author | Morten Tokle <mortent@oath.com> | 2018-02-16 12:42:37 +0100 |
---|---|---|
committer | Morten Tokle <morten.tokle@gmail.com> | 2018-02-16 17:21:42 +0100 |
commit | d94b9fe55e3ec6aef06972ade555b69ea2b4c189 (patch) | |
tree | 8dbd5f2fe860838d2111c82e3ecc7631a2bd50f3 | |
parent | e845f561ee5a0345b920681bef65024ed8ceab43 (diff) |
Move identity provider to athenz-identity-provider-service module
19 files changed, 89 insertions, 243 deletions
diff --git a/athenz-identity-provider-service/pom.xml b/athenz-identity-provider-service/pom.xml
index bfd02d54d43..92ecd36b0c3 100644
--- a/athenz-identity-provider-service/pom.xml
+++ b/athenz-identity-provider-service/pom.xml
@@ -14,67 +14,6 @@
 <relativePath>../parent/pom.xml</relativePath>
 </parent>
 <dependencies>
- <!-- COMPILE -->
- <dependency>
- <groupId>com.yahoo.athenz</groupId>
- <artifactId>athenz-zms-java-client</artifactId>
- <scope>compile</scope>
- <exclusions>
- <!-- Provided by JDisc / container-dev -->
- <exclusion>
- <groupId>org.slf4j</groupId>
- <artifactId>slf4j-api</artifactId>
- </exclusion>
- <!--Exclude all Jersey bundles provided by JDisc-->
- <exclusion>
- <groupId>org.glassfish.jersey.core</groupId>
- <artifactId>jersey-client</artifactId>
- </exclusion>
- <exclusion>
- <groupId>org.glassfish.jersey.media</groupId>
- <artifactId>jersey-media-json-jackson</artifactId>
- </exclusion>
- <!--Exclude all Jackson bundles provided by JDisc -->
- <exclusion>
- <groupId>com.fasterxml.jackson.core</groupId>
- <artifactId>jackson-core</artifactId>
- </exclusion>
- <exclusion>
- <groupId>com.fasterxml.jackson.core</groupId>
- <artifactId>jackson-databind</artifactId>
- </exclusion>
- <exclusion>
- <groupId>com.fasterxml.jackson.core</groupId>
- <artifactId>jackson-annotations</artifactId>
- </exclusion>
- </exclusions>
- </dependency>
- <dependency>
- <groupId>com.yahoo.athenz</groupId>
- <artifactId>athenz-zts-java-client</artifactId>
- <scope>compile</scope>
- <exclusions>
- <!-- Provided by JDisc / container-dev -->
- <exclusion>
- <groupId>org.slf4j</groupId>
- <artifactId>slf4j-api</artifactId>
- </exclusion>
- <!--Exclude all Jackson bundles provided by JDisc -->
- <exclusion>
- <groupId>com.fasterxml.jackson.core</groupId>
- <artifactId>jackson-core</artifactId>
- </exclusion>
- <exclusion>
- <groupId>com.fasterxml.jackson.core</groupId>
- <artifactId>jackson-databind</artifactId>
- </exclusion>
- <exclusion>
- <groupId>com.fasterxml.jackson.core</groupId>
- <artifactId>jackson-annotations</artifactId>
- </exclusion>
- </exclusions>
- </dependency>
-
 <!-- PROVIDED -->
 <dependency>
 <groupId>com.yahoo.vespa</groupId>
@@ -110,6 +49,20 @@
 <version>${project.version}</version>
 <scope>provided</scope>
 </dependency>
+ <dependency>
+ <groupId>com.yahoo.vespa</groupId>
+ <artifactId>vespa-athenz</artifactId>
+ <version>${project.version}</version>
+ <scope>provided</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.httpcomponents</groupId>
+ <artifactId>httpclient</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.httpcomponents</groupId>
+ <artifactId>httpcore</artifactId>
+ </dependency>
 <!-- TEST -->
 <dependency>
@@ -130,18 +83,6 @@
 <scope>test</scope>
 </dependency>
 <dependency>
- <groupId>org.apache.httpcomponents</groupId>
- <artifactId>httpclient</artifactId>
- <version>4.4.1</version>
- <scope>test</scope>
- </dependency>
- <dependency>
- <groupId>org.apache.httpcomponents</groupId>
- <artifactId>httpcore</artifactId>
- <version>4.4.1</version>
- <scope>test</scope>
- </dependency>
- <dependency>
 <groupId>org.mockito</groupId>
 <artifactId>mockito-all</artifactId>
 <scope>test</scope>
diff --git a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/AthenzCredentials.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/identityprovider/AthenzCredentials.java
index 790a7c54333..36c1aee49e0 100644
--- a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/AthenzCredentials.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/identityprovider/AthenzCredentials.java
@@ -1,5 +1,5 @@
 // Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.container.jdisc.athenz.impl;
+package com.yahoo.vespa.hosted.athenz.identityprovider;
 import java.security.KeyPair;
 import java.security.cert.X509Certificate;
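Review bot: The httpclient and httpcore entries added in the `@@ -110,6 +49,20 @@` hunk declare neither `<version>` nor `<scope>`, whereas the entries the later hunk removes pinned 4.4.1 at test scope; the version therefore has to come from the parent's dependencyManagement, which is not visible here, and the scope defaults to compile, so both jars are packaged into the bundle. That looks intended, since IdentityDocumentService (moved in this commit) imports org.apache.http, but a short comment on the entries would stop the next reader from "restoring" test scope: `<!-- compile scope: bundled, used by IdentityDocumentService -->`. If the container already provides these packages, the same provided scope as the vespa-athenz entry directly above would keep the bundle smaller.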
diff --git a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/AthenzCredentialsService.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/identityprovider/AthenzCredentialsService.java
index 5786eb9e398..4072568d9d2 100644
--- a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/AthenzCredentialsService.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/identityprovider/AthenzCredentialsService.java
@@ -1,5 +1,5 @@
 // Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.container.jdisc.athenz.impl;
+package com.yahoo.vespa.hosted.athenz.identityprovider;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.yahoo.container.core.identity.IdentityConfig;
diff --git a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/AthenzIdentityProviderImpl.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/identityprovider/AthenzIdentityProviderImpl.java
index b6072b03e03..6e09bb3bd32 100644
--- a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/AthenzIdentityProviderImpl.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/identityprovider/AthenzIdentityProviderImpl.java
@@ -1,5 +1,5 @@
 // Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.container.jdisc.athenz.impl;
+package com.yahoo.vespa.hosted.athenz.identityprovider;
 import com.google.inject.Inject;
 import com.yahoo.component.AbstractComponent;
@@ -11,21 +11,8 @@ import com.yahoo.log.LogLevel;
 import com.yahoo.vespa.athenz.api.AthenzIdentityCertificate;
 import com.yahoo.vespa.athenz.tls.AthenzSslContextBuilder;
-import javax.net.ssl.KeyManager;
-import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.SSLContext;
-import javax.net.ssl.TrustManager;
-import javax.net.ssl.TrustManagerFactory;
 import java.io.File;
-import java.io.FileInputStream;
-import java.io.IOException;
-import java.security.KeyManagementException;
-import java.security.KeyStore;
-import java.security.KeyStoreException;
-import java.security.NoSuchAlgorithmException;
-import java.security.UnrecoverableKeyException;
-import java.security.cert.Certificate;
-import java.security.cert.CertificateException;
 import java.time.Clock;
 import java.time.Duration;
 import java.time.Instant;
@@ -65,9 +52,8 @@ public final class AthenzIdentityProviderImpl extends AbstractComponent implemen
 static final String METRICS_UPDATER_TAG = "metrics-updater";
- private final AtomicReference<AthenzCredentials> credentials = new AtomicReference<>();
+ private volatile AthenzCredentials credentials;
 private final AtomicReference<Throwable> lastThrowable = new AtomicReference<>();
- private final CountDownLatch credentialsRetrievedSignal = new CountDownLatch(1);
 private final AthenzCredentialsService athenzCredentialsService;
 private final Scheduler scheduler;
 private final Clock clock;
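Review bot: `private volatile AthenzCredentials credentials;` in the `@@ -65,9 +52,8 @@` hunk is now the only thing that publishes a refreshed credential set from the scheduler thread to whoever calls the getters, and nothing says so; the AtomicReference it replaces at least made the hand-off visible. I would document the rule at the field: `/** Replaced as a whole by UpdateCredentialsTask; readers must copy it to a local before touching more than one member. */`. The field is also null until registerInstance() has succeeded, which is fine only as long as nothing can reach the getters before the constructor returns; worth stating in the same comment if that is guaranteed.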
@@ -99,10 +85,18 @@ public final class AthenzIdentityProviderImpl extends AbstractComponent implemen
 this.clock = clock;
 this.domain = config.domain();
 this.service = config.service();
- scheduler.submit(new RegisterInstanceTask());
- scheduler.schedule(new TimeoutInitialWaitTask(), INITIAL_WAIT_NTOKEN);
 metricUpdater = new CertificateExpiryMetricUpdater(metric);
+ registerInstance();
+ }
+
+ private void registerInstance() {
+ try {
+ credentials = athenzCredentialsService.registerInstance();
+ scheduler.schedule(new UpdateCredentialsTask(), UPDATE_PERIOD);
+ scheduler.submit(metricUpdater);
+ } catch (Throwable t) {
+ throw new AthenzIdentityProviderException("Could not retrieve Athenz credentials", t);
+ }
 }
 @Override
@@ -119,8 +113,8 @@ public final class AthenzIdentityProviderImpl extends AbstractComponent implemen
 public SSLContext getIdentitySslContext() {
 return new AthenzSslContextBuilder()
 .withIdentityCertificate(new AthenzIdentityCertificate(
- credentials.get().getCertificate(),
- credentials.get().getKeyPair().getPrivate()))
+ credentials.getCertificate(),
+ credentials.getKeyPair().getPrivate()))
 .withTrustStore(new File("/opt/yahoo/share/ssl/certs/yahoo_certificate_bundle.jks"), "JKS")
 .build();
 }
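Review bot: `catch (Throwable t)` in the new registerInstance() converts Errors such as OutOfMemoryError or LinkageError into an AthenzIdentityProviderException, which the container may treat as an ordinary component failure; `catch (Exception e)` is the narrower form, or rethrow `Error` before wrapping. The failure path also loses the two things the removed RegisterInstanceTask did on failure, the ERROR log line and `lastThrowable.set(t)`, so a startup failure is observable only through the exception chain. With the retry loop and the latch gone, INITIAL_BACKOFF_DELAY, MAX_REGISTER_BACKOFF_DELAY, BACKOFF_DELAY_MULTIPLIER, REGISTER_INSTANCE_TAG, TIMEOUT_INITIAL_WAIT_TAG and INITIAL_WAIT_NTOKEN appear to have no remaining use in this class (the test still statically imports them) and could go in the same commit. Since construction now calls athenzCredentialsService.registerInstance() synchronously, the constructor should carry a Javadoc `@throws AthenzIdentityProviderException if the instance cannot be registered with Athenz` so callers know that construction, not a background task, is where registration fails.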
@@ -138,56 +132,19 @@ public final class AthenzIdentityProviderImpl extends AbstractComponent implemen
 return credentials.getCreatedAt().plus(EXPIRES_AFTER).minus(EXPIRATION_MARGIN);
 }
- private class RegisterInstanceTask implements RunnableWithTag {
-
- private final Duration backoffDelay;
-
- RegisterInstanceTask() {
- this(INITIAL_BACKOFF_DELAY);
- }
-
- RegisterInstanceTask(Duration backoffDelay) {
- this.backoffDelay = backoffDelay;
- }
-
- @Override
- public void run() {
- try {
- credentials.set(athenzCredentialsService.registerInstance());
- credentialsRetrievedSignal.countDown();
- scheduler.schedule(new UpdateCredentialsTask(), UPDATE_PERIOD);
- scheduler.submit(metricUpdater);
- } catch (Throwable t) {
- log.log(LogLevel.ERROR, "Failed to register instance: " + t.getMessage(), t);
- lastThrowable.set(t);
- Duration nextBackoffDelay = backoffDelay.multipliedBy(BACKOFF_DELAY_MULTIPLIER);
- if (nextBackoffDelay.compareTo(MAX_REGISTER_BACKOFF_DELAY) > 0) {
- nextBackoffDelay = MAX_REGISTER_BACKOFF_DELAY;
- }
- scheduler.schedule(new RegisterInstanceTask(nextBackoffDelay), backoffDelay);
- }
- }
-
- @Override
- public String tag() {
- return REGISTER_INSTANCE_TAG;
- }
- }
-
 private class UpdateCredentialsTask implements RunnableWithTag {
 @Override
 public void run() {
- AthenzCredentials currentCredentials = credentials.get();
 try {
- AthenzCredentials newCredentials = isExpired(currentCredentials)
+ AthenzCredentials newCredentials = isExpired(credentials)
 ? athenzCredentialsService.registerInstance()
- : athenzCredentialsService.updateCredentials(currentCredentials);
- credentials.set(newCredentials);
+ : athenzCredentialsService.updateCredentials(credentials);
+ credentials = newCredentials;
 scheduler.schedule(new UpdateCredentialsTask(), UPDATE_PERIOD);
 } catch (Throwable t) {
 log.log(LogLevel.WARNING, "Failed to update credentials: " + t.getMessage(), t);
 lastThrowable.set(t);
- Duration timeToExpiration = Duration.between(clock.instant(), getExpirationTime(currentCredentials));
+ Duration timeToExpiration = Duration.between(clock.instant(), getExpirationTime(credentials));
 // NOTE: Update period might be after timeToExpiration, still we do not want to DDoS Athenz.
 Duration updatePeriod = timeToExpiration.compareTo(UPDATE_PERIOD) > 0 ? UPDATE_PERIOD : REDUCED_UPDATE_PERIOD;
@@ -210,7 +167,7 @@ public final class AthenzIdentityProviderImpl extends AbstractComponent implemen
 @Override
 public void run() {
- Instant expirationTime = getExpirationTime(credentials.get());
+ Instant expirationTime = getExpirationTime(credentials);
 Duration remainingLifetime = Duration.between(clock.instant(), expirationTime);
 metric.set(CERTIFICATE_EXPIRY_METRIC_NAME, remainingLifetime.getSeconds(), null);
 scheduler.schedule(this, CERTIFICATE_EXPIRY_METRIC_UPDATE_PERIOD);
@@ -222,18 +179,6 @@ public final class AthenzIdentityProviderImpl extends AbstractComponent implemen
 }
 }
- private class TimeoutInitialWaitTask implements RunnableWithTag {
- @Override
- public void run() {
- credentialsRetrievedSignal.countDown();
- }
-
- @Override
- public String tag() {
- return TIMEOUT_INITIAL_WAIT_TAG;
- }
- }
-
 private static class ThreadPoolScheduler implements Scheduler {
 private static final Logger log = Logger.getLogger(ThreadPoolScheduler.class.getName());
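Review bot: Dropping the `currentCredentials` local in UpdateCredentialsTask (hunk `@@ -138,56 +132,19 @@`) makes run() read the volatile field three times, in `isExpired`, in `updateCredentials` and in the catch block's `getExpirationTime`, where the old code worked on one value; with a single scheduled writer this is harmless today, but it only stays correct as long as nothing else ever assigns the field. getIdentitySslContext in the earlier hunk has the same shape, `credentials.getCertificate()` and `credentials.getKeyPair()` as two separate reads, where a refresh landing between them would pair a certificate with the wrong private key. Keep the snapshot in both places: `AthenzCredentials current = credentials;` as the first statement of run() and of getIdentitySslContext(), with the calls using `current`. The catch block of run() continues past the end of the hunk.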
diff --git a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/AthenzService.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/identityprovider/AthenzService.java
index 898f90e3438..c9e3809ea96 100644
--- a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/AthenzService.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/identityprovider/AthenzService.java
@@ -1,5 +1,5 @@
 // Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.container.jdisc.athenz.impl;
+package com.yahoo.vespa.hosted.athenz.identityprovider;
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.ObjectMapper;
diff --git a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/CryptoUtils.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/identityprovider/CryptoUtils.java
index 388b40a1fe0..6a766e7c49d 100644
--- a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/CryptoUtils.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/identityprovider/CryptoUtils.java
@@ -1,5 +1,5 @@
 // Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.container.jdisc.athenz.impl;
+package com.yahoo.vespa.hosted.athenz.identityprovider;
 import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
 import org.bouncycastle.asn1.x509.Extension;
diff --git a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/IdentityDocumentService.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/identityprovider/IdentityDocumentService.java
index 7878400964a..8a9137a491d 100644
--- a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/IdentityDocumentService.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/identityprovider/IdentityDocumentService.java
@@ -1,5 +1,5 @@
 // Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.container.jdisc.athenz.impl;
+package com.yahoo.vespa.hosted.athenz.identityprovider;
 import com.yahoo.vespa.defaults.Defaults;
 import org.apache.http.client.methods.CloseableHttpResponse;
diff --git a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/InstanceIdentity.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/identityprovider/InstanceIdentity.java
index 20bbb2aa67e..d6e986959cb 100644
--- a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/InstanceIdentity.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/identityprovider/InstanceIdentity.java
@@ -1,5 +1,5 @@
 // Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.container.jdisc.athenz.impl;
+package com.yahoo.vespa.hosted.athenz.identityprovider;
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonInclude;
diff --git a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/InstanceRefreshInformation.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/identityprovider/InstanceRefreshInformation.java
index dd893cb3143..d0c22d1d0d2 100644
--- a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/InstanceRefreshInformation.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/identityprovider/InstanceRefreshInformation.java
@@ -1,5 +1,5 @@
 // Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.container.jdisc.athenz.impl;
+package com.yahoo.vespa.hosted.athenz.identityprovider;
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonInclude;
diff --git a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/InstanceRegisterInformation.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/identityprovider/InstanceRegisterInformation.java
index e2355cb7a2d..dd9f164fef1 100644
--- a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/InstanceRegisterInformation.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/identityprovider/InstanceRegisterInformation.java
@@ -1,5 +1,5 @@
 // Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.container.jdisc.athenz.impl;
+package com.yahoo.vespa.hosted.athenz.identityprovider;
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonInclude;
diff --git a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/SignedIdentityDocument.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/identityprovider/SignedIdentityDocument.java
index 5d5b5430859..7bbd49c953f 100644
--- a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/SignedIdentityDocument.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/identityprovider/SignedIdentityDocument.java
@@ -1,5 +1,5 @@
 // Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.container.jdisc.athenz.impl;
+package com.yahoo.vespa.hosted.athenz.identityprovider;
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonInclude;
diff --git a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/package-info.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/identityprovider/package-info.java
index 2d7cbbb6315..1b4842327dd 100644
--- a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/package-info.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/identityprovider/package-info.java
@@ -3,6 +3,6 @@
 * @author mortent
 */
 @ExportPackage
-package com.yahoo.container.jdisc.athenz.impl;
+package com.yahoo.vespa.hosted.athenz.identityprovider;
 import com.yahoo.osgi.annotation.ExportPackage;
\ No newline at end of file diff --git a/container-disc/src/test/java/com/yahoo/container/jdisc/athenz/impl/AthenzIdentityProviderImplTest.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/identityprovider/AthenzIdentityProviderImplTest.java index 1ee23334a16..3a506a39c43 100644 --- a/container-disc/src/test/java/com/yahoo/container/jdisc/athenz/impl/AthenzIdentityProviderImplTest.java +++ b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/identityprovider/AthenzIdentityProviderImplTest.java @@ -1,14 +1,16 @@ // Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.container.jdisc.athenz.impl; +package com.yahoo.vespa.hosted.athenz.identityprovider; import com.yahoo.container.core.identity.IdentityConfig; import com.yahoo.container.jdisc.athenz.AthenzIdentityProvider; -import com.yahoo.container.jdisc.athenz.impl.AthenzIdentityProviderImpl.RunnableWithTag; -import com.yahoo.container.jdisc.athenz.impl.AthenzIdentityProviderImpl.Scheduler; +import com.yahoo.container.jdisc.athenz.AthenzIdentityProviderException; +import com.yahoo.vespa.hosted.athenz.identityprovider.AthenzIdentityProviderImpl.RunnableWithTag; +import com.yahoo.vespa.hosted.athenz.identityprovider.AthenzIdentityProviderImpl.Scheduler; import com.yahoo.jdisc.Metric; import com.yahoo.test.ManualClock; import org.junit.Test; +import java.security.cert.X509Certificate; import java.time.Duration; import java.time.Instant; import java.util.ArrayList; 
@@ -23,15 +25,15 @@ import java.util.function.Predicate; import java.util.stream.Collectors; import java.util.stream.Stream; -import static com.yahoo.container.jdisc.athenz.impl.AthenzIdentityProviderImpl.INITIAL_BACKOFF_DELAY; -import static com.yahoo.container.jdisc.athenz.impl.AthenzIdentityProviderImpl.INITIAL_WAIT_NTOKEN; -import static com.yahoo.container.jdisc.athenz.impl.AthenzIdentityProviderImpl.MAX_REGISTER_BACKOFF_DELAY; -import static com.yahoo.container.jdisc.athenz.impl.AthenzIdentityProviderImpl.METRICS_UPDATER_TAG; -import static com.yahoo.container.jdisc.athenz.impl.AthenzIdentityProviderImpl.REDUCED_UPDATE_PERIOD; -import static com.yahoo.container.jdisc.athenz.impl.AthenzIdentityProviderImpl.REGISTER_INSTANCE_TAG; -import static com.yahoo.container.jdisc.athenz.impl.AthenzIdentityProviderImpl.TIMEOUT_INITIAL_WAIT_TAG; -import static com.yahoo.container.jdisc.athenz.impl.AthenzIdentityProviderImpl.UPDATE_CREDENTIALS_TAG; -import static com.yahoo.container.jdisc.athenz.impl.AthenzIdentityProviderImpl.UPDATE_PERIOD; +import static com.yahoo.vespa.hosted.athenz.identityprovider.AthenzIdentityProviderImpl.INITIAL_BACKOFF_DELAY; +import static com.yahoo.vespa.hosted.athenz.identityprovider.AthenzIdentityProviderImpl.INITIAL_WAIT_NTOKEN; +import static com.yahoo.vespa.hosted.athenz.identityprovider.AthenzIdentityProviderImpl.MAX_REGISTER_BACKOFF_DELAY; +import static com.yahoo.vespa.hosted.athenz.identityprovider.AthenzIdentityProviderImpl.METRICS_UPDATER_TAG; +import static com.yahoo.vespa.hosted.athenz.identityprovider.AthenzIdentityProviderImpl.REDUCED_UPDATE_PERIOD; +import static com.yahoo.vespa.hosted.athenz.identityprovider.AthenzIdentityProviderImpl.REGISTER_INSTANCE_TAG; +import static com.yahoo.vespa.hosted.athenz.identityprovider.AthenzIdentityProviderImpl.TIMEOUT_INITIAL_WAIT_TAG; +import static com.yahoo.vespa.hosted.athenz.identityprovider.AthenzIdentityProviderImpl.UPDATE_CREDENTIALS_TAG; +import static 
com.yahoo.vespa.hosted.athenz.identityprovider.AthenzIdentityProviderImpl.UPDATE_PERIOD; import static org.junit.Assert.assertEquals; import static org.mockito.Matchers.any; import static org.mockito.Matchers.anyString; 
@@ -46,77 +48,33 @@ public class AthenzIdentityProviderImplTest { private static final Metric DUMMY_METRIC = new Metric() { @Override - public void set(String s, Number number, Context context) {} + public void set(String s, Number number, Context context) { + } + @Override - public void add(String s, Number number, Context context) {} + public void add(String s, Number number, Context context) { + } + @Override - public Context createContext(Map<String, ?> stringMap) { return null; } + public Context createContext(Map<String, ?> stringMap) { + return null; + } }; private static final IdentityConfig IDENTITY_CONFIG = new IdentityConfig(new IdentityConfig.Builder() .service("tenantService").domain("tenantDomain").loadBalancerAddress("cfg")); - private final Set<String> IGNORED_TASKS = Stream.of(UPDATE_CREDENTIALS_TAG, METRICS_UPDATER_TAG) - .collect(Collectors.toSet()); - - @Test - public void athenz_credentials_are_retrieved_after_component_contruction_completed() { - IdentityDocumentService identityDocumentService = mock(IdentityDocumentService.class); - AthenzService athenzService = mock(AthenzService.class); - ManualClock clock = new ManualClock(Instant.EPOCH); - MockScheduler scheduler = new MockScheduler(clock); - - when(identityDocumentService.getSignedIdentityDocument()).thenReturn(getIdentityDocument()); - when(athenzService.sendInstanceRegisterRequest(any(), any())).thenReturn( - new InstanceIdentity(null, "TOKEN")); - AthenzCredentialsService credentialService = - new AthenzCredentialsService(IDENTITY_CONFIG, identityDocumentService, athenzService, clock); - - AthenzIdentityProvider identityProvider = - new AthenzIdentityProviderImpl(IDENTITY_CONFIG, DUMMY_METRIC, credentialService, scheduler, clock); - - List<MockScheduler.CompletedTask> expectedTasks = - Arrays.asList( - new MockScheduler.CompletedTask(REGISTER_INSTANCE_TAG, Duration.ZERO), - new MockScheduler.CompletedTask(TIMEOUT_INITIAL_WAIT_TAG, INITIAL_WAIT_NTOKEN)); - // Don't run update 
credential tasks, otherwise infinite loop - List<MockScheduler.CompletedTask> completedTasks = - scheduler.runAllTasks(task -> !IGNORED_TASKS.contains(task.tag())); - assertEquals(expectedTasks, completedTasks); - assertEquals("TOKEN", identityProvider.getNToken()); - } - - @Test - public void register_instance_uses_exponential_backoff() { + @Test (expected = AthenzIdentityProviderException.class) + public void component_creation_fails_when_credentials_not_found() { AthenzCredentialsService credentialService = mock(AthenzCredentialsService.class); when(credentialService.registerInstance()) - .thenThrow(new RuntimeException("#1")) - .thenThrow(new RuntimeException("#2")) - .thenThrow(new RuntimeException("#3")) - .thenThrow(new RuntimeException("#4")) - .thenThrow(new RuntimeException("#5")) - .thenReturn(new AthenzCredentials("TOKEN", null, null, null, Instant.now())); + .thenThrow(new RuntimeException("athenz unavailable")); ManualClock clock = new ManualClock(Instant.EPOCH); MockScheduler scheduler = new MockScheduler(clock); AthenzIdentityProvider identityProvider = new AthenzIdentityProviderImpl(IDENTITY_CONFIG, DUMMY_METRIC, credentialService, scheduler, clock); - - List<MockScheduler.CompletedTask> expectedTasks = - Arrays.asList( - new MockScheduler.CompletedTask(REGISTER_INSTANCE_TAG, Duration.ZERO), - new MockScheduler.CompletedTask(REGISTER_INSTANCE_TAG, INITIAL_BACKOFF_DELAY), - new MockScheduler.CompletedTask(TIMEOUT_INITIAL_WAIT_TAG, INITIAL_WAIT_NTOKEN), - new MockScheduler.CompletedTask(REGISTER_INSTANCE_TAG, INITIAL_BACKOFF_DELAY.multipliedBy(2)), - new MockScheduler.CompletedTask(REGISTER_INSTANCE_TAG, INITIAL_BACKOFF_DELAY.multipliedBy(4)), - new MockScheduler.CompletedTask(REGISTER_INSTANCE_TAG, INITIAL_BACKOFF_DELAY.multipliedBy(8)), - new MockScheduler.CompletedTask(REGISTER_INSTANCE_TAG, MAX_REGISTER_BACKOFF_DELAY)); - // Don't run update credential tasks, otherwise infinite loop - List<MockScheduler.CompletedTask> completedTasks = - 
scheduler.runAllTasks(task -> !IGNORED_TASKS.contains(task.tag())); - assertEquals(expectedTasks, completedTasks); - assertEquals("TOKEN", identityProvider.getNToken()); } @Test @@ -125,6 +83,7 @@ public class AthenzIdentityProviderImplTest { AthenzService athenzService = mock(AthenzService.class); ManualClock clock = new ManualClock(Instant.EPOCH); MockScheduler scheduler = new MockScheduler(clock); + X509Certificate x509Certificate = mock(X509Certificate.class); when(identityDocumentService.getSignedIdentityDocument()).thenReturn(getIdentityDocument()); when(athenzService.sendInstanceRegisterRequest(any(), any())).thenReturn( @@ -143,8 +102,6 @@ public class AthenzIdentityProviderImplTest { List<MockScheduler.CompletedTask> expectedTasks = Arrays.asList( - new MockScheduler.CompletedTask(REGISTER_INSTANCE_TAG, Duration.ZERO), - new MockScheduler.CompletedTask(TIMEOUT_INITIAL_WAIT_TAG, INITIAL_WAIT_NTOKEN), new MockScheduler.CompletedTask(UPDATE_CREDENTIALS_TAG, UPDATE_PERIOD), new MockScheduler.CompletedTask(UPDATE_CREDENTIALS_TAG, UPDATE_PERIOD), new MockScheduler.CompletedTask(UPDATE_CREDENTIALS_TAG, REDUCED_UPDATE_PERIOD), @@ -153,9 +110,8 @@ public class AthenzIdentityProviderImplTest { AtomicInteger counter = new AtomicInteger(0); List<MockScheduler.CompletedTask> completedTasks = scheduler.runAllTasks(task -> !task.tag().equals(METRICS_UPDATER_TAG) && - counter.getAndIncrement() < expectedTasks.size()); + counter.getAndIncrement() < expectedTasks.size()); assertEquals(expectedTasks, completedTasks); - assertEquals("TOKEN", identityProvider.getNToken()); } private static String getIdentityDocument() { @@ -232,7 +188,7 @@ public class AthenzIdentityProviderImplTest { if (o == null || getClass() != o.getClass()) return false; CompletedTask that = (CompletedTask) o; return Objects.equals(tag, that.tag) && - Objects.equals(delay, that.delay); + Objects.equals(delay, that.delay); } @Override 
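Review bot: `X509Certificate x509Certificate = mock(X509Certificate.class);` added in hunk `@@ -125,6 +83,7 @@` is not used by any line visible in that hunk; if the remainder of the test (outside the hunk) does not pass it to a stub, drop it together with the new java.security.cert.X509Certificate import. After the removal of IGNORED_TASKS and the two backoff tests, the static imports of INITIAL_BACKOFF_DELAY, INITIAL_WAIT_NTOKEN, MAX_REGISTER_BACKOFF_DELAY, REGISTER_INSTANCE_TAG and TIMEOUT_INITIAL_WAIT_TAG that the `@@ -23,15 +25,15 @@` hunk rewrites, and the Stream, Collectors and Predicate imports, likewise appear unused. A point of style: `@Test (expected = AthenzIdentityProviderException.class)` has a stray space before the parenthesis; `@Test(expected = AthenzIdentityProviderException.class)` is the usual form.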
@@ -243,9 +199,9 @@ public class AthenzIdentityProviderImplTest { @Override public String toString() { return "CompletedTask{" + - "tag='" + tag + '\'' + - ", delay=" + delay + - '}'; + "tag='" + tag + '\'' + + ", delay=" + delay + + '}'; } } } diff --git a/container-disc/src/test/java/com/yahoo/container/jdisc/athenz/impl/CryptoUtilsTest.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/identityprovider/CryptoUtilsTest.java index dc9690355e8..0412b9071dd 100644 --- a/container-disc/src/test/java/com/yahoo/container/jdisc/athenz/impl/CryptoUtilsTest.java +++ b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/identityprovider/CryptoUtilsTest.java @@ -1,5 +1,5 @@ // Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.container.jdisc.athenz.impl; +package com.yahoo.vespa.hosted.athenz.identityprovider; import org.bouncycastle.pkcs.PKCS10CertificationRequest; import org.junit.Test; diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/IdentityProvider.java b/config-model/src/main/java/com/yahoo/vespa/model/container/IdentityProvider.java index 0368f7eaf3e..640a85d9b50 100644 --- a/config-model/src/main/java/com/yahoo/vespa/model/container/IdentityProvider.java +++ b/config-model/src/main/java/com/yahoo/vespa/model/container/IdentityProvider.java 
@@ -5,14 +5,13 @@ import com.yahoo.config.provision.AthenzDomain;
 import com.yahoo.config.provision.AthenzService;
 import com.yahoo.config.provision.HostName;
 import com.yahoo.container.core.identity.IdentityConfig;
-import com.yahoo.container.jdisc.athenz.impl.AthenzIdentityProviderImpl;
 import com.yahoo.vespa.model.container.component.SimpleComponent;
 /**
 * @author mortent
 */
 public class IdentityProvider extends SimpleComponent implements IdentityConfig.Producer {
- public static final String CLASS = AthenzIdentityProviderImpl.class.getName();
+ public static final String CLASS = "com.yahoo.vespa.hosted.athenz.identityprovider.AthenzIdentityProviderImpl";
 private final AthenzDomain domain;
 private final AthenzService service;
diff --git a/container-disc/pom.xml b/container-disc/pom.xml
index f970de0b328..38b4bfc2ff5 100644
--- a/container-disc/pom.xml
+++ b/container-disc/pom.xml
@@ -106,12 +106,6 @@
 <artifactId>vespalog</artifactId>
 <version>${project.version}</version>
 </dependency>
- <dependency>
- <groupId>com.yahoo.vespa</groupId>
- <artifactId>vespa-athenz</artifactId>
- <version>${project.version}</version>
- <scope>provided</scope>
- </dependency>
 <!-- WARNING: These are only here to make bundlification work -->
 <dependency>
 <groupId>com.yahoo.vespa</groupId>
diff --git a/container-disc/src/main/java/com/yahoo/container/jdisc/Ckms.java b/container-disc/src/main/java/com/yahoo/container/jdisc/Ckms.java
index 132fa6b2882..26c71686a82 100644
--- a/container-disc/src/main/java/com/yahoo/container/jdisc/Ckms.java
+++ b/container-disc/src/main/java/com/yahoo/container/jdisc/Ckms.java
@@ -2,6 +2,9 @@
 package com.yahoo.container.jdisc;
+/**
+ * @author mortent
+ */
 public interface Ckms {
 /** Returns the secret for this key */
 String getSecret(String key);
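Review bot: `CLASS` in IdentityProvider.java is now a string literal instead of `AthenzIdentityProviderImpl.class.getName()`, so a rename or package move of the implementation, which is exactly what this commit does, no longer fails at compile time but only when the container tries to load the component. A comment at the constant should name the coupling: `// Fully qualified name of AthenzIdentityProviderImpl in athenz-identity-provider-service; kept as a string so config-model does not depend on that bundle. Update both together.` Whether any test in config-model pins this name is not visible here.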
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identity/SiaIdentityProvider.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identity/SiaIdentityProvider.java
index 08b59c8e14a..c050ddce2c6 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identity/SiaIdentityProvider.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identity/SiaIdentityProvider.java
@@ -1,3 +1,4 @@
+// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.vespa.athenz.identity;
 import com.yahoo.athenz.auth.util.Crypto;
@@ -13,6 +14,9 @@ import java.nio.file.Paths;
 import java.security.PrivateKey;
 import java.security.cert.X509Certificate;
+/**
+ * @author mortent
+ */
 public class SiaIdentityProvider implements AthenzIdentityProvider {
 private final AthenzDomain domain;
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identity/package-info.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identity/package-info.java
index de845f3f985..da31e72a1fa 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identity/package-info.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identity/package-info.java
@@ -1,3 +1,7 @@
+// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+/**
+ * @author mortent
+ */
 @ExportPackage
 package com.yahoo.vespa.athenz.identity;
|