authorBjørn Christian Seime <bjorn.christian@seime.no>2017-10-31 16:45:42 +0100
committerGitHub <noreply@github.com>2017-10-31 16:45:42 +0100
commit405bd2337aa06c52262659a3e9ed8e41cdb4a93b (patch)
tree803b3dcc34624ad4c0304dd154c84d604807fae3
parentcbe778006ebdaec1963c9eea6162fffa98e2a8a9 (diff)
parent3b46a03b6ef37e2e7e063f6fb238b1135a9781c8 (diff)
Merge pull request #3956 from vespa-engine/bjorncs/fix
Bjorncs/fix
-rw-r--r--athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/IdentityDocumentGenerator.java6
-rw-r--r--athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzInstanceProviderServiceTest.java17
-rw-r--r--container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/CryptoUtils.java1
-rw-r--r--container-disc/src/test/java/com/yahoo/container/jdisc/athenz/impl/CryptoUtilsTest.java27
4 files changed, 45 insertions, 6 deletions
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/IdentityDocumentGenerator.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/IdentityDocumentGenerator.java
index efb2179ff6b..0e8ca0017f4 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/IdentityDocumentGenerator.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/IdentityDocumentGenerator.java
@@ -59,7 +59,7 @@ public class IdentityDocumentGenerator {
signature,
SignedIdentityDocument.DEFAULT_KEY_VERSION,
identityDocument.providerUniqueId.asString(),
- dnsSuffix,
+ toZoneDnsSuffix(zone, dnsSuffix),
providerDomain + "." + providerService,
ztsUrl,
SignedIdentityDocument.DEFAILT_DOCUMENT_VERSION
@@ -87,5 +87,9 @@ public class IdentityDocumentGenerator {
node.hostname(),
Instant.now());
}
+
+ private static String toZoneDnsSuffix(Zone zone, String dnsSuffix) {
+ return zone.environment().value() + "-" + zone.region().value() + "." + dnsSuffix;
+ }
}
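Review bot: `toZoneDnsSuffix` on the added lines builds the value that the test in this PR reads back as `signedIdentityDocument.dnsSuffix`, yet nothing documents the produced shape or rejects a null `zone`/`dnsSuffix`, so a caller passing a missing suffix gets an NPE from inside the concatenation rather than at the boundary. A short Javadoc pins the contract: `/** Returns the zone-scoped DNS suffix "<environment>-<region>.<dnsSuffix>" placed in the signed identity document. */`, and `Objects.requireNonNull(zone, "zone"); Objects.requireNonNull(dnsSuffix, "dnsSuffix");` at the top of the method makes the precondition explicit. If `environment().value()` or `region().value()` can ever hold characters outside the hostname alphabet the result is not a usable DNS suffix; I cannot tell from this hunk whether `Zone` constrains them, so worth confirming where the suffix is consumed.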
diff --git a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzInstanceProviderServiceTest.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzInstanceProviderServiceTest.java
index c32f8e18c00..c49122a07b8 100644
--- a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzInstanceProviderServiceTest.java
+++ b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzInstanceProviderServiceTest.java
@@ -103,7 +103,7 @@ public class AthenzInstanceProviderServiceTest {
String service = "service";
AutoGeneratedKeyProvider keyProvider = new AutoGeneratedKeyProvider();
PrivateKey privateKey = keyProvider.getPrivateKey(0);
- AthenzProviderServiceConfig config = getAthenzProviderConfig(domain, service);
+ AthenzProviderServiceConfig config = getAthenzProviderConfig(domain, service, "vespa.dns.suffix");
ScheduledExecutorServiceMock executor = new ScheduledExecutorServiceMock();
AthenzInstanceProviderService athenzInstanceProviderService =
@@ -152,8 +152,9 @@ public class AthenzInstanceProviderServiceTest {
when(nodeRepository.getNode(eq(hostname))).thenReturn(Optional.of(n));
AutoGeneratedKeyProvider keyProvider = new AutoGeneratedKeyProvider();
+ String dnsSuffix = "vespa.dns.suffix";
IdentityDocumentGenerator identityDocumentGenerator = new IdentityDocumentGenerator(
- getAthenzProviderConfig("domain", "service"),
+ getAthenzProviderConfig("domain", "service", dnsSuffix),
nodeRepository,
ZONE,
keyProvider);
@@ -165,8 +166,14 @@ public class AthenzInstanceProviderServiceTest {
// Verify attributes
assertEquals(hostname, signedIdentityDocument.identityDocument.instanceHostname);
+
+ String environment = "dev";
+ String region = "us-north-1";
+ String expectedZoneDnsSuffix = environment + "-" + region + "." + dnsSuffix;
+ assertEquals(expectedZoneDnsSuffix, signedIdentityDocument.dnsSuffix);
+
ProviderUniqueId expectedProviderUniqueId =
- new ProviderUniqueId("tenant", "application", "dev", "us-north-1", "default", "default", 0);
+ new ProviderUniqueId("tenant", "application", environment, region, "default", "default", 0);
assertEquals(expectedProviderUniqueId, signedIdentityDocument.identityDocument.providerUniqueId);
// Validate signature
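Review bot: `String environment = "dev"` and `String region = "us-north-1"` in the added lines restate the `ZONE` fixture's values instead of reading them, and `expectedZoneDnsSuffix` re-derives the result with the same concatenation the production method uses, so a wrong separator or swapped order would pass. Read the fixture and pin the literal: `String environment = ZONE.environment().value();`, `String region = ZONE.region().value();`, `assertEquals("dev-us-north-1.vespa.dns.suffix", signedIdentityDocument.dnsSuffix);`. The enclosing test method begins before this hunk.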
@@ -175,14 +182,14 @@ public class AthenzInstanceProviderServiceTest {
signedIdentityDocument.signature));
}
- private static AthenzProviderServiceConfig getAthenzProviderConfig(String domain, String service) {
+ private static AthenzProviderServiceConfig getAthenzProviderConfig(String domain, String service, String dnsSuffix) {
return new AthenzProviderServiceConfig(
new AthenzProviderServiceConfig.Builder()
.domain(domain)
.serviceName(service)
.port(PORT)
.keyPathPrefix("dummy-path")
- .certDnsSuffix("dnsSuffix")
+ .certDnsSuffix(dnsSuffix)
.ztsUrl("localhost/zts")
.athenzPrincipalHeaderName("Athenz-Principal-Auth")
.apiPath(""));
diff --git a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/CryptoUtils.java b/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/CryptoUtils.java
index 8b24cf94d8a..1b109e4bacb 100644
--- a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/CryptoUtils.java
+++ b/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/CryptoUtils.java
@@ -77,6 +77,7 @@ class CryptoUtils {
static String toPem(PKCS10CertificationRequest csr) {
try (StringWriter stringWriter = new StringWriter(); JcaPEMWriter pemWriter = new JcaPEMWriter(stringWriter)) {
pemWriter.writeObject(new PemObject("CERTIFICATE REQUEST", csr.getEncoded()));
+ pemWriter.flush();
return stringWriter.toString();
} catch (IOException e) {
throw new UncheckedIOException(e);
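Review bot: The added `pemWriter.flush()` is the entire fix but has no comment, and inside a try-with-resources it looks redundant, so a later cleanup could remove it and silently reintroduce the truncated PEM. The ordering is the subtle part: `stringWriter.toString()` on the next line is evaluated before the implicit `close()` runs, and `JcaPEMWriter` is a buffered writer, so without the flush the buffered tail never reaches the `StringWriter`. Suggest `// flush explicitly: toString() runs before close(), and the writer buffers its output` on the added line. `toPem` ends outside the hunk.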
diff --git a/container-disc/src/test/java/com/yahoo/container/jdisc/athenz/impl/CryptoUtilsTest.java b/container-disc/src/test/java/com/yahoo/container/jdisc/athenz/impl/CryptoUtilsTest.java
new file mode 100644
index 00000000000..2a265a3c6fd
--- /dev/null
+++ b/container-disc/src/test/java/com/yahoo/container/jdisc/athenz/impl/CryptoUtilsTest.java
@@ -0,0 +1,27 @@
+package com.yahoo.container.jdisc.athenz.impl;
+
+import org.bouncycastle.pkcs.PKCS10CertificationRequest;
+import org.junit.Test;
+
+import java.io.IOException;
+import java.security.KeyPair;
+
+import static org.hamcrest.CoreMatchers.containsString;
+import static org.junit.Assert.assertThat;
+
+/**
+ * @author bjorncs
+ */
+public class CryptoUtilsTest {
+
+ @Test
+ public void certificate_signing_request_is_correct_and_can_be_serialized_to_pem() throws IOException {
+ KeyPair keyPair = CryptoUtils.createKeyPair();
+ PKCS10CertificationRequest csr = CryptoUtils.createCSR(
+ "identity-domain", "identity-service", "vespa.cloud.com", "unique.instance.id", keyPair);
+ String pem = CryptoUtils.toPem(csr);
+ assertThat(pem, containsString("BEGIN CERTIFICATE REQUEST"));
+ assertThat(pem, containsString("END CERTIFICATE REQUEST"));
+ }
+
+}
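Review bot: The new test's name promises the CSR "is correct", but the assertions only check that the BEGIN/END markers appear in the output; a CSR whose body is garbage or empty would still pass, which is exactly the class of truncation the companion `flush()` fix addresses. Parse the PEM back and compare encodings so the round trip is verified; this needs imports for `org.bouncycastle.openssl.PEMParser`, `java.io.StringReader` and `org.junit.Assert.assertArrayEquals`. Whether `createCSR` sets the expected subject or SAN from the given domain/service/instance arguments is not visible here, so asserting on those fields would need confirming against its implementation first.
```java
        String pem = CryptoUtils.toPem(csr);
        // … unchanged: BEGIN/END marker assertions …
        try (PEMParser parser = new PEMParser(new StringReader(pem))) {
            PKCS10CertificationRequest parsed = (PKCS10CertificationRequest) parser.readObject();
            assertArrayEquals(csr.getEncoded(), parsed.getEncoded());
        }
```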