Diffstat (limited to 'config-model/src/test/java/com/yahoo/vespa/model/container/xml/AccessControlTest.java')
-rw-r--r--config-model/src/test/java/com/yahoo/vespa/model/container/xml/AccessControlTest.java125
1 files changed, 61 insertions, 64 deletions
diff --git a/config-model/src/test/java/com/yahoo/vespa/model/container/xml/AccessControlTest.java b/config-model/src/test/java/com/yahoo/vespa/model/container/xml/AccessControlTest.java
index 2f962855470..faeac12f508 100644
--- a/config-model/src/test/java/com/yahoo/vespa/model/container/xml/AccessControlTest.java
+++ b/config-model/src/test/java/com/yahoo/vespa/model/container/xml/AccessControlTest.java
@@ -24,11 +24,11 @@ import com.yahoo.vespa.model.container.http.FilterChains;
import com.yahoo.vespa.model.container.http.Http;
import com.yahoo.vespa.model.container.http.ssl.HostedSslConnectorFactory;
import org.hamcrest.Matchers;
-import org.junit.Rule;
-import org.junit.Test;
-import org.junit.rules.TemporaryFolder;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.io.TempDir;
import org.w3c.dom.Element;
+import java.io.File;
import java.io.StringReader;
import java.time.Duration;
import java.util.ArrayList;
@@ -40,10 +40,7 @@ import java.util.stream.Collectors;
import static com.yahoo.vespa.defaults.Defaults.getDefaults;
import static org.hamcrest.MatcherAssert.assertThat;
import static org.hamcrest.Matchers.containsInAnyOrder;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.fail;
+import static org.junit.jupiter.api.Assertions.*;
/**
* @author gjoranv
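Review bot: The wildcard `import static org.junit.jupiter.api.Assertions.*;` replaces four explicit static imports and now sits next to `org.hamcrest.MatcherAssert.assertThat`, so a reader can no longer tell from the import block which library an assertion comes from. Only four names were removed here (`assertEquals`, `assertFalse`, `assertTrue`, `fail`), and I would list those explicitly, for example `import static org.junit.jupiter.api.Assertions.assertEquals;`, and likewise for the other three. If `assertThrows` is adopted later it can be added the same way.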
@@ -52,11 +49,11 @@ import static org.junit.Assert.fail;
*/
public class AccessControlTest extends ContainerModelBuilderTestBase {
- @Rule
- public TemporaryFolder applicationFolder = new TemporaryFolder();
+ @TempDir
+ public File applicationFolder;
@Test
- public void access_control_filter_chains_are_set_up() {
+ void access_control_filter_chains_are_set_up() {
Http http = createModelAndGetHttp(
" <http>",
" <filtering>",
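Review bot: The `@TempDir` field keeps its `public` modifier while every test method in this commit is narrowed to package-private. Jupiter only requires that the field is not private, so `@TempDir File applicationFolder;` would be consistent with the rest of the class. The test method that begins in this hunk continues outside it.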
@@ -71,7 +68,7 @@ public class AccessControlTest extends ContainerModelBuilderTestBase {
}
@Test
- public void properties_are_set_from_xml() {
+ void properties_are_set_from_xml() {
Http http = createModelAndGetHttp(
" <http>",
" <filtering>",
@@ -81,12 +78,12 @@ public class AccessControlTest extends ContainerModelBuilderTestBase {
AccessControl accessControl = http.getAccessControl().get();
- assertEquals("Wrong domain.", "my-tenant-domain", accessControl.domain);
+ assertEquals("my-tenant-domain", accessControl.domain, "Wrong domain.");
}
@Test
- public void access_control_excluded_filter_chain_has_all_bindings_from_excluded_handlers() {
+ void access_control_excluded_filter_chain_has_all_bindings_from_excluded_handlers() {
Http http = createModelAndGetHttp(
" <http>",
" <filtering>",
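Review bot: A three-String `assertEquals` left in JUnit 4 argument order would still compile after this migration, and would silently compare the message against the expected value. The call changed here, `assertEquals("my-tenant-domain", accessControl.domain, "Wrong domain.")`, is in the correct Jupiter order, as are the two `caCertificateFile()` assertions in later hunks. Since only changed lines are visible, it is worth searching the whole file for any remaining message-first call whose arguments are all Strings. These assertions guard the access-control domain and truststore path, so a mis-ordered call would weaken the check without failing the build.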
@@ -108,7 +105,7 @@ public class AccessControlTest extends ContainerModelBuilderTestBase {
}
@Test
- public void access_control_excluded_chain_does_not_contain_any_bindings_from_access_control_chain() {
+ void access_control_excluded_chain_does_not_contain_any_bindings_from_access_control_chain() {
Http http = createModelAndGetHttp(
" <http>",
" <filtering>",
@@ -126,7 +123,7 @@ public class AccessControlTest extends ContainerModelBuilderTestBase {
@Test
- public void access_control_excluded_filter_chain_has_user_provided_excluded_bindings() {
+ void access_control_excluded_filter_chain_has_user_provided_excluded_bindings() {
Http http = createModelAndGetHttp(
" <http>",
" <handler id='custom.Handler'>",
@@ -147,7 +144,7 @@ public class AccessControlTest extends ContainerModelBuilderTestBase {
}
@Test
- public void hosted_connector_for_port_4443_uses_access_control_filter_chain_as_default_request_filter_chain() {
+ void hosted_connector_for_port_4443_uses_access_control_filter_chain_as_default_request_filter_chain() {
Http http = createModelAndGetHttp(
" <http>",
" <filtering>",
@@ -158,7 +155,7 @@ public class AccessControlTest extends ContainerModelBuilderTestBase {
Set<String> actualBindings = getFilterBindings(http, AccessControl.ACCESS_CONTROL_CHAIN_ID);
assertTrue(actualBindings.isEmpty());
- HostedSslConnectorFactory hostedConnectorFactory = (HostedSslConnectorFactory)http.getHttpServer().get().getConnectorFactories().stream()
+ HostedSslConnectorFactory hostedConnectorFactory = (HostedSslConnectorFactory) http.getHttpServer().get().getConnectorFactories().stream()
.filter(connectorFactory -> connectorFactory instanceof HostedSslConnectorFactory)
.findAny()
.get();
@@ -168,7 +165,7 @@ public class AccessControlTest extends ContainerModelBuilderTestBase {
}
@Test
- public void access_control_is_implicitly_added_for_hosted_apps() {
+ void access_control_is_implicitly_added_for_hosted_apps() {
Http http = createModelAndGetHttp("<container version='1.0'/>");
Optional<AccessControl> maybeAccessControl = http.getAccessControl();
assertTrue(maybeAccessControl.isPresent());
@@ -178,7 +175,7 @@ public class AccessControlTest extends ContainerModelBuilderTestBase {
}
@Test
- public void access_control_is_implicitly_added_for_hosted_apps_with_existing_http_element() {
+ void access_control_is_implicitly_added_for_hosted_apps_with_existing_http_element() {
Http http = createModelAndGetHttp(
" <http>",
" <server port='" + getDefaults().vespaWebServicePort() + "' id='main' />",
@@ -195,7 +192,7 @@ public class AccessControlTest extends ContainerModelBuilderTestBase {
}
@Test
- public void access_control_chain_exclude_chain_does_not_contain_duplicate_bindings_to_user_request_filter_chain() {
+ void access_control_chain_exclude_chain_does_not_contain_duplicate_bindings_to_user_request_filter_chain() {
Http http = createModelAndGetHttp(
" <http>",
" <handler id='custom.Handler'>",
@@ -228,7 +225,7 @@ public class AccessControlTest extends ContainerModelBuilderTestBase {
}
@Test
- public void access_control_excludes_are_not_affected_by_user_response_filter_chain() {
+ void access_control_excludes_are_not_affected_by_user_response_filter_chain() {
Http http = createModelAndGetHttp(
" <http>",
" <handler id='custom.Handler'>",
@@ -265,7 +262,7 @@ public class AccessControlTest extends ContainerModelBuilderTestBase {
}
@Test
- public void access_control_client_auth_defaults_to_need() {
+ void access_control_client_auth_defaults_to_need() {
Http http = createModelAndGetHttp(
" <http>",
" <filtering>",
@@ -277,7 +274,7 @@ public class AccessControlTest extends ContainerModelBuilderTestBase {
}
@Test
- public void access_control_client_auth_can_be_overridden() {
+ void access_control_client_auth_can_be_overridden() {
AthenzDomain tenantDomain = AthenzDomain.from("my-tenant-domain");
DeployState state = new DeployState.Builder().properties(
new TestProperties()
@@ -286,17 +283,17 @@ public class AccessControlTest extends ContainerModelBuilderTestBase {
.allowDisableMtls(true))
.build();
Http http = createModelAndGetHttp(state,
- " <http>",
- " <filtering>",
- " <access-control tls-handshake-client-auth=\"want\"/>",
- " </filtering>",
- " </http>");
+ " <http>",
+ " <filtering>",
+ " <access-control tls-handshake-client-auth=\"want\"/>",
+ " </filtering>",
+ " </http>");
assertTrue(http.getAccessControl().isPresent());
assertEquals(AccessControl.ClientAuthentication.want, http.getAccessControl().get().clientAuthentication);
}
@Test
- public void access_control_client_auth_cannot_be_overridden_when_disabled() {
+ void access_control_client_auth_cannot_be_overridden_when_disabled() {
AthenzDomain tenantDomain = AthenzDomain.from("my-tenant-domain");
DeployState state = new DeployState.Builder().properties(
new TestProperties()
@@ -307,11 +304,11 @@ public class AccessControlTest extends ContainerModelBuilderTestBase {
try {
Http http = createModelAndGetHttp(state,
- " <http>",
- " <filtering>",
- " <access-control tls-handshake-client-auth=\"want\"/>",
- " </filtering>",
- " </http>");
+ " <http>",
+ " <filtering>",
+ " <access-control tls-handshake-client-auth=\"want\"/>",
+ " </filtering>",
+ " </http>");
fail("Overriding tls-handshake-client-auth allowed, but should have failed");
} catch (IllegalArgumentException e) {
assertEquals("Overriding 'tls-handshake-client-auth' for application is not allowed.", e.getMessage());
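Review bot: This test still uses the try / `fail(...)` / catch pattern, which leaves an unused `Http http` local and splits the expectation across three places, although `assertThrows` is now available through the Jupiter import. Expressing it as below keeps the expected exception type and the message check together. The same pattern appears in `missing_security_clients_pem_fails_in_public`, which catches `RuntimeException`, returns from the catch and ends in a bare `fail()` with no message. Both tests assert that a weaker TLS client-auth or trust configuration is rejected, so a clear failure message matters. The catch block continues outside this hunk.

```java
// … unchanged: tenantDomain and DeployState setup …
IllegalArgumentException e = assertThrows(IllegalArgumentException.class, () ->
        createModelAndGetHttp(state,
                " <http>",
                " <filtering>",
                " <access-control tls-handshake-client-auth=\"want\"/>",
                " </filtering>",
                " </http>"));
assertEquals("Overriding 'tls-handshake-client-auth' for application is not allowed.", e.getMessage());
```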
@@ -319,7 +316,7 @@ public class AccessControlTest extends ContainerModelBuilderTestBase {
}
@Test
- public void local_connector_has_default_chain() {
+ void local_connector_has_default_chain() {
Http http = createModelAndGetHttp(
" <http>",
" <filtering>",
@@ -341,22 +338,22 @@ public class AccessControlTest extends ContainerModelBuilderTestBase {
}
@Test
- public void client_authentication_is_enforced() {
+ void client_authentication_is_enforced() {
Element clusterElem = DomBuilderTest.parse(
"<container version='1.0'>",
nodesXml,
" <http><filtering>" +
" <access-control domain=\"vespa\" tls-handshake-client-auth=\"need\"/>" +
" </filtering></http>" +
- "</container>" );
+ "</container>");
DeployState state = new DeployState.Builder().properties(
- new TestProperties()
- .setHostedVespa(true)
- .setEndpointCertificateSecrets(Optional.of(new EndpointCertificateSecrets("CERT", "KEY"))))
+ new TestProperties()
+ .setHostedVespa(true)
+ .setEndpointCertificateSecrets(Optional.of(new EndpointCertificateSecrets("CERT", "KEY"))))
.build();
createModel(root, state, null, clusterElem);
- ApplicationContainer container = (ApplicationContainer)root.getProducer("container/container.0");
+ ApplicationContainer container = (ApplicationContainer) root.getProducer("container/container.0");
List<ConnectorFactory> connectorFactories = container.getHttp().getHttpServer().get().getConnectorFactories();
ConnectorFactory tlsPort = connectorFactories.stream().filter(connectorFactory -> connectorFactory.getListenPort() == 4443).findFirst().orElseThrow();
@@ -371,14 +368,14 @@ public class AccessControlTest extends ContainerModelBuilderTestBase {
assertEquals("KEY", connectorConfig.ssl().privateKey());
assertEquals(4443, connectorConfig.listenPort());
- assertEquals("Connector must use Athenz truststore in a non-public system.",
- "/opt/yahoo/share/ssl/certs/athenz_certificate_bundle.pem",
- connectorConfig.ssl().caCertificateFile());
+ assertEquals("/opt/yahoo/share/ssl/certs/athenz_certificate_bundle.pem",
+ connectorConfig.ssl().caCertificateFile(),
+ "Connector must use Athenz truststore in a non-public system.");
assertTrue(connectorConfig.ssl().caCertificate().isEmpty());
}
@Test
- public void missing_security_clients_pem_fails_in_public() {
+ void missing_security_clients_pem_fails_in_public() {
Element clusterElem = DomBuilderTest.parse("<container version='1.0' />");
try {
@@ -392,16 +389,16 @@ public class AccessControlTest extends ContainerModelBuilderTestBase {
createModel(root, state, null, clusterElem);
} catch (RuntimeException e) {
assertEquals("Client certificate authority security/clients.pem is missing - see: https://cloud.vespa.ai/en/security-model#data-plane",
- e.getMessage());
+ e.getMessage());
return;
}
fail();
}
@Test
- public void security_clients_pem_is_picked_up() {
+ void security_clients_pem_is_picked_up() {
var applicationPackage = new MockApplicationPackage.Builder()
- .withRoot(applicationFolder.getRoot())
+ .withRoot(applicationFolder)
.build();
applicationPackage.getFile(Path.fromString("security")).createDirectory();
@@ -416,9 +413,9 @@ public class AccessControlTest extends ContainerModelBuilderTestBase {
}
@Test
- public void operator_certificates_are_joined_with_clients_pem() {
+ void operator_certificates_are_joined_with_clients_pem() {
var applicationPackage = new MockApplicationPackage.Builder()
- .withRoot(applicationFolder.getRoot())
+ .withRoot(applicationFolder)
.build();
var applicationTrustCert = X509CertificateUtils.toPem(
@@ -429,10 +426,10 @@ public class AccessControlTest extends ContainerModelBuilderTestBase {
applicationPackage.getFile(Path.fromString("security/clients.pem")).writeFile(new StringReader(applicationTrustCert));
var deployState = new DeployState.Builder().properties(
- new TestProperties()
- .setOperatorCertificates(List.of(operatorCert))
- .setHostedVespa(true)
- .setEndpointCertificateSecrets(Optional.of(new EndpointCertificateSecrets("CERT", "KEY"))))
+ new TestProperties()
+ .setOperatorCertificates(List.of(operatorCert))
+ .setHostedVespa(true)
+ .setEndpointCertificateSecrets(Optional.of(new EndpointCertificateSecrets("CERT", "KEY"))))
.zone(new Zone(SystemName.PublicCd, Environment.dev, RegionName.defaultName()))
.applicationPackage(applicationPackage)
.build();
@@ -441,7 +438,7 @@ public class AccessControlTest extends ContainerModelBuilderTestBase {
createModel(root, deployState, null, clusterElem);
- ApplicationContainer container = (ApplicationContainer)root.getProducer("container/container.0");
+ ApplicationContainer container = (ApplicationContainer) root.getProducer("container/container.0");
List<ConnectorFactory> connectorFactories = container.getHttp().getHttpServer().get().getConnectorFactories();
ConnectorFactory tlsPort = connectorFactories.stream().filter(connectorFactory -> connectorFactory.getListenPort() == 4443).findFirst().orElseThrow();
@@ -458,15 +455,15 @@ public class AccessControlTest extends ContainerModelBuilderTestBase {
}
@Test
- public void require_allowed_ciphers() {
+ void require_allowed_ciphers() {
Element clusterElem = DomBuilderTest.parse(
"<container version='1.0'>",
nodesXml,
- "</container>" );
+ "</container>");
DeployState state = new DeployState.Builder().properties(new TestProperties().setHostedVespa(true).setEndpointCertificateSecrets(Optional.of(new EndpointCertificateSecrets("CERT", "KEY")))).build();
createModel(root, state, null, clusterElem);
- ApplicationContainer container = (ApplicationContainer)root.getProducer("container/container.0");
+ ApplicationContainer container = (ApplicationContainer) root.getProducer("container/container.0");
List<ConnectorFactory> connectorFactories = container.getHttp().getHttpServer().get().getConnectorFactories();
ConnectorFactory tlsPort = connectorFactories.stream().filter(connectorFactory -> connectorFactory.getListenPort() == 4443).findFirst().orElseThrow();
@@ -479,15 +476,15 @@ public class AccessControlTest extends ContainerModelBuilderTestBase {
}
@Test
- public void providing_endpoint_certificate_secrets_opens_port_4443() {
+ void providing_endpoint_certificate_secrets_opens_port_4443() {
Element clusterElem = DomBuilderTest.parse(
"<container version='1.0'>",
nodesXml,
- "</container>" );
+ "</container>");
DeployState state = new DeployState.Builder().properties(new TestProperties().setHostedVespa(true).setEndpointCertificateSecrets(Optional.of(new EndpointCertificateSecrets("CERT", "KEY")))).build();
createModel(root, state, null, clusterElem);
- ApplicationContainer container = (ApplicationContainer)root.getProducer("container/container.0");
+ ApplicationContainer container = (ApplicationContainer) root.getProducer("container/container.0");
// Verify that there are two connectors
List<ConnectorFactory> connectorFactories = container.getHttp().getHttpServer().get().getConnectorFactories();
@@ -510,9 +507,9 @@ public class AccessControlTest extends ContainerModelBuilderTestBase {
assertEquals("KEY", connectorConfig.ssl().privateKey());
assertEquals(4443, connectorConfig.listenPort());
- assertEquals("Connector must use Athenz truststore in a non-public system.",
- "/opt/yahoo/share/ssl/certs/athenz_certificate_bundle.pem",
- connectorConfig.ssl().caCertificateFile());
+ assertEquals("/opt/yahoo/share/ssl/certs/athenz_certificate_bundle.pem",
+ connectorConfig.ssl().caCertificateFile(),
+ "Connector must use Athenz truststore in a non-public system.");
assertTrue(connectorConfig.ssl().caCertificate().isEmpty());
}