author | bjormel <bjormel@verizonmedia.com> | 2022-01-20 13:39:43 +0100 |
committer | bjormel <bjormel@verizonmedia.com> | 2022-01-20 13:39:43 +0100 |
commit | 42b16db7458e3313d3dac88b67d381b87a698320 (patch) | |
tree | e29989db4e33fd6d54a32ce2e7a62fd9056d33b2 /config-model | |
parent | bf91fa3cb1759b195688f76dec8c4854c9b79011 (diff) |
access-control is implicit
Diffstat (limited to 'config-model')
5 files changed, 0 insertions, 150 deletions
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/application/validation/AwsAccessControlValidator.java b/config-model/src/main/java/com/yahoo/vespa/model/application/validation/AwsAccessControlValidator.java
deleted file mode 100644
index a07e07169d1..00000000000
--- a/config-model/src/main/java/com/yahoo/vespa/model/application/validation/AwsAccessControlValidator.java
+++ /dev/null
@@ -1,44 +0,0 @@
-// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.vespa.model.application.validation;
-
-import com.yahoo.config.application.api.ValidationId;
-import com.yahoo.config.model.deploy.DeployState;
-import com.yahoo.vespa.model.VespaModel;
-
-import java.util.ArrayList;
-import java.util.List;
-
-import static com.yahoo.collections.CollectionUtil.mkString;
-import static com.yahoo.vespa.model.application.validation.first.AccessControlOnFirstDeploymentValidator.needsAccessControlValidation;
-import static com.yahoo.vespa.model.container.http.AccessControl.hasHandlerThatNeedsProtection;
-
-/**
- * @author gjoranv
- */
-public class AwsAccessControlValidator extends Validator {
-
- @Override
- public void validate(VespaModel model, DeployState deployState) {
-
- if (! needsAccessControlValidation(model, deployState)) return;
- if(! deployState.zone().getCloud().requireAccessControl()) return;
-
- List<String> offendingClusters = new ArrayList<>();
- for (var cluster : model.getContainerClusters().values()) {
- var http = cluster.getHttp();
- if (http == null
- || ! http.getAccessControl().isPresent()
- || ! http.getAccessControl().get().writeEnabled
- || ! http.getAccessControl().get().readEnabled)
-
- if (hasHandlerThatNeedsProtection(cluster))
- offendingClusters.add(cluster.getName());
- }
- if (! offendingClusters.isEmpty())
- deployState.validationOverrides()
- .invalid(ValidationId.accessControl,
- "Access-control must be enabled for read/write operations to container clusters in AWS production zones: " +
- mkString(offendingClusters, "[", ", ", "]"), deployState.now());
- }
-
-}
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/application/validation/Validation.java b/config-model/src/main/java/com/yahoo/vespa/model/application/validation/Validation.java
index 36503ba4bae..7bfd57de323 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/application/validation/Validation.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/application/validation/Validation.java
@@ -24,7 +24,6 @@ import com.yahoo.vespa.model.application.validation.change.RedundancyIncreaseVal
 import com.yahoo.vespa.model.application.validation.change.ResourcesReductionValidator;
 import com.yahoo.vespa.model.application.validation.change.StartupCommandChangeValidator;
 import com.yahoo.vespa.model.application.validation.change.StreamingSearchClusterChangeValidator;
-import com.yahoo.vespa.model.application.validation.first.AccessControlOnFirstDeploymentValidator;
 import com.yahoo.vespa.model.application.validation.first.RedundancyOnFirstDeploymentValidator;
 
 import java.time.Instant;
@@ -83,7 +82,6 @@ public class Validation {
 new EndpointCertificateSecretsValidator().validate(model, deployState);
 new AccessControlFilterValidator().validate(model, deployState);
 new CloudWatchValidator().validate(model, deployState);
- new AwsAccessControlValidator().validate(model, deployState);
 new QuotaValidator().validate(model, deployState);
 new UriBindingsValidator().validate(model, deployState);
 
@@ -135,7 +133,6 @@ public class Validation {
 }
 
 private static void validateFirstTimeDeployment(VespaModel model, DeployState deployState) {
- new AccessControlOnFirstDeploymentValidator().validate(model, deployState);
 new RedundancyOnFirstDeploymentValidator().validate(model, deployState);
 }
 
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/application/validation/first/AccessControlOnFirstDeploymentValidator.java b/config-model/src/main/java/com/yahoo/vespa/model/application/validation/first/AccessControlOnFirstDeploymentValidator.java
deleted file mode 100644
index dd6e6ad590d..00000000000
--- a/config-model/src/main/java/com/yahoo/vespa/model/application/validation/first/AccessControlOnFirstDeploymentValidator.java
+++ /dev/null
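Review bot: The deployment-time guard that rejected hosted prod container clusters running handlers that need protection without access-control (read and write) enabled is dropped in the second hunk, but nothing in this diff shows the replacement the title "access-control is implicit" refers to, so a reader of Validation.java can no longer tell where that guarantee now lives. If the model now applies access-control unconditionally in those zones, a pointer next to the remaining `new AccessControlFilterValidator().validate(model, deployState);` would keep the decision visible, e.g. `// Access control itself is no longer validated here: hosted prod clusters are expected to get it implicitly from the model.`. The deleted validators also skipped non-default instances, non-DEFAULT application types and public systems, so the implicit path should be confirmed to cover at least the same clusters, ideally by a test that replaces the deleted AccessControlValidatorTestBase subclasses and asserts that a model built for a hosted prod zone has access-control enabled, so a regression surfaces at build time rather than as an unauthenticated endpoint in production. The method containing the second hunk starts and ends outside the hunk.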
@@ -1,59 +0,0 @@
-// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.vespa.model.application.validation.first;
-
-import com.yahoo.config.application.api.ValidationId;
-import com.yahoo.config.model.ConfigModelContext.ApplicationType;
-import com.yahoo.config.model.deploy.DeployState;
-import com.yahoo.config.provision.InstanceName;
-import com.yahoo.vespa.model.VespaModel;
-import com.yahoo.vespa.model.application.validation.Validator;
-import com.yahoo.vespa.model.container.ApplicationContainerCluster;
-import com.yahoo.vespa.model.container.Container;
-import com.yahoo.vespa.model.container.ContainerCluster;
-
-import java.util.ArrayList;
-import java.util.List;
-
-import static com.yahoo.collections.CollectionUtil.mkString;
-import static com.yahoo.config.provision.InstanceName.defaultName;
-import static com.yahoo.vespa.model.container.http.AccessControl.hasHandlerThatNeedsProtection;
-
-/**
- * Validates that hosted applications in prod zones have write protection enabled.
- *
- * @author gjoranv
- */
-public class AccessControlOnFirstDeploymentValidator extends Validator {
-
- @Override
- public void validate(VespaModel model, DeployState deployState) {
-
- if (! needsAccessControlValidation(model, deployState)) return;
-
- List<String> offendingClusters = new ArrayList<>();
- for (ContainerCluster<? extends Container> c : model.getContainerClusters().values()) {
- if (! (c instanceof ApplicationContainerCluster)) continue;
- ApplicationContainerCluster cluster = (ApplicationContainerCluster)c;
- if (cluster.getHttp() == null
- || ! cluster.getHttp().getAccessControl().isPresent()
- || ! cluster.getHttp().getAccessControl().get().writeEnabled)
-
- if (hasHandlerThatNeedsProtection(cluster))
- offendingClusters.add(cluster.getName());
- }
- if (! 
offendingClusters.isEmpty())
- deployState.validationOverrides().invalid(ValidationId.accessControl,
- "Access-control must be enabled for write operations to container clusters in production zones: " +
- mkString(offendingClusters, "[", ", ", "]"), deployState.now());
- }
-
- public static boolean needsAccessControlValidation(VespaModel model, DeployState deployState) {
- if (! deployState.isHosted()) return false;
- if (! deployState.zone().environment().isProduction()) return false;
- if (deployState.zone().system().isPublic()) return false;
- if (! deployState.getApplicationPackage().getApplicationId().instance().equals(defaultName())) return false;
- if (model.getAdmin().getApplicationType() != ApplicationType.DEFAULT) return false;
-
- return true;
- }
-}
diff --git a/config-model/src/test/java/com/yahoo/vespa/model/application/validation/AwsAccessControlValidatorTest.java b/config-model/src/test/java/com/yahoo/vespa/model/application/validation/AwsAccessControlValidatorTest.java
deleted file mode 100644
index e2386e145ca..00000000000
--- a/config-model/src/test/java/com/yahoo/vespa/model/application/validation/AwsAccessControlValidatorTest.java
+++ /dev/null
@@ -1,23 +0,0 @@
-// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.vespa.model.application.validation;
-
-import com.yahoo.config.provision.Cloud;
-import com.yahoo.config.provision.Environment;
-import com.yahoo.config.provision.RegionName;
-import com.yahoo.config.provision.SystemName;
-import com.yahoo.config.provision.Zone;
-import org.junit.Before;
-
-/**
- * @author gjoranv
- */
-public class AwsAccessControlValidatorTest extends AccessControlValidatorTestBase {
-
- @Before
- public void setup() {
- validator = new AwsAccessControlValidator();
- zone = new Zone(Cloud.builder().requireAccessControl(true).build(),
- SystemName.main, Environment.prod, RegionName.from("foo"));
- }
-
-}
diff --git a/config-model/src/test/java/com/yahoo/vespa/model/application/validation/first/AccessControlOnFirstDeploymentValidatorTest.java b/config-model/src/test/java/com/yahoo/vespa/model/application/validation/first/AccessControlOnFirstDeploymentValidatorTest.java
deleted file mode 100644
index b9e92e1b866..00000000000
--- a/config-model/src/test/java/com/yahoo/vespa/model/application/validation/first/AccessControlOnFirstDeploymentValidatorTest.java
+++ /dev/null
@@ -1,21 +0,0 @@
-// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.vespa.model.application.validation.first;
-
-import com.yahoo.config.provision.Environment;
-import com.yahoo.config.provision.RegionName;
-import com.yahoo.config.provision.Zone;
-import com.yahoo.vespa.model.application.validation.AccessControlValidatorTestBase;
-import org.junit.Before;
-
-/**
- * @author gjoranv
- */
-public class AccessControlOnFirstDeploymentValidatorTest extends AccessControlValidatorTestBase {
-
- @Before
- public void setup() {
- validator = new AccessControlOnFirstDeploymentValidator();
- zone = new Zone(Environment.prod, RegionName.from("foo"));
- }
-
-} |