UriBindingsValidatorTest { + + @Rule + public ExpectedException exceptionRule = ExpectedException.none(); + + @Test + public void fails_on_user_handler_binding_with_port() throws IOException, SAXException { + exceptionRule.expect(IllegalArgumentException.class); + exceptionRule.expectMessage("For binding 'http://*:4443/my-handler': binding with port is not allowed"); + runUriBindingValidator(true, createServicesXmlWithHandler("http://*:4443/my-handler")); + } + + @Test + public void fails_on_user_handler_binding_with_hostname() throws IOException, SAXException { + exceptionRule.expect(IllegalArgumentException.class); + exceptionRule.expectMessage("For binding 'http://myhostname/my-handler': only binding with wildcard ('*') for hostname is allowed"); + runUriBindingValidator(true, createServicesXmlWithHandler("http://myhostname/my-handler")); + } + + @Test + public void fails_on_user_handler_binding_with_non_http_scheme() throws IOException, SAXException { + exceptionRule.expect(IllegalArgumentException.class); + exceptionRule.expectMessage("For binding 'ftp://*/my-handler': only 'http' is allowed as scheme"); + runUriBindingValidator(true, createServicesXmlWithHandler("ftp://*/my-handler")); + } + + @Test + public void fails_on_invalid_filter_binding() throws 
IOException, SAXException { + exceptionRule.expect(IllegalArgumentException.class); + exceptionRule.expectMessage("For binding 'https://*:4443/my-request-filer-chain': binding with port is not allowed"); + runUriBindingValidator(true, createServicesXmlWithRequestFilterChain("https://*:4443/my-request-filer-chain")); + } + + @Test + public void allows_valid_user_binding() throws IOException, SAXException { + runUriBindingValidator(true, createServicesXmlWithHandler("http://*/my-handler")); + } + + @Test + public void allows_user_binding_with_wildcard_port() throws IOException, SAXException { + runUriBindingValidator(true, createServicesXmlWithHandler("http://*:*/my-handler")); + } + + @Test + public void only_restricts_user_bindings_on_hosted() throws IOException, SAXException { + runUriBindingValidator(false, createServicesXmlWithRequestFilterChain("https://*:4443/my-request-filer-chain")); + } + + private void runUriBindingValidator(boolean isHosted, String servicesXml) throws IOException, SAXException { + ApplicationPackage app = new MockApplicationPackage.Builder() + .withServices(servicesXml) + .build(); + DeployState deployState = new DeployState.Builder() + .applicationPackage(app) + .properties(new TestProperties().setHostedVespa(isHosted)) + .build(); + VespaModel model = new VespaModel(new NullConfigModelRegistry(), deployState); + new UriBindingsValidator().validate(model, deployState); + } + + private static String createServicesXmlWithHandler(String handlerBinding) { + return String.join( + "\n", + "<services version='1.0'>", + " <container id='default' version='1.0'>", + " <handler id='custom.Handler'>", + " <binding>" + handlerBinding + "</binding>", + " </handler>", + " </container>", + "</services>"); + } + + private static String createServicesXmlWithRequestFilterChain(String filterBinding) { + return String.join( + "\n", + "<services version='1.0'>", + " <container version='1.0'>", + " <http>", + " <server port='8080' id='main' />", + " 
<filtering>", + " <request-chain id='myChain'>", + " <filter id='myFilter'/>", + " <binding>" + filterBinding + "</binding>", + " </request-chain>", + " </filtering>", + " </http>", + " </container>", + "</services>"); + } + +}
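Review bot: The file's first line fuses the license header onto the package declaration (`package com.yahoo.vespa.model.application.validation;// Copyright Verizon Media. …`), which hides the header from tooling that expects it on its own first line as in the sibling BindingPatternTest; moving the comment to line 1 and the package statement to line 2 fixes it. On coverage, `fails_on_invalid_filter_binding` fails on the port, so whether an `https` scheme is accepted for filter-chain bindings on hosted is not pinned by any case here, while `fails_on_user_handler_binding_with_non_http_scheme` pins `http` only for handlers; an explicit `allows_filter_binding_with_https_scheme` (or its negative) would document the intended rule. The validator is also only exercised through `<request-chain>`, never `<response-chain>`, and the expected messages spell the chain `my-request-filer-chain`; harmless in a test, but worth fixing while the file is new.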
\ No newline at end of file
diff --git a/config-model/src/test/java/com/yahoo/vespa/model/container/component/BindingPatternTest.java b/config-model/src/test/java/com/yahoo/vespa/model/container/component/BindingPatternTest.java
new file mode 100644
index 00000000000..91a2b65c0e0
--- /dev/null
+++ b/config-model/src/test/java/com/yahoo/vespa/model/container/component/BindingPatternTest.java
@@ -0,0 +1,53 @@ +// Copyright Verizon Media. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. +package com.yahoo.vespa.model.container.component; + +import org.junit.Test; + +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertFalse; + +/** + * @author bjorncs + */ +public class BindingPatternTest { + + @Test + public void parses_valid_bindings_correctly() { + assertBindingParses("http://host:1234/path"); + assertBindingParses("http://host/path"); + assertBindingParses("http://host/"); + assertBindingParses("*://*:*/*"); + assertBindingParses("http://*/*"); + assertBindingParses("https://*/my/path"); + assertBindingParses("https://*/path/*"); + assertBindingParses("https://host:*/path/*"); + assertBindingParses("https://host:1234/*"); + } + + @Test + public void getters_returns_correct_components() { + { + BindingPattern pattern = SystemBindingPattern.fromPattern("http://host:1234/path/*"); + assertEquals("http", pattern.scheme()); + assertEquals("host", pattern.host()); + assertEquals("1234", pattern.port().get()); + assertEquals("/path/*", pattern.path()); + } + { + BindingPattern pattern = SystemBindingPattern.fromPattern("https://*/path/v1/"); + assertEquals("https", pattern.scheme()); + assertEquals("*", pattern.host()); + assertFalse(pattern.port().isPresent()); + assertEquals("/path/v1/", pattern.path()); + } + } + + private static void assertBindingParses(String binding) { + BindingPattern pattern = SystemBindingPattern.fromPattern(binding); + String stringRepresentation = pattern.patternString(); + assertEquals( + "Expected string representation of parsed binding to match original binding string", + binding, stringRepresentation); + } + +}
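Review bot: `BindingPatternTest` only round-trips well-formed patterns through `SystemBindingPattern.fromPattern` and never asserts that a malformed one is rejected, although the same parser is applied to user-supplied `<binding>` text by `UserBindingPattern.fromPattern` in HttpBuilder and ContainerModelBuilder in this commit. If `fromPattern` is meant to throw on input such as `"no-scheme/path"` or `""`, a `rejects_malformed_bindings` case using the same `ExpectedException` rule as UriBindingsValidatorTest would pin that contract; if it is meant to accept them, a test showing what it produces would be just as useful. `pattern.port().get()` in `getters_returns_correct_components` is fine in a test, but `pattern.port().orElseThrow()` reads the same and never trips Error Prone's unchecked-`get` check.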
\ No newline at end of file
diff --git a/config-model/src/test/java/com/yahoo/vespa/model/container/http/FilterBindingsTest.java b/config-model/src/test/java/com/yahoo/vespa/model/container/http/FilterBindingsTest.java
index 0f9de516a4b..5b0c13a4038
--- a/config-model/src/test/java/com/yahoo/vespa/model/container/http/FilterBindingsTest.java
+++ b/config-model/src/test/java/com/yahoo/vespa/model/container/http/FilterBindingsTest.java
@@ -1,10 +1,12 @@
 // Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.vespa.model.container.http;
 
-import com.yahoo.config.model.deploy.DeployState;
 import com.yahoo.config.model.builder.xml.test.DomBuilderTest;
+import com.yahoo.config.model.deploy.DeployState;
 import com.yahoo.jdisc.http.ServerConfig;
 import com.yahoo.vespa.model.container.ContainerModel;
+import com.yahoo.vespa.model.container.component.BindingPattern;
+import com.yahoo.vespa.model.container.component.UserBindingPattern;
 import com.yahoo.vespa.model.container.component.chain.Chain;
 import com.yahoo.vespa.model.container.http.xml.HttpBuilder;
 import com.yahoo.vespa.model.container.xml.ContainerModelBuilder;
@@ -21,7 +23,7 @@ import static org.junit.Assert.assertNotNull;
  */
 public class FilterBindingsTest extends DomBuilderTest {
 
-    private static final String MY_CHAIN_BINDING = "http://*/my-chain-binding";
+    private static final BindingPattern MY_CHAIN_BINDING = UserBindingPattern.fromHttpPath("/my-chain-binding");
 
     private Http buildHttp(Element xml) {
         Http http = new HttpBuilder().build(root.getDeployState(), root, xml);
@@ -42,14 +44,14 @@ public class FilterBindingsTest extends DomBuilderTest { "<http>", " <filtering>", " <request-chain id='my-request-chain'>", - " <binding>" + MY_CHAIN_BINDING + "</binding>", + " <binding>" + MY_CHAIN_BINDING.patternString() + "</binding>", " </request-chain>", " </filtering>", "</http>"); Http http = buildHttp(xml); - Binding binding = first(http.getBindings()); - assertEquals("my-request-chain", binding.filterId().getName()); + FilterBinding binding = first(http.getBindings()); + assertEquals("my-request-chain", binding.chainId().getName()); assertEquals(MY_CHAIN_BINDING, binding.binding()); Chain<Filter> myChain = http.getFilterChains().allChains().getComponent("my-request-chain"); @@ -62,14 +64,14 @@ public class FilterBindingsTest extends DomBuilderTest { "<http>", " <filtering>", " <response-chain id='my-response-chain'>", - " <binding>" + MY_CHAIN_BINDING + "</binding>", + " <binding>" + MY_CHAIN_BINDING.patternString() + "</binding>", " </response-chain>", " </filtering>", "</http>"); Http http = buildHttp(xml); - Binding binding = first(http.getBindings()); - assertEquals("my-response-chain", binding.filterId().getName()); + FilterBinding binding = first(http.getBindings()); + assertEquals("my-response-chain", binding.chainId().getName()); assertEquals(MY_CHAIN_BINDING, binding.binding()); Chain<Filter> myChain = http.getFilterChains().allChains().getComponent("my-response-chain"); @@ -83,7 +85,7 @@ public class FilterBindingsTest extends DomBuilderTest { " <http>", " <filtering>", " <request-chain id='my-request-chain'>", - " <binding>" + MY_CHAIN_BINDING + "</binding>", + " <binding>" + MY_CHAIN_BINDING.patternString() + "</binding>", " </request-chain>", " </filtering>", " <server id='server1' port='8000' />", 
@@ -96,13 +98,13 @@ public class FilterBindingsTest extends DomBuilderTest { final ServerConfig config = root.getConfig(ServerConfig.class, "container/http/jdisc-jetty/server1"); assertEquals(1, config.filter().size()); assertEquals("my-request-chain", config.filter(0).id()); - assertEquals(MY_CHAIN_BINDING, config.filter(0).binding()); + assertEquals(MY_CHAIN_BINDING.patternString(), config.filter(0).binding()); } { final ServerConfig config = root.getConfig(ServerConfig.class, "container/http/jdisc-jetty/server2"); assertEquals(1, config.filter().size()); assertEquals("my-request-chain", config.filter(0).id()); - assertEquals(MY_CHAIN_BINDING, config.filter(0).binding()); + assertEquals(MY_CHAIN_BINDING.patternString(), config.filter(0).binding()); } } diff --git a/config-model/src/test/java/com/yahoo/vespa/model/container/xml/AccessControlTest.java b/config-model/src/test/java/com/yahoo/vespa/model/container/xml/AccessControlTest.java index 28e23ce3222..4c3a1084005 100644 --- a/config-model/src/test/java/com/yahoo/vespa/model/container/xml/AccessControlTest.java +++ b/config-model/src/test/java/com/yahoo/vespa/model/container/xml/AccessControlTest.java 
@@ -1,271 +1,182 @@ // Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. package com.yahoo.vespa.model.container.xml; -import com.google.common.collect.ImmutableSet; -import com.yahoo.collections.CollectionUtil; import com.yahoo.component.ComponentId; import com.yahoo.config.model.builder.xml.test.DomBuilderTest; import com.yahoo.config.model.deploy.DeployState; import com.yahoo.config.model.deploy.TestProperties; import com.yahoo.config.provision.AthenzDomain; -import com.yahoo.container.jdisc.state.StateHandler; import com.yahoo.vespa.model.container.ApplicationContainer; -import com.yahoo.vespa.model.container.ContainerCluster; import com.yahoo.vespa.model.container.http.AccessControl; +import com.yahoo.vespa.model.container.http.FilterChains; import com.yahoo.vespa.model.container.http.Http; -import com.yahoo.vespa.model.container.http.Binding; -import com.yahoo.vespa.model.container.http.xml.HttpBuilder; -import com.yahoo.vespa.model.container.jersey.Jersey2Servlet; import org.junit.Test; -import org.w3c.dom.Element; -import java.util.Collection; -import java.util.HashSet; +import java.util.ArrayList; +import java.util.List; import java.util.Optional; import java.util.Set; import java.util.stream.Collectors; -import static com.yahoo.config.model.test.TestUtil.joinLines; import static com.yahoo.vespa.defaults.Defaults.getDefaults; +import static org.hamcrest.CoreMatchers.hasItem; import static org.hamcrest.CoreMatchers.is; +import static org.hamcrest.Matchers.containsInAnyOrder; import static org.hamcrest.Matchers.equalTo; +import static org.hamcrest.Matchers.hasItems; +import static org.hamcrest.Matchers.not; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertFalse; -import static org.junit.Assert.assertNotEquals; -import static org.junit.Assert.assertNotNull; import static org.junit.Assert.assertThat; import static org.junit.Assert.assertTrue; /** * @author 
gjoranv + * @author bjorncs */ public class AccessControlTest extends ContainerModelBuilderTestBase { - private static final Set<String> REQUIRED_HANDLER_BINDINGS = ImmutableSet.of( - "/custom-handler/", - "/search/", - "/document/", - ContainerCluster.RESERVED_URI_PREFIX); - - private static final Set<String> FORBIDDEN_HANDLER_BINDINGS = ImmutableSet.of( - "/ApplicationStatus", - "/status.html", - "/statistics/", - StateHandler.STATE_API_ROOT, - ContainerCluster.ROOT_HANDLER_PATH); - @Test - public void access_control_filter_chain_is_set_up() { - Element clusterElem = DomBuilderTest.parse( + public void access_control_filter_chains_are_set_up() { + Http http = createModelAndGetHttp( " <http>", " <filtering>", - " <access-control domain='foo' />", + " <access-control domain='my-tenant-domain' />", " </filtering>", " </http>"); - Http http = new HttpBuilder().build(root.getDeployState(), root, clusterElem); - root.freezeModelTopology(); - - assertTrue(http.getFilterChains().hasChain(AccessControl.ACCESS_CONTROL_CHAIN_ID)); + FilterChains filterChains = http.getFilterChains(); + assertTrue(filterChains.hasChain(AccessControl.ACCESS_CONTROL_CHAIN_ID)); + assertTrue(filterChains.hasChain(AccessControl.ACCESS_CONTROL_EXCLUDED_CHAIN_ID)); } @Test public void properties_are_set_from_xml() { - Element clusterElem = DomBuilderTest.parse( + Http http = createModelAndGetHttp( " <http>", " <filtering>", - " <access-control domain='my-domain'/>", + " <access-control domain='my-tenant-domain'/>", " </filtering>", " </http>"); - Http http = new HttpBuilder().build(root.getDeployState(), root, clusterElem); - root.freezeModelTopology(); AccessControl accessControl = http.getAccessControl().get(); - assertEquals("Wrong domain.", "my-domain", accessControl.domain); + assertEquals("Wrong domain.", "my-tenant-domain", accessControl.domain); } @Test public void read_is_disabled_and_write_is_enabled_by_default() { - Element clusterElem = DomBuilderTest.parse( + Http http = 
createModelAndGetHttp( " <http>", " <filtering>", - " <access-control domain='foo' />", + " <access-control domain='my-tenant-domain'/>", " </filtering>", " </http>"); - Http http = new HttpBuilder().build(root.getDeployState(), root, clusterElem); - root.freezeModelTopology(); - assertFalse("Wrong default value for read.", http.getAccessControl().get().readEnabled); assertTrue("Wrong default value for write.", http.getAccessControl().get().writeEnabled); } @Test public void read_and_write_can_be_overridden() { - Element clusterElem = DomBuilderTest.parse( + Http http = createModelAndGetHttp( " <http>", " <filtering>", - " <access-control domain='foo' read='true' write='false'/>", + " <access-control domain='my-tenant-domain' read='true' write='false'/>", " </filtering>", " </http>"); - Http http = new HttpBuilder().build(root.getDeployState(), root, clusterElem); - root.freezeModelTopology(); - assertTrue("Given read value not honoured.", http.getAccessControl().get().readEnabled); assertFalse("Given write value not honoured.", http.getAccessControl().get().writeEnabled); } @Test - public void access_control_filter_chain_has_correct_handler_bindings() { - Element clusterElem = DomBuilderTest.parse( - "<container version='1.0'>", - " <search/>", - " <document-api/>", - " <handler id='custom.Handler'>", - " <binding>http://*/custom-handler/*</binding>", - " </handler>", + public void access_control_excluded_filter_chain_has_all_bindings_from_excluded_handlers() { + Http http = createModelAndGetHttp( " <http>", " <filtering>", - " <access-control domain='foo' />", + " <access-control/>", " </filtering>", - " </http>", - "</container>"); - - Http http = getHttp(clusterElem); - - Set<String> foundRequiredBindings = REQUIRED_HANDLER_BINDINGS.stream() - .filter(requiredBinding -> containsBinding(http.getBindings(), requiredBinding)) - .collect(Collectors.toSet()); - Set<String> missingRequiredBindings = new HashSet<>(REQUIRED_HANDLER_BINDINGS); - 
missingRequiredBindings.removeAll(foundRequiredBindings); - assertTrue("Access control chain was not bound to: " + CollectionUtil.mkString(missingRequiredBindings, ", "), - missingRequiredBindings.isEmpty()); - - FORBIDDEN_HANDLER_BINDINGS.forEach(forbiddenPath -> { - String forbiddenBinding = String.format("http://*%s", forbiddenPath); - http.getBindings().forEach( - binding -> assertNotEquals("Access control chain was bound to: " + binding.binding(), binding.binding(), forbiddenBinding)); - }); - } - - @Test - public void handler_can_be_excluded_by_excluding_one_of_its_bindings() { - final String notExcludedBinding = "http://*/custom-handler/*"; - final String excludedBinding = "http://*/excluded/*"; - Element clusterElem = DomBuilderTest.parse( - "<container version='1.0'>", - httpWithExcludedBinding(excludedBinding), - " <handler id='custom.Handler'>", - " <binding>" + notExcludedBinding + "</binding>", - " <binding>" + excludedBinding + "</binding>", - " </handler>", - "</container>"); - - Http http = getHttp(clusterElem); - assertFalse("Excluded binding was not removed.", - containsBinding(http.getBindings(), excludedBinding)); - assertFalse("Not all bindings of an excluded handler were removed.", - containsBinding(http.getBindings(), notExcludedBinding)); + " </http>"); + Set<String> actualBindings = getFilterBindings(http, AccessControl.ACCESS_CONTROL_EXCLUDED_CHAIN_ID); + assertThat(actualBindings, containsInAnyOrder( + "http://*:4443/ApplicationStatus", + "http://*:4443/status.html", + "http://*:4443/state/v1", + "http://*:4443/state/v1/*", + "http://*:4443/prometheus/v1", + "http://*:4443/prometheus/v1/*", + "http://*:4443/metrics/v2", + "http://*:4443/metrics/v2/*", + "http://*:4443/")); } @Test - public void access_control_filter_chain_has_all_servlet_bindings() { - final String servletPath = "servlet/path"; - final String restApiPath = "api/v0"; - final Set<String> requiredBindings = ImmutableSet.of(servletPath, restApiPath); - Element clusterElem = 
DomBuilderTest.parse( - "<container version='1.0'>", - " <servlet id='foo' class='bar' bundle='baz'>", - " <path>" + servletPath + "</path>", - " </servlet>", - " <rest-api jersey2='true' path='" + restApiPath + "' />", + public void access_control_excluded_chain_does_not_contain_any_bindings_from_access_control_chain() { + Http http = createModelAndGetHttp( " <http>", " <filtering>", - " <access-control domain='foo' />", + " <access-control/>", " </filtering>", - " </http>", - "</container>"); - - Http http = getHttp(clusterElem); + " </http>"); - Set<String> missingRequiredBindings = requiredBindings.stream() - .filter(requiredBinding -> ! containsBinding(http.getBindings(), requiredBinding)) - .collect(Collectors.toSet()); + Set<String> bindings = getFilterBindings(http, AccessControl.ACCESS_CONTROL_CHAIN_ID); + Set<String> excludedBindings = getFilterBindings(http, AccessControl.ACCESS_CONTROL_EXCLUDED_CHAIN_ID); - assertTrue("Access control chain was not bound to: " + CollectionUtil.mkString(missingRequiredBindings, ", "), - missingRequiredBindings.isEmpty()); + for (String binding : bindings) { + assertThat(excludedBindings, not(hasItem(binding))); + } } - @Test - public void servlet_can_be_excluded_by_excluding_one_of_its_bindings() { - final String servletPath = "servlet/path"; - final String notExcludedBinding = "http://*:8081/" + servletPath; - final String excludedBinding = "http://*:8080/" + servletPath; - Element clusterElem = DomBuilderTest.parse( - "<container version='1.0'>", - httpWithExcludedBinding(excludedBinding), - " <servlet id='foo' class='bar' bundle='baz'>", - " <path>" + servletPath + "</path>", - " </servlet>", - "</container>"); - Http http = getHttp(clusterElem); - assertFalse("Excluded binding was not removed.", - containsBinding(http.getBindings(), excludedBinding)); - assertFalse("Not all bindings of an excluded servlet were removed.", - containsBinding(http.getBindings(), notExcludedBinding)); + @Test + public void 
access_control_excluded_filter_chain_has_user_provided_excluded_bindings() { + Http http = createModelAndGetHttp( + " <http>", + " <handler id='custom.Handler'>", + " <binding>http://*/custom-handler/*</binding>", + " </handler>", + " <filtering>", + " <access-control>", + " <exclude>", + " <binding>http://*/custom-handler/*</binding>", + " <binding>http://*/search/*</binding>", + " </exclude>", + " </access-control>", + " </filtering>", + " </http>"); + Set<String> actualBindings = getFilterBindings(http, AccessControl.ACCESS_CONTROL_EXCLUDED_CHAIN_ID); + assertThat(actualBindings, hasItems("http://*:4443/custom-handler/*", "http://*:4443/search/*", "http://*:4443/status.html")); } @Test - public void rest_api_can_be_excluded_by_excluding_one_of_its_bindings() { - final String restApiPath = "api/v0"; - final String notExcludedBinding = "http://*:8081/" + restApiPath + Jersey2Servlet.BINDING_SUFFIX;; - final String excludedBinding = "http://*:8080/" + restApiPath + Jersey2Servlet.BINDING_SUFFIX;; - Element clusterElem = DomBuilderTest.parse( - "<container version='1.0'>", - httpWithExcludedBinding(excludedBinding), - " <rest-api jersey2='true' path='" + restApiPath + "' />", - "</container>"); - - Http http = getHttp(clusterElem); - assertFalse("Excluded binding was not removed.", - containsBinding(http.getBindings(), excludedBinding)); - assertFalse("Not all bindings of an excluded rest-api were removed.", - containsBinding(http.getBindings(), notExcludedBinding)); - + public void access_control_filter_chain_contains_catchall_bindings() { + Http http = createModelAndGetHttp( + " <http>", + " <filtering>", + " <access-control/>", + " </filtering>", + " </http>"); + Set<String> actualBindings = getFilterBindings(http, AccessControl.ACCESS_CONTROL_CHAIN_ID); + assertThat(actualBindings, containsInAnyOrder("http://*:4443/*")); } - @Test public void access_control_is_implicitly_added_for_hosted_apps() { - Element clusterElem = DomBuilderTest.parse( - "<container 
version='1.0'>", - nodesXml, - "</container>" ); - AthenzDomain tenantDomain = AthenzDomain.from("my-tenant-domain"); - DeployState state = new DeployState.Builder().properties( - new TestProperties() - .setAthenzDomain(tenantDomain) - .setHostedVespa(true)) - .build(); - createModel(root, state, null, clusterElem); - Optional<AccessControl> maybeAccessControl = - ((ApplicationContainer) root.getProducer("container/container.0")).getHttp().getAccessControl(); + Http http = createModelAndGetHttp("<container version='1.0'/>"); + Optional<AccessControl> maybeAccessControl = http.getAccessControl(); assertThat(maybeAccessControl.isPresent(), is(true)); AccessControl accessControl = maybeAccessControl.get(); assertThat(accessControl.writeEnabled, is(false)); assertThat(accessControl.readEnabled, is(false)); - assertThat(accessControl.domain, equalTo(tenantDomain.value())); + assertThat(accessControl.domain, equalTo("my-tenant-domain")); } @Test public void access_control_is_implicitly_added_for_hosted_apps_with_existing_http_element() { - Element clusterElem = DomBuilderTest.parse( - "<container version='1.0'>", + Http http = createModelAndGetHttp( " <http>", " <server port='" + getDefaults().vespaWebServicePort() + "' id='main' />", " <filtering>", 
@@ -274,49 +185,33 @@ public class AccessControlTest extends ContainerModelBuilderTestBase { " <filter id='inner' />", " </request-chain>", " </filtering>", - " </http>", - nodesXml, - "</container>" ); - AthenzDomain tenantDomain = AthenzDomain.from("my-tenant-domain"); - DeployState state = new DeployState.Builder().properties( - new TestProperties() - .setAthenzDomain(tenantDomain) - .setHostedVespa(true)) - .build(); - createModel(root, state, null, clusterElem); - Http http = ((ApplicationContainer) root.getProducer("container/container.0")).getHttp(); + " </http>"); assertThat(http.getAccessControl().isPresent(), is(true)); assertThat(http.getFilterChains().hasChain(AccessControl.ACCESS_CONTROL_CHAIN_ID), is(true)); assertThat(http.getFilterChains().hasChain(ComponentId.fromString("myChain")), is(true)); } + private Http createModelAndGetHttp(String... httpElement) { + List<String> servicesXml = new ArrayList<>(); + servicesXml.add("<container version='1.0'>"); + servicesXml.addAll(List.of(httpElement)); + servicesXml.add("</container>"); - private String httpWithExcludedBinding(String excludedBinding) { - return joinLines( - " <http>", - " <filtering>", - " <access-control domain='foo'>", - " <exclude>", - " <binding>" + excludedBinding + "</binding>", - " </exclude>", - " </access-control>", - " </filtering>", - " </http>"); + AthenzDomain tenantDomain = AthenzDomain.from("my-tenant-domain"); + DeployState state = new DeployState.Builder().properties( + new TestProperties() + .setAthenzDomain(tenantDomain) + .setHostedVespa(true)) + .build(); + createModel(root, state, null, DomBuilderTest.parse(servicesXml.toArray(String[]::new))); + return ((ApplicationContainer) root.getProducer("container/container.0")).getHttp(); } - private Http getHttp(Element clusterElem) { - createModel(root, clusterElem); - ContainerCluster cluster = (ContainerCluster) root.getChildren().get("container"); - Http http = cluster.getHttp(); - assertNotNull(http); - return http; + 
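Review bot: `access_control_excluded_chain_does_not_contain_any_bindings_from_access_control_chain` passes trivially: the access-control chain holds only the catch-all `http://*:4443/*` (pinned by `access_control_filter_chain_contains_catchall_bindings`) and the excluded chain holds concrete paths, so a string-inequality check can never fail and says nothing about which chain actually wins for a request to `/state/v1` or `/`; the property that matters is binding precedence at request time, and a comment stating where that is verified (or an assertion through the resulting `ServerConfig`, as FilterBindingsTest does) would make the intent checkable. The deleted servlet and rest-api cases (`access_control_filter_chain_has_all_servlet_bindings`, `servlet_can_be_excluded_by_excluding_one_of_its_bindings`, `rest_api_can_be_excluded_by_excluding_one_of_its_bindings`) have no successor, so nothing now checks that a `<servlet>` or `<rest-api>` path on a non-default port is either covered by the catch-all or excludable. If the catch-all design makes per-handler coverage redundant by construction, saying so in a comment on the catch-all test explains the removal; otherwise a test excluding a servlet path would restore it. This hunk ends before the end of the class.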
private static Set<String> getFilterBindings(Http http, ComponentId filerChain) { + return http.getBindings().stream() + .filter(binding -> binding.chainId().toId().equals(filerChain)) + .map(binding -> binding.binding().patternString()) + .collect(Collectors.toSet()); } - private boolean containsBinding(Collection<Binding> bindings, String binding) { - for (Binding b : bindings) { - if (b.binding().contains(binding)) - return true; - } - return false; - } } diff --git a/config-model/src/test/java/com/yahoo/vespa/model/container/xml/ContainerDocumentApiBuilderTest.java b/config-model/src/test/java/com/yahoo/vespa/model/container/xml/ContainerDocumentApiBuilderTest.java index ac2e1b88c0b..73a68429b6d 100644 --- a/config-model/src/test/java/com/yahoo/vespa/model/container/xml/ContainerDocumentApiBuilderTest.java +++ b/config-model/src/test/java/com/yahoo/vespa/model/container/xml/ContainerDocumentApiBuilderTest.java @@ -4,6 +4,8 @@ package com.yahoo.vespa.model.container.xml; import com.yahoo.config.model.builder.xml.test.DomBuilderTest; import com.yahoo.vespa.model.container.ContainerCluster; import com.yahoo.vespa.model.container.component.Handler; +import com.yahoo.vespa.model.container.component.SystemBindingPattern; +import com.yahoo.vespa.model.container.component.UserBindingPattern; import org.junit.Test; import org.w3c.dom.Element; 
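Review bot: The parameter of `getFilterBindings` is misspelled `filerChain`; rename it to `filterChain` in both the signature and the `.filter(binding -> binding.chainId().toId().equals(filterChain))` lambda so the helper reads as intended. A one-line Javadoc such as `/** Returns the server binding patterns routed to the given filter chain. */` would also make its role in the access-control assertions self-explanatory, since it is the only place the test inspects which bindings a chain actually covers. The enclosing test class continues outside this hunk.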
@@ -40,24 +42,21 @@ public class ContainerDocumentApiBuilderTest extends ContainerModelBuilderTestBa
 "<container id='cluster1' version='1.0'>",
 " <document-api>",
 " <binding>http://*/document-api/</binding>",
- " <binding>missing-trailing-slash</binding>",
 " </document-api>",
 nodesXml,
 "</container>");
 createModel(root, elem);
- verifyCustomBindings("com.yahoo.vespa.http.server.FeedHandler", ContainerCluster.RESERVED_URI_PREFIX + "/feedapi");
+ verifyCustomBindings("com.yahoo.vespa.http.server.FeedHandler");
 }
- private void verifyCustomBindings(String id, String bindingSuffix) {
+ private void verifyCustomBindings(String id) {
 Handler<?> handler = getHandlers("cluster1").get(id);
- assertThat(handler.getServerBindings(), hasItem("http://*/document-api/" + bindingSuffix));
- assertThat(handler.getServerBindings(), hasItem("http://*/document-api/" + bindingSuffix + "/"));
- assertThat(handler.getServerBindings(), hasItem("missing-trailing-slash/" + bindingSuffix));
- assertThat(handler.getServerBindings(), hasItem("missing-trailing-slash/" + bindingSuffix + "/"));
+ assertThat(handler.getServerBindings(), hasItem(UserBindingPattern.fromHttpPath("/document-api/reserved-for-internal-use/feedapi")));
+ assertThat(handler.getServerBindings(), hasItem(UserBindingPattern.fromHttpPath("/document-api/reserved-for-internal-use/feedapi/")));
- assertThat(handler.getServerBindings().size(), is(4));
+ assertThat(handler.getServerBindings().size(), is(2));
 }
 @Test
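Review bot: The new assertions in `verifyCustomBindings` hard-code the reserved prefix as the literal `reserved-for-internal-use`, whereas the removed lines derived it from `ContainerCluster.RESERVED_URI_PREFIX`; building the path as `UserBindingPattern.fromHttpPath("/document-api/" + ContainerCluster.RESERVED_URI_PREFIX + "/feedapi")` keeps the test tied to the constant the model uses, so a future change to the prefix cannot silently desynchronise test and model. Dropping the `missing-trailing-slash` binding also removes the only coverage of a user binding supplied without a scheme and host; if the new binding types now reject such input, a separate test asserting that rejection would document the behaviour. The test method whose body opens this hunk starts outside it.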
@@ -76,8 +75,12 @@ public class ContainerDocumentApiBuilderTest extends ContainerModelBuilderTestBa assertThat(handlerMap.get("com.yahoo.container.jdisc.state.StateHandler"), not(nullValue())); assertThat(handlerMap.get("com.yahoo.vespa.http.server.FeedHandler"), not(nullValue())); - assertThat(handlerMap.get("com.yahoo.vespa.http.server.FeedHandler").getServerBindings().contains("http://*/" + ContainerCluster.RESERVED_URI_PREFIX + "/feedapi"), is(true)); - assertThat(handlerMap.get("com.yahoo.vespa.http.server.FeedHandler").getServerBindings().contains("http://*/" + ContainerCluster.RESERVED_URI_PREFIX + "/feedapi/"), is(true)); + assertThat(handlerMap.get("com.yahoo.vespa.http.server.FeedHandler").getServerBindings() + .contains(SystemBindingPattern.fromHttpPath("/reserved-for-internal-use/feedapi")), + is(true)); + assertThat(handlerMap.get("com.yahoo.vespa.http.server.FeedHandler").getServerBindings() + .contains(SystemBindingPattern.fromHttpPath("/reserved-for-internal-use/feedapi")), + is(true)); assertThat(handlerMap.get("com.yahoo.vespa.http.server.FeedHandler").getServerBindings().size(), equalTo(2)); } } diff --git a/config-model/src/test/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilderTest.java b/config-model/src/test/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilderTest.java index fdd7ae57f0f..6114449c948 100644 --- a/config-model/src/test/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilderTest.java +++ b/config-model/src/test/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilderTest.java @@ -241,7 +241,7 @@ public class ContainerModelBuilderTest extends ContainerModelBuilderTestBase { Element clusterElem = DomBuilderTest.parse( "<container id='default' version='1.0'>" + " <handler id='userRootHandler'>" + - " <binding>" + ROOT_HANDLER_BINDING + "</binding>" + + " <binding>" + ROOT_HANDLER_BINDING.patternString() + "</binding>" + " </handler>" + "</container>"); createModel(root, clusterElem); 
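Review bot: The two added assertions in the first hunk are identical: both check `SystemBindingPattern.fromHttpPath("/reserved-for-internal-use/feedapi")`, while the removed second line checked the trailing-slash variant `.../feedapi/`. The second assertion should read `.contains(SystemBindingPattern.fromHttpPath("/reserved-for-internal-use/feedapi/"))` so the test still verifies that both server bindings are present instead of relying on the `size()` check alone to cover the second one. The enclosing test method begins outside this hunk.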
@@ -260,7 +260,7 @@ public class ContainerModelBuilderTest extends ContainerModelBuilderTestBase { Element clusterElem = DomBuilderTest.parse( "<container id='default' version='1.0'>" + " <handler id='userHandler'>" + - " <binding>" + STATE_HANDLER_BINDING_1 + "</binding>" + + " <binding>" + STATE_HANDLER_BINDING_1.patternString() + "</binding>" + " </handler>" + "</container>"); try { @@ -277,9 +277,9 @@ public class ContainerModelBuilderTest extends ContainerModelBuilderTestBase { createClusterWithJDiscHandler(); String discBindingsConfig = root.getConfig(JdiscBindingsConfig.class, "default").toString(); assertThat(discBindingsConfig, containsString("{discHandler}")); - assertThat(discBindingsConfig, containsString(".serverBindings[0] \"binding0\"")); - assertThat(discBindingsConfig, containsString(".serverBindings[1] \"binding1\"")); - assertThat(discBindingsConfig, containsString(".clientBindings[0] \"clientBinding\"")); + assertThat(discBindingsConfig, containsString(".serverBindings[0] \"http://*/binding0\"")); + assertThat(discBindingsConfig, containsString(".serverBindings[1] \"http://*/binding1\"")); + assertThat(discBindingsConfig, containsString(".clientBindings[0] \"http://*/clientBinding\"")); } @Test @@ -292,9 +292,9 @@ public class ContainerModelBuilderTest extends ContainerModelBuilderTestBase { Element clusterElem = DomBuilderTest.parse( "<container id='default' version='1.0'>", " <handler id='discHandler'>", - " <binding>binding0</binding>", - " <binding>binding1</binding>", - " <clientBinding>clientBinding</clientBinding>", + " <binding>http://*/binding0</binding>", + " <binding>http://*/binding1</binding>", + " <clientBinding>http://*/clientBinding</clientBinding>", " </handler>", "</container>"); 
@@ -340,16 +340,16 @@ public class ContainerModelBuilderTest extends ContainerModelBuilderTestBase {
 Element clusterElem = DomBuilderTest.parse(
 "<container id='default' version='1.0'>",
 " <processing>",
- " <binding>binding0</binding>",
- " <binding>binding1</binding>",
+ " <binding>http://*/binding0</binding>",
+ " <binding>http://*/binding1</binding>",
 " </processing>",
 "</container>");
 createModel(root, clusterElem);
 String discBindingsConfig = root.getConfig(JdiscBindingsConfig.class, "default").toString();
- assertThat(discBindingsConfig, containsString(".serverBindings[0] \"binding0\""));
- assertThat(discBindingsConfig, containsString(".serverBindings[1] \"binding1\""));
+ assertThat(discBindingsConfig, containsString(".serverBindings[0] \"http://*/binding0\""));
+ assertThat(discBindingsConfig, containsString(".serverBindings[1] \"http://*/binding1\""));
 assertThat(discBindingsConfig, not(containsString("/processing/*")));
 }
@@ -358,9 +358,9 @@ public class ContainerModelBuilderTest extends ContainerModelBuilderTestBase {
 createModelWithClientProvider();
 String discBindingsConfig = root.getConfig(JdiscBindingsConfig.class, "default").toString();
 assertThat(discBindingsConfig, containsString("{discClient}"));
- assertThat(discBindingsConfig, containsString(".clientBindings[0] \"binding0\""));
- assertThat(discBindingsConfig, containsString(".clientBindings[1] \"binding1\""));
- assertThat(discBindingsConfig, containsString(".serverBindings[0] \"serverBinding\""));
+ assertThat(discBindingsConfig, containsString(".clientBindings[0] \"http://*/binding0\""));
+ assertThat(discBindingsConfig, containsString(".clientBindings[1] \"http://*/binding1\""));
+ assertThat(discBindingsConfig, containsString(".serverBindings[0] \"http://*/serverBinding\""));
 }
 @Test
@@ -373,9 +373,9 @@ public class ContainerModelBuilderTest extends ContainerModelBuilderTestBase { Element clusterElem = DomBuilderTest.parse( "<container id='default' version='1.0'>" + " <client id='discClient'>" + - " <binding>binding0</binding>" + - " <binding>binding1</binding>" + - " <serverBinding>serverBinding</serverBinding>" + + " <binding>http://*/binding0</binding>" + + " <binding>http://*/binding1</binding>" + + " <serverBinding>http://*/serverBinding</serverBinding>" + " </client>" + "</container>" ); diff --git a/config-model/src/test/java/com/yahoo/vespa/model/container/xml/SearchBuilderTest.java b/config-model/src/test/java/com/yahoo/vespa/model/container/xml/SearchBuilderTest.java index b2f9c805be1..c8564c5a273 100644 --- a/config-model/src/test/java/com/yahoo/vespa/model/container/xml/SearchBuilderTest.java +++ b/config-model/src/test/java/com/yahoo/vespa/model/container/xml/SearchBuilderTest.java @@ -20,6 +20,8 @@ import static com.yahoo.test.Matchers.hasItemWithMethod; import static com.yahoo.vespa.model.container.search.ContainerSearch.QUERY_PROFILE_REGISTRY_CLASS; import static com.yahoo.vespa.model.container.xml.ContainerModelBuilder.SEARCH_HANDLER_BINDING; import static com.yahoo.vespa.model.container.xml.ContainerModelBuilder.SEARCH_HANDLER_CLASS; +import static org.hamcrest.Matchers.containsString; +import static org.hamcrest.Matchers.not; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertFalse; import static org.junit.Assert.assertNotNull; @@ -48,7 +50,7 @@ public class SearchBuilderTest extends ContainerModelBuilderTestBase { createModel(root, clusterElem); String discBindingsConfig = root.getConfig(JdiscBindingsConfig.class, "default").toString(); - assertTrue(discBindingsConfig.contains(GUIHandler.BINDING)); + assertThat(discBindingsConfig, containsString(GUIHandler.BINDING_PATH)); ApplicationContainerCluster cluster = (ApplicationContainerCluster)root.getChildren().get("default"); 
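Review bot: In the SearchBuilderTest hunk at line 48, `assertThat(discBindingsConfig, containsString(GUIHandler.BINDING_PATH))` matches a bare path substring anywhere in the rendered config, so it would also pass if that path appeared under a different handler or only as a prefix of some other binding; if `GUIHandler` exposes the full binding pattern, asserting on its `patternString()` inside the `.serverBindings[...]` entry, in the style used elsewhere in this file, pins the binding to the intended handler. This is inferred from the visible hunks only; the rest of `GUIHandler` is not in view. The enclosing test method starts outside this hunk.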
@@ -66,8 +68,8 @@ public class SearchBuilderTest extends ContainerModelBuilderTestBase {
 Element clusterElem = DomBuilderTest.parse(
 "<container id='default' version='1.0'>",
 " <search>",
- " <binding>binding0</binding>",
- " <binding>binding1</binding>",
+ " <binding>http://*/binding0</binding>",
+ " <binding>http://*/binding1</binding>",
 " </search>",
 nodesXml,
 "</container>");
@@ -75,9 +77,9 @@ public class SearchBuilderTest extends ContainerModelBuilderTestBase {
 createModel(root, clusterElem);
 String discBindingsConfig = root.getConfig(JdiscBindingsConfig.class, "default").toString();
- assertTrue(discBindingsConfig.contains(".serverBindings[0] \"binding0\""));
- assertTrue(discBindingsConfig.contains(".serverBindings[1] \"binding1\""));
- assertFalse(discBindingsConfig.contains("/search/*"));
+ assertThat(discBindingsConfig, containsString(".serverBindings[0] \"http://*/binding0\""));
+ assertThat(discBindingsConfig, containsString(".serverBindings[1] \"http://*/binding1\""));
+ assertThat(discBindingsConfig, not(containsString("/search/*")));
 }
 @Test
@@ -103,7 +105,7 @@ public class SearchBuilderTest extends ContainerModelBuilderTestBase {
 "<container id='default' version='1.0'>",
 " <search />",
 " <handler id='" + myHandler + "'>",
- " <binding>" + SEARCH_HANDLER_BINDING + "</binding>",
+ " <binding>" + SEARCH_HANDLER_BINDING.patternString() + "</binding>",
 " </handler>",
 nodesXml,
 "</container>");
@@ -111,7 +113,7 @@ public class SearchBuilderTest extends ContainerModelBuilderTestBase {
 createModel(root, clusterElem);
 var discBindingsConfig = root.getConfig(JdiscBindingsConfig.class, "default");
- assertEquals(SEARCH_HANDLER_BINDING, discBindingsConfig.handlers(myHandler).serverBindings(0));
+ assertEquals(SEARCH_HANDLER_BINDING.patternString(), discBindingsConfig.handlers(myHandler).serverBindings(0));
 assertNull(discBindingsConfig.handlers(SEARCH_HANDLER_CLASS));
 } |
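Review bot: After the hunk at line 75 replaces the `assertTrue`/`assertFalse` calls with `assertThat`, the static import `import static org.junit.Assert.assertFalse;` kept in the import hunk appears to have no remaining caller in the visible parts of SearchBuilderTest; if nothing else in the file uses it (and the corresponding `assertTrue` import, if present), drop them so the file does not carry unused imports. This is inferred from the visible hunks only, since most of the file is not in view. The enclosing test methods start outside their hunks.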