diff options
author | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2019-08-28 21:40:05 +0200 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2019-08-28 21:40:05 +0200 |
commit | 8b37b6ed1eafc8d8967e4732ea978ed1806eca71 (patch) | |
tree | 3c401b108b9095f8cae4c580737a85f9077042c8 /athenz-identity-provider-service/src | |
parent | ec8efebdb70dd4c07288b0b9c6398af6635dced4 (diff) |
Revert "Include instance hostname in Athenz node certificates"
This reverts commit aca45ba95c5fb0b7d9c1fe89ee3a866ff65c76ac.
Diffstat (limited to 'athenz-identity-provider-service/src')
3 files changed, 6 insertions, 76 deletions
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceConfirmation.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceConfirmation.java index 24998a49faf..e6dd40faaca 100644 --- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceConfirmation.java +++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceConfirmation.java @@ -20,7 +20,6 @@ import java.io.IOException; import java.util.HashMap; import java.util.Map; import java.util.Objects; -import java.util.Optional; /** * InstanceConfirmation object as per Athenz InstanceConfirmation API. @@ -29,8 +28,6 @@ import java.util.Optional; */ public class InstanceConfirmation { - static final String HOSTNAME_ATTRIBUTE = "hostname"; - @JsonProperty("provider") public final String provider; @JsonProperty("domain") public final String domain; @JsonProperty("service") public final String service; @@ -56,10 +53,6 @@ public class InstanceConfirmation { attributes.put(name, value); } - public Optional<String> getInstanceHostname() { - return Optional.ofNullable(attributes.get(HOSTNAME_ATTRIBUTE)); - } - @Override public String toString() { return "InstanceConfirmation{" + diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidator.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidator.java index 54611172b57..f1a93e58526 100644 --- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidator.java +++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidator.java @@ -10,7 +10,6 @@ import com.yahoo.config.provision.ApplicationId; import com.yahoo.log.LogLevel; import com.yahoo.vespa.athenz.api.AthenzService; import com.yahoo.vespa.athenz.identityprovider.api.EntityBindingsMapper; -import com.yahoo.vespa.athenz.identityprovider.api.IdentityType; import com.yahoo.vespa.athenz.identityprovider.api.SignedIdentityDocument; import com.yahoo.vespa.athenz.identityprovider.api.VespaUniqueInstanceId; import com.yahoo.vespa.athenz.identityprovider.client.IdentityDocumentSigner; @@ -159,34 +158,6 @@ public class InstanceValidator { log.log(LogLevel.WARNING, "Invalid InstanceConfirmation, wrong ip in : " + vespaUniqueInstanceId); return false; } - - // Validate hostname - boolean hasValidHostname = - confirmation.getInstanceHostname() - .map(requestHostname -> validateHostname(vespaUniqueInstanceId, node, requestHostname)) - .orElse(true); - if (!hasValidHostname) { - return false; - } - - return true; - } - - private static boolean validateHostname(VespaUniqueInstanceId vespaUniqueInstanceId, Node node, String requestedHostname) { - String nodeHostname = node.hostname(); - if (vespaUniqueInstanceId.type() == IdentityType.TENANT) { - log.log(LogLevel.WARNING, "Instance hostname not allowed in tenant certificates"); - return false; - } - if (!nodeHostname.equals(requestedHostname)) { - log.log(LogLevel.WARNING, - String.format( - "Invalid instance confirmation: request instance hostname is '%s', but node repository has '%s'", - requestedHostname, - nodeHostname)); - - return false; - } return true; } diff --git a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidatorTest.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidatorTest.java index 89ca24f3e93..d5787516254 100644 --- a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidatorTest.java +++ b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidatorTest.java @@ -1,6 +1,7 @@ // Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. package com.yahoo.vespa.hosted.athenz.instanceproviderservice.instanceconfirmation; +import com.google.common.collect.ImmutableList; import com.yahoo.component.Version; import com.yahoo.config.model.api.ApplicationInfo; import com.yahoo.config.model.api.HostInfo; @@ -122,7 +123,7 @@ public class InstanceValidatorTest { nodeList = allocateNode(nodeList, node, applicationId); when(nodeRepository.getNodes()).thenReturn(nodeList); String nodeIp = node.ipAddresses().stream().findAny().orElseThrow(() -> new RuntimeException("No ipaddress for mocked node")); - InstanceConfirmation instanceConfirmation = createRefreshInstanceConfirmation(applicationId, domain, service, IdentityType.NODE, node.hostname(), List.of(nodeIp)); + InstanceConfirmation instanceConfirmation = createRefreshInstanceConfirmation(applicationId, domain, service, ImmutableList.of(nodeIp)); assertTrue(instanceValidator.isValidRefresh(instanceConfirmation)); } @@ -139,41 +140,7 @@ public class InstanceValidatorTest { String nodeIp = node.ipAddresses().stream().findAny().orElseThrow(() -> new RuntimeException("No ipaddress for mocked node")); // Add invalid ip to list of ip addresses - InstanceConfirmation instanceConfirmation = createRefreshInstanceConfirmation(applicationId, domain, service, IdentityType.NODE, node.hostname(), List.of(nodeIp, "::ff")); - - assertFalse(instanceValidator.isValidRefresh(instanceConfirmation)); - } - - @Test - public void rejects_invalid_hostname() { - NodeRepository nodeRepository = mock(NodeRepository.class); - InstanceValidator instanceValidator = new InstanceValidator(null, null, nodeRepository); - - List<Node> nodeList = createNodes(10); - Node node = nodeList.get(0); - nodeList = allocateNode(nodeList, node, applicationId); - when(nodeRepository.getNodes()).thenReturn(nodeList); - String nodeIp = node.ipAddresses().stream().findAny().orElseThrow(() -> new RuntimeException("No ipaddress for mocked node")); - - // Add invalid ip to list of ip addresses - InstanceConfirmation instanceConfirmation = createRefreshInstanceConfirmation(applicationId, domain, service, IdentityType.NODE, "invalidhostname", List.of(nodeIp)); - - assertFalse(instanceValidator.isValidRefresh(instanceConfirmation)); - } - - @Test - public void rejects_hostname_for_tenant_certificates() { - NodeRepository nodeRepository = mock(NodeRepository.class); - InstanceValidator instanceValidator = new InstanceValidator(null, null, nodeRepository); - - List<Node> nodeList = createNodes(10); - Node node = nodeList.get(0); - nodeList = allocateNode(nodeList, node, applicationId); - when(nodeRepository.getNodes()).thenReturn(nodeList); - String nodeIp = node.ipAddresses().stream().findAny().orElseThrow(() -> new RuntimeException("No ipaddress for mocked node")); - - // Add invalid ip to list of ip addresses - InstanceConfirmation instanceConfirmation = createRefreshInstanceConfirmation(applicationId, domain, service, IdentityType.TENANT, node.hostname(), List.of(nodeIp)); + InstanceConfirmation instanceConfirmation = createRefreshInstanceConfirmation(applicationId, domain, service, ImmutableList.of(nodeIp, "::ff")); assertFalse(instanceValidator.isValidRefresh(instanceConfirmation)); } @@ -185,7 +152,7 @@ public class InstanceValidatorTest { List<Node> nodeList = createNodes(10); when(nodeRepository.getNodes()).thenReturn(nodeList); - InstanceConfirmation instanceConfirmation = createRefreshInstanceConfirmation(applicationId, domain, service, IdentityType.NODE, nodeList.get(0).hostname(), List.of("::11")); + InstanceConfirmation instanceConfirmation = createRefreshInstanceConfirmation(applicationId, domain, service, ImmutableList.of("::11")); assertFalse(instanceValidator.isValidRefresh(instanceConfirmation)); @@ -206,11 +173,10 @@ public class InstanceValidatorTest { return createInstanceConfirmation(vespaUniqueInstanceId, domain, service, signedIdentityDocument); } - private InstanceConfirmation createRefreshInstanceConfirmation(ApplicationId applicationId, String domain, String service, IdentityType identityType, String hostname, List<String> ips) { - VespaUniqueInstanceId vespaUniqueInstanceId = new VespaUniqueInstanceId(0, "default", applicationId.instance().value(), applicationId.application().value(), applicationId.tenant().value(), "us-north-1", "dev", identityType); + private InstanceConfirmation createRefreshInstanceConfirmation(ApplicationId applicationId, String domain, String service, List<String> ips) { + VespaUniqueInstanceId vespaUniqueInstanceId = new VespaUniqueInstanceId(0, "default", applicationId.instance().value(), applicationId.application().value(), applicationId.tenant().value(), "us-north-1", "dev", IdentityType.NODE); InstanceConfirmation instanceConfirmation = createInstanceConfirmation(vespaUniqueInstanceId, domain, service, null); instanceConfirmation.set("sanIP", String.join(",", ips)); - instanceConfirmation.set(InstanceConfirmation.HOSTNAME_ATTRIBUTE, hostname); return instanceConfirmation; } |