From ef4041420dc828726fbac4198b367d8ecf3dec65 Mon Sep 17 00:00:00 2001
From: andreer
Date: Thu, 14 Nov 2019 10:32:55 +0100
Subject: do not enforce client auth outside public system (yet)
---
 .../model/container/http/ssl/HostedSslConnectorFactory.java | 9 ++++++---
 .../yahoo/vespa/model/container/xml/ContainerModelBuilder.java | 2 +-
 2 files changed, 7 insertions(+), 4 deletions(-)
(limited to 'config-model')
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java b/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java
index 93eaeb0565a..d00ce3974fa 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java
@@ -17,12 +17,15 @@ public class HostedSslConnectorFactory extends ConnectorFactory {
 
 private static final List INSECURE_WHITELISTED_PATHS = List.of("/status.html");
 
+ private final boolean enforceClientAuth;
+
 public HostedSslConnectorFactory(String serverName, TlsSecrets tlsSecrets) {
- this(serverName, tlsSecrets, null);
+ this(serverName, tlsSecrets, null, false);
 }
 
- public HostedSslConnectorFactory(String serverName, TlsSecrets tlsSecrets, String tlsCaCertificates) {
+ public HostedSslConnectorFactory(String serverName, TlsSecrets tlsSecrets, String tlsCaCertificates, boolean enforceClientAuth) {
 super("tls4443", 4443, createSslProvider(serverName, tlsSecrets, tlsCaCertificates));
+ this.enforceClientAuth = enforceClientAuth;
 }
 
 private static ConfiguredDirectSslProvider createSslProvider(
@@ -41,7 +44,7 @@ public class HostedSslConnectorFactory extends ConnectorFactory {
 super.getConfig(connectorBuilder);
 connectorBuilder.tlsClientAuthEnforcer(new ConnectorConfig.TlsClientAuthEnforcer.Builder()
 .pathWhitelist(INSECURE_WHITELISTED_PATHS)
- .enable(true));
+ .enable(enforceClientAuth));
 }
 }
 
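Review bot: The new four-argument constructor accepts `enforceClientAuth == true` together with a null `tlsCaCertificates`, and nothing in the hunk rejects that combination, so an enforcer can be switched on for a connector that has no trust anchor; what createSslProvider does with a null CA is outside this hunk. A guard at the top of the constructor makes the coupling explicit and fails at model-build time rather than at the first TLS handshake: `if (enforceClientAuth && tlsCaCertificates == null) throw new IllegalArgumentException("enforceClientAuth requires tlsCaCertificates");`. The new field also deserves a comment that names the security meaning of false, e.g. `// false: the TlsClientAuthEnforcer is disabled, so this connector does not require a client certificate (temporary, see commit message)`. createSslProvider's body continues past the hunk.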
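Review bot: With `.enable(enforceClientAuth)` the connector presumably fails open when the flag is false: every path, not only those in `INSECURE_WHITELISTED_PATHS`, is then served without a client certificate being required, yet `pathWhitelist` is still populated even though it has no effect. I would say so at the call site so a later reader does not take the whitelist as the complete list of unauthenticated paths: `// When enforceClientAuth is false the whitelist is inert: no path on this connector requires a client certificate.` Omitting the whitelist when the enforcer is disabled would make the generated config reflect the real policy, but whether the builder tolerates that depends on ConnectorConfig semantics not visible here. The enclosing getConfig method starts before the hunk.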
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
index 484021ad4d5..073503e9341 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
@@ -338,7 +338,7 @@ public class ContainerModelBuilder extends ConfigModelBuilder {
 JettyHttpServer server = cluster.getHttp().getHttpServer();
 String serverName = server.getComponentId().getName();
 HostedSslConnectorFactory connectorFactory = authorizeClient
- ? new HostedSslConnectorFactory(serverName, deployState.tlsSecrets().get(), deployState.tlsClientAuthority().get())
+ ? new HostedSslConnectorFactory(serverName, deployState.tlsSecrets().get(), deployState.tlsClientAuthority().get(), true)
 : new HostedSslConnectorFactory(serverName, deployState.tlsSecrets());
 server.addConnector(connectorFactory);
 }
-- cgit v1.2.3
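Review bot: The `true` literal on the added line is a bare boolean argument whose meaning (enforce client auth) is only recoverable by opening HostedSslConnectorFactory, and the commit title ties enforcement to the public system while nothing in this hunk consults the system or zone — presumably `authorizeClient`, computed before the hunk, already encodes that, which is worth pinning down in a comment such as `// TODO(review): confirm authorizeClient is true only in the public system; enforcement is deliberately off elsewhere for now (see commit)`. The same line still calls `deployState.tlsClientAuthority().get()` unchecked, so a deployment that authorizes clients without a configured CA fails with a bare NoSuchElementException; `deployState.tlsClientAuthority().orElseThrow(() -> new IllegalStateException("Client authorization enabled but no TLS client authority configured"))` gives an actionable error. The enclosing method starts before the hunk.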