authorMorten Tokle <morten.tokle@gmail.com>2019-10-02 12:57:45 +0200
committerGitHub <noreply@github.com>2019-10-02 12:57:45 +0200
commit01c62ce9ecf975a86aac056b01b6c99d7f1f1b67 (patch)
treec5cd95c66dcdf33697e8f4dce6dfe50f865119c6 /athenz-identity-provider-service
parent131eceb70230554ce9225dbfeb0af57bca80c083 (diff)
Revert "Read secret names from config"
Diffstat (limited to 'athenz-identity-provider-service')
-rw-r--r--athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiHandler.java21
-rw-r--r--athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiTest.java4
-rw-r--r--athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/ContainerTester.java13
3 files changed, 16 insertions, 22 deletions
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiHandler.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiHandler.java
index ca1697c7bb1..28b6c6c0939 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiHandler.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiHandler.java
@@ -2,6 +2,8 @@
package com.yahoo.vespa.hosted.ca.restapi;
import com.google.inject.Inject;
+import com.yahoo.config.provision.SystemName;
+import com.yahoo.config.provision.Zone;
import com.yahoo.container.jdisc.HttpRequest;
import com.yahoo.container.jdisc.HttpResponse;
import com.yahoo.container.jdisc.LoggingRequestHandler;
@@ -13,7 +15,6 @@ import com.yahoo.security.KeyUtils;
import com.yahoo.security.X509CertificateUtils;
import com.yahoo.slime.Slime;
import com.yahoo.vespa.config.SlimeUtils;
-import com.yahoo.vespa.hosted.athenz.instanceproviderservice.config.AthenzProviderServiceConfig;
import com.yahoo.vespa.hosted.ca.Certificates;
import com.yahoo.vespa.hosted.ca.instance.InstanceIdentity;
import com.yahoo.yolean.Exceptions;
@@ -41,20 +42,18 @@ public class CertificateAuthorityApiHandler extends LoggingRequestHandler {
private final SecretStore secretStore;
private final Certificates certificates;
- private final String caPrivateKeySecretName;
- private final String caCertificateSecretName;
+ private final SystemName system;
@Inject
- public CertificateAuthorityApiHandler(Context ctx, SecretStore secretStore, AthenzProviderServiceConfig athenzProviderServiceConfig) {
- this(ctx, secretStore, new Certificates(Clock.systemUTC()), athenzProviderServiceConfig);
+ public CertificateAuthorityApiHandler(Context ctx, SecretStore secretStore, Zone zone) {
+ this(ctx, secretStore, new Certificates(Clock.systemUTC()), zone.system());
}
- CertificateAuthorityApiHandler(Context ctx, SecretStore secretStore, Certificates certificates, AthenzProviderServiceConfig athenzProviderServiceConfig) {
+ CertificateAuthorityApiHandler(Context ctx, SecretStore secretStore, Certificates certificates, SystemName system) {
super(ctx);
this.secretStore = secretStore;
this.certificates = certificates;
- this.caPrivateKeySecretName = athenzProviderServiceConfig.secretName();
- this.caCertificateSecretName = athenzProviderServiceConfig.domain() + ".ca.cert";
+ this.system = system;
}
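Review bot: The new package-private constructor stores `system` without validating it, so a null `SystemName` (or a `Zone` whose `system()` is null) is only detected later inside `caCertificate()`/`caPrivateKey()` when the secret name is formatted, surfacing as an NPE in the middle of a request rather than at wiring time. Since the secret names for both the CA certificate and the CA private key are derived from this field, failing fast here is the cheaper place to catch a misconfigured container: `this.system = Objects.requireNonNull(system, "system");` (this needs `import java.util.Objects;`, which the hunks above do not show). The reverted config-based names at least carried an explicit `secretName` setting; with the derived names it would also help to document the naming scheme on the field, e.g. `/** Selects the per-system CA secrets, see caCertificate() and caPrivateKey() */`. The rest of the class body lies outside this hunk.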
@Override
@@ -102,12 +101,14 @@ public class CertificateAuthorityApiHandler extends LoggingRequestHandler {
/** Returns CA certificate from secret store */
private X509Certificate caCertificate() {
- return X509CertificateUtils.fromPem(secretStore.getSecret(caCertificateSecretName));
+ var keyName = String.format("vespa.external.%s.configserver.ca.cert.cert", system.value().toLowerCase());
+ return X509CertificateUtils.fromPem(secretStore.getSecret(keyName));
}
/** Returns CA private key from secret store */
private PrivateKey caPrivateKey() {
- return KeyUtils.fromPemEncodedPrivateKey(secretStore.getSecret(caPrivateKeySecretName));
+ var keyName = String.format("vespa.external.%s.configserver.ca.key.key", system.value().toLowerCase());
+ return KeyUtils.fromPemEncodedPrivateKey(secretStore.getSecret(keyName));
}
private static <T> T deserializeRequest(HttpRequest request, Function<Slime, T> serializer) {
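Review bot: `system.value().toLowerCase()` is locale-dependent, and for a value that is part of a secret-store lookup key that should be `toLowerCase(Locale.ROOT)` so the key is the same regardless of the JVM's default locale. The two format strings are otherwise identical except for the `cert.cert`/`key.key` suffix, and if `secretStore.getSecret` returns null for a missing secret (I cannot see its contract from here) both `fromPem` calls will fail with a bare NPE that does not say which secret was absent; since these two lookups are the CA's signing material, a failure message should name the secret without ever including its value. The excerpt below pulls the naming into constants and one helper so the certificate and key names cannot drift apart; it needs `import java.util.Locale;` and `import java.util.Objects;` added to the import block outside this hunk.
```java
private static final String CA_CERT_SECRET = "vespa.external.%s.configserver.ca.cert.cert";
private static final String CA_KEY_SECRET = "vespa.external.%s.configserver.ca.key.key";

/** Returns CA certificate from secret store */
private X509Certificate caCertificate() {
    return X509CertificateUtils.fromPem(secret(CA_CERT_SECRET));
}

/** Returns CA private key from secret store */
private PrivateKey caPrivateKey() {
    return KeyUtils.fromPemEncodedPrivateKey(secret(CA_KEY_SECRET));
}

/** Reads the named secret for this system; the failure message names the secret, never its value */
private String secret(String nameFormat) {
    var name = String.format(nameFormat, system.value().toLowerCase(Locale.ROOT));
    return Objects.requireNonNull(secretStore.getSecret(name), () -> "Secret '" + name + "' not found in secret store");
}
```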
diff --git a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiTest.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiTest.java
index 8e4605499f7..a1d708a1107 100644
--- a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiTest.java
+++ b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiTest.java
@@ -98,8 +98,8 @@ public class CertificateAuthorityApiTest extends ContainerTester {
var keyPair = KeyUtils.generateKeypair(KeyAlgorithm.EC, 256);
var caCertificatePem = X509CertificateUtils.toPem(CertificateTester.createCertificate("Vespa CA", keyPair));
var privateKeyPem = KeyUtils.toPem(keyPair.getPrivate());
- secretStore().setSecret("vespa.external.ca.cert", caCertificatePem)
- .setSecret("secretname", privateKeyPem);
+ secretStore().setSecret("vespa.external.main.configserver.ca.cert.cert", caCertificatePem)
+ .setSecret("vespa.external.main.configserver.ca.key.key", privateKeyPem);
}
private void assertIdentityResponse(Request request) {
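Review bot: The two secret names hard-code `main` as the system segment, which silently couples this test to whatever system the `Zone` component in ContainerTester resolves to by default; if that default ever changes, the handler will look up a differently named secret and the test will fail with a missing-secret error rather than anything pointing at the naming mismatch. A short comment on the first `setSecret` line would make the dependency explicit: `// Names must match the system of the Zone component wired in ContainerTester (main)`. The enclosing test method starts before this hunk.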
diff --git a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/ContainerTester.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/ContainerTester.java
index 139314b0f86..2ca45cf7e56 100644
--- a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/ContainerTester.java
+++ b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/ContainerTester.java
@@ -56,16 +56,9 @@ public class ContainerTester {
return "<container version='1.0'>\n" +
" <config name=\"container.handler.threadpool\">\n" +
" <maxthreads>10</maxthreads>\n" +
- " </config>\n" +
- " <config name='vespa.hosted.athenz.instanceproviderservice.config.athenz-provider-service'>\n" +
- " <athenzCaTrustStore>/path/to/file</athenzCaTrustStore>\n" +
- " <domain>vespa.external</domain>\n" +
- " <serviceName>servicename</serviceName>\n" +
- " <secretName>secretname</secretName>\n" +
- " <secretVersion>0</secretVersion>\n" +
- " <certDnsSuffix>suffix</certDnsSuffix>\n" +
- " <ztsUrl>https://localhost:123/</ztsUrl>\n" +
- " </config>\n" +
+ " </config> \n" +
+ " <component id='com.yahoo.vespa.hosted.provision.testutils.MockNodeFlavors'/>\n" +
+ " <component id='com.yahoo.config.provision.Zone'/>\n" +
" <component id='com.yahoo.vespa.hosted.ca.restapi.mock.SecretStoreMock'/>\n" +
" <handler id='com.yahoo.vespa.hosted.ca.restapi.CertificateAuthorityApiHandler'>\n" +
" <binding>http://*/ca/v1/*</binding>\n" +
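Review bot: The added `" </config> \n"` line carries a trailing space before the newline, a whitespace change that is easy to propagate when this services XML is copied elsewhere; it should be `" </config>\n"`. The `MockNodeFlavors` component is also added without anything in the hunk saying why it is needed; if it exists only to satisfy the `Zone` component's injection, a one-line comment such as `// MockNodeFlavors is required to construct the Zone component` would stop a later cleanup from removing it and breaking the test wiring.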