diff options
author | Martin Polden <mpolden@mpolden.no> | 2019-10-10 13:07:01 +0200 |
---|---|---|
committer | Martin Polden <mpolden@mpolden.no> | 2019-10-10 13:08:56 +0200 |
commit | c1670f5b33c5bf3d2b8161b4a1b73f17eb685999 (patch) | |
tree | 1364aaf535aa7bfea6dc99163dec13487bbed3ad /athenz-identity-provider-service/src/test | |
parent | c047a2364581b470d367fc345c8031a38aaf9af8 (diff) |
Parse instance ID from DNS name
Diffstat (limited to 'athenz-identity-provider-service/src/test')
3 files changed, 36 insertions, 15 deletions
diff --git a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/CertificateTester.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/CertificateTester.java index 130a4ec5e66..f24f731801d 100644 --- a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/CertificateTester.java +++ b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/CertificateTester.java @@ -15,6 +15,7 @@ import java.security.KeyPair; import java.security.cert.X509Certificate; import java.time.Duration; import java.time.Instant; +import java.util.List; import static com.yahoo.security.SignatureAlgorithm.SHA256_WITH_ECDSA; @@ -44,14 +45,22 @@ public class CertificateTester { } public static Pkcs10Csr createCsr() { - return createCsr(null); + return createCsr(List.of(), List.of()); } - public static Pkcs10Csr createCsr(String dnsName, String... ipAddresses) { + public static Pkcs10Csr createCsr(String dnsName) { + return createCsr(List.of(dnsName), List.of()); + } + + public static Pkcs10Csr createCsr(List<String> dnsNames) { + return createCsr(dnsNames, List.of()); + } + + public static Pkcs10Csr createCsr(List<String> dnsNames, List<String> ipAddresses) { X500Principal subject = new X500Principal("CN=subject"); KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.EC, 256); var builder = Pkcs10CsrBuilder.fromKeypair(subject, keyPair, SignatureAlgorithm.SHA512_WITH_ECDSA); - if (dnsName != null) { + for (var dnsName : dnsNames) { builder = builder.addSubjectAlternativeName(SubjectAlternativeName.Type.DNS_NAME, dnsName); } for (var ipAddress : ipAddresses) { diff --git a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/CertificatesTest.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/CertificatesTest.java index fa86979656d..9bb733787f1 100644 --- a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/CertificatesTest.java +++ b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/CertificatesTest.java @@ -41,7 +41,7 @@ public class CertificatesTest { var certificates = new Certificates(new ManualClock()); var dnsName = "host.example.com"; var ip = "192.0.2.42"; - var csr = CertificateTester.createCsr(dnsName, ip); + var csr = CertificateTester.createCsr(List.of(dnsName), List.of(ip)); var certificate = certificates.create(csr, caCertificate, keyPair.getPrivate()); assertNotNull(certificate.getSubjectAlternativeNames()); @@ -54,4 +54,12 @@ public class CertificatesTest { subjectAlternativeNames.get(1)); } + @Test + public void parse_instance_id() { + var instanceId = "1.cluster1.default.app1.tenant1.us-north-1.prod.node"; + var instanceIdWithSuffix = instanceId + ".instanceid.athenz.dev-us-north-1.vespa.aws.oath.cloud"; + var csr = CertificateTester.createCsr(List.of("foo", "bar", instanceIdWithSuffix)); + assertEquals(instanceId, Certificates.instanceIdFrom(csr)); + } + } diff --git a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiTest.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiTest.java index 8e4605499f7..21b1e392702 100644 --- a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiTest.java +++ b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiTest.java @@ -17,6 +17,7 @@ import org.junit.Test; import javax.net.ssl.SSLContext; import java.net.URI; import java.nio.charset.StandardCharsets; +import java.util.List; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertTrue; @@ -26,6 +27,9 @@ import static org.junit.Assert.assertTrue; */ public class CertificateAuthorityApiTest extends ContainerTester { + private static final String INSTANCE_ID = "1.cluster1.default.app1.tenant1.us-north-1.prod.node"; + private static final String INSTANCE_ID_WITH_SUFFIX = INSTANCE_ID + ".instanceid.athenz.dev-us-north-1.vespa.aws.oath.cloud"; + @Before public void before() { setCaCertificateAndKey(); @@ -34,7 +38,7 @@ public class CertificateAuthorityApiTest extends ContainerTester { @Test public void register_instance() throws Exception { // POST instance registration - var csr = CertificateTester.createCsr("node1.example.com"); + var csr = CertificateTester.createCsr(List.of("node1.example.com", INSTANCE_ID_WITH_SUFFIX)); assertIdentityResponse(new Request("http://localhost:12345/ca/v1/instance/", instanceRegistrationJson(csr), Request.Method.POST)); @@ -51,8 +55,8 @@ public class CertificateAuthorityApiTest extends ContainerTester { @Test public void refresh_instance() throws Exception { // POST instance refresh - var csr = CertificateTester.createCsr("node1.example.com"); - assertIdentityResponse(new Request("http://localhost:12345/ca/v1/instance/vespa.external.provider_prod_us-north-1/vespa.external/tenant/node1.example.com", + var csr = CertificateTester.createCsr(List.of("node1.example.com", INSTANCE_ID_WITH_SUFFIX)); + assertIdentityResponse(new Request("http://localhost:12345/ca/v1/instance/vespa.external.provider_prod_us-north-1/vespa.external/tenant/" + INSTANCE_ID, instanceRefreshJson(csr), Request.Method.POST)); @@ -60,7 +64,7 @@ public class CertificateAuthorityApiTest extends ContainerTester { var ztsClient = new DefaultZtsClient(URI.create("http://localhost:12345/ca/v1/"), SSLContext.getDefault()); var instanceIdentity = ztsClient.refreshInstance(new AthenzService("vespa.external", "provider_prod_us-north-1"), new AthenzService("vespa.external", "tenant"), - "node1.example.com", + INSTANCE_ID, csr); assertEquals("CN=Vespa CA", instanceIdentity.certificate().getIssuerX500Principal().getName()); } @@ -78,18 +82,18 @@ public class CertificateAuthorityApiTest extends ContainerTester { var request = new Request("http://localhost:12345/ca/v1/instance/", instanceRegistrationJson(csr), Request.Method.POST); - assertResponse(400, "{\"error-code\":\"BAD_REQUEST\",\"message\":\"POST http://localhost:12345/ca/v1/instance/ failed: DNS name not found in CSR\"}", request); + assertResponse(400, "{\"error-code\":\"BAD_REQUEST\",\"message\":\"POST http://localhost:12345/ca/v1/instance/ failed: No instance ID found in CSR\"}", request); // POST instance refresh with missing field - assertResponse(400, "{\"error-code\":\"BAD_REQUEST\",\"message\":\"POST http://localhost:12345/ca/v1/instance/vespa.external.provider_prod_us-north-1/vespa.external/tenant/node1.example.com failed: Missing required field 'csr'\"}", - new Request("http://localhost:12345/ca/v1/instance/vespa.external.provider_prod_us-north-1/vespa.external/tenant/node1.example.com", + assertResponse(400, "{\"error-code\":\"BAD_REQUEST\",\"message\":\"POST http://localhost:12345/ca/v1/instance/vespa.external.provider_prod_us-north-1/vespa.external/tenant/1.cluster1.default.app1.tenant1.us-north-1.prod.node failed: Missing required field 'csr'\"}", + new Request("http://localhost:12345/ca/v1/instance/vespa.external.provider_prod_us-north-1/vespa.external/tenant/" + INSTANCE_ID, new byte[0], Request.Method.POST)); // POST instance refresh where instanceId does not match CSR dnsName - csr = CertificateTester.createCsr("node1.example.com"); - assertResponse(400, "{\"error-code\":\"BAD_REQUEST\",\"message\":\"POST http://localhost:12345/ca/v1/instance/vespa.external.provider_prod_us-north-1/vespa.external/tenant/node2.example.com failed: Mismatched instance ID and SAN DNS name [instanceId=node2.example.com,dnsName=node1.example.com]\"}", - new Request("http://localhost:12345/ca/v1/instance/vespa.external.provider_prod_us-north-1/vespa.external/tenant/node2.example.com", + csr = CertificateTester.createCsr(List.of("node1.example.com", INSTANCE_ID_WITH_SUFFIX)); + assertResponse(400, "{\"error-code\":\"BAD_REQUEST\",\"message\":\"POST http://localhost:12345/ca/v1/instance/vespa.external.provider_prod_us-north-1/vespa.external/tenant/foobar failed: Mismatched instance ID and SAN DNS name [instanceId=foobar,instanceIdFromCsr=1.cluster1.default.app1.tenant1.us-north-1.prod.node]\"}", + new Request("http://localhost:12345/ca/v1/instance/vespa.external.provider_prod_us-north-1/vespa.external/tenant/foobar", instanceRefreshJson(csr), Request.Method.POST)); } @@ -108,7 +112,7 @@ public class CertificateAuthorityApiTest extends ContainerTester { var root = slime.get(); assertEquals("vespa.external.provider_prod_us-north-1", root.field("provider").asString()); assertEquals("tenant", root.field("service").asString()); - assertEquals("node1.example.com", root.field("instanceId").asString()); + assertEquals(INSTANCE_ID, root.field("instanceId").asString()); var pemEncodedCertificate = root.field("x509Certificate").asString(); assertTrue("Response contains PEM certificate", pemEncodedCertificate.startsWith("-----BEGIN CERTIFICATE-----") && |