authorMorten Tokle <mortent@verizonmedia.com>2021-04-23 13:10:23 +0200
committerMorten Tokle <mortent@verizonmedia.com>2021-04-23 13:10:23 +0200
commit32e1315bc079a6391757819e8fcff8b01821cc87 (patch)
tree333ee9f3b009883609fe23fc40e3d315a0793e3a /config-model
parent2d89d3298b442be57fe00433e1958f05f9cfa2e6 (diff)
Flag to allow disabling mtls
Diffstat (limited to 'config-model')
-rw-r--r--config-model/src/main/java/com/yahoo/config/model/deploy/TestProperties.java7
-rw-r--r--config-model/src/main/java/com/yahoo/vespa/model/container/http/xml/HttpBuilder.java15
-rw-r--r--config-model/src/test/java/com/yahoo/vespa/model/container/xml/AccessControlTest.java56
3 files changed, 61 insertions, 17 deletions
diff --git a/config-model/src/main/java/com/yahoo/config/model/deploy/TestProperties.java b/config-model/src/main/java/com/yahoo/config/model/deploy/TestProperties.java
index 3722876a53f..3f3d453a90b 100644
--- a/config-model/src/main/java/com/yahoo/config/model/deploy/TestProperties.java
+++ b/config-model/src/main/java/com/yahoo/config/model/deploy/TestProperties.java
@@ -62,6 +62,7 @@ public class TestProperties implements ModelContext.Properties, ModelContext.Fea
private List<TenantSecretStore> tenantSecretStores = Collections.emptyList();
private String jvmOmitStackTraceInFastThrowOption;
private int numDistributorStripes = 0;
+ private boolean allowDisableMtls = true;
@Override public ModelContext.FeatureFlags featureFlags() { return this; }
@Override public boolean multitenant() { return multitenant; }
@@ -104,6 +105,7 @@ public class TestProperties implements ModelContext.Properties, ModelContext.Fea
@Override public List<TenantSecretStore> tenantSecretStores() { return tenantSecretStores; }
@Override public String jvmOmitStackTraceInFastThrowOption(ClusterSpec.Type type) { return jvmOmitStackTraceInFastThrowOption; }
@Override public int numDistributorStripes() { return numDistributorStripes; }
+ @Override public boolean allowDisableMtls() { return allowDisableMtls; }
public TestProperties setFeedConcurrency(double feedConcurrency) {
this.feedConcurrency = feedConcurrency;
@@ -255,6 +257,11 @@ public class TestProperties implements ModelContext.Properties, ModelContext.Fea
return this;
}
+ public TestProperties allowDisableMtls(boolean value) {
+ this.allowDisableMtls = value;
+ return this;
+ }
+
public static class Spec implements ConfigServerSpec {
private final String hostName;
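Review bot: The new builder method `allowDisableMtls(boolean value)` departs from the naming of the neighbouring setters (`setFeedConcurrency` in the second hunk, `setAthenzDomain`/`setHostedVespa` as used by the tests) and shares its name with the getter `allowDisableMtls()` added in that hunk, differing only in arity. Renaming it `public TestProperties setAllowDisableMtls(boolean value) {` keeps the class consistent and avoids the getter/setter overload; the two call sites in AccessControlTest would follow. The field default of `true` in the first hunk means every existing test keeps the permissive behaviour, which is presumably intended, but a one-line comment on the field saying so would save the next reader from wondering whether the default mirrors production.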
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/http/xml/HttpBuilder.java b/config-model/src/main/java/com/yahoo/vespa/model/container/http/xml/HttpBuilder.java
index 5417a522d6a..5c8028575aa 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/http/xml/HttpBuilder.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/http/xml/HttpBuilder.java
@@ -78,13 +78,16 @@ public class HttpBuilder extends VespaDomBuilder.DomConfigProducerBuilder<Http>
readAttr -> builder.readEnabled(Boolean.valueOf(readAttr)));
XmlHelper.getOptionalAttribute(accessControlElem, "write").ifPresent(
writeAttr -> builder.writeEnabled(Boolean.valueOf(writeAttr)));
- builder.clientAuthentication(
+
+ AccessControl.ClientAuthentication clientAuth =
XmlHelper.getOptionalAttribute(accessControlElem, "tls-handshake-client-auth")
- .map(value -> "want".equals(value)
- ? AccessControl.ClientAuthentication.want
- : AccessControl.ClientAuthentication.need)
- .orElse(AccessControl.ClientAuthentication.need)
- );
+ .filter("want"::equals)
+ .map(value -> AccessControl.ClientAuthentication.want)
+ .orElse(AccessControl.ClientAuthentication.need);
+ if (! deployState.getProperties().allowDisableMtls() && clientAuth == AccessControl.ClientAuthentication.want) {
+ throw new IllegalArgumentException("Overriding 'tls-handshake-client-auth' for application is not allowed.");
+ }
+ builder.clientAuthentication(clientAuth);
Element excludeElem = XML.getChild(accessControlElem, "exclude");
if (excludeElem != null) {
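Review bot: The guard on the new `if` line rejects only the single weaker value `want`, so the flag is enforced by naming the permissive value rather than by requiring the strict one; should `ClientAuthentication` ever gain another non-`need` member, it would pass the check unnoticed. Inverting the comparison keeps the intent fail-closed: `if (! deployState.getProperties().allowDisableMtls() && clientAuth != AccessControl.ClientAuthentication.need) {`. Separately, the `.filter("want"::equals)` chain still maps any other attribute value (a typo such as `Want`) silently to `need`; that is the safe direction, but rejecting unrecognised values with an `IllegalArgumentException` would surface the misconfiguration to the deployer instead of hiding it. The enclosing method starts and ends outside the hunk, so where `deployState` comes from is not visible here.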
diff --git a/config-model/src/test/java/com/yahoo/vespa/model/container/xml/AccessControlTest.java b/config-model/src/test/java/com/yahoo/vespa/model/container/xml/AccessControlTest.java
index 4993a51ab74..39b5cc139d9 100644
--- a/config-model/src/test/java/com/yahoo/vespa/model/container/xml/AccessControlTest.java
+++ b/config-model/src/test/java/com/yahoo/vespa/model/container/xml/AccessControlTest.java
@@ -33,6 +33,7 @@ import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertThat;
import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
/**
* @author gjoranv
@@ -290,17 +291,47 @@ public class AccessControlTest extends ContainerModelBuilderTestBase {
@Test
public void access_control_client_auth_can_be_overridden() {
- Http http = createModelAndGetHttp(
- " <http>",
- " <filtering>",
- " <access-control tls-handshake-client-auth=\"want\"/>",
- " </filtering>",
- " </http>");
+ AthenzDomain tenantDomain = AthenzDomain.from("my-tenant-domain");
+ DeployState state = new DeployState.Builder().properties(
+ new TestProperties()
+ .setAthenzDomain(tenantDomain)
+ .setHostedVespa(true)
+ .allowDisableMtls(true))
+ .build();
+ Http http = createModelAndGetHttp(state,
+ " <http>",
+ " <filtering>",
+ " <access-control tls-handshake-client-auth=\"want\"/>",
+ " </filtering>",
+ " </http>");
assertTrue(http.getAccessControl().isPresent());
assertEquals(AccessControl.ClientAuthentication.want, http.getAccessControl().get().clientAuthentication);
}
@Test
+ public void access_control_client_auth_cannot_be_overridden_when_disabled() {
+ AthenzDomain tenantDomain = AthenzDomain.from("my-tenant-domain");
+ DeployState state = new DeployState.Builder().properties(
+ new TestProperties()
+ .setAthenzDomain(tenantDomain)
+ .setHostedVespa(true)
+ .allowDisableMtls(false))
+ .build();
+
+ try {
+ Http http = createModelAndGetHttp(state,
+ " <http>",
+ " <filtering>",
+ " <access-control tls-handshake-client-auth=\"want\"/>",
+ " </filtering>",
+ " </http>");
+ fail("Overriding tls-handshake-client-auth allowed, but should have failed");
+ } catch (IllegalArgumentException e) {
+ assertEquals("Overriding 'tls-handshake-client-auth' for application is not allowed.", e.getMessage());
+ }
+ }
+
+ @Test
public void local_connector_has_default_chain() {
Http http = createModelAndGetHttp(
" <http>",
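Review bot: In `access_control_client_auth_cannot_be_overridden_when_disabled` the result of `createModelAndGetHttp(state, ...)` is assigned to `Http http` but never read; since the call is expected to throw, dropping the assignment (`createModelAndGetHttp(state,`) states the intent directly and avoids an unused-variable warning. The two tests in this hunk and the no-argument `createModelAndGetHttp(String...)` overload in the last hunk each build the same `DeployState` by hand, differing only in the `allowDisableMtls` value; a small helper taking that boolean would remove the repetition. Setting `allowDisableMtls(true)` explicitly in the positive test matches the `TestProperties` default, which is fine as documentation of the precondition, and a brief comment saying it is the default would make that deliberate.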
@@ -323,17 +354,20 @@ public class AccessControlTest extends ContainerModelBuilderTestBase {
}
private Http createModelAndGetHttp(String... httpElement) {
- List<String> servicesXml = new ArrayList<>();
- servicesXml.add("<container version='1.0'>");
- servicesXml.addAll(List.of(httpElement));
- servicesXml.add("</container>");
-
AthenzDomain tenantDomain = AthenzDomain.from("my-tenant-domain");
DeployState state = new DeployState.Builder().properties(
new TestProperties()
.setAthenzDomain(tenantDomain)
.setHostedVespa(true))
.build();
+ return createModelAndGetHttp(state, httpElement);
+ }
+ private Http createModelAndGetHttp(DeployState state, String... httpElement) {
+ List<String> servicesXml = new ArrayList<>();
+ servicesXml.add("<container version='1.0'>");
+ servicesXml.addAll(List.of(httpElement));
+ servicesXml.add("</container>");
+
createModel(root, state, null, DomBuilderTest.parse(servicesXml.toArray(String[]::new)));
return ((ApplicationContainer) root.getProducer("container/container.0")).getHttp();
}