author | Øyvind Grønnesby <oyving@verizonmedia.com> | 2019-10-29 12:38:10 +0100 |
committer | Øyvind Grønnesby <oyving@verizonmedia.com> | 2019-10-29 12:38:10 +0100 |
commit | 2837e9a6448a0e37ba348e105663efb7ecf95177 (patch) | |
tree | b3862f55c77d5963b0c1d84ef46886761c839461 /config-model | |
parent | e8932525b4f6039b2164bf7cebcba1fa2db50284 (diff) |
Require security/clients.pem in public systems
Diffstat (limited to 'config-model')
3 files changed, 20 insertions, 22 deletions
diff --git a/config-model/src/main/java/com/yahoo/config/model/deploy/TestProperties.java b/config-model/src/main/java/com/yahoo/config/model/deploy/TestProperties.java
index dc64bec964e..cfa61560b29 100644
--- a/config-model/src/main/java/com/yahoo/config/model/deploy/TestProperties.java
+++ b/config-model/src/main/java/com/yahoo/config/model/deploy/TestProperties.java
@@ -63,6 +63,7 @@ public class TestProperties implements ModelContext.Properties {
         defaultTermwiseLimit = limit;
         return this;
     }
+
     public TestProperties setApplicationId(ApplicationId applicationId) {
         this.applicationId = applicationId;
         return this;
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
index cc78b92c260..81e0b48090d 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
@@ -316,16 +316,14 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> {
         }
         // If the deployment contains certificate/private key reference, setup TLS port
         if (deployState.tlsSecrets().isPresent()) {
-            addTlsPort(deployState, spec, cluster);
+            addTlsPort(deployState, cluster);
         }
     }
 
-    private void addTlsPort(DeployState deployState, Element spec, ApplicationContainerCluster cluster) {
-        boolean authorizeClient = XML.getChild(spec, "client-authorize") != null;
-        if (authorizeClient) {
-            if (deployState.tlsClientAuthority().isEmpty()) {
-                throw new RuntimeException("client-authorize set, but security/clients.pem is missing");
-            }
+    private void addTlsPort(DeployState deployState, ApplicationContainerCluster cluster) {
+        boolean authorizeClient = deployState.zone().system().isPublic();
+        if (authorizeClient && deployState.tlsClientAuthority().isEmpty()) {
+            throw new RuntimeException("Client certificate authority security/clients.pem is missing - see: https://vespa.ai/documentation/security-model#data-plane");
         }
         if(cluster.getHttp() == null) {
             Http http = new Http(Collections.emptyList());
diff --git a/config-model/src/test/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilderTest.java b/config-model/src/test/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilderTest.java
index d0317938d50..0e47302a0ca 100644
--- a/config-model/src/test/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilderTest.java
+++ b/config-model/src/test/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilderTest.java
@@ -17,6 +17,7 @@ import com.yahoo.config.model.test.MockRoot;
 import com.yahoo.config.provision.Environment;
 import com.yahoo.config.provision.Flavor;
 import com.yahoo.config.provision.RegionName;
+import com.yahoo.config.provision.SystemName;
 import com.yahoo.config.provision.Zone;
 import com.yahoo.config.provisioning.FlavorsConfig;
 import com.yahoo.container.ComponentsConfig;
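Review bot: The new guard in addTlsPort throws a bare `RuntimeException` for what is a malformed application package (a public deployment shipped without its client CA); `IllegalArgumentException` names the cause precisely, is still a `RuntimeException` so the existing test catch clauses keep matching, and lets the deploy layer classify it as a user error rather than an internal failure: `throw new IllegalArgumentException("Client certificate authority security/clients.pem is missing - see: https://vespa.ai/documentation/security-model#data-plane");`. Now that the `<client-authorize/>` opt-in is gone, the policy is only implied by `deployState.zone().system().isPublic()`, so a one-line comment above that assignment would help the next reader: `// Public systems always require mTLS client authorization, so the application must ship security/clients.pem`. The rest of addTlsPort, including whatever consumes authorizeClient, continues outside the hunk, so I cannot confirm from here how a non-public deployment that does ship a clients.pem is treated; that path is worth a second look since the old code let it opt in explicitly.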
@@ -661,26 +662,27 @@ public class ContainerModelBuilderTest extends ContainerModelBuilderTestBase {
     }
 
     @Test
-    public void client_ca_carts_fail_with_missing_clients_pem() {
-        Element clusterElem = DomBuilderTest.parse(
-                "<container version='1.0'>",
-                "  <client-authorize />",
-                "</container>");
+    public void missing_security_clients_pem_fails_in_public() {
+        Element clusterElem = DomBuilderTest.parse("<container version='1.0' />");
+
         try {
-            DeployState state = new DeployState.Builder().properties(
-                    new TestProperties()
-                            .setHostedVespa(true)
-                            .setTlsSecrets(Optional.of(new TlsSecrets("CERT", "KEY")))).build();
+            DeployState state = new DeployState.Builder()
+                    .properties(
+                            new TestProperties()
+                                    .setHostedVespa(true)
+                                    .setTlsSecrets(Optional.of(new TlsSecrets("CERT", "KEY"))))
+                    .zone(new Zone(SystemName.Public, Environment.prod, RegionName.defaultName()))
+                    .build();
             createModel(root, state, null, clusterElem);
         } catch (RuntimeException e) {
-            assertEquals(e.getMessage(), "client-authorize set, but security/clients.pem is missing");
+            assertEquals(e.getMessage(), "Client certificate authority security/clients.pem is missing - see: https://vespa.ai/documentation/security-model#data-plane");
             return;
         }
         fail();
     }
 
     @Test
-    public void client_ca_carts_succeeds_with_client_authorize_and_clients_pem() {
+    public void client_ca_certs_succeeds_with_client_authorize_and_clients_pem() {
         var applicationPackage = new MockApplicationPackage.Builder()
                 .withRoot(applicationFolder.getRoot())
                 .build();
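Review bot: The added `assertEquals(e.getMessage(), "Client certificate authority ...")` passes the arguments in the reverse of JUnit's `assertEquals(expected, actual)` order, so a failure report would label the literal as the observed value; write it as `assertEquals("Client certificate authority security/clients.pem is missing - see: https://vespa.ai/documentation/security-model#data-plane", e.getMessage());`. The renamed second test is still called `client_ca_certs_succeeds_with_client_authorize_and_clients_pem` although the next hunk removes the `<client-authorize />` element it refers to, so a name such as `client_ca_certs_succeeds_with_clients_pem` would match what the test now exercises. Since the production check keys on `SystemName.Public`, the policy is only half pinned: a companion test that builds the same deploy state in a non-public zone and expects the model to build without clients.pem would guard against the check accidentally widening. The trailing `fail()` could also carry a message, e.g. `fail("Expected deployment to fail without security/clients.pem");`.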
@@ -690,10 +692,7 @@ public class ContainerModelBuilderTest extends ContainerModelBuilderTestBase { var deployState = DeployState.createTestState(applicationPackage); - Element clusterElem = DomBuilderTest.parse( - "<container version='1.0'>", - " <client-authorize />", - "</container>"); + Element clusterElem = DomBuilderTest.parse("<container version='1.0' />"); createModel(root, deployState, null, clusterElem); assertEquals(Optional.of("I am a very nice certificate"), getContainerCluster("container").getTlsClientAuthority()); |