author | Morten Tokle <mortent@oath.com> | 2017-10-23 11:15:16 +0200 |
---|---|---|
committer | Morten Tokle <mortent@oath.com> | 2017-10-23 11:21:26 +0200 |
commit | 4cd5e7ca38c4f8cc752e4c0d0a97c83c8f27863f (patch) | |
tree | 1bb4ab06f3adaf9df839c0e016127686f12c95c2 | |
parent | ce5b8db39f64101d7ac9fae2847f3db614f14638 (diff) |
Add fields to signed identity document
10 files changed, 221 insertions, 47 deletions
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzInstanceProviderService.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzInstanceProviderService.java index e862717d1d1..301d6250b31 100644 --- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzInstanceProviderService.java +++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzInstanceProviderService.java @@ -58,7 +58,7 @@ public class AthenzInstanceProviderService extends AbstractComponent { ScheduledExecutorService scheduler, NodeRepository nodeRepository, Zone zone) { this.scheduler = scheduler; SslContextFactory sslContextFactory = createSslContextFactory(); - this.jetty = createJettyServer(config.port(), config.apiPath(), keyProvider, sslContextFactory, + this.jetty = createJettyServer(config, keyProvider, sslContextFactory, nodeRepository, zone); AthenzCertificateUpdater reloader = new AthenzCertificateUpdater( sslContextFactory, keyProvider, config); 
@@ -70,20 +70,20 @@ public class AthenzInstanceProviderService extends AbstractComponent { } } - private static Server createJettyServer(int port, String apiPath, + private static Server createJettyServer(AthenzProviderServiceConfig config, KeyProvider keyProvider, SslContextFactory sslContextFactory, NodeRepository nodeRepository, Zone zone) { Server server = new Server(); ServerConnector connector = new ServerConnector(server, sslContextFactory); - connector.setPort(port); + connector.setPort(config.port()); server.addConnector(connector); ServletHandler handler = new ServletHandler(); ProviderServiceServlet providerServiceServlet = - new ProviderServiceServlet(new InstanceValidator(keyProvider), new IdentityDocumentGenerator(nodeRepository, zone, keyProvider)); - handler.addServletWithMapping(new ServletHolder(providerServiceServlet), apiPath); + new ProviderServiceServlet(new InstanceValidator(keyProvider), new IdentityDocumentGenerator(config, nodeRepository, zone, keyProvider)); + handler.addServletWithMapping(new ServletHolder(providerServiceServlet), config.apiPath()); handler.addServletWithMapping(StatusServlet.class, "/status.html"); server.setHandler(handler); return server; diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/IdentityDocumentGenerator.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/IdentityDocumentGenerator.java index 833f1348338..9e01b0e6421 100644 --- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/IdentityDocumentGenerator.java +++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/IdentityDocumentGenerator.java 
@@ -2,6 +2,7 @@ package com.yahoo.vespa.hosted.athenz.instanceproviderservice.impl; import com.yahoo.athenz.auth.util.Crypto; import com.yahoo.config.provision.Zone; +import com.yahoo.vespa.hosted.athenz.identityproviderservice.config.AthenzProviderServiceConfig; import com.yahoo.vespa.hosted.athenz.instanceproviderservice.impl.model.IdentityDocument; import com.yahoo.vespa.hosted.athenz.instanceproviderservice.impl.model.ProviderUniqueId; import com.yahoo.vespa.hosted.athenz.instanceproviderservice.impl.model.SignedIdentityDocument; @@ -22,11 +23,17 @@ public class IdentityDocumentGenerator { private final NodeRepository nodeRepository; private final Zone zone; private final KeyProvider keyProvider; + private final String dnsSuffix; + private final String providerService; + private final String ztsUrl; - public IdentityDocumentGenerator(NodeRepository nodeRepository, Zone zone, KeyProvider keyProvider) { + public IdentityDocumentGenerator(AthenzProviderServiceConfig config, NodeRepository nodeRepository, Zone zone, KeyProvider keyProvider) { this.nodeRepository = nodeRepository; this.zone = zone; this.keyProvider = keyProvider; + this.dnsSuffix = config.certDnsSuffix(); + this.providerService = config.serviceName(); + this.ztsUrl = config.ztsUrl(); } public String generateSignedIdentityDocument(String hostname) { 
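Review bot: The constructor copies `config.certDnsSuffix()`, `config.serviceName()` and `config.ztsUrl()` into the new fields without checking them, so a missing or empty config value is silently written into every document the generator emits; `this.ztsUrl = Objects.requireNonNull(config.ztsUrl(), "ztsUrl");` (and the same for the other two, with `java.util.Objects` imported) would fail once at startup instead. The field names also diverge from what the rest of this commit uses for the same values (`ztsUrl` here versus `ztsEndpoint`/`zts-endpoint` in SignedIdentityDocument, `providerService` here versus `serviceName()` on the config), which is cheap to align while the API is new.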
@@ -49,16 +56,20 @@ public class IdentityDocumentGenerator { encodedIdentityDocument, signature, SignedIdentityDocument.DEFAULT_KEY_VERSION, + identityDocument.providerUniqueId.asString(), + dnsSuffix, + providerService, + ztsUrl, SignedIdentityDocument.DEFAILT_DOCUMENT_VERSION ); return Utils.getMapper().writeValueAsString(signedIdentityDocument); } catch (Exception e) { - throw new RuntimeException("Exception generating identity document: " + e.getMessage()); + throw new RuntimeException("Exception generating identity document: " + e.getMessage(), e); } } private IdentityDocument generateIdDocument(Node node) { - Allocation allocation = node.allocation().get(); + Allocation allocation = node.allocation().orElseThrow(() -> new RuntimeException("No allocation for node " + node.hostname())); ProviderUniqueId providerUniqueId = new ProviderUniqueId( allocation.owner().tenant().value(), allocation.owner().application().value(), @@ -74,6 +85,5 @@ public class IdentityDocumentGenerator { node.hostname(), Instant.now()); } - } diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/InstanceValidator.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/InstanceValidator.java index da8a4afebd8..f5c2c319041 100644 --- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/InstanceValidator.java +++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/InstanceValidator.java 
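Review bot: The four values added to the SignedIdentityDocument constructor call (`identityDocument.providerUniqueId.asString()`, `dnsSuffix`, `providerService`, `ztsUrl`) sit next to `encodedIdentityDocument` and `signature` but are not covered by the signature: `signature` is computed over the encoded identity document earlier in this method, and `InstanceValidator.isSignatureValid` in the InstanceValidator hunk below verifies `rawIdentityDocument` only. A consumer that reads `zts-endpoint` or `provider-service` from the envelope therefore acts on an unauthenticated value, and the string `provider-unique-id` can legitimately disagree with the signed `identityDocument.providerUniqueId`. If the receiving node is meant to trust these fields, either fold them into the signed IdentityDocument or state in SignedIdentityDocument's Javadoc that only `identity-document` is authenticated and the remaining fields are advisory; the same applies to the SignedIdentityDocument hunk. generateSignedIdentityDocument starts before this hunk.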
@@ -43,7 +43,7 @@ public class InstanceValidator { return false; } - private static boolean isSignatureValid(PublicKey publicKey, String rawIdentityDocument, String signature) { + public static boolean isSignatureValid(PublicKey publicKey, String rawIdentityDocument, String signature) { try { Signature signatureVerifier = Signature.getInstance("SHA512withRSA"); signatureVerifier.initVerify(publicKey); diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/model/ProviderUniqueId.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/model/ProviderUniqueId.java index ec699120802..810c75ef0c5 100644 --- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/model/ProviderUniqueId.java +++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/model/ProviderUniqueId.java @@ -41,6 +41,10 @@ public class ProviderUniqueId { this.clusterIndex = clusterIndex; } + public String asString() { + return String.format("%s.%s.%s.%s.%s.%s.%d", tenant, application, environment, region, instance, clusterId, clusterIndex); + } + @Override public String toString() { return "ProviderUniqueId{" + diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/model/SignedIdentityDocument.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/model/SignedIdentityDocument.java index 09d57582fa3..37f94d48a95 100644 --- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/model/SignedIdentityDocument.java +++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/model/SignedIdentityDocument.java 
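Review bot: `isSignatureValid` is widened from `private` to `public` only so the new test in AthenzInstanceProviderServiceTest can call it; since that test lives in the parent package rather than `impl`, package-private is not an option, so the now-public method should at least carry a Javadoc fixing its contract, e.g. `/** Verifies {@code signature} over {@code rawIdentityDocument} with SHA512withRSA; other fields of a SignedIdentityDocument are not covered. */`. The method body continues past the hunk.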
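Review bot: `asString` joins the seven components with `.` but nothing escapes a component that itself contains a `.`, so the result is not guaranteed to be unambiguous or reversible, and this commit stores it as `provider-unique-id` in the signed-document envelope. A Javadoc should pin the format and its limits, e.g. `/** Dot-joined "tenant.application.environment.region.instance.clusterId.clusterIndex"; components are not escaped, so the result is informational and not parseable back. */`.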
@@ -23,17 +23,29 @@ public class SignedIdentityDocument { @JsonIgnore public final IdentityDocument identityDocument; @JsonProperty("signature") public final String signature; @JsonProperty("signing-key-version") public final int signingKeyVersion; + @JsonProperty("provider-unique-id") public final String providerUniqueId; // String representation + @JsonProperty("dns-suffix") public final String dnsSuffix; + @JsonProperty("provider-service") public final String providerService; + @JsonProperty("zts-endpoint") public final String ztsEndpoint; @JsonProperty("document-version") public final int documentVersion; @JsonCreator public SignedIdentityDocument(@JsonProperty("identity-document") String rawIdentityDocument, @JsonProperty("signature") String signature, @JsonProperty("signing-key-version") int signingKeyVersion, + @JsonProperty("provider-unique-id") String providerUniqueId, + @JsonProperty("dns-suffix") String dnsSuffix, + @JsonProperty("provider-service") String providerService, + @JsonProperty("zts-endpoint") String ztsEndpoint, @JsonProperty("document-version") int documentVersion) { this.rawIdentityDocument = rawIdentityDocument; this.identityDocument = parseIdentityDocument(rawIdentityDocument); this.signature = signature; this.signingKeyVersion = signingKeyVersion; + this.providerUniqueId = providerUniqueId; + this.dnsSuffix = dnsSuffix; + this.providerService = providerService; + this.ztsEndpoint = ztsEndpoint; this.documentVersion = documentVersion; } diff --git a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzInstanceProviderServiceTest.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzInstanceProviderServiceTest.java index 900bdec6855..125f8a3cb0f 100644 --- a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzInstanceProviderServiceTest.java 
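Review bot: The constructor now takes four consecutive `String` parameters (`providerUniqueId`, `dnsSuffix`, `providerService`, `ztsEndpoint`) whose meaning is fixed only by position, and the updated call site in AthenzInstanceProviderServiceTest passes them as bare literals, so a swapped argument is not caught at compile time. The field comment `// String representation` is the only hint that `providerUniqueId` mirrors `identityDocument.providerUniqueId`; a class Javadoc naming each field, or a check in the constructor such as `if (!identityDocument.providerUniqueId.asString().equals(providerUniqueId)) throw new IllegalArgumentException("provider-unique-id does not match identity-document");`, would make the relationship explicit. The class declaration starts before the hunk.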
+++ b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzInstanceProviderServiceTest.java 
@@ -3,19 +3,34 @@ package com.yahoo.vespa.hosted.athenz.instanceproviderservice; import com.fasterxml.jackson.core.JsonProcessingException; import com.fasterxml.jackson.databind.ObjectMapper; +import com.google.common.collect.ImmutableSet; import com.yahoo.athenz.auth.util.Crypto; +import com.yahoo.component.Version; +import com.yahoo.config.provision.ApplicationId; +import com.yahoo.config.provision.ApplicationName; +import com.yahoo.config.provision.ClusterMembership; import com.yahoo.config.provision.Environment; +import com.yahoo.config.provision.Flavor; +import com.yahoo.config.provision.InstanceName; +import com.yahoo.config.provision.NodeType; import com.yahoo.config.provision.RegionName; +import com.yahoo.config.provision.TenantName; import com.yahoo.config.provision.Zone; import com.yahoo.log.LogLevel; import com.yahoo.vespa.hosted.athenz.identityproviderservice.config.AthenzProviderServiceConfig; +import com.yahoo.vespa.hosted.athenz.instanceproviderservice.impl.IdentityDocumentGenerator; +import com.yahoo.vespa.hosted.athenz.instanceproviderservice.impl.InstanceValidator; import com.yahoo.vespa.hosted.athenz.instanceproviderservice.impl.KeyProvider; import com.yahoo.vespa.hosted.athenz.instanceproviderservice.impl.Utils; import com.yahoo.vespa.hosted.athenz.instanceproviderservice.impl.model.IdentityDocument; import com.yahoo.vespa.hosted.athenz.instanceproviderservice.impl.model.InstanceConfirmation; import com.yahoo.vespa.hosted.athenz.instanceproviderservice.impl.model.ProviderUniqueId; import com.yahoo.vespa.hosted.athenz.instanceproviderservice.impl.model.SignedIdentityDocument; +import com.yahoo.vespa.hosted.provision.Node; import com.yahoo.vespa.hosted.provision.NodeRepository; +import com.yahoo.vespa.hosted.provision.node.Allocation; +import com.yahoo.vespa.hosted.provision.node.Generation; +import com.yahoo.vespa.hosted.provision.testutils.MockNodeFlavors; import org.apache.http.HttpEntity; import org.apache.http.HttpResponse; import 
org.apache.http.HttpStatus; @@ -27,14 +42,19 @@ import org.apache.http.entity.StringEntity; import org.apache.http.impl.client.CloseableHttpClient; import org.apache.http.impl.client.HttpClients; import org.apache.http.ssl.SSLContextBuilder; +import org.bouncycastle.openssl.jcajce.JcaPEMWriter; import org.junit.Ignore; import org.junit.Test; import javax.net.ssl.SSLContext; import java.io.IOException; +import java.io.StringWriter; import java.io.UnsupportedEncodingException; import java.security.InvalidKeyException; +import java.security.Key; import java.security.KeyManagementException; +import java.security.KeyPair; +import java.security.KeyPairGenerator; import java.security.KeyStoreException; import java.security.NoSuchAlgorithmException; import java.security.PrivateKey; @@ -42,13 +62,18 @@ import java.security.Signature; import java.security.SignatureException; import java.time.Instant; import java.util.Base64; +import java.util.HashSet; +import java.util.Optional; import java.util.logging.Logger; import static org.hamcrest.CoreMatchers.equalTo; +import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertFalse; import static org.junit.Assert.assertThat; import static org.junit.Assert.assertTrue; +import static org.mockito.Matchers.eq; import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.when; /** * @author bjorncs 
@@ -66,17 +91,7 @@ public class AthenzInstanceProviderServiceTest { DummyKeyProvider keyProvider = new DummyKeyProvider(); PrivateKey privateKey = Crypto.loadPrivateKey(keyProvider.getPrivateKey(0)); - AthenzProviderServiceConfig config = - new AthenzProviderServiceConfig( - new AthenzProviderServiceConfig.Builder() - .domain(domain) - .serviceName(service) - .port(PORT) - .keyPathPrefix("dummy-path") - .certDnsSuffix("INSERT DNS SUFFIX HERE") - .ztsUrl("INSERT ZTS URL HERE") - .athenzPrincipalHeaderName("INSERT PRINCIPAL HEADER NAME HERE") - .apiPath("/")); + AthenzProviderServiceConfig config = getAthenzProviderConfig(domain, service, "INSERT ZTS URL HERE", "INSERT DNS SUFFIX HERE"); ScheduledExecutorServiceMock executor = new ScheduledExecutorServiceMock(); NodeRepository nodeRepository = mock(NodeRepository.class); 
@@ -97,6 +112,49 @@ public class AthenzInstanceProviderServiceTest { } } + @Test + public void generates_valid_identity_document() throws IOException, NoSuchAlgorithmException, KeyStoreException, KeyManagementException { + String hostname = "x.y.com"; + AutoGeneratedKeyProvider keyProvider = new AutoGeneratedKeyProvider(); + AthenzProviderServiceConfig config = getAthenzProviderConfig("domain", "service", "localhost/zts", "dnsSuffix"); + + NodeRepository nodeRepository = mock(NodeRepository.class); + MockNodeFlavors nodeFlavors = new MockNodeFlavors(); + ApplicationId appid = ApplicationId.from(TenantName.from("tenant"), ApplicationName.from("application"), InstanceName.from("default")); + Allocation allocation = new Allocation(appid, ClusterMembership.from("container/default/0/0", Version.fromString("1.2.3")), Generation.inital(), false); Flavor flavor = nodeFlavors.getFlavorOrThrow("default"); + Node n = Node.create("ostkid", ImmutableSet.of("127.0.0.1"), new HashSet<>(), hostname, Optional.empty(), flavor, NodeType.tenant).with(allocation); + when(nodeRepository.getNode(eq(hostname))).thenReturn(Optional.of(n)); + Zone zone = new Zone(Environment.dev, RegionName.from("us-north-1")); + + IdentityDocumentGenerator identityDocumentGenerator = new IdentityDocumentGenerator(config, nodeRepository, zone, keyProvider); + String rawSignedIdentityDocument = identityDocumentGenerator.generateSignedIdentityDocument(hostname); + + + SignedIdentityDocument signedIdentityDocument = Utils.getMapper().readValue(rawSignedIdentityDocument, SignedIdentityDocument.class); + + // Verify attributes + assertEquals(hostname, signedIdentityDocument.identityDocument.instanceHostname); + ProviderUniqueId expectedProviderUniqueId = new ProviderUniqueId("tenant", "application", "dev", "us-north-1", "default", "default", 0); + assertEquals(expectedProviderUniqueId, signedIdentityDocument.identityDocument.providerUniqueId); + + // Validate signature + assertTrue("Message", 
InstanceValidator.isSignatureValid(Crypto.loadPublicKey(keyProvider.getPublicKey(0)), signedIdentityDocument.rawIdentityDocument, signedIdentityDocument.signature)); + + } + + private AthenzProviderServiceConfig getAthenzProviderConfig(String domain, String service, String ztsUrl, String dnsSuffix) { + return new AthenzProviderServiceConfig( + new AthenzProviderServiceConfig.Builder() + .domain(domain) + .serviceName(service) + .port(PORT) + .keyPathPrefix("dummy-path") + .certDnsSuffix(dnsSuffix) + .ztsUrl(ztsUrl) + .athenzPrincipalHeaderName("INSERT PRINCIPAL HEADER NAME HERE") + .apiPath("/")); + + } private static boolean getStatus(HttpClient client) { try { HttpResponse response = client.execute(new HttpGet("https://localhost:" + PORT + "/status.html")); @@ -143,7 +201,7 @@ public class AthenzInstanceProviderServiceTest { InstanceConfirmation instanceConfirmation = new InstanceConfirmation( "provider", "domain", "service", - new SignedIdentityDocument(encodedIdentityDocument, signature, 0, 1)); + new SignedIdentityDocument(encodedIdentityDocument, signature, 0, identityDocument.providerUniqueId.asString(), "dnssuffix", "service", "localhost/zts",1)); return new StringEntity(mapper.writeValueAsString(instanceConfirmation)); } catch (JsonProcessingException | NoSuchAlgorithmException 
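Review bot: `generates_valid_identity_document` never asserts the fields this commit adds: `signedIdentityDocument.dnsSuffix`, `providerService`, `ztsEndpoint` and `providerUniqueId` are deserialized but not compared with the `"dnsSuffix"`, `"service"` and `"localhost/zts"` values passed to `getAthenzProviderConfig`. Adding `assertEquals("dnsSuffix", signedIdentityDocument.dnsSuffix);`, `assertEquals("localhost/zts", signedIdentityDocument.ztsEndpoint);` and `assertEquals(expectedProviderUniqueId.asString(), signedIdentityDocument.providerUniqueId);` would pin the new wire format. The `assertTrue("Message", ...)` message is a placeholder and should say what failed, e.g. `"signature over identity-document should verify with key version 0"`. `Flavor flavor = ...` shares a line with the `Allocation` construction and belongs on its own line.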
@@ -166,4 +224,37 @@ public class AthenzInstanceProviderServiceTest { return "INSERT PUB KEY"; } } + + private static class AutoGeneratedKeyProvider implements KeyProvider { + + private final String publicKey; + private final String privateKey; + + public AutoGeneratedKeyProvider() throws IOException, NoSuchAlgorithmException { + KeyPairGenerator rsa = KeyPairGenerator.getInstance("RSA"); + rsa.initialize(2048); + KeyPair keyPair = rsa.genKeyPair(); + publicKey = pemEncode("RSA PUBLIC KEY", keyPair.getPublic()); + privateKey = pemEncode("RSA PRIVATE KEY", keyPair.getPrivate()); + } + + private String pemEncode(String description, Key key) throws IOException { + StringWriter stringWriter = new StringWriter(); + JcaPEMWriter pemWriter = new JcaPEMWriter(stringWriter); + pemWriter.writeObject(key); + pemWriter.flush(); + return stringWriter.toString(); + + } + + @Override + public String getPrivateKey(int version) { + return privateKey; + } + + @Override + public String getPublicKey(int version) { + return publicKey; + } + } } diff --git a/config-model/src/test/java/com/yahoo/vespa/model/container/configserver/TestOptions.java b/config-model/src/test/java/com/yahoo/vespa/model/container/configserver/TestOptions.java index 663a656347d..fe5cd3dc029 100644 --- a/config-model/src/test/java/com/yahoo/vespa/model/container/configserver/TestOptions.java +++ b/config-model/src/test/java/com/yahoo/vespa/model/container/configserver/TestOptions.java @@ -115,6 +115,9 @@ public class TestOptions implements CloudConfigOptions { @Override public Optional<String> dockerVespaBaseImage() { return Optional.empty(); } + @Override + public Optional<String> serviceProviderEndpoint() { return Optional.empty(); } + public TestOptions numParallelTenantLoaders(int numLoaders) { this.numParallelTenantLoaders = Optional.of(numLoaders); return this; 
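Review bot: `pemEncode` ignores its `description` parameter, so the `"RSA PUBLIC KEY"`/`"RSA PRIVATE KEY"` labels passed from the constructor have no effect and the PEM header is whatever `JcaPEMWriter` picks for the key type; either drop the parameter or use it. The `JcaPEMWriter` is flushed but never closed; `try (JcaPEMWriter pemWriter = new JcaPEMWriter(stringWriter)) { pemWriter.writeObject(key); }` followed by `return stringWriter.toString();` covers both. `getPrivateKey` and `getPublicKey` ignore `version`, which is fine for a test double but deserves a one-line comment since callers pass a key version they expect to be honoured.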
diff --git a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/AthenzService.java b/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/AthenzService.java index 2acd630aa7d..cc5fa6a889b 100644 --- a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/AthenzService.java +++ b/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/AthenzService.java @@ -43,5 +43,4 @@ public class AthenzService { throw new RuntimeException(e); } } - } diff --git a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/InstanceIdentity.java b/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/InstanceIdentity.java index e2b65685cdb..45ef4c68d8e 100644 --- a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/InstanceIdentity.java +++ b/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/InstanceIdentity.java 
@@ -14,34 +14,42 @@ import java.util.Map; @JsonIgnoreProperties(ignoreUnknown = true) @JsonInclude(JsonInclude.Include.NON_NULL) class InstanceIdentity { - @JsonProperty("attributes") - Map<String, String> attributes; - @JsonProperty("provider") - private String provider; - @JsonProperty("name") - private String name; - @JsonProperty("instanceId") - private String instanceId; - @JsonProperty("x509Certificate") - private String x509Certificate; - @JsonProperty("x509CertificateSigner") - private String x509CertificateSigner; - @JsonProperty("sshCertificate") - private String sshCertificate; - @JsonProperty("sshCertificateSigner") - private String sshCertificateSigner; - @JsonProperty("serviceToken") - private String serviceToken; + @JsonProperty("attributes") private final Map<String, String> attributes; + @JsonProperty("provider") private final String provider; + @JsonProperty("name") private final String name; + @JsonProperty("instanceId") private final String instanceId; + @JsonProperty("x509Certificate") private final String x509Certificate; + @JsonProperty("x509CertificateSigner") private final String x509CertificateSigner; + @JsonProperty("sshCertificate") private final String sshCertificate; + @JsonProperty("sshCertificateSigner") private final String sshCertificateSigner; + @JsonProperty("serviceToken") private final String serviceToken; - public String getX509Certificate() { - return x509Certificate; + public InstanceIdentity( + @JsonProperty("attributes") Map<String, String> attributes, + @JsonProperty("provider") String provider, + @JsonProperty("name") String name, + @JsonProperty("instanceId") String instanceId, + @JsonProperty("x509Certificate") String x509Certificate, + @JsonProperty("x509CertificateSigner") String x509CertificateSigner, + @JsonProperty("sshCertificate") String sshCertificate, + @JsonProperty("sshCertificateSigner") String sshCertificateSigner, + @JsonProperty("serviceToken") String serviceToken) { + this.attributes = attributes; + 
this.provider = provider; + this.name = name; + this.instanceId = instanceId; + this.x509Certificate = x509Certificate; + this.x509CertificateSigner = x509CertificateSigner; + this.sshCertificate = sshCertificate; + this.sshCertificateSigner = sshCertificateSigner; + this.serviceToken = serviceToken; } - public String getServiceToken() { - return serviceToken; + String getX509Certificate() { + return x509Certificate; } - public void setServiceToken(String serviceToken) { - this.serviceToken = serviceToken; + String getServiceToken() { + return serviceToken; } } diff --git a/container-disc/src/test/java/com/yahoo/container/jdisc/athenz/AthenzIdentityProviderTest.java b/container-disc/src/test/java/com/yahoo/container/jdisc/athenz/AthenzIdentityProviderTest.java new file mode 100644 index 00000000000..4b351f1d2c0 --- /dev/null +++ b/container-disc/src/test/java/com/yahoo/container/jdisc/athenz/AthenzIdentityProviderTest.java 
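Review bot: The new constructor annotates every parameter with `@JsonProperty` but carries no `@JsonCreator`, and with all fields now `final` there is no default constructor left, so deserialization relies on Jackson auto-detecting a fully named constructor; SignedIdentityDocument in this same commit marks its constructor `@JsonCreator`, and adding `@JsonCreator` above `public InstanceIdentity(` makes the intent explicit and consistent. `attributes` is stored by reference rather than copied, which is at odds with making the field `final`; `this.attributes = attributes == null ? null : Collections.unmodifiableMap(attributes);` would match the intent without changing the `NON_NULL` serialization behaviour.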
@@ -0,0 +1,47 @@ +package com.yahoo.container.jdisc.athenz; + +import com.yahoo.container.core.identity.IdentityConfig; +import org.junit.Assert; +import org.junit.Test; + +import java.io.IOException; + +import static org.mockito.Matchers.any; +import static org.mockito.Matchers.anyString; +import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.when; + +/** + * @author mortent + */ +public class AthenzIdentityProviderTest { + + @Test + public void ntoken_fetched_on_init() throws IOException { + IdentityConfig config = new IdentityConfig(new IdentityConfig.Builder().serviceName("tenantService").domain("tenantDomain")); + ServiceProviderApi serviceProviderApi = mock(ServiceProviderApi.class); + AthenzService athenzService = mock(AthenzService.class); + + when(serviceProviderApi.getSignedIdentityDocument()).thenReturn(getIdentityDocument()); + when(athenzService.sendInstanceRegisterRequest(any(), anyString())).thenReturn( + new InstanceIdentity(null,null,null,null,null,null, null, null, "TOKEN")); + + AthenzIdentityProvider identityProvider = new AthenzIdentityProvider(config, serviceProviderApi, athenzService); + + Assert.assertEquals("TOKEN", identityProvider.getNToken()); + } + + private String getIdentityDocument() { + return "{\n" + + " \"identity-document\": \"eyJwcm92aWRlci11bmlxdWUtaWQiOnsidGVuYW50IjoidGVuYW50IiwiYXBwbGljYXRpb24iOiJhcHBsaWNhdGlvbiIsImVudmlyb25tZW50IjoiZGV2IiwicmVnaW9uIjoidXMtbm9ydGgtMSIsImluc3RhbmNlIjoiZGVmYXVsdCIsImNsdXN0ZXItaWQiOiJkZWZhdWx0IiwiY2x1c3Rlci1pbmRleCI6MH0sImNvbmZpZ3NlcnZlci1ob3N0bmFtZSI6ImxvY2FsaG9zdCIsImluc3RhbmNlLWhvc3RuYW1lIjoieC55LmNvbSIsImNyZWF0ZWQtYXQiOjE1MDg3NDgyODUuNzQyMDAwMDAwfQ==\",\n" + + " \"signature\": 
\"kkEJB/98cy1FeXxzSjtvGH2a6BFgZu/9/kzCcAqRMZjENxnw5jyO1/bjZVzw2Sz4YHPsWSx2uxb32hiQ0U8rMP0zfA9nERIalSP0jB/hMU8laezGhdpk6VKZPJRC6YKAB9Bsv2qUIfMsSxkMqf66GUvjZAGaYsnNa2yHc1jIYHOGMeJO+HNPYJjGv26xPfAOPIKQzs3RmKrc3FoweTCsIwm5oblqekdJvVWYe0obwlOSB5uwc1zpq3Ie1QBFtJRuCGMVHg1pDPxXKBHLClGIrEvzLmICy6IRdHszSO5qiwujUD7sbrbM0sB/u0cYucxbcsGRUmBvme3UAw2mW9POVQ==\",\n" + + " \"signing-key-version\": 0,\n" + + " \"provider-unique-id\": \"tenant.application.dev.us-north-1.default.default.0\",\n" + + " \"dns-suffix\": \"dnsSuffix\",\n" + + " \"provider-service\": \"service\",\n" + + " \"zts-endpoint\": \"localhost/zts\", \n" + + " \"document-version\": 1\n" + + "}"; + + } +} |
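Review bot: `getIdentityDocument()` returns an opaque base64 blob plus a signature with no comment on what it encodes or how it was produced, which makes the fixture hard to maintain when the document format changes again. A comment such as `// Base64 of an IdentityDocument for tenant/application/dev/us-north-1, instance-hostname x.y.com; signed with a throwaway key — presumably this test does not verify the signature, confirm against AthenzIdentityProvider` would tell the next reader what may safely be edited. `Assert.assertEquals` is used qualified while the other tests in this commit static-import the assertion; pick one style.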