Optional identity document. Skip in public

author: Ola Aunronning <olaa@yahooinc.com> 2023-04-26 14:11:31 +0200
committer: Ola Aunronning <olaa@yahooinc.com> 2023-04-26 14:11:31 +0200
commit: 6d58df3ac8ab8e94eb3b7f71d9a3792f97d63e56 (patch)
tree: b8df4dc92eb8e512889c0e003abd7b9d8d5d9e86
parent: 46239c2babb3025e98222cd5cf72856767a1289d (diff)
4 files changed, 36 insertions, 23 deletions
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
index 13c0c5d0bb5..3ab1fdf211b 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
@@ -107,6 +107,10 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
     public boolean converge(NodeAgentContext context) {
         var modified = false;
         modified |= maintain(context, NODE);
+
+        if (context.zone().getSystemName().isPublic())
+            return modified;
+
         if (shouldWriteTenantServiceIdentity(context))
             modified |= maintain(context, TENANT);
         else
@@ -121,7 +125,10 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
             context.log(logger, Level.FINE, "Checking certificate");
             ContainerPath siaDirectory = context.paths().of(CONTAINER_SIA_DIRECTORY, context.users().vespa());
             ContainerPath identityDocumentFile = siaDirectory.resolve(identityType.getIdentityDocument());
-            AthenzIdentity athenzIdentity = getAthenzIdentity(context, identityType, identityDocumentFile);
+            Optional<AthenzIdentity> optionalAthenzIdentity = getAthenzIdentity(context, identityType, identityDocumentFile);
+            if (optionalAthenzIdentity.isEmpty())
+                return false;
+            AthenzIdentity athenzIdentity = optionalAthenzIdentity.get();
             ContainerPath privateKeyFile = (ContainerPath) SiaUtils.getPrivateKeyFile(siaDirectory, athenzIdentity);
             ContainerPath certificateFile = (ContainerPath) SiaUtils.getCertificateFile(siaDirectory, athenzIdentity);
             if (!Files.exists(privateKeyFile) || !Files.exists(certificateFile) || !Files.exists(identityDocumentFile)) {
@@ -203,16 +210,17 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
         var siaDirectory = context.paths().of(CONTAINER_SIA_DIRECTORY, context.users().vespa());
         var identityDocumentFile = siaDirectory.resolve(TENANT.getIdentityDocument());
         if (!Files.exists(identityDocumentFile)) return false;
-        var athenzIdentity = getAthenzIdentity(context, TENANT, identityDocumentFile);
-        var privateKeyFile = (ContainerPath) SiaUtils.getPrivateKeyFile(siaDirectory, athenzIdentity);
-        var certificateFile = (ContainerPath) SiaUtils.getCertificateFile(siaDirectory, athenzIdentity);
-        try {
-            return Files.deleteIfExists(identityDocumentFile) ||
-                    Files.deleteIfExists(privateKeyFile) ||
-                    Files.deleteIfExists(certificateFile);
-        } catch (IOException e) {
-            throw new UncheckedIOException(e);
-        }
+        return getAthenzIdentity(context, TENANT, identityDocumentFile).map(athenzIdentity -> {
+            var privateKeyFile = (ContainerPath) SiaUtils.getPrivateKeyFile(siaDirectory, athenzIdentity);
+            var certificateFile = (ContainerPath) SiaUtils.getCertificateFile(siaDirectory, athenzIdentity);
+            try {
+                return Files.deleteIfExists(identityDocumentFile) ||
+                        Files.deleteIfExists(privateKeyFile) ||
+                        Files.deleteIfExists(certificateFile);
+            } catch (IOException e) {
+                throw new UncheckedIOException(e);
+            }
+        }).orElse(false);
     }
 
     private boolean shouldRefreshCredentials(Duration age) {
@@ -321,22 +329,23 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
     private SignedIdentityDocument signedIdentityDocument(NodeAgentContext context, IdentityType identityType) {
         return switch (identityType) {
             case NODE -> identityDocumentClient.getNodeIdentityDocument(context.hostname().value(), documentVersion(context));
-            case TENANT -> identityDocumentClient.getTenantIdentityDocument(context.hostname().value(), documentVersion(context));
+            case TENANT -> identityDocumentClient.getTenantIdentityDocument(context.hostname().value(), documentVersion(context)).get();
         };
     }
 
-    private AthenzIdentity getAthenzIdentity(NodeAgentContext context, IdentityType identityType, ContainerPath identityDocumentFile) {
+    private Optional<AthenzIdentity> getAthenzIdentity(NodeAgentContext context, IdentityType identityType, ContainerPath identityDocumentFile) {
         return switch (identityType) {
-            case NODE -> context.identity();
+            case NODE -> Optional.of(context.identity());
             case TENANT -> getTenantIdentity(context, identityDocumentFile);
         };
     }
 
-    private AthenzIdentity getTenantIdentity(NodeAgentContext context, ContainerPath identityDocumentFile) {
+    private Optional<AthenzIdentity> getTenantIdentity(NodeAgentContext context, ContainerPath identityDocumentFile) {
         if (Files.exists(identityDocumentFile)) {
-            return EntityBindingsMapper.readSignedIdentityDocumentFromFile(identityDocumentFile).identityDocument().serviceIdentity();
+            return Optional.of(EntityBindingsMapper.readSignedIdentityDocumentFromFile(identityDocumentFile).identityDocument().serviceIdentity());
         } else {
-            return identityDocumentClient.getTenantIdentityDocument(context.hostname().value(), documentVersion(context)).identityDocument().serviceIdentity();
+            return identityDocumentClient.getTenantIdentityDocument(context.hostname().value(), documentVersion(context))
+                    .map(doc -> doc.identityDocument().serviceIdentity());
         }
     }
 
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/IdentityDocumentClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/IdentityDocumentClient.java
index 0e13cba8de9..a3c2f0264d3 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/IdentityDocumentClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/IdentityDocumentClient.java
@@ -1,6 +1,7 @@
 // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.vespa.athenz.identityprovider.api;
 
+import java.util.Optional;
 import java.util.OptionalInt;
 
 /**
@@ -10,5 +11,5 @@ import java.util.OptionalInt;
  */
 public interface IdentityDocumentClient {
     SignedIdentityDocument getNodeIdentityDocument(String host, int documentVersion);
-    SignedIdentityDocument getTenantIdentityDocument(String host, int documentVersion);
+    Optional<SignedIdentityDocument> getTenantIdentityDocument(String host, int documentVersion);
 }
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java
index 1858653c9b4..d26386702d5 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java
@@ -76,7 +76,7 @@ class AthenzCredentialsService {
         KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.RSA);
         IdentityDocumentClient identityDocumentClient = createIdentityDocumentClient();
         // Use legacy version for now.
-        SignedIdentityDocument signedDocument = identityDocumentClient.getTenantIdentityDocument(hostname, SignedIdentityDocument.LEGACY_DEFAULT_DOCUMENT_VERSION);
+        SignedIdentityDocument signedDocument = identityDocumentClient.getTenantIdentityDocument(hostname, SignedIdentityDocument.LEGACY_DEFAULT_DOCUMENT_VERSION).orElseThrow();
         IdentityDocument document = signedDocument.identityDocument();
         Pkcs10Csr csr = csrGenerator.generateInstanceCsr(
                 tenantIdentity,
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/DefaultIdentityDocumentClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/DefaultIdentityDocumentClient.java
index 48fc021dced..f95a3335c24 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/DefaultIdentityDocumentClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/DefaultIdentityDocumentClient.java
@@ -23,6 +23,7 @@ import java.io.IOException;
 import java.io.UncheckedIOException;
 import java.net.URI;
 import java.time.Duration;
+import java.util.Optional;
 import java.util.function.Supplier;
 
 /**
@@ -57,15 +58,15 @@ public class DefaultIdentityDocumentClient implements IdentityDocumentClient {
 
     @Override
     public SignedIdentityDocument getNodeIdentityDocument(String host, int documentVersion) {
-        return getIdentityDocument(host, "node", documentVersion);
+        return getIdentityDocument(host, "node", documentVersion).orElseThrow();
     }
 
     @Override
-    public SignedIdentityDocument getTenantIdentityDocument(String host, int documentVersion) {
+    public Optional<SignedIdentityDocument> getTenantIdentityDocument(String host, int documentVersion) {
         return getIdentityDocument(host, "tenant", documentVersion);
     }
 
-    private SignedIdentityDocument getIdentityDocument(String host, String type, int documentVersion) {
+    private Optional<SignedIdentityDocument> getIdentityDocument(String host, String type, int documentVersion) {
 
         try (CloseableHttpClient client = createHttpClient(sslContextSupplier.get(), hostnameVerifier)) {
             URI uri = configserverUri
@@ -83,7 +84,9 @@ public class DefaultIdentityDocumentClient implements IdentityDocumentClient {
                 int statusCode = response.getStatusLine().getStatusCode();
                 if (statusCode >= 200 && statusCode <= 299) {
                     SignedIdentityDocumentEntity entity = objectMapper.readValue(responseContent, SignedIdentityDocumentEntity.class);
-                    return EntityBindingsMapper.toSignedIdentityDocument(entity);
+                    return Optional.of(EntityBindingsMapper.toSignedIdentityDocument(entity));
+                } else if (statusCode == 404) {
+                    return Optional.empty();
                 } else {
                     throw new RuntimeException(
                             String.format(
author	Ola Aunronning <olaa@yahooinc.com>	2023-04-26 14:11:31 +0200
committer	Ola Aunronning <olaa@yahooinc.com>	2023-04-26 14:11:31 +0200
commit	6d58df3ac8ab8e94eb3b7f71d9a3792f97d63e56 (patch)
tree	b8df4dc92eb8e512889c0e003abd7b9d8d5d9e86
parent	46239c2babb3025e98222cd5cf72856767a1289d (diff)