authorAndreas Eriksen <andreer@verizonmedia.com>2019-11-14 11:45:57 +0100
committerGitHub <noreply@github.com>2019-11-14 11:45:57 +0100
commitbf057fb22f9c917d616031a0cd32597b315bb803 (patch)
tree32ea0dd80156b08f3eeb56c45bb67b13f5ac709c /config-model
parenteefeb095cb136450e69dabd25b43250775cb98d7 (diff)
parentef4041420dc828726fbac4198b367d8ecf3dec65 (diff)
Merge pull request #11294 from vespa-engine/andreer/do-not-enforce-client-auth-outside-public
do not enforce client auth outside public system (yet)
Diffstat (limited to 'config-model')
-rw-r--r--config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java9
-rw-r--r--config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java2
2 files changed, 7 insertions, 4 deletions
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java b/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java
index 93eaeb0565a..d00ce3974fa 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java
@@ -17,12 +17,15 @@ public class HostedSslConnectorFactory extends ConnectorFactory {
private static final List<String> INSECURE_WHITELISTED_PATHS = List.of("/status.html");
+ private final boolean enforceClientAuth;
+
public HostedSslConnectorFactory(String serverName, TlsSecrets tlsSecrets) {
- this(serverName, tlsSecrets, null);
+ this(serverName, tlsSecrets, null, false);
}
- public HostedSslConnectorFactory(String serverName, TlsSecrets tlsSecrets, String tlsCaCertificates) {
+ public HostedSslConnectorFactory(String serverName, TlsSecrets tlsSecrets, String tlsCaCertificates, boolean enforceClientAuth) {
super("tls4443", 4443, createSslProvider(serverName, tlsSecrets, tlsCaCertificates));
+ this.enforceClientAuth = enforceClientAuth;
}
private static ConfiguredDirectSslProvider createSslProvider(
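Review bot: The two-argument constructor now builds a connector that does not enforce client authentication, and nothing on it or on the new `enforceClientAuth` field says so. A caller reading only the signature cannot tell that the `tls4443` connector will be configured with the enforcer disabled. I would add a Javadoc line such as `/** Creates a connector that does not enforce TLS client authentication. */` and a matching `@param enforceClientAuth` description on the four-argument constructor. That constructor also accepts `enforceClientAuth == true` together with a null `tlsCaCertificates`. How createSslProvider treats a null CA bundle is outside this hunk, so whether that combination should be rejected with an `IllegalArgumentException` needs checking there.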
@@ -41,7 +44,7 @@ public class HostedSslConnectorFactory extends ConnectorFactory {
super.getConfig(connectorBuilder);
connectorBuilder.tlsClientAuthEnforcer(new ConnectorConfig.TlsClientAuthEnforcer.Builder()
.pathWhitelist(INSECURE_WHITELISTED_PATHS)
- .enable(true));
+ .enable(enforceClientAuth));
}
}
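Review bot: `.enable(enforceClientAuth)` turns a previously unconditional security control into a configurable one, and the config-model diffstat for this commit lists only the two main-source files, so no test appears to pin the resulting config. A unit test should assert that the generated `ConnectorConfig` has the client-auth enforcer enabled for the four-argument constructor called with `true` and disabled for the two-argument constructor. That would catch an accidental flip of the default in either direction. The signature of getConfig lies outside the hunk.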
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
index 484021ad4d5..073503e9341 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
@@ -338,7 +338,7 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> {
JettyHttpServer server = cluster.getHttp().getHttpServer();
String serverName = server.getComponentId().getName();
HostedSslConnectorFactory connectorFactory = authorizeClient
- ? new HostedSslConnectorFactory(serverName, deployState.tlsSecrets().get(), deployState.tlsClientAuthority().get())
+ ? new HostedSslConnectorFactory(serverName, deployState.tlsSecrets().get(), deployState.tlsClientAuthority().get(), true)
: new HostedSslConnectorFactory(serverName, deployState.tlsSecrets().get());
server.addConnector(connectorFactory);
}
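Review bot: The bare `true` ending the four-argument call does not say what it switches on, which matters here because this is the only visible place where client-auth enforcement is turned on. Naming it at the call site, e.g. `/* enforceClientAuth= */ true`, or passing a named local, would make the intent obvious in later reviews. `authorizeClient` is computed outside this hunk, so it cannot be confirmed from here that it guarantees `tlsSecrets()` and `tlsClientAuthority()` are present before the `.get()` calls.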