Diffstat (limited to 'config-model/src/test/java/com/yahoo/vespa/model/container/xml/AccessControlTest.java')
-rw-r--r-- | config-model/src/test/java/com/yahoo/vespa/model/container/xml/AccessControlTest.java | 125 |
1 files changed, 61 insertions, 64 deletions
diff --git a/config-model/src/test/java/com/yahoo/vespa/model/container/xml/AccessControlTest.java b/config-model/src/test/java/com/yahoo/vespa/model/container/xml/AccessControlTest.java index 2f962855470..faeac12f508 100644 --- a/config-model/src/test/java/com/yahoo/vespa/model/container/xml/AccessControlTest.java +++ b/config-model/src/test/java/com/yahoo/vespa/model/container/xml/AccessControlTest.java @@ -24,11 +24,11 @@ import com.yahoo.vespa.model.container.http.FilterChains; import com.yahoo.vespa.model.container.http.Http; import com.yahoo.vespa.model.container.http.ssl.HostedSslConnectorFactory; import org.hamcrest.Matchers; -import org.junit.Rule; -import org.junit.Test; -import org.junit.rules.TemporaryFolder; +import org.junit.jupiter.api.Test; +import org.junit.jupiter.api.io.TempDir; import org.w3c.dom.Element; +import java.io.File; import java.io.StringReader; import java.time.Duration; import java.util.ArrayList; @@ -40,10 +40,7 @@ import java.util.stream.Collectors; import static com.yahoo.vespa.defaults.Defaults.getDefaults; import static org.hamcrest.MatcherAssert.assertThat; import static org.hamcrest.Matchers.containsInAnyOrder; -import static org.junit.Assert.assertEquals; -import static org.junit.Assert.assertFalse; -import static org.junit.Assert.assertTrue; -import static org.junit.Assert.fail; +import static org.junit.jupiter.api.Assertions.*; /** * @author gjoranv @@ -52,11 +49,11 @@ import static org.junit.Assert.fail; */ public class AccessControlTest extends ContainerModelBuilderTestBase { - @Rule - public TemporaryFolder applicationFolder = new TemporaryFolder(); + @TempDir + public File applicationFolder; @Test - public void access_control_filter_chains_are_set_up() { + void access_control_filter_chains_are_set_up() { Http http = createModelAndGetHttp( " <http>", " <filtering>", 
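Review bot: The wildcard `import static org.junit.jupiter.api.Assertions.*;` in the second hunk is the style point I would raise: it replaces four explicit imports in a file that also statically imports Hamcrest's `assertThat` and `containsInAnyOrder`, so a reader can no longer see which assertion API a call resolves to, and any future `Assertions` method whose name collides with one of the other static imports would turn into a compile-time ambiguity rather than a visible choice. I would keep the imports explicit, mirroring the removed ones: `assertEquals`, `assertFalse`, `assertTrue` and `fail` from `org.junit.jupiter.api.Assertions`. Whether every one of those four is still referenced I cannot tell from the hunks shown.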
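Review bot: In the third hunk the replacement field `@TempDir public File applicationFolder;` keeps a `public` modifier that Jupiter does not require (the field only has to be non-private and non-final), while the same commit drops `public` from every test method; for consistency I would write `@TempDir File applicationFolder;`. Keeping the type as `File` rather than `Path` looks deliberate, since the old code passed `applicationFolder.getRoot()` (a `File`) to `MockApplicationPackage.Builder.withRoot`, but the builder's signature is outside this diff, so that is an inference.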
@@ -71,7 +68,7 @@ public class AccessControlTest extends ContainerModelBuilderTestBase { } @Test - public void properties_are_set_from_xml() { + void properties_are_set_from_xml() { Http http = createModelAndGetHttp( " <http>", " <filtering>", @@ -81,12 +78,12 @@ public class AccessControlTest extends ContainerModelBuilderTestBase { AccessControl accessControl = http.getAccessControl().get(); - assertEquals("Wrong domain.", "my-tenant-domain", accessControl.domain); + assertEquals("my-tenant-domain", accessControl.domain, "Wrong domain."); } @Test - public void access_control_excluded_filter_chain_has_all_bindings_from_excluded_handlers() { + void access_control_excluded_filter_chain_has_all_bindings_from_excluded_handlers() { Http http = createModelAndGetHttp( " <http>", " <filtering>", @@ -108,7 +105,7 @@ public class AccessControlTest extends ContainerModelBuilderTestBase { } @Test - public void access_control_excluded_chain_does_not_contain_any_bindings_from_access_control_chain() { + void access_control_excluded_chain_does_not_contain_any_bindings_from_access_control_chain() { Http http = createModelAndGetHttp( " <http>", " <filtering>", @@ -126,7 +123,7 @@ public class AccessControlTest extends ContainerModelBuilderTestBase { @Test - public void access_control_excluded_filter_chain_has_user_provided_excluded_bindings() { + void access_control_excluded_filter_chain_has_user_provided_excluded_bindings() { Http http = createModelAndGetHttp( " <http>", " <handler id='custom.Handler'>", @@ -147,7 +144,7 @@ public class AccessControlTest extends ContainerModelBuilderTestBase { } @Test - public void hosted_connector_for_port_4443_uses_access_control_filter_chain_as_default_request_filter_chain() { + void hosted_connector_for_port_4443_uses_access_control_filter_chain_as_default_request_filter_chain() { Http http = createModelAndGetHttp( " <http>", " <filtering>", 
@@ -158,7 +155,7 @@ public class AccessControlTest extends ContainerModelBuilderTestBase { Set<String> actualBindings = getFilterBindings(http, AccessControl.ACCESS_CONTROL_CHAIN_ID); assertTrue(actualBindings.isEmpty()); - HostedSslConnectorFactory hostedConnectorFactory = (HostedSslConnectorFactory)http.getHttpServer().get().getConnectorFactories().stream() + HostedSslConnectorFactory hostedConnectorFactory = (HostedSslConnectorFactory) http.getHttpServer().get().getConnectorFactories().stream() .filter(connectorFactory -> connectorFactory instanceof HostedSslConnectorFactory) .findAny() .get(); @@ -168,7 +165,7 @@ public class AccessControlTest extends ContainerModelBuilderTestBase { } @Test - public void access_control_is_implicitly_added_for_hosted_apps() { + void access_control_is_implicitly_added_for_hosted_apps() { Http http = createModelAndGetHttp("<container version='1.0'/>"); Optional<AccessControl> maybeAccessControl = http.getAccessControl(); assertTrue(maybeAccessControl.isPresent()); @@ -178,7 +175,7 @@ public class AccessControlTest extends ContainerModelBuilderTestBase { } @Test - public void access_control_is_implicitly_added_for_hosted_apps_with_existing_http_element() { + void access_control_is_implicitly_added_for_hosted_apps_with_existing_http_element() { Http http = createModelAndGetHttp( " <http>", " <server port='" + getDefaults().vespaWebServicePort() + "' id='main' />", @@ -195,7 +192,7 @@ public class AccessControlTest extends ContainerModelBuilderTestBase { } @Test - public void access_control_chain_exclude_chain_does_not_contain_duplicate_bindings_to_user_request_filter_chain() { + void access_control_chain_exclude_chain_does_not_contain_duplicate_bindings_to_user_request_filter_chain() { Http http = createModelAndGetHttp( " <http>", " <handler id='custom.Handler'>", 
@@ -228,7 +225,7 @@ public class AccessControlTest extends ContainerModelBuilderTestBase { } @Test - public void access_control_excludes_are_not_affected_by_user_response_filter_chain() { + void access_control_excludes_are_not_affected_by_user_response_filter_chain() { Http http = createModelAndGetHttp( " <http>", " <handler id='custom.Handler'>", @@ -265,7 +262,7 @@ public class AccessControlTest extends ContainerModelBuilderTestBase { } @Test - public void access_control_client_auth_defaults_to_need() { + void access_control_client_auth_defaults_to_need() { Http http = createModelAndGetHttp( " <http>", " <filtering>", @@ -277,7 +274,7 @@ public class AccessControlTest extends ContainerModelBuilderTestBase { } @Test - public void access_control_client_auth_can_be_overridden() { + void access_control_client_auth_can_be_overridden() { AthenzDomain tenantDomain = AthenzDomain.from("my-tenant-domain"); DeployState state = new DeployState.Builder().properties( new TestProperties() @@ -286,17 +283,17 @@ public class AccessControlTest extends ContainerModelBuilderTestBase { .allowDisableMtls(true)) .build(); Http http = createModelAndGetHttp(state, - " <http>", - " <filtering>", - " <access-control tls-handshake-client-auth=\"want\"/>", - " </filtering>", - " </http>"); + " <http>", + " <filtering>", + " <access-control tls-handshake-client-auth=\"want\"/>", + " </filtering>", + " </http>"); assertTrue(http.getAccessControl().isPresent()); assertEquals(AccessControl.ClientAuthentication.want, http.getAccessControl().get().clientAuthentication); } @Test - public void access_control_client_auth_cannot_be_overridden_when_disabled() { + void access_control_client_auth_cannot_be_overridden_when_disabled() { AthenzDomain tenantDomain = AthenzDomain.from("my-tenant-domain"); DeployState state = new DeployState.Builder().properties( new TestProperties() 
@@ -307,11 +304,11 @@ public class AccessControlTest extends ContainerModelBuilderTestBase { try { Http http = createModelAndGetHttp(state, - " <http>", - " <filtering>", - " <access-control tls-handshake-client-auth=\"want\"/>", - " </filtering>", - " </http>"); + " <http>", + " <filtering>", + " <access-control tls-handshake-client-auth=\"want\"/>", + " </filtering>", + " </http>"); fail("Overriding tls-handshake-client-auth allowed, but should have failed"); } catch (IllegalArgumentException e) { assertEquals("Overriding 'tls-handshake-client-auth' for application is not allowed.", e.getMessage()); @@ -319,7 +316,7 @@ public class AccessControlTest extends ContainerModelBuilderTestBase { } @Test - public void local_connector_has_default_chain() { + void local_connector_has_default_chain() { Http http = createModelAndGetHttp( " <http>", " <filtering>", 
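Review bot: The try/`fail`/catch idiom in the first hunk survives the move to Jupiter unchanged, although `Assertions.assertThrows` (in scope through the new static import) states the same expectation — that an application may not weaken `tls-handshake-client-auth` when the override is disabled — in fewer lines, keeps the exact-message check, and does not leave an unused `Http http` local behind. The rewrite below replaces the whole try block and catch clause; it assumes `state` is effectively final, which the single declaration visible in the previous hunk suggests, but the rest of the method body lies outside this hunk. The same idiom appears in `missing_security_clients_pem_fails_in_public` (the hunk at -392), where the bare `fail()` additionally carries no message and the catch is the broad `RuntimeException`; the comparable rewrite there is `RuntimeException e = assertThrows(RuntimeException.class, () -> createModel(root, state, null, clusterElem));` followed by the existing `assertEquals` on `e.getMessage()`, and that method starts outside its hunk.
```java
        IllegalArgumentException e = assertThrows(IllegalArgumentException.class, () ->
                createModelAndGetHttp(state,
                        // … unchanged: the five "<http>…</http>" string arguments …
                        ));
        assertEquals("Overriding 'tls-handshake-client-auth' for application is not allowed.", e.getMessage());
```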
@@ -341,22 +338,22 @@ public class AccessControlTest extends ContainerModelBuilderTestBase { } @Test - public void client_authentication_is_enforced() { + void client_authentication_is_enforced() { Element clusterElem = DomBuilderTest.parse( "<container version='1.0'>", nodesXml, " <http><filtering>" + " <access-control domain=\"vespa\" tls-handshake-client-auth=\"need\"/>" + " </filtering></http>" + - "</container>" ); + "</container>"); DeployState state = new DeployState.Builder().properties( - new TestProperties() - .setHostedVespa(true) - .setEndpointCertificateSecrets(Optional.of(new EndpointCertificateSecrets("CERT", "KEY")))) + new TestProperties() + .setHostedVespa(true) + .setEndpointCertificateSecrets(Optional.of(new EndpointCertificateSecrets("CERT", "KEY")))) .build(); createModel(root, state, null, clusterElem); - ApplicationContainer container = (ApplicationContainer)root.getProducer("container/container.0"); + ApplicationContainer container = (ApplicationContainer) root.getProducer("container/container.0"); List<ConnectorFactory> connectorFactories = container.getHttp().getHttpServer().get().getConnectorFactories(); ConnectorFactory tlsPort = connectorFactories.stream().filter(connectorFactory -> connectorFactory.getListenPort() == 4443).findFirst().orElseThrow(); 
@@ -371,14 +368,14 @@ public class AccessControlTest extends ContainerModelBuilderTestBase { assertEquals("KEY", connectorConfig.ssl().privateKey()); assertEquals(4443, connectorConfig.listenPort()); - assertEquals("Connector must use Athenz truststore in a non-public system.", - "/opt/yahoo/share/ssl/certs/athenz_certificate_bundle.pem", - connectorConfig.ssl().caCertificateFile()); + assertEquals("/opt/yahoo/share/ssl/certs/athenz_certificate_bundle.pem", + connectorConfig.ssl().caCertificateFile(), + "Connector must use Athenz truststore in a non-public system."); assertTrue(connectorConfig.ssl().caCertificate().isEmpty()); } @Test - public void missing_security_clients_pem_fails_in_public() { + void missing_security_clients_pem_fails_in_public() { Element clusterElem = DomBuilderTest.parse("<container version='1.0' />"); try { @@ -392,16 +389,16 @@ public class AccessControlTest extends ContainerModelBuilderTestBase { createModel(root, state, null, clusterElem); } catch (RuntimeException e) { assertEquals("Client certificate authority security/clients.pem is missing - see: https://cloud.vespa.ai/en/security-model#data-plane", - e.getMessage()); + e.getMessage()); return; } fail(); } @Test - public void security_clients_pem_is_picked_up() { + void security_clients_pem_is_picked_up() { var applicationPackage = new MockApplicationPackage.Builder() - .withRoot(applicationFolder.getRoot()) + .withRoot(applicationFolder) .build(); applicationPackage.getFile(Path.fromString("security")).createDirectory(); @@ -416,9 +413,9 @@ public class AccessControlTest extends ContainerModelBuilderTestBase { } @Test - public void operator_certificates_are_joined_with_clients_pem() { + void operator_certificates_are_joined_with_clients_pem() { var applicationPackage = new MockApplicationPackage.Builder() - .withRoot(applicationFolder.getRoot()) + .withRoot(applicationFolder) .build(); var applicationTrustCert = X509CertificateUtils.toPem( 
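Review bot: The reordered three-line `assertEquals` on the Athenz CA bundle path in the first hunk is duplicated verbatim in the hunk at -510, including the "Connector must use Athenz truststore in a non-public system." message, so the two tests can drift apart the next time the path or the wording changes. Since the commit already touches both copies, I would fold them into one private helper in this class, for example `private static void assertUsesAthenzTruststore(var connectorConfig)` with the concrete type of `connectorConfig` taken from the surrounding method (its declaration is outside the hunk), and call it from both tests. The argument order itself is correct for Jupiter's `assertEquals(expected, actual, message)`.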
@@ -429,10 +426,10 @@ public class AccessControlTest extends ContainerModelBuilderTestBase { applicationPackage.getFile(Path.fromString("security/clients.pem")).writeFile(new StringReader(applicationTrustCert)); var deployState = new DeployState.Builder().properties( - new TestProperties() - .setOperatorCertificates(List.of(operatorCert)) - .setHostedVespa(true) - .setEndpointCertificateSecrets(Optional.of(new EndpointCertificateSecrets("CERT", "KEY")))) + new TestProperties() + .setOperatorCertificates(List.of(operatorCert)) + .setHostedVespa(true) + .setEndpointCertificateSecrets(Optional.of(new EndpointCertificateSecrets("CERT", "KEY")))) .zone(new Zone(SystemName.PublicCd, Environment.dev, RegionName.defaultName())) .applicationPackage(applicationPackage) .build(); @@ -441,7 +438,7 @@ public class AccessControlTest extends ContainerModelBuilderTestBase { createModel(root, deployState, null, clusterElem); - ApplicationContainer container = (ApplicationContainer)root.getProducer("container/container.0"); + ApplicationContainer container = (ApplicationContainer) root.getProducer("container/container.0"); List<ConnectorFactory> connectorFactories = container.getHttp().getHttpServer().get().getConnectorFactories(); ConnectorFactory tlsPort = connectorFactories.stream().filter(connectorFactory -> connectorFactory.getListenPort() == 4443).findFirst().orElseThrow(); 
@@ -458,15 +455,15 @@ public class AccessControlTest extends ContainerModelBuilderTestBase { } @Test - public void require_allowed_ciphers() { + void require_allowed_ciphers() { Element clusterElem = DomBuilderTest.parse( "<container version='1.0'>", nodesXml, - "</container>" ); + "</container>"); DeployState state = new DeployState.Builder().properties(new TestProperties().setHostedVespa(true).setEndpointCertificateSecrets(Optional.of(new EndpointCertificateSecrets("CERT", "KEY")))).build(); createModel(root, state, null, clusterElem); - ApplicationContainer container = (ApplicationContainer)root.getProducer("container/container.0"); + ApplicationContainer container = (ApplicationContainer) root.getProducer("container/container.0"); List<ConnectorFactory> connectorFactories = container.getHttp().getHttpServer().get().getConnectorFactories(); ConnectorFactory tlsPort = connectorFactories.stream().filter(connectorFactory -> connectorFactory.getListenPort() == 4443).findFirst().orElseThrow(); @@ -479,15 +476,15 @@ public class AccessControlTest extends ContainerModelBuilderTestBase { } @Test - public void providing_endpoint_certificate_secrets_opens_port_4443() { + void providing_endpoint_certificate_secrets_opens_port_4443() { Element clusterElem = DomBuilderTest.parse( "<container version='1.0'>", nodesXml, - "</container>" ); + "</container>"); DeployState state = new DeployState.Builder().properties(new TestProperties().setHostedVespa(true).setEndpointCertificateSecrets(Optional.of(new EndpointCertificateSecrets("CERT", "KEY")))).build(); createModel(root, state, null, clusterElem); - ApplicationContainer container = (ApplicationContainer)root.getProducer("container/container.0"); + ApplicationContainer container = (ApplicationContainer) root.getProducer("container/container.0"); // Verify that there are two connectors List<ConnectorFactory> connectorFactories = container.getHttp().getHttpServer().get().getConnectorFactories(); 
@@ -510,9 +507,9 @@ public class AccessControlTest extends ContainerModelBuilderTestBase { assertEquals("KEY", connectorConfig.ssl().privateKey()); assertEquals(4443, connectorConfig.listenPort()); - assertEquals("Connector must use Athenz truststore in a non-public system.", - "/opt/yahoo/share/ssl/certs/athenz_certificate_bundle.pem", - connectorConfig.ssl().caCertificateFile()); + assertEquals("/opt/yahoo/share/ssl/certs/athenz_certificate_bundle.pem", + connectorConfig.ssl().caCertificateFile(), + "Connector must use Athenz truststore in a non-public system."); assertTrue(connectorConfig.ssl().caCertificate().isEmpty()); } |