authorMorten Tokle <mortent@verizonmedia.com>2021-05-25 21:37:45 +0200
committerMorten Tokle <mortent@verizonmedia.com>2021-05-25 21:37:45 +0200
commit13096fabf62c04e25ea98355ca31ad3217efc155 (patch)
treec0f1ae6ec02159187235f52918b9f1e914fd9359
parentef420166ad85fb2a1560edb51df0041e134b6c63 (diff)
Revert "Include operator certificates in application trust store"
This reverts commit 05c8138b4936a3144e8b95348ebc525148ba709f.
-rw-r--r--config-model-api/src/main/java/com/yahoo/config/model/api/ModelContext.java3
-rw-r--r--config-model/src/main/java/com/yahoo/config/model/deploy/TestProperties.java8
-rw-r--r--config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java18
-rw-r--r--config-model/src/test/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilderTest.java60
-rw-r--r--configserver/src/main/java/com/yahoo/vespa/config/server/deploy/ModelContextImpl.java11
-rw-r--r--configserver/src/main/java/com/yahoo/vespa/config/server/modelfactory/ActivatedModelsBuilder.java5
-rw-r--r--configserver/src/main/java/com/yahoo/vespa/config/server/session/PrepareParams.java33
-rw-r--r--configserver/src/main/java/com/yahoo/vespa/config/server/session/Session.java9
-rw-r--r--configserver/src/main/java/com/yahoo/vespa/config/server/session/SessionPreparer.java11
-rw-r--r--configserver/src/main/java/com/yahoo/vespa/config/server/session/SessionRepository.java1
-rw-r--r--configserver/src/main/java/com/yahoo/vespa/config/server/session/SessionZooKeeperClient.java22
-rw-r--r--configserver/src/main/java/com/yahoo/vespa/config/server/tenant/OperatorCertificateSerializer.java33
-rw-r--r--configserver/src/test/java/com/yahoo/vespa/config/server/ModelContextImplTest.java3
-rw-r--r--configserver/src/test/java/com/yahoo/vespa/config/server/session/PrepareParamsTest.java31
14 files changed, 9 insertions, 239 deletions
diff --git a/config-model-api/src/main/java/com/yahoo/config/model/api/ModelContext.java b/config-model-api/src/main/java/com/yahoo/config/model/api/ModelContext.java
index e3afdec85b9..dcbc0a58bbc 100644
--- a/config-model-api/src/main/java/com/yahoo/config/model/api/ModelContext.java
+++ b/config-model-api/src/main/java/com/yahoo/config/model/api/ModelContext.java
@@ -19,7 +19,6 @@ import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.net.URI;
-import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Optional;
import java.util.Set;
@@ -137,8 +136,6 @@ public interface ModelContext {
// Allow disabling mTLS for now, harden later
default boolean allowDisableMtls() { return true; }
-
- default List<X509Certificate> operatorCertificates() { return List.of(); }
}
@Retention(RetentionPolicy.RUNTIME)
diff --git a/config-model/src/main/java/com/yahoo/config/model/deploy/TestProperties.java b/config-model/src/main/java/com/yahoo/config/model/deploy/TestProperties.java
index 5f21e15b780..66e728957f3 100644
--- a/config-model/src/main/java/com/yahoo/config/model/deploy/TestProperties.java
+++ b/config-model/src/main/java/com/yahoo/config/model/deploy/TestProperties.java
@@ -16,7 +16,6 @@ import com.yahoo.config.provision.HostName;
import com.yahoo.config.provision.Zone;
import java.net.URI;
-import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.List;
import java.util.Optional;
@@ -61,7 +60,6 @@ public class TestProperties implements ModelContext.Properties, ModelContext.Fea
private String jvmOmitStackTraceInFastThrowOption;
private int numDistributorStripes = 0;
private boolean allowDisableMtls = true;
- private List<X509Certificate> operatorCertificates = Collections.emptyList();
@Override public ModelContext.FeatureFlags featureFlags() { return this; }
@Override public boolean multitenant() { return multitenant; }
@@ -101,7 +99,6 @@ public class TestProperties implements ModelContext.Properties, ModelContext.Fea
@Override public String jvmOmitStackTraceInFastThrowOption(ClusterSpec.Type type) { return jvmOmitStackTraceInFastThrowOption; }
@Override public int numDistributorStripes() { return numDistributorStripes; }
@Override public boolean allowDisableMtls() { return allowDisableMtls; }
- @Override public List<X509Certificate> operatorCertificates() { return operatorCertificates; }
@Override public boolean useExternalRankExpressions() { return useExternalRankExpression; }
public TestProperties useExternalRankExpression(boolean value) {
@@ -245,11 +242,6 @@ public class TestProperties implements ModelContext.Properties, ModelContext.Fea
return this;
}
- public TestProperties setOperatorCertificates(List<X509Certificate> operatorCertificates) {
- this.operatorCertificates = List.copyOf(operatorCertificates);
- return this;
- }
-
public static class Spec implements ConfigServerSpec {
private final String hostName;
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
index 4ce0a9c9dbb..b477587bcac 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
@@ -34,7 +34,6 @@ import com.yahoo.container.logging.FileConnectionLog;
import com.yahoo.osgi.provider.model.ComponentModel;
import com.yahoo.search.rendering.RendererRegistry;
import com.yahoo.searchdefinition.derived.RankProfileList;
-import com.yahoo.security.X509CertificateUtils;
import com.yahoo.text.XML;
import com.yahoo.vespa.defaults.Defaults;
import com.yahoo.vespa.model.AbstractService;
@@ -90,7 +89,6 @@ import org.w3c.dom.Element;
import org.w3c.dom.Node;
import java.net.URI;
-import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
@@ -433,7 +431,6 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> {
// If the deployment contains certificate/private key reference, setup TLS port
HostedSslConnectorFactory connectorFactory;
- boolean enableHttp2 = deployState.featureFlags().enableJdiscHttp2();
if (deployState.endpointCertificateSecrets().isPresent()) {
boolean authorizeClient = deployState.zone().system().isPublic();
if (authorizeClient && deployState.tlsClientAuthority().isEmpty()) {
@@ -447,7 +444,7 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> {
.orElse(false);
connectorFactory = authorizeClient
- ? HostedSslConnectorFactory.withProvidedCertificateAndTruststore(serverName, endpointCertificateSecrets, getTlsClientAuthorities(deployState))
+ ? HostedSslConnectorFactory.withProvidedCertificateAndTruststore(serverName, endpointCertificateSecrets, deployState.tlsClientAuthority().get())
: HostedSslConnectorFactory.withProvidedCertificate(serverName, endpointCertificateSecrets, enforceHandshakeClientAuth);
} else {
connectorFactory = HostedSslConnectorFactory.withDefaultCertificateAndTruststore(serverName);
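Review bot: The restored line calls `deployState.tlsClientAuthority().get()` unchecked; it is only safe because the `authorizeClient && deployState.tlsClientAuthority().isEmpty()` branch a few lines earlier presumably throws, and that branch's body lies outside the hunk. This value is the client-authority PEM that the public-system TLS port trusts for client authentication, so an absent value should fail with an explicit invariant rather than surface as a `NoSuchElementException` from the model builder. I would either write `deployState.tlsClientAuthority().orElseThrow()` on the new line, or bind the value once next to the `isEmpty()` check and pass that local here so the presence check and the use cannot drift apart. The enclosing method starts and ends outside this hunk.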
@@ -456,19 +453,6 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> {
server.addConnector(connectorFactory);
}
- /*
- Return trusted certificates as a PEM encoded string containing the concatenation of
- trusted certs from the application package and all operator certificates.
- */
- String getTlsClientAuthorities(DeployState deployState) {
- List<X509Certificate> trustedCertificates = deployState.tlsClientAuthority()
- .map(X509CertificateUtils::certificateListFromPem)
- .orElse(Collections.emptyList());
- ArrayList<X509Certificate> x509Certificates = new ArrayList<>(trustedCertificates);
- x509Certificates.addAll(deployState.getProperties().operatorCertificates());
- return X509CertificateUtils.toPem(x509Certificates);
- }
-
private static boolean isHostedTenantApplication(ConfigModelContext context) {
var deployState = context.getDeployState();
boolean isTesterApplication = deployState.getProperties().applicationId().instance().isTester();
diff --git a/config-model/src/test/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilderTest.java b/config-model/src/test/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilderTest.java
index 6649087f454..7f862afa1b0 100644
--- a/config-model/src/test/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilderTest.java
+++ b/config-model/src/test/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilderTest.java
@@ -40,11 +40,6 @@ import com.yahoo.net.HostName;
import com.yahoo.path.Path;
import com.yahoo.prelude.cluster.QrMonitorConfig;
import com.yahoo.search.config.QrStartConfig;
-import com.yahoo.security.KeyAlgorithm;
-import com.yahoo.security.KeyUtils;
-import com.yahoo.security.SignatureAlgorithm;
-import com.yahoo.security.X509CertificateBuilder;
-import com.yahoo.security.X509CertificateUtils;
import com.yahoo.security.tls.TlsContext;
import com.yahoo.vespa.defaults.Defaults;
import com.yahoo.vespa.model.AbstractService;
@@ -58,7 +53,6 @@ import com.yahoo.vespa.model.container.http.ConnectorFactory;
import com.yahoo.vespa.model.content.utils.ContentClusterUtils;
import com.yahoo.vespa.model.test.VespaModelTester;
import com.yahoo.vespa.model.test.utils.VespaModelCreatorWithFilePkg;
-import org.hamcrest.CoreMatchers;
import org.hamcrest.Matchers;
import org.hamcrest.core.IsEqual;
import org.junit.Rule;
@@ -67,14 +61,8 @@ import org.junit.rules.TemporaryFolder;
import org.w3c.dom.Element;
import org.xml.sax.SAXException;
-import javax.security.auth.x500.X500Principal;
import java.io.IOException;
import java.io.StringReader;
-import java.math.BigInteger;
-import java.security.KeyPair;
-import java.security.cert.X509Certificate;
-import java.time.Instant;
-import java.time.temporal.ChronoUnit;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
@@ -94,7 +82,6 @@ import static org.hamcrest.CoreMatchers.is;
import static org.hamcrest.CoreMatchers.not;
import static org.hamcrest.CoreMatchers.notNullValue;
import static org.hamcrest.CoreMatchers.nullValue;
-import static org.hamcrest.Matchers.arrayContainingInAnyOrder;
import static org.hamcrest.Matchers.contains;
import static org.hamcrest.Matchers.containsInAnyOrder;
import static org.hamcrest.Matchers.containsString;
@@ -831,53 +818,6 @@ public class ContainerModelBuilderTest extends ContainerModelBuilderTestBase {
}
@Test
- public void operator_certificates_are_joined_with_clients_pem() {
- var applicationPackage = new MockApplicationPackage.Builder()
- .withRoot(applicationFolder.getRoot())
- .build();
-
- KeyPair key = KeyUtils.generateKeypair(KeyAlgorithm.EC, 256);
- var applicationTrustCert = X509CertificateUtils.toPem(
- X509CertificateBuilder
- .fromKeypair(key, new X500Principal("CN=application"), Instant.now(), Instant.now().plus(1, ChronoUnit.DAYS), SignatureAlgorithm.SHA512_WITH_ECDSA, BigInteger.valueOf(1))
- .build());
- var operatorCert = X509CertificateBuilder
- .fromKeypair(key, new X500Principal("CN=operator"), Instant.now(), Instant.now().plus(1, ChronoUnit.DAYS), SignatureAlgorithm.SHA512_WITH_ECDSA, BigInteger.valueOf(1))
- .build();
-
- applicationPackage.getFile(Path.fromString("security")).createDirectory();
- applicationPackage.getFile(Path.fromString("security/clients.pem")).writeFile(new StringReader(applicationTrustCert));
-
- var deployState = new DeployState.Builder().properties(
- new TestProperties()
- .setOperatorCertificates(List.of(operatorCert))
- .setHostedVespa(true)
- .setEndpointCertificateSecrets(Optional.of(new EndpointCertificateSecrets("CERT", "KEY"))))
- .zone(new Zone(SystemName.PublicCd, Environment.dev, RegionName.defaultName()))
- .applicationPackage(applicationPackage)
- .build();
-
- Element clusterElem = DomBuilderTest.parse("<container version='1.0' />");
-
- createModel(root, deployState, null, clusterElem);
-
- ApplicationContainer container = (ApplicationContainer)root.getProducer("container/container.0");
- List<ConnectorFactory> connectorFactories = container.getHttp().getHttpServer().get().getConnectorFactories();
- ConnectorFactory tlsPort = connectorFactories.stream().filter(connectorFactory -> connectorFactory.getListenPort() == 4443).findFirst().orElseThrow();
-
- ConnectorConfig.Builder builder = new ConnectorConfig.Builder();
- tlsPort.getConfig(builder);
-
- ConnectorConfig connectorConfig = new ConnectorConfig(builder);
- var caCerts = X509CertificateUtils.certificateListFromPem(connectorConfig.ssl().caCertificate());
- assertEquals(2, caCerts.size());
- List<String> certnames = caCerts.stream()
- .map(cert -> cert.getSubjectX500Principal().getName())
- .collect(Collectors.toList());
- assertThat(certnames, containsInAnyOrder("CN=operator", "CN=application"));
- }
-
- @Test
public void environment_vars_are_honoured() {
Element clusterElem = DomBuilderTest.parse(
"<container version='1.0'>",
diff --git a/configserver/src/main/java/com/yahoo/vespa/config/server/deploy/ModelContextImpl.java b/configserver/src/main/java/com/yahoo/vespa/config/server/deploy/ModelContextImpl.java
index 0f5f0ad1dfc..f44694f5066 100644
--- a/configserver/src/main/java/com/yahoo/vespa/config/server/deploy/ModelContextImpl.java
+++ b/configserver/src/main/java/com/yahoo/vespa/config/server/deploy/ModelContextImpl.java
@@ -37,7 +37,6 @@ import com.yahoo.vespa.flags.UnboundFlag;
import java.io.File;
import java.net.URI;
-import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Optional;
import java.util.Set;
@@ -285,7 +284,6 @@ public class ModelContextImpl implements ModelContext {
private final SecretStore secretStore;
private final StringFlag jvmGCOptionsFlag;
private final boolean allowDisableMtls;
- private final List<X509Certificate> operatorCertificates;
public Properties(ApplicationId applicationId,
ConfigserverConfig configserverConfig,
@@ -299,8 +297,7 @@ public class ModelContextImpl implements ModelContext {
Optional<ApplicationRoles> applicationRoles,
Optional<Quota> maybeQuota,
List<TenantSecretStore> tenantSecretStores,
- SecretStore secretStore,
- List<X509Certificate> operatorCertificates) {
+ SecretStore secretStore) {
this.featureFlags = new FeatureFlags(flagSource, applicationId);
this.applicationId = applicationId;
this.multitenant = configserverConfig.multitenant() || configserverConfig.hostedVespa() || Boolean.getBoolean("multitenant");
@@ -323,7 +320,6 @@ public class ModelContextImpl implements ModelContext {
.with(FetchVector.Dimension.APPLICATION_ID, applicationId.serializedForm());
this.allowDisableMtls = PermanentFlags.ALLOW_DISABLE_MTLS.bindTo(flagSource)
.with(FetchVector.Dimension.APPLICATION_ID, applicationId.serializedForm()).value();
- this.operatorCertificates = operatorCertificates;
}
@Override public ModelContext.FeatureFlags featureFlags() { return featureFlags; }
@@ -392,11 +388,6 @@ public class ModelContextImpl implements ModelContext {
return allowDisableMtls;
}
- @Override
- public List<X509Certificate> operatorCertificates() {
- return operatorCertificates;
- }
-
public String flagValueForClusterType(StringFlag flag, Optional<ClusterSpec.Type> clusterType) {
return clusterType.map(type -> flag.with(CLUSTER_TYPE, type.name()))
.orElse(flag)
diff --git a/configserver/src/main/java/com/yahoo/vespa/config/server/modelfactory/ActivatedModelsBuilder.java b/configserver/src/main/java/com/yahoo/vespa/config/server/modelfactory/ActivatedModelsBuilder.java
index ada278709fd..5c0207878f1 100644
--- a/configserver/src/main/java/com/yahoo/vespa/config/server/modelfactory/ActivatedModelsBuilder.java
+++ b/configserver/src/main/java/com/yahoo/vespa/config/server/modelfactory/ActivatedModelsBuilder.java
@@ -37,9 +37,7 @@ import com.yahoo.vespa.config.server.tenant.TenantRepository;
import com.yahoo.vespa.curator.Curator;
import com.yahoo.vespa.flags.FlagSource;
-import java.security.cert.X509Certificate;
import java.util.Comparator;
-import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.logging.Level;
@@ -165,8 +163,7 @@ public class ActivatedModelsBuilder extends ModelsBuilder<Application> {
.readApplicationRoles(applicationId),
zkClient.readQuota(),
zkClient.readTenantSecretStores(),
- secretStore,
- zkClient.readOperatorCertificates());
+ secretStore);
}
}
diff --git a/configserver/src/main/java/com/yahoo/vespa/config/server/session/PrepareParams.java b/configserver/src/main/java/com/yahoo/vespa/config/server/session/PrepareParams.java
index 1b43e57c01a..ea2a525b440 100644
--- a/configserver/src/main/java/com/yahoo/vespa/config/server/session/PrepareParams.java
+++ b/configserver/src/main/java/com/yahoo/vespa/config/server/session/PrepareParams.java
@@ -1,7 +1,6 @@
// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.vespa.config.server.session;
-import com.google.common.collect.ImmutableList;
import com.yahoo.component.Version;
import com.yahoo.config.model.api.ApplicationRoles;
import com.yahoo.config.model.api.ContainerEndpoint;
@@ -12,8 +11,6 @@ import com.yahoo.config.provision.AthenzDomain;
import com.yahoo.config.provision.DockerImage;
import com.yahoo.config.provision.TenantName;
import com.yahoo.container.jdisc.HttpRequest;
-import com.yahoo.security.X509CertificateUtils;
-import com.yahoo.slime.ArrayTraverser;
import com.yahoo.slime.Inspector;
import com.yahoo.slime.Slime;
import com.yahoo.slime.SlimeUtils;
@@ -23,18 +20,14 @@ import com.yahoo.vespa.config.server.http.SessionHandler;
import com.yahoo.vespa.config.server.tenant.ContainerEndpointSerializer;
import com.yahoo.vespa.config.server.tenant.EndpointCertificateMetadataSerializer;
import com.yahoo.vespa.config.server.tenant.TenantSecretStoreSerializer;
-import org.eclipse.jetty.util.ssl.X509;
-import java.security.cert.X509Certificate;
import java.time.Clock;
import java.time.Duration;
-import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.function.Function;
-import java.util.stream.Collectors;
/**
* Parameters for preparing an application. Immutable.
@@ -59,7 +52,6 @@ public final class PrepareParams {
static final String TENANT_SECRET_STORES_PARAM_NAME = "tenantSecretStores";
static final String FORCE_PARAM_NAME = "force";
static final String WAIT_FOR_RESOURCES_IN_PREPARE = "waitForResourcesInPrepare";
- static final String OPERATOR_CERTIFICATES = "operatorCertificates";
private final ApplicationId applicationId;
private final TimeoutBudget timeoutBudget;
@@ -77,7 +69,6 @@ public final class PrepareParams {
private final Optional<ApplicationRoles> applicationRoles;
private final Optional<Quota> quota;
private final List<TenantSecretStore> tenantSecretStores;
- private final List<X509Certificate> operatorCertificates;
private PrepareParams(ApplicationId applicationId, TimeoutBudget timeoutBudget, boolean ignoreValidationErrors,
boolean dryRun, boolean verbose, boolean isBootstrap, Optional<Version> vespaVersion,
@@ -85,7 +76,7 @@ public final class PrepareParams {
Optional<EndpointCertificateMetadata> endpointCertificateMetadata,
Optional<DockerImage> dockerImageRepository, Optional<AthenzDomain> athenzDomain,
Optional<ApplicationRoles> applicationRoles, Optional<Quota> quota, List<TenantSecretStore> tenantSecretStores,
- boolean force, boolean waitForResourcesInPrepare, List<X509Certificate> operatorCertificates) {
+ boolean force, boolean waitForResourcesInPrepare) {
this.timeoutBudget = timeoutBudget;
this.applicationId = Objects.requireNonNull(applicationId);
this.ignoreValidationErrors = ignoreValidationErrors;
@@ -102,7 +93,6 @@ public final class PrepareParams {
this.tenantSecretStores = tenantSecretStores;
this.force = force;
this.waitForResourcesInPrepare = waitForResourcesInPrepare;
- this.operatorCertificates = operatorCertificates;
}
public static class Builder {
@@ -123,7 +113,6 @@ public final class PrepareParams {
private Optional<ApplicationRoles> applicationRoles = Optional.empty();
private Optional<Quota> quota = Optional.empty();
private List<TenantSecretStore> tenantSecretStores = List.of();
- private List<X509Certificate> operatorCertificates = List.of();
public Builder() { }
@@ -256,17 +245,11 @@ public final class PrepareParams {
return this;
}
- public Builder withOperatorCertificates(List<X509Certificate> operatorCertificates) {
- this.operatorCertificates = List.copyOf(operatorCertificates);
- return this;
- }
-
public PrepareParams build() {
return new PrepareParams(applicationId, timeoutBudget, ignoreValidationErrors, dryRun,
verbose, isBootstrap, vespaVersion, containerEndpoints,
endpointCertificateMetadata, dockerImageRepository, athenzDomain,
- applicationRoles, quota, tenantSecretStores, force, waitForResourcesInPrepare,
- operatorCertificates);
+ applicationRoles, quota, tenantSecretStores, force, waitForResourcesInPrepare);
}
}
@@ -309,7 +292,6 @@ public final class PrepareParams {
.tenantSecretStores(SlimeUtils.optionalString(params.field(TENANT_SECRET_STORES_PARAM_NAME)).orElse(null))
.force(booleanValue(params, FORCE_PARAM_NAME))
.waitForResourcesInPrepare(booleanValue(params, WAIT_FOR_RESOURCES_IN_PREPARE))
- .withOperatorCertificates(deserialize(params.field(OPERATOR_CERTIFICATES), PrepareParams::readOperatorCertificates, Collections.emptyList()))
.build();
}
@@ -361,13 +343,6 @@ public final class PrepareParams {
return Optional.ofNullable(request.getProperty(propertyName));
}
- private static List<X509Certificate> readOperatorCertificates(Inspector array) {
- return SlimeUtils.entriesStream(array)
- .map(Inspector::asString)
- .map(X509CertificateUtils::fromPem)
- .collect(Collectors.toList());
- }
-
public String getApplicationName() {
return applicationId.application().value();
}
@@ -425,8 +400,4 @@ public final class PrepareParams {
public List<TenantSecretStore> tenantSecretStores() {
return tenantSecretStores;
}
-
- public List<X509Certificate> operatorCertificates() {
- return operatorCertificates;
- }
}
diff --git a/configserver/src/main/java/com/yahoo/vespa/config/server/session/Session.java b/configserver/src/main/java/com/yahoo/vespa/config/server/session/Session.java
index 542b54d877e..f1044b28049 100644
--- a/configserver/src/main/java/com/yahoo/vespa/config/server/session/Session.java
+++ b/configserver/src/main/java/com/yahoo/vespa/config/server/session/Session.java
@@ -17,7 +17,6 @@ import com.yahoo.transaction.Transaction;
import com.yahoo.vespa.config.server.application.ApplicationSet;
import com.yahoo.vespa.config.server.tenant.TenantRepository;
-import java.security.cert.X509Certificate;
import java.time.Instant;
import java.util.List;
import java.util.Optional;
@@ -138,10 +137,6 @@ public abstract class Session implements Comparable<Session> {
sessionZooKeeperClient.writeTenantSecretStores(tenantSecretStores);
}
- public void setOperatorCertificates(List<X509Certificate> operatorCertificates) {
- sessionZooKeeperClient.writeOperatorCertificates(operatorCertificates);
- }
-
/** Returns application id read from ZooKeeper. Will throw RuntimeException if not found */
public ApplicationId getApplicationId() {
return sessionZooKeeperClient.readApplicationId()
@@ -177,10 +172,6 @@ public abstract class Session implements Comparable<Session> {
return sessionZooKeeperClient.readTenantSecretStores();
}
- public List<X509Certificate> getOperatorCertificates() {
- return sessionZooKeeperClient.readOperatorCertificates();
- }
-
private Transaction createSetStatusTransaction(Status status) {
return sessionZooKeeperClient.createWriteStatusTransaction(status);
}
diff --git a/configserver/src/main/java/com/yahoo/vespa/config/server/session/SessionPreparer.java b/configserver/src/main/java/com/yahoo/vespa/config/server/session/SessionPreparer.java
index 9360a2b1a2a..30cdc0f6e8a 100644
--- a/configserver/src/main/java/com/yahoo/vespa/config/server/session/SessionPreparer.java
+++ b/configserver/src/main/java/com/yahoo/vespa/config/server/session/SessionPreparer.java
@@ -51,7 +51,6 @@ import com.yahoo.vespa.flags.FlagSource;
import java.io.File;
import java.io.IOException;
-import java.security.cert.X509Certificate;
import java.time.Instant;
import java.util.Collection;
import java.util.List;
@@ -205,8 +204,7 @@ public class SessionPreparer {
applicationRoles,
params.quota(),
params.tenantSecretStores(),
- secretStore,
- params.operatorCertificates());
+ secretStore);
this.fileDistributionProvider = fileDistributionFactory.createProvider(serverDbSessionDir);
this.preparedModelsBuilder = new PreparedModelsBuilder(modelFactoryRegistry,
permanentApplicationPackage,
@@ -279,8 +277,7 @@ public class SessionPreparer {
prepareResult.allocatedHosts(),
athenzDomain,
params.quota(),
- params.tenantSecretStores(),
- params.operatorCertificates());
+ params.tenantSecretStores());
checkTimeout("write state to zookeeper");
}
@@ -330,8 +327,7 @@ public class SessionPreparer {
AllocatedHosts allocatedHosts,
Optional<AthenzDomain> athenzDomain,
Optional<Quota> quota,
- List<TenantSecretStore> tenantSecretStores,
- List<X509Certificate> operatorCertificates) {
+ List<TenantSecretStore> tenantSecretStores) {
ZooKeeperDeployer zkDeployer = zooKeeperClient.createDeployer(deployLogger);
try {
zkDeployer.deploy(applicationPackage, fileRegistryMap, allocatedHosts);
@@ -343,7 +339,6 @@ public class SessionPreparer {
zooKeeperClient.writeAthenzDomain(athenzDomain);
zooKeeperClient.writeQuota(quota);
zooKeeperClient.writeTenantSecretStores(tenantSecretStores);
- zooKeeperClient.writeOperatorCertificates(operatorCertificates);
} catch (RuntimeException | IOException e) {
zkDeployer.cleanup();
throw new RuntimeException("Error preparing session", e);
diff --git a/configserver/src/main/java/com/yahoo/vespa/config/server/session/SessionRepository.java b/configserver/src/main/java/com/yahoo/vespa/config/server/session/SessionRepository.java
index 0386b1ca4ef..cb46d65c4c5 100644
--- a/configserver/src/main/java/com/yahoo/vespa/config/server/session/SessionRepository.java
+++ b/configserver/src/main/java/com/yahoo/vespa/config/server/session/SessionRepository.java
@@ -259,7 +259,6 @@ public class SessionRepository {
session.setDockerImageRepository(existingSession.getDockerImageRepository());
session.setAthenzDomain(existingSession.getAthenzDomain());
session.setTenantSecretStores(existingSession.getTenantSecretStores());
- session.setOperatorCertificates(existingSession.getOperatorCertificates());
return session;
}
diff --git a/configserver/src/main/java/com/yahoo/vespa/config/server/session/SessionZooKeeperClient.java b/configserver/src/main/java/com/yahoo/vespa/config/server/session/SessionZooKeeperClient.java
index c3d6bba0ac2..c7c4f1926d7 100644
--- a/configserver/src/main/java/com/yahoo/vespa/config/server/session/SessionZooKeeperClient.java
+++ b/configserver/src/main/java/com/yahoo/vespa/config/server/session/SessionZooKeeperClient.java
@@ -21,7 +21,6 @@ import com.yahoo.transaction.Transaction;
import com.yahoo.vespa.config.server.UserConfigDefinitionRepo;
import com.yahoo.vespa.config.server.deploy.ZooKeeperClient;
import com.yahoo.vespa.config.server.deploy.ZooKeeperDeployer;
-import com.yahoo.vespa.config.server.tenant.OperatorCertificateSerializer;
import com.yahoo.vespa.config.server.tenant.TenantRepository;
import com.yahoo.vespa.config.server.tenant.TenantSecretStoreSerializer;
import com.yahoo.vespa.config.server.zookeeper.ConfigCurator;
@@ -30,7 +29,6 @@ import com.yahoo.vespa.curator.Curator;
import com.yahoo.vespa.curator.transaction.CuratorOperations;
import com.yahoo.vespa.curator.transaction.CuratorTransaction;
-import java.security.cert.X509Certificate;
import java.time.Instant;
import java.util.List;
import java.util.Optional;
@@ -59,7 +57,6 @@ public class SessionZooKeeperClient {
private static final String ATHENZ_DOMAIN = "athenzDomain";
private static final String QUOTA_PATH = "quota";
private static final String TENANT_SECRET_STORES_PATH = "tenantSecretStores";
- private static final String OPERATOR_CERTIFICATES_PATH = "operatorCertificates";
private final Curator curator;
private final ConfigCurator configCurator;
@@ -194,10 +191,6 @@ public class SessionZooKeeperClient {
return sessionPath.append(TENANT_SECRET_STORES_PATH).getAbsolute();
}
- private String operatorCertificatesPath() {
- return sessionPath.append(OPERATOR_CERTIFICATES_PATH).getAbsolute();
- }
-
public void writeVespaVersion(Version version) {
configCurator.putData(versionPath(), version.toString());
}
@@ -289,21 +282,6 @@ public class SessionZooKeeperClient {
.orElse(List.of());
}
- public void writeOperatorCertificates(List<X509Certificate> certificates) {
- if( ! certificates.isEmpty()) {
- var bytes = uncheck(() -> SlimeUtils.toJsonBytes(OperatorCertificateSerializer.toSlime(certificates)));
- configCurator.putData(operatorCertificatesPath(), bytes);
- }
- }
-
- public List<X509Certificate> readOperatorCertificates() {
- if ( ! configCurator.exists(operatorCertificatesPath())) return List.of();
- return Optional.ofNullable(configCurator.getData(operatorCertificatesPath()))
- .map(SlimeUtils::jsonToSlime)
- .map(slime -> OperatorCertificateSerializer.fromSlime(slime.get()))
- .orElse(List.of());
- }
-
/**
* Create necessary paths atomically for a new session.
*
diff --git a/configserver/src/main/java/com/yahoo/vespa/config/server/tenant/OperatorCertificateSerializer.java b/configserver/src/main/java/com/yahoo/vespa/config/server/tenant/OperatorCertificateSerializer.java
deleted file mode 100644
index 7fe2ab5e12f..00000000000
--- a/configserver/src/main/java/com/yahoo/vespa/config/server/tenant/OperatorCertificateSerializer.java
+++ /dev/null
@@ -1,33 +0,0 @@
-// Copyright Verizon Media. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-
-package com.yahoo.vespa.config.server.tenant;
-
-import com.yahoo.config.model.api.ApplicationRoles;
-import com.yahoo.security.X509CertificateUtils;
-import com.yahoo.slime.Cursor;
-import com.yahoo.slime.Inspector;
-import com.yahoo.slime.Slime;
-import com.yahoo.slime.SlimeUtils;
-
-import java.security.cert.X509Certificate;
-import java.util.List;
-import java.util.stream.Collectors;
-
-public class OperatorCertificateSerializer {
-
- public static Slime toSlime(List<X509Certificate> certificateList) {
- Slime slime = new Slime();
- Cursor array = slime.setArray();
- certificateList.stream()
- .map(X509CertificateUtils::toPem)
- .forEach(array::addString);
- return slime;
- }
-
- public static List<X509Certificate> fromSlime(Inspector array) {
- return SlimeUtils.entriesStream(array)
- .map(Inspector::asString)
- .map(X509CertificateUtils::fromPem)
- .collect(Collectors.toList());
- }
-}
diff --git a/configserver/src/test/java/com/yahoo/vespa/config/server/ModelContextImplTest.java b/configserver/src/test/java/com/yahoo/vespa/config/server/ModelContextImplTest.java
index 0acf4404326..7b9420b6b9e 100644
--- a/configserver/src/test/java/com/yahoo/vespa/config/server/ModelContextImplTest.java
+++ b/configserver/src/test/java/com/yahoo/vespa/config/server/ModelContextImplTest.java
@@ -74,8 +74,7 @@ public class ModelContextImplTest {
Optional.empty(),
Optional.empty(),
List.of(),
- new SecretStoreProvider().get(),
- List.of()),
+ new SecretStoreProvider().get()),
Optional.empty(),
Optional.empty(),
new Version(7),
diff --git a/configserver/src/test/java/com/yahoo/vespa/config/server/session/PrepareParamsTest.java b/configserver/src/test/java/com/yahoo/vespa/config/server/session/PrepareParamsTest.java
index 06ff9f4b3f6..f50238f2b85 100644
--- a/configserver/src/test/java/com/yahoo/vespa/config/server/session/PrepareParamsTest.java
+++ b/configserver/src/test/java/com/yahoo/vespa/config/server/session/PrepareParamsTest.java
@@ -7,11 +7,6 @@ import com.yahoo.config.model.api.EndpointCertificateMetadata;
import com.yahoo.config.provision.ApplicationId;
import com.yahoo.config.provision.TenantName;
import com.yahoo.container.jdisc.HttpRequest;
-import com.yahoo.security.KeyAlgorithm;
-import com.yahoo.security.KeyUtils;
-import com.yahoo.security.SignatureAlgorithm;
-import com.yahoo.security.X509CertificateBuilder;
-import com.yahoo.security.X509CertificateUtils;
import com.yahoo.slime.ArrayInserter;
import com.yahoo.slime.Cursor;
import com.yahoo.slime.Injector;
@@ -25,16 +20,10 @@ import com.yahoo.vespa.config.server.tenant.ContainerEndpointSerializer;
import com.yahoo.vespa.config.server.tenant.EndpointCertificateMetadataSerializer;
import org.junit.Test;
-import javax.security.auth.x500.X500Principal;
import java.io.IOException;
-import java.math.BigInteger;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
-import java.security.KeyPair;
-import java.security.cert.X509Certificate;
import java.time.Duration;
-import java.time.Instant;
-import java.time.temporal.ChronoUnit;
import java.util.List;
import java.util.Map;
import java.util.Objects;
@@ -190,26 +179,6 @@ public class PrepareParamsTest {
assertPrepareParamsEqual(urlPrepareParams, jsonPrepareParams);
}
- @Test
- public void testOperatorCertificates() throws IOException {
- Slime slime = SlimeUtils.jsonToSlime(json);
- Cursor cursor = slime.get();
- Cursor array = cursor.setArray(PrepareParams.OPERATOR_CERTIFICATES);
-
- KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.EC, 256);
- X500Principal subject = new X500Principal("CN=myservice");
- X509Certificate cert =
- X509CertificateBuilder.fromKeypair(keyPair, subject, Instant.now(),
- Instant.now().plus(1, ChronoUnit.DAYS), SignatureAlgorithm.SHA256_WITH_ECDSA,
- BigInteger.valueOf(1))
- .setBasicConstraints(true, true)
- .build();
- array.addString(X509CertificateUtils.toPem(cert));
- PrepareParams prepareParams = PrepareParams.fromJson(SlimeUtils.toJsonBytes(slime), TenantName.from("foo"), Duration.ofSeconds(60));
- assertEquals(1, prepareParams.operatorCertificates().size());
- assertEquals(cert, prepareParams.operatorCertificates().get(0));
- }
-
private void assertPrepareParamsEqual(PrepareParams urlParams, PrepareParams jsonParams) {
assertEquals(urlParams.ignoreValidationErrors(), jsonParams.ignoreValidationErrors());
assertEquals(urlParams.isDryRun(), jsonParams.isDryRun());