diff options
author | Bjørn Christian Seime <bjorncs@yahooinc.com> | 2023-02-03 12:22:44 +0100 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@yahooinc.com> | 2023-02-03 12:23:24 +0100 |
commit | 90892ba4d2a302b1a262fdd1198fac8c6724e44f (patch) | |
tree | 0eaa5c41368af736cd3bdb0a36f4b74f4370b886 /athenz-identity-provider-service/src/main | |
parent | e09b191faf77bb95b923bb709b2181a0a3ee2c81 (diff) |
Add SAN URI with cluster type in instance certificates
Diffstat (limited to 'athenz-identity-provider-service/src/main')
3 files changed, 5 insertions, 4 deletions
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/IdentityDocumentGenerator.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/IdentityDocumentGenerator.java index 5042c8cf617..258cd3fc091 100644 --- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/IdentityDocumentGenerator.java +++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/IdentityDocumentGenerator.java @@ -65,7 +65,7 @@ public class IdentityDocumentGenerator { String configServerHostname = HostName.getLocalhost(); Instant createdAt = Instant.now(); - var clusterType = allocation.membership().cluster().type().name(); + var clusterType = allocation.membership().cluster().type(); String signature = signer.generateSignature( providerUniqueId, providerService, configServerHostname, node.hostname(), createdAt, ips, identityType, clusterType, privateKey); diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/InstanceValidator.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/InstanceValidator.java index 82f486f1bc0..b316d9fb0b4 100644 --- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/InstanceValidator.java +++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/InstanceValidator.java @@ -176,9 +176,9 @@ public class InstanceValidator { log.log(Level.WARNING, "Invalid SAN URIs: " + urisCommaSeparated); return false; } - var clusterType = node.allocation().map(a -> a.membership().cluster().type().name()).orElse(null); + var clusterType = node.allocation().map(a -> a.membership().cluster().type()).orElse(null); Set<URI> allowedUris = clusterType != null - ? Set.of(URI.create("vespa://cluster-type/%s".formatted(clusterType))) : Set.of(); + ? Set.of(URI.create("vespa://cluster-type/%s".formatted(clusterType.name()))) : Set.of(); if (!allowedUris.containsAll(requestedUris)) { log.log(Level.WARNING, "Illegal SAN URIs: expected '%s' found '%s'".formatted(allowedUris, requestedUris)); return false; diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/restapi/InstanceSerializer.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/restapi/InstanceSerializer.java index 2e143bc53cc..800636943d9 100644 --- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/restapi/InstanceSerializer.java +++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/restapi/InstanceSerializer.java @@ -3,6 +3,7 @@ package com.yahoo.vespa.hosted.ca.restapi; import com.fasterxml.jackson.databind.ObjectMapper; import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule; +import com.yahoo.config.provision.ClusterSpec; import com.yahoo.security.Pkcs10CsrUtils; import com.yahoo.security.X509CertificateUtils; import com.yahoo.slime.ArrayTraverser; @@ -98,7 +99,7 @@ public class InstanceSerializer { requireField(IDD_IPADDRESSES_FIELD, root).traverse((ArrayTraverser) (__, entry) -> ips.add(entry.asString())); IdentityType identityType = IdentityType.fromId(requireField(IDD_IDENTITY_TYPE_FIELD, root).asString()); var clusterTypeField = root.field(IDD_CLUSTER_TYPE_FIELD); - var clusterType = root.valid() ? clusterTypeField.asString() : null; + var clusterType = clusterTypeField.valid() ? ClusterSpec.Type.from(clusterTypeField.asString()) : null; return new SignedIdentityDocument(signature, (int)signingKeyVersion, providerUniqueId, athenzService, (int)documentVersion, |