author | Andreas Eriksen <andreer@verizonmedia.com> | 2020-02-21 09:40:26 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-02-21 09:40:26 +0100 |
commit | f4fcb9465c3a3191b1d41531c93f29cae878c2da (patch) | |
tree | 1144d2fa05023ee0c520f25ee9cbd41da16cf279 | |
parent | 7bf3943209a62678db8a007045505565f2815f7b (diff) | |
parent | 6cac8f95ca72bb0914b68bf7060e76ca8cf7eee2 (diff) |
Merge pull request #12294 from vespa-engine/andreer/endpoint-cert-updates
make it possible to request an updated endpoint cert
7 files changed, 49 insertions, 64 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateMetadata.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateMetadata.java
index 0aa0df8ae2b..171c5caa756 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateMetadata.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateMetadata.java
@@ -18,25 +18,23 @@ public class EndpointCertificateMetadata {
 private final int version;
 private final Optional<String> request_id;
 private final Optional<List<String>> requestedDnsSans;
+ private final Optional<String> issuer;
 
 public EndpointCertificateMetadata(String keyName, String certName, int version) {
- this.keyName = keyName;
- this.certName = certName;
- this.version = version;
- this.request_id = Optional.empty();
- this.requestedDnsSans = Optional.empty();
+ this(keyName, certName, version, Optional.empty(), Optional.empty(), Optional.empty());
+ }
+
+ public EndpointCertificateMetadata(String keyName, String certName, int version, String request_id, List<String> requestedDnsSans) {
+ this(keyName, certName, version, Optional.of(request_id), Optional.of(requestedDnsSans), Optional.empty());
 }
 
- public EndpointCertificateMetadata(String keyName, String certName, int version, Optional<String> request_id, Optional<List<String>> requestedDnsSans) {
+ public EndpointCertificateMetadata(String keyName, String certName, int version, Optional<String> request_id, Optional<List<String>> requestedDnsSans, Optional<String> issuer) {
 this.keyName = keyName;
 this.certName = certName;
 this.version = version;
 this.request_id = request_id;
 this.requestedDnsSans = requestedDnsSans;
- }
-
- public EndpointCertificateMetadata(String keyName, String certName, int version, String request_id, List<String> requestedDnsSans) {
- this(keyName, certName, version, Optional.of(request_id), Optional.of(requestedDnsSans));
+ this.issuer = issuer;
 }
 
 public String keyName() {
@@ -59,6 +57,10 @@ public class EndpointCertificateMetadata {
 return requestedDnsSans;
 }
 
+ public Optional<String> issuer() {
+ return issuer;
+ }
+
 @Override
 public String toString() {
 return "EndpointCertificateMetadata{" +
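Review bot: The new six-argument constructor stores `issuer` (and the two other `Optional` arguments) without any null check, while `equals`, `hashCode` and `toString` in the following hunks dereference those fields directly, so a caller passing `null` for an `Optional`-typed argument fails later with a NullPointerException instead of at construction. `Objects` is already in scope for `hashCode`, so `this.issuer = Objects.requireNonNull(issuer, "issuer");` (and the same for `request_id` and `requestedDnsSans`) pins the invariant where the value enters. The new `issuer()` accessor also has no Javadoc; from `fromSlime` in the serializer the field is empty for metadata stored before it existed, so a one-liner such as `/** The issuer of this certificate, if known; empty for metadata written before this field existed. */` would tell callers what an empty value means.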
@@ -67,6 +69,7 @@ public class EndpointCertificateMetadata {
 ", version=" + version +
 ", request_id=" + request_id +
 ", requestedDnsSans=" + requestedDnsSans +
+ ", issuer=" + issuer +
 '}';
 }
 
@@ -79,11 +82,12 @@ public class EndpointCertificateMetadata {
 keyName.equals(that.keyName) &&
 certName.equals(that.certName) &&
 request_id.equals(that.request_id) &&
- requestedDnsSans.equals(that.requestedDnsSans);
+ requestedDnsSans.equals(that.requestedDnsSans) &&
+ issuer.equals(that.issuer);
 }
 
 @Override
 public int hashCode() {
- return Objects.hash(keyName, certName, version, request_id, requestedDnsSans);
+ return Objects.hash(keyName, certName, version, request_id, requestedDnsSans, issuer);
 }
 }
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateMock.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateMock.java
index 8e81400f3c8..c38ea158507 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateMock.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateMock.java
@@ -7,6 +7,7 @@ import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.Optional;
 import java.util.UUID;
 
 /**
@@ -21,7 +22,7 @@ public class EndpointCertificateMock implements EndpointCertificateProvider {
 }
 
 @Override
- public EndpointCertificateMetadata requestCaSignedCertificate(ApplicationId applicationId, List<String> dnsNames) {
+ public EndpointCertificateMetadata requestCaSignedCertificate(ApplicationId applicationId, List<String> dnsNames, Optional<EndpointCertificateMetadata> currentMetadata) {
 this.dnsNames.put(applicationId, dnsNames);
 String endpointCertificatePrefix = String.format("vespa.tls.%s.%s@%s", applicationId.tenant(), applicationId.application(),
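Review bot: In the `EndpointCertificateMock` hunk the new `currentMetadata` argument is accepted but never read, so a test of the "request an updated certificate" path cannot observe whether the manager passed the current certificate or what the mock was asked to update. The mock already records `dnsNames` per application; recording the last `currentMetadata` per application the same way (`this.currentMetadata.put(applicationId, currentMetadata);` next to the existing `put`) would make that path testable. The method body continues below the hunk, so whether the returned metadata sets `issuer` cannot be seen here; if it does not, every test runs with an empty issuer.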
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateProvider.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateProvider.java
index 97d2bdb3343..9c5c25c1c71 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateProvider.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateProvider.java
@@ -4,6 +4,7 @@ package com.yahoo.vespa.hosted.controller.api.integration.certificates;
 import com.yahoo.config.provision.ApplicationId;
 
 import java.util.List;
+import java.util.Optional;
 
 /**
 * Generates an endpoint certificate for an application instance.
@@ -12,7 +13,7 @@ import java.util.List;
 */
 public interface EndpointCertificateProvider {
 
- EndpointCertificateMetadata requestCaSignedCertificate(ApplicationId applicationId, List<String> dnsNames);
+ EndpointCertificateMetadata requestCaSignedCertificate(ApplicationId applicationId, List<String> dnsNames, Optional<EndpointCertificateMetadata> currentMetadata);
 
 List<EndpointCertificateMetadata> listCertificates();
 }
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/endpointcertificates/EndpointCertificateManager.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/endpointcertificates/EndpointCertificateManager.java
index d915da21603..23a3ffb42b6 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/endpointcertificates/EndpointCertificateManager.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/endpointcertificates/EndpointCertificateManager.java
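Review bot: The new `currentMetadata` parameter on `requestCaSignedCertificate` is undocumented, and the interface Javadoc visible above it still only says the provider "Generates an endpoint certificate", so an implementer cannot tell what a present value obliges them to do. A `@param currentMetadata` line should state whether a present value means the caller wants an updated certificate issued for the same application (as the PR title suggests) and which fields of it the provider is expected to honour or carry over, such as the request id and issuer. `Optional` as a parameter type is also an unusual shape in Java; an overload without the parameter, delegating with `Optional.empty()`, would keep existing callers unchanged, though for an internal interface this is a style point.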
@@ -156,7 +156,8 @@ public class EndpointCertificateManager {
 storedMetaData.certName(),
 storedMetaData.version(),
 providerMetadata.request_id(),
- providerMetadata.requestedDnsSans());
+ providerMetadata.requestedDnsSans(),
+ Optional.empty());
 if (mode == BackfillMode.DRYRUN) {
 log.log(LogLevel.INFO, "Would update stored metadata " + storedMetaData + " with data from provider: " + backfilledMetadata);
@@ -176,7 +177,7 @@ public class EndpointCertificateManager {
 private EndpointCertificateMetadata provisionEndpointCertificate(Instance instance) {
 List<ZoneId> zones = zoneRegistry.zones().controllerUpgraded().zones().stream().map(ZoneApi::getId).collect(Collectors.toUnmodifiableList());
 EndpointCertificateMetadata provisionedCertificateMetadata = endpointCertificateProvider
- .requestCaSignedCertificate(instance.id(), dnsNamesOf(instance.id(), zones));
+ .requestCaSignedCertificate(instance.id(), dnsNamesOf(instance.id(), zones), Optional.empty());
 curator.writeEndpointCertificateMetadata(instance.id(), provisionedCertificateMetadata);
 return provisionedCertificateMetadata;
 }
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/persistence/CuratorDb.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/persistence/CuratorDb.java
index ad2835e301f..eb86b1028e2 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/persistence/CuratorDb.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/persistence/CuratorDb.java
@@ -42,7 +42,6 @@ import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.HashSet;
-import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
 import java.util.NavigableMap;
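Review bot: The backfill at the top of the first hunk builds `backfilledMetadata` from `providerMetadata.request_id()` and `providerMetadata.requestedDnsSans()` but hard-codes `Optional.empty()` for the issuer, so an issuer reported by the provider is dropped in exactly the code path whose job is to copy provider data into the store; `providerMetadata.issuer());` looks like the intended argument (the statement begins above the hunk, so this is inferred from the visible arguments only). In the second hunk `provisionEndpointCertificate` always passes `Optional.empty()` as `currentMetadata`, which means nothing in the manager ever requests an updated certificate through the new parameter. If that is deliberate for first-time provisioning, a comment such as `// initial provisioning: there is no current certificate to update` on that line would keep a reader from assuming the update path is already wired up.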
@@ -521,8 +520,7 @@ public class CuratorDb {
 }
 
 public Optional<EndpointCertificateMetadata> readEndpointCertificateMetadata(ApplicationId applicationId) {
- Optional<String> zkData = curator.getData(endpointCertificatePath(applicationId)).map(String::new);
- return zkData.map(EndpointCertificateMetadataSerializer::fromJsonOrTlsSecretsKeysString);
+ return curator.getData(endpointCertificatePath(applicationId)).map(String::new).map(EndpointCertificateMetadataSerializer::fromJsonString);
 }
 
 public Map<ApplicationId, EndpointCertificateMetadata> readAllEndpointCertificateMetadata() {
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/persistence/EndpointCertificateMetadataSerializer.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/persistence/EndpointCertificateMetadataSerializer.java
index 653f224a02b..501d3a06d42 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/persistence/EndpointCertificateMetadataSerializer.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/persistence/EndpointCertificateMetadataSerializer.java
@@ -4,6 +4,7 @@ import com.yahoo.slime.Cursor;
 import com.yahoo.slime.Inspector;
 import com.yahoo.slime.Slime;
 import com.yahoo.slime.SlimeUtils;
+import com.yahoo.slime.Type;
 import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificateMetadata;
 
 import java.util.List;
@@ -33,6 +34,7 @@ public class EndpointCertificateMetadataSerializer {
 private final static String versionField = "version";
 private final static String requestIdField = "requestId";
 private final static String requestedDnsSansField = "requestedDnsSans";
+ private final static String issuerField = "issuer";
 
 public static Slime toSlime(EndpointCertificateMetadata metadata) {
 Slime slime = new Slime();
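Review bot: The rewritten `readEndpointCertificateMetadata` still decodes the ZooKeeper bytes with `String::new`, i.e. the platform default charset, and now hands the result straight to `fromJsonString`, which rejects any node that is not a JSON object — the legacy format the removed `fromJsonOrTlsSecretsKeysString` fallback used to accept. The charset should be explicit, `.map(bytes -> new String(bytes, StandardCharsets.UTF_8))` (needs `java.nio.charset.StandardCharsets`). It is also worth confirming that no application still has a legacy-format node before this ships, because such a node now turns every read for that application into an `IllegalArgumentException` whose message does not name the application; catching and rethrowing with `applicationId` in the message would make that diagnosable from the log.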
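Review bot: `issuerField` is only consumed by `fromSlime`; `toSlime`, whose body (old lines 40–50) this patch does not touch, never writes it, so an `issuer` value is lost on every write and a metadata read back from ZooKeeper will not `equals` the one that was stored. `toSlime` should emit it the same way it emits `requestIdField`, e.g. `metadata.issuer().ifPresent(issuer -> object.setString(issuerField, issuer));` where `object` stands for whatever `Cursor` `toSlime` already writes the other fields into. The body of `toSlime` lies outside this hunk, so this is inferred from the absence of any hunk over it rather than from visible lines.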
@@ -51,46 +53,31 @@ public class EndpointCertificateMetadataSerializer {
 }
 
 public static EndpointCertificateMetadata fromSlime(Inspector inspector) {
- switch (inspector.type()) {
- case STRING: // TODO: Remove once all are transmitted and stored as JSON
- return new EndpointCertificateMetadata(
- inspector.asString() + "-key",
- inspector.asString() + "-cert",
- 0
- );
- case OBJECT: {
- Optional<String> request_id = inspector.field(requestIdField).valid() ?
- Optional.of(inspector.field(requestIdField).asString()) :
- Optional.empty();
+ if (inspector.type() != Type.OBJECT)
+ throw new IllegalArgumentException("Unknown format encountered for endpoint certificate metadata!");
+ Optional<String> request_id = inspector.field(requestIdField).valid() ?
+ Optional.of(inspector.field(requestIdField).asString()) :
+ Optional.empty();
 
- Optional<List<String>> requestedDnsSans = inspector.field(requestedDnsSansField).valid() ?
- Optional.of(IntStream.range(0, inspector.field(requestedDnsSansField).entries())
- .mapToObj(i -> inspector.field(requestedDnsSansField).entry(i).asString()).collect(Collectors.toList())) :
- Optional.empty();
+ Optional<List<String>> requestedDnsSans = inspector.field(requestedDnsSansField).valid() ?
+ Optional.of(IntStream.range(0, inspector.field(requestedDnsSansField).entries())
+ .mapToObj(i -> inspector.field(requestedDnsSansField).entry(i).asString()).collect(Collectors.toList())) :
+ Optional.empty();
 
- return new EndpointCertificateMetadata(
- inspector.field(keyNameField).asString(),
- inspector.field(certNameField).asString(),
- Math.toIntExact(inspector.field(versionField).asLong()),
- request_id,
- requestedDnsSans
- );
- }
+ Optional<String> issuer = inspector.field(issuerField).valid() ?
+ Optional.of(inspector.field(issuerField).asString()) :
+ Optional.empty();
 
- default:
- throw new IllegalArgumentException("Unknown format encountered for endpoint certificate metadata!");
- }
+ return new EndpointCertificateMetadata(
+ inspector.field(keyNameField).asString(),
+ inspector.field(certNameField).asString(),
+ Math.toIntExact(inspector.field(versionField).asLong()),
+ request_id,
+ requestedDnsSans,
+ issuer);
 }
 
- public static EndpointCertificateMetadata fromTlsSecretsKeysString(String tlsSecretsKeys) {
- return fromSlime(new Slime().setString(tlsSecretsKeys));
- }
-
- public static EndpointCertificateMetadata fromJsonOrTlsSecretsKeysString(String zkdata) {
- if (zkdata.strip().startsWith("{")) {
- return fromSlime(SlimeUtils.jsonToSlime(zkdata).get());
- } else {
- return fromTlsSecretsKeysString(zkdata);
- }
+ public static EndpointCertificateMetadata fromJsonString(String zkdata) {
+ return fromSlime(SlimeUtils.jsonToSlime(zkdata).get());
 }
 }
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/persistence/EndpointCertificateMetadataSerializerTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/persistence/EndpointCertificateMetadataSerializerTest.java
index 7428b9901a2..5f8a3eaa98a 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/persistence/EndpointCertificateMetadataSerializerTest.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/persistence/EndpointCertificateMetadataSerializerTest.java
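Review bot: The guard at the top of the rewritten `fromSlime` throws with no detail, `"Unknown format encountered for endpoint certificate metadata!"`, although `inspector.type()` is the one fact an operator needs now that legacy string nodes are rejected instead of converted; `throw new IllegalArgumentException("Unknown format encountered for endpoint certificate metadata: " + inspector.type());` keeps the message useful without leaking the payload. The `valid() ? Optional.of(….asString()) : Optional.empty()` shape is now spelled out for `request_id` and `issuer` (and a list variant for `requestedDnsSans`); a small private helper for the string fields removes the duplication and makes the next optional field a one-liner, as sketched below with the `requestedDnsSans` handling and the final construction left as they are.
```java
public static EndpointCertificateMetadata fromSlime(Inspector inspector) {
    if (inspector.type() != Type.OBJECT)
        throw new IllegalArgumentException("Unknown format encountered for endpoint certificate metadata: " + inspector.type());
    Optional<String> request_id = optionalString(inspector, requestIdField);
    // … unchanged: requestedDnsSans parsing …
    Optional<String> issuer = optionalString(inspector, issuerField);
    // … unchanged: construction of EndpointCertificateMetadata …
}

/** Returns the string value of {@code field} when it is present on {@code inspector}, empty otherwise. */
private static Optional<String> optionalString(Inspector inspector, String field) {
    Inspector value = inspector.field(field);
    return value.valid() ? Optional.of(value.asString()) : Optional.empty();
}
```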
@@ -29,17 +29,10 @@ public class EndpointCertificateMetadataSerializerTest {
 }
 
 @Test
- public void deserializeFromString() {
- assertEquals(
- new EndpointCertificateMetadata("foo-key", "foo-cert", 0),
- EndpointCertificateMetadataSerializer.fromJsonOrTlsSecretsKeysString("foo"));
- }
-
- @Test
 public void deserializeFromJson() {
 assertEquals(
 sample,
- EndpointCertificateMetadataSerializer.fromJsonOrTlsSecretsKeysString(
+ EndpointCertificateMetadataSerializer.fromJsonString(
 "{\"keyName\":\"keyName\",\"certName\":\"certName\",\"version\":1}"));
 }
 
@@ -47,7 +40,7 @@ public class EndpointCertificateMetadataSerializerTest {
 public void deserializeFromJsonWithRequestMetadata() {
 assertEquals(
 sampleWithRequestMetadata,
- EndpointCertificateMetadataSerializer.fromJsonOrTlsSecretsKeysString(
+ EndpointCertificateMetadataSerializer.fromJsonString(
 "{\"keyName\":\"keyName\",\"certName\":\"certName\",\"version\":1,\"requestId\":\"requestId\",\"requestedDnsSans\":[\"SAN1\",\"SAN2\"]}"));
 }
 }
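Review bot: Deleting `deserializeFromString` leaves the serializer's new behaviour without coverage: nothing asserts that a non-object payload is now rejected, and nothing exercises the new `issuer` field in either direction, so `toSlime` silently dropping it would not fail any test. Two tests along the lines below would close that gap; they follow the file's existing `@Test`/`assertEquals` style, the `"issuer"` value is a constructed sample, the round trip relies on `Slime.get()` handing the root back to `fromSlime`, and the rejection test assumes `SlimeUtils.jsonToSlime` parses a bare JSON string into a `STRING` inspector and that the file uses JUnit 4 (`@Test(expected = …)`), which the visible annotations are consistent with but do not prove. `java.util.Optional` must be imported if the test file does not already do so.
```java
@Test
public void deserializeFromJsonWithIssuer() {
    EndpointCertificateMetadata withIssuer = new EndpointCertificateMetadata(
            "keyName", "certName", 1, Optional.empty(), Optional.empty(), Optional.of("issuer"));
    assertEquals(
            withIssuer,
            EndpointCertificateMetadataSerializer.fromJsonString(
                    "{\"keyName\":\"keyName\",\"certName\":\"certName\",\"version\":1,\"issuer\":\"issuer\"}"));
    assertEquals(
            withIssuer,
            EndpointCertificateMetadataSerializer.fromSlime(
                    EndpointCertificateMetadataSerializer.toSlime(withIssuer).get()));
}

@Test(expected = IllegalArgumentException.class)
public void rejectsNonObjectPayload() {
    EndpointCertificateMetadataSerializer.fromJsonString("\"foo\"");
}
```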
\ No newline at end of file |