author | Jon Marius Venstad <venstad@gmail.com> | 2019-08-19 11:47:35 +0200 |
---|---|---|
committer | Jon Marius Venstad <venstad@gmail.com> | 2019-08-19 11:47:35 +0200 |
commit | 2af85a042b5d7ca94fdc8a0b8a04c258d6b64df2 (patch) | |
tree | e697607d1dd6cdd4de57a8fd1b9de345317a2619 | |
parent | 0c4ce4cb5bb3573b7b6c21573224b0edd064b177 (diff) |
Rename EndpointAuthenticator -> Authenticator, and doc fixes
5 files changed, 11 insertions, 103 deletions
diff --git a/hosted-api/src/main/java/ai/vespa/hosted/api/EndpointAuthenticator.java b/hosted-api/src/main/java/ai/vespa/hosted/api/EndpointAuthenticator.java
deleted file mode 100644
index 62b1d2b4c92..00000000000
--- a/hosted-api/src/main/java/ai/vespa/hosted/api/EndpointAuthenticator.java
+++ /dev/null
@@ -1,20 +0,0 @@
-package ai.vespa.hosted.api;
-
-import javax.net.ssl.SSLContext;
-import java.net.http.HttpRequest;
-import java.util.Optional;
-
-/**
- * Adds environment dependent authentication to HTTP request against Vespa deployments.
- *
- * @author jonmv
- */
-public interface EndpointAuthenticator {
-
- /** Returns an SSLContext which provides authentication against a Vespa endpoint. */
- SSLContext sslContext();
-
- /** Adds necessary authentication to the given HTTP request builder, to pass the data plane of a Vespa endpoint. */
- HttpRequest.Builder authenticated(HttpRequest.Builder request);
-
-}
diff --git a/tenant-auth/src/main/java/ai/vespa/hosted/auth/EndpointAuthenticator.java b/tenant-auth/src/main/java/ai/vespa/hosted/auth/EndpointAuthenticator.java
deleted file mode 100644
index abb4197bda1..00000000000
--- a/tenant-auth/src/main/java/ai/vespa/hosted/auth/EndpointAuthenticator.java
+++ /dev/null
@@ -1,68 +0,0 @@
-package ai.vespa.hosted.auth;
-
-import com.yahoo.config.provision.SystemName;
-import com.yahoo.security.KeyUtils;
-import com.yahoo.security.SslContextBuilder;
-import com.yahoo.security.X509CertificateUtils;
-
-import javax.net.ssl.SSLContext;
-import java.io.IOException;
-import java.io.UncheckedIOException;
-import java.net.http.HttpRequest;
-import java.nio.file.Files;
-import java.nio.file.Path;
-import java.security.NoSuchAlgorithmException;
-import java.security.PrivateKey;
-import java.security.cert.X509Certificate;
-import java.time.Instant;
-import java.util.Optional;
-
-import static ai.vespa.hosted.api.Properties.getNonBlankProperty;
-
-/**
- * Authenticates against the hosted Vespa API using private key signatures, and against Vespa applications using mutual TLS.
- *
- * @author jonmv
- */
-public class EndpointAuthenticator implements ai.vespa.hosted.api.EndpointAuthenticator {
-
- /** Don't touch. */
- public EndpointAuthenticator(@SuppressWarnings("unused") SystemName __) { }
-
- /**
- * If {@code System.getProperty("vespa.test.credentials.root")} is set, key and certificate files
- * "key" and "cert" in that directory are used; otherwise, the system default SSLContext is returned.
- */
- @Override
- public SSLContext sslContext() {
- try {
- Optional<String> credentialsRootProperty = getNonBlankProperty("vespa.test.credentials.root");
- if (credentialsRootProperty.isEmpty())
- return SSLContext.getDefault();
-
- Path credentialsRoot = Path.of(credentialsRootProperty.get());
- Path certificateFile = credentialsRoot.resolve("cert");
- Path privateKeyFile = credentialsRoot.resolve("key");
-
- X509Certificate certificate = X509CertificateUtils.fromPem(new String(Files.readAllBytes(certificateFile)));
- if ( Instant.now().isBefore(certificate.getNotBefore().toInstant())
- || Instant.now().isAfter(certificate.getNotAfter().toInstant()))
- throw new IllegalStateException("Certificate at '" + certificateFile + "' is valid between " +
- certificate.getNotBefore() + " and " + certificate.getNotAfter() + " — not now.");
-
- PrivateKey privateKey = KeyUtils.fromPemEncodedPrivateKey(new String(Files.readAllBytes(privateKeyFile)));
- return new SslContextBuilder().withKeyStore(privateKey, certificate).build();
- } catch (IOException e) {
- throw new UncheckedIOException(e);
- }
- catch (NoSuchAlgorithmException e) {
- throw new IllegalStateException(e);
- }
- }
-
- @Override
- public HttpRequest.Builder authenticated(HttpRequest.Builder request) {
- return request;
- }
-
-}
diff --git a/tenant-cd/src/main/java/ai/vespa/hosted/cd/TestRuntime.java b/tenant-cd/src/main/java/ai/vespa/hosted/cd/TestRuntime.java
index 4ae1c0b7a5e..e10d627808f 100644
--- a/tenant-cd/src/main/java/ai/vespa/hosted/cd/TestRuntime.java
+++ b/tenant-cd/src/main/java/ai/vespa/hosted/cd/TestRuntime.java
@@ -1,10 +1,10 @@
 package ai.vespa.hosted.cd;
 
-import ai.vespa.hosted.api.ApiAuthenticator;
-import ai.vespa.hosted.api.EndpointAuthenticator;
+import ai.vespa.hosted.api.Authenticator;
 import ai.vespa.hosted.api.ControllerHttpClient;
 import ai.vespa.hosted.api.Properties;
 import ai.vespa.hosted.api.TestConfig;
+import ai.vespa.hosted.auth.CertificateAndKeyAuthenticator;
 import ai.vespa.hosted.cd.http.HttpDeployment;
 import com.yahoo.config.provision.ApplicationId;
 import com.yahoo.config.provision.Environment;
@@ -29,7 +29,7 @@ public class TestRuntime {
 private final Map<String, Deployment> productionDeployments;
 private final Deployment deploymentToTest;
 
- private TestRuntime(TestConfig config, EndpointAuthenticator authenticator) {
+ private TestRuntime(TestConfig config, Authenticator authenticator) {
 this.config = config;
 this.productionDeployments = config.deployments().entrySet().stream()
 .filter(zoneDeployment -> zoneDeployment.getKey().environment() == Environment.prod)
@@ -41,7 +41,7 @@ public class TestRuntime {
 }
 
 /**
- * Returns the config for this test, or null if it has not been provided.
+ * Returns the config and authenticator to use when running integration tests.
 *
 * If the system property {@code "vespa.test.config"} is set (to a file path), a file at that location
 * is attempted read, and config parsed from it.
@@ -55,13 +55,13 @@ public class TestRuntime {
 String configPath = System.getProperty("vespa.test.config");
 TestConfig config = configPath != null ? fromFile(configPath) : fromController();
 theRuntime = new TestRuntime(config,
- new ai.vespa.hosted.auth.EndpointAuthenticator(config.system()));
+ new CertificateAndKeyAuthenticator(config.system()));
 }
 return theRuntime;
 }
 
 /** Returns a copy of this runtime, with the given endpoint authenticator. */
- public TestRuntime with(EndpointAuthenticator authenticator) {
+ public TestRuntime with(Authenticator authenticator) {
 return new TestRuntime(config, authenticator);
 }
 
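Review bot: The javadoc on `with` in the last hunk still says "with the given endpoint authenticator" although its parameter is now the renamed `Authenticator`, which, judging by the `ApiAuthenticator` import dropped in the first hunk, presumably covers API as well as endpoint authentication; suggest `/** Returns a copy of this runtime, with the given authenticator. */`. The default wired in at `new CertificateAndKeyAuthenticator(config.system())` is not part of this diff, so what it does when `vespa.test.credentials.root` is unset cannot be checked here; the implementation this commit deletes fell back to `SSLContext.getDefault()` in that case, which presents no client certificate and lets a test run proceed unauthenticated against the data plane until the endpoint rejects it. If the new class keeps that fallback, the method whose javadoc is changed in the third hunk is the place to state it, or better to fail fast with a message naming the missing property. The method containing the `theRuntime` assignment starts outside the hunk.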
diff --git a/tenant-cd/src/main/java/ai/vespa/hosted/cd/http/HttpDeployment.java b/tenant-cd/src/main/java/ai/vespa/hosted/cd/http/HttpDeployment.java
index 22c622effae..04cebcf50b2 100644
--- a/tenant-cd/src/main/java/ai/vespa/hosted/cd/http/HttpDeployment.java
+++ b/tenant-cd/src/main/java/ai/vespa/hosted/cd/http/HttpDeployment.java
@@ -1,6 +1,6 @@
 package ai.vespa.hosted.cd.http;
 
-import ai.vespa.hosted.api.EndpointAuthenticator;
+import ai.vespa.hosted.api.Authenticator;
 import ai.vespa.hosted.cd.TestDeployment;
 import ai.vespa.hosted.cd.TestEndpoint;
 import com.yahoo.config.provision.Environment;
@@ -22,7 +22,7 @@ public class HttpDeployment implements TestDeployment {
 private final Map<String, HttpEndpoint> endpoints;
 
 /** Creates a representation of the given deployment endpoints, using the authenticator for data plane access. */
- public HttpDeployment(Map<String, URI> endpoints, ZoneId zone, EndpointAuthenticator authenticator) {
+ public HttpDeployment(Map<String, URI> endpoints, ZoneId zone, Authenticator authenticator) {
 this.zone = zone;
 this.endpoints = endpoints.entrySet().stream()
 .collect(Collectors.toUnmodifiableMap(entry -> entry.getKey(),
diff --git a/tenant-cd/src/main/java/ai/vespa/hosted/cd/http/HttpEndpoint.java b/tenant-cd/src/main/java/ai/vespa/hosted/cd/http/HttpEndpoint.java
index 17703d8fbab..a9d8f2e7cc5 100644
--- a/tenant-cd/src/main/java/ai/vespa/hosted/cd/http/HttpEndpoint.java
+++ b/tenant-cd/src/main/java/ai/vespa/hosted/cd/http/HttpEndpoint.java
@@ -1,9 +1,6 @@
 package ai.vespa.hosted.cd.http;
 
-import ai.vespa.hosted.api.EndpointAuthenticator;
-import com.yahoo.slime.Inspector;
-import com.yahoo.slime.JsonDecoder;
-import com.yahoo.slime.Slime;
+import ai.vespa.hosted.api.Authenticator;
 import ai.vespa.hosted.cd.Digest;
 import ai.vespa.hosted.cd.Feed;
 import ai.vespa.hosted.cd.Query;
@@ -14,7 +11,6 @@ import ai.vespa.hosted.cd.Visit;
 import ai.vespa.hosted.cd.metric.Metrics;
 
 import java.io.IOException;
-import java.io.UncheckedIOException;
 import java.net.URI;
 import java.net.http.HttpClient;
 import java.net.http.HttpRequest;
@@ -37,9 +33,9 @@ public class HttpEndpoint implements TestEndpoint {
 
 private final URI endpoint;
 private final HttpClient client;
- private final EndpointAuthenticator authenticator;
+ private final Authenticator authenticator;
 
- public HttpEndpoint(URI endpoint, EndpointAuthenticator authenticator) {
+ public HttpEndpoint(URI endpoint, Authenticator authenticator) {
 this.endpoint = requireNonNull(endpoint);
 this.authenticator = requireNonNull(authenticator);
 this.client = HttpClient.newBuilder()