author | Bjørn Christian Seime <bjorncs@yahooinc.com> | 2023-02-06 11:09:01 +0100 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@yahooinc.com> | 2023-02-06 11:09:01 +0100 |
commit | c1ceb4407c3f6f035abac5d89f326c892a39cabd (patch) | |
tree | b7c622ec2df05a9b2e25c576f7eaafb68474ed3e | |
parent | afa309b95c2ad96680bb844b0b268edb705bea65 (diff) |
Add 'asCertificateSanUri()'
3 files changed, 8 insertions, 3 deletions
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/InstanceValidator.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/InstanceValidator.java
index 15c7b620e44..d8bbf743d8c 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/InstanceValidator.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/InstanceValidator.java
@@ -8,6 +8,7 @@ import com.yahoo.config.model.api.ServiceInfo;
 import com.yahoo.config.model.api.SuperModelProvider;
 import com.yahoo.config.provision.ApplicationId;
 import com.yahoo.vespa.athenz.api.AthenzService;
+import com.yahoo.vespa.athenz.identityprovider.api.ClusterType;
 import com.yahoo.vespa.athenz.identityprovider.api.EntityBindingsMapper;
 import com.yahoo.vespa.athenz.identityprovider.api.SignedIdentityDocument;
 import com.yahoo.vespa.athenz.identityprovider.api.VespaUniqueInstanceId;
@@ -191,7 +192,7 @@ public class InstanceValidator {
 }
 var clusterType = node.allocation().map(a -> a.membership().cluster().type()).orElse(null);
 Set<URI> allowedUris = clusterType != null
- ? Set.of(URI.create("vespa://cluster-type/%s".formatted(clusterType.name()))) : Set.of();
+ ? Set.of(ClusterType.from(clusterType.name()).asCertificateSanUri()) : Set.of();
 if (!allowedUris.containsAll(requestedUris)) {
 Supplier<String> msg = () -> "Illegal SAN URIs: expected '%s' found '%s'".formatted(allowedUris, requestedUris);
 throw new ValidationException(Level.WARNING, msg);
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/ClusterType.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/ClusterType.java
index ab14c41e314..3702f693a7b 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/ClusterType.java
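Review bot: The added line in the second hunk routes the node's cluster type through `ClusterType.from(clusterType.name())`, and nothing in the hunk handles that conversion failing; `from` is defined outside this diff, but if it rejects names it does not know, a node whose provisioning cluster type has no athenz `ClusterType` counterpart would now leave the validator as that exception instead of the `ValidationException` thrown two lines below, whereas the removed line accepted any `name()` value. Whether that is the intended fail-closed behaviour or an unhandled path should be decided explicitly, either by treating an unknown type as `Set.of()` so the request is still rejected through the normal `Illegal SAN URIs` path, or — assuming `from` signals unknown values with `IllegalArgumentException` — by mapping it: `catch (IllegalArgumentException e) { throw new ValidationException(Level.WARNING, () -> "Unknown cluster type " + clusterType); }`. A short why-comment on the new line would also help the next reader, e.g. `// Must equal the SAN URI CsrGenerator writes; both sides derive it from ClusterType.asCertificateSanUri()`. The enclosing method starts and ends outside this hunk.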
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/ClusterType.java
@@ -2,6 +2,8 @@ package com.yahoo.vespa.athenz.identityprovider.api;
+import java.net.URI;
+
 /**
 * Vespa cluster type
 *
@@ -32,5 +34,7 @@ public enum ClusterType {
 };
 }
+ public URI asCertificateSanUri() { return URI.create("vespa://cluster-type/%s".formatted(toConfigValue())); }
+
 }
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/CsrGenerator.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/CsrGenerator.java
index 9115627cad5..353f0fdf067 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/CsrGenerator.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/CsrGenerator.java
@@ -51,7 +51,7 @@ public class CsrGenerator {
 instanceIdentity.getDomainName().replace(".", "-"), dnsSuffix))
 .addSubjectAlternativeName(DNS, getIdentitySAN(instanceId));
- if (clusterType != null) pkcs10CsrBuilder.addSubjectAlternativeName(URI, "vespa://cluster-type/%s".formatted(clusterType.toConfigValue()));
+ if (clusterType != null) pkcs10CsrBuilder.addSubjectAlternativeName(URI, clusterType.asCertificateSanUri().toString());
 ipAddresses.forEach(ip -> pkcs10CsrBuilder.addSubjectAlternativeName(new SubjectAlternativeName(IP, ip)));
 return pkcs10CsrBuilder.build();
 }
@@ -65,7 +65,7 @@ public class CsrGenerator {
 var b = Pkcs10CsrBuilder.fromKeypair(principal, keyPair, SHA256_WITH_RSA)
 .addSubjectAlternativeName(DNS, getIdentitySAN(instanceId))
 .addSubjectAlternativeName(EMAIL, String.format("%s.%s@%s", identity.getDomainName(), identity.getName(), dnsSuffix));
- if (clusterType != null) b.addSubjectAlternativeName(URI, "vespa://cluster-type/%s".formatted(clusterType.toConfigValue()));
+ if (clusterType != null) b.addSubjectAlternativeName(URI, clusterType.asCertificateSanUri().toString());
 return b.build();
 }
|
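Review bot: `asCertificateSanUri()` on the added line of the second ClusterType hunk carries no Javadoc, although its return value is now a contract shared by two components: `CsrGenerator` writes it into the CSR's SAN extension and `InstanceValidator` checks requested SAN URIs against it, so the `vespa://cluster-type/<config value>` form cannot change on one side alone, and any change would also have to consider CSRs from nodes still producing the previous form. Suggested Javadoc: `/** URI placed in the certificate's SAN extension to bind the certificate to this cluster type; the format is a compatibility contract between CSR generation and instance validation. */`. The enum body continues outside this hunk.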
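Review bot: The changed lines in the CsrGenerator hunks at 51 and 65 are the same statement with a different builder variable, each repeating the `clusterType != null` guard; now that the URI text comes from a single method, the two could share one private helper, e.g. `private static void addClusterTypeSan(Pkcs10CsrBuilder builder, ClusterType clusterType) { if (clusterType != null) builder.addSubjectAlternativeName(URI, clusterType.asCertificateSanUri().toString()); }`. This assumes `pkcs10CsrBuilder` is a `Pkcs10CsrBuilder` like `b` is; its declaration is outside the hunk. Both enclosing methods start outside their hunks.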