authorBjørn Christian Seime <bjorn.christian@seime.no>2018-07-10 15:01:19 +0200
committerGitHub <noreply@github.com>2018-07-10 15:01:19 +0200
commit80a1b939a6ba01a24af5f29d857b22aecfe1546e (patch)
tree0aa0155f6e929fa5c522cda6d5acca377efb1fab
parentb991edef1ec5c789314412e9dba139269cd8964e (diff)
parentb7d15a1804d42204dc8ce9cf507a9febc1b3d59f (diff)
Merge pull request #6374 from vespa-engine/bjorncs/handle-certificate-revoke
Bjorncs/handle certificate revoke
-rw-r--r--node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java9
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java11
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClientException.java22
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/bindings/ErrorResponseEntity.java23
4 files changed, 54 insertions, 11 deletions
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
index ff85c49bb13..a8403b8b10d 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
@@ -7,6 +7,7 @@ import com.yahoo.vespa.athenz.api.AthenzService;
import com.yahoo.vespa.athenz.client.zts.DefaultZtsClient;
import com.yahoo.vespa.athenz.client.zts.InstanceIdentity;
import com.yahoo.vespa.athenz.client.zts.ZtsClient;
+import com.yahoo.vespa.athenz.client.zts.ZtsClientException;
import com.yahoo.vespa.athenz.identity.ServiceIdentityProvider;
import com.yahoo.vespa.athenz.identityprovider.api.EntityBindingsMapper;
import com.yahoo.vespa.athenz.identityprovider.api.IdentityDocumentClient;
@@ -142,6 +143,8 @@ public class AthenzCredentialsMaintainer {
log.info(String.format("Deleted private key file (path=%s)", privateKeyFile));
if (Files.deleteIfExists(certificateFile))
log.info(String.format("Deleted certificate file (path=%s)", certificateFile));
+ if (Files.deleteIfExists(identityDocumentFile))
+ log.info(String.format("Deleted identity document file (path=%s)", certificateFile));
} catch (IOException e) {
throw new UncheckedIOException(e);
}
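Review bot: The new log line for the identity document reports the wrong path: the format string says "Deleted identity document file" but the argument passed is `certificateFile`, not `identityDocumentFile`. The statement should read `log.info(String.format("Deleted identity document file (path=%s)", identityDocumentFile));`. Since this log is the only record that a credential file was removed during cleanup, a wrong path makes a later incident review misleading. The enclosing method starts and ends outside this hunk.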
@@ -201,6 +204,12 @@ public class AthenzCredentialsMaintainer {
csr);
writePrivateKeyAndCertificate(keyPair.getPrivate(), instanceIdentity.certificate());
log.info("Instance successfully refreshed and credentials written to file");
+ } catch (ZtsClientException e) {
+ // TODO Find out why certificate was revoked and hopefully remove this workaround
+ if (e.getErrorCode() == 403 && e.getDescription().startsWith("Certificate revoked")) {
+ log.error("Certificate cannot be refreshed as it is revoked by ZTS - re-registering the instance now", e);
+ registerIdentity();
+ }
} catch (IOException e) {
throw new UncheckedIOException(e);
}
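Review bot: The new `catch (ZtsClientException e)` block swallows every ZTS error that is not the 403/"Certificate revoked" case: the condition on the second added line has no else branch, so any other error code or message is dropped and the refresh silently appears to have succeeded. Add `} else { throw e; }` after the `if` block so unexpected ZTS failures still surface. The condition also dereferences `e.getDescription()` without a null check; if the error body lacked a message this becomes a NullPointerException inside the catch, so guard it as `e.getDescription() != null && e.getDescription().startsWith("Certificate revoked")`. The enclosing method begins before this hunk.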
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java
index 8c67c3386b7..8a94518cee7 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java
@@ -10,10 +10,11 @@ import com.yahoo.vespa.athenz.api.AthenzRole;
import com.yahoo.vespa.athenz.api.AthenzService;
import com.yahoo.vespa.athenz.api.NToken;
import com.yahoo.vespa.athenz.api.ZToken;
+import com.yahoo.vespa.athenz.client.zts.bindings.ErrorResponseEntity;
+import com.yahoo.vespa.athenz.client.zts.bindings.IdentityRefreshRequestEntity;
import com.yahoo.vespa.athenz.client.zts.bindings.IdentityResponseEntity;
import com.yahoo.vespa.athenz.client.zts.bindings.InstanceIdentityCredentials;
import com.yahoo.vespa.athenz.client.zts.bindings.InstanceRefreshInformation;
-import com.yahoo.vespa.athenz.client.zts.bindings.IdentityRefreshRequestEntity;
import com.yahoo.vespa.athenz.client.zts.bindings.InstanceRegisterInformation;
import com.yahoo.vespa.athenz.client.zts.bindings.RoleCertificateRequestEntity;
import com.yahoo.vespa.athenz.client.zts.bindings.RoleCertificateResponseEntity;
@@ -33,7 +34,6 @@ import org.apache.http.entity.StringEntity;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.DefaultHttpRequestRetryHandler;
import org.apache.http.impl.client.HttpClientBuilder;
-import org.apache.http.util.EntityUtils;
import org.eclipse.jetty.http.HttpStatus;
import javax.net.ssl.SSLContext;
@@ -48,7 +48,6 @@ import java.util.List;
import java.util.concurrent.locks.Lock;
import java.util.concurrent.locks.ReadWriteLock;
import java.util.concurrent.locks.ReentrantReadWriteLock;
-import java.util.stream.Collectors;
import static com.yahoo.vespa.athenz.tls.SignatureAlgorithm.SHA256_WITH_RSA;
import static com.yahoo.vespa.athenz.tls.SubjectAlternativeName.Type.DNS_NAME;
@@ -237,10 +236,8 @@ public class DefaultZtsClient implements ZtsClient {
if (HttpStatus.isSuccess(response.getStatusLine().getStatusCode())) {
return objectMapper.readValue(response.getEntity().getContent(), entityType);
} else {
- String message = EntityUtils.toString(response.getEntity());
- throw new ZtsClientException(
- String.format("Unable to get identity. http code/message: %d/%s",
- response.getStatusLine().getStatusCode(), message));
+ ErrorResponseEntity errorEntity = objectMapper.readValue(response.getEntity().getContent(), ErrorResponseEntity.class);
+ throw new ZtsClientException(errorEntity.code, errorEntity.description);
}
}
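Review bot: The new error path on the first added line assumes every non-success response carries a JSON ErrorResponseEntity body; when ZTS or an intermediary returns an empty or non-JSON body, `objectMapper.readValue` throws a JsonProcessingException (an IOException) and the HTTP status code the old code reported is lost entirely, so callers cannot distinguish "revoked" from "proxy returned HTML". Read the body once as a string, try to decode it, and fall back to the status line plus raw body when decoding fails; this reuses the `EntityUtils` import that the second hunk of this file removes, so that import would have to stay. The enclosing method starts outside this hunk; its declared exceptions are not visible here, so the `IOException` catch below can be narrowed to `JsonProcessingException` if the method does not otherwise throw IOException.
```java
} else {
    int statusCode = response.getStatusLine().getStatusCode();
    String body = EntityUtils.toString(response.getEntity());
    try {
        ErrorResponseEntity errorEntity = objectMapper.readValue(body, ErrorResponseEntity.class);
        throw new ZtsClientException(errorEntity.code, errorEntity.description);
    } catch (IOException e) {
        // Body is not a ZTS error document (empty body, proxy page): keep the status line rather than failing the parse
        throw new ZtsClientException(statusCode, body);
    }
}
```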
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClientException.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClientException.java
index 3d3696ad870..0b0d6914fea 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClientException.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClientException.java
@@ -8,11 +8,25 @@ package com.yahoo.vespa.athenz.client.zts;
*/
public class ZtsClientException extends RuntimeException {
- public ZtsClientException(String message) {
- super(message);
+ private final int errorCode;
+ private final String description;
+
+ public ZtsClientException(int errorCode, String description) {
+ super(createMessage(errorCode, description));
+ this.errorCode = errorCode;
+ this.description = description;
+ }
+
+ public int getErrorCode() {
+ return errorCode;
}
- public ZtsClientException(String message, Throwable cause) {
- super(message, cause);
+ public String getDescription() {
+ return description;
}
+
+ private static String createMessage(int code, String description) {
+ return String.format("Received error from ZTS: code=%d, message=\"%s\"", code, description);
+ }
+
}
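Review bot: The new constructor stores `description` without normalising it, while the only caller visible in this commit (AthenzCredentialsMaintainer) calls `getDescription().startsWith(...)` on the result; if the JSON error body has no `message` field the description is null and that call fails. Either normalise in the constructor, `this.description = description == null ? "" : description;`, or document the nullability on the accessor with `/** @return the error message reported by ZTS, or null if the response carried none */`. The constructor taking a `Throwable cause` is removed, so failures that wrap an underlying exception can no longer preserve it; worth checking that no other caller of the removed constructors exists outside this diff.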
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/bindings/ErrorResponseEntity.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/bindings/ErrorResponseEntity.java
new file mode 100644
index 00000000000..431af084f9f
--- /dev/null
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/bindings/ErrorResponseEntity.java
@@ -0,0 +1,23 @@
+// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.athenz.client.zts.bindings;
+
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+/**
+ * @author bjorncs
+ */
+@JsonIgnoreProperties(ignoreUnknown = true)
+public class ErrorResponseEntity {
+
+ public final int code;
+ public final String description;
+
+ @JsonCreator
+ public ErrorResponseEntity(@JsonProperty("code") int code,
+ @JsonProperty("message") String description) {
+ this.code = code;
+ this.description = description;
+ }
+}
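Review bot: The class carries only an `@author` tag, and the field named `description` is bound to the JSON property `message` on the constructor parameter, which is easy to misread when comparing against a ZTS response. Add a class-level Javadoc sentence such as `/** JSON binding for the error document ZTS returns on a non-2xx response; {@code description} maps to the body's "message" field and is null when absent. */`. Since `@JsonIgnoreProperties(ignoreUnknown = true)` is set, the two declared fields are the only ones read, so the Javadoc should also state that `code` is the error code as reported in the body, not the HTTP status line.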