author | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2019-08-26 15:15:53 +0200 |
committer | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2019-08-26 15:15:53 +0200 |
commit | aca45ba95c5fb0b7d9c1fe89ee3a866ff65c76ac (patch) | |
tree | 457edb12eda58d61feab5812fe4ebed72763b6e9 /athenz-identity-provider-service/src/main | |
parent | f49fbf259ea28bf3025580f875885762f12dc651 (diff) |
Include instance hostname in Athenz node certificates
Diffstat (limited to 'athenz-identity-provider-service/src/main')
2 files changed, 36 insertions, 0 deletions
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceConfirmation.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceConfirmation.java
index e6dd40faaca..24998a49faf 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceConfirmation.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceConfirmation.java
@@ -20,6 +20,7 @@ import java.io.IOException;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.Objects;
+import java.util.Optional;
 
 /**
  * InstanceConfirmation object as per Athenz InstanceConfirmation API.
@@ -28,6 +29,8 @@ import java.util.Objects;
  */
 public class InstanceConfirmation {
 
+    static final String HOSTNAME_ATTRIBUTE = "hostname";
+
     @JsonProperty("provider") public final String provider;
     @JsonProperty("domain") public final String domain;
     @JsonProperty("service") public final String service;
@@ -53,6 +56,10 @@ public class InstanceConfirmation {
         attributes.put(name, value);
     }
 
+    public Optional<String> getInstanceHostname() {
+        return Optional.ofNullable(attributes.get(HOSTNAME_ATTRIBUTE));
+    }
+
     @Override
     public String toString() {
         return "InstanceConfirmation{" +
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidator.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidator.java
index f1a93e58526..54611172b57 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidator.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidator.java
@@ -10,6 +10,7 @@ import com.yahoo.config.provision.ApplicationId;
 import com.yahoo.log.LogLevel;
 import com.yahoo.vespa.athenz.api.AthenzService;
 import com.yahoo.vespa.athenz.identityprovider.api.EntityBindingsMapper;
+import com.yahoo.vespa.athenz.identityprovider.api.IdentityType;
 import com.yahoo.vespa.athenz.identityprovider.api.SignedIdentityDocument;
 import com.yahoo.vespa.athenz.identityprovider.api.VespaUniqueInstanceId;
 import com.yahoo.vespa.athenz.identityprovider.client.IdentityDocumentSigner;
@@ -158,6 +159,34 @@ public class InstanceValidator {
             log.log(LogLevel.WARNING, "Invalid InstanceConfirmation, wrong ip in : " + vespaUniqueInstanceId);
             return false;
         }
+
+        // Validate hostname
+        boolean hasValidHostname =
+                confirmation.getInstanceHostname()
+                        .map(requestHostname -> validateHostname(vespaUniqueInstanceId, node, requestHostname))
+                        .orElse(true);
+        if (!hasValidHostname) {
+            return false;
+        }
+
+        return true;
+    }
+
+    private static boolean validateHostname(VespaUniqueInstanceId vespaUniqueInstanceId, Node node, String requestedHostname) {
+        String nodeHostname = node.hostname();
+        if (vespaUniqueInstanceId.type() == IdentityType.TENANT) {
+            log.log(LogLevel.WARNING, "Instance hostname not allowed in tenant certificates");
+            return false;
+        }
+        if (!nodeHostname.equals(requestedHostname)) {
+            log.log(LogLevel.WARNING,
+                    String.format(
+                            "Invalid instance confirmation: request instance hostname is '%s', but node repository has '%s'",
+                            requestedHostname,
+                            nodeHostname));
+
+            return false;
+        }
 
         return true;
     } |
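Review bot: The new `getInstanceHostname()` accessor and the `HOSTNAME_ATTRIBUTE` constant added in the preceding hunk have no documentation, although the value they expose comes straight out of the `attributes` map (presumably deserialized from the Athenz request, given the `@JsonProperty` fields) and is only trustworthy after InstanceValidator has compared it with the node repository. I would put a Javadoc above the method along the lines of `/** Hostname claimed by the requesting instance via the "hostname" attribute; empty when the attribute was not sent. Must be validated before it is relied on. */`. The InstanceConfirmation class continues outside the hunk.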
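Review bot: The warning in the tenant branch of `validateHostname` carries no identifying context, unlike the neighbouring warnings that append `vespaUniqueInstanceId`, so an operator seeing "Instance hostname not allowed in tenant certificates" cannot tell which instance or hostname triggered the rejection; I would change it to `log.log(LogLevel.WARNING, "Instance hostname not allowed in tenant certificates: " + vespaUniqueInstanceId);` and likewise append the instance id to the mismatch message. As a point of style, `node.hostname()` is read before the tenant check that does not use it, and the `hasValidHostname` temporary followed by `if (!hasValidHostname) return false; return true;` could collapse to `return confirmation.getInstanceHostname().map(h -> validateHostname(vespaUniqueInstanceId, node, h)).orElse(true);`. A confirmation that omits the hostname attribute is still accepted through `.orElse(true)`, which looks intentional for compatibility but deserves a one-line comment stating that. The enclosing validation method starts outside the hunk, so whether `node` is guaranteed non-null at this point is not visible here.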