Include instance hostname in Athenz node certificates

author: Bjørn Christian Seime <bjorncs@verizonmedia.com> 2019-08-26 15:15:53 +0200
committer: Bjørn Christian Seime <bjorncs@verizonmedia.com> 2019-08-26 15:15:53 +0200
commit: aca45ba95c5fb0b7d9c1fe89ee3a866ff65c76ac (patch)
tree: 457edb12eda58d61feab5812fe4ebed72763b6e9 /athenz-identity-provider-service/src/main
parent: f49fbf259ea28bf3025580f875885762f12dc651 (diff)
2 files changed, 36 insertions, 0 deletions
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceConfirmation.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceConfirmation.java
index e6dd40faaca..24998a49faf 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceConfirmation.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceConfirmation.java
@@ -20,6 +20,7 @@ import java.io.IOException;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.Objects;
+import java.util.Optional;
 
 /**
  * InstanceConfirmation object as per Athenz InstanceConfirmation API.
@@ -28,6 +29,8 @@ import java.util.Objects;
  */
 public class InstanceConfirmation {
 
+    static final String HOSTNAME_ATTRIBUTE = "hostname";
+
     @JsonProperty("provider") public final String provider;
     @JsonProperty("domain") public final String domain;
     @JsonProperty("service") public final String service;
@@ -53,6 +56,10 @@ public class InstanceConfirmation {
         attributes.put(name, value);
     }
 
+    public Optional<String> getInstanceHostname() {
+        return Optional.ofNullable(attributes.get(HOSTNAME_ATTRIBUTE));
+    }
+
     @Override
     public String toString() {
         return "InstanceConfirmation{" +
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidator.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidator.java
index f1a93e58526..54611172b57 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidator.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidator.java
@@ -10,6 +10,7 @@ import com.yahoo.config.provision.ApplicationId;
 import com.yahoo.log.LogLevel;
 import com.yahoo.vespa.athenz.api.AthenzService;
 import com.yahoo.vespa.athenz.identityprovider.api.EntityBindingsMapper;
+import com.yahoo.vespa.athenz.identityprovider.api.IdentityType;
 import com.yahoo.vespa.athenz.identityprovider.api.SignedIdentityDocument;
 import com.yahoo.vespa.athenz.identityprovider.api.VespaUniqueInstanceId;
 import com.yahoo.vespa.athenz.identityprovider.client.IdentityDocumentSigner;
@@ -158,6 +159,34 @@ public class InstanceValidator {
             log.log(LogLevel.WARNING, "Invalid InstanceConfirmation, wrong ip in : " + vespaUniqueInstanceId);
             return false;
         }
+
+        // Validate hostname
+        boolean hasValidHostname =
+                confirmation.getInstanceHostname()
+                        .map(requestHostname -> validateHostname(vespaUniqueInstanceId, node, requestHostname))
+                        .orElse(true);
+        if (!hasValidHostname) {
+            return false;
+        }
+
+        return true;
+    }
+
+    private static boolean validateHostname(VespaUniqueInstanceId vespaUniqueInstanceId, Node node, String requestedHostname) {
+        String nodeHostname = node.hostname();
+        if (vespaUniqueInstanceId.type() == IdentityType.TENANT) {
+            log.log(LogLevel.WARNING, "Instance hostname not allowed in tenant certificates");
+            return false;
+        }
+        if (!nodeHostname.equals(requestedHostname)) {
+            log.log(LogLevel.WARNING,
+                    String.format(
+                            "Invalid instance confirmation: request instance hostname is '%s', but node repository has '%s'",
+                            requestedHostname,
+                            nodeHostname));
+
+            return false;
+        }
         return true;
     }
author	Bjørn Christian Seime <bjorncs@verizonmedia.com>	2019-08-26 15:15:53 +0200
committer	Bjørn Christian Seime <bjorncs@verizonmedia.com>	2019-08-26 15:15:53 +0200
commit	aca45ba95c5fb0b7d9c1fe89ee3a866ff65c76ac (patch)
tree	457edb12eda58d61feab5812fe4ebed72763b6e9 /athenz-identity-provider-service/src/main
parent	f49fbf259ea28bf3025580f875885762f12dc651 (diff)