diff options
author | Martin Polden <mpolden@mpolden.no> | 2019-09-23 13:56:53 +0200 |
---|---|---|
committer | Martin Polden <mpolden@mpolden.no> | 2019-09-23 14:32:20 +0200 |
commit | e241ebcd59fcaab4749be542b16aaff590628e52 (patch) | |
tree | b16c73fe5f1adcdadd88fe30ca3eea7cc11233ec | |
parent | e0b06c1104b0815bf8bfe23628b4ada8f899918e (diff) |
Implement refresh instance
2 files changed, 67 insertions, 17 deletions
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiHandler.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiHandler.java index ba4f0ce932c..b2120f24160 100644 --- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiHandler.java +++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiHandler.java @@ -25,12 +25,14 @@ import java.security.PrivateKey; import java.security.cert.X509Certificate; import java.time.Clock; import java.util.Optional; +import java.util.function.Function; import java.util.logging.Level; /** * REST API for issuing and refreshing node certificates in a hosted Vespa system. * * The API implements the following subset of methods from the Athenz ZTS REST API: + * * - Instance registration * - Instance refresh * @@ -59,12 +61,12 @@ public class CertificateAuthorityApiHandler extends LoggingRequestHandler { try { switch (request.getMethod()) { case POST: return handlePost(request); - default: return ErrorResponse.methodNotAllowed("Method '" + request.getMethod() + "' is unsupported"); + default: return ErrorResponse.methodNotAllowed("Method " + request.getMethod() + " is unsupported"); } } catch (IllegalArgumentException e) { - return ErrorResponse.badRequest(Exceptions.toMessageString(e)); + return ErrorResponse.badRequest(request.getMethod() + " " + request.getUri() + " failed: " + Exceptions.toMessageString(e)); } catch (RuntimeException e) { - log.log(Level.WARNING, "Unexpected error handling '" + request.getUri() + "'", e); + log.log(Level.WARNING, "Unexpected error handling " + request.getMethod() + " " + request.getUri(), e); return ErrorResponse.internalServerError(Exceptions.toMessageString(e)); } } @@ -72,13 +74,12 @@ public class CertificateAuthorityApiHandler extends LoggingRequestHandler { private HttpResponse handlePost(HttpRequest request) { Path path = new Path(request.getUri()); if (path.matches("/ca/v1/instance/")) return registerInstance(request); - // TODO: Implement refresh + if (path.matches("/ca/v1/instance/{provider}/{domain}/{service}/{instanceId}")) return refreshInstance(request, path.get("provider"), path.get("service"), path.get("instanceId")); return ErrorResponse.notFoundError("Nothing at " + path); } private HttpResponse registerInstance(HttpRequest request) { - var body = slimeFromRequest(request); - var instanceRegistration = InstanceSerializer.registrationFromSlime(body); + var instanceRegistration = deserializeRequest(request, InstanceSerializer::registrationFromSlime); var certificate = certificates.create(instanceRegistration.csr(), caCertificate(), caPrivateKey()); var instanceId = Certificates.extractDnsName(instanceRegistration.csr()); var identity = new InstanceIdentity(instanceRegistration.provider(), instanceRegistration.service(), instanceId, @@ -86,6 +87,18 @@ public class CertificateAuthorityApiHandler extends LoggingRequestHandler { return new SlimeJsonResponse(InstanceSerializer.identityToSlime(identity)); } + private HttpResponse refreshInstance(HttpRequest request, String provider, String service, String instanceId) { + var instanceRefresh = deserializeRequest(request, InstanceSerializer::refreshFromSlime); + var instanceIdFromCsr = Certificates.extractDnsName(instanceRefresh.csr()); + if (!instanceIdFromCsr.equals(instanceId)) { + throw new IllegalArgumentException("Mismatched instance ID and SAN DNS name [instanceId=" + instanceId + + ",dnsName=" + instanceIdFromCsr + "]"); + } + var certificate = certificates.create(instanceRefresh.csr(), caCertificate(), caPrivateKey()); + var identity = new InstanceIdentity(provider, service, instanceIdFromCsr, Optional.of(certificate)); + return new SlimeJsonResponse(InstanceSerializer.identityToSlime(identity)); + } + /** Returns CA certificate from secret store */ private X509Certificate caCertificate() { var keyName = String.format("vespa.external.%s.configserver.ca.cert.cert", system.value().toLowerCase()); @@ -98,9 +111,10 @@ public class CertificateAuthorityApiHandler extends LoggingRequestHandler { return KeyUtils.fromPemEncodedPrivateKey(secretStore.getSecret(keyName)); } - private static Slime slimeFromRequest(HttpRequest request) { + private static <T> T deserializeRequest(HttpRequest request, Function<Slime, T> serializer) { try { - return SlimeUtils.jsonToSlime(request.getData().readAllBytes()); + var slime = SlimeUtils.jsonToSlime(request.getData().readAllBytes()); + return serializer.apply(slime); } catch (IOException e) { throw new UncheckedIOException(e); } diff --git a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiTest.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiTest.java index 4393c3a25b9..a1d708a1107 100644 --- a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiTest.java +++ b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiTest.java @@ -35,9 +35,9 @@ public class CertificateAuthorityApiTest extends ContainerTester { public void register_instance() throws Exception { // POST instance registration var csr = CertificateTester.createCsr("node1.example.com"); - assertRegistration(new Request("http://localhost:12345/ca/v1/instance/", - instanceRegistrationJson(csr), - Request.Method.POST)); + assertIdentityResponse(new Request("http://localhost:12345/ca/v1/instance/", + instanceRegistrationJson(csr), + Request.Method.POST)); // POST instance registration with ZTS client var ztsClient = new DefaultZtsClient(URI.create("http://localhost:12345/ca/v1/"), SSLContext.getDefault()); @@ -49,9 +49,26 @@ public class CertificateAuthorityApiTest extends ContainerTester { } @Test - public void invalid_register_instance() { + public void refresh_instance() throws Exception { + // POST instance refresh + var csr = CertificateTester.createCsr("node1.example.com"); + assertIdentityResponse(new Request("http://localhost:12345/ca/v1/instance/vespa.external.provider_prod_us-north-1/vespa.external/tenant/node1.example.com", + instanceRefreshJson(csr), + Request.Method.POST)); + + // POST instance refresh with ZTS client + var ztsClient = new DefaultZtsClient(URI.create("http://localhost:12345/ca/v1/"), SSLContext.getDefault()); + var instanceIdentity = ztsClient.refreshInstance(new AthenzService("vespa.external", "provider_prod_us-north-1"), + new AthenzService("vespa.external", "tenant"), + "node1.example.com", + csr); + assertEquals("CN=Vespa CA", instanceIdentity.certificate().getIssuerX500Principal().getName()); + } + + @Test + public void invalid_requests() { // POST instance registration with missing fields - assertResponse(400, "{\"error-code\":\"BAD_REQUEST\",\"message\":\"Missing required field 'provider'\"}", + assertResponse(400, "{\"error-code\":\"BAD_REQUEST\",\"message\":\"POST http://localhost:12345/ca/v1/instance/ failed: Missing required field 'provider'\"}", new Request("http://localhost:12345/ca/v1/instance/", new byte[0], Request.Method.POST)); @@ -61,7 +78,20 @@ public class CertificateAuthorityApiTest extends ContainerTester { var request = new Request("http://localhost:12345/ca/v1/instance/", instanceRegistrationJson(csr), Request.Method.POST); - assertResponse(400, "{\"error-code\":\"BAD_REQUEST\",\"message\":\"DNS name not found in CSR\"}", request); + assertResponse(400, "{\"error-code\":\"BAD_REQUEST\",\"message\":\"POST http://localhost:12345/ca/v1/instance/ failed: DNS name not found in CSR\"}", request); + + // POST instance refresh with missing field + assertResponse(400, "{\"error-code\":\"BAD_REQUEST\",\"message\":\"POST http://localhost:12345/ca/v1/instance/vespa.external.provider_prod_us-north-1/vespa.external/tenant/node1.example.com failed: Missing required field 'csr'\"}", + new Request("http://localhost:12345/ca/v1/instance/vespa.external.provider_prod_us-north-1/vespa.external/tenant/node1.example.com", + new byte[0], + Request.Method.POST)); + + // POST instance refresh where instanceId does not match CSR dnsName + csr = CertificateTester.createCsr("node1.example.com"); + assertResponse(400, "{\"error-code\":\"BAD_REQUEST\",\"message\":\"POST http://localhost:12345/ca/v1/instance/vespa.external.provider_prod_us-north-1/vespa.external/tenant/node2.example.com failed: Mismatched instance ID and SAN DNS name [instanceId=node2.example.com,dnsName=node1.example.com]\"}", + new Request("http://localhost:12345/ca/v1/instance/vespa.external.provider_prod_us-north-1/vespa.external/tenant/node2.example.com", + instanceRefreshJson(csr), + Request.Method.POST)); } private void setCaCertificateAndKey() { @@ -72,11 +102,11 @@ public class CertificateAuthorityApiTest extends ContainerTester { .setSecret("vespa.external.main.configserver.ca.key.key", privateKeyPem); } - private void assertRegistration(Request request) { + private void assertIdentityResponse(Request request) { assertResponse(200, (body) -> { var slime = SlimeUtils.jsonToSlime(body); var root = slime.get(); - assertEquals("provider_prod_us-north-1", root.field("provider").asString()); + assertEquals("vespa.external.provider_prod_us-north-1", root.field("provider").asString()); assertEquals("tenant", root.field("service").asString()); assertEquals("node1.example.com", root.field("instanceId").asString()); var pemEncodedCertificate = root.field("x509Certificate").asString(); @@ -86,10 +116,16 @@ public class CertificateAuthorityApiTest extends ContainerTester { }, request); } + private static byte[] instanceRefreshJson(Pkcs10Csr csr) { + var csrPem = Pkcs10CsrUtils.toPem(csr); + var json = "{\"csr\": \"" + csrPem + "\"}"; + return json.getBytes(StandardCharsets.UTF_8); + } + private static byte[] instanceRegistrationJson(Pkcs10Csr csr) { var csrPem = Pkcs10CsrUtils.toPem(csr); var json = "{\n" + - " \"provider\": \"provider_prod_us-north-1\",\n" + + " \"provider\": \"vespa.external.provider_prod_us-north-1\",\n" + " \"domain\": \"vespa.external\",\n" + " \"service\": \"tenant\",\n" + " \"attestationData\": \"identity document generated by config server\",\n" + |