Read client authentication attribute from access control element

5 files changed, 46 insertions, 1 deletions

diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/http/AccessControl.java b/config-model/src/main/java/com/yahoo/vespa/model/container/http/AccessControl.java
index f04edeb67f4..1e5c944f8dc 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/http/AccessControl.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/http/AccessControl.java
@@ -26,6 +26,8 @@ import java.util.Set;
  */
 public class AccessControl {
 
+    public enum ClientAuthentication { want, need }
+
     public static final ComponentId ACCESS_CONTROL_CHAIN_ID = ComponentId.fromString("access-control-chain");
     public static final ComponentId ACCESS_CONTROL_EXCLUDED_CHAIN_ID = ComponentId.fromString("access-control-excluded-chain");
 
@@ -46,6 +48,7 @@ public class AccessControl {
         private final String domain;
         private boolean readEnabled = false;
         private boolean writeEnabled = true;
+        private ClientAuthentication clientAuthentication = ClientAuthentication.need;
         private final Set<BindingPattern> excludeBindings = new LinkedHashSet<>();
         private Collection<Handler<?>> handlers = Collections.emptyList();
 
@@ -73,25 +76,33 @@ public class AccessControl {
             return this;
         }
 
+        public Builder clientAuthentication(ClientAuthentication clientAuthentication) {
+            this.clientAuthentication = clientAuthentication;
+            return this;
+        }
+
         public AccessControl build() {
-            return new AccessControl(domain, writeEnabled, readEnabled, excludeBindings, handlers);
+            return new AccessControl(domain, writeEnabled, readEnabled, clientAuthentication, excludeBindings, handlers);
         }
     }
 
     public final String domain;
     public final boolean readEnabled;
     public final boolean writeEnabled;
+    public final ClientAuthentication clientAuthentication;
     private final Set<BindingPattern> excludedBindings;
     private final Collection<Handler<?>> handlers;
 
     private AccessControl(String domain,
                           boolean writeEnabled,
                           boolean readEnabled,
+                          ClientAuthentication clientAuthentication,
                           Set<BindingPattern> excludedBindings,
                           Collection<Handler<?>> handlers) {
         this.domain = domain;
         this.readEnabled = readEnabled;
         this.writeEnabled = writeEnabled;
+        this.clientAuthentication = clientAuthentication;
         this.excludedBindings = Collections.unmodifiableSet(excludedBindings);
         this.handlers = handlers;
     }
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/http/xml/HttpBuilder.java b/config-model/src/main/java/com/yahoo/vespa/model/container/http/xml/HttpBuilder.java
index 5b360b478fa..004539688e2 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/http/xml/HttpBuilder.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/http/xml/HttpBuilder.java
@@ -73,6 +73,13 @@ public class HttpBuilder extends VespaDomBuilder.DomConfigProducerBuilder<Http>
                 readAttr -> builder.readEnabled(Boolean.valueOf(readAttr)));
         XmlHelper.getOptionalAttribute(accessControlElem, "write").ifPresent(
                 writeAttr -> builder.writeEnabled(Boolean.valueOf(writeAttr)));
+        builder.clientAuthentication(
+                XmlHelper.getOptionalAttribute(accessControlElem, "tls-handshake-client-auth")
+                        .map(value -> "want".equals(value)
+                                ? AccessControl.ClientAuthentication.want
+                                : AccessControl.ClientAuthentication.need)
+                        .orElse(AccessControl.ClientAuthentication.need)
+        );
 
         Element excludeElem = XML.getChild(accessControlElem, "exclude");
         if (excludeElem != null) {
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
index dee03fb58d3..bc8b01ec6df 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
@@ -368,6 +368,7 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> {
                 .setHandlers(cluster)
                 .readEnabled(false)
                 .writeEnabled(false)
+                .clientAuthentication(AccessControl.ClientAuthentication.need)
                 .build()
                 .configureHttpFilterChains(http);
     }
diff --git a/config-model/src/main/resources/schema/container.rnc b/config-model/src/main/resources/schema/container.rnc
index 034de1113c2..3c219558b9d 100644
--- a/config-model/src/main/resources/schema/container.rnc
+++ b/config-model/src/main/resources/schema/container.rnc
@@ -26,6 +26,7 @@ AccessControl = element access-control {
     attribute domain { xsd:NCName }? &  # TODO Vespa 8 Remove
     attribute read { string "true" | string "false" }? & # TODO Vespa 8 Remove
     attribute write { string "true" | string "false" }? & # TODO Vespa 8 Remove
+    attribute tls-handshake-client-auth {string "want" | string "need"}? &
     element vespa-domain { xsd:NCName }? & # TODO Remove after end of March 2020
     element exclude {
         Binding+
diff --git a/config-model/src/test/java/com/yahoo/vespa/model/container/xml/AccessControlTest.java b/config-model/src/test/java/com/yahoo/vespa/model/container/xml/AccessControlTest.java
index 92b54a4679d..f21ab28be72 100644
--- a/config-model/src/test/java/com/yahoo/vespa/model/container/xml/AccessControlTest.java
+++ b/config-model/src/test/java/com/yahoo/vespa/model/container/xml/AccessControlTest.java
@@ -171,6 +171,7 @@ public class AccessControlTest extends ContainerModelBuilderTestBase {
         AccessControl accessControl = maybeAccessControl.get();
         assertThat(accessControl.writeEnabled, is(false));
         assertThat(accessControl.readEnabled, is(false));
+        assertThat(accessControl.clientAuthentication, is(AccessControl.ClientAuthentication.need));
         assertThat(accessControl.domain, equalTo("my-tenant-domain"));
     }
 
@@ -267,6 +268,30 @@ public class AccessControlTest extends ContainerModelBuilderTestBase {
         assertThat(actualCustomChainBindings, containsInAnyOrder("http://*/custom-handler/*"));
     }
 
+    @Test
+    public void access_control_client_auth_defaults_to_need() {
+        Http http = createModelAndGetHttp(
+                "  <http>",
+                "    <filtering>",
+                "      <access-control />",
+                "    </filtering>",
+                "  </http>");
+        assertTrue(http.getAccessControl().isPresent());
+        assertEquals(AccessControl.ClientAuthentication.need, http.getAccessControl().get().clientAuthentication);
+    }
+
+    @Test
+    public void access_control_client_auth_can_be_overridden() {
+        Http http = createModelAndGetHttp(
+                "  <http>",
+                "    <filtering>",
+                "      <access-control tls-handshake-client-auth=\"want\"/>",
+                "    </filtering>",
+                "  </http>");
+        assertTrue(http.getAccessControl().isPresent());
+        assertEquals(AccessControl.ClientAuthentication.want, http.getAccessControl().get().clientAuthentication);
+    }
+
     private Http createModelAndGetHttp(String... httpElement) {
         List<String> servicesXml = new ArrayList<>();
         servicesXml.add("<container version='1.0'>");