From d0aae35c427f7a4777c9cf7df03928eda18aeab4 Mon Sep 17 00:00:00 2001
From: Harald Musum <musum@verizonmedia.com>
Date: Mon, 27 May 2019 17:33:54 +0200
Subject: Add validation override for access control

---
 .../validation/first/AccessControlValidator.java   |  7 ++++---
 .../first/AccessControlValidatorTest.java          | 23 ++++++++++++++++++++--
 2 files changed, 25 insertions(+), 5 deletions(-)

(limited to 'config-model/src')

diff --git a/config-model/src/main/java/com/yahoo/vespa/model/application/validation/first/AccessControlValidator.java b/config-model/src/main/java/com/yahoo/vespa/model/application/validation/first/AccessControlValidator.java
index a89f96453fb..9a272a08fec 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/application/validation/first/AccessControlValidator.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/application/validation/first/AccessControlValidator.java
@@ -1,6 +1,7 @@
 // Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.vespa.model.application.validation.first;
 
+import com.yahoo.config.application.api.ValidationId;
 import com.yahoo.config.model.ConfigModelContext.ApplicationType;
 import com.yahoo.config.model.deploy.DeployState;
 import com.yahoo.vespa.model.VespaModel;
@@ -42,9 +43,9 @@ public class AccessControlValidator extends Validator {
                     offendingClusters.add(cluster.getName());
         }
         if (! offendingClusters.isEmpty())
-            throw new IllegalArgumentException(
-                    "Access-control must be enabled for write operations to container clusters in production zones: " +
-                            mkString(offendingClusters, "[", ", ", "]."));
+            deployState.validationOverrides().invalid(ValidationId.accessControl,
+                                                      "Access-control must be enabled for write operations to container clusters in production zones: " +
+                                                              mkString(offendingClusters, "[", ", ", "]."), deployState.now());
     }
 
     private boolean hasHandlerThatNeedsProtection(ApplicationContainerCluster cluster) {
diff --git a/config-model/src/test/java/com/yahoo/vespa/model/application/validation/first/AccessControlValidatorTest.java b/config-model/src/test/java/com/yahoo/vespa/model/application/validation/first/AccessControlValidatorTest.java
index 84a5b69c5f2..17ca0e2dd07 100644
--- a/config-model/src/test/java/com/yahoo/vespa/model/application/validation/first/AccessControlValidatorTest.java
+++ b/config-model/src/test/java/com/yahoo/vespa/model/application/validation/first/AccessControlValidatorTest.java
@@ -16,6 +16,10 @@ import org.junit.rules.ExpectedException;
 import org.xml.sax.SAXException;
 
 import java.io.IOException;
+import java.time.Instant;
+import java.time.LocalDate;
+import java.time.ZoneOffset;
+import java.time.format.DateTimeFormatter;
 
 import static com.yahoo.config.model.test.TestUtil.joinLines;
 import static com.yahoo.config.provision.Environment.prod;
@@ -85,7 +89,6 @@ public class AccessControlValidatorTest  {
         VespaModel model = new VespaModel(new NullConfigModelRegistry(), deployState);
 
         new AccessControlValidator().validate(model, deployState);
-
     }
 
     @Test
@@ -133,15 +136,31 @@ public class AccessControlValidatorTest  {
         new AccessControlValidator().validate(model, deployState);
     }
 
+    @Test
+    public void write_protection_is_not_required_with_validation_override() throws IOException, SAXException{
+        DeployState deployState = deployState(servicesXml(true, false),
+                                              "<validation-overrides><allow until='2000-01-30'>access-control</allow></validation-overrides>",
+                                              LocalDate.parse("2000-01-01", DateTimeFormatter.ISO_DATE).atStartOfDay().atZone(ZoneOffset.UTC).toInstant());
+        VespaModel model = new VespaModel(new NullConfigModelRegistry(), deployState);
+
+        new AccessControlValidator().validate(model, deployState);
+    }
+
     private static DeployState deployState(String servicesXml) {
+        return deployState(servicesXml, "<validation-overrides></validation-overrides>", Instant.now());
+    }
+
+    private static DeployState deployState(String servicesXml, String validationOverrides, Instant now) {
         ApplicationPackage app = new MockApplicationPackage.Builder()
                 .withServices(servicesXml)
+                .withValidationOverrides(validationOverrides)
                 .build();
 
         DeployState.Builder builder = new DeployState.Builder()
                 .applicationPackage(app)
                 .zone(new Zone(Environment.prod, RegionName.from("foo")) )
-                .properties(new TestProperties().setHostedVespa(true));
+                .properties(new TestProperties().setHostedVespa(true))
+                .now(now);
         final DeployState deployState = builder.build();
 
         assertTrue("Test must emulate a hosted deployment.", deployState.isHosted());
-- 
cgit v1.2.3