author | Morten Tokle <mortent@yahooinc.com> | 2023-04-27 08:50:52 +0200 |
---|---|---|
committer | Morten Tokle <mortent@yahooinc.com> | 2023-04-27 08:50:52 +0200 |
commit | 4fba60cd48d4befbc38d54487e7bba471ec93a89 (patch) | |
tree | e307fd7d2886ae17191765965e3376e4cc169b60 | |
parent | 58daaccf83103d8b082c8ca724dc5c78f5d84392 (diff) |
Revert "Optional identity document. Skip in public"
This reverts commit 6d58df3ac8ab8e94eb3b7f71d9a3792f97d63e56.
4 files changed, 23 insertions, 36 deletions
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
index 3ab1fdf211b..13c0c5d0bb5 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
@@ -107,10 +107,6 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
 public boolean converge(NodeAgentContext context) {
 var modified = false;
 modified |= maintain(context, NODE);
-
- if (context.zone().getSystemName().isPublic())
- return modified;
-
 if (shouldWriteTenantServiceIdentity(context))
 modified |= maintain(context, TENANT);
 else
@@ -125,10 +121,7 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
 context.log(logger, Level.FINE, "Checking certificate");
 ContainerPath siaDirectory = context.paths().of(CONTAINER_SIA_DIRECTORY, context.users().vespa());
 ContainerPath identityDocumentFile = siaDirectory.resolve(identityType.getIdentityDocument());
- Optional<AthenzIdentity> optionalAthenzIdentity = getAthenzIdentity(context, identityType, identityDocumentFile);
- if (optionalAthenzIdentity.isEmpty())
- return false;
- AthenzIdentity athenzIdentity = optionalAthenzIdentity.get();
+ AthenzIdentity athenzIdentity = getAthenzIdentity(context, identityType, identityDocumentFile);
 ContainerPath privateKeyFile = (ContainerPath) SiaUtils.getPrivateKeyFile(siaDirectory, athenzIdentity);
 ContainerPath certificateFile = (ContainerPath) SiaUtils.getCertificateFile(siaDirectory, athenzIdentity);
 if (!Files.exists(privateKeyFile) || !Files.exists(certificateFile) || !Files.exists(identityDocumentFile)) {
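Review bot: After this hunk `maintain` has no way left to report that no tenant identity exists: `getAthenzIdentity` (hunk at -329 in this file) now either returns an identity or propagates whatever `identityDocumentClient.getTenantIdentityDocument` throws, and the DefaultIdentityDocumentClient hunk at -84 turns every non-2xx response, 404 included, into a `RuntimeException`. So when the identity document file is absent and the config server has no document, the exception escapes `maintain` and therefore `converge`, where the removed lines used to `return false`. If that is the intended contract after the revert, a comment at the call site would spare the next maintainer the same trace: `// For TENANT this may call the config server; any failure, including a missing document, propagates as an unchecked exception`. `maintain`'s signature and the rest of its body lie outside the hunk.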
@@ -210,17 +203,16 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
 var siaDirectory = context.paths().of(CONTAINER_SIA_DIRECTORY, context.users().vespa());
 var identityDocumentFile = siaDirectory.resolve(TENANT.getIdentityDocument());
 if (!Files.exists(identityDocumentFile)) return false;
- return getAthenzIdentity(context, TENANT, identityDocumentFile).map(athenzIdentity -> {
- var privateKeyFile = (ContainerPath) SiaUtils.getPrivateKeyFile(siaDirectory, athenzIdentity);
- var certificateFile = (ContainerPath) SiaUtils.getCertificateFile(siaDirectory, athenzIdentity);
- try {
- return Files.deleteIfExists(identityDocumentFile) ||
- Files.deleteIfExists(privateKeyFile) ||
- Files.deleteIfExists(certificateFile);
- } catch (IOException e) {
- throw new UncheckedIOException(e);
- }
- }).orElse(false);
+ var athenzIdentity = getAthenzIdentity(context, TENANT, identityDocumentFile);
+ var privateKeyFile = (ContainerPath) SiaUtils.getPrivateKeyFile(siaDirectory, athenzIdentity);
+ var certificateFile = (ContainerPath) SiaUtils.getCertificateFile(siaDirectory, athenzIdentity);
+ try {
+ return Files.deleteIfExists(identityDocumentFile) ||
+ Files.deleteIfExists(privateKeyFile) ||
+ Files.deleteIfExists(certificateFile);
+ } catch (IOException e) {
+ throw new UncheckedIOException(e);
+ }
 }
 
 private boolean shouldRefreshCredentials(Duration age) {
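Review bot: The restored delete chain `Files.deleteIfExists(identityDocumentFile) || Files.deleteIfExists(privateKeyFile) || Files.deleteIfExists(certificateFile)` short-circuits: `identityDocumentFile` is known to exist from the check three lines above, so as soon as its deletion returns true the private key and certificate are skipped and stay on disk, which defeats the purpose of removing the tenant credentials. The same `||` chain was in the removed lambda, so the revert does not introduce it, but the reinstated code should run all three deletions before combining their results. The enclosing method's signature is outside the hunk.
```java
// … unchanged: siaDirectory / identityDocumentFile / athenzIdentity setup …
try {
    boolean deleted = Files.deleteIfExists(identityDocumentFile);
    deleted |= Files.deleteIfExists(privateKeyFile);
    deleted |= Files.deleteIfExists(certificateFile);
    return deleted;
} catch (IOException e) {
    throw new UncheckedIOException(e);
}
```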
@@ -329,23 +321,22 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
 private SignedIdentityDocument signedIdentityDocument(NodeAgentContext context, IdentityType identityType) {
 return switch (identityType) {
 case NODE -> identityDocumentClient.getNodeIdentityDocument(context.hostname().value(), documentVersion(context));
- case TENANT -> identityDocumentClient.getTenantIdentityDocument(context.hostname().value(), documentVersion(context)).get();
+ case TENANT -> identityDocumentClient.getTenantIdentityDocument(context.hostname().value(), documentVersion(context));
 };
 }
 
- private Optional<AthenzIdentity> getAthenzIdentity(NodeAgentContext context, IdentityType identityType, ContainerPath identityDocumentFile) {
+ private AthenzIdentity getAthenzIdentity(NodeAgentContext context, IdentityType identityType, ContainerPath identityDocumentFile) {
 return switch (identityType) {
- case NODE -> Optional.of(context.identity());
+ case NODE -> context.identity();
 case TENANT -> getTenantIdentity(context, identityDocumentFile);
 };
 }
 
- private Optional<AthenzIdentity> getTenantIdentity(NodeAgentContext context, ContainerPath identityDocumentFile) {
+ private AthenzIdentity getTenantIdentity(NodeAgentContext context, ContainerPath identityDocumentFile) {
 if (Files.exists(identityDocumentFile)) {
- return Optional.of(EntityBindingsMapper.readSignedIdentityDocumentFromFile(identityDocumentFile).identityDocument().serviceIdentity());
+ return EntityBindingsMapper.readSignedIdentityDocumentFromFile(identityDocumentFile).identityDocument().serviceIdentity();
 } else {
- return identityDocumentClient.getTenantIdentityDocument(context.hostname().value(), documentVersion(context))
- .map(doc -> doc.identityDocument().serviceIdentity());
+ return identityDocumentClient.getTenantIdentityDocument(context.hostname().value(), documentVersion(context)).identityDocument().serviceIdentity();
 }
 }
 
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/IdentityDocumentClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/IdentityDocumentClient.java
index a3c2f0264d3..0e13cba8de9 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/IdentityDocumentClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/IdentityDocumentClient.java
@@ -1,7 +1,6 @@
 // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.vespa.athenz.identityprovider.api;
 
-import java.util.Optional;
 import java.util.OptionalInt;
 
 /**
@@ -11,5 +10,5 @@ import java.util.OptionalInt;
 */
 public interface IdentityDocumentClient {
 SignedIdentityDocument getNodeIdentityDocument(String host, int documentVersion);
- Optional<SignedIdentityDocument> getTenantIdentityDocument(String host, int documentVersion);
+ SignedIdentityDocument getTenantIdentityDocument(String host, int documentVersion);
 }
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java
index d26386702d5..1858653c9b4 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java
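Review bot: `getTenantIdentityDocument` now returns a bare `SignedIdentityDocument`, so the interface no longer states what happens when no document is available, and the only implementation visible here (`DefaultIdentityDocumentClient`, hunk at -84) throws a `RuntimeException` for every non-2xx status. The interface Javadoc is cut off at the `/**` ending the first hunk, so I cannot tell whether it already covers this; if it does not, a method-level comment such as `/** Returns the signed tenant identity document for {@code host}; implementations throw an unchecked exception when it cannot be obtained. */` would pin the contract that `AthenzCredentialsService` and `AthenzCredentialsMaintainer` now rely on without an `Optional` to signal absence.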
@@ -76,7 +76,7 @@ class AthenzCredentialsService {
 KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.RSA);
 IdentityDocumentClient identityDocumentClient = createIdentityDocumentClient();
 // Use legacy version for now.
- SignedIdentityDocument signedDocument = identityDocumentClient.getTenantIdentityDocument(hostname, SignedIdentityDocument.LEGACY_DEFAULT_DOCUMENT_VERSION).orElseThrow();
+ SignedIdentityDocument signedDocument = identityDocumentClient.getTenantIdentityDocument(hostname, SignedIdentityDocument.LEGACY_DEFAULT_DOCUMENT_VERSION);
 IdentityDocument document = signedDocument.identityDocument();
 Pkcs10Csr csr = csrGenerator.generateInstanceCsr(
 tenantIdentity,
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/DefaultIdentityDocumentClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/DefaultIdentityDocumentClient.java
index f95a3335c24..48fc021dced 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/DefaultIdentityDocumentClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/DefaultIdentityDocumentClient.java
@@ -23,7 +23,6 @@ import java.io.IOException;
 import java.io.UncheckedIOException;
 import java.net.URI;
 import java.time.Duration;
-import java.util.Optional;
 import java.util.function.Supplier;
 
 /**
@@ -58,15 +57,15 @@ public class DefaultIdentityDocumentClient implements IdentityDocumentClient {
 
 @Override
 public SignedIdentityDocument getNodeIdentityDocument(String host, int documentVersion) {
- return getIdentityDocument(host, "node", documentVersion).orElseThrow();
+ return getIdentityDocument(host, "node", documentVersion);
 }
 
 @Override
- public Optional<SignedIdentityDocument> getTenantIdentityDocument(String host, int documentVersion) {
+ public SignedIdentityDocument getTenantIdentityDocument(String host, int documentVersion) {
 return getIdentityDocument(host, "tenant", documentVersion);
 }
 
- private Optional<SignedIdentityDocument> getIdentityDocument(String host, String type, int documentVersion) {
+ private SignedIdentityDocument getIdentityDocument(String host, String type, int documentVersion) {
 try (CloseableHttpClient client = createHttpClient(sslContextSupplier.get(), hostnameVerifier)) {
 URI uri = configserverUri
@@ -84,9 +83,7 @@ public class DefaultIdentityDocumentClient implements IdentityDocumentClient {
 int statusCode = response.getStatusLine().getStatusCode();
 if (statusCode >= 200 && statusCode <= 299) {
 SignedIdentityDocumentEntity entity = objectMapper.readValue(responseContent, SignedIdentityDocumentEntity.class);
- return Optional.of(EntityBindingsMapper.toSignedIdentityDocument(entity));
- } else if (statusCode == 404) {
- return Optional.empty();
+ return EntityBindingsMapper.toSignedIdentityDocument(entity);
 } else {
 throw new RuntimeException(
 String.format(
|
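Review bot: With the 404 branch gone, `getIdentityDocument` reports every failure by throwing a raw `RuntimeException` built from the `String.format(` whose arguments lie outside the hunk, so callers can only catch `RuntimeException` and cannot tell "no document for this host" from a transport or server error without parsing the message. A small dedicated unchecked exception in this package — say `IdentityDocumentException` (constructed name) carrying the status code — would let `AthenzCredentialsMaintainer` and `AthenzCredentialsService` react narrowly and removes the raw-`RuntimeException` pattern the style guide flags; I am not proposing to bring the `Optional` back. `getIdentityDocument`'s body spans both hunks and continues past the second.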