author | Bjørn Christian Seime <bjorncs@oath.com> | 2018-06-12 12:17:24 +0200 |
committer | Bjørn Christian Seime <bjorncs@oath.com> | 2018-06-12 12:31:42 +0200 |
commit | a78e1ec449e493fe8ff4f7131a0fb84bae0eda1d (patch) | |
tree | 1a844e8fc6febc5389d0440f8a6d4cd25fa03723 /athenz-identity-provider-service/src | |
parent | fc0cb46cff6f2097168a204eee123173271c905c (diff) |
Remove temporary access control from '/athenz/v1/identity-document'
Diffstat (limited to 'athenz-identity-provider-service/src')
2 files changed, 3 insertions, 47 deletions
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java index 59126fd023f..5fff85f695d 100644 --- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java +++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java @@ -17,14 +17,12 @@ import com.yahoo.vespa.hosted.provision.Node; import com.yahoo.vespa.hosted.provision.NodeRepository; import com.yahoo.vespa.hosted.provision.node.Allocation; -import java.net.InetAddress; import java.net.URI; import java.security.PrivateKey; import java.security.Signature; import java.time.Instant; import java.util.Base64; import java.util.HashSet; -import java.util.Objects; import java.util.Set; /** 
@@ -110,28 +108,5 @@ public class IdentityDocumentGenerator { return zone.environment().value() + "-" + zone.region().value() + "." + dnsSuffix; } - /* - * Basic access control until we have mutual auth where athenz x509certs are distributed on all docker nodes by node admin - * Checks: - * If remote hostname == requested hostname --> OK - * If remote hostname is parent of requested hostname in node repo --> OK - * Otherwise NOT OK - */ - // TODO Move this check to AuthorizationFilter in node-repository - boolean validateAccess(String hostname, String remoteAddr) { - try { - InetAddress addr = InetAddress.getByName(remoteAddr); - String remoteHostname = addr.getHostName(); - if (Objects.equals(hostname, remoteHostname)) { - return true; - } - Node node = nodeRepository.getNode(hostname).orElseThrow(() -> new RuntimeException("Unable to find node " + hostname)); - return node.parentHostname() - .map(parent -> Objects.equals(parent, remoteHostname)) - .orElse(false); - } catch (Exception e) { - throw new RuntimeException(e); - } - } } diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentResource.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentResource.java index 219e12c7223..7151de9ccc9 100644 --- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentResource.java +++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentResource.java 
@@ -3,27 +3,24 @@ package com.yahoo.vespa.hosted.athenz.instanceproviderservice.identitydocument; import com.google.inject.Inject; import com.yahoo.container.jaxrs.annotation.Component; -import com.yahoo.jdisc.http.servlet.ServletRequest; import com.yahoo.log.LogLevel; import com.yahoo.vespa.athenz.identityprovider.api.EntityBindingsMapper; import com.yahoo.vespa.athenz.identityprovider.api.IdentityType; import com.yahoo.vespa.athenz.identityprovider.api.bindings.IdentityDocumentApi; import com.yahoo.vespa.athenz.identityprovider.api.bindings.SignedIdentityDocumentEntity; -import com.yahoo.vespa.hosted.provision.restapi.v2.filter.NodePrincipal; -import javax.servlet.http.HttpServletRequest; import javax.ws.rs.BadRequestException; -import javax.ws.rs.ForbiddenException; import javax.ws.rs.GET; import javax.ws.rs.InternalServerErrorException; import javax.ws.rs.Path; import javax.ws.rs.PathParam; import javax.ws.rs.Produces; -import javax.ws.rs.core.Context; import javax.ws.rs.core.MediaType; import java.util.logging.Logger; /** + * An API that issues signed identity documents for Vespa nodes. + * * @author bjorncs */ @Path("/identity-document") 
@@ -32,32 +29,16 @@ public class IdentityDocumentResource implements IdentityDocumentApi { private static final Logger log = Logger.getLogger(IdentityDocumentResource.class.getName()); private final IdentityDocumentGenerator identityDocumentGenerator; - private final HttpServletRequest request; @Inject - public IdentityDocumentResource(@Component IdentityDocumentGenerator identityDocumentGenerator, - @Context HttpServletRequest request) { + public IdentityDocumentResource(@Component IdentityDocumentGenerator identityDocumentGenerator) { this.identityDocumentGenerator = identityDocumentGenerator; - this.request = request; } private SignedIdentityDocumentEntity getIdentityDocument(String hostname, IdentityType identityType) { if (hostname == null) { throw new BadRequestException("The 'hostname' query parameter is missing"); } - NodePrincipal principal = (NodePrincipal) request.getAttribute(ServletRequest.JDISC_REQUEST_PRINCIPAL); - String remoteHost; - if (principal == null) { - // TODO Remove once self-signed certs are gone - log.warning("Client is not authenticated - fallback to remote ip"); - remoteHost = request.getRemoteAddr(); - } else { - remoteHost = principal.getHostIdentityName(); - } - // TODO Move this check to AuthorizationFilter in node-repository - if (!identityDocumentGenerator.validateAccess(hostname, remoteHost)) { - throw new ForbiddenException(); - } try { return EntityBindingsMapper.toSignedIdentityDocumentEntity(identityDocumentGenerator.generateSignedIdentityDocument(hostname, identityType)); } catch (Exception e) { |
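Review bot: With the `validateAccess` call and the principal lookup gone, nothing visible in `getIdentityDocument` ties the requested `hostname` to the caller any more, so as far as this hunk shows any client that can reach `/identity-document` can ask for a signed identity document for an arbitrary host. The commit title calls the removed check temporary and the deleted TODO pointed at an AuthorizationFilter in node-repository, but that filter is not part of this diff, so the endpoint is now only as protected as whatever filter chain sits in front of it. I would make that dependency explicit at the top of the method so the next reader does not assume the resource authorizes itself, e.g. `// No caller-to-hostname authorization is done here; this relies on the upstream filter (mutual TLS / AuthorizationFilter) rejecting unauthorized requests before they reach this resource.` The body of `getIdentityDocument` continues past the end of the hunk, so any handling in the `catch` block is not visible here.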