authorBjørn Christian Seime <bjorncs@oath.com>2018-04-19 13:33:20 +0200
committerBjørn Christian Seime <bjorncs@oath.com>2018-04-19 14:54:16 +0200
commitbc89a5c29f5c8c84eee09e3fc46cff1bda524766 (patch)
tree1815ca54a818c0611506ddc97a3f72ed92cfbb8b /athenz-identity-provider-service
parent9d67a3260b62851976bb67798410a592a7f3fa77 (diff)
Retrieve host identity through client certificate
Diffstat (limited to 'athenz-identity-provider-service')
-rw-r--r--athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java1
-rw-r--r--athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentResource.java22
2 files changed, 17 insertions, 6 deletions
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java
index 95e9713f335..0ecce2e82c7 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java
@@ -96,6 +96,7 @@ public class IdentityDocumentGenerator {
* If remote hostname is parent of requested hostname in node repo --> OK
* Otherwise NOT OK
*/
+ // TODO Move this check to AuthorizationFilter in node-repository
boolean validateAccess(String hostname, String remoteAddr) {
try {
InetAddress addr = InetAddress.getByName(remoteAddr);
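Review bot: `validateAccess` still names its second parameter `remoteAddr` and passes it to `InetAddress.getByName`, yet the IdentityDocumentResource change in this same commit now hands it `principal.getHostIdentityName()` for authenticated clients. That sends a certificate-derived identity through a name lookup before the comparison, so the authorization decision may depend on DNS even when the caller was authenticated over TLS; the rest of the body lies outside the hunk, so how `addr` is used afterwards cannot be confirmed here. Until the check moves to the filter, a comment such as `// remoteAddr is either the peer IP (unauthenticated fallback) or the host identity name from the client certificate` on the signature would make the dual meaning explicit, and comparing the identity name directly, without resolution, is worth considering.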
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentResource.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentResource.java
index 1d65308577a..943da5cdcb4 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentResource.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentResource.java
@@ -3,13 +3,16 @@ package com.yahoo.vespa.hosted.athenz.instanceproviderservice.identitydocument;
import com.google.inject.Inject;
import com.yahoo.container.jaxrs.annotation.Component;
+import com.yahoo.jdisc.http.servlet.ServletRequest;
import com.yahoo.log.LogLevel;
+import com.yahoo.vespa.hosted.provision.restapi.v2.filter.NodePrincipal;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.BadRequestException;
import javax.ws.rs.ForbiddenException;
import javax.ws.rs.GET;
import javax.ws.rs.InternalServerErrorException;
+import javax.ws.rs.NotAuthorizedException;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
@@ -43,15 +46,22 @@ public class IdentityDocumentResource {
// TODO Make this method private when the rest api is not longer in use
public SignedIdentityDocument getIdentityDocument(@QueryParam("hostname") String hostname,
@Context HttpServletRequest request) {
- // TODO Use TLS client authentication instead of blindly trusting hostname
- // Until we have distributed Athenz x509 certificates we will validate that remote address
- // is authorized to access the provided hostname. This means any container
- if (!identityDocumentGenerator.validateAccess(hostname, request.getRemoteAddr())) {
- throw new ForbiddenException();
- }
if (hostname == null) {
throw new BadRequestException("The 'hostname' query parameter is missing");
}
+ NodePrincipal principal = (NodePrincipal) request.getAttribute(ServletRequest.JDISC_REQUEST_PRINCIPAL);
+ String remoteHost;
+ if (principal == null) {
+ // TODO Remove once self-signed certs are gone
+ log.warning("Client is not authenticated - fallback to remote ip");
+ remoteHost = request.getRemoteAddr();
+ } else {
+ remoteHost = principal.getHostIdentityName();
+ }
+ // TODO Move this check to AuthorizationFilter in node-repository
+ if (!identityDocumentGenerator.validateAccess(hostname, remoteHost)) {
+ throw new ForbiddenException();
+ }
try {
return identityDocumentGenerator.generateSignedIdentityDocument(hostname);
} catch (Exception e) {
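Review bot: The `principal == null` branch keeps the pre-commit trust model alive: a client that presents no certificate is still authorized on `request.getRemoteAddr()`, and the warning does not record which address took that path, so fallback use cannot be audited or measured before the TODO is acted on. Consider `log.warning("Client is not authenticated - fallback to remote ip: " + request.getRemoteAddr());`. The unchecked cast `(NodePrincipal) request.getAttribute(ServletRequest.JDISC_REQUEST_PRINCIPAL)` sits outside the `try`, so if a filter ever stores another principal type under that attribute the request would fail with a ClassCastException instead of a deliberate rejection; an `instanceof NodePrincipal` test before the cast would make that case explicit. The method body continues past the end of the hunk.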