Add 'asCertificateSanUri()'

author: Bjørn Christian Seime <bjorncs@yahooinc.com> 2023-02-06 11:09:01 +0100
committer: Bjørn Christian Seime <bjorncs@yahooinc.com> 2023-02-06 11:09:01 +0100
commit: c1ceb4407c3f6f035abac5d89f326c892a39cabd (patch)
tree: b7c622ec2df05a9b2e25c576f7eaafb68474ed3e
parent: afa309b95c2ad96680bb844b0b268edb705bea65 (diff)
3 files changed, 8 insertions, 3 deletions
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/InstanceValidator.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/InstanceValidator.java
index 15c7b620e44..d8bbf743d8c 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/InstanceValidator.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/InstanceValidator.java
@@ -8,6 +8,7 @@ import com.yahoo.config.model.api.ServiceInfo;
 import com.yahoo.config.model.api.SuperModelProvider;
 import com.yahoo.config.provision.ApplicationId;
 import com.yahoo.vespa.athenz.api.AthenzService;
+import com.yahoo.vespa.athenz.identityprovider.api.ClusterType;
 import com.yahoo.vespa.athenz.identityprovider.api.EntityBindingsMapper;
 import com.yahoo.vespa.athenz.identityprovider.api.SignedIdentityDocument;
 import com.yahoo.vespa.athenz.identityprovider.api.VespaUniqueInstanceId;
@@ -191,7 +192,7 @@ public class InstanceValidator {
         }
         var clusterType = node.allocation().map(a -> a.membership().cluster().type()).orElse(null);
         Set<URI> allowedUris = clusterType != null
-                ? Set.of(URI.create("vespa://cluster-type/%s".formatted(clusterType.name()))) : Set.of();
+                ? Set.of(ClusterType.from(clusterType.name()).asCertificateSanUri()) : Set.of();
         if (!allowedUris.containsAll(requestedUris)) {
             Supplier<String> msg = () -> "Illegal SAN URIs: expected '%s' found '%s'".formatted(allowedUris, requestedUris);
             throw new ValidationException(Level.WARNING, msg);
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/ClusterType.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/ClusterType.java
index ab14c41e314..3702f693a7b 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/ClusterType.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/ClusterType.java
@@ -2,6 +2,8 @@
 
 package com.yahoo.vespa.athenz.identityprovider.api;
 
+import java.net.URI;
+
 /**
  * Vespa cluster type
  *
@@ -32,5 +34,7 @@ public enum ClusterType {
         };
     }
 
+    public URI asCertificateSanUri() { return URI.create("vespa://cluster-type/%s".formatted(toConfigValue())); }
+
 }
 
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/CsrGenerator.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/CsrGenerator.java
index 9115627cad5..353f0fdf067 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/CsrGenerator.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/CsrGenerator.java
@@ -51,7 +51,7 @@ public class CsrGenerator {
                                 instanceIdentity.getDomainName().replace(".", "-"),
                                 dnsSuffix))
                 .addSubjectAlternativeName(DNS, getIdentitySAN(instanceId));
-        if (clusterType != null) pkcs10CsrBuilder.addSubjectAlternativeName(URI, "vespa://cluster-type/%s".formatted(clusterType.toConfigValue()));
+        if (clusterType != null) pkcs10CsrBuilder.addSubjectAlternativeName(URI, clusterType.asCertificateSanUri().toString());
         ipAddresses.forEach(ip ->  pkcs10CsrBuilder.addSubjectAlternativeName(new SubjectAlternativeName(IP, ip)));
         return pkcs10CsrBuilder.build();
     }
@@ -65,7 +65,7 @@ public class CsrGenerator {
         var b = Pkcs10CsrBuilder.fromKeypair(principal, keyPair, SHA256_WITH_RSA)
                 .addSubjectAlternativeName(DNS, getIdentitySAN(instanceId))
                 .addSubjectAlternativeName(EMAIL, String.format("%s.%s@%s", identity.getDomainName(), identity.getName(), dnsSuffix));
-        if (clusterType != null) b.addSubjectAlternativeName(URI, "vespa://cluster-type/%s".formatted(clusterType.toConfigValue()));
+        if (clusterType != null) b.addSubjectAlternativeName(URI, clusterType.asCertificateSanUri().toString());
         return b.build();
     }
author	Bjørn Christian Seime <bjorncs@yahooinc.com>	2023-02-06 11:09:01 +0100
committer	Bjørn Christian Seime <bjorncs@yahooinc.com>	2023-02-06 11:09:01 +0100
commit	c1ceb4407c3f6f035abac5d89f326c892a39cabd (patch)
tree	b7c622ec2df05a9b2e25c576f7eaafb68474ed3e
parent	afa309b95c2ad96680bb844b0b268edb705bea65 (diff)