author | Jon Marius Venstad <jonmv@users.noreply.github.com> | 2020-08-11 16:29:53 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-08-11 16:29:53 +0200 |
commit | ce60b7900412c4df420c86d458535cfd6b01065c (patch) | |
tree | 081fece24c1f6a497bf70cf344811e83c2cd6beb | |
parent | 2489d302d50567e7f145c8aff971bb892c9ce87c (diff) | |
parent | 265de2d8a13bd08472e9872bfffef78e00fe444c (diff) |
Merge pull request #14027 from vespa-engine/revert-14026-andreer/record-certificate-usage
Revert "record when endpoint certificates have last been requested"
6 files changed, 17 insertions, 56 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateMetadata.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateMetadata.java
index e610e5505af..53366c9b922 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateMetadata.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateMetadata.java
@@ -16,21 +16,19 @@ public class EndpointCertificateMetadata {
 private final String keyName;
 private final String certName;
 private final int version;
- private final long lastRequested;
 // TODO: make these fields required once all certs have them stored
 private final Optional<String> request_id;
 private final Optional<List<String>> requestedDnsSans;
 private final Optional<String> issuer;
- public EndpointCertificateMetadata(String keyName, String certName, int version, long lastRequested) {
- this(keyName, certName, version, lastRequested, Optional.empty(), Optional.empty(), Optional.empty());
+ public EndpointCertificateMetadata(String keyName, String certName, int version) {
+ this(keyName, certName, version, Optional.empty(), Optional.empty(), Optional.empty());
 }
- public EndpointCertificateMetadata(String keyName, String certName, int version, long lastRequested, Optional<String> request_id, Optional<List<String>> requestedDnsSans, Optional<String> issuer) {
+ public EndpointCertificateMetadata(String keyName, String certName, int version, Optional<String> request_id, Optional<List<String>> requestedDnsSans, Optional<String> issuer) {
 this.keyName = keyName;
 this.certName = certName;
 this.version = version;
- this.lastRequested = lastRequested;
 this.request_id = request_id;
 this.requestedDnsSans = requestedDnsSans;
 this.issuer = issuer;
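Review bot: The six-argument constructor on the new side stores `keyName`, `certName` and the three `Optional` arguments without any null check, while `equals` and `hashCode` later in this file call `keyName.equals(...)` and `request_id.equals(...)` on those fields, so a null passed here surfaces as a NullPointerException at comparison time instead of at construction. Since `Objects` is already used by `hashCode`, the assignments could read `this.keyName = Objects.requireNonNull(keyName, "keyName");` and likewise for the other reference fields. A one-line Javadoc on the three-argument convenience constructor stating that it leaves the request metadata empty would also help, given the TODO on the fields above it. The class body continues beyond this hunk.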
@@ -48,10 +46,6 @@ public class EndpointCertificateMetadata {
 return version;
 }
- public long lastRequested() {
- return lastRequested;
- }
-
 public Optional<String> request_id() {
 return request_id;
 }
@@ -69,19 +63,6 @@ public class EndpointCertificateMetadata {
 this.keyName,
 this.certName,
 version,
- this.lastRequested,
- this.request_id,
- this.requestedDnsSans,
- this.issuer
- );
- }
-
- public EndpointCertificateMetadata withLastRequested(long lastRequested) {
- return new EndpointCertificateMetadata(
- this.keyName,
- this.certName,
- this.version,
- lastRequested,
 this.request_id,
 this.requestedDnsSans,
 this.issuer
@@ -94,7 +75,6 @@ public class EndpointCertificateMetadata {
 "keyName='" + keyName + '\'' +
 ", certName='" + certName + '\'' +
 ", version=" + version +
- ", lastRequested=" + lastRequested +
 ", request_id=" + request_id +
 ", requestedDnsSans=" + requestedDnsSans +
 ", issuer=" + issuer +
@@ -107,7 +87,6 @@ public class EndpointCertificateMetadata {
 if (o == null || getClass() != o.getClass()) return false;
 EndpointCertificateMetadata that = (EndpointCertificateMetadata) o;
 return version == that.version &&
- lastRequested == that.lastRequested &&
 keyName.equals(that.keyName) &&
 certName.equals(that.certName) &&
 request_id.equals(that.request_id) &&
@@ -117,6 +96,6 @@ public class EndpointCertificateMetadata {
 @Override
 public int hashCode() {
- return Objects.hash(keyName, certName, version, lastRequested, request_id, requestedDnsSans, issuer);
+ return Objects.hash(keyName, certName, version, request_id, requestedDnsSans, issuer);
 }
 }
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateMock.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateMock.java
index a484bb329a3..b0d45b0d7bb 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateMock.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateMock.java
@@ -25,7 +25,7 @@ public class EndpointCertificateMock implements EndpointCertificateProvider {
 this.dnsNames.put(applicationId, dnsNames);
 String endpointCertificatePrefix = String.format("vespa.tls.%s.%s.%s", applicationId.tenant(), applicationId.application(), applicationId.instance());
- return new EndpointCertificateMetadata(endpointCertificatePrefix + "-key", endpointCertificatePrefix + "-cert", 0, 0, Optional.of("mock-id-string"), Optional.of(dnsNames), Optional.of("mockCa"));
+ return new EndpointCertificateMetadata(endpointCertificatePrefix + "-key", endpointCertificatePrefix + "-cert", 0, Optional.of("mock-id-string"), Optional.of(dnsNames), Optional.of("mockCa"));
 }
 @Override
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificateManager.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificateManager.java
index e4ec0b04978..1cf42cf0073 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificateManager.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificateManager.java
@@ -95,7 +95,6 @@ public class EndpointCertificateManager {
 public Optional<EndpointCertificateMetadata> getEndpointCertificateMetadata(Instance instance, ZoneId zone, Optional<DeploymentInstanceSpec> instanceSpec) {
 var t0 = Instant.now();
 Optional<EndpointCertificateMetadata> metadata = getOrProvision(instance, zone, instanceSpec);
- metadata.ifPresent(m -> curator.writeEndpointCertificateMetadata(instance.id(), m.withLastRequested(clock.instant().getEpochSecond())));
 Duration duration = Duration.between(t0, Instant.now());
 if (duration.toSeconds() > 30) log.log(Level.INFO, String.format("Getting endpoint certificate metadata for %s took %d seconds!", instance.id().serializedForm(), duration.toSeconds()));
 return metadata;
@@ -186,7 +185,6 @@ public class EndpointCertificateManager {
 storedMetaData.keyName(),
 storedMetaData.certName(),
 storedMetaData.version(),
- Instant.now().getEpochSecond(),
 providerMetadata.request_id(),
 providerMetadata.requestedDnsSans(),
 providerMetadata.issuer());
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/persistence/EndpointCertificateMetadataSerializer.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/persistence/EndpointCertificateMetadataSerializer.java
index ba882ef7985..80d8270eaaa 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/persistence/EndpointCertificateMetadataSerializer.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/persistence/EndpointCertificateMetadataSerializer.java
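Review bot: `getEndpointCertificateMetadata` times its call with two `Instant.now()` reads even though the class has an injected `clock` (the removed line used `clock.instant()`), so the 30-second slow-call log branch cannot be exercised with a fixed clock in tests; `var t0 = clock.instant();` and `Duration.between(t0, clock.instant())` would keep the method on the injected time source. If the removed write was the only remaining consumer of `clock`, the field is now an unused constructor dependency and should either be dropped or used for this timing. The second hunk, which assembles metadata from `storedMetaData` and `providerMetadata`, begins outside the hunk, so the surrounding method is not visible here.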
@@ -32,7 +32,6 @@ public class EndpointCertificateMetadataSerializer {
 private final static String keyNameField = "keyName";
 private final static String certNameField = "certName";
 private final static String versionField = "version";
- private final static String lastRequestedField = "lastRequested";
 private final static String requestIdField = "requestId";
 private final static String requestedDnsSansField = "requestedDnsSans";
 private final static String issuerField = "issuer";
@@ -43,7 +42,6 @@ public class EndpointCertificateMetadataSerializer {
 object.setString(keyNameField, metadata.keyName());
 object.setString(certNameField, metadata.certName());
 object.setLong(versionField, metadata.version());
- object.setLong(lastRequestedField, metadata.lastRequested());
 metadata.request_id().ifPresent(id -> object.setString(requestIdField, id));
 metadata.requestedDnsSans().ifPresent(sans -> {
@@ -71,16 +69,10 @@ public class EndpointCertificateMetadataSerializer {
 Optional.of(inspector.field(issuerField).asString()) :
 Optional.empty();
- long lastRequested = inspector.field(lastRequestedField).valid() ?
- inspector.field(lastRequestedField).asLong() :
- 1597200000L; // Wed Aug 12 02:40:00 UTC 2020
- // Not originally stored, so we default to when field was added
-
 return new EndpointCertificateMetadata(
 inspector.field(keyNameField).asString(),
 inspector.field(certNameField).asString(),
 Math.toIntExact(inspector.field(versionField).asLong()),
- lastRequested,
 request_id,
 requestedDnsSans,
 issuer);
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificateManagerTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificateManagerTest.java
index fe237797641..d0e87056821 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificateManagerTest.java
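Review bot: In the deserialization hunk the required fields `keyName`, `certName` and `version` are read straight from `inspector.field(...)` without the `.valid()` guard that the optional `issuer` field gets two lines above, so a stored record missing one of them would presumably be turned into a metadata object carrying whatever default the inspector yields for an invalid field rather than being rejected. A guard such as `if (!inspector.field(keyNameField).valid() || !inspector.field(certNameField).valid() || !inspector.field(versionField).valid()) throw new IllegalArgumentException("Missing required endpoint certificate metadata field");` placed before `return new EndpointCertificateMetadata(` would fail fast on a corrupt or truncated record. This matters because the key and cert names appear to serve as secret-store lookup keys (the tests in this commit register secrets under them), so a silently defaulted name is a misconfiguration that only shows up later. The enclosing method begins outside the hunk.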
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificateManagerTest.java
@@ -46,7 +46,7 @@ public class EndpointCertificateManagerTest {
 private final MockCuratorDb mockCuratorDb = new MockCuratorDb();
 private final EndpointCertificateMock endpointCertificateMock = new EndpointCertificateMock();
 private final InMemoryFlagSource inMemoryFlagSource = new InMemoryFlagSource();
- private static final Clock clock = Clock.fixed(Instant.EPOCH, java.time.ZoneId.systemDefault());
+ private final Clock clock = Clock.systemUTC();
 private final EndpointCertificateManager endpointCertificateManager = new EndpointCertificateManager(zoneRegistryMock, mockCuratorDb, secretStore, endpointCertificateMock, clock, inMemoryFlagSource);
@@ -87,7 +87,7 @@ public class EndpointCertificateManagerTest {
 .fromKeypair(
 testKeyPair,
 new X500Principal("CN=test"),
- clock.instant(), clock.instant().plus(5, ChronoUnit.MINUTES),
+ Instant.now(), Instant.now().plus(5, ChronoUnit.MINUTES),
 SignatureAlgorithm.SHA256_WITH_ECDSA,
 X509CertificateBuilder.generateRandomSerialNumber());
 for (String san : sans) x509CertificateBuilder = x509CertificateBuilder.addSubjectAlternativeName(san);
@@ -129,7 +129,7 @@ public class EndpointCertificateManagerTest {
 @Test
 public void reuses_stored_certificate_metadata() {
- mockCuratorDb.writeEndpointCertificateMetadata(testInstance.id(), new EndpointCertificateMetadata(testKeyName, testCertName, 7, 0));
+ mockCuratorDb.writeEndpointCertificateMetadata(testInstance.id(), new EndpointCertificateMetadata(testKeyName, testCertName, 7));
 secretStore.setSecret(testKeyName, KeyUtils.toPem(testKeyPair.getPrivate()), 7);
 secretStore.setSecret(testCertName, X509CertificateUtils.toPem(testCertificate) + X509CertificateUtils.toPem(testCertificate), 7);
 Optional<EndpointCertificateMetadata> endpointCertificateMetadata = endpointCertificateManager.getEndpointCertificateMetadata(testInstance, testZone, Optional.empty());
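Review bot: The new side replaces the fixed `Clock` with `Clock.systemUTC()` and builds the test certificate's validity window from `Instant.now()` instead of `clock.instant()`, so the certificate's five-minute validity and the manager's notion of time now come from separate wall-clock reads and the fixture becomes time-dependent. With `lastRequested` gone the clock may no longer affect any assertion, but keeping `Clock.fixed(...)` and deriving the validity window from `clock.instant()` would keep the manager and the fixture on a single deterministic time source. If the fixed clock was dropped only because the revert no longer needs it, a short comment on the field saying so would save the next reader the question. The test class continues beyond this hunk.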
@@ -148,7 +148,7 @@ public class EndpointCertificateManagerTest {
 secretStore.setSecret(testKeyName, KeyUtils.toPem(testKeyPair.getPrivate()), 8);
 secretStore.setSecret(testKeyName, KeyUtils.toPem(testKeyPair.getPrivate()), 9);
 secretStore.setSecret(testCertName, X509CertificateUtils.toPem(testCertificate) + X509CertificateUtils.toPem(testCertificate), 8);
- mockCuratorDb.writeEndpointCertificateMetadata(testInstance.id(), new EndpointCertificateMetadata(testKeyName, testCertName, 7, 0));
+ mockCuratorDb.writeEndpointCertificateMetadata(testInstance.id(), new EndpointCertificateMetadata(testKeyName, testCertName, 7));
 Optional<EndpointCertificateMetadata> endpointCertificateMetadata = endpointCertificateManager.getEndpointCertificateMetadata(testInstance, testZone, Optional.empty());
 assertTrue(endpointCertificateMetadata.isPresent());
 assertEquals(testKeyName, endpointCertificateMetadata.get().keyName());
@@ -158,7 +158,7 @@ public class EndpointCertificateManagerTest {
 @Test
 public void reprovisions_certificate_when_necessary() {
- mockCuratorDb.writeEndpointCertificateMetadata(testInstance.id(), new EndpointCertificateMetadata(testKeyName, testCertName, -1, 0, Optional.of("uuid"), Optional.of(List.of()), Optional.empty()));
+ mockCuratorDb.writeEndpointCertificateMetadata(testInstance.id(), new EndpointCertificateMetadata(testKeyName, testCertName, -1, Optional.of("uuid"), Optional.of(List.of()), Optional.empty()));
 secretStore.setSecret("vespa.tls.default.default.default-key", KeyUtils.toPem(testKeyPair.getPrivate()), 0);
 secretStore.setSecret("vespa.tls.default.default.default-cert", X509CertificateUtils.toPem(testCertificate) + X509CertificateUtils.toPem(testCertificate), 0);
 Optional<EndpointCertificateMetadata> endpointCertificateMetadata = endpointCertificateManager.getEndpointCertificateMetadata(testInstance, testZone, Optional.empty());
@@ -171,7 +171,7 @@ public class EndpointCertificateManagerTest {
 public void reprovisions_certificate_with_added_sans_when_deploying_to_new_zone() {
 ZoneId testZone = zoneRegistryMock.zones().directlyRouted().in(Environment.prod).zones().stream().skip(1).findFirst().orElseThrow().getId();
- mockCuratorDb.writeEndpointCertificateMetadata(testInstance.id(), new EndpointCertificateMetadata(testKeyName, testCertName, -1, 0, Optional.of("uuid"), Optional.of(expectedSans), Optional.of("mockCa")));
+ mockCuratorDb.writeEndpointCertificateMetadata(testInstance.id(), new EndpointCertificateMetadata(testKeyName, testCertName, -1, Optional.of("uuid"), Optional.of(expectedSans), Optional.of("mockCa")));
 secretStore.setSecret("vespa.tls.default.default.default-key", KeyUtils.toPem(testKeyPair.getPrivate()), -1);
 secretStore.setSecret("vespa.tls.default.default.default-cert", X509CertificateUtils.toPem(testCertificate) + X509CertificateUtils.toPem(testCertificate), -1);
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/persistence/EndpointCertificateMetadataSerializerTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/persistence/EndpointCertificateMetadataSerializerTest.java
index 9c6790f630b..3c80245c025 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/persistence/EndpointCertificateMetadataSerializerTest.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/persistence/EndpointCertificateMetadataSerializerTest.java
@@ -11,21 +11,21 @@ import static org.junit.Assert.*;
 public class EndpointCertificateMetadataSerializerTest {
 private final EndpointCertificateMetadata sample =
- new EndpointCertificateMetadata("keyName", "certName", 1, 0);
+ new EndpointCertificateMetadata("keyName", "certName", 1);
 private final EndpointCertificateMetadata sampleWithRequestMetadata =
- new EndpointCertificateMetadata("keyName", "certName", 1, 0, Optional.of("requestId"), Optional.of(List.of("SAN1", "SAN2")), Optional.of("issuer"));
+ new EndpointCertificateMetadata("keyName", "certName", 1, Optional.of("requestId"), Optional.of(List.of("SAN1", "SAN2")), Optional.of("issuer"));
 @Test
 public void serialize() {
 assertEquals(
- "{\"keyName\":\"keyName\",\"certName\":\"certName\",\"version\":1,\"lastRequested\":0}",
+ "{\"keyName\":\"keyName\",\"certName\":\"certName\",\"version\":1}",
 EndpointCertificateMetadataSerializer.toSlime(sample).toString());
 }
 @Test
 public void serializeWithRequestMetadata() {
 assertEquals(
- "{\"keyName\":\"keyName\",\"certName\":\"certName\",\"version\":1,\"lastRequested\":0,\"requestId\":\"requestId\",\"requestedDnsSans\":[\"SAN1\",\"SAN2\"],\"issuer\":\"issuer\"}",
+ "{\"keyName\":\"keyName\",\"certName\":\"certName\",\"version\":1,\"requestId\":\"requestId\",\"requestedDnsSans\":[\"SAN1\",\"SAN2\"],\"issuer\":\"issuer\"}",
 EndpointCertificateMetadataSerializer.toSlime(sampleWithRequestMetadata).toString());
 }
@@ -34,7 +34,7 @@ public class EndpointCertificateMetadataSerializerTest {
 assertEquals(
 sample,
 EndpointCertificateMetadataSerializer.fromJsonString(
- "{\"keyName\":\"keyName\",\"certName\":\"certName\",\"version\":1,\"lastRequested\":0}"));
+ "{\"keyName\":\"keyName\",\"certName\":\"certName\",\"version\":1}"));
 }
 @Test
@@ -42,14 +42,6 @@ public class EndpointCertificateMetadataSerializerTest {
 assertEquals(
 sampleWithRequestMetadata,
 EndpointCertificateMetadataSerializer.fromJsonString(
- "{\"keyName\":\"keyName\",\"certName\":\"certName\",\"version\":1,\"lastRequested\":0,\"requestId\":\"requestId\",\"requestedDnsSans\":[\"SAN1\",\"SAN2\"],\"issuer\":\"issuer\"}"));
- }
-
- @Test
- public void deserializeFromJsonWithDefaultLastRequested() {
- assertEquals(
- new EndpointCertificateMetadata("keyName", "certName", 1, 1597200000),
- EndpointCertificateMetadataSerializer.fromJsonString(
- "{\"keyName\":\"keyName\",\"certName\":\"certName\",\"version\":1}"));
+ "{\"keyName\":\"keyName\",\"certName\":\"certName\",\"version\":1,\"requestId\":\"requestId\",\"requestedDnsSans\":[\"SAN1\",\"SAN2\"],\"issuer\":\"issuer\"}"));
 }
 } |