authorØyvind Grønnesby <oyving@verizonmedia.com>2019-10-30 09:49:42 +0100
committerGitHub <noreply@github.com>2019-10-30 09:49:42 +0100
commitcba1d4de85ce5e77aadc064ac53b47cb216e3c48 (patch)
tree797628c4f7d0b9730136c97b5e7f1dc23e6513e4 /config-model
parent4cbac2d17b74124cae9256455b11c50ff053919b (diff)
parent3889ecfe1b0b4c53bde3dd347a234aaec6634286 (diff)
Merge pull request #11149 from vespa-engine/ogronnesby/require-clients-pem-in-public
Require security/clients.pem in public systems
Diffstat (limited to 'config-model')
-rw-r--r--config-model/src/main/java/com/yahoo/config/model/deploy/TestProperties.java1
-rw-r--r--config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java12
-rw-r--r--config-model/src/test/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilderTest.java29
3 files changed, 20 insertions, 22 deletions
diff --git a/config-model/src/main/java/com/yahoo/config/model/deploy/TestProperties.java b/config-model/src/main/java/com/yahoo/config/model/deploy/TestProperties.java
index dc64bec964e..cfa61560b29 100644
--- a/config-model/src/main/java/com/yahoo/config/model/deploy/TestProperties.java
+++ b/config-model/src/main/java/com/yahoo/config/model/deploy/TestProperties.java
@@ -63,6 +63,7 @@ public class TestProperties implements ModelContext.Properties {
defaultTermwiseLimit = limit;
return this;
}
+
public TestProperties setApplicationId(ApplicationId applicationId) {
this.applicationId = applicationId;
return this;
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
index cc78b92c260..81e0b48090d 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
@@ -316,16 +316,14 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> {
}
// If the deployment contains certificate/private key reference, setup TLS port
if (deployState.tlsSecrets().isPresent()) {
- addTlsPort(deployState, spec, cluster);
+ addTlsPort(deployState, cluster);
}
}
- private void addTlsPort(DeployState deployState, Element spec, ApplicationContainerCluster cluster) {
- boolean authorizeClient = XML.getChild(spec, "client-authorize") != null;
- if (authorizeClient) {
- if (deployState.tlsClientAuthority().isEmpty()) {
- throw new RuntimeException("client-authorize set, but security/clients.pem is missing");
- }
+ private void addTlsPort(DeployState deployState, ApplicationContainerCluster cluster) {
+ boolean authorizeClient = deployState.zone().system().isPublic();
+ if (authorizeClient && deployState.tlsClientAuthority().isEmpty()) {
+ throw new RuntimeException("Client certificate authority security/clients.pem is missing - see: https://vespa.ai/documentation/security-model#data-plane");
}
if(cluster.getHttp() == null) {
Http http = new Http(Collections.emptyList());
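Review bot: With `boolean authorizeClient = deployState.zone().system().isPublic();` the `<client-authorize />` element is no longer read at all, so a services.xml that still declares it in a non-public system is now accepted with neither an error nor the clients.pem check, which silently turns an explicit opt-in into a no-op; whether the element is rejected somewhere else in the builder is not visible from this hunk. If the element is being retired, failing fast on its presence (or at least logging that it is ignored) would be safer than dropping it without a trace. The missing `security/clients.pem` case is a user-configuration problem rather than an internal failure, so `throw new IllegalArgumentException("Client certificate authority security/clients.pem is missing - see: https://vespa.ai/documentation/security-model#data-plane");` fits better than a bare RuntimeException, and the test in ContainerModelBuilderTest that catches RuntimeException still passes with it. The body of addTlsPort continues past the end of the hunk.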
diff --git a/config-model/src/test/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilderTest.java b/config-model/src/test/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilderTest.java
index d0317938d50..852320a4677 100644
--- a/config-model/src/test/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilderTest.java
+++ b/config-model/src/test/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilderTest.java
@@ -17,6 +17,7 @@ import com.yahoo.config.model.test.MockRoot;
import com.yahoo.config.provision.Environment;
import com.yahoo.config.provision.Flavor;
import com.yahoo.config.provision.RegionName;
+import com.yahoo.config.provision.SystemName;
import com.yahoo.config.provision.Zone;
import com.yahoo.config.provisioning.FlavorsConfig;
import com.yahoo.container.ComponentsConfig;
@@ -661,26 +662,27 @@ public class ContainerModelBuilderTest extends ContainerModelBuilderTestBase {
}
@Test
- public void client_ca_carts_fail_with_missing_clients_pem() {
- Element clusterElem = DomBuilderTest.parse(
- "<container version='1.0'>",
- " <client-authorize />",
- "</container>");
+ public void missing_security_clients_pem_fails_in_public() {
+ Element clusterElem = DomBuilderTest.parse("<container version='1.0' />");
+
try {
- DeployState state = new DeployState.Builder().properties(
- new TestProperties()
- .setHostedVespa(true)
- .setTlsSecrets(Optional.of(new TlsSecrets("CERT", "KEY")))).build();
+ DeployState state = new DeployState.Builder()
+ .properties(
+ new TestProperties()
+ .setHostedVespa(true)
+ .setTlsSecrets(Optional.of(new TlsSecrets("CERT", "KEY"))))
+ .zone(new Zone(SystemName.Public, Environment.prod, RegionName.defaultName()))
+ .build();
createModel(root, state, null, clusterElem);
} catch (RuntimeException e) {
- assertEquals(e.getMessage(), "client-authorize set, but security/clients.pem is missing");
+ assertEquals(e.getMessage(), "Client certificate authority security/clients.pem is missing - see: https://vespa.ai/documentation/security-model#data-plane");
return;
}
fail();
}
@Test
- public void client_ca_carts_succeeds_with_client_authorize_and_clients_pem() {
+ public void security_clients_pem_is_picked_up() {
var applicationPackage = new MockApplicationPackage.Builder()
.withRoot(applicationFolder.getRoot())
.build();
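Review bot: The rewritten assertion `assertEquals(e.getMessage(), "Client certificate authority security/clients.pem is missing - see: ...")` keeps the arguments reversed — JUnit's signature is `assertEquals(expected, actual)`, so a failure would report the literal as the actual value; swap to `assertEquals("Client certificate authority security/clients.pem is missing - see: https://vespa.ai/documentation/security-model#data-plane", e.getMessage());`. The new test only pins the public-system half of the `isPublic()` rule; a sibling test built the same way but with a non-public zone (e.g. `SystemName.main`) and no TlsSecrets client authority, asserting that createModel completes, would cover the other half and catch a future inversion of the condition. The method `security_clients_pem_is_picked_up` starts inside this hunk but its body continues outside it.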
@@ -690,10 +692,7 @@ public class ContainerModelBuilderTest extends ContainerModelBuilderTestBase {
var deployState = DeployState.createTestState(applicationPackage);
- Element clusterElem = DomBuilderTest.parse(
- "<container version='1.0'>",
- " <client-authorize />",
- "</container>");
+ Element clusterElem = DomBuilderTest.parse("<container version='1.0' />");
createModel(root, deployState, null, clusterElem);
assertEquals(Optional.of("I am a very nice certificate"), getContainerCluster("container").getTlsClientAuthority());