Adding support to use port-uri.json to start application ports and filter requests (#3190)

Signed-off-by: Sasi Palaka <palakas@yahooinc.com>
Co-authored-by: Sasi Palaka <palakas@yahooinc.com>

Author: psasidhar

containers/jetty/conf/port-uri.json.example

@@ -0,0 +1,62 @@
+{
+  "ports": [
+    {
+      "port": 9443,
+      "mtls_required": false,
+      "description": "Instance registration port - restricted endpoints only",
+      "allowed_endpoints": [
+        {
+          "path": "/zts/v1/instance",
+          "methods": ["POST"],
+          "description": "Instance registration - initial registration"
+        }
+      ]
+    },
+    {
+      "port": 4443,
+      "mtls_required": true,
+      "description": "Main API port - all endpoints allowed with mTLS required",
+      "allowed_endpoints": []
+    },
+    {
+      "port": 8443,
+      "mtls_required": false,
+      "description": "Health/status port - /zts/v1/status (ZTS API) and /status (file-based health check returning OK)",
+      "allowed_endpoints": [
+        {
+          "path": "/zts/v1/status",
+          "methods": ["GET"],
+          "description": "ZTS API status - returns JSON { \"code\": 200, \"message\": \"OK\" }"
+        },
+        {
+          "path": "/status",
+          "methods": ["GET"],
+          "description": "Legacy file-based health check - returns OK when athenz.health_check_uri_list includes /status"
+        }
+      ]
+    },
+    {
+      "port": 443,
+      "mtls_required": false,
+      "description": "JWKS and OpenID discovery endpoints",
+      "allowed_endpoints": [
+        {
+          "path": "/zts/v1/.well-known/openid-configuration",
+          "methods": ["GET"],
+          "description": "OpenID Connect discovery"
+        },
+        {
+          "path": "/zts/v1/oauth2/keys",
+          "methods": ["GET"],
+          "description": "OAuth2 JWKS public keys"
+        },
+        {
+          "path_starts_with": "/zts/v1/.well-known",
+          "path_ends_with": "openid-configuration",
+          "methods": ["GET"],
+          "description": "OpenID discovery (alternative using path_starts_with and path_ends_with)"
+        }
+      ]
+    }
+  ]
+}

containers/jetty/src/main/java/com/yahoo/athenz/container/AthenzConsts.java

@@ -63,31 +63,32 @@ public final class AthenzConsts {
     public static final String ATHENZ_PROP_HOSTNAME               = "athenz.hostname";
     public static final String ATHENZ_PROP_JETTY_HOME             = "athenz.jetty_home";
     public static final String ATHENZ_PROP_DEBUG                  = "athenz.debug";
-    public static final String ATHENZ_PROP_HEALTH_CHECK_URI_LIST  = "athenz.health_check_uri_list";
-    public static final String ATHENZ_PROP_HEALTH_CHECK_PATH      = "athenz.health_check_path";
-    public static final String ATHENZ_PROP_LOG_FORWARDED_FOR_ADDR = "athenz.log_forwarded_for_addr";
+    public static final String ATHENZ_PROP_HEALTH_CHECK_URI_LIST       = "athenz.health_check_uri_list";
+    public static final String ATHENZ_PROP_HEALTH_CHECK_PATH           = "athenz.health_check_path";
+    public static final String ATHENZ_PROP_LOG_FORWARDED_FOR_ADDR      = "athenz.log_forwarded_for_addr";
     public static final String ATHENZ_PROP_DECODE_AMBIGUOUS_URIS  = "athenz.decode_ambiguous_uris";
     public static final String ATHENZ_PROP_SEND_HOST_HEADER       = "athenz.send_host_header";
 
     public static final String ATHENZ_PROP_RATE_LIMIT_FACTORY_CLASS        = "athenz.ratelimit_factory_class";
     public static final String ATHENZ_PROP_PRIVATE_KEY_STORE_FACTORY_CLASS = "athenz.private_keystore_factory_class";
+    public static final String ATHENZ_PROP_PORT_URI_CONFIG                 = "athenz.port_uri_config";
 
     public static final String ATHENZ_PROP_SERVER_POOL_SET_ENABLED       = "athenz.server.pool.set_enabled";
 
     public static final String STR_DEF_ROOT     = "/home/athenz";
 
-    public static final String ATHENZ_PROP_HTTP_PORT   = "athenz.port";
-    public static final String ATHENZ_PROP_HTTPS_PORT  = "athenz.tls_port";
-    public static final String ATHENZ_PROP_OIDC_PORT   = "athenz.oidc_port";
-    public static final String ATHENZ_PROP_STATUS_PORT = "athenz.status_port";
-    
+    public static final String ATHENZ_PROP_HTTP_PORT               = "athenz.port";
+    public static final String ATHENZ_PROP_HTTPS_PORT              = "athenz.tls_port";
+    public static final String ATHENZ_PROP_OIDC_PORT               = "athenz.oidc_port";
+    public static final String ATHENZ_PROP_STATUS_PORT             = "athenz.status_port";
+
     public static final int ATHENZ_HTTPS_PORT_DEFAULT = 4443;
     public static final int ATHENZ_HTTP_PORT_DEFAULT  = 4080;
     public static final int ATHENZ_HTTP_MAX_THREADS   = 1024;
-    
+
     public static final String ATHENZ_RATE_LIMIT_FACTORY_CLASS = "com.yahoo.athenz.common.filter.impl.NoOpRateLimitFactory";
     public static final String ATHENZ_PKEY_STORE_FACTORY_CLASS = "com.yahoo.athenz.auth.impl.FilePrivateKeyStoreFactory";
-    
+
     public static final String ATHENZ_PROP_KEYSTORE_PASSWORD_APPNAME   = "athenz.ssl_key_store_password_appname";
     public static final String ATHENZ_PROP_KEYSTORE_PASSWORD_KEYGROUPNAME   = "athenz.ssl_key_store_password_keygroupname";
 

containers/jetty/src/main/java/com/yahoo/athenz/container/AthenzJettyContainer.java

@@ -26,6 +26,9 @@
 import com.yahoo.athenz.common.server.log.jetty.JettyConnectionLoggerFactory;
 import com.yahoo.athenz.common.server.util.ConfigProperties;
 import com.yahoo.athenz.common.server.util.config.providers.ConfigProviderFile;
+import com.yahoo.athenz.container.config.PortConfig;
+import com.yahoo.athenz.container.config.PortUriConfiguration;
+import com.yahoo.athenz.container.config.PortUriConfigurationManager;
 import com.yahoo.athenz.container.filter.HealthCheckFilter;
 import jakarta.servlet.DispatcherType;
 import org.eclipse.jetty.deploy.DeploymentManager;
@@ -68,14 +71,15 @@ public class AthenzJettyContainer {
 
     static final String ATHENZ_DEFAULT_EXCLUDED_PROTOCOLS = "SSLv2,SSLv3";
 
-    private Server server = null;
+    Server server = null;
     private String banner = null;
     private Handler.Sequence handlers = null;
     private PrivateKeyStore privateKeyStore;
     private final boolean decodeAmbiguousUris;
     private final AthenzConnectionListener connectionListener = new AthenzConnectionListener();
     private final JettyConnectionLoggerFactory jettyConnectionLoggerFactory = new JettyConnectionLoggerFactory();
-    
+
+
     public AthenzJettyContainer() {
 
         // check to see if we want to support ambiguous uris
@@ -290,6 +294,9 @@ void addServletHandlers(final String serverHostName) {
                 servletCtxHandler.addFilter(filterHolder, checkUri.trim(), EnumSet.of(DispatcherType.REQUEST));
             }
         }
+
+        // PortFilter is applied to all webapps (e.g. ZTS API) via webdefault.xml; no need to add it here.
+
         contexts.addHandler(servletCtxHandler);
 
         final String jettyHome = System.getProperty(AthenzConsts.ATHENZ_PROP_JETTY_HOME, getRootDir());
@@ -441,7 +448,7 @@ SslContextFactory.Server createSSLContextObject(boolean needClientAuth) {
 
     void addHTTPConnector(HttpConfiguration httpConfig, int httpPort, boolean proxyProtocol,
             String listenHost, int idleTimeout) {
-        
+
         ServerConnector connector;
         if (proxyProtocol) {
             connector = new ServerConnector(server, new ProxyConnectionFactory(), new HttpConnectionFactory(httpConfig));
@@ -525,12 +532,6 @@ public void addHTTPConnectors(HttpConfiguration httpConfig, int httpPort, int ht
         boolean proxyProtocol = Boolean.parseBoolean(
                 System.getProperty(AthenzConsts.ATHENZ_PROP_PROXY_PROTOCOL, "false"));
 
-        // HTTP Connector
-        
-        if (httpPort > 0) {
-            addHTTPConnector(httpConfig, httpPort, proxyProtocol, listenHost, idleTimeout);
-        }
-
         // check to see if we need to create our connection logger
         // for TLS connection failures
 
@@ -545,27 +546,80 @@ public void addHTTPConnectors(HttpConfiguration httpConfig, int httpPort, int ht
                 System.getProperty(AthenzConsts.ATHENZ_PROP_SNI_REQUIRED, "false"));
         boolean sniHostCheck = Boolean.parseBoolean(
                 System.getProperty(AthenzConsts.ATHENZ_PROP_SNI_HOSTCHECK, "true"));
+
+        // Use port-uri.json for connectors if configured; otherwise use properties
+        PortUriConfigurationManager configManager = PortUriConfigurationManager.getInstance();
+
+        if (configManager.isPortListConfigured()) {
+            LOG.info("Creating HTTP/HTTPS connectors based on port-uri.json configuration");
+            addConnectorsFromPortConfig(configManager.getConfiguration(), httpConfig,
+                    proxyProtocol, listenHost, idleTimeout, sniRequired, sniHostCheck, connectionLogger);
+        } else {
+            LOG.info("Creating HTTP/HTTPS connectors based on properties configuration");
+            addConnectorsFromProperties(httpConfig, httpPort, httpsPort, oidcPort, statusPort,
+                    proxyProtocol, listenHost, idleTimeout, sniRequired, sniHostCheck, connectionLogger);
+        }
+    }
+
+    /**
+     * Add HTTP/HTTPS connectors based on port-uri.json configuration
+     */
+    private void addConnectorsFromPortConfig(PortUriConfiguration config, HttpConfiguration httpConfig,
+                                             boolean proxyProtocol, String listenHost, int idleTimeout, boolean sniRequired,
+                                             boolean sniHostCheck, JettyConnectionLogger connectionLogger) {
+
+        for (PortConfig portConfig : config.getPorts()) {
+            int port = portConfig.getPort();
+
+            if (port <= 0) {
+                continue;
+            }
+
+            // Determine if this port needs client authentication (mTLS)
+            boolean needClientAuth = portConfig.isMtlsRequired();
+
+            // Create HTTPS connector for this port
+            HttpConfiguration httpsConfig = getHttpsConfig(httpConfig, port, sniRequired, sniHostCheck);
+            addHTTPSConnector(httpsConfig, port, proxyProtocol, listenHost,
+                    idleTimeout, needClientAuth, connectionLogger);
+
+            LOG.info("Added connector for port {} (mTLS: {}, description: {})",
+                    port, needClientAuth, portConfig.getDescription());
+        }
+    }
+
+    /**
+     * Add HTTP/HTTPS connectors based on property configuration
+     */
+    private void addConnectorsFromProperties(HttpConfiguration httpConfig, int httpPort, int httpsPort,
+                                             int oidcPort, int statusPort, boolean proxyProtocol, String listenHost,
+                                             int idleTimeout, boolean sniRequired, boolean sniHostCheck,
+                                             JettyConnectionLogger connectionLogger) {
+
+        // Default client auth setting from properties
         boolean needClientAuth = Boolean.parseBoolean(
                 System.getProperty(AthenzConsts.ATHENZ_PROP_CLIENT_AUTH, "false"));
 
-        // HTTPS Connector
+        // HTTP Connector
+        if (httpPort > 0) {
+            addHTTPConnector(httpConfig, httpPort, proxyProtocol, listenHost, idleTimeout);
+        }
 
+        // HTTPS Connector
         if (httpsPort > 0) {
             HttpConfiguration httpsConfig = getHttpsConfig(httpConfig, httpsPort, sniRequired, sniHostCheck);
             addHTTPSConnector(httpsConfig, httpsPort, proxyProtocol, listenHost,
                     idleTimeout, needClientAuth, connectionLogger);
         }
 
         // OIDC Connector - only if it's different from HTTPS
-
         if (oidcPort > 0 && oidcPort != httpsPort) {
             HttpConfiguration httpsConfig = getHttpsConfig(httpConfig, oidcPort, sniRequired, sniHostCheck);
             addHTTPSConnector(httpsConfig, oidcPort, proxyProtocol, listenHost,
                     idleTimeout, needClientAuth, connectionLogger);
         }
 
         // Status Connector - only if it's different from HTTP/HTTPS
-        
         if (statusPort > 0 && statusPort != httpPort && statusPort != httpsPort) {
             if (httpsPort > 0) {
                 HttpConfiguration httpsConfig = getHttpsConfig(httpConfig, httpsPort, false, false);
@@ -612,9 +666,9 @@ public static AthenzJettyContainer createJettyContainer() {
         // for status port we'll use the protocol specified for the regular http
         // port. if both http and https are provided then https will be picked
         // it could also be either one of the values specified as well
-        
+
         int statusPort = ConfigProperties.getPortNumber(AthenzConsts.ATHENZ_PROP_STATUS_PORT, 0);
-        
+
         String serverHostName = getServerHostName();
 
         AthenzJettyContainer container = new AthenzJettyContainer();
@@ -626,6 +680,10 @@ public static AthenzJettyContainer createJettyContainer() {
                 Integer.toString(AthenzConsts.ATHENZ_HTTP_MAX_THREADS)));
         container.createServer(maxThreads);
 
+        // Load port-uri.json configuration before creating connectors
+        // This must be done before addHTTPConnectors() so the configuration is available
+        loadPortUriConfiguration();
+
         HttpConfiguration httpConfig = container.newHttpConfiguration();
         container.addHTTPConnectors(httpConfig, httpPort, httpsPort, oidcPort, statusPort);
 
@@ -655,6 +713,21 @@ public static void initConfigManager() {
         CONFIG_MANAGER.addConfigSource(ConfigProviderFile.PROVIDER_DESCRIPTION_PREFIX + propFile);
     }
 
+    /**
+     * Load port-uri.json configuration if available.
+     * This must be called before creating HTTP/HTTPS connectors.
+     */
+    static void loadPortUriConfiguration() {
+        // Configuration is automatically loaded by PortUriConfigurationManager singleton
+        // upon first getInstance() call. Just trigger initialization and log the result.
+        PortUriConfigurationManager configManager = PortUriConfigurationManager.getInstance();
+        if (configManager.isPortListConfigured()) {
+            LOG.info("Port-uri configuration successfully loaded");
+        } else {
+            LOG.info("Port-uri configuration not available, will use properties for port configuration");
+        }
+    }
+
     public void run() {
         try {
             server.setDumpAfterStart(Boolean.parseBoolean(System.getProperty(AthenzConsts.ATHENZ_PROP_DUMP_AFTER_START, "false")));

containers/jetty/src/main/java/com/yahoo/athenz/container/config/EndpointConfig.java

@@ -0,0 +1,85 @@
+/*
+ * Copyright The Athenz Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.yahoo.athenz.container.config;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+import java.util.List;
+
+/**
+ * Configuration for an allowed endpoint including path (exact or prefix/suffix), HTTP methods, and description.
+ * Use "path" for exact match, or "path_starts_with" and/or "path_ends_with" for prefix/suffix matching.
+ */
+public class EndpointConfig {
+
+    private String path;
+    @JsonProperty("path_starts_with")
+    private String pathStartsWith;
+    @JsonProperty("path_ends_with")
+    private String pathEndsWith;
+    private List<String> methods;
+    private String description;
+
+    public String getPath() {
+        return path;
+    }
+
+    public void setPath(String path) {
+        this.path = path;
+    }
+
+    public String getPathStartsWith() {
+        return pathStartsWith;
+    }
+
+    public void setPathStartsWith(String pathStartsWith) {
+        this.pathStartsWith = pathStartsWith;
+    }
+
+    public String getPathEndsWith() {
+        return pathEndsWith;
+    }
+
+    public void setPathEndsWith(String pathEndsWith) {
+        this.pathEndsWith = pathEndsWith;
+    }
+
+    public List<String> getMethods() {
+        return methods;
+    }
+
+    public void setMethods(List<String> methods) {
+        this.methods = methods;
+    }
+
+    public String getDescription() {
+        return description;
+    }
+
+    public void setDescription(String description) {
+        this.description = description;
+    }
+
+    /**
+     * Check if this endpoint allows the given HTTP method
+     *
+     * @param method HTTP method to check
+     * @return true if method is allowed (or if no method restrictions configured)
+     */
+    public boolean allowsMethod(String method) {
+        return methods == null || methods.isEmpty() || methods.contains(method);
+    }
+}