author | Øyvind Grønnesby <oyving@verizonmedia.com> | 2019-10-30 09:49:42 +0100 |
committer | GitHub <noreply@github.com> | 2019-10-30 09:49:42 +0100 |
commit | cba1d4de85ce5e77aadc064ac53b47cb216e3c48 (patch) | |
tree | 797628c4f7d0b9730136c97b5e7f1dc23e6513e4 /config-model | |
parent | 4cbac2d17b74124cae9256455b11c50ff053919b (diff) | |
parent | 3889ecfe1b0b4c53bde3dd347a234aaec6634286 (diff) |
Merge pull request #11149 from vespa-engine/ogronnesby/require-clients-pem-in-public
Require security/clients.pem in public systems
Diffstat (limited to 'config-model')
3 files changed, 20 insertions, 22 deletions
diff --git a/config-model/src/main/java/com/yahoo/config/model/deploy/TestProperties.java b/config-model/src/main/java/com/yahoo/config/model/deploy/TestProperties.java
index dc64bec964e..cfa61560b29 100644
--- a/config-model/src/main/java/com/yahoo/config/model/deploy/TestProperties.java
+++ b/config-model/src/main/java/com/yahoo/config/model/deploy/TestProperties.java
@@ -63,6 +63,7 @@ public class TestProperties implements ModelContext.Properties {
 defaultTermwiseLimit = limit;
 return this;
 }
+
 public TestProperties setApplicationId(ApplicationId applicationId) {
 this.applicationId = applicationId;
 return this;
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
index cc78b92c260..81e0b48090d 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
@@ -316,16 +316,14 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> {
 }
 // If the deployment contains certificate/private key reference, setup TLS port
 if (deployState.tlsSecrets().isPresent()) {
- addTlsPort(deployState, spec, cluster);
+ addTlsPort(deployState, cluster);
 }
 }
- private void addTlsPort(DeployState deployState, Element spec, ApplicationContainerCluster cluster) {
- boolean authorizeClient = XML.getChild(spec, "client-authorize") != null;
- if (authorizeClient) {
- if (deployState.tlsClientAuthority().isEmpty()) {
- throw new RuntimeException("client-authorize set, but security/clients.pem is missing");
- }
+ private void addTlsPort(DeployState deployState, ApplicationContainerCluster cluster) {
+ boolean authorizeClient = deployState.zone().system().isPublic();
+ if (authorizeClient && deployState.tlsClientAuthority().isEmpty()) {
+ throw new RuntimeException("Client certificate authority security/clients.pem is missing - see: https://vespa.ai/documentation/security-model#data-plane");
 }
 if(cluster.getHttp() == null) {
 Http http = new Http(Collections.emptyList());
diff --git a/config-model/src/test/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilderTest.java b/config-model/src/test/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilderTest.java
index d0317938d50..852320a4677 100644
--- a/config-model/src/test/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilderTest.java
+++ b/config-model/src/test/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilderTest.java
@@ -17,6 +17,7 @@ import com.yahoo.config.model.test.MockRoot;
 import com.yahoo.config.provision.Environment;
 import com.yahoo.config.provision.Flavor;
 import com.yahoo.config.provision.RegionName;
+import com.yahoo.config.provision.SystemName;
 import com.yahoo.config.provision.Zone;
 import com.yahoo.config.provisioning.FlavorsConfig;
 import com.yahoo.container.ComponentsConfig;
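Review bot: The rewritten guard in addTlsPort still throws a bare RuntimeException for what is a configuration error in the application package (a missing security/clients.pem), so callers cannot tell it apart from an internal failure; since the line is replaced anyway, `throw new IllegalArgumentException("Client certificate authority security/clients.pem is missing - see: https://vespa.ai/documentation/security-model#data-plane");` would be the idiomatic choice, with the test's catch clause adjusted to match. The local `authorizeClient` now holds `deployState.zone().system().isPublic()` rather than an explicit opt-in from services.xml, so its name no longer describes what it tests; `boolean isPublicSystem = deployState.zone().system().isPublic();` would make the intent clear, provided every later use in the method is renamed with it. addTlsPort's body continues past the hunk, so whether that flag still gates client-certificate enforcement on the connector further down, and hence whether non-public systems that ship a clients.pem lose the previous opt-in, cannot be confirmed from this hunk and is worth stating in a one-line comment above the guard.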
@@ -661,26 +662,27 @@ public class ContainerModelBuilderTest extends ContainerModelBuilderTestBase {
 }
 @Test
- public void client_ca_carts_fail_with_missing_clients_pem() {
- Element clusterElem = DomBuilderTest.parse(
- "<container version='1.0'>",
- " <client-authorize />",
- "</container>");
+ public void missing_security_clients_pem_fails_in_public() {
+ Element clusterElem = DomBuilderTest.parse("<container version='1.0' />");
+
 try {
- DeployState state = new DeployState.Builder().properties(
- new TestProperties()
- .setHostedVespa(true)
- .setTlsSecrets(Optional.of(new TlsSecrets("CERT", "KEY")))).build();
+ DeployState state = new DeployState.Builder()
+ .properties(
+ new TestProperties()
+ .setHostedVespa(true)
+ .setTlsSecrets(Optional.of(new TlsSecrets("CERT", "KEY"))))
+ .zone(new Zone(SystemName.Public, Environment.prod, RegionName.defaultName()))
+ .build();
 createModel(root, state, null, clusterElem);
 } catch (RuntimeException e) {
- assertEquals(e.getMessage(), "client-authorize set, but security/clients.pem is missing");
+ assertEquals(e.getMessage(), "Client certificate authority security/clients.pem is missing - see: https://vespa.ai/documentation/security-model#data-plane");
 return;
 }
 fail();
 }
 @Test
- public void client_ca_carts_succeeds_with_client_authorize_and_clients_pem() {
+ public void security_clients_pem_is_picked_up() {
 var applicationPackage = new MockApplicationPackage.Builder()
 .withRoot(applicationFolder.getRoot())
 .build();
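Review bot: The rewritten assertion in the catch clause passes the actual value as the expected argument, so a mismatch is reported with the two sides swapped; it should read `assertEquals("Client certificate authority security/clients.pem is missing - see: https://vespa.ai/documentation/security-model#data-plane", e.getMessage());`. The clause also accepts any RuntimeException and the trailing `fail()` carries no message, so an unrelated failure inside createModel surfaces only as a confusing string comparison and a silent success as a bare AssertionError; `fail("Expected deployment without security/clients.pem to be rejected in a public system");` would make the intent visible. Duplicating the full message, URL included, between production code and test is brittle as well; if the message is kept verbatim here, a shared constant would avoid the two drifting apart.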
@@ -690,10 +692,7 @@ public class ContainerModelBuilderTest extends ContainerModelBuilderTestBase {
 var deployState = DeployState.createTestState(applicationPackage);
- Element clusterElem = DomBuilderTest.parse(
- "<container version='1.0'>",
- " <client-authorize />",
- "</container>");
+ Element clusterElem = DomBuilderTest.parse("<container version='1.0' />");
 createModel(root, deployState, null, clusterElem);
 assertEquals(Optional.of("I am a very nice certificate"), getContainerCluster("container").getTlsClientAuthority());
 |
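Review bot: With the <client-authorize> element gone, this test still builds its state with `DeployState.createTestState(applicationPackage)`, whose zone is not visible here and is presumably not a public system, so the only public-system path the commit exercises is the failing one in missing_security_clients_pem_fails_in_public. A companion case that combines a present clients.pem with `.zone(new Zone(SystemName.Public, Environment.prod, RegionName.defaultName()))` and asserts that createModel succeeds and the authority is picked up would pin the intended behaviour of the new check rather than only its rejection branch. The enclosing test method starts before this hunk.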