authorJon Marius Venstad <jonmv@users.noreply.github.com>2020-08-11 16:29:53 +0200
committerGitHub <noreply@github.com>2020-08-11 16:29:53 +0200
commitce60b7900412c4df420c86d458535cfd6b01065c (patch)
tree081fece24c1f6a497bf70cf344811e83c2cd6beb
parent2489d302d50567e7f145c8aff971bb892c9ce87c (diff)
parent265de2d8a13bd08472e9872bfffef78e00fe444c (diff)
Merge pull request #14027 from vespa-engine/revert-14026-andreer/record-certificate-usage
Revert "record when endpoint certificates have last been requested"
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateMetadata.java29
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateMock.java2
-rw-r--r--controller-server/src/main/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificateManager.java2
-rw-r--r--controller-server/src/main/java/com/yahoo/vespa/hosted/controller/persistence/EndpointCertificateMetadataSerializer.java8
-rw-r--r--controller-server/src/test/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificateManagerTest.java12
-rw-r--r--controller-server/src/test/java/com/yahoo/vespa/hosted/controller/persistence/EndpointCertificateMetadataSerializerTest.java20
6 files changed, 17 insertions, 56 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateMetadata.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateMetadata.java
index e610e5505af..53366c9b922 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateMetadata.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateMetadata.java
@@ -16,21 +16,19 @@ public class EndpointCertificateMetadata {
private final String keyName;
private final String certName;
private final int version;
- private final long lastRequested;
// TODO: make these fields required once all certs have them stored
private final Optional<String> request_id;
private final Optional<List<String>> requestedDnsSans;
private final Optional<String> issuer;
- public EndpointCertificateMetadata(String keyName, String certName, int version, long lastRequested) {
- this(keyName, certName, version, lastRequested, Optional.empty(), Optional.empty(), Optional.empty());
+ public EndpointCertificateMetadata(String keyName, String certName, int version) {
+ this(keyName, certName, version, Optional.empty(), Optional.empty(), Optional.empty());
}
- public EndpointCertificateMetadata(String keyName, String certName, int version, long lastRequested, Optional<String> request_id, Optional<List<String>> requestedDnsSans, Optional<String> issuer) {
+ public EndpointCertificateMetadata(String keyName, String certName, int version, Optional<String> request_id, Optional<List<String>> requestedDnsSans, Optional<String> issuer) {
this.keyName = keyName;
this.certName = certName;
this.version = version;
- this.lastRequested = lastRequested;
this.request_id = request_id;
this.requestedDnsSans = requestedDnsSans;
this.issuer = issuer;
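Review bot: The restored constructors still accept null for `keyName` and `certName` without checking, while `equals()` further down in this file dereferences them directly via `keyName.equals(that.keyName)` and `certName.equals(that.certName)`, so a metadata instance built with a null name would only fail later, inside an equality comparison. Since `Objects` is already in scope for `hashCode()`, the assignments could become `this.keyName = Objects.requireNonNull(keyName, "keyName");` and `this.certName = Objects.requireNonNull(certName, "certName");` to fail at construction instead. The constructor body continues past the end of this hunk.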
@@ -48,10 +46,6 @@ public class EndpointCertificateMetadata {
return version;
}
- public long lastRequested() {
- return lastRequested;
- }
-
public Optional<String> request_id() {
return request_id;
}
@@ -69,19 +63,6 @@ public class EndpointCertificateMetadata {
this.keyName,
this.certName,
version,
- this.lastRequested,
- this.request_id,
- this.requestedDnsSans,
- this.issuer
- );
- }
-
- public EndpointCertificateMetadata withLastRequested(long lastRequested) {
- return new EndpointCertificateMetadata(
- this.keyName,
- this.certName,
- this.version,
- lastRequested,
this.request_id,
this.requestedDnsSans,
this.issuer
@@ -94,7 +75,6 @@ public class EndpointCertificateMetadata {
"keyName='" + keyName + '\'' +
", certName='" + certName + '\'' +
", version=" + version +
- ", lastRequested=" + lastRequested +
", request_id=" + request_id +
", requestedDnsSans=" + requestedDnsSans +
", issuer=" + issuer +
@@ -107,7 +87,6 @@ public class EndpointCertificateMetadata {
if (o == null || getClass() != o.getClass()) return false;
EndpointCertificateMetadata that = (EndpointCertificateMetadata) o;
return version == that.version &&
- lastRequested == that.lastRequested &&
keyName.equals(that.keyName) &&
certName.equals(that.certName) &&
request_id.equals(that.request_id) &&
@@ -117,6 +96,6 @@ public class EndpointCertificateMetadata {
@Override
public int hashCode() {
- return Objects.hash(keyName, certName, version, lastRequested, request_id, requestedDnsSans, issuer);
+ return Objects.hash(keyName, certName, version, request_id, requestedDnsSans, issuer);
}
}
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateMock.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateMock.java
index a484bb329a3..b0d45b0d7bb 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateMock.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateMock.java
@@ -25,7 +25,7 @@ public class EndpointCertificateMock implements EndpointCertificateProvider {
this.dnsNames.put(applicationId, dnsNames);
String endpointCertificatePrefix = String.format("vespa.tls.%s.%s.%s", applicationId.tenant(),
applicationId.application(), applicationId.instance());
- return new EndpointCertificateMetadata(endpointCertificatePrefix + "-key", endpointCertificatePrefix + "-cert", 0, 0, Optional.of("mock-id-string"), Optional.of(dnsNames), Optional.of("mockCa"));
+ return new EndpointCertificateMetadata(endpointCertificatePrefix + "-key", endpointCertificatePrefix + "-cert", 0, Optional.of("mock-id-string"), Optional.of(dnsNames), Optional.of("mockCa"));
}
@Override
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificateManager.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificateManager.java
index e4ec0b04978..1cf42cf0073 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificateManager.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificateManager.java
@@ -95,7 +95,6 @@ public class EndpointCertificateManager {
public Optional<EndpointCertificateMetadata> getEndpointCertificateMetadata(Instance instance, ZoneId zone, Optional<DeploymentInstanceSpec> instanceSpec) {
var t0 = Instant.now();
Optional<EndpointCertificateMetadata> metadata = getOrProvision(instance, zone, instanceSpec);
- metadata.ifPresent(m -> curator.writeEndpointCertificateMetadata(instance.id(), m.withLastRequested(clock.instant().getEpochSecond())));
Duration duration = Duration.between(t0, Instant.now());
if (duration.toSeconds() > 30) log.log(Level.INFO, String.format("Getting endpoint certificate metadata for %s took %d seconds!", instance.id().serializedForm(), duration.toSeconds()));
return metadata;
@@ -186,7 +185,6 @@ public class EndpointCertificateManager {
storedMetaData.keyName(),
storedMetaData.certName(),
storedMetaData.version(),
- Instant.now().getEpochSecond(),
providerMetadata.request_id(),
providerMetadata.requestedDnsSans(),
providerMetadata.issuer());
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/persistence/EndpointCertificateMetadataSerializer.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/persistence/EndpointCertificateMetadataSerializer.java
index ba882ef7985..80d8270eaaa 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/persistence/EndpointCertificateMetadataSerializer.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/persistence/EndpointCertificateMetadataSerializer.java
@@ -32,7 +32,6 @@ public class EndpointCertificateMetadataSerializer {
private final static String keyNameField = "keyName";
private final static String certNameField = "certName";
private final static String versionField = "version";
- private final static String lastRequestedField = "lastRequested";
private final static String requestIdField = "requestId";
private final static String requestedDnsSansField = "requestedDnsSans";
private final static String issuerField = "issuer";
@@ -43,7 +42,6 @@ public class EndpointCertificateMetadataSerializer {
object.setString(keyNameField, metadata.keyName());
object.setString(certNameField, metadata.certName());
object.setLong(versionField, metadata.version());
- object.setLong(lastRequestedField, metadata.lastRequested());
metadata.request_id().ifPresent(id -> object.setString(requestIdField, id));
metadata.requestedDnsSans().ifPresent(sans -> {
@@ -71,16 +69,10 @@ public class EndpointCertificateMetadataSerializer {
Optional.of(inspector.field(issuerField).asString()) :
Optional.empty();
- long lastRequested = inspector.field(lastRequestedField).valid() ?
- inspector.field(lastRequestedField).asLong() :
- 1597200000L; // Wed Aug 12 02:40:00 UTC 2020
- // Not originally stored, so we default to when field was added
-
return new EndpointCertificateMetadata(
inspector.field(keyNameField).asString(),
inspector.field(certNameField).asString(),
Math.toIntExact(inspector.field(versionField).asLong()),
- lastRequested,
request_id,
requestedDnsSans,
issuer);
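Review bot: Metadata records persisted while the reverted change was live may still carry a `lastRequested` field, which the restored reader at the `return new EndpointCertificateMetadata(` call no longer consumes and the writer in the earlier hunk of this file no longer emits. If the inspector simply ignores fields it is not asked for, as the `valid()` presence checks above suggest, such a record is read fine and the stray field disappears on the next rewrite, but nothing in the restored test file pins that tolerance. A deserialization test that feeds JSON containing an extra `lastRequested` key and asserts equality with the plain `sample` would document it. The enclosing method starts outside this hunk.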
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificateManagerTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificateManagerTest.java
index fe237797641..d0e87056821 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificateManagerTest.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificateManagerTest.java
@@ -46,7 +46,7 @@ public class EndpointCertificateManagerTest {
private final MockCuratorDb mockCuratorDb = new MockCuratorDb();
private final EndpointCertificateMock endpointCertificateMock = new EndpointCertificateMock();
private final InMemoryFlagSource inMemoryFlagSource = new InMemoryFlagSource();
- private static final Clock clock = Clock.fixed(Instant.EPOCH, java.time.ZoneId.systemDefault());
+ private final Clock clock = Clock.systemUTC();
private final EndpointCertificateManager endpointCertificateManager =
new EndpointCertificateManager(zoneRegistryMock, mockCuratorDb, secretStore, endpointCertificateMock, clock, inMemoryFlagSource);
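Review bot: Switching the test back to `Clock.systemUTC()` here, and to `Instant.now()` for the certificate validity window in the next hunk of this file, makes the generated test certificate's notBefore/notAfter depend on wall-clock time, although the fixed clock is independent of the lastRequested feature being reverted. Keeping `private static final Clock clock = Clock.fixed(Instant.EPOCH, java.time.ZoneId.systemDefault());` together with `clock.instant(), clock.instant().plus(5, ChronoUnit.MINUTES),` in the builder would leave the test deterministic after the revert, assuming the manager does not itself validate certificate dates against the injected clock, which this diff does not show. The enclosing class continues outside the hunk.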
@@ -87,7 +87,7 @@ public class EndpointCertificateManagerTest {
.fromKeypair(
testKeyPair,
new X500Principal("CN=test"),
- clock.instant(), clock.instant().plus(5, ChronoUnit.MINUTES),
+ Instant.now(), Instant.now().plus(5, ChronoUnit.MINUTES),
SignatureAlgorithm.SHA256_WITH_ECDSA,
X509CertificateBuilder.generateRandomSerialNumber());
for (String san : sans) x509CertificateBuilder = x509CertificateBuilder.addSubjectAlternativeName(san);
@@ -129,7 +129,7 @@ public class EndpointCertificateManagerTest {
@Test
public void reuses_stored_certificate_metadata() {
- mockCuratorDb.writeEndpointCertificateMetadata(testInstance.id(), new EndpointCertificateMetadata(testKeyName, testCertName, 7, 0));
+ mockCuratorDb.writeEndpointCertificateMetadata(testInstance.id(), new EndpointCertificateMetadata(testKeyName, testCertName, 7));
secretStore.setSecret(testKeyName, KeyUtils.toPem(testKeyPair.getPrivate()), 7);
secretStore.setSecret(testCertName, X509CertificateUtils.toPem(testCertificate) + X509CertificateUtils.toPem(testCertificate), 7);
Optional<EndpointCertificateMetadata> endpointCertificateMetadata = endpointCertificateManager.getEndpointCertificateMetadata(testInstance, testZone, Optional.empty());
@@ -148,7 +148,7 @@ public class EndpointCertificateManagerTest {
secretStore.setSecret(testKeyName, KeyUtils.toPem(testKeyPair.getPrivate()), 8);
secretStore.setSecret(testKeyName, KeyUtils.toPem(testKeyPair.getPrivate()), 9);
secretStore.setSecret(testCertName, X509CertificateUtils.toPem(testCertificate) + X509CertificateUtils.toPem(testCertificate), 8);
- mockCuratorDb.writeEndpointCertificateMetadata(testInstance.id(), new EndpointCertificateMetadata(testKeyName, testCertName, 7, 0));
+ mockCuratorDb.writeEndpointCertificateMetadata(testInstance.id(), new EndpointCertificateMetadata(testKeyName, testCertName, 7));
Optional<EndpointCertificateMetadata> endpointCertificateMetadata = endpointCertificateManager.getEndpointCertificateMetadata(testInstance, testZone, Optional.empty());
assertTrue(endpointCertificateMetadata.isPresent());
assertEquals(testKeyName, endpointCertificateMetadata.get().keyName());
@@ -158,7 +158,7 @@ public class EndpointCertificateManagerTest {
@Test
public void reprovisions_certificate_when_necessary() {
- mockCuratorDb.writeEndpointCertificateMetadata(testInstance.id(), new EndpointCertificateMetadata(testKeyName, testCertName, -1, 0, Optional.of("uuid"), Optional.of(List.of()), Optional.empty()));
+ mockCuratorDb.writeEndpointCertificateMetadata(testInstance.id(), new EndpointCertificateMetadata(testKeyName, testCertName, -1, Optional.of("uuid"), Optional.of(List.of()), Optional.empty()));
secretStore.setSecret("vespa.tls.default.default.default-key", KeyUtils.toPem(testKeyPair.getPrivate()), 0);
secretStore.setSecret("vespa.tls.default.default.default-cert", X509CertificateUtils.toPem(testCertificate) + X509CertificateUtils.toPem(testCertificate), 0);
Optional<EndpointCertificateMetadata> endpointCertificateMetadata = endpointCertificateManager.getEndpointCertificateMetadata(testInstance, testZone, Optional.empty());
@@ -171,7 +171,7 @@ public class EndpointCertificateManagerTest {
public void reprovisions_certificate_with_added_sans_when_deploying_to_new_zone() {
ZoneId testZone = zoneRegistryMock.zones().directlyRouted().in(Environment.prod).zones().stream().skip(1).findFirst().orElseThrow().getId();
- mockCuratorDb.writeEndpointCertificateMetadata(testInstance.id(), new EndpointCertificateMetadata(testKeyName, testCertName, -1, 0, Optional.of("uuid"), Optional.of(expectedSans), Optional.of("mockCa")));
+ mockCuratorDb.writeEndpointCertificateMetadata(testInstance.id(), new EndpointCertificateMetadata(testKeyName, testCertName, -1, Optional.of("uuid"), Optional.of(expectedSans), Optional.of("mockCa")));
secretStore.setSecret("vespa.tls.default.default.default-key", KeyUtils.toPem(testKeyPair.getPrivate()), -1);
secretStore.setSecret("vespa.tls.default.default.default-cert", X509CertificateUtils.toPem(testCertificate) + X509CertificateUtils.toPem(testCertificate), -1);
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/persistence/EndpointCertificateMetadataSerializerTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/persistence/EndpointCertificateMetadataSerializerTest.java
index 9c6790f630b..3c80245c025 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/persistence/EndpointCertificateMetadataSerializerTest.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/persistence/EndpointCertificateMetadataSerializerTest.java
@@ -11,21 +11,21 @@ import static org.junit.Assert.*;
public class EndpointCertificateMetadataSerializerTest {
private final EndpointCertificateMetadata sample =
- new EndpointCertificateMetadata("keyName", "certName", 1, 0);
+ new EndpointCertificateMetadata("keyName", "certName", 1);
private final EndpointCertificateMetadata sampleWithRequestMetadata =
- new EndpointCertificateMetadata("keyName", "certName", 1, 0, Optional.of("requestId"), Optional.of(List.of("SAN1", "SAN2")), Optional.of("issuer"));
+ new EndpointCertificateMetadata("keyName", "certName", 1, Optional.of("requestId"), Optional.of(List.of("SAN1", "SAN2")), Optional.of("issuer"));
@Test
public void serialize() {
assertEquals(
- "{\"keyName\":\"keyName\",\"certName\":\"certName\",\"version\":1,\"lastRequested\":0}",
+ "{\"keyName\":\"keyName\",\"certName\":\"certName\",\"version\":1}",
EndpointCertificateMetadataSerializer.toSlime(sample).toString());
}
@Test
public void serializeWithRequestMetadata() {
assertEquals(
- "{\"keyName\":\"keyName\",\"certName\":\"certName\",\"version\":1,\"lastRequested\":0,\"requestId\":\"requestId\",\"requestedDnsSans\":[\"SAN1\",\"SAN2\"],\"issuer\":\"issuer\"}",
+ "{\"keyName\":\"keyName\",\"certName\":\"certName\",\"version\":1,\"requestId\":\"requestId\",\"requestedDnsSans\":[\"SAN1\",\"SAN2\"],\"issuer\":\"issuer\"}",
EndpointCertificateMetadataSerializer.toSlime(sampleWithRequestMetadata).toString());
}
@@ -34,7 +34,7 @@ public class EndpointCertificateMetadataSerializerTest {
assertEquals(
sample,
EndpointCertificateMetadataSerializer.fromJsonString(
- "{\"keyName\":\"keyName\",\"certName\":\"certName\",\"version\":1,\"lastRequested\":0}"));
+ "{\"keyName\":\"keyName\",\"certName\":\"certName\",\"version\":1}"));
}
@Test
@@ -42,14 +42,6 @@ public class EndpointCertificateMetadataSerializerTest {
assertEquals(
sampleWithRequestMetadata,
EndpointCertificateMetadataSerializer.fromJsonString(
- "{\"keyName\":\"keyName\",\"certName\":\"certName\",\"version\":1,\"lastRequested\":0,\"requestId\":\"requestId\",\"requestedDnsSans\":[\"SAN1\",\"SAN2\"],\"issuer\":\"issuer\"}"));
- }
-
- @Test
- public void deserializeFromJsonWithDefaultLastRequested() {
- assertEquals(
- new EndpointCertificateMetadata("keyName", "certName", 1, 1597200000),
- EndpointCertificateMetadataSerializer.fromJsonString(
- "{\"keyName\":\"keyName\",\"certName\":\"certName\",\"version\":1}"));
+ "{\"keyName\":\"keyName\",\"certName\":\"certName\",\"version\":1,\"requestId\":\"requestId\",\"requestedDnsSans\":[\"SAN1\",\"SAN2\"],\"issuer\":\"issuer\"}"));
}
}