• Home
• com.yahoo.vespa
• config-model
• 8.447.14
• source code
• AccessControl.java

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

com.yahoo.vespa.model.container.http.AccessControl Maven / Gradle / Ivy

// Copyright Vespa.ai. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.vespa.model.container.http;

import com.yahoo.component.ComponentId;
import com.yahoo.component.ComponentSpecification;
import com.yahoo.vespa.defaults.Defaults;
import com.yahoo.vespa.model.container.ApplicationContainerCluster;
import com.yahoo.vespa.model.container.ContainerCluster;
import com.yahoo.vespa.model.container.component.BindingPattern;
import com.yahoo.vespa.model.container.component.FileStatusHandlerComponent;
import com.yahoo.vespa.model.container.component.Handler;
import com.yahoo.vespa.model.container.component.SystemBindingPattern;
import com.yahoo.vespa.model.container.http.ssl.HostedSslConnectorFactory;

import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

/**
 * Helper class for http access control.
 *
 * @author gjoranv
 * @author bjorncs
 */
public class AccessControl {

    public enum ClientAuthentication { want, need;}
    public static final ComponentId ACCESS_CONTROL_CHAIN_ID = ComponentId.fromString("access-control-chain");

    public static final ComponentId ACCESS_CONTROL_EXCLUDED_CHAIN_ID = ComponentId.fromString("access-control-excluded-chain");
    public static final ComponentId DEFAULT_CONNECTOR_HOSTED_REQUEST_CHAIN_ID = ComponentId.fromString("default-connector-hosted-request-chain");
    private static final int HOSTED_CONTAINER_PORT = 4443;

    // Handlers that are excluded from access control
    public static final List EXCLUDED_HANDLERS = List.of(
            FileStatusHandlerComponent.CLASS,
            ContainerCluster.APPLICATION_STATUS_HANDLER_CLASS,
            ContainerCluster.BINDINGS_OVERVIEW_HANDLER_CLASS,
            ContainerCluster.STATE_HANDLER_CLASS,
            ContainerCluster.LOG_HANDLER_CLASS,
            ApplicationContainerCluster.METRICS_V2_HANDLER_CLASS,
            ApplicationContainerCluster.PROMETHEUS_V1_HANDLER_CLASS
    );
    public static class Builder {
        private final String domain;
        private ClientAuthentication clientAuthentication = ClientAuthentication.need;
        private final Set excludeBindings = new LinkedHashSet<>();
        private Collection handlers = List.of();
        public Builder(String domain) {
            this.domain = domain;
        }

        public Builder excludeBinding(BindingPattern binding) {
            this.excludeBindings.add(binding);
            return this;
        }

        public Builder setHandlers(ApplicationContainerCluster cluster) {
            this.handlers = cluster.getHandlers();
            return this;
        }

        public Builder clientAuthentication(ClientAuthentication clientAuthentication) {
            this.clientAuthentication = clientAuthentication;
            return this;
        }

        public AccessControl build() {
            return new AccessControl(domain, clientAuthentication, excludeBindings, handlers);
        }
    }

    public final String domain;
    public final ClientAuthentication clientAuthentication;
    private final Set excludedBindings;
    private final Collection handlers;

    private AccessControl(String domain,
                          ClientAuthentication clientAuthentication,
                          Set excludedBindings,
                          Collection handlers) {
        this.domain = domain;
        this.clientAuthentication = clientAuthentication;
        this.excludedBindings = Collections.unmodifiableSet(excludedBindings);
        this.handlers = handlers;
    }

    public void configureHttpFilterChains(Http http) {
        http.setAccessControl(this);
        addAccessControlFilterChain(http);
        addAccessControlExcludedChain(http);
        addDefaultHostedRequestChain(http);
        removeDuplicateBindingsFromAccessControlChain(http);
    }

    public void configureHostedConnector(HostedSslConnectorFactory connectorFactory) {
        connectorFactory.setDefaultRequestFilterChain(ACCESS_CONTROL_CHAIN_ID);
    }

    public void configureDefaultHostedConnector(Http http) {
        // Set default filter chain on local port
        http.getHttpServer()
                .get()
                .getConnectorFactories()
                .stream()
                .filter(cf -> cf.getListenPort() == Defaults.getDefaults().vespaWebServicePort())
                .findFirst()
                .orElseThrow(() -> new RuntimeException("Could not find default connector"))
                .setDefaultRequestFilterChain(DEFAULT_CONNECTOR_HOSTED_REQUEST_CHAIN_ID);
    }

    /** returns the excluded bindings as specified in 'access-control' in services.xml **/
    public Set excludedBindings() { return excludedBindings; }

    /** all handlers (that are known by the access control components) **/
    public Collection handlers() { return handlers; }

    public static boolean hasHandlerThatNeedsProtection(ApplicationContainerCluster cluster) {
        return cluster.getHandlers().stream()
                .anyMatch(handler -> ! isExcludedHandler(handler) && hasNonMbusBinding(handler));
    }

    private void addAccessControlFilterChain(Http http) {
        http.getFilterChains().add(createChain(ACCESS_CONTROL_CHAIN_ID));
    }

    private void addAccessControlExcludedChain(Http http) {
        http.getFilterChains().add(createChain(ACCESS_CONTROL_EXCLUDED_CHAIN_ID));
        for (BindingPattern excludedBinding : excludedBindings) {
            http.getBindings().add(createAccessControlExcludedBinding(excludedBinding));
        }
        for (Handler handler : handlers) {
            if (isExcludedHandler(handler)) {
                for (BindingPattern binding : handler.getServerBindings()) {
                    http.getBindings().add(createAccessControlExcludedBinding(binding));
                }
            }
        }
    }

    // Add a filter chain used by default hosted connector
    private void addDefaultHostedRequestChain(Http http) {
        HttpFilterChain chain = createChain(DEFAULT_CONNECTOR_HOSTED_REQUEST_CHAIN_ID);
        http.getFilterChains().add(chain);
    }

    // Remove bindings from access control chain that have binding pattern as a different filter chain
    private void removeDuplicateBindingsFromAccessControlChain(Http http) {
        removeDuplicateBindingsFromChain(http, ACCESS_CONTROL_EXCLUDED_CHAIN_ID);
    }

    private void removeDuplicateBindingsFromChain(Http http, ComponentId chainId) {
        Set duplicateBindings = new HashSet<>();
        for (FilterBinding binding : http.getBindings()) {
            if (binding.chainId().toId().equals(chainId)) {
                for (FilterBinding otherBinding : http.getBindings()) {
                    if (effectivelyDuplicateOf(binding, otherBinding)) {
                        duplicateBindings.add(binding);
                    }
                }
            }
        }
        duplicateBindings.forEach(http.getBindings()::remove);
    }

    private static boolean effectivelyDuplicateOf(FilterBinding accessControlBinding, FilterBinding other) {
        if (accessControlBinding.chainId().equals(other.chainId())) return false; // Same filter chain
        if (other.type() == FilterBinding.Type.RESPONSE) return false;
        return accessControlBinding.binding().equals(other.binding())
                || (accessControlBinding.binding().path().equals(other.binding().path()) && other.binding().matchesAnyPort());
    }


    private static FilterBinding createAccessControlExcludedBinding(BindingPattern excludedBinding) {
        BindingPattern rewrittenBinding = SystemBindingPattern.fromHttpPortAndPath(
                Integer.toString(HOSTED_CONTAINER_PORT), excludedBinding.path()); // only keep path from excluded binding
        return FilterBinding.create(
                FilterBinding.Type.REQUEST,
                new ComponentSpecification(ACCESS_CONTROL_EXCLUDED_CHAIN_ID.stringValue()),
                rewrittenBinding);
    }

    private static HttpFilterChain createChain(ComponentId id) { return new HttpFilterChain(id, HttpFilterChain.Type.SYSTEM); }

    private static boolean isExcludedHandler(Handler handler) { return EXCLUDED_HANDLERS.contains(handler.getClassId().getName()); }

    private static boolean hasNonMbusBinding(Handler handler) {
        return handler.getServerBindings().stream().anyMatch(binding -> ! binding.scheme().equals("mbus"));
    }

}