author | Morten Tokle <mortent@verizonmedia.com> | 2019-11-26 09:21:10 +0100 |
---|---|---|
committer | Morten Tokle <mortent@verizonmedia.com> | 2019-11-26 09:21:10 +0100 |
commit | b96148d4bc405d7179a7cd670c674d464e28493a (patch) | |
tree | bcbaa9207dd57b4abf46f6315a4aad38a799bde1 /athenz-identity-provider-service/src/main/java | |
parent | 670ca80219ccc3d29ae0b599eb42527978e078db (diff) |
Read principal from cert CN on refresh
Diffstat (limited to 'athenz-identity-provider-service/src/main/java')
-rw-r--r-- | athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiHandler.java | 15 |
1 files changed, 14 insertions, 1 deletions
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiHandler.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiHandler.java
index 4c01b0943e4..a1984557c31 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiHandler.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiHandler.java
@@ -38,6 +38,7 @@ import java.util.Objects;
 import java.util.Optional;
 import java.util.function.Function;
 import java.util.logging.Level;
+import java.util.stream.Stream;
 
 /**
  * REST API for issuing and refreshing node certificates in a hosted Vespa system.
@@ -113,7 +114,9 @@ public class CertificateAuthorityApiHandler extends LoggingRequestHandler {
 private HttpResponse refreshInstance(HttpRequest request, String provider, String service, String instanceId) {
 var instanceRefresh = deserializeRequest(request, InstanceSerializer::refreshFromSlime);
 var instanceIdFromCsr = Certificates.instanceIdFrom(instanceRefresh.csr());
- var athenzService = new AthenzService(request.getJDiscRequest().getUserPrincipal().getName());
+
+ var athenzService = getRequestAthenzService(request);
+
 if (!instanceIdFromCsr.equals(instanceId)) {
 throw new IllegalArgumentException("Mismatch between instance ID in URL path and instance ID in CSR " +
 "[instanceId=" + instanceId + ",instanceIdFromCsr=" + instanceIdFromCsr +
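Review bot: Replacing `request.getJDiscRequest().getUserPrincipal().getName()` with a CN read from the certificate chain leaves no explanation in refreshInstance of why the JDisc principal is no longer the source of identity, and the hunk does not show whether athenzService is afterwards compared with the service named in the URL path or in the CSR (refreshInstance continues outside the hunk). A one-line comment would preserve the intent for the next reader, e.g. `// Identity of the node being refreshed is taken from the CN of its current certificate, not from the JDisc user principal`. The two added blank lines around the single `var athenzService = getRequestAthenzService(request);` also split it from the sibling lookups above it; dropping them keeps the three declarations grouped as they were.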
@@ -172,6 +175,16 @@ public class CertificateAuthorityApiHandler extends LoggingRequestHandler {
 .orElse(Collections.emptyList());
 }
 
+ private AthenzService getRequestAthenzService(HttpRequest request) {
+ return getRequestCertificateChain(request).stream()
+ .findFirst()
+ .map(X509CertificateUtils::getSubjectCommonNames)
+ .map(List::stream)
+ .flatMap(Stream::findFirst)
+ .map(AthenzService::new)
+ .orElseThrow(() -> new RuntimeException("No certificate found"));
+ }
+
 /** Returns CA private key from secret store */
 private PrivateKey caPrivateKey() {
 return KeyUtils.fromPemEncodedPrivateKey(secretStore.getSecret(caPrivateKeySecretName));
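Review bot: getRequestAthenzService takes the subject CN of the first certificate in `getRequestCertificateChain(request)` as the caller's identity, but nothing in this hunk shows whether that chain is the TLS-validated peer chain or merely what the client presented; getRequestCertificateChain is defined outside the hunk, so if it returns an unvalidated chain the service name is chosen by the client. A Javadoc line stating the assumption would make the trust boundary explicit, e.g. `/** Derives the caller's AthenzService from the leaf certificate's CN; relies on the TLS layer having validated the chain against the CA. */`, and `findFirst()` additionally assumes the leaf certificate is first in the chain, which is worth noting there too. The pipeline also silently picks the first of possibly several CNs via `.map(List::stream).flatMap(Stream::findFirst)`; rejecting a certificate whose CN list does not have exactly one entry would be stricter and easier to audit. Finally, `new RuntimeException("No certificate found")` will most likely surface as a generic server error, while a request without a client certificate is an authentication failure that belongs with whatever unauthorized/forbidden mapping the handler already has outside this hunk.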