author | Bjørn Christian Seime <bjorn.christian@seime.no> | 2018-07-10 15:01:19 +0200 |
committer | GitHub <noreply@github.com> | 2018-07-10 15:01:19 +0200 |
commit | 80a1b939a6ba01a24af5f29d857b22aecfe1546e (patch) | |
tree | 0aa0155f6e929fa5c522cda6d5acca377efb1fab | |
parent | b991edef1ec5c789314412e9dba139269cd8964e (diff) | |
parent | b7d15a1804d42204dc8ce9cf507a9febc1b3d59f (diff) |
Merge pull request #6374 from vespa-engine/bjorncs/handle-certificate-revoke
Bjorncs/handle certificate revoke
4 files changed, 54 insertions, 11 deletions
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
index ff85c49bb13..a8403b8b10d 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
@@ -7,6 +7,7 @@ import com.yahoo.vespa.athenz.api.AthenzService;
 import com.yahoo.vespa.athenz.client.zts.DefaultZtsClient;
 import com.yahoo.vespa.athenz.client.zts.InstanceIdentity;
 import com.yahoo.vespa.athenz.client.zts.ZtsClient;
+import com.yahoo.vespa.athenz.client.zts.ZtsClientException;
 import com.yahoo.vespa.athenz.identity.ServiceIdentityProvider;
 import com.yahoo.vespa.athenz.identityprovider.api.EntityBindingsMapper;
 import com.yahoo.vespa.athenz.identityprovider.api.IdentityDocumentClient;
@@ -142,6 +143,8 @@ public class AthenzCredentialsMaintainer {
 log.info(String.format("Deleted private key file (path=%s)", privateKeyFile));
 if (Files.deleteIfExists(certificateFile))
 log.info(String.format("Deleted certificate file (path=%s)", certificateFile));
+ if (Files.deleteIfExists(identityDocumentFile))
+ log.info(String.format("Deleted identity document file (path=%s)", certificateFile));
 } catch (IOException e) {
 throw new UncheckedIOException(e);
 }
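Review bot: The added log line in the `@@ -142` hunk reports the wrong path: it formats `certificateFile` although the file just deleted is `identityDocumentFile`, so the log claims the identity document lived at the certificate path. Change it to `log.info(String.format("Deleted identity document file (path=%s)", identityDocumentFile));`. The enclosing method begins outside the hunk.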
@@ -201,6 +204,12 @@ public class AthenzCredentialsMaintainer {
 csr);
 writePrivateKeyAndCertificate(keyPair.getPrivate(), instanceIdentity.certificate());
 log.info("Instance successfully refreshed and credentials written to file");
+ } catch (ZtsClientException e) {
+ // TODO Find out why certificate was revoked and hopefully remove this workaround
+ if (e.getErrorCode() == 403 && e.getDescription().startsWith("Certificate revoked")) {
+ log.error("Certificate cannot be refreshed as it is revoked by ZTS - re-registering the instance now", e);
+ registerIdentity();
+ }
 } catch (IOException e) {
 throw new UncheckedIOException(e);
 }
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java
index 8c67c3386b7..8a94518cee7 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java
@@ -10,10 +10,11 @@ import com.yahoo.vespa.athenz.api.AthenzRole;
 import com.yahoo.vespa.athenz.api.AthenzService;
 import com.yahoo.vespa.athenz.api.NToken;
 import com.yahoo.vespa.athenz.api.ZToken;
+import com.yahoo.vespa.athenz.client.zts.bindings.ErrorResponseEntity;
+import com.yahoo.vespa.athenz.client.zts.bindings.IdentityRefreshRequestEntity;
 import com.yahoo.vespa.athenz.client.zts.bindings.IdentityResponseEntity;
 import com.yahoo.vespa.athenz.client.zts.bindings.InstanceIdentityCredentials;
 import com.yahoo.vespa.athenz.client.zts.bindings.InstanceRefreshInformation;
-import com.yahoo.vespa.athenz.client.zts.bindings.IdentityRefreshRequestEntity;
 import com.yahoo.vespa.athenz.client.zts.bindings.InstanceRegisterInformation;
 import com.yahoo.vespa.athenz.client.zts.bindings.RoleCertificateRequestEntity;
 import com.yahoo.vespa.athenz.client.zts.bindings.RoleCertificateResponseEntity;
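Review bot: The new `catch (ZtsClientException e)` in the `@@ -201` hunk silently swallows every ZTS error that is not the 403 "Certificate revoked" case: before this change the exception propagated out of the refresh, now it is neither logged nor rethrown, so a refresh that failed for any other reason looks like success to the caller. Add an else branch, `} else { throw e; }`, so only the revoked case is handled here. `e.getDescription()` can also be null when the ZTS error body carries no `message` property (ErrorResponseEntity binds it without a default), which turns the check into a NullPointerException; use `String description = e.getDescription(); if (e.getErrorCode() == 403 && description != null && description.startsWith("Certificate revoked")) {`. Since revocation may be a deliberate operator action, consider emitting a metric or alert alongside the error log so the automatic re-registration does not mask it. The enclosing method starts outside the hunk.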
@@ -33,7 +34,6 @@ import org.apache.http.entity.StringEntity;
 import org.apache.http.impl.client.CloseableHttpClient;
 import org.apache.http.impl.client.DefaultHttpRequestRetryHandler;
 import org.apache.http.impl.client.HttpClientBuilder;
-import org.apache.http.util.EntityUtils;
 import org.eclipse.jetty.http.HttpStatus;
 import javax.net.ssl.SSLContext;
@@ -48,7 +48,6 @@ import java.util.List;
 import java.util.concurrent.locks.Lock;
 import java.util.concurrent.locks.ReadWriteLock;
 import java.util.concurrent.locks.ReentrantReadWriteLock;
-import java.util.stream.Collectors;
 import static com.yahoo.vespa.athenz.tls.SignatureAlgorithm.SHA256_WITH_RSA;
 import static com.yahoo.vespa.athenz.tls.SubjectAlternativeName.Type.DNS_NAME;
@@ -237,10 +236,8 @@ public class DefaultZtsClient implements ZtsClient {
 if (HttpStatus.isSuccess(response.getStatusLine().getStatusCode())) {
 return objectMapper.readValue(response.getEntity().getContent(), entityType);
 } else {
- String message = EntityUtils.toString(response.getEntity());
- throw new ZtsClientException( String.format("Unable to get identity. http code/message: %d/%s", response.getStatusLine().getStatusCode(), message));
+ ErrorResponseEntity errorEntity = objectMapper.readValue(response.getEntity().getContent(), ErrorResponseEntity.class);
+ throw new ZtsClientException(errorEntity.code, errorEntity.description);
 }
 }
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClientException.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClientException.java
index 3d3696ad870..0b0d6914fea 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClientException.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClientException.java
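Review bot: The new error path in the `@@ -237` hunk assumes every non-2xx body is a ZTS JSON error document; when an intermediary (load balancer, proxy) answers with an HTML or empty body, `objectMapper.readValue` throws a Jackson parse exception and the HTTP status code that the removed code reported is lost, so callers such as the revocation check in AthenzCredentialsMaintainer cannot tell a parse failure from a real ZTS error. Read the status code first and fall back to it when the body does not parse, as sketched below (Jackson's parse exceptions extend `IOException`, so catching that type covers them, assuming it is already imported by this class). The enclosing method starts outside the hunk.
```java
        } else {
            int statusCode = response.getStatusLine().getStatusCode();
            ErrorResponseEntity errorEntity;
            try {
                errorEntity = objectMapper.readValue(response.getEntity().getContent(), ErrorResponseEntity.class);
            } catch (IOException e) {
                // Not a ZTS error document (e.g. a proxy error page): keep at least the HTTP status
                throw new ZtsClientException(statusCode, "Unparseable error response: " + e.getMessage());
            }
            throw new ZtsClientException(errorEntity.code, errorEntity.description);
        }
```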
@@ -8,11 +8,25 @@ package com.yahoo.vespa.athenz.client.zts;
 */
 public class ZtsClientException extends RuntimeException {
- public ZtsClientException(String message) {
- super(message);
+ private final int errorCode;
+ private final String description;
+
+ public ZtsClientException(int errorCode, String description) {
+ super(createMessage(errorCode, description));
+ this.errorCode = errorCode;
+ this.description = description;
+ }
+
+ public int getErrorCode() {
+ return errorCode;
 }
- public ZtsClientException(String message, Throwable cause) {
- super(message, cause);
+ public String getDescription() {
+ return description;
 }
+
+ private static String createMessage(int code, String description) {
+ return String.format("Received error from ZTS: code=%d, message=\"%s\"", code, description);
+ }
+
 }
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/bindings/ErrorResponseEntity.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/bindings/ErrorResponseEntity.java
new file mode 100644
index 00000000000..431af084f9f
--- /dev/null
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/bindings/ErrorResponseEntity.java
@@ -0,0 +1,23 @@
+// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.athenz.client.zts.bindings;
+
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+/**
+ * @author bjorncs
+ */
+@JsonIgnoreProperties(ignoreUnknown = true)
+public class ErrorResponseEntity {
+
+ public final int code;
+ public final String description;
+
+ @JsonCreator
+ public ErrorResponseEntity(@JsonProperty("code") int code,
+ @JsonProperty("message") String description) {
+ this.code = code;
+ this.description = description;
+ }
+}
|
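Review bot: `ZtsClientException` stores `description` unchecked in the `@@ -8` hunk, and the ZTS error body may omit `message`, so `getDescription()` can return null and `createMessage` prints `message="null"`; the caller added in this same PR calls `startsWith` on that value. Normalise in the constructor, `this.description = description == null ? "" : description;`, and state the guarantee in a Javadoc line on `getDescription()`. The commit also drops the `(String message, Throwable cause)` constructor, so transport-level failures can no longer carry their cause; a `(int errorCode, String description, Throwable cause)` overload would preserve that. The public getters have no Javadoc; a one-liner each, e.g. `/** The {@code code} field of the ZTS error response. */`, would tell callers what the 403 comparison is actually matching.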
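Review bot: `ErrorResponseEntity` has no class-level documentation beyond `@author`, and the mapping of the JSON `message` property onto a field named `description` is non-obvious to a reader of `ZtsClientException`; add a summary such as `/** Binds the JSON error document ZTS returns on non-2xx responses: {@code code} and {@code message} (exposed as {@code description}). */`. The constructor accepts a null `description` when `message` is absent, which is worth stating in that comment because `DefaultZtsClient` forwards both fields verbatim into the exception.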