diff options
| author | Morten Tokle <morten.tokle@gmail.com> | 2018-08-07 09:34:17 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2018-08-07 09:34:17 +0200 |
| commit | b1e6aad3a041d5b934562bdb589ad3a0a01dd0b9 (patch) | |
| tree | bc675a3446aef61fdc04332552f3747e0859eb8d | |
| parent | 5694de3199a631126f6155f8cdc26cb26822a381 (diff) | |
Revert "Bjorncs/remove wrapped identity document"
10 files changed, 436 insertions, 38 deletions
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java index 950d2df9532..0abbb5a64f5 100644 --- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java +++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java @@ -5,6 +5,7 @@ import com.google.inject.Inject; import com.yahoo.config.provision.Zone; import com.yahoo.net.HostName; import com.yahoo.vespa.athenz.api.AthenzService; +import com.yahoo.vespa.athenz.identityprovider.api.IdentityDocument; import com.yahoo.vespa.athenz.identityprovider.api.IdentityType; import com.yahoo.vespa.athenz.identityprovider.api.SignedIdentityDocument; import com.yahoo.vespa.athenz.identityprovider.api.VespaUniqueInstanceId; @@ -16,6 +17,7 @@ import com.yahoo.vespa.hosted.provision.Node; import com.yahoo.vespa.hosted.provision.NodeRepository; import com.yahoo.vespa.hosted.provision.node.Allocation; +import java.net.URI; import java.security.PrivateKey; import java.time.Instant; import java.util.HashSet; @@ -47,46 +49,57 @@ public class IdentityDocumentGenerator { } public SignedIdentityDocument generateSignedIdentityDocument(String hostname, IdentityType identityType) { + Node node = nodeRepository.getNode(hostname).orElseThrow(() -> new RuntimeException("Unable to find node " + hostname)); try { - Node node = nodeRepository.getNode(hostname).orElseThrow(() -> new RuntimeException("Unable to find node " + hostname)); - Allocation allocation = node.allocation().orElseThrow(() -> new RuntimeException("No allocation for node " + node.hostname())); - VespaUniqueInstanceId providerUniqueId = new VespaUniqueInstanceId( - allocation.membership().index(), - allocation.membership().cluster().id().value(), - allocation.owner().instance().value(), - allocation.owner().application().value(), - allocation.owner().tenant().value(), - zone.region().value(), - zone.environment().value(), - identityType); - - Set<String> ips = new HashSet<>(node.ipAddresses()); + IdentityDocument identityDocument = generateIdDocument(node, identityType); PrivateKey privateKey = keyProvider.getPrivateKey(zoneConfig.secretVersion()); AthenzService providerService = new AthenzService(zoneConfig.domain(), zoneConfig.serviceName()); - String configServerHostname = HostName.getLocalhost(); - Instant createdAt = Instant.now(); String signature = signer.generateSignature( - providerUniqueId, providerService, configServerHostname, - node.hostname(), createdAt, ips, identityType, privateKey); + identityDocument.providerUniqueId(), providerService, identityDocument.configServerHostname(), + identityDocument.instanceHostname(), identityDocument.createdAt(), identityDocument.ipAddresses(), identityType, privateKey); return new SignedIdentityDocument( + identityDocument, signature, SignedIdentityDocument.DEFAULT_KEY_VERSION, - providerUniqueId, + identityDocument.providerUniqueId(), + toZoneDnsSuffix(zone, zoneConfig.certDnsSuffix()), providerService, + URI.create(zoneConfig.ztsUrl()), SignedIdentityDocument.DEFAULT_DOCUMENT_VERSION, - configServerHostname, - node.hostname(), - createdAt, - ips, + identityDocument.configServerHostname(), + identityDocument.instanceHostname(), + identityDocument.createdAt(), + identityDocument.ipAddresses(), identityType); } catch (Exception e) { throw new RuntimeException("Exception generating identity document: " + e.getMessage(), e); } } + private IdentityDocument generateIdDocument(Node node, IdentityType identityType) { + Allocation allocation = node.allocation().orElseThrow(() -> new RuntimeException("No allocation for node " + node.hostname())); + VespaUniqueInstanceId providerUniqueId = new VespaUniqueInstanceId( + allocation.membership().index(), + allocation.membership().cluster().id().value(), + allocation.owner().instance().value(), + allocation.owner().application().value(), + allocation.owner().tenant().value(), + zone.region().value(), + zone.environment().value(), + identityType); + + Set<String> ips = new HashSet<>(node.ipAddresses()); + return new IdentityDocument( + providerUniqueId, + HostName.getLocalhost(), + node.hostname(), + Instant.now(), + ips); + } + private static String toZoneDnsSuffix(Zone zone, String dnsSuffix) { return zone.environment().value() + "-" + zone.region().value() + "." + dnsSuffix; } diff --git a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGeneratorTest.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGeneratorTest.java index 48e85f6047e..a1839ec62a2 100644 --- a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGeneratorTest.java +++ b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGeneratorTest.java @@ -87,6 +87,8 @@ public class IdentityDocumentGeneratorTest { String environment = "dev"; String region = "us-north-1"; + String expectedZoneDnsSuffix = environment + "-" + region + "." + dnsSuffix; + assertEquals(expectedZoneDnsSuffix, signedIdentityDocument.dnsSuffix()); VespaUniqueInstanceId expectedProviderUniqueId = new VespaUniqueInstanceId(0, "default", "default", "application", "tenant", region, environment, IdentityType.TENANT); diff --git a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidatorTest.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidatorTest.java index 56777325231..04c4d4da51a 100644 --- a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidatorTest.java +++ b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidatorTest.java @@ -1,6 +1,8 @@ // Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. package com.yahoo.vespa.hosted.athenz.instanceproviderservice.instanceconfirmation; +import com.fasterxml.jackson.databind.ObjectMapper; +import com.google.common.collect.ImmutableSet; import com.yahoo.config.model.api.ApplicationInfo; import com.yahoo.config.model.api.HostInfo; import com.yahoo.config.model.api.Model; @@ -8,8 +10,18 @@ import com.yahoo.config.model.api.ServiceInfo; import com.yahoo.config.model.api.SuperModel; import com.yahoo.config.model.api.SuperModelProvider; import com.yahoo.config.provision.ApplicationId; +import com.yahoo.vespa.athenz.identityprovider.api.EntityBindingsMapper; +import com.yahoo.vespa.athenz.identityprovider.api.bindings.IdentityDocumentEntity; +import com.yahoo.vespa.athenz.identityprovider.api.bindings.SignedIdentityDocumentEntity; +import com.yahoo.vespa.athenz.identityprovider.api.bindings.VespaUniqueInstanceIdEntity; +import com.yahoo.vespa.hosted.athenz.instanceproviderservice.impl.Utils; import org.junit.Test; +import java.net.URI; +import java.security.PrivateKey; +import java.security.Signature; +import java.time.Instant; +import java.util.Base64; import java.util.Collections; import java.util.HashMap; import java.util.List; @@ -28,7 +40,6 @@ import static org.mockito.Mockito.when; /** * @author valerijf - * @author bjorncs */ public class InstanceValidatorTest { @@ -82,6 +93,44 @@ public class InstanceValidatorTest { assertTrue(instanceValidator.isSameIdentityAsInServicesXml(applicationId, domain, service)); } + private static InstanceConfirmation createInstanceConfirmation(PrivateKey privateKey, ApplicationId applicationId, + String domain, String service) { + IdentityDocumentEntity identityDocument = new IdentityDocumentEntity( + new VespaUniqueInstanceIdEntity(applicationId.tenant().value(), applicationId.application().value(), + "environment", "region", applicationId.instance().value(), "cluster-id", 0), + "hostname", + "instance-hostname", + Instant.now(), + ImmutableSet.of("127.0.0.1", "::1")); + + try { + ObjectMapper mapper = Utils.getMapper(); + String encodedIdentityDocument = + Base64.getEncoder().encodeToString(mapper.writeValueAsString(identityDocument).getBytes()); + Signature sigGenerator = Signature.getInstance("SHA512withRSA"); + sigGenerator.initSign(privateKey); + sigGenerator.update(encodedIdentityDocument.getBytes()); + + return new InstanceConfirmation( + "provider", domain, service, + new SignedIdentityDocumentEntity(encodedIdentityDocument, + Base64.getEncoder().encodeToString(sigGenerator.sign()), + 0, + EntityBindingsMapper.toVespaUniqueInstanceId(identityDocument.providerUniqueId).asDottedString(), + "dnssuffix", + "service", + URI.create("http://localhost/zts"), + 1, + identityDocument.configServerHostname, + identityDocument.instanceHostname, + identityDocument.createdAt, + identityDocument.ipAddresses, + null)); // TODO Remove support for legacy representation without type + } catch (Exception e) { + throw new RuntimeException(e); + } + } + private SuperModelProvider mockSuperModelProvider(ApplicationInfo... appInfos) { SuperModel superModel = new SuperModel(Stream.of(appInfos) .collect(Collectors.groupingBy( diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/EntityBindingsMapper.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/EntityBindingsMapper.java index a01bbe2fae1..3bfe492a125 100644 --- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/EntityBindingsMapper.java +++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/EntityBindingsMapper.java @@ -5,11 +5,14 @@ import com.fasterxml.jackson.core.JsonProcessingException; import com.fasterxml.jackson.databind.ObjectMapper; import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule; import com.yahoo.vespa.athenz.api.AthenzService; +import com.yahoo.vespa.athenz.identityprovider.api.bindings.IdentityDocumentEntity; import com.yahoo.vespa.athenz.identityprovider.api.bindings.SignedIdentityDocumentEntity; +import com.yahoo.vespa.athenz.identityprovider.api.bindings.VespaUniqueInstanceIdEntity; import java.io.IOException; import java.io.UncheckedIOException; import java.nio.file.Path; +import java.util.Base64; import static com.yahoo.vespa.athenz.identityprovider.api.VespaUniqueInstanceId.fromDottedString; @@ -32,12 +35,29 @@ public class EntityBindingsMapper { } } + public static VespaUniqueInstanceId toVespaUniqueInstanceId(VespaUniqueInstanceIdEntity entity) { + return new VespaUniqueInstanceId( + entity.clusterIndex, entity.clusterId, entity.instance, entity.application, entity.tenant, entity.region, entity.environment, entity.type != null ? IdentityType.fromId(entity.type) : null); // TODO Remove support for legacy representation without type + } + + public static IdentityDocument toIdentityDocument(IdentityDocumentEntity entity) { + return new IdentityDocument( + toVespaUniqueInstanceId(entity.providerUniqueId), + entity.configServerHostname, + entity.instanceHostname, + entity.createdAt, + entity.ipAddresses); + } + public static SignedIdentityDocument toSignedIdentityDocument(SignedIdentityDocumentEntity entity) { return new SignedIdentityDocument( + entity.identityDocument != null ? toIdentityDocument(entity.identityDocument) : null, entity.signature, entity.signingKeyVersion, fromDottedString(entity.providerUniqueId), + entity.dnsSuffix, new AthenzService(entity.providerService), + entity.ztsEndpoint, entity.documentVersion, entity.configServerHostname, entity.instanceHostname, @@ -46,18 +66,42 @@ public class EntityBindingsMapper { entity.identityType != null ? IdentityType.fromId(entity.identityType) : null); // TODO Remove support for legacy representation without type } - public static SignedIdentityDocumentEntity toSignedIdentityDocumentEntity(SignedIdentityDocument model) { - return new SignedIdentityDocumentEntity( - model.signature(), - model.signingKeyVersion(), - model.providerUniqueId().asDottedString(), - model.providerService().getFullName(), - model.documentVersion(), + public static VespaUniqueInstanceIdEntity toVespaUniqueInstanceIdEntity(VespaUniqueInstanceId model) { + return new VespaUniqueInstanceIdEntity( + model.tenant(), model.application(), model.environment(), model.region(), + model.instance(), model.clusterId(), model.clusterIndex(), model.type() != null ? model.type().id() : null); // TODO Remove support for legacy representation without type + } + + public static IdentityDocumentEntity toIdentityDocumentEntity(IdentityDocument model) { + return new IdentityDocumentEntity( + toVespaUniqueInstanceIdEntity(model.providerUniqueId()), model.configServerHostname(), model.instanceHostname(), model.createdAt(), - model.ipAddresses(), - model.identityType() != null ? model.identityType().id() : null); // TODO Remove support for legacy representation without type + model.ipAddresses()); + } + + public static SignedIdentityDocumentEntity toSignedIdentityDocumentEntity(SignedIdentityDocument model) { + try { + IdentityDocumentEntity identityDocumentEntity = model.identityDocument() != null ? toIdentityDocumentEntity(model.identityDocument()) : null; + String rawDocument = Base64.getEncoder().encodeToString(mapper.writeValueAsString(identityDocumentEntity).getBytes()); + return new SignedIdentityDocumentEntity( + rawDocument, + model.signature(), + model.signingKeyVersion(), + model.providerUniqueId().asDottedString(), + model.dnsSuffix(), + model.providerService().getFullName(), + model.ztsEndpoint(), + model.documentVersion(), + model.configServerHostname(), + model.instanceHostname(), + model.createdAt(), + model.ipAddresses(), + model.identityType() != null ? model.identityType().id() : null); // TODO Remove support for legacy representation without type + } catch (JsonProcessingException e) { + throw new RuntimeException(e); + } } public static SignedIdentityDocument readSignedIdentityDocumentFromFile(Path file) { diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/IdentityDocument.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/IdentityDocument.java new file mode 100644 index 00000000000..82d0a3d622c --- /dev/null +++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/IdentityDocument.java @@ -0,0 +1,52 @@ +// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. +package com.yahoo.vespa.athenz.identityprovider.api; + +import java.time.Instant; +import java.util.Set; + +/** + * The identity document that contains the instance specific information + * + * @author bjorncs + * @deprecated Will soon be inlined into {@link SignedIdentityDocument} + */ +@Deprecated +public class IdentityDocument { + private final VespaUniqueInstanceId providerUniqueId; + private final String configServerHostname; + private final String instanceHostname; + private final Instant createdAt; + private final Set<String> ipAddresses; + + public IdentityDocument(VespaUniqueInstanceId providerUniqueId, + String configServerHostname, + String instanceHostname, + Instant createdAt, + Set<String> ipAddresses) { + this.providerUniqueId = providerUniqueId; + this.configServerHostname = configServerHostname; + this.instanceHostname = instanceHostname; + this.createdAt = createdAt; + this.ipAddresses = ipAddresses; + } + + public VespaUniqueInstanceId providerUniqueId() { + return providerUniqueId; + } + + public String configServerHostname() { + return configServerHostname; + } + + public String instanceHostname() { + return instanceHostname; + } + + public Instant createdAt() { + return createdAt; + } + + public Set<String> ipAddresses() { + return ipAddresses; + } +} diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/SignedIdentityDocument.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/SignedIdentityDocument.java index dc5dae9d516..aa1dbd4dac3 100644 --- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/SignedIdentityDocument.java +++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/SignedIdentityDocument.java @@ -3,11 +3,12 @@ package com.yahoo.vespa.athenz.identityprovider.api; import com.yahoo.vespa.athenz.api.AthenzService; +import java.net.URI; import java.time.Instant; import java.util.Set; /** - * A signed identity document + * A signed identity document which contains a {@link IdentityDocument} * * @author bjorncs */ @@ -15,10 +16,13 @@ public class SignedIdentityDocument { public static final int DEFAULT_KEY_VERSION = 0; public static final int DEFAULT_DOCUMENT_VERSION = 1; + private final IdentityDocument identityDocument; private final String signature; private final int signingKeyVersion; private final VespaUniqueInstanceId providerUniqueId; + private final String dnsSuffix; private final AthenzService providerService; + private final URI ztsEndpoint; private final int documentVersion; private final String configServerHostname; private final String instanceHostname; @@ -26,20 +30,26 @@ public class SignedIdentityDocument { private final Set<String> ipAddresses; private final IdentityType identityType; - public SignedIdentityDocument(String signature, + public SignedIdentityDocument(IdentityDocument identityDocument, + String signature, int signingKeyVersion, VespaUniqueInstanceId providerUniqueId, + String dnsSuffix, AthenzService providerService, + URI ztsEndpoint, int documentVersion, String configServerHostname, String instanceHostname, Instant createdAt, Set<String> ipAddresses, IdentityType identityType) { + this.identityDocument = identityDocument; this.signature = signature; this.signingKeyVersion = signingKeyVersion; this.providerUniqueId = providerUniqueId; + this.dnsSuffix = dnsSuffix; this.providerService = providerService; + this.ztsEndpoint = ztsEndpoint; this.documentVersion = documentVersion; this.configServerHostname = configServerHostname; this.instanceHostname = instanceHostname; @@ -48,6 +58,11 @@ public class SignedIdentityDocument { this.identityType = identityType; } + @Deprecated + public IdentityDocument identityDocument() { + return identityDocument; + } + public String signature() { return signature; } @@ -60,10 +75,20 @@ public class SignedIdentityDocument { return providerUniqueId; } + @Deprecated + public String dnsSuffix() { + return dnsSuffix; + } + public AthenzService providerService() { return providerService; } + @Deprecated + public URI ztsEndpoint() { + return ztsEndpoint; + } + public int documentVersion() { return documentVersion; } diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/IdentityDocumentEntity.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/IdentityDocumentEntity.java new file mode 100644 index 00000000000..b4b2e82ab0e --- /dev/null +++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/IdentityDocumentEntity.java @@ -0,0 +1,73 @@ +// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. +package com.yahoo.vespa.athenz.identityprovider.api.bindings; + +import com.fasterxml.jackson.annotation.JsonIgnoreProperties; +import com.fasterxml.jackson.annotation.JsonProperty; + +import java.time.Instant; +import java.util.Objects; +import java.util.Set; + +/** + * @author bjorncs + * @deprecated Will soon be inlined into {@link SignedIdentityDocumentEntity} + */ +@JsonIgnoreProperties(ignoreUnknown = true) +@Deprecated +public class IdentityDocumentEntity { + + @JsonProperty("provider-unique-id") + public final VespaUniqueInstanceIdEntity providerUniqueId; + @JsonProperty("configserver-hostname") + public final String configServerHostname; + @JsonProperty("instance-hostname") + public final String instanceHostname; + @JsonProperty("created-at") + public final Instant createdAt; + @JsonProperty("ip-addresses") + public final Set<String> ipAddresses; + + public IdentityDocumentEntity( + @JsonProperty("provider-unique-id") VespaUniqueInstanceIdEntity providerUniqueId, + @JsonProperty("configserver-hostname") String configServerHostname, + @JsonProperty("instance-hostname") String instanceHostname, + @JsonProperty("created-at") Instant createdAt, + @JsonProperty("ip-addresses") Set<String> ipAddresses) { + this.providerUniqueId = providerUniqueId; + this.configServerHostname = configServerHostname; + this.instanceHostname = instanceHostname; + this.createdAt = createdAt; + this.ipAddresses = ipAddresses; + } + + + @Override + public String toString() { + return "IdentityDocumentEntity{" + + "providerUniqueId=" + providerUniqueId + + ", configServerHostname='" + configServerHostname + '\'' + + ", instanceHostname='" + instanceHostname + '\'' + + ", createdAt=" + createdAt + + ", ipAddresses=" + ipAddresses + + '}'; + } + + + @Override + public boolean equals(Object o) { + if (this == o) return true; + if (o == null || getClass() != o.getClass()) return false; + IdentityDocumentEntity that = (IdentityDocumentEntity) o; + return Objects.equals(providerUniqueId, that.providerUniqueId) && + Objects.equals(configServerHostname, that.configServerHostname) && + Objects.equals(instanceHostname, that.instanceHostname) && + Objects.equals(createdAt, that.createdAt) && + Objects.equals(ipAddresses, that.ipAddresses); + } + + @Override + public int hashCode() { + + return Objects.hash(providerUniqueId, configServerHostname, instanceHostname, createdAt, ipAddresses); + } +} diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/SignedIdentityDocumentEntity.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/SignedIdentityDocumentEntity.java index 52d33f79c1d..3d4872549d6 100644 --- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/SignedIdentityDocumentEntity.java +++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/SignedIdentityDocumentEntity.java @@ -2,10 +2,17 @@ package com.yahoo.vespa.athenz.identityprovider.api.bindings; import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.annotation.JsonIgnore; import com.fasterxml.jackson.annotation.JsonIgnoreProperties; import com.fasterxml.jackson.annotation.JsonProperty; +import com.fasterxml.jackson.databind.ObjectMapper; +import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule; +import java.io.IOException; +import java.io.UncheckedIOException; +import java.net.URI; import java.time.Instant; +import java.util.Base64; import java.util.Objects; import java.util.Set; @@ -15,10 +22,16 @@ import java.util.Set; @JsonIgnoreProperties(ignoreUnknown = true) public class SignedIdentityDocumentEntity { + private static final ObjectMapper mapper = createObjectMapper(); + + @JsonProperty("identity-document")public final String rawIdentityDocument; + @JsonIgnore @Deprecated public final IdentityDocumentEntity identityDocument; @JsonProperty("signature") public final String signature; @JsonProperty("signing-key-version") public final int signingKeyVersion; @JsonProperty("provider-unique-id") public final String providerUniqueId; // String representation + @JsonProperty("dns-suffix") public final String dnsSuffix; @JsonProperty("provider-service") public final String providerService; + @JsonProperty("zts-endpoint") public final URI ztsEndpoint; @JsonProperty("document-version") public final int documentVersion; @JsonProperty("configserver-hostname") public final String configServerHostname; @JsonProperty("instance-hostname") public final String instanceHostname; @@ -27,20 +40,27 @@ public class SignedIdentityDocumentEntity { @JsonProperty("identity-type") public final String identityType; @JsonCreator - public SignedIdentityDocumentEntity(@JsonProperty("signature") String signature, + public SignedIdentityDocumentEntity(@JsonProperty("identity-document") String rawIdentityDocument, + @JsonProperty("signature") String signature, @JsonProperty("signing-key-version") int signingKeyVersion, @JsonProperty("provider-unique-id") String providerUniqueId, + @JsonProperty("dns-suffix") String dnsSuffix, @JsonProperty("provider-service") String providerService, + @JsonProperty("zts-endpoint") URI ztsEndpoint, @JsonProperty("document-version") int documentVersion, @JsonProperty("configserver-hostname") String configServerHostname, @JsonProperty("instance-hostname") String instanceHostname, @JsonProperty("created-at") Instant createdAt, @JsonProperty("ip-addresses") Set<String> ipAddresses, @JsonProperty("identity-type") String identityType) { + this.rawIdentityDocument = rawIdentityDocument; + this.identityDocument = parseIdentityDocument(rawIdentityDocument); this.signature = signature; this.signingKeyVersion = signingKeyVersion; this.providerUniqueId = providerUniqueId; + this.dnsSuffix = dnsSuffix; this.providerService = providerService; + this.ztsEndpoint = ztsEndpoint; this.documentVersion = documentVersion; this.configServerHostname = configServerHostname; this.instanceHostname = instanceHostname; @@ -49,13 +69,31 @@ public class SignedIdentityDocumentEntity { this.identityType = identityType; } + private static IdentityDocumentEntity parseIdentityDocument(String rawIdentityDocument) { + try { + return mapper.readValue(Base64.getDecoder().decode(rawIdentityDocument), IdentityDocumentEntity.class); + } catch (IOException e) { + throw new UncheckedIOException(e); + } + } + + private static ObjectMapper createObjectMapper() { + ObjectMapper mapper = new ObjectMapper(); + mapper.registerModule(new JavaTimeModule()); + return mapper; + } + @Override public String toString() { return "SignedIdentityDocumentEntity{" + + "rawIdentityDocument='" + rawIdentityDocument + '\'' + + ", identityDocument=" + identityDocument + ", signature='" + signature + '\'' + ", signingKeyVersion=" + signingKeyVersion + ", providerUniqueId='" + providerUniqueId + '\'' + + ", dnsSuffix='" + dnsSuffix + '\'' + ", providerService='" + providerService + '\'' + + ", ztsEndpoint=" + ztsEndpoint + ", documentVersion=" + documentVersion + ", configServerHostname='" + configServerHostname + '\'' + ", instanceHostname='" + instanceHostname + '\'' + @@ -72,9 +110,13 @@ public class SignedIdentityDocumentEntity { SignedIdentityDocumentEntity that = (SignedIdentityDocumentEntity) o; return signingKeyVersion == that.signingKeyVersion && documentVersion == that.documentVersion && + Objects.equals(rawIdentityDocument, that.rawIdentityDocument) && + Objects.equals(identityDocument, that.identityDocument) && Objects.equals(signature, that.signature) && Objects.equals(providerUniqueId, that.providerUniqueId) && + Objects.equals(dnsSuffix, that.dnsSuffix) && Objects.equals(providerService, that.providerService) && + Objects.equals(ztsEndpoint, that.ztsEndpoint) && Objects.equals(configServerHostname, that.configServerHostname) && Objects.equals(instanceHostname, that.instanceHostname) && Objects.equals(createdAt, that.createdAt) && @@ -84,6 +126,6 @@ public class SignedIdentityDocumentEntity { @Override public int hashCode() { - return Objects.hash(signature, signingKeyVersion, providerUniqueId, providerService, documentVersion, configServerHostname, instanceHostname, createdAt, ipAddresses, identityType); + return Objects.hash(rawIdentityDocument, identityDocument, signature, signingKeyVersion, providerUniqueId, dnsSuffix, providerService, ztsEndpoint, documentVersion, configServerHostname, instanceHostname, createdAt, ipAddresses, identityType); } } diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/VespaUniqueInstanceIdEntity.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/VespaUniqueInstanceIdEntity.java new file mode 100644 index 00000000000..3fdbb49b28e --- /dev/null +++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/VespaUniqueInstanceIdEntity.java @@ -0,0 +1,97 @@ +// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. +package com.yahoo.vespa.athenz.identityprovider.api.bindings; + +import com.fasterxml.jackson.annotation.JsonIgnoreProperties; +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.annotation.JsonProperty; + +import java.util.Objects; + +/** + * @author bjorncs + */ +@JsonIgnoreProperties(ignoreUnknown = true) +public class VespaUniqueInstanceIdEntity { + + @JsonProperty("tenant") + public final String tenant; + @JsonProperty("application") + public final String application; + @JsonProperty("environment") + public final String environment; + @JsonProperty("region") + public final String region; + @JsonProperty("instance") + public final String instance; + @JsonProperty("cluster-id") + public final String clusterId; + @JsonProperty("cluster-index") + public final int clusterIndex; + @JsonProperty("type") + public final String type; + + @JsonCreator + public VespaUniqueInstanceIdEntity(@JsonProperty("tenant") String tenant, + @JsonProperty("application") String application, + @JsonProperty("environment") String environment, + @JsonProperty("region") String region, + @JsonProperty("instance") String instance, + @JsonProperty("cluster-id") String clusterId, + @JsonProperty("cluster-index") int clusterIndex, + @JsonProperty("type") String type) { + this.tenant = tenant; + this.application = application; + this.environment = environment; + this.region = region; + this.instance = instance; + this.clusterId = clusterId; + this.clusterIndex = clusterIndex; + this.type = type; + } + + @Deprecated + public VespaUniqueInstanceIdEntity(String tenant, + String application, + String environment, + String region, + String instance, + String clusterId, + int clusterIndex) { + this(tenant, application, environment, region, instance, clusterId, clusterIndex, null); + } + + + @Override + public String toString() { + return "VespaUniqueInstanceIdEntity{" + + "tenant='" + tenant + '\'' + + ", application='" + application + '\'' + + ", environment='" + environment + '\'' + + ", region='" + region + '\'' + + ", instance='" + instance + '\'' + + ", clusterId='" + clusterId + '\'' + + ", clusterIndex=" + clusterIndex + + ", type='" + type + '\'' + + '}'; + } + + @Override + public boolean equals(Object o) { + if (this == o) return true; + if (o == null || getClass() != o.getClass()) return false; + VespaUniqueInstanceIdEntity that = (VespaUniqueInstanceIdEntity) o; + return clusterIndex == that.clusterIndex && + Objects.equals(tenant, that.tenant) && + Objects.equals(application, that.application) && + Objects.equals(environment, that.environment) && + Objects.equals(region, that.region) && + Objects.equals(instance, that.instance) && + Objects.equals(clusterId, that.clusterId) && + Objects.equals(type, that.type); + } + + @Override + public int hashCode() { + return Objects.hash(tenant, application, environment, region, instance, clusterId, clusterIndex, type); + } +} diff --git a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/IdentityDocumentSignerTest.java b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/IdentityDocumentSignerTest.java index 38483bdbaee..9cc500ee241 100644 --- a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/IdentityDocumentSignerTest.java +++ b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/IdentityDocumentSignerTest.java @@ -9,6 +9,7 @@ import com.yahoo.vespa.athenz.tls.KeyAlgorithm; import com.yahoo.vespa.athenz.tls.KeyUtils; import org.junit.Test; +import java.net.URI; import java.security.KeyPair; import java.time.Instant; import java.util.Arrays; @@ -17,7 +18,7 @@ import java.util.HashSet; import static com.yahoo.vespa.athenz.identityprovider.api.IdentityType.TENANT; import static com.yahoo.vespa.athenz.identityprovider.api.SignedIdentityDocument.DEFAULT_DOCUMENT_VERSION; import static com.yahoo.vespa.athenz.identityprovider.api.SignedIdentityDocument.DEFAULT_KEY_VERSION; -import static org.junit.Assert.assertTrue; +import static org.junit.Assert.*; /** * @author bjorncs @@ -40,7 +41,7 @@ public class IdentityDocumentSignerTest { signer.generateSignature(id, providerService, configserverHostname, instanceHostname, createdAt, ipAddresses, identityType, keyPair.getPrivate()); SignedIdentityDocument signedIdentityDocument = new SignedIdentityDocument( - signature, DEFAULT_KEY_VERSION, id, providerService, + null, signature, DEFAULT_KEY_VERSION, id, "dns-suffix", providerService, URI.create("https://zts"), DEFAULT_DOCUMENT_VERSION, configserverHostname, instanceHostname, createdAt, ipAddresses, identityType); assertTrue(signer.hasValidSignature(signedIdentityDocument, keyPair.getPublic())); |