authorBjørn Christian Seime <bjorncs@yahooinc.com>2022-07-19 11:22:47 +0200
committerBjørn Christian Seime <bjorncs@yahooinc.com>2022-07-20 13:56:33 +0200
commitaedcb7eaea2ee9f059ff55f819a6b8f91aaa15ae (patch)
tree7123c48a22628922962fef424059fc4ac18a9b47 /security-utils
parent46ba1b00aa19e937e2c257b34c23417adeef56eb (diff)
Add environment variable for capabilities enforcement mode
Diffstat (limited to 'security-utils')
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/CapabilityMode.java26
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityUtils.java7
2 files changed, 33 insertions, 0 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/CapabilityMode.java b/security-utils/src/main/java/com/yahoo/security/tls/CapabilityMode.java
new file mode 100644
index 00000000000..c2fa11ce7f7
--- /dev/null
+++ b/security-utils/src/main/java/com/yahoo/security/tls/CapabilityMode.java
@@ -0,0 +1,26 @@
+// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.security.tls;
+
+import java.util.Arrays;
+
+/**
+ * @author bjorncs
+ */
+public enum CapabilityMode {
+ DISABLE("disable"), LOG_ONLY("log_only"), ENFORCE("enforce");
+
+ private final String configValue;
+
+ CapabilityMode(String configValue) { this.configValue = configValue; }
+
+ public String configValue() { return configValue; }
+
+ /** @return Default value when mode is not explicitly specified */
+ public static CapabilityMode defaultValue() { return DISABLE; }
+
+ public static CapabilityMode fromConfigValue(String configValue) {
+ return Arrays.stream(values())
+ .filter(c -> c.configValue.equals(configValue))
+ .findFirst().orElseThrow(() -> new IllegalArgumentException("Unknown value: " + configValue));
+ }
+}
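Review bot: The enum carries only an `@author` tag, so nothing says what DISABLE, LOG_ONLY and ENFORCE actually do, and `defaultValue()` selects DISABLE, meaning an absent setting turns capability checks off entirely without that being stated anywhere a reader of TransportSecurityUtils would look. A class-level Javadoc should describe the three modes and name the default as the non-enforcing one; on `defaultValue()` the existing one-liner could read `/** @return Mode used when none is configured: {@link #DISABLE}, i.e. no capability enforcement */`. The message in `fromConfigValue` would also help operators more if it listed the accepted config values (`disable`, `log_only`, `enforce`) next to the rejected one, since the enum constant names differ from the config strings.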
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityUtils.java b/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityUtils.java
index cbd3857d2d5..21d97613f95 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityUtils.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityUtils.java
@@ -18,6 +18,7 @@ public class TransportSecurityUtils {
public static final String CONFIG_FILE_ENVIRONMENT_VARIABLE = "VESPA_TLS_CONFIG_FILE";
public static final String INSECURE_MIXED_MODE_ENVIRONMENT_VARIABLE = "VESPA_TLS_INSECURE_MIXED_MODE";
public static final String INSECURE_AUTHORIZATION_MODE_ENVIRONMENT_VARIABLE = "VESPA_TLS_INSECURE_AUTHORIZATION_MODE";
+ public static final String CAPABILITIES_ENV_VAR = "VESPA_TLS_CAPABILITIES_ENFORCEMENT_MODE";
private TransportSecurityUtils() {}
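Review bot: The new constant `CAPABILITIES_ENV_VAR` breaks the `*_ENVIRONMENT_VARIABLE` naming used by the three sibling constants directly above it, and as a public field it becomes API as soon as it ships. `public static final String CAPABILITIES_ENFORCEMENT_MODE_ENVIRONMENT_VARIABLE = "VESPA_TLS_CAPABILITIES_ENFORCEMENT_MODE";` would keep the pattern and also carry the "enforcement mode" part of the variable name, which the abbreviated identifier drops. The only other use in this commit is the `getEnvironmentVariable(...)` call in `getCapabilityMode()` in the next hunk, so the rename is cheap now.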
@@ -49,6 +50,12 @@ public class TransportSecurityUtils {
.orElse(AuthorizationMode.defaultValue());
}
+ public static CapabilityMode getCapabilityMode() {
+ return getEnvironmentVariable(System.getenv(), CAPABILITIES_ENV_VAR)
+ .map(CapabilityMode::fromConfigValue)
+ .orElse(CapabilityMode.defaultValue());
+ }
+
public static Optional<Path> getConfigFile() {
return getConfigFile(System.getenv());
}
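Review bot: `getCapabilityMode()` has no Javadoc, and its two failure paths differ in a way callers of a static getter will not expect: an unset variable falls back to `CapabilityMode.defaultValue()`, whereas a set-but-unrecognised value propagates the IllegalArgumentException from `fromConfigValue` rather than falling back. That fail-fast on a misspelled value is the safer of the two behaviours, so it is worth stating rather than leaving to be discovered at startup; a Javadoc such as `/** Capability enforcement mode from the {@code VESPA_TLS_CAPABILITIES_ENFORCEMENT_MODE} environment variable; {@link CapabilityMode#defaultValue()} when unset. @throws IllegalArgumentException if the variable holds an unrecognised value */` covers both. `getEnvironmentVariable` is defined outside the hunk, so this assumes it returns an empty Optional for an unset variable as the AuthorizationMode getter above appears to rely on.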