author | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2020-02-17 16:55:48 +0100 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2020-02-17 16:55:48 +0100 |
commit | b89cdf9c50e6294760a01d9d08698ef8bce17ec6 (patch) | |
tree | cf14f61b1090e21dd9d90c2e3f8d11338d33c689 /security-tools | |
parent | 84d21444ee5308d781990f09eb87739e265b197f (diff) |
Support disabled hostname validation in vespa-security-env + vespa-curl-wrapper
Diffstat (limited to 'security-tools')
8 files changed, 16 insertions, 1 deletions
diff --git a/security-tools/src/main/java/com/yahoo/vespa/security/tool/securityenv/Main.java b/security-tools/src/main/java/com/yahoo/vespa/security/tool/securityenv/Main.java
index 367d7b9dd83..c314d17e018 100644
--- a/security-tools/src/main/java/com/yahoo/vespa/security/tool/securityenv/Main.java
+++ b/security-tools/src/main/java/com/yahoo/vespa/security/tool/securityenv/Main.java
@@ -54,6 +54,9 @@ public class Main {
 MixedMode mixedMode = TransportSecurityUtils.getInsecureMixedMode(envVars);
 if (options.isPresent() && mixedMode != MixedMode.PLAINTEXT_CLIENT_MIXED_SERVER) {
 outputVariables.put(OutputVariable.TLS_ENABLED, "1");
+ if (options.get().isHostnameValidationDisabled()) {
+ outputVariables.put(OutputVariable.DISABLE_HOSTNAME_VALIDATION, "1");
+ }
 options.get().getCaCertificatesFile()
 .ifPresent(caCertFile -> outputVariables.put(OutputVariable.CA_CERTIFICATE, caCertFile.toString()));
 options.get().getCertificatesFile()
diff --git a/security-tools/src/main/java/com/yahoo/vespa/security/tool/securityenv/OutputVariable.java b/security-tools/src/main/java/com/yahoo/vespa/security/tool/securityenv/OutputVariable.java
index dd248d05aac..ad694751ad2 100644
--- a/security-tools/src/main/java/com/yahoo/vespa/security/tool/securityenv/OutputVariable.java
+++ b/security-tools/src/main/java/com/yahoo/vespa/security/tool/securityenv/OutputVariable.java
@@ -10,7 +10,8 @@ enum OutputVariable {
 TLS_ENABLED("VESPA_TLS_ENABLED", "Set to '1' if TLS is enabled in Vespa"),
 CA_CERTIFICATE("VESPA_TLS_CA_CERT", "Path to CA certificates file"),
 CERTIFICATE("VESPA_TLS_CERT", "Path to certificate file"),
- PRIVATE_KEY("VESPA_TLS_PRIVATE_KEY", "Path to private key file");
+ PRIVATE_KEY("VESPA_TLS_PRIVATE_KEY", "Path to private key file"),
+ DISABLE_HOSTNAME_VALIDATION("VESPA_TLS_DISABLE_HOSTNAME_VALIDATION", "Set to '1' if TLS hostname validation is disabled");
 
 private final String variableName;
 private final String description;
diff --git a/security-tools/src/main/sh/vespa-curl-wrapper b/security-tools/src/main/sh/vespa-curl-wrapper
index e286e121f64..c2e97febad2 100755
--- a/security-tools/src/main/sh/vespa-curl-wrapper
+++ b/security-tools/src/main/sh/vespa-curl-wrapper
@@ -88,6 +88,11 @@ then
 CURL_PARAMETERS=("${CURL_PARAMETERS[@]/http:/https:}")
 fi
 
+if [ -n "${VESPA_TLS_DISABLE_HOSTNAME_VALIDATION}" ]
+then
+ CURL_PARAMETERS=("--insecure" "${CURL_PARAMETERS[@]}")
+fi
+
 if [ -n "${VESPA_TLS_CA_CERT}" ]
 then
 CURL_PARAMETERS=("--cacert" "${VESPA_TLS_CA_CERT}" "${CURL_PARAMETERS[@]}")
diff --git a/security-tools/src/test/java/com/yahoo/vespa/security/tool/securityenv/MainTest.java b/security-tools/src/test/java/com/yahoo/vespa/security/tool/securityenv/MainTest.java
index b563ebd14f4..45626820f4d 100644
--- a/security-tools/src/test/java/com/yahoo/vespa/security/tool/securityenv/MainTest.java
+++ b/security-tools/src/test/java/com/yahoo/vespa/security/tool/securityenv/MainTest.java
@@ -106,6 +106,7 @@ public class MainTest {
 TransportSecurityOptions options = new TransportSecurityOptions.Builder()
 .withCertificates(Paths.get("/path/to/certificate"), Paths.get("/path/to/key"))
 .withCaCertificates(Paths.get("/path/to/cacerts"))
+ .withHostnameValidationDisabled(true)
 .build();
 Path configFile = tmpFolder.newFile().toPath();
 options.toJsonFile(configFile);
diff --git a/security-tools/src/test/resources/bash-output.txt b/security-tools/src/test/resources/bash-output.txt
index c07c667af47..a3a8b9e8e1f 100644
--- a/security-tools/src/test/resources/bash-output.txt
+++ b/security-tools/src/test/resources/bash-output.txt
@@ -2,3 +2,4 @@ VESPA_TLS_ENABLED="1"; export VESPA_TLS_ENABLED;
 VESPA_TLS_CA_CERT="/path/to/cacerts"; export VESPA_TLS_CA_CERT;
 VESPA_TLS_CERT="/path/to/certificate"; export VESPA_TLS_CERT;
 VESPA_TLS_PRIVATE_KEY="/path/to/key"; export VESPA_TLS_PRIVATE_KEY;
+VESPA_TLS_DISABLE_HOSTNAME_VALIDATION="1"; export VESPA_TLS_DISABLE_HOSTNAME_VALIDATION;
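Review bot: The new `--insecure` block disables curl's certificate-chain verification as well as hostname matching, so once VESPA_TLS_DISABLE_HOSTNAME_VALIDATION is set the `--cacert` argument added a few lines below no longer constrains which peer is accepted. As far as I know the curl command line offers no hostname-only bypass, so this widening should at least be stated next to the block, e.g. `# NOTE: curl has no hostname-only bypass; --insecure also skips CA verification of the peer certificate`. The condition is also looser than the producer's contract: Main.java emits the variable only with the value "1" and the OutputVariable description says "Set to '1'", but `[ -n ... ]` treats any non-empty value, including "0", as disabled; `if [ "${VESPA_TLS_DISABLE_HOSTNAME_VALIDATION}" = "1" ]` matches the documented meaning.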
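Review bot: Adding `.withHostnameValidationDisabled(true)` to this fixture turns the existing TLS-enabled test into the flag-set case, so unless another test in the file (not visible in this hunk) still builds options with validation enabled, nothing now asserts that VESPA_TLS_DISABLE_HOSTNAME_VALIDATION is omitted when hostname validation is on. A second fixture built without that call, checked against the previous bash and csh expected output, would cover the negative path. The enclosing test method starts and ends outside the hunk.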
diff --git a/security-tools/src/test/resources/csh-output.txt b/security-tools/src/test/resources/csh-output.txt
index 2b6716de92b..13027a64d71 100644
--- a/security-tools/src/test/resources/csh-output.txt
+++ b/security-tools/src/test/resources/csh-output.txt
@@ -2,3 +2,4 @@ setenv VESPA_TLS_ENABLED "1";
 setenv VESPA_TLS_CA_CERT "/path/to/cacerts";
 setenv VESPA_TLS_CERT "/path/to/certificate";
 setenv VESPA_TLS_PRIVATE_KEY "/path/to/key";
+setenv VESPA_TLS_DISABLE_HOSTNAME_VALIDATION "1";
diff --git a/security-tools/src/test/resources/expected-help-output.txt b/security-tools/src/test/resources/expected-help-output.txt
index 7d125fe15a2..fb0dfb1f2c8 100644
--- a/security-tools/src/test/resources/expected-help-output.txt
+++ b/security-tools/src/test/resources/expected-help-output.txt
@@ -9,3 +9,5 @@ The output may include the following variables:
 - 'VESPA_TLS_CA_CERT': Path to CA certificates file
 - 'VESPA_TLS_CERT': Path to certificate file
 - 'VESPA_TLS_PRIVATE_KEY': Path to private key file
+ - 'VESPA_TLS_DISABLE_HOSTNAME_VALIDATION': Set to '1' if TLS hostname
+validation is disabled
diff --git a/security-tools/src/test/resources/no-security-output.txt b/security-tools/src/test/resources/no-security-output.txt
index 3467f1316b5..eaa9831caf8 100644
--- a/security-tools/src/test/resources/no-security-output.txt
+++ b/security-tools/src/test/resources/no-security-output.txt
@@ -2,3 +2,4 @@ unset VESPA_TLS_ENABLED;
 unset VESPA_TLS_CA_CERT;
 unset VESPA_TLS_CERT;
 unset VESPA_TLS_PRIVATE_KEY;
+unset VESPA_TLS_DISABLE_HOSTNAME_VALIDATION;
|