authorHarald Musum <musum@oath.com>2018-03-08 07:40:10 +0100
committerGitHub <noreply@github.com>2018-03-08 07:40:10 +0100
commite2c4ea34308fa19762da0a16d8c799aaa8e17bb9 (patch)
treeb8a383d2b50d7d98ee8c6f5261e23bf58b8507d4 /athenz-identity-provider-service
parent48ffb83dbe2f4dcbfb1fded9ba8a6cc5ea67b6b9 (diff)
parentdd879f134443d288aae3aca8d024bdb4f2db82bb (diff)
Merge pull request #5239 from vespa-engine/bjorncs/configserver-tls-on-aws
Bjorncs/configserver tls on aws
Diffstat (limited to 'athenz-identity-provider-service')
-rw-r--r--athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzSslKeyStoreConfigurator.java6
-rw-r--r--athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java21
-rw-r--r--athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/AthenzCertificateClient.java40
-rw-r--r--athenz-identity-provider-service/src/main/resources/configdefinitions/athenz-provider-service.def9
-rw-r--r--athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/TestUtils.java5
5 files changed, 25 insertions, 56 deletions
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzSslKeyStoreConfigurator.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzSslKeyStoreConfigurator.java
index da16bfe3c24..31e1a8519f4 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzSslKeyStoreConfigurator.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzSslKeyStoreConfigurator.java
@@ -5,6 +5,7 @@ import com.google.inject.Inject;
import com.yahoo.cloud.config.ConfigserverConfig;
import com.yahoo.component.AbstractComponent;
import com.yahoo.config.provision.Zone;
+import com.yahoo.container.jdisc.athenz.AthenzIdentityProvider;
import com.yahoo.jdisc.http.ssl.SslKeyStoreConfigurator;
import com.yahoo.jdisc.http.ssl.SslKeyStoreContext;
import com.yahoo.log.LogLevel;
@@ -57,13 +58,14 @@ public class AthenzSslKeyStoreConfigurator extends AbstractComponent implements
private volatile KeyStore currentKeyStore;
@Inject
- public AthenzSslKeyStoreConfigurator(KeyProvider keyProvider,
+ public AthenzSslKeyStoreConfigurator(AthenzIdentityProvider bootstrapIdentity,
+ KeyProvider keyProvider,
AthenzProviderServiceConfig config,
Zone zone,
ConfigserverConfig configserverConfig) {
AthenzProviderServiceConfig.Zones zoneConfig = getZoneConfig(config, zone);
Path keystoreCachePath = createKeystoreCachePath(configserverConfig);
- AthenzCertificateClient certificateClient = new AthenzCertificateClient(config, zoneConfig);
+ AthenzCertificateClient certificateClient = new AthenzCertificateClient(bootstrapIdentity, zoneConfig);
Duration updatePeriod = Duration.ofDays(config.updatePeriodDays());
this.certificateClient = certificateClient;
this.keyProvider = keyProvider;
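Review bot: The new `bootstrapIdentity` parameter is handed straight to AthenzCertificateClient on the line `new AthenzCertificateClient(bootstrapIdentity, zoneConfig)` with no Javadoc explaining why this component now needs a second identity in addition to `keyProvider`. From the AthenzCertificateClient hunk it appears to supply the SSL context that authenticates the config server to ZTS when its own certificate is refreshed, so a short constructor Javadoc with `@param bootstrapIdentity identity whose SSL context is used for the ZTS certificate refresh call` would save the next reader a cross-file lookup. The constructor body continues past the end of the hunk.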
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java
index 4dd6881c07e..e3a937919fe 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java
@@ -23,26 +23,17 @@ public class IdentityDocumentGenerator {
private final NodeRepository nodeRepository;
private final Zone zone;
private final KeyProvider keyProvider;
- private final String dnsSuffix;
- private final String providerService;
- private final String ztsUrl;
- private final String providerDomain;
- private final int signingSecretVersion;
+ private final AthenzProviderServiceConfig.Zones zoneConfig;
@Inject
public IdentityDocumentGenerator(AthenzProviderServiceConfig config,
NodeRepository nodeRepository,
Zone zone,
KeyProvider keyProvider) {
- AthenzProviderServiceConfig.Zones zoneConfig = Utils.getZoneConfig(config, zone);
+ this.zoneConfig = Utils.getZoneConfig(config, zone);
this.nodeRepository = nodeRepository;
this.zone = zone;
this.keyProvider = keyProvider;
- this.dnsSuffix = config.certDnsSuffix();
- this.providerService = zoneConfig.serviceName();
- this.ztsUrl = config.ztsUrl();
- this.providerDomain = zoneConfig.domain();
- this.signingSecretVersion = zoneConfig.secretVersion();
}
public SignedIdentityDocument generateSignedIdentityDocument(String hostname) {
@@ -55,7 +46,7 @@ public class IdentityDocumentGenerator {
Base64.getEncoder().encodeToString(identityDocumentString.getBytes());
Signature sigGenerator = Signature.getInstance("SHA512withRSA");
- PrivateKey privateKey = keyProvider.getPrivateKey(signingSecretVersion);
+ PrivateKey privateKey = keyProvider.getPrivateKey(zoneConfig.secretVersion());
sigGenerator.initSign(privateKey);
sigGenerator.update(encodedIdentityDocument.getBytes());
String signature = Base64.getEncoder().encodeToString(sigGenerator.sign());
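Review bot: `keyProvider.getPrivateKey(zoneConfig.secretVersion())` signs with the zone's configured secret version, while the key version written into the signed document in the next hunk is the constant `SignedIdentityDocument.DEFAULT_KEY_VERSION`. If those two can differ for some zone, a verifier would resolve the wrong public key and the signature check would fail; whether they are currently equal is not visible in the diff, and the mismatch predates this change, but the new call site is the natural place to keep them in sync, either by passing `zoneConfig.secretVersion()` as the document's key version or by adding a comment stating why DEFAULT_KEY_VERSION must match the signing version. The enclosing method starts outside this hunk.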
@@ -65,9 +56,9 @@ public class IdentityDocumentGenerator {
signature,
SignedIdentityDocument.DEFAULT_KEY_VERSION,
identityDocument.providerUniqueId.asString(),
- toZoneDnsSuffix(zone, dnsSuffix),
- providerDomain + "." + providerService,
- ztsUrl,
+ toZoneDnsSuffix(zone, zoneConfig.certDnsSuffix()),
+ zoneConfig.domain() + "." + zoneConfig.serviceName(),
+ zoneConfig.ztsUrl(),
SignedIdentityDocument.DEFAULT_DOCUMENT_VERSION);
} catch (Exception e) {
throw new RuntimeException("Exception generating identity document: " + e.getMessage(), e);
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/AthenzCertificateClient.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/AthenzCertificateClient.java
index c849de481dc..ca5c776bf3c 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/AthenzCertificateClient.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/AthenzCertificateClient.java
@@ -1,60 +1,40 @@
// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.vespa.hosted.athenz.instanceproviderservice.impl;
-import com.yahoo.athenz.auth.impl.PrincipalAuthority;
-import com.yahoo.athenz.auth.impl.SimpleServiceIdentityProvider;
import com.yahoo.athenz.auth.util.Crypto;
import com.yahoo.athenz.zts.InstanceRefreshRequest;
import com.yahoo.athenz.zts.ZTSClient;
+import com.yahoo.container.jdisc.athenz.AthenzIdentityProvider;
import com.yahoo.vespa.hosted.athenz.instanceproviderservice.config.AthenzProviderServiceConfig;
+import javax.net.ssl.SSLContext;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
-import java.time.temporal.ChronoUnit;
-import java.time.temporal.TemporalAmount;
-import java.util.concurrent.TimeUnit;
/**
* @author bjorncs
*/
public class AthenzCertificateClient {
- private final AthenzProviderServiceConfig config;
- private final AthenzPrincipalAuthority authority;
private final AthenzProviderServiceConfig.Zones zoneConfig;
+ private final AthenzIdentityProvider bootstrapIdentity;
- public AthenzCertificateClient(AthenzProviderServiceConfig config, AthenzProviderServiceConfig.Zones zoneConfig) {
- this.config = config;
- this.authority = new AthenzPrincipalAuthority(config.athenzPrincipalHeaderName());
+ public AthenzCertificateClient(AthenzIdentityProvider bootstrapIdentity,
+ AthenzProviderServiceConfig.Zones zoneConfig) {
+ this.bootstrapIdentity = bootstrapIdentity;
this.zoneConfig = zoneConfig;
}
public X509Certificate updateCertificate(PrivateKey privateKey) {
- SimpleServiceIdentityProvider identityProvider = new SimpleServiceIdentityProvider(
- authority, zoneConfig.domain(), zoneConfig.serviceName(),
- privateKey, Integer.toString(zoneConfig.secretVersion()), TimeUnit.MINUTES.toSeconds(10));
- ZTSClient ztsClient = new ZTSClient(
- config.ztsUrl(), zoneConfig.domain(), zoneConfig.serviceName(), identityProvider);
+ SSLContext bootstrapSslContext = bootstrapIdentity.getIdentitySslContext();
+ ZTSClient ztsClient = new ZTSClient(zoneConfig.ztsUrl(), bootstrapSslContext);
InstanceRefreshRequest req =
ZTSClient.generateInstanceRefreshRequest(
- zoneConfig.domain(), zoneConfig.serviceName(), privateKey,
- config.certDnsSuffix(), /*expiryTime*/0);
+ zoneConfig.domain(), zoneConfig.serviceName(), privateKey, zoneConfig.certDnsSuffix(), /*expiryTime*/0);
+ req.setKeyId(Integer.toString(zoneConfig.secretVersion()));
String pemEncoded = ztsClient.postInstanceRefreshRequest(zoneConfig.domain(), zoneConfig.serviceName(), req)
.getCertificate();
return Crypto.loadX509Certificate(pemEncoded);
}
- private static class AthenzPrincipalAuthority extends PrincipalAuthority {
- private final String headerName;
-
- public AthenzPrincipalAuthority(String headerName) {
- this.headerName = headerName;
- }
-
- @Override
- public String getHeader() {
- return headerName;
- }
- }
-
}
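Review bot: `new ZTSClient(zoneConfig.ztsUrl(), bootstrapSslContext)` creates a fresh client on every `updateCertificate` call and never closes it; ZTSClient implements Closeable in the Athenz client library and owns the underlying HTTP client, so each refresh leaves resources to the garbage collector. Wrap it in try-with-resources, `try (ZTSClient ztsClient = new ZTSClient(zoneConfig.ztsUrl(), bootstrapSslContext)) {`, enclosing the request construction, the post and the `Crypto.loadX509Certificate` return. The removed code had the same leak, but the rewrite is the moment to fix it. Separately, the `.getCertificate()` result goes into Crypto.loadX509Certificate with no null or empty check, so a ZTS response that carries no certificate would surface as an opaque parse failure rather than a clear error naming the domain and service.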
diff --git a/athenz-identity-provider-service/src/main/resources/configdefinitions/athenz-provider-service.def b/athenz-identity-provider-service/src/main/resources/configdefinitions/athenz-provider-service.def
index d3f758a2240..281db6fb43d 100644
--- a/athenz-identity-provider-service/src/main/resources/configdefinitions/athenz-provider-service.def
+++ b/athenz-identity-provider-service/src/main/resources/configdefinitions/athenz-provider-service.def
@@ -13,14 +13,11 @@ zones{}.secretName string
# Secret version
zones{}.secretVersion int
-# Athenz principal authority header name
-athenzPrincipalHeaderName string default="Athenz-Principal-Auth"
+# Certificate DNS suffix
+zones{}.certDnsSuffix string
# Athenz ZTS server url
-ztsUrl string
-
-# Certificate DNS suffix
-certDnsSuffix string
+zones{}.ztsUrl string
# Path to Athenz CA JKS trust store
athenzCaTrustStore string
diff --git a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/TestUtils.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/TestUtils.java
index da2bf929e82..9271fa74363 100644
--- a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/TestUtils.java
+++ b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/TestUtils.java
@@ -19,13 +19,12 @@ public class TestUtils {
.serviceName(service)
.secretVersion(0)
.domain(domain)
+ .certDnsSuffix(dnsSuffix)
+ .ztsUrl("localhost/zts")
.secretName("s3cr3t");
return new AthenzProviderServiceConfig(
new AthenzProviderServiceConfig.Builder()
.zones(ImmutableMap.of(zone.environment().value() + "." + zone.region().value(), zoneConfig))
- .certDnsSuffix(dnsSuffix)
- .ztsUrl("localhost/zts")
- .athenzPrincipalHeaderName("Athenz-Principal-Auth")
.athenzCaTrustStore("/dummy/path/to/athenz-ca.jks"));
}