authorBjørn Christian Seime <bjorncs@yahooinc.com>2023-02-03 12:22:44 +0100
committerBjørn Christian Seime <bjorncs@yahooinc.com>2023-02-03 12:23:24 +0100
commit90892ba4d2a302b1a262fdd1198fac8c6724e44f (patch)
tree0eaa5c41368af736cd3bdb0a36f4b74f4370b886 /athenz-identity-provider-service/src/main
parente09b191faf77bb95b923bb709b2181a0a3ee2c81 (diff)
Add SAN URI with cluster type in instance certificates
Diffstat (limited to 'athenz-identity-provider-service/src/main')
-rw-r--r--athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/IdentityDocumentGenerator.java2
-rw-r--r--athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/InstanceValidator.java4
-rw-r--r--athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/restapi/InstanceSerializer.java3
3 files changed, 5 insertions, 4 deletions
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/IdentityDocumentGenerator.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/IdentityDocumentGenerator.java
index 5042c8cf617..258cd3fc091 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/IdentityDocumentGenerator.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/IdentityDocumentGenerator.java
@@ -65,7 +65,7 @@ public class IdentityDocumentGenerator {
String configServerHostname = HostName.getLocalhost();
Instant createdAt = Instant.now();
- var clusterType = allocation.membership().cluster().type().name();
+ var clusterType = allocation.membership().cluster().type();
String signature = signer.generateSignature(
providerUniqueId, providerService, configServerHostname,
node.hostname(), createdAt, ips, identityType, clusterType, privateKey);
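Review bot: The signature on line 29 now covers a `ClusterSpec.Type` value instead of the `name()` string that was signed before, and the hunk does not show how `signer.generateSignature` serialises that enum; the verifying side and the serializer (which reads the field back with `ClusterSpec.Type.from(...)`) must agree on one canonical form, or every signature over this document fails verification — or, worse, the cluster type is signed in a form that does not match what the certificate and SAN URI carry. I would pin the signed form to the stable enum name rather than `toString()`, and record it at the call site: `// clusterType is part of the signed payload; the signer must use name(), the same string as the SAN URI vespa://cluster-type/<name> and the serializer`. Whether the signer already does this is not visible here, so confirm against the signer implementation and its unit test. The enclosing method starts and ends outside the hunk.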
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/InstanceValidator.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/InstanceValidator.java
index 82f486f1bc0..b316d9fb0b4 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/InstanceValidator.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/InstanceValidator.java
@@ -176,9 +176,9 @@ public class InstanceValidator {
log.log(Level.WARNING, "Invalid SAN URIs: " + urisCommaSeparated);
return false;
}
- var clusterType = node.allocation().map(a -> a.membership().cluster().type().name()).orElse(null);
+ var clusterType = node.allocation().map(a -> a.membership().cluster().type()).orElse(null);
Set<URI> allowedUris = clusterType != null
- ? Set.of(URI.create("vespa://cluster-type/%s".formatted(clusterType))) : Set.of();
+ ? Set.of(URI.create("vespa://cluster-type/%s".formatted(clusterType.name()))) : Set.of();
if (!allowedUris.containsAll(requestedUris)) {
log.log(Level.WARNING, "Illegal SAN URIs: expected '%s' found '%s'".formatted(allowedUris, requestedUris));
return false;
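Review bot: The `containsAll` check on line 43 only enforces requested ⊆ allowed, so a CSR that requests no SAN URI at all is accepted even when the node has an allocation and hence a cluster type; that is presumably intended so older clients that do not request the new SAN keep working, but nothing says so and the next reader may tighten or loosen it by accident. I would record the intent next to the check: `// The cluster-type SAN URI is optional in the CSR, but any URI outside the allowed set is rejected`. Note also that `allowedUris` is derived from `node.allocation()` at validation time rather than from the cluster type carried in the signed identity document, so the two could disagree if the node was reallocated between document issue and CSR validation — the hunk does not show whether that is reconciled elsewhere, so confirm. The enclosing method starts and ends outside the hunk.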
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/restapi/InstanceSerializer.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/restapi/InstanceSerializer.java
index 2e143bc53cc..800636943d9 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/restapi/InstanceSerializer.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/restapi/InstanceSerializer.java
@@ -3,6 +3,7 @@ package com.yahoo.vespa.hosted.ca.restapi;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule;
+import com.yahoo.config.provision.ClusterSpec;
import com.yahoo.security.Pkcs10CsrUtils;
import com.yahoo.security.X509CertificateUtils;
import com.yahoo.slime.ArrayTraverser;
@@ -98,7 +99,7 @@ public class InstanceSerializer {
requireField(IDD_IPADDRESSES_FIELD, root).traverse((ArrayTraverser) (__, entry) -> ips.add(entry.asString()));
IdentityType identityType = IdentityType.fromId(requireField(IDD_IDENTITY_TYPE_FIELD, root).asString());
var clusterTypeField = root.field(IDD_CLUSTER_TYPE_FIELD);
- var clusterType = root.valid() ? clusterTypeField.asString() : null;
+ var clusterType = clusterTypeField.valid() ? ClusterSpec.Type.from(clusterTypeField.asString()) : null;
return new SignedIdentityDocument(signature, (int)signingKeyVersion, providerUniqueId, athenzService, (int)documentVersion,