1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
|
// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.vespa.model.application.validation.first;
import com.yahoo.config.application.api.ApplicationPackage;
import com.yahoo.config.model.NullConfigModelRegistry;
import com.yahoo.config.model.deploy.DeployProperties;
import com.yahoo.config.model.deploy.DeployState;
import com.yahoo.config.model.test.MockApplicationPackage;
import com.yahoo.config.provision.Environment;
import com.yahoo.config.provision.RegionName;
import com.yahoo.config.provision.Zone;
import com.yahoo.vespa.model.VespaModel;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.ExpectedException;
import org.xml.sax.SAXException;
import java.io.IOException;
import static com.yahoo.config.model.test.TestUtil.joinLines;
import static com.yahoo.config.provision.Environment.prod;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
/**
* @author gjoranv
*/
public class AccessControlValidatorTest {
@Rule
public final ExpectedException exceptionRule = ExpectedException.none();
private static String servicesXml(boolean addHandler, boolean writeProtection) {
return joinLines("<services version='1.0'>",
" <container id='default' version='1.0'>",
addHandler ? httpHandlerXml : "",
" <http>",
" <filtering>",
" <access-control domain='foo' write='" + writeProtection + "' />",
" </filtering>",
" </http>",
" </container>",
"</services>");
}
private static final String httpHandlerXml =
joinLines(" <handler id='foo'>",
" <binding>http://foo/bar</binding>",
" </handler>");
@Test
public void cluster_with_write_protection_passes_validation() throws IOException, SAXException{
DeployState deployState = deployState(servicesXml(true, true));
VespaModel model = new VespaModel(new NullConfigModelRegistry(), deployState);
new AccessControlValidator().validate(model, deployState);
}
@Test
public void cluster_with_no_handlers_passes_validation_without_write_protection() throws IOException, SAXException{
DeployState deployState = deployState(servicesXml(false, false));
VespaModel model = new VespaModel(new NullConfigModelRegistry(), deployState);
new AccessControlValidator().validate(model, deployState);
}
@Test
public void cluster_without_custom_components_passes_validation_without_write_protection() throws IOException, SAXException{
String servicesXml = joinLines("<services version='1.0'>",
" <container id='default' version='1.0' />",
"</services>");
DeployState deployState = deployState(servicesXml);
VespaModel model = new VespaModel(new NullConfigModelRegistry(), deployState);
new AccessControlValidator().validate(model, deployState);
}
@Test
public void cluster_with_handler_fails_validation_without_write_protection() throws IOException, SAXException{
exceptionRule.expect(IllegalArgumentException.class);
exceptionRule.expectMessage(
"Access-control must be enabled for write operations to container clusters in production zones: [default]");
DeployState deployState = deployState(servicesXml(true, false));
VespaModel model = new VespaModel(new NullConfigModelRegistry(), deployState);
new AccessControlValidator().validate(model, deployState);
}
@Test
public void no_http_element_has_same_effect_as_no_write_protection() throws IOException, SAXException{
exceptionRule.expect(IllegalArgumentException.class);
exceptionRule.expectMessage(
"Access-control must be enabled for write operations to container clusters in production zones: [default]");
String servicesXml = joinLines("<services version='1.0'>",
" <container id='default' version='1.0'>",
httpHandlerXml,
" </container>",
"</services>");
DeployState deployState = deployState(servicesXml);
VespaModel model = new VespaModel(new NullConfigModelRegistry(), deployState);
new AccessControlValidator().validate(model, deployState);
}
@Test
public void cluster_with_mbus_handler_passes_validation_without_write_protection() throws IOException, SAXException{
String servicesXml = joinLines("<services version='1.0'>",
" <container id='default' version='1.0'>",
" <handler id='foo'>",
" <binding>mbus://*/foo</binding>",
" </handler>",
" </container>",
"</services>");
DeployState deployState = deployState(servicesXml);
VespaModel model = new VespaModel(new NullConfigModelRegistry(), deployState);
new AccessControlValidator().validate(model, deployState);
}
@Test
public void write_protection_is_not_required_for_non_default_application_type() throws IOException, SAXException{
String servicesXml = joinLines("<services version='1.0' application-type='hosted-infrastructure'>",
" <container id='default' version='1.0'>",
httpHandlerXml,
" </container>",
"</services>");
DeployState deployState = deployState(servicesXml);
VespaModel model = new VespaModel(new NullConfigModelRegistry(), deployState);
new AccessControlValidator().validate(model, deployState);
}
private static DeployState deployState(String servicesXml) {
ApplicationPackage app = new MockApplicationPackage.Builder()
.withServices(servicesXml)
.build();
DeployState.Builder builder = new DeployState.Builder()
.applicationPackage(app)
.zone(new Zone(Environment.prod, RegionName.from("foo")) )
.properties(new DeployProperties.Builder()
.hostedVespa(true)
.build());
final DeployState deployState = builder.build();
assertTrue("Test must emulate a hosted deployment.", deployState.isHosted());
assertEquals("Test must emulate a prod environment.", prod, deployState.zone().environment());
return deployState;
}
}
|
