author | Bjørn Christian Seime <bjorn.christian@seime.no> | 2017-10-31 16:45:42 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-10-31 16:45:42 +0100 |
commit | 405bd2337aa06c52262659a3e9ed8e41cdb4a93b (patch) | |
tree | 803b3dcc34624ad4c0304dd154c84d604807fae3 | |
parent | cbe778006ebdaec1963c9eea6162fffa98e2a8a9 (diff) | |
parent | 3b46a03b6ef37e2e7e063f6fb238b1135a9781c8 (diff) |
Merge pull request #3956 from vespa-engine/bjorncs/fix
Bjorncs/fix
4 files changed, 45 insertions, 6 deletions
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/IdentityDocumentGenerator.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/IdentityDocumentGenerator.java
index efb2179ff6b..0e8ca0017f4 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/IdentityDocumentGenerator.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/IdentityDocumentGenerator.java
@@ -59,7 +59,7 @@ public class IdentityDocumentGenerator {
 signature,
 SignedIdentityDocument.DEFAULT_KEY_VERSION,
 identityDocument.providerUniqueId.asString(),
- dnsSuffix,
+ toZoneDnsSuffix(zone, dnsSuffix),
 providerDomain + "." + providerService,
 ztsUrl,
 SignedIdentityDocument.DEFAILT_DOCUMENT_VERSION
@@ -87,5 +87,9 @@ public class IdentityDocumentGenerator {
 node.hostname(),
 Instant.now());
 }
+
+ private static String toZoneDnsSuffix(Zone zone, String dnsSuffix) {
+ return zone.environment().value() + "-" + zone.region().value() + "." + dnsSuffix;
+ }
 }
diff --git a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzInstanceProviderServiceTest.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzInstanceProviderServiceTest.java
index c32f8e18c00..c49122a07b8 100644
--- a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzInstanceProviderServiceTest.java
+++ b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzInstanceProviderServiceTest.java
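Review bot: `toZoneDnsSuffix` in the second hunk is undocumented even though its result becomes the `dnsSuffix` field of the signed identity document (the accompanying test asserts on `signedIdentityDocument.dnsSuffix`), so its format deserves a Javadoc such as `/** Zone-scoped DNS suffix embedded in the identity document, e.g. {@code dev-us-north-1.<dnsSuffix>} for environment dev and region us-north-1. */`. The method also concatenates blindly: an empty or dot-prefixed `certDnsSuffix` configuration value produces a suffix ending in a dot or containing `..`, which would presumably only surface when names derived from it are rejected downstream, so a `Objects.requireNonNull(dnsSuffix, "dnsSuffix")` plus a non-blank check where the generator takes the value from its config would fail fast instead. Unrelated to this change but visible in the first hunk's context, `SignedIdentityDocument.DEFAILT_DOCUMENT_VERSION` is misspelled and worth a follow-up rename. The constructor-argument list in the first hunk begins outside the hunk.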
@@ -103,7 +103,7 @@ public class AthenzInstanceProviderServiceTest {
 String service = "service";
 AutoGeneratedKeyProvider keyProvider = new AutoGeneratedKeyProvider();
 PrivateKey privateKey = keyProvider.getPrivateKey(0);
- AthenzProviderServiceConfig config = getAthenzProviderConfig(domain, service);
+ AthenzProviderServiceConfig config = getAthenzProviderConfig(domain, service, "vespa.dns.suffix");
 ScheduledExecutorServiceMock executor = new ScheduledExecutorServiceMock();
 AthenzInstanceProviderService athenzInstanceProviderService =
@@ -152,8 +152,9 @@ public class AthenzInstanceProviderServiceTest {
 when(nodeRepository.getNode(eq(hostname))).thenReturn(Optional.of(n));
 AutoGeneratedKeyProvider keyProvider = new AutoGeneratedKeyProvider();
+ String dnsSuffix = "vespa.dns.suffix";
 IdentityDocumentGenerator identityDocumentGenerator = new IdentityDocumentGenerator(
- getAthenzProviderConfig("domain", "service"),
+ getAthenzProviderConfig("domain", "service", dnsSuffix),
 nodeRepository,
 ZONE,
 keyProvider);
@@ -165,8 +166,14 @@ public class AthenzInstanceProviderServiceTest {
 // Verify attributes
 assertEquals(hostname, signedIdentityDocument.identityDocument.instanceHostname);
+
+ String environment = "dev";
+ String region = "us-north-1";
+ String expectedZoneDnsSuffix = environment + "-" + region + "." + dnsSuffix;
+ assertEquals(expectedZoneDnsSuffix, signedIdentityDocument.dnsSuffix);
+
 ProviderUniqueId expectedProviderUniqueId =
- new ProviderUniqueId("tenant", "application", "dev", "us-north-1", "default", "default", 0);
+ new ProviderUniqueId("tenant", "application", environment, region, "default", "default", 0);
 assertEquals(expectedProviderUniqueId, signedIdentityDocument.identityDocument.providerUniqueId);
 // Validate signature
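Review bot: The new assertion in the third hunk (`@@ -165`) rebuilds the expected value with the same formula the production code uses, `environment + "-" + region + "." + dnsSuffix`, so a wrong separator or swapped order would be reproduced on both sides and still pass; assert the literal instead, `assertEquals("dev-us-north-1.vespa.dns.suffix", signedIdentityDocument.dnsSuffix);`. The literal `"vespa.dns.suffix"` now appears in both the first hunk (`@@ -103`) and the second, and a single `private static final String DNS_SUFFIX = "vespa.dns.suffix";` would keep the two tests in step. The enclosing test methods begin before their hunks.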
@@ -175,14 +182,14 @@ public class AthenzInstanceProviderServiceTest {
 signedIdentityDocument.signature));
 }
- private static AthenzProviderServiceConfig getAthenzProviderConfig(String domain, String service) {
+ private static AthenzProviderServiceConfig getAthenzProviderConfig(String domain, String service, String dnsSuffix) {
 return new AthenzProviderServiceConfig(
 new AthenzProviderServiceConfig.Builder()
 .domain(domain)
 .serviceName(service)
 .port(PORT)
 .keyPathPrefix("dummy-path")
- .certDnsSuffix("dnsSuffix")
+ .certDnsSuffix(dnsSuffix)
 .ztsUrl("localhost/zts")
 .athenzPrincipalHeaderName("Athenz-Principal-Auth")
 .apiPath(""));
diff --git a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/CryptoUtils.java b/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/CryptoUtils.java
index 8b24cf94d8a..1b109e4bacb 100644
--- a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/CryptoUtils.java
+++ b/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/CryptoUtils.java
@@ -77,6 +77,7 @@ class CryptoUtils {
 static String toPem(PKCS10CertificationRequest csr) {
 try (StringWriter stringWriter = new StringWriter(); JcaPEMWriter pemWriter = new JcaPEMWriter(stringWriter)) {
 pemWriter.writeObject(new PemObject("CERTIFICATE REQUEST", csr.getEncoded()));
+ pemWriter.flush();
 return stringWriter.toString();
 } catch (IOException e) {
 throw new UncheckedIOException(e);
diff --git a/container-disc/src/test/java/com/yahoo/container/jdisc/athenz/impl/CryptoUtilsTest.java b/container-disc/src/test/java/com/yahoo/container/jdisc/athenz/impl/CryptoUtilsTest.java
new file mode 100644
index 00000000000..2a265a3c6fd
--- /dev/null
+++ b/container-disc/src/test/java/com/yahoo/container/jdisc/athenz/impl/CryptoUtilsTest.java
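Review bot: The added `pemWriter.flush()` in the CryptoUtils hunk fixes a real defect, but nothing in the code says why it is needed, so a later cleanup may remove it as redundant; add a why-comment such as `// flush explicitly: the return expression is evaluated before try-with-resources closes (and thereby flushes) the buffered writer`. The `StringWriter` in the resource list gains nothing from being managed (its close() is a no-op) and could be a plain local, leaving only the writer that actually needs closing in the try header. The enclosing method ends after the hunk.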
@@ -0,0 +1,27 @@
+package com.yahoo.container.jdisc.athenz.impl;
+
+import org.bouncycastle.pkcs.PKCS10CertificationRequest;
+import org.junit.Test;
+
+import java.io.IOException;
+import java.security.KeyPair;
+
+import static org.hamcrest.CoreMatchers.containsString;
+import static org.junit.Assert.assertThat;
+
+/**
+ * @author bjorncs
+ */
+public class CryptoUtilsTest {
+
+ @Test
+ public void certificate_signing_request_is_correct_and_can_be_serialized_to_pem() throws IOException {
+ KeyPair keyPair = CryptoUtils.createKeyPair();
+ PKCS10CertificationRequest csr = CryptoUtils.createCSR(
+ "identity-domain", "identity-service", "vespa.cloud.com", "unique.instance.id", keyPair);
+ String pem = CryptoUtils.toPem(csr);
+ assertThat(pem, containsString("BEGIN CERTIFICATE REQUEST"));
+ assertThat(pem, containsString("END CERTIFICATE REQUEST"));
+ }
+
+} |
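Review bot: The two `containsString` assertions only prove the BEGIN/END markers are present, so a truncated or corrupted base64 body would still pass even though the bug this commit fixes was precisely the body not being written out; round-trip the output instead, `try (PEMParser parser = new PEMParser(new StringReader(pem))) {` / `assertEquals(csr, parser.readObject());` / `}`, since PEMParser yields a PKCS10CertificationRequest for this PEM type and the comparison then covers the full encoding. The method name promises the request "is_correct" but no assertion inspects the CSR itself; either narrow the name to what is checked or add an assertion on `csr.getSubject()` built from the `"identity-domain"`/`"identity-service"` inputs (how createCSR maps those arguments is not visible here).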