author | Morten Tokle <mortent@verizonmedia.com> | 2021-04-09 08:09:12 +0200 |
committer | Morten Tokle <mortent@verizonmedia.com> | 2021-04-09 08:47:16 +0200 |
commit | b3e8953bc5a8396b76613d1b8dbcd504262658f8 (patch) | |
tree | a659eb3f6228cd3da645f0c87883866909417dfd | |
parent | 50ba6295c808cf9cbe0e0a02daa96fb0ed16105f (diff) |
Validate ips on register
2 files changed, 44 insertions, 13 deletions
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/InstanceValidator.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/InstanceValidator.java
index 3dcb5a13d6d..816da5d095d 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/InstanceValidator.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/InstanceValidator.java
@@ -87,11 +87,15 @@ public class InstanceValidator {
 log.log(Level.FINE, () -> String.format("Validating instance %s.", providerUniqueId));
 PublicKey publicKey = keyProvider.getPublicKey(signedIdentityDocument.signingKeyVersion());
- if (signer.hasValidSignature(signedIdentityDocument, publicKey)) {
+ if (! signer.hasValidSignature(signedIdentityDocument, publicKey)) {
+ log.log(Level.SEVERE, () -> String.format("Instance %s has invalid signature.", providerUniqueId));
+ return false;
+ }
+
+ if(validateAttributes(instanceConfirmation, providerUniqueId)) {
 log.log(Level.FINE, () -> String.format("Instance %s is valid.", providerUniqueId));
 return true;
 }
- log.log(Level.SEVERE, () -> String.format("Instance %s has invalid signature.", providerUniqueId));
 return false;
 }
diff --git a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/InstanceValidatorTest.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/InstanceValidatorTest.java
index cde63c6a0cb..9e6e10fbf6d 100644
--- a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/InstanceValidatorTest.java
+++ b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/InstanceValidatorTest.java
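Review bot: The attribute-rejection path at the end of this hunk now fails silently: after the added `if(validateAttributes(instanceConfirmation, providerUniqueId))` block only the bare `return false;` remains, while the SEVERE log that previously covered every rejection was moved into the signature branch alone. Unless validateAttributes logs internally (its body is outside the hunk), an operator gets no record of a registration refused on its attributes, which is exactly the IP check this commit introduces; add `log.log(Level.SEVERE, () -> String.format("Instance %s has invalid attributes.", providerUniqueId));` before the final `return false;`. Checking the signature before the attributes and returning early is the right fail-closed order and should stay. Style: `if(validateAttributes` lacks the space the surrounding code uses after `if`, and `! signer` has one the file does not use elsewhere. The enclosing method's signature lies above the hunk.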
@@ -102,7 +102,7 @@ public class InstanceValidatorTest {
 mockApplicationInfo(applicationId, 5, Collections.singletonList(serviceInfo)));
 IdentityDocumentSigner signer = mock(IdentityDocumentSigner.class);
 when(signer.hasValidSignature(any(), any())).thenReturn(true);
- InstanceValidator instanceValidator = new InstanceValidator(mock(KeyProvider.class), superModelProvider, null, signer, vespaTenantDomain);
+ InstanceValidator instanceValidator = new InstanceValidator(mock(KeyProvider.class), superModelProvider, mockNodeRepo(), signer, vespaTenantDomain);
 assertTrue(instanceValidator.isValidInstance(createRegisterInstanceConfirmation(applicationId, domain, service)));
 }
@@ -118,6 +118,22 @@ public class InstanceValidatorTest {
 }
 @Test
+ public void rejects_unknown_ips_in_csr() {
+ NodeRepository nodeRepository = mockNodeRepo();
+ InstanceValidator instanceValidator = new InstanceValidator(null, mockSuperModelProvider(), nodeRepository, null, vespaTenantDomain);
+ InstanceConfirmation instanceConfirmation = createRegisterInstanceConfirmation(applicationId, domain, service);
+ Set<String> nodeIp = nodeRepository.nodes().list().owner(applicationId).stream().findFirst()
+ .map(Node::ipConfig)
+ .map(IP.Config::primary)
+ .orElseThrow(() -> new RuntimeException("No ipaddress for mocked node"));
+
+ List<String> ips = new ArrayList<>(nodeIp);
+ ips.add("::ff");
+ instanceConfirmation.set("sanIP", String.join(",", ips));
+ assertFalse(instanceValidator.isValidInstance(instanceConfirmation));
+ }
+
+ @Test
 public void accepts_valid_refresh_requests() {
 NodeRepository nodeRepository = mock(NodeRepository.class);
 Nodes nodes = mock(Nodes.class);
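Review bot: rejects_unknown_ips_in_csr builds the validator with `null` for both keyProvider and signer, yet isValidInstance (see the InstanceValidator hunk) calls `keyProvider.getPublicKey(...)` and `signer.hasValidSignature(...)` before it ever reaches validateAttributes. Unless isValidInstance catches the resulting NullPointerException somewhere outside the visible hunk and returns false, this test throws instead of asserting; and if it does catch, `assertFalse` passes for a reason that has nothing to do with the extra `::ff` address, so the new IP check is not actually exercised. Construct it the way the test at @@ -102 does, with `mock(KeyProvider.class)` and a signer mock stubbed to return true, so a false result is attributable to the unknown IP. A short comment above `ips.add("::ff")`, e.g. `// address not allocated to any node in the repo`, would also state what the test relies on.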
@@ -136,20 +152,18 @@ public class InstanceValidatorTest {
 @Test
 public void rejects_refresh_on_ip_mismatch() {
- NodeRepository nodeRepository = mock(NodeRepository.class);
- Nodes nodes = mock(Nodes.class);
- when(nodeRepository.nodes()).thenReturn(nodes);
-
+ NodeRepository nodeRepository = mockNodeRepo();
 InstanceValidator instanceValidator = new InstanceValidator(null, null, nodeRepository, new IdentityDocumentSigner(), vespaTenantDomain);
- List<Node> nodeList = createNodes(10);
- Node node = nodeList.get(0);
- nodeList = allocateNode(nodeList, node, applicationId);
- when(nodes.list()).thenReturn(NodeList.copyOf(nodeList));
- String nodeIp = node.ipConfig().primary().stream().findAny().orElseThrow(() -> new RuntimeException("No ipaddress for mocked node"));
+ Set<String> nodeIp = nodeRepository.nodes().list().owner(applicationId).stream().findFirst()
+ .map(Node::ipConfig)
+ .map(IP.Config::primary)
+ .orElseThrow(() -> new RuntimeException("No ipaddress for mocked node"));
+ List<String> ips = new ArrayList<>(nodeIp);
+ ips.add("::ff");
 // Add invalid ip to list of ip addresses
- InstanceConfirmation instanceConfirmation = createRefreshInstanceConfirmation(applicationId, domain, service, ImmutableList.of(nodeIp, "::ff"));
+ InstanceConfirmation instanceConfirmation = createRefreshInstanceConfirmation(applicationId, domain, service, ips);
 assertFalse(instanceValidator.isValidRefresh(instanceConfirmation));
 }
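Review bot: The four-line `Set<String> nodeIp = ... .orElseThrow(...)` lookup added here is a verbatim copy of the one in rejects_unknown_ips_in_csr in the @@ -118 hunk; extract it into a private helper and have both tests call it, as sketched below. The local is also misnamed now that it holds a `Set<String>` of every primary address instead of the single `String` it replaced, so `nodeIps` reads more honestly. The context comment `// Add invalid ip to list of ip addresses` now sits below the `ips.add("::ff")` it describes; it belongs on the line above that call.
```java
NodeRepository nodeRepository = mockNodeRepo();
InstanceValidator instanceValidator = new InstanceValidator(null, null, nodeRepository, new IdentityDocumentSigner(), vespaTenantDomain);
List<String> ips = new ArrayList<>(allocatedNodeIps(nodeRepository));
// Add invalid ip to list of ip addresses
ips.add("::ff");
// … unchanged: createRefreshInstanceConfirmation and assertFalse …

/** Primary addresses of the node mockNodeRepo() allocated to applicationId. */
private Set<String> allocatedNodeIps(NodeRepository nodeRepository) {
    return nodeRepository.nodes().list().owner(applicationId).stream().findFirst()
            .map(Node::ipConfig)
            .map(IP.Config::primary)
            .orElseThrow(() -> new RuntimeException("No ipaddress for mocked node"));
}
```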
@@ -171,6 +185,19 @@ public class InstanceValidatorTest {
 }
+ private NodeRepository mockNodeRepo() {
+ NodeRepository nodeRepository = mock(NodeRepository.class);
+ Nodes nodes = mock(Nodes.class);
+ when(nodeRepository.nodes()).thenReturn(nodes);
+ InstanceValidator instanceValidator = new InstanceValidator(null, null, nodeRepository, new IdentityDocumentSigner(), vespaTenantDomain);
+
+ List<Node> nodeList = createNodes(10);
+ Node node = nodeList.get(0);
+ nodeList = allocateNode(nodeList, node, applicationId);
+ when(nodes.list()).thenReturn(NodeList.copyOf(nodeList));
+ return nodeRepository;
+ }
+
 private InstanceConfirmation createRegisterInstanceConfirmation(ApplicationId applicationId, String domain, String service) {
 VespaUniqueInstanceId vespaUniqueInstanceId = new VespaUniqueInstanceId(0, "default", applicationId.instance().value(), applicationId.application().value(), applicationId.tenant().value(), "us-north-1", "dev", IdentityType.NODE);
 SignedIdentityDocument signedIdentityDocument = new SignedIdentityDocument(null, |
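Review bot: mockNodeRepo() creates `InstanceValidator instanceValidator = new InstanceValidator(null, null, nodeRepository, new IdentityDocumentSigner(), vespaTenantDomain);` and never reads it — a leftover from the test body this helper was lifted out of in the @@ -136 hunk; delete that line. The helper's contract is implicit: it creates ten nodes but passes only `nodeList.get(0)` to allocateNode for applicationId, and the two IP tests depend on `.owner(applicationId).findFirst()` finding exactly that node. A Javadoc line such as `/** Node repository mock with ten nodes, of which only the first is allocated to applicationId. */` would make that explicit, and a name like `nodeRepoWithOneAllocatedNode()` would say the same at the call sites.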