author | Morten Tokle <mortent@verizonmedia.com> | 2020-11-06 09:22:14 +0100 |
---|---|---|
committer | Morten Tokle <mortent@verizonmedia.com> | 2020-11-06 09:22:14 +0100 |
commit | a8850f505638d11aabfc267f0ab17f18fe6ecf67 (patch) | |
tree | ba0fcce6b03ff21377d9a810a1873733e6ec3a84 | |
parent | fcf7dba7523c9cebf2970a58e5e66c81508d9a00 (diff) |
Create DefaultZtsClient builder
8 files changed, 45 insertions, 30 deletions
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ConfigserverSslContextFactoryProvider.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ConfigserverSslContextFactoryProvider.java
index ae4a5933ac2..880646e37e5 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ConfigserverSslContextFactoryProvider.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ConfigserverSslContextFactoryProvider.java
@@ -3,7 +3,6 @@ package com.yahoo.vespa.hosted.athenz.instanceproviderservice;
 import com.google.inject.Inject;
 import com.yahoo.jdisc.http.ssl.impl.TlsContextBasedProvider;
-import java.util.logging.Level;
 import com.yahoo.security.KeyStoreBuilder;
 import com.yahoo.security.KeyStoreType;
 import com.yahoo.security.KeyUtils;
@@ -37,6 +36,7 @@ import java.util.UUID;
 import java.util.concurrent.Executors;
 import java.util.concurrent.ScheduledExecutorService;
 import java.util.concurrent.TimeUnit;
+import java.util.logging.Level;
 import java.util.logging.Logger;
 /**
@@ -66,7 +66,8 @@ public class ConfigserverSslContextFactoryProvider extends TlsContextBasedProvid
 KeyProvider keyProvider,
 AthenzProviderServiceConfig config) {
 this.athenzProviderServiceConfig = config;
- this.ztsClient = new DefaultZtsClient(URI.create(athenzProviderServiceConfig.ztsUrl()), bootstrapIdentity);
+ this.ztsClient = new DefaultZtsClient.Builder(URI.create(athenzProviderServiceConfig.ztsUrl()))
+ .withIdentityProvider(bootstrapIdentity).build();
 this.keyProvider = keyProvider;
 this.configserverIdentity = new AthenzService(athenzProviderServiceConfig.domain(), athenzProviderServiceConfig.serviceName());
diff --git a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiTest.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiTest.java
index 343a9feeed6..3adc445a781 100644
--- a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiTest.java
+++ b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiTest.java
@@ -8,11 +8,11 @@ import com.yahoo.security.KeyUtils;
 import com.yahoo.security.Pkcs10Csr;
 import com.yahoo.security.Pkcs10CsrUtils;
 import com.yahoo.security.X509CertificateUtils;
+import com.yahoo.slime.SlimeUtils;
 import com.yahoo.text.StringUtilities;
 import com.yahoo.vespa.athenz.api.AthenzPrincipal;
 import com.yahoo.vespa.athenz.api.AthenzService;
 import com.yahoo.vespa.athenz.client.zts.DefaultZtsClient;
-import com.yahoo.slime.SlimeUtils;
 import com.yahoo.vespa.hosted.ca.CertificateTester;
 import org.apache.http.client.ResponseHandler;
 import org.apache.http.client.methods.HttpUriRequest;
@@ -224,7 +224,7 @@ public class CertificateAuthorityApiTest extends ContainerTester {
 private final X509Certificate certificate;
 public TestZtsClient(Principal principal, X509Certificate certificate, URI ztsUrl, SSLContext sslContext) {
- super(ztsUrl, sslContext);
+ super(ztsUrl, () -> sslContext, null);
 this.principal = principal;
 this.certificate = certificate;
 }
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzClientFactoryImpl.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzClientFactoryImpl.java
index 173729c7472..1626e4fd559 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzClientFactoryImpl.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzClientFactoryImpl.java
@@ -45,7 +45,7 @@ public class AthenzClientFactoryImpl implements AthenzClientFactory {
 */
 @Override
 public ZtsClient createZtsClient() {
- return new DefaultZtsClient(URI.create(config.ztsUrl()), identityProvider);
+ return new DefaultZtsClient.Builder(URI.create(config.ztsUrl())).withIdentityProvider(identityProvider).build();
 }
 @Override
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
index d6c08a820cd..0a29da57220 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
@@ -198,7 +198,7 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
 HostnameVerifier ztsHostNameVerifier = useInternalZts ? new AthenzIdentityVerifier(Set.of(configserverIdentity)) : null;
- try (ZtsClient ztsClient = new DefaultZtsClient(ztsEndpoint, hostIdentityProvider, ztsHostNameVerifier)) {
+ try (ZtsClient ztsClient = new DefaultZtsClient.Builder(ztsEndpoint).withIdentityProvider(hostIdentityProvider).withHostnameVerifier(ztsHostNameVerifier).build()) {
 InstanceIdentity instanceIdentity = ztsClient.registerInstance(
 configserverIdentity,
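Review bot: The new try-with-resources line in the @@ -198 hunk of AthenzCredentialsMaintainer packs the whole builder chain onto one ~180-character line, which buries the one call that matters for transport security here, the hostname verifier that decides whether the ZTS endpoint's identity is pinned to the config server. One call per line keeps that choice visible: `try (ZtsClient ztsClient = new DefaultZtsClient.Builder(ztsEndpoint)` / `        .withIdentityProvider(hostIdentityProvider)` / `        .withHostnameVerifier(ztsHostNameVerifier).build()) {`. The @@ -227 refresh path on the next line of this page has the same shape and would benefit from the same split. Passing `null` to withHostnameVerifier when useInternalZts is false is presumably "use the client's default verification", but that is inferred from the builder's null default rather than stated; a short comment on the ztsHostNameVerifier declaration would make it explicit. The enclosing method begins and ends outside the hunk.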
@@ -227,7 +227,7 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
 HostnameVerifier ztsHostNameVerifier = useInternalZts ? new AthenzIdentityVerifier(Set.of(configserverIdentity)) : null;
- try (ZtsClient ztsClient = new DefaultZtsClient(ztsEndpoint, containerIdentitySslContext, ztsHostNameVerifier)) {
+ try (ZtsClient ztsClient = new DefaultZtsClient.Builder(ztsEndpoint).withSslContext(containerIdentitySslContext).withHostnameVerifier(ztsHostNameVerifier).build()) {
 InstanceIdentity instanceIdentity = ztsClient.refreshInstance(
 configserverIdentity,
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/aws/AwsCredentials.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/aws/AwsCredentials.java
index b027e7272ea..30ff63fb108 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/aws/AwsCredentials.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/aws/AwsCredentials.java
@@ -35,11 +35,11 @@ public class AwsCredentials {
 }
 public AwsCredentials(URI ztsUrl, ServiceIdentityProvider identityProvider, AthenzDomain athenzDomain, AwsRole awsRole) {
- this(new DefaultZtsClient(ztsUrl, identityProvider), athenzDomain, awsRole);
+ this(new DefaultZtsClient.Builder(ztsUrl).withIdentityProvider(identityProvider).build(), athenzDomain, awsRole);
 }
 public AwsCredentials(URI ztsUrl, SSLContext sslContext, AthenzDomain athenzDomain, AwsRole awsRole) {
- this(new DefaultZtsClient(ztsUrl, sslContext), athenzDomain, awsRole);
+ this(new DefaultZtsClient.Builder(ztsUrl).withSslContext(sslContext).build(), athenzDomain, awsRole);
 }
 /**
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java
index c05213c8008..e8c0072731a 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java
@@ -37,6 +37,7 @@ import java.security.KeyPair;
 import java.security.cert.X509Certificate;
 import java.time.Duration;
 import java.util.List;
+import java.util.Objects;
 import java.util.Optional;
 import java.util.function.Supplier;
 import java.util.stream.Collectors;
@@ -52,24 +53,7 @@ import static java.util.stream.Collectors.toList;
 public class DefaultZtsClient extends ClientBase implements ZtsClient {
 private final URI ztsUrl;
-
- public DefaultZtsClient(URI ztsUrl, SSLContext sslContext) {
- this(ztsUrl, sslContext, null);
- }
-
- public DefaultZtsClient(URI ztsUrl, SSLContext sslContext, HostnameVerifier hostnameVerifier) {
- this(ztsUrl, () -> sslContext, hostnameVerifier);
- }
-
- public DefaultZtsClient(URI ztsUrl, ServiceIdentityProvider identityProvider) {
- this(ztsUrl, identityProvider::getIdentitySslContext, null);
- }
-
- public DefaultZtsClient(URI ztsUrl, ServiceIdentityProvider identityProvider, HostnameVerifier hostnameVerifier) {
- this(ztsUrl, identityProvider::getIdentitySslContext, hostnameVerifier);
- }
-
- private DefaultZtsClient(URI ztsUrl, Supplier<SSLContext> sslContextSupplier, HostnameVerifier hostnameVerifier) {
+ protected DefaultZtsClient(URI ztsUrl, Supplier<SSLContext> sslContextSupplier, HostnameVerifier hostnameVerifier) {
 super("vespa-zts-client", sslContextSupplier, ZtsClientException::new, hostnameVerifier);
 this.ztsUrl = addTrailingSlash(ztsUrl);
 }
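Review bot: The constructor in the @@ -52,24 hunk becomes `protected` so that subclasses (TestZtsClient in this commit) can bypass the Builder, but it does no validation of its own, so the Builder's "no ssl context or identity provider" guard is now the only check between a caller and a ZTS client with no client identity; what ClientBase does with a null supplier is not visible here. Since the hunk above adds `import java.util.Objects;`, the invariant can live in the constructor where every entry path hits it: `super("vespa-zts-client", Objects.requireNonNull(sslContextSupplier, "sslContextSupplier"), ZtsClientException::new, hostnameVerifier);`. A Javadoc line stating the intent of the wider visibility would also help the next reader, e.g. `/** For subclasses (such as test doubles); production code should construct clients through {@link Builder}. */`. The class body continues outside the hunk.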
@@ -239,5 +223,35 @@ public class DefaultZtsClient extends ClientBase implements ZtsClient {
 else return URI.create(ztsUrl.toString() + '/');
 }
+ public static class Builder {
+ private URI ztsUrl;
+ private HostnameVerifier hostnameVerifier = null;
+ private Supplier<SSLContext> sslContextSupplier = null;
+ public Builder(URI ztsUrl) {
+ this.ztsUrl = ztsUrl;
+ }
+
+ public Builder withHostnameVerifier(HostnameVerifier hostnameVerifier) {
+ this.hostnameVerifier = hostnameVerifier;
+ return this;
+ }
+
+ public Builder withSslContext(SSLContext sslContext) {
+ this.sslContextSupplier = () -> sslContext;
+ return this;
+ }
+
+ public Builder withIdentityProvider(ServiceIdentityProvider identityProvider) {
+ this.sslContextSupplier = identityProvider::getIdentitySslContext;
+ return this;
+ }
+
+ public DefaultZtsClient build() {
+ if (Objects.isNull(sslContextSupplier)) {
+ throw new IllegalArgumentException("No ssl context or identity provider available to set up zts client");
+ }
+ return new DefaultZtsClient(ztsUrl, sslContextSupplier, hostnameVerifier);
+ }
+ }
 }
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java
index 8e029906c30..612f9caa691 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java
@@ -81,7 +81,7 @@ class AthenzCredentialsService {
 document.ipAddresses(),
 keyPair);
- try (ZtsClient ztsClient = new DefaultZtsClient(ztsEndpoint, nodeIdentityProvider)) {
+ try (ZtsClient ztsClient = new DefaultZtsClient.Builder(ztsEndpoint).withIdentityProvider(nodeIdentityProvider).build()) {
 InstanceIdentity instanceIdentity = ztsClient.registerInstance(
 configserverIdentity,
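Review bot: `withSslContext(null)` in the new Builder slips past the `Objects.isNull(sslContextSupplier)` check in build(), because it stores a perfectly non-null lambda that yields null; the check only catches the case where neither setter was called, whereas `withIdentityProvider(null)` already fails fast because a bound method reference evaluates its receiver eagerly. Validate in the setter so a missing client identity is rejected at configuration time: `Objects.requireNonNull(sslContext, "sslContext");` before `this.sslContextSupplier = () -> sslContext;`, and likewise `this.ztsUrl = Objects.requireNonNull(ztsUrl, "ztsUrl");` in the Builder constructor, since a null URI would otherwise only surface in addTrailingSlash's `ztsUrl.toString()`. Two smaller points: a missing required builder field is conventionally an IllegalStateException rather than IllegalArgumentException, and calling both withSslContext and withIdentityProvider silently lets the last call win, which a class-level Javadoc should state, e.g. `/** Builds a {@link DefaultZtsClient}; exactly one of withSslContext or withIdentityProvider is required, the later call replaces the earlier. */`.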
@@ -102,7 +102,7 @@ class AthenzCredentialsService {
 document.ipAddresses(),
 newKeyPair);
- try (ZtsClient ztsClient = new DefaultZtsClient(ztsEndpoint, sslContext)) {
+ try (ZtsClient ztsClient = new DefaultZtsClient.Builder(ztsEndpoint).withSslContext(sslContext).build()) {
 InstanceIdentity instanceIdentity = ztsClient.refreshInstance(
 configserverIdentity,
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java
index 65574d7583e..724a3059f6d 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java
@@ -301,7 +301,7 @@ public final class AthenzIdentityProviderImpl extends AbstractComponent implemen
 }
 private DefaultZtsClient createZtsClient() {
- return new DefaultZtsClient(ztsEndpoint, getIdentitySslContext());
+ return new DefaultZtsClient.Builder(ztsEndpoint).withSslContext(getIdentitySslContext()).build();
 }
 @Override
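Review bot: createZtsClient() in the @@ -301 hunk of AthenzIdentityProviderImpl snapshots `getIdentitySslContext()` into the builder, so the returned client keeps whatever SSLContext was current at build time even if the identity is later rotated. The class header is cut off at `implemen…`, but if AthenzIdentityProviderImpl implements ServiceIdentityProvider, `withIdentityProvider(this)` would let a long-lived client follow the current identity the way the controller and node-admin callers in this commit do. This is pre-existing behaviour rather than something the commit introduces, and it is harmless if every client is short-lived; a one-line comment stating which is intended, e.g. `// Snapshot of the current identity context; clients from here are created per use`, would settle it for the next reader. The enclosing class continues outside the hunk.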