Skip validation of non-user applications.

author: gjoranv <gv@oath.com> 2018-03-19 15:22:36 +0100
committer: gjoranv <gv@oath.com> 2018-03-19 15:37:42 +0100
commit: 6e4c8d474fe4ab802bd5602069d4fd1ca0f6ffa1 (patch)
tree: ac60d25b1b7d39acbd7b23370f75d2af7921b373 /config-model
parent: 6a3c6ba874bd1977829f030d9d6f03f783f9e184 (diff)
2 files changed, 30 insertions, 16 deletions
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/application/validation/first/AccessControlValidator.java b/config-model/src/main/java/com/yahoo/vespa/model/application/validation/first/AccessControlValidator.java
index 6e53634639c..26a1478d0a7 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/application/validation/first/AccessControlValidator.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/application/validation/first/AccessControlValidator.java
@@ -1,6 +1,7 @@
 // Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.vespa.model.application.validation.first;
 
+import com.yahoo.config.model.ConfigModelContext.ApplicationType;
 import com.yahoo.config.model.deploy.DeployState;
 import com.yahoo.vespa.model.VespaModel;
 import com.yahoo.vespa.model.application.validation.Validator;
@@ -23,23 +24,23 @@ public class AccessControlValidator extends Validator {
     @Override
     public void validate(VespaModel model, DeployState deployState) {
 
-        // TODO: what about zone application? (HOSTED_INFRASTRUCTURE)
-
-        if (deployState.isHosted() && deployState.zone().environment().isProduction()) {
-            List<String> offendingClusters = new ArrayList<>();
-            for (ContainerCluster cluster : model.getContainerClusters().values()) {
-                if (cluster.getHttp() == null
-                        || ! cluster.getHttp().getAccessControl().isPresent()
-                        || ! cluster.getHttp().getAccessControl().get().writeEnabled)
-
-                    if (hasHandlerThatNeedsProtection(cluster) || ! cluster.getAllServlets().isEmpty())
-                        offendingClusters.add(cluster.getName());
-            }
-            if (! offendingClusters.isEmpty())
-                throw new IllegalArgumentException(
-                        "Access-control must be enabled for write operations to container clusters in production zones: " +
-                                mkString(offendingClusters, "[", ", ", "]."));
+        if (! deployState.isHosted()) return;
+        if (! deployState.zone().environment().isProduction()) return;
+        if (model.getAdmin().getApplicationType() != ApplicationType.DEFAULT) return;
+
+        List<String> offendingClusters = new ArrayList<>();
+        for (ContainerCluster cluster : model.getContainerClusters().values()) {
+            if (cluster.getHttp() == null
+                    || ! cluster.getHttp().getAccessControl().isPresent()
+                    || ! cluster.getHttp().getAccessControl().get().writeEnabled)
+
+                if (hasHandlerThatNeedsProtection(cluster) || ! cluster.getAllServlets().isEmpty())
+                    offendingClusters.add(cluster.getName());
         }
+        if (! offendingClusters.isEmpty())
+            throw new IllegalArgumentException(
+                    "Access-control must be enabled for write operations to container clusters in production zones: " +
+                            mkString(offendingClusters, "[", ", ", "]."));
     }
 
     private boolean hasHandlerThatNeedsProtection(ContainerCluster cluster) {
diff --git a/config-model/src/test/java/com/yahoo/vespa/model/application/validation/first/AccessControlValidatorTest.java b/config-model/src/test/java/com/yahoo/vespa/model/application/validation/first/AccessControlValidatorTest.java
index a313aa1051d..4845d66aeda 100644
--- a/config-model/src/test/java/com/yahoo/vespa/model/application/validation/first/AccessControlValidatorTest.java
+++ b/config-model/src/test/java/com/yahoo/vespa/model/application/validation/first/AccessControlValidatorTest.java
@@ -117,6 +117,19 @@ public class AccessControlValidatorTest  {
         new AccessControlValidator().validate(model, deployState);
     }
 
+    @Test
+    public void write_protection_is_not_required_for_non_default_application_type() throws IOException, SAXException{
+        String servicesXml = joinLines("<services version='1.0' application-type='hosted-infrastructure'>",
+                                       "  <container id='default' version='1.0'>",
+                                       httpHandlerXml,
+                                       "  </container>",
+                                       "</services>");
+        DeployState deployState = deployState(servicesXml);
+        VespaModel model = new VespaModel(new NullConfigModelRegistry(), deployState);
+
+        new AccessControlValidator().validate(model, deployState);
+    }
+
     private static DeployState deployState(String servicesXml) {
         ApplicationPackage app = new MockApplicationPackage.Builder()
                 .withServices(servicesXml)
author	gjoranv <gv@oath.com>	2018-03-19 15:22:36 +0100
committer	gjoranv <gv@oath.com>	2018-03-19 15:37:42 +0100
commit	6e4c8d474fe4ab802bd5602069d4fd1ca0f6ffa1 (patch)
tree	ac60d25b1b7d39acbd7b23370f75d2af7921b373 /config-model
parent	6a3c6ba874bd1977829f030d9d6f03f783f9e184 (diff)