authorBjørn Christian Seime <bjorncs@yahooinc.com>2023-02-14 11:25:59 +0100
committerGitHub <noreply@github.com>2023-02-14 11:25:59 +0100
commit221d3f99ba7a724fe142942e64f8f3404d63ae85 (patch)
tree2c688755bd81055786fed1e629de5e1b1c0dced9 /container-core
parent993b65076edcccce7e4e9e197fa172dedfd96a63 (diff)
parent2bbc49b697aa9636c4121aefd20487a2c16c839a (diff)
Merge pull request #26026 from vespa-engine/bjorncs/capabilities
Require capabilities for built-in request handlers
Diffstat (limited to 'container-core')
-rw-r--r--container-core/src/main/java/com/yahoo/container/handler/metrics/HttpHandlerBase.java7
-rw-r--r--container-core/src/main/java/com/yahoo/container/jdisc/state/StateHandler.java10
-rw-r--r--container-core/src/main/java/com/yahoo/container/jdisc/utils/CapabilityRequiringRequestHandler.java6
-rw-r--r--container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/CapabilityEnforcingRequestHandler.java2
4 files changed, 17 insertions, 8 deletions
diff --git a/container-core/src/main/java/com/yahoo/container/handler/metrics/HttpHandlerBase.java b/container-core/src/main/java/com/yahoo/container/handler/metrics/HttpHandlerBase.java
index 71e5e8db3e5..ab57f654294 100644
--- a/container-core/src/main/java/com/yahoo/container/handler/metrics/HttpHandlerBase.java
+++ b/container-core/src/main/java/com/yahoo/container/handler/metrics/HttpHandlerBase.java
@@ -7,8 +7,11 @@ import com.fasterxml.jackson.databind.node.ArrayNode;
import com.fasterxml.jackson.databind.node.ObjectNode;
import com.yahoo.container.jdisc.HttpRequest;
import com.yahoo.container.jdisc.HttpResponse;
+import com.yahoo.container.jdisc.RequestView;
import com.yahoo.container.jdisc.ThreadedHttpRequestHandler;
+import com.yahoo.container.jdisc.utils.CapabilityRequiringRequestHandler;
import com.yahoo.restapi.Path;
+import com.yahoo.security.tls.Capability;
import java.net.URI;
import java.time.Duration;
@@ -26,7 +29,7 @@ import static java.util.logging.Level.WARNING;
/**
* @author gjoranv
*/
-public abstract class HttpHandlerBase extends ThreadedHttpRequestHandler {
+public abstract class HttpHandlerBase extends ThreadedHttpRequestHandler implements CapabilityRequiringRequestHandler {
private static final ObjectMapper jsonMapper = new ObjectMapper();
private final Duration defaultTimeout;
@@ -42,6 +45,8 @@ public abstract class HttpHandlerBase extends ThreadedHttpRequestHandler {
protected abstract Optional<HttpResponse> doHandle(URI requestUri, Path apiPath, String consumer);
+ @Override public Capability requiredCapability(RequestView __) { return Capability.METRICSPROXY__METRICS_API; }
+
@Override
public Duration getTimeout() {
return defaultTimeout;
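Review bot: The `requiredCapability` override added to `HttpHandlerBase` stays overridable in an abstract base class, so any subclass can swap `Capability.METRICSPROXY__METRICS_API` for a weaker capability without that showing up in this file. If no subclass is meant to choose its own capability, declare it `@Override public final Capability requiredCapability(RequestView __)`. Otherwise add a short Javadoc such as `/** Capability required for every endpoint served by subclasses; overrides must not relax it. */`. The same applies to the `requiredCapability` override added to the non-final `StateHandler` further down. The class body continues outside this hunk, so existing subclass overrides cannot be checked from here.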
diff --git a/container-core/src/main/java/com/yahoo/container/jdisc/state/StateHandler.java b/container-core/src/main/java/com/yahoo/container/jdisc/state/StateHandler.java
index 629bb29a460..e1ec22bd622 100644
--- a/container-core/src/main/java/com/yahoo/container/jdisc/state/StateHandler.java
+++ b/container-core/src/main/java/com/yahoo/container/jdisc/state/StateHandler.java
@@ -6,12 +6,13 @@ import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.node.ArrayNode;
import com.fasterxml.jackson.databind.node.ObjectNode;
-import com.yahoo.component.annotation.Inject;
import com.yahoo.collections.Tuple2;
import com.yahoo.component.Vtag;
+import com.yahoo.component.annotation.Inject;
import com.yahoo.component.provider.ComponentRegistry;
import com.yahoo.container.core.ApplicationMetadataConfig;
-import com.yahoo.container.logging.LevelsModSpec;
+import com.yahoo.container.jdisc.RequestView;
+import com.yahoo.container.jdisc.utils.CapabilityRequiringRequestHandler;
import com.yahoo.jdisc.Request;
import com.yahoo.jdisc.Response;
import com.yahoo.jdisc.Timer;
@@ -21,6 +22,7 @@ import com.yahoo.jdisc.handler.ContentChannel;
import com.yahoo.jdisc.handler.ResponseDispatch;
import com.yahoo.jdisc.handler.ResponseHandler;
import com.yahoo.jdisc.http.HttpHeaders;
+import com.yahoo.security.tls.Capability;
import java.io.ByteArrayOutputStream;
import java.io.PrintStream;
@@ -40,7 +42,7 @@ import static com.yahoo.container.jdisc.state.JsonUtil.sanitizeDouble;
*
* @author Simon Thoresen Hult
*/
-public class StateHandler extends AbstractRequestHandler {
+public class StateHandler extends AbstractRequestHandler implements CapabilityRequiringRequestHandler {
private static final ObjectMapper jsonMapper = new ObjectMapper();
@@ -66,6 +68,8 @@ public class StateHandler extends AbstractRequestHandler {
snapshotProvider = getSnapshotProviderOrThrow(snapshotProviders);
}
+ @Override public Capability requiredCapability(RequestView __) { return Capability.CONTAINER__STATE_API; }
+
static SnapshotProvider getSnapshotProviderOrThrow(ComponentRegistry<SnapshotProvider> preprocessors) {
List<SnapshotProvider> allPreprocessors = preprocessors.allComponents();
if (allPreprocessors.size() > 0) {
diff --git a/container-core/src/main/java/com/yahoo/container/jdisc/utils/CapabilityRequiringRequestHandler.java b/container-core/src/main/java/com/yahoo/container/jdisc/utils/CapabilityRequiringRequestHandler.java
index abb30ba2544..695cf1cff4a 100644
--- a/container-core/src/main/java/com/yahoo/container/jdisc/utils/CapabilityRequiringRequestHandler.java
+++ b/container-core/src/main/java/com/yahoo/container/jdisc/utils/CapabilityRequiringRequestHandler.java
@@ -11,9 +11,9 @@ import com.yahoo.security.tls.CapabilitySet;
* @author bjorncs
*/
public interface CapabilityRequiringRequestHandler extends RequestHandler {
+ Capability DEFAULT_REQUIRED_CAPABILITY = Capability.HTTP_UNCLASSIFIED;
- CapabilitySet DEFAULT_REQUIRED_CAPABILITIES = CapabilitySet.of(Capability.HTTP_UNCLASSIFIED);
-
- default CapabilitySet requiredCapabilities(RequestView req) { return DEFAULT_REQUIRED_CAPABILITIES; }
+ default CapabilitySet requiredCapabilities(RequestView req) { return requiredCapability(req).toCapabilitySet(); }
+ default Capability requiredCapability(RequestView req) { return DEFAULT_REQUIRED_CAPABILITY; }
}
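Review bot: The interface now exposes two overridable defaults, `requiredCapabilities` and `requiredCapability`, with nothing documenting which one the enforcement path uses. `CapabilityEnforcingRequestHandler` calls only `requiredCapabilities(...)`, so if a handler or one of its parents overrides `requiredCapabilities`, a later `requiredCapability` override is silently ignored. I would add Javadoc to both methods, e.g. `/** Capabilities enforced for the request; defaults to the single capability from {@link #requiredCapability}. Override one of the two, not both. */`. Removing the public constant `DEFAULT_REQUIRED_CAPABILITIES` also breaks any implementer outside this module that referenced it; whether such code exists is not visible here.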
diff --git a/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/CapabilityEnforcingRequestHandler.java b/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/CapabilityEnforcingRequestHandler.java
index d298f11860c..dde864704cb 100644
--- a/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/CapabilityEnforcingRequestHandler.java
+++ b/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/CapabilityEnforcingRequestHandler.java
@@ -42,7 +42,7 @@ class CapabilityEnforcingRequestHandler implements DelegatedRequestHandler {
DelegatedRequestHandler.resolve(CapabilityRequiringRequestHandler.class, wrapped).orElse(null);
var requiredCapabilities = capabilityRequiringHandler != null
? capabilityRequiringHandler.requiredCapabilities(new View(req))
- : CapabilityRequiringRequestHandler.DEFAULT_REQUIRED_CAPABILITIES;
+ : CapabilityRequiringRequestHandler.DEFAULT_REQUIRED_CAPABILITY.toCapabilitySet();
var authCtx = Optional.ofNullable(req.context().get(RequestUtils.JDISC_REQUEST_SSLSESSION))
.flatMap(s -> TransportSecurityUtils.getConnectionAuthContext((SSLSession) s))
.orElse(null);