authorBjørn Christian Seime <bjorn.christian@seime.no>2017-10-31 14:35:53 +0100
committerGitHub <noreply@github.com>2017-10-31 14:35:53 +0100
commit2eb4abb76f4c7169a48f317b94fcff560de81205 (patch)
tree2e2dec3f08c6d7cb1c233a6f947a0a1624dd3c75
parentd28ab5ee8f5611a99a8f673cf35983adff62c338 (diff)
parent19e135d381c55b2674eb911b6350114e424d8f41 (diff)
Merge pull request #3951 from vespa-engine/bjorncs/athenz-identity-provider-cleanup
Bjorncs/athenz identity provider cleanup
-rw-r--r--athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzInstanceProviderService.java2
-rw-r--r--container-disc/src/main/java/com/yahoo/container/jdisc/athenz/AthenzIdentityProvider.java8
-rw-r--r--container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/AthenzIdentityProviderImpl.java112
-rw-r--r--container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/AthenzService.java82
-rw-r--r--container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/CryptoUtils.java97
-rw-r--r--container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/InstanceRefreshInformation.java24
-rw-r--r--container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/SignedIdentityDocument.java30
-rw-r--r--container-disc/src/test/java/com/yahoo/container/jdisc/athenz/impl/AthenzIdentityProviderImplTest.java (renamed from container-disc/src/test/java/com/yahoo/container/jdisc/athenz/AthenzIdentityProviderTest.java)9
8 files changed, 250 insertions, 114 deletions
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzInstanceProviderService.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzInstanceProviderService.java
index 668444e2769..e66130332ac 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzInstanceProviderService.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzInstanceProviderService.java
@@ -66,6 +66,7 @@ public class AthenzInstanceProviderService extends AbstractComponent {
config, keyProvider, sslContextFactory, nodeRepository, zone);
AthenzCertificateUpdater reloader =
new AthenzCertificateUpdater(certificateClient, sslContextFactory, keyProvider, config);
+ // TODO Configurable update frequency
scheduler.scheduleAtFixedRate(reloader, 0, 1, TimeUnit.DAYS);
try {
jetty.start();
@@ -117,6 +118,7 @@ public class AthenzInstanceProviderService extends AbstractComponent {
private static class AthenzCertificateUpdater implements Runnable {
+ // TODO Make expiry a configuration parameter
private static final TemporalAmount EXPIRY_TIME = Duration.ofDays(30);
private static final Logger log = Logger.getLogger(AthenzCertificateUpdater.class.getName());
diff --git a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/AthenzIdentityProvider.java b/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/AthenzIdentityProvider.java
index e5b8bc9bb01..19e04e0ae01 100644
--- a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/AthenzIdentityProvider.java
+++ b/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/AthenzIdentityProvider.java
@@ -6,8 +6,8 @@ package com.yahoo.container.jdisc.athenz;
*/
public interface AthenzIdentityProvider {
- public String getNToken();
- public String getX509Cert();
- public String domain();
- public String service();
+ String getNToken();
+ String getX509Cert();
+ String domain();
+ String service();
}
diff --git a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/AthenzIdentityProviderImpl.java b/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/AthenzIdentityProviderImpl.java
index 483a4170dfb..d2c914fc209 100644
--- a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/AthenzIdentityProviderImpl.java
+++ b/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/AthenzIdentityProviderImpl.java
@@ -1,37 +1,22 @@
// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.container.jdisc.athenz.impl;
-import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.google.inject.Inject;
import com.yahoo.component.AbstractComponent;
import com.yahoo.container.core.identity.IdentityConfig;
import com.yahoo.container.jdisc.athenz.AthenzIdentityProvider;
-import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
-import org.bouncycastle.asn1.x509.Extension;
-import org.bouncycastle.asn1.x509.ExtensionsGenerator;
-import org.bouncycastle.asn1.x509.GeneralName;
-import org.bouncycastle.asn1.x509.GeneralNames;
-import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
-import org.bouncycastle.operator.OperatorCreationException;
-import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
-import org.bouncycastle.pkcs.PKCS10CertificationRequest;
-import org.bouncycastle.pkcs.PKCS10CertificationRequestBuilder;
-import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;
-import org.bouncycastle.util.io.pem.PemObject;
-import javax.security.auth.x500.X500Principal;
import java.io.IOException;
-import java.io.StringWriter;
import java.security.KeyPair;
-import java.security.KeyPairGenerator;
-import java.security.NoSuchAlgorithmException;
/**
* @author mortent
*/
public final class AthenzIdentityProviderImpl extends AbstractComponent implements AthenzIdentityProvider {
+ private final ObjectMapper objectMapper = new ObjectMapper();
+
private InstanceIdentity instanceIdentity;
private final String dnsSuffix;
@@ -45,95 +30,26 @@ public final class AthenzIdentityProviderImpl extends AbstractComponent implemen
}
// Test only
- public AthenzIdentityProviderImpl(IdentityConfig config, ServiceProviderApi serviceProviderApi, AthenzService athenzService) throws IOException {
- KeyPair keyPair = createKeyPair();
+ AthenzIdentityProviderImpl(IdentityConfig config,
+ ServiceProviderApi serviceProviderApi,
+ AthenzService athenzService) throws IOException {
+ KeyPair keyPair = CryptoUtils.createKeyPair();
this.domain = config.domain();
this.service = config.service();
- String signedIdentityDocument = serviceProviderApi.getSignedIdentityDocument();
- String ztsEndpoint = getZtsEndpoint(signedIdentityDocument);
- this.dnsSuffix = getDnsSuffix(signedIdentityDocument);
- this.providerUniqueId = getProviderUniqueId(signedIdentityDocument);
- String providerServiceName = getProviderServiceName(signedIdentityDocument);
+ String rawDocument = serviceProviderApi.getSignedIdentityDocument();
+ SignedIdentityDocument document = objectMapper.readValue(rawDocument, SignedIdentityDocument.class);
+ this.dnsSuffix = document.dnsSuffix;
+ this.providerUniqueId = document.providerUniqueId;
InstanceRegisterInformation instanceRegisterInformation = new InstanceRegisterInformation(
- providerServiceName,
+ document.providerService,
this.domain,
this.service,
- signedIdentityDocument,
- createCSR(keyPair),
+ rawDocument,
+ CryptoUtils.toPem(CryptoUtils.createCSR(domain, service, dnsSuffix, providerUniqueId, keyPair)),
true
);
- instanceIdentity = athenzService.sendInstanceRegisterRequest(instanceRegisterInformation, ztsEndpoint);
- }
-
- private static String getProviderUniqueId(String signedIdentityDocument) throws IOException {
- return getJsonNode(signedIdentityDocument, "provider-unique-id");
- }
-
- private static String getDnsSuffix(String signedIdentityDocument) throws IOException {
- return getJsonNode(signedIdentityDocument, "dns-suffix");
- }
-
- private static String getProviderServiceName(String signedIdentityDocument) throws IOException {
- return getJsonNode(signedIdentityDocument, "provider-service");
- }
-
- private static String getZtsEndpoint(String signedIdentityDocument) throws IOException {
- return getJsonNode(signedIdentityDocument, "zts-endpoint");
- }
-
- private static String getJsonNode(String jsonString, String path) throws IOException {
- ObjectMapper mapper = new ObjectMapper();
- JsonNode jsonNode = mapper.readTree(jsonString);
- return jsonNode.get(path).asText();
- }
-
- private static KeyPair createKeyPair() {
- try {
- KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
- return kpg.generateKeyPair();
- } catch (NoSuchAlgorithmException e) {
- throw new RuntimeException(e);
- }
- }
-
- private String createCSR(KeyPair keyPair) throws IOException {
-
- try {
- // Add SAN dnsname <service>.<domain-with-dashes>.<provider-dnsname-suffix>
- // and SAN dnsname <provider-unique-instance-id>.instanceid.athenz.<provider-dnsname-suffix>
- GeneralNames subjectAltNames = new GeneralNames(new GeneralName[]{
- new GeneralName(GeneralName.dNSName, String.format("%s.%s.%s",
- service(),
- domain().replace(".", "-"),
- dnsSuffix)),
- new GeneralName(GeneralName.dNSName, String.format("%s.instanceid.athenz.%s",
- providerUniqueId,
- dnsSuffix))
- });
-
- ExtensionsGenerator extGen = new ExtensionsGenerator();
- extGen.addExtension(Extension.subjectAlternativeName, false, subjectAltNames);
-
- X500Principal subject = new X500Principal(
- String.format("CN=%s.%s", domain(), service()));
-
- PKCS10CertificationRequestBuilder requestBuilder =
- new JcaPKCS10CertificationRequestBuilder(subject, keyPair.getPublic());
- requestBuilder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, extGen.generate());
- PKCS10CertificationRequest csr = requestBuilder.build(
- new JcaContentSignerBuilder("SHA256withRSA").build(keyPair.getPrivate()));
-
- PemObject pemObject = new PemObject("CERTIFICATE REQUEST", csr.getEncoded());
- try (StringWriter stringWriter = new StringWriter()) {
- try (JcaPEMWriter pemWriter = new JcaPEMWriter(stringWriter)) {
- pemWriter.writeObject(pemObject);
- return stringWriter.toString();
- }
- }
- } catch (OperatorCreationException e) {
- throw new RuntimeException(e);
- }
+ instanceIdentity = athenzService.sendInstanceRegisterRequest( instanceRegisterInformation, document.ztsEndpoint);
}
@Override
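Review bot: The constructor at the top of the hunk reads `document.ztsEndpoint`, `document.providerService`, `document.dnsSuffix` and `document.providerUniqueId` straight after `objectMapper.readValue`, but the new `SignedIdentityDocument` declares its `@JsonProperty` creator parameters without `required = true`, so a document missing a key now yields `null` fields where the removed `getJsonNode` helper failed with a `NullPointerException`; the register request would then be posted to `"null" + INSTANCE_API_PATH`. Adding `Objects.requireNonNull(document.ztsEndpoint, "zts-endpoint")` (and the same for the other three fields) before they are used, or `required = true` on the annotations in the SignedIdentityDocument hunk below if the project's Jackson version enforces it for creator properties, restores the fail-fast behaviour. Separately, the last changed line has a stray space after the parenthesis: `instanceIdentity = athenzService.sendInstanceRegisterRequest(instanceRegisterInformation, document.ztsEndpoint);`.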
diff --git a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/AthenzService.java b/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/AthenzService.java
index c259b01876c..dc1f8956def 100644
--- a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/AthenzService.java
+++ b/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/AthenzService.java
@@ -1,10 +1,12 @@
// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.container.jdisc.athenz.impl;
+import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpUriRequest;
import org.apache.http.client.methods.RequestBuilder;
+import org.apache.http.conn.ssl.SSLContextBuilder;
import org.apache.http.entity.ContentType;
import org.apache.http.entity.StringEntity;
import org.apache.http.impl.client.CloseableHttpClient;
@@ -12,24 +14,70 @@ import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.util.EntityUtils;
import org.eclipse.jetty.http.HttpStatus;
+import javax.net.ssl.SSLContext;
import java.io.IOException;
+import java.io.UncheckedIOException;
+import java.security.KeyManagementException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.PrivateKey;
+import java.security.UnrecoverableKeyException;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
/**
* @author mortent
+ * @author bjorncs
*/
public class AthenzService {
+ private static final String INSTANCE_API_PATH = "zts/v1/instance";
+
+ private final ObjectMapper objectMapper = new ObjectMapper();
+
/**
* Send instance register request to ZTS, get InstanceIdentity
*/
- public InstanceIdentity sendInstanceRegisterRequest(InstanceRegisterInformation instanceRegisterInformation, String athenzUrl) {
+ public InstanceIdentity sendInstanceRegisterRequest(InstanceRegisterInformation instanceRegisterInformation,
+ String ztsEndpoint) {
try(CloseableHttpClient client = HttpClientBuilder.create().build()) {
- ObjectMapper objectMapper = new ObjectMapper();
HttpUriRequest postRequest = RequestBuilder.post()
- .setUri(athenzUrl + "zts/v1/instance")
- .setEntity(new StringEntity(objectMapper.writeValueAsString(instanceRegisterInformation), ContentType.APPLICATION_JSON))
+ .setUri(ztsEndpoint + INSTANCE_API_PATH)
+ .setEntity(toJsonStringEntity(instanceRegisterInformation))
.build();
- CloseableHttpResponse response = client.execute(postRequest);
+ return getInstanceIdentity(client, postRequest);
+ } catch (IOException e) {
+ throw new UncheckedIOException(e);
+ }
+ }
+
+ public InstanceIdentity sendInstanceRefreshRequest(String providerService,
+ String instanceDomain,
+ String instanceServiceName,
+ String instanceId,
+ InstanceRefreshInformation instanceRefreshInformation,
+ String ztsEndpoint,
+ X509Certificate certicate,
+ PrivateKey privateKey) {
+ try (CloseableHttpClient client = createHttpClientWithTlsAuth(certicate, privateKey)) {
+ String uri = String.format("%s/%s/%s/%s/%s",
+ ztsEndpoint + INSTANCE_API_PATH,
+ providerService, instanceDomain, instanceServiceName, instanceId);
+ HttpUriRequest postRequest = RequestBuilder.post()
+ .setUri(uri)
+ .setEntity(toJsonStringEntity(instanceRefreshInformation))
+ .build();
+ return getInstanceIdentity(client, postRequest);
+ } catch (IOException e) {
+ throw new UncheckedIOException(e);
+ }
+ }
+
+ private InstanceIdentity getInstanceIdentity(CloseableHttpClient client, HttpUriRequest postRequest)
+ throws IOException {
+ try (CloseableHttpResponse response = client.execute(postRequest)) {
if(HttpStatus.isSuccess(response.getStatusLine().getStatusCode())) {
return objectMapper.readValue(response.getEntity().getContent(), InstanceIdentity.class);
} else {
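Review bot: `sendInstanceRefreshRequest` builds the request path with `String.format("%s/%s/%s/%s/%s", ...)` from `providerService`, `instanceDomain`, `instanceServiceName` and `instanceId` without encoding or validating them, so a value containing `/`, `?` or `#` would change the resource addressed instead of being sent as a literal segment. Either reject segments containing such characters up front or build the URI with HttpClient's `URIBuilder#setPathSegments` (if the project's HttpClient version provides it) rather than string formatting. The parameter spelled `certicate` in the signature and in the try-with-resources should be `certificate`, matching `createHttpClientWithTlsAuth`. Both `sendInstanceRegisterRequest` and the refresh method also assume `ztsEndpoint` ends with `/`, since it is concatenated directly with `INSTANCE_API_PATH`; a Javadoc line `@param ztsEndpoint base URL of ZTS, must end with '/'` would make that contract visible.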
@@ -37,8 +85,30 @@ public class AthenzService {
throw new RuntimeException(String.format("Unable to get identity. http code/message: %d/%s",
response.getStatusLine().getStatusCode(), message));
}
- } catch (IOException e) {
+ }
+ }
+
+ private StringEntity toJsonStringEntity(Object value) throws JsonProcessingException {
+ return new StringEntity(objectMapper.writeValueAsString(value), ContentType.APPLICATION_JSON);
+ }
+
+ private static CloseableHttpClient createHttpClientWithTlsAuth(X509Certificate certificate, PrivateKey privateKey) {
+ try {
+ String dummyPassword = "athenz";
+ KeyStore keyStore = KeyStore.getInstance("JKS");
+ keyStore.load(null);
+ keyStore.setKeyEntry("athenz", privateKey, dummyPassword.toCharArray(), new Certificate[]{certificate});
+ SSLContext sslContext = new SSLContextBuilder()
+ .loadKeyMaterial(keyStore, dummyPassword.toCharArray())
+ .build();
+ return HttpClientBuilder.create()
+ .setSslcontext(sslContext)
+ .build();
+ } catch (KeyStoreException | UnrecoverableKeyException | NoSuchAlgorithmException |
+ KeyManagementException | CertificateException e) {
throw new RuntimeException(e);
+ } catch (IOException e) {
+ throw new UncheckedIOException(e);
}
}
}
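Review bot: `createHttpClientWithTlsAuth` says nothing about server-side trust: `SSLContextBuilder` is given only `loadKeyMaterial`, so the ZTS server certificate is presumably checked against the JVM's default trust store, which is worth stating with a comment such as `// Server trust: JVM default trust store; only the client key and certificate are supplied here`. `HttpClientBuilder#setSslcontext` is deprecated from HttpClient 4.4 in favour of `setSSLContext`; if the project is on such a version, `.setSSLContext(sslContext)` avoids the deprecation. The `"athenz"` password only guards the in-memory key entry, so a one-line comment on `dummyPassword` saying so would keep it from being mistaken for a real secret.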
diff --git a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/CryptoUtils.java b/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/CryptoUtils.java
new file mode 100644
index 00000000000..8b24cf94d8a
--- /dev/null
+++ b/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/CryptoUtils.java
@@ -0,0 +1,97 @@
+// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.container.jdisc.athenz.impl;
+
+import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
+import org.bouncycastle.asn1.x509.Extension;
+import org.bouncycastle.asn1.x509.ExtensionsGenerator;
+import org.bouncycastle.asn1.x509.GeneralName;
+import org.bouncycastle.asn1.x509.GeneralNames;
+import org.bouncycastle.openssl.PEMParser;
+import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
+import org.bouncycastle.operator.OperatorCreationException;
+import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
+import org.bouncycastle.pkcs.PKCS10CertificationRequest;
+import org.bouncycastle.pkcs.PKCS10CertificationRequestBuilder;
+import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;
+import org.bouncycastle.util.io.pem.PemObject;
+
+import javax.security.auth.x500.X500Principal;
+import java.io.IOException;
+import java.io.StringReader;
+import java.io.StringWriter;
+import java.io.UncheckedIOException;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.X509Certificate;
+
+/**
+ * @author bjorncs
+ */
+class CryptoUtils {
+
+ private CryptoUtils() {}
+
+ static KeyPair createKeyPair() {
+ try {
+ KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
+ return kpg.generateKeyPair();
+ } catch (NoSuchAlgorithmException e) {
+ throw new RuntimeException(e);
+ }
+ }
+
+ static PKCS10CertificationRequest createCSR(String identityDomain,
+ String identityService,
+ String dnsSuffix,
+ String providerUniqueId,
+ KeyPair keyPair) throws IOException {
+ try {
+ // Add SAN dnsname <service>.<domain-with-dashes>.<provider-dnsname-suffix>
+ // and SAN dnsname <provider-unique-instance-id>.instanceid.athenz.<provider-dnsname-suffix>
+ GeneralNames subjectAltNames = new GeneralNames(new GeneralName[]{
+ new GeneralName(GeneralName.dNSName, String.format("%s.%s.%s",
+ identityService,
+ identityDomain.replace(".", "-"),
+ dnsSuffix)),
+ new GeneralName(GeneralName.dNSName, String.format("%s.instanceid.athenz.%s",
+ providerUniqueId,
+ dnsSuffix))
+ });
+
+ ExtensionsGenerator extGen = new ExtensionsGenerator();
+ extGen.addExtension(Extension.subjectAlternativeName, false, subjectAltNames);
+
+ X500Principal subject = new X500Principal(
+ String.format("CN=%s.%s", identityDomain, identityService));
+
+ PKCS10CertificationRequestBuilder requestBuilder =
+ new JcaPKCS10CertificationRequestBuilder(subject, keyPair.getPublic());
+ requestBuilder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, extGen.generate());
+ return requestBuilder.build(new JcaContentSignerBuilder("SHA256withRSA").build(keyPair.getPrivate()));
+ } catch (OperatorCreationException e) {
+ throw new RuntimeException(e);
+ }
+ }
+
+ static String toPem(PKCS10CertificationRequest csr) {
+ try (StringWriter stringWriter = new StringWriter(); JcaPEMWriter pemWriter = new JcaPEMWriter(stringWriter)) {
+ pemWriter.writeObject(new PemObject("CERTIFICATE REQUEST", csr.getEncoded()));
+ return stringWriter.toString();
+ } catch (IOException e) {
+ throw new UncheckedIOException(e);
+ }
+ }
+
+ static X509Certificate parseCertificate(String pemEncodedCertificate) {
+ try (PEMParser parser = new PEMParser(new StringReader(pemEncodedCertificate))) {
+ Object pemObject = parser.readObject();
+ if (!(pemObject instanceof X509Certificate)) {
+ throw new IllegalArgumentException("Expeceted X509Certificate instance, got " + pemObject);
+ }
+ return (X509Certificate) pemObject;
+ } catch (IOException e) {
+ throw new UncheckedIOException(e);
+ }
+ }
+}
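Review bot: `parseCertificate` looks like it can never return normally: with the BouncyCastle versions I know, `PEMParser#readObject` yields an `X509CertificateHolder` for a `CERTIFICATE` block rather than a `java.security.cert.X509Certificate`, so the `instanceof` check always fails and every valid PEM certificate is rejected with the (misspelled) "Expeceted" message. Convert the holder with `JcaX509CertificateConverter` as below, or use the JDK's `CertificateFactory.getInstance("X.509")` on the PEM bytes. In `createKeyPair`, `KeyPairGenerator.getInstance("RSA")` is used without `initialize`, so the key size is whatever the provider defaults to (1024 bits on older JDKs); `kpg.initialize(2048);` before `generateKeyPair()` pins it explicitly.
```java
static X509Certificate parseCertificate(String pemEncodedCertificate) {
    try (PEMParser parser = new PEMParser(new StringReader(pemEncodedCertificate))) {
        Object pemObject = parser.readObject();
        if (!(pemObject instanceof X509CertificateHolder)) {
            throw new IllegalArgumentException("Expected X509CertificateHolder instance, got " + pemObject);
        }
        // PEMParser returns a BouncyCastle holder; convert it to the JCA certificate type callers expect
        return new JcaX509CertificateConverter().getCertificate((X509CertificateHolder) pemObject);
    } catch (IOException e) {
        throw new UncheckedIOException(e);
    } catch (CertificateException e) {
        throw new IllegalArgumentException("Invalid X.509 certificate", e);
    }
}
```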
diff --git a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/InstanceRefreshInformation.java b/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/InstanceRefreshInformation.java
new file mode 100644
index 00000000000..621eafca3bb
--- /dev/null
+++ b/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/InstanceRefreshInformation.java
@@ -0,0 +1,24 @@
+// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.container.jdisc.athenz.impl;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+/**
+ * @author bjorncs
+ */
+@JsonIgnoreProperties(ignoreUnknown = true)
+@JsonInclude(JsonInclude.Include.NON_NULL)
+public class InstanceRefreshInformation {
+
+ @JsonProperty("csr")
+ private final String csr;
+ @JsonProperty("token")
+ private final boolean requestServiceToken;
+
+ public InstanceRefreshInformation(String csr, boolean requestServiceToken) {
+ this.csr = csr;
+ this.requestServiceToken = requestServiceToken;
+ }
+}
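Review bot: The new `InstanceRefreshInformation` carries no Javadoc, and the wire name `"token"` on `requestServiceToken` does not tell a reader what the flag requests. A class comment such as `/** Request body for the ZTS instance refresh call: the PEM-encoded CSR plus a flag serialized as "token". */` and a field comment `// serialized as "token"; presumably asks ZTS to also return a service token — confirm against the ZTS API` would help, since the flag's meaning cannot be verified from this diff. `@JsonIgnoreProperties(ignoreUnknown = true)` has no effect on a class that is only ever serialized (there is no Jackson creator), so it could be dropped or the intent noted.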
diff --git a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/SignedIdentityDocument.java b/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/SignedIdentityDocument.java
new file mode 100644
index 00000000000..d302b3d96ce
--- /dev/null
+++ b/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/SignedIdentityDocument.java
@@ -0,0 +1,30 @@
+// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.container.jdisc.athenz.impl;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+/**
+ * @author bjorncs
+ */
+@JsonIgnoreProperties(ignoreUnknown = true)
+@JsonInclude(JsonInclude.Include.NON_NULL)
+class SignedIdentityDocument {
+ public final String providerUniqueId;
+ public final String dnsSuffix;
+ public final String providerService;
+ public final String ztsEndpoint;
+
+ public SignedIdentityDocument(@JsonProperty("provider-unique-id") String providerUniqueId,
+ @JsonProperty("dns-suffix") String dnsSuffix,
+ @JsonProperty("provider-service") String providerService,
+ @JsonProperty("zts-endpoint") String ztsEndpoint) {
+ this.providerUniqueId = providerUniqueId;
+ this.dnsSuffix = dnsSuffix;
+ this.providerService = providerService;
+ this.ztsEndpoint = ztsEndpoint;
+ }
+
+}
+
diff --git a/container-disc/src/test/java/com/yahoo/container/jdisc/athenz/AthenzIdentityProviderTest.java b/container-disc/src/test/java/com/yahoo/container/jdisc/athenz/impl/AthenzIdentityProviderImplTest.java
index 2cf2f8a4031..1f64fb0d379 100644
--- a/container-disc/src/test/java/com/yahoo/container/jdisc/athenz/AthenzIdentityProviderTest.java
+++ b/container-disc/src/test/java/com/yahoo/container/jdisc/athenz/impl/AthenzIdentityProviderImplTest.java
@@ -1,11 +1,8 @@
// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.container.jdisc.athenz;
+package com.yahoo.container.jdisc.athenz.impl;
import com.yahoo.container.core.identity.IdentityConfig;
-import com.yahoo.container.jdisc.athenz.impl.AthenzIdentityProviderImpl;
-import com.yahoo.container.jdisc.athenz.impl.AthenzService;
-import com.yahoo.container.jdisc.athenz.impl.InstanceIdentity;
-import com.yahoo.container.jdisc.athenz.impl.ServiceProviderApi;
+import com.yahoo.container.jdisc.athenz.AthenzIdentityProvider;
import org.junit.Assert;
import org.junit.Test;
@@ -19,7 +16,7 @@ import static org.mockito.Mockito.when;
/**
* @author mortent
*/
-public class AthenzIdentityProviderTest {
+public class AthenzIdentityProviderImplTest {
@Test
public void ntoken_fetched_on_init() throws IOException {