authorØyvind Grønnesby <oyving@verizonmedia.com>2019-08-13 14:05:40 +0200
committerØyvind Grønnesby <oyving@verizonmedia.com>2019-08-13 14:05:40 +0200
commit8e9e48809ded9fe9178e620b7985f5e63ccf570d (patch)
tree55e36e0a6c96f56d19713b3584d6209cf0802bcd /config-model
parentf68fae7329b21c87793909c1638b210a6784ca3e (diff)
Check that we are configured to use certificates to validate
Diffstat (limited to 'config-model')
-rw-r--r--config-model/src/main/java/com/yahoo/vespa/model/container/ApplicationContainerCluster.java5
-rw-r--r--config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java12
2 files changed, 17 insertions, 0 deletions
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/ApplicationContainerCluster.java b/config-model/src/main/java/com/yahoo/vespa/model/container/ApplicationContainerCluster.java
index 5656299b302..2b9cd18d64b 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/ApplicationContainerCluster.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/ApplicationContainerCluster.java
@@ -57,6 +57,7 @@ public final class ApplicationContainerCluster extends ContainerCluster<Applicat
private Optional<TlsSecrets> tlsSecrets;
private Optional<String> tlsClientAuthority;
+ private boolean useTlsClientAuthority = false;
private final boolean enableGroupingSessionCache;
private MbusParams mbusParams;
@@ -211,6 +212,10 @@ public final class ApplicationContainerCluster extends ContainerCluster<Applicat
null))));
}
+ public void useTlsClientAuthority(boolean value) {
+ this.useTlsClientAuthority = value;
+ }
+
public static class MbusParams {
// the amount of the maxpendingbytes to process concurrently, typically 0.2 (20%)
final Double maxConcurrentFactor;
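Review bot: The new `useTlsClientAuthority` field is only written by this setter; none of the hunks shown here read it, so unless a consumer exists outside this diff the flag has no effect on the generated container configuration yet. Since it appears to gate whether client certificates are validated, the setter should say where it takes effect, for example `/** Enables validation of client certificates against the application's security/clients.pem; set by ContainerModelBuilder when client-authorize is present. */`. If nothing else reads the field, a matching accessor is needed as well.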
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
index a7a4e0fb540..70f49e60136 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
@@ -192,9 +192,21 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> {
addClientProviders(deployState, spec, cluster);
addServerProviders(deployState, spec, cluster);
+ addTlsClientAuthority(deployState, spec, cluster);
+
addAthensCopperArgos(cluster, context); // Must be added after nodes.
}
+ private void addTlsClientAuthority(DeployState deployState, Element spec, ApplicationContainerCluster cluster) {
+ var clientAuthorized = XML.getChild(spec, "client-authorize");
+ if (clientAuthorized != null && deployState.tlsClientAuthority().isEmpty()) {
+ if (deployState.tlsClientAuthority().isEmpty()) {
+ throw new RuntimeException("client-authorize set, but security/clients.pem is missing");
+ }
+ cluster.useTlsClientAuthority(true);
+ }
+ }
+
private void addSecretStore(ApplicationContainerCluster cluster, Element spec) {
Element secretStoreElement = XML.getChild(spec, "secret-store");
if (secretStoreElement != null) {
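Review bot: In `addTlsClientAuthority` the outer condition already requires `deployState.tlsClientAuthority().isEmpty()`, so the inner check is always true and `cluster.useTlsClientAuthority(true)` can never be reached. An application that declares `client-authorize` and does ship security/clients.pem skips the block entirely and the flag stays false, so anything that relies on this flag to turn on client-certificate validation would stay off for correctly configured applications. The outer test should be `if (clientAuthorized != null) {`, leaving the inner emptiness check as the failure path. Throwing `IllegalArgumentException` instead of a bare `RuntimeException` would also mark this as a deployment input error.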