4 files changed, 29 insertions, 7 deletions
diff --git a/config-model-api/abi-spec.json b/config-model-api/abi-spec.json index acde86824b8..b67b496a7ce 100644 --- a/config-model-api/abi-spec.json +++ b/config-model-api/abi-spec.json @@ -451,7 +451,8 @@ "public static final enum com.yahoo.config.application.api.ValidationId globalDocumentChange", "public static final enum com.yahoo.config.application.api.ValidationId configModelVersionMismatch", "public static final enum com.yahoo.config.application.api.ValidationId skipOldConfigModels", - "public static final enum com.yahoo.config.application.api.ValidationId forceAutomaticTenantUpgradeTests" + "public static final enum com.yahoo.config.application.api.ValidationId forceAutomaticTenantUpgradeTests", + "public static final enum com.yahoo.config.application.api.ValidationId accessControl" ] }, "com.yahoo.config.application.api.ValidationOverrides$Allow": { diff --git a/config-model-api/src/main/java/com/yahoo/config/application/api/ValidationId.java b/config-model-api/src/main/java/com/yahoo/config/application/api/ValidationId.java index 6d8fd553502..65dc264eb8a 100644 --- a/config-model-api/src/main/java/com/yahoo/config/application/api/ValidationId.java +++ b/config-model-api/src/main/java/com/yahoo/config/application/api/ValidationId.java @@ -21,7 +21,8 @@ public enum ValidationId { globalDocumentChange("global-document-change"), // Changing global attribute for document types in content clusters configModelVersionMismatch("config-model-version-mismatch"), // Internal use skipOldConfigModels("skip-old-config-models"), // Internal use - forceAutomaticTenantUpgradeTests("force-automatic-tenant-upgrade-test"); // Internal use + forceAutomaticTenantUpgradeTests("force-automatic-tenant-upgrade-test"), // Internal use + accessControl("access-control"); // Internal use, used in zones where there should be no access-control private final String id; 
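Review bot: The trailing comment on the new `accessControl` constant in ValidationId.java does not say what the override actually suppresses, and "used in zones where there should be no access-control" can be read as either a restriction or a description. Going by the validator message changed later in this commit, something like `// Internal use: allows container clusters without write access-control in production zones` would state the effect directly. Since this id disables a security check rather than a compatibility check, the comment is the place a reader will look to learn that.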
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/application/validation/first/AccessControlValidator.java b/config-model/src/main/java/com/yahoo/vespa/model/application/validation/first/AccessControlValidator.java index a89f96453fb..9a272a08fec 100644 --- a/config-model/src/main/java/com/yahoo/vespa/model/application/validation/first/AccessControlValidator.java +++ b/config-model/src/main/java/com/yahoo/vespa/model/application/validation/first/AccessControlValidator.java @@ -1,6 +1,7 @@ // Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. package com.yahoo.vespa.model.application.validation.first; +import com.yahoo.config.application.api.ValidationId; import com.yahoo.config.model.ConfigModelContext.ApplicationType; import com.yahoo.config.model.deploy.DeployState; import com.yahoo.vespa.model.VespaModel; @@ -42,9 +43,9 @@ public class AccessControlValidator extends Validator { offendingClusters.add(cluster.getName()); } if (! offendingClusters.isEmpty()) - throw new IllegalArgumentException( - "Access-control must be enabled for write operations to container clusters in production zones: " + - mkString(offendingClusters, "[", ", ", "].")); + deployState.validationOverrides().invalid(ValidationId.accessControl, + "Access-control must be enabled for write operations to container clusters in production zones: " + + mkString(offendingClusters, "[", ", ", "]."), deployState.now()); } private boolean hasHandlerThatNeedsProtection(ApplicationContainerCluster cluster) { diff --git a/config-model/src/test/java/com/yahoo/vespa/model/application/validation/first/AccessControlValidatorTest.java b/config-model/src/test/java/com/yahoo/vespa/model/application/validation/first/AccessControlValidatorTest.java index 84a5b69c5f2..17ca0e2dd07 100644 --- a/config-model/src/test/java/com/yahoo/vespa/model/application/validation/first/AccessControlValidatorTest.java 
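Review bot: Replacing the unconditional `throw` with `deployState.validationOverrides().invalid(ValidationId.accessControl, ...)` in AccessControlValidator turns the production access-control requirement into something the deployed package can waive. The test added in this commit supplies the override through the application package's validation-overrides XML, so the "Internal use" label on the enum constant is not enforced by anything visible in this diff. If the exemption is meant only for particular zones, the decision should depend on operator-controlled state (zone or deploy properties) as well, with the override honoured only when that state permits it. Whichever way that goes, a deployment that passes only because of this override should leave a warning in the deploy log so it can be audited. The enclosing `validate` method starts outside the hunk.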
+++ b/config-model/src/test/java/com/yahoo/vespa/model/application/validation/first/AccessControlValidatorTest.java @@ -16,6 +16,10 @@ import org.junit.rules.ExpectedException; import org.xml.sax.SAXException; import java.io.IOException; +import java.time.Instant; +import java.time.LocalDate; +import java.time.ZoneOffset; +import java.time.format.DateTimeFormatter; import static com.yahoo.config.model.test.TestUtil.joinLines; import static com.yahoo.config.provision.Environment.prod; @@ -85,7 +89,6 @@ public class AccessControlValidatorTest { VespaModel model = new VespaModel(new NullConfigModelRegistry(), deployState); new AccessControlValidator().validate(model, deployState); - } @Test 
@@ -133,15 +136,31 @@ public class AccessControlValidatorTest { new AccessControlValidator().validate(model, deployState); } + @Test + public void write_protection_is_not_required_with_validation_override() throws IOException, SAXException{ + DeployState deployState = deployState(servicesXml(true, false), + "<validation-overrides><allow until='2000-01-30'>access-control</allow></validation-overrides>", + LocalDate.parse("2000-01-01", DateTimeFormatter.ISO_DATE).atStartOfDay().atZone(ZoneOffset.UTC).toInstant()); + VespaModel model = new VespaModel(new NullConfigModelRegistry(), deployState); + + new AccessControlValidator().validate(model, deployState); + } + private static DeployState deployState(String servicesXml) { + return deployState(servicesXml, "<validation-overrides></validation-overrides>", Instant.now()); + } + + private static DeployState deployState(String servicesXml, String validationOverrides, Instant now) { ApplicationPackage app = new MockApplicationPackage.Builder() .withServices(servicesXml) + .withValidationOverrides(validationOverrides) .build(); DeployState.Builder builder = new DeployState.Builder() .applicationPackage(app) .zone(new Zone(Environment.prod, RegionName.from("foo")) ) - .properties(new TestProperties().setHostedVespa(true)); + .properties(new TestProperties().setHostedVespa(true)) + .now(now); final DeployState deployState = builder.build(); assertTrue("Test must emulate a hosted deployment.", deployState.isHosted()); |
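Review bot: The new test `write_protection_is_not_required_with_validation_override` covers only the accepted case, so nothing pins that the validator still rejects the deployment once the `until` date has passed. For an override that switches off write protection in production, the expired case is the one most worth locking down. A companion test with the same XML and `now` set after `2000-01-30` is sketched below; it assumes the failure raised through `invalid(...)` is still an `IllegalArgumentException` or a subtype, which this diff does not show. The `deployState(String, String, Instant)` helper continues past the end of the hunk.

```java
// … unchanged: write_protection_is_not_required_with_validation_override …

@Test
public void write_protection_is_required_when_validation_override_has_expired() throws IOException, SAXException {
    DeployState deployState = deployState(servicesXml(true, false),
            "<validation-overrides><allow until='2000-01-30'>access-control</allow></validation-overrides>",
            LocalDate.parse("2000-02-15", DateTimeFormatter.ISO_DATE).atStartOfDay().atZone(ZoneOffset.UTC).toInstant());
    VespaModel model = new VespaModel(new NullConfigModelRegistry(), deployState);

    boolean rejected = false;
    try {
        new AccessControlValidator().validate(model, deployState);
    } catch (IllegalArgumentException expected) {
        rejected = true;
    }
    assertTrue("An expired access-control override must not disable the check.", rejected);
}

// … unchanged: deployState(String) and deployState(String, String, Instant) helpers …
```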