blob: b7bbed7ffda75d3bf57e2537987940bbb791e23e (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
|
// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.vespa.model.application.validation.first;
import com.yahoo.config.application.api.ValidationId;
import com.yahoo.config.model.ConfigModelContext.ApplicationType;
import com.yahoo.config.model.deploy.DeployState;
import com.yahoo.config.provision.InstanceName;
import com.yahoo.vespa.model.VespaModel;
import com.yahoo.vespa.model.application.validation.Validator;
import com.yahoo.vespa.model.container.Container;
import com.yahoo.vespa.model.container.ContainerCluster;
import com.yahoo.vespa.model.container.ApplicationContainerCluster;
import com.yahoo.vespa.model.container.component.Handler;
import java.util.ArrayList;
import java.util.List;
import static com.yahoo.collections.CollectionUtil.mkString;
import static com.yahoo.vespa.model.container.http.AccessControl.isBuiltinGetOnly;
/**
* Validates that hosted applications in prod zones have write protection enabled.
*
* @author gjoranv
*/
public class AccessControlValidator extends Validator {
@Override
public void validate(VespaModel model, DeployState deployState) {
if (! deployState.isHosted()) return;
if (! deployState.zone().environment().isProduction()) return;
if (deployState.zone().system().isPublic()) return;
if (model.getAdmin().getApplicationType() != ApplicationType.DEFAULT) return;
List<String> offendingClusters = new ArrayList<>();
for (ContainerCluster<? extends Container> c : model.getContainerClusters().values()) {
if (! (c instanceof ApplicationContainerCluster)) continue;
ApplicationContainerCluster cluster = (ApplicationContainerCluster)c;
if (cluster.getHttp() == null
|| ! cluster.getHttp().getAccessControl().isPresent()
|| ! cluster.getHttp().getAccessControl().get().writeEnabled)
if (hasHandlerThatNeedsProtection(cluster) || ! cluster.getAllServlets().isEmpty())
offendingClusters.add(cluster.getName());
}
if (! offendingClusters.isEmpty()
&& deployState.getApplicationPackage().getApplicationId().instance().equals(InstanceName.defaultName()))
deployState.validationOverrides().invalid(ValidationId.accessControl,
"Access-control must be enabled for write operations to container clusters in production zones: " +
mkString(offendingClusters, "[", ", ", "]."), deployState.now());
}
private boolean hasHandlerThatNeedsProtection(ApplicationContainerCluster cluster) {
return cluster.getHandlers().stream().anyMatch(this::handlerNeedsProtection);
}
private boolean handlerNeedsProtection(Handler<?> handler) {
return ! isBuiltinGetOnly(handler) && hasNonMbusBinding(handler);
}
private boolean hasNonMbusBinding(Handler<?> handler) {
return handler.getServerBindings().stream().anyMatch(binding -> ! binding.startsWith("mbus"));
}
}
|