authorBjørn Christian Seime <bjorncs@oath.com>2017-11-16 13:49:25 +0100
committerBjørn Christian Seime <bjorncs@oath.com>2017-11-17 13:04:36 +0100
commit6d0a38f454795f4be2945fa4c7213f2a02243805 (patch)
treeeb649e54658ae564de292348423005a07b94c3c3 /athenz-identity-provider-service
parent5dfe2d92972397ceef53432b581579b9fe32108b (diff)
Remove AthenzInstanceProviderService and related classes
Diffstat (limited to 'athenz-identity-provider-service')
-rw-r--r--athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzInstanceProviderService.java205
-rw-r--r--athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/FileBackedKeyProvider.java44
-rw-r--r--athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/StatusServlet.java21
-rw-r--r--athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzInstanceProviderServiceTest.java218
-rw-r--r--athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AutoGeneratedKeyProvider.java42
-rw-r--r--athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/TestUtils.java35
-rw-r--r--athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/IdentityDocumentGeneratorTest.java6
-rw-r--r--athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/InstanceValidatorTest.java4
8 files changed, 82 insertions, 493 deletions
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzInstanceProviderService.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzInstanceProviderService.java
deleted file mode 100644
index e6280abfacb..00000000000
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzInstanceProviderService.java
+++ /dev/null
@@ -1,205 +0,0 @@
-// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.vespa.hosted.athenz.instanceproviderservice;
-
-import com.google.inject.Inject;
-import com.yahoo.component.AbstractComponent;
-import com.yahoo.config.model.api.SuperModelProvider;
-import com.yahoo.config.provision.SystemName;
-import com.yahoo.config.provision.Zone;
-import com.yahoo.jdisc.http.SecretStore;
-import com.yahoo.log.LogLevel;
-import com.yahoo.net.HostName;
-import com.yahoo.vespa.hosted.athenz.instanceproviderservice.ca.CertificateSigner;
-import com.yahoo.vespa.hosted.athenz.instanceproviderservice.config.AthenzProviderServiceConfig;
-import com.yahoo.vespa.hosted.athenz.instanceproviderservice.impl.AthenzCertificateClient;
-import com.yahoo.vespa.hosted.athenz.instanceproviderservice.impl.CertificateClient;
-import com.yahoo.vespa.hosted.athenz.instanceproviderservice.impl.IdentityDocumentGenerator;
-import com.yahoo.vespa.hosted.athenz.instanceproviderservice.impl.InstanceValidator;
-import com.yahoo.vespa.hosted.athenz.instanceproviderservice.impl.KeyProvider;
-import com.yahoo.vespa.hosted.athenz.instanceproviderservice.impl.SecretStoreKeyProvider;
-import com.yahoo.vespa.hosted.athenz.instanceproviderservice.impl.StatusServlet;
-import com.yahoo.vespa.hosted.provision.NodeRepository;
-import org.eclipse.jetty.server.Server;
-import org.eclipse.jetty.server.ServerConnector;
-import org.eclipse.jetty.servlet.ServletHandler;
-import org.eclipse.jetty.util.ssl.SslContextFactory;
-
-import java.security.KeyStore;
-import java.security.PrivateKey;
-import java.security.cert.Certificate;
-import java.security.cert.X509Certificate;
-import java.time.Duration;
-import java.time.temporal.TemporalAmount;
-import java.util.concurrent.Executors;
-import java.util.concurrent.ScheduledExecutorService;
-import java.util.concurrent.TimeUnit;
-import java.util.logging.Logger;
-
-/**
- * A component acting as both SIA for configserver and provides a lightweight Jetty instance hosting the InstanceConfirmation API
- *
- * @author bjorncs
- */
-public class AthenzInstanceProviderService extends AbstractComponent {
-
- private static final Logger log = Logger.getLogger(AthenzInstanceProviderService.class.getName());
-
- private final ScheduledExecutorService scheduler;
- private final Server jetty;
-
- @Inject
- public AthenzInstanceProviderService(AthenzProviderServiceConfig config, SuperModelProvider superModelProvider,
- NodeRepository nodeRepository, Zone zone, SecretStore secretStore) {
- this(config, new SecretStoreKeyProvider(secretStore, getZoneConfig(config, zone).secretName()), Executors.newSingleThreadScheduledExecutor(),
- superModelProvider, nodeRepository, zone, new AthenzCertificateClient(config, getZoneConfig(config, zone)), createSslContextFactory());
- }
-
- private AthenzInstanceProviderService(AthenzProviderServiceConfig config,
- KeyProvider keyProvider,
- ScheduledExecutorService scheduler,
- SuperModelProvider superModelProvider,
- NodeRepository nodeRepository,
- Zone zone,
- CertificateClient certificateClient,
- SslContextFactory sslContextFactory) {
- this(config, scheduler, zone, sslContextFactory,
- new CertificateSigner(keyProvider, getZoneConfig(config, zone), HostName.getLocalhost()),
- new InstanceValidator(keyProvider, superModelProvider),
- new IdentityDocumentGenerator(config, getZoneConfig(config, zone), nodeRepository, zone, keyProvider),
- new AthenzCertificateUpdater(
- certificateClient, sslContextFactory, keyProvider, config, getZoneConfig(config, zone)));
- }
-
- AthenzInstanceProviderService(AthenzProviderServiceConfig config,
- ScheduledExecutorService scheduler,
- Zone zone,
- SslContextFactory sslContextFactory,
- CertificateSigner certificateSigner,
- InstanceValidator instanceValidator,
- IdentityDocumentGenerator identityDocumentGenerator,
- AthenzCertificateUpdater reloader) {
- // TODO: Enable for all systems. Currently enabled for CD system only
- if (SystemName.cd.equals(zone.system())) {
- this.scheduler = scheduler;
- this.jetty = createJettyServer(config, sslContextFactory,
- certificateSigner, instanceValidator, identityDocumentGenerator);
-
- // TODO Configurable update frequency
- scheduler.scheduleAtFixedRate(reloader, 0, 1, TimeUnit.DAYS);
- try {
- jetty.start();
- } catch (Exception e) {
- throw new RuntimeException(e);
- }
- } else {
- this.scheduler = null;
- this.jetty = null;
- }
- }
-
- private static Server createJettyServer(AthenzProviderServiceConfig config,
- SslContextFactory sslContextFactory,
- CertificateSigner certificateSigner,
- InstanceValidator instanceValidator,
- IdentityDocumentGenerator identityDocumentGenerator) {
- Server server = new Server();
- ServerConnector connector = new ServerConnector(server, sslContextFactory);
- connector.setPort(config.port());
- server.addConnector(connector);
-
- ServletHandler handler = new ServletHandler();
-
- handler.addServletWithMapping(StatusServlet.class, "/status.html");
- server.setHandler(handler);
- return server;
-
- }
-
- private static AthenzProviderServiceConfig.Zones getZoneConfig(AthenzProviderServiceConfig config, Zone zone) {
- String key = zone.environment().value() + "." + zone.region().value();
- return config.zones(key);
- }
-
- static SslContextFactory createSslContextFactory() {
- try {
- SslContextFactory sslContextFactory = new SslContextFactory();
- sslContextFactory.setWantClientAuth(true);
- sslContextFactory.setProtocol("TLS");
- sslContextFactory.setKeyManagerFactoryAlgorithm("SunX509");
- return sslContextFactory;
- } catch (Exception e) {
- throw new IllegalArgumentException("Failed to create SSL context factory: " + e.getMessage(), e);
- }
- }
-
- static class AthenzCertificateUpdater implements Runnable {
-
- // TODO Make expiry a configuration parameter
- private static final TemporalAmount EXPIRY_TIME = Duration.ofDays(30);
- private static final Logger log = Logger.getLogger(AthenzCertificateUpdater.class.getName());
-
- private final CertificateClient certificateClient;
- private final SslContextFactory sslContextFactory;
- private final KeyProvider keyProvider;
- private final AthenzProviderServiceConfig config;
- private final AthenzProviderServiceConfig.Zones zoneConfig;
-
- AthenzCertificateUpdater(CertificateClient certificateClient,
- SslContextFactory sslContextFactory,
- KeyProvider keyProvider,
- AthenzProviderServiceConfig config,
- AthenzProviderServiceConfig.Zones zoneConfig) {
- this.certificateClient = certificateClient;
- this.sslContextFactory = sslContextFactory;
- this.keyProvider = keyProvider;
- this.config = config;
- this.zoneConfig = zoneConfig;
- }
-
- @Override
- public void run() {
- try {
- log.log(LogLevel.INFO, "Updating Athenz certificate through ZTS");
- PrivateKey privateKey = keyProvider.getPrivateKey(zoneConfig.secretVersion());
- X509Certificate certificate = certificateClient.updateCertificate(privateKey, EXPIRY_TIME);
-
- String dummyPassword = "athenz";
- KeyStore keyStore = KeyStore.getInstance("JKS");
- keyStore.load(null);
- keyStore.setKeyEntry("athenz",
- privateKey,
- dummyPassword.toCharArray(),
- new Certificate[]{certificate});
-
- sslContextFactory.reload(sslContextFactory -> {
- sslContextFactory.setKeyStore(keyStore);
- sslContextFactory.setKeyStorePassword(dummyPassword);
- });
- log.log(LogLevel.INFO, "Athenz certificate reload successfully completed");
- } catch (Throwable e) {
- log.log(LogLevel.ERROR, "Failed to update certificate from ZTS: " + e.getMessage(), e);
- }
- }
- }
-
- @Override
- public void deconstruct() {
- try {
- // TODO: Fix deconstruct when setup properly in all zones
- log.log(LogLevel.INFO, "Deconstructing Athenz provider service");
- if(scheduler != null)
- scheduler.shutdown();
- if(jetty != null)
- jetty.stop();
- if (scheduler != null && !scheduler.awaitTermination(1, TimeUnit.MINUTES)) {
- log.log(LogLevel.ERROR, "Failed to stop certificate updater");
- }
- } catch (InterruptedException e) {
- log.log(LogLevel.ERROR, "Failed to stop certificate updater: " + e.getMessage(), e);
- } catch (Exception e) {
- log.log(LogLevel.ERROR, "Failed to stop Jetty: " + e.getMessage(), e);
- } finally {
- super.deconstruct();
- }
- }
-}
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/FileBackedKeyProvider.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/FileBackedKeyProvider.java
deleted file mode 100644
index 40a2a1dbcc9..00000000000
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/FileBackedKeyProvider.java
+++ /dev/null
@@ -1,44 +0,0 @@
-// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.vespa.hosted.athenz.instanceproviderservice.impl;
-
-import com.yahoo.athenz.auth.util.Crypto;
-
-import java.io.File;
-import java.io.IOException;
-import java.io.UncheckedIOException;
-import java.nio.file.Files;
-import java.security.PrivateKey;
-import java.security.PublicKey;
-
-/**
- * @author bjorncs
- */
-public class FileBackedKeyProvider implements KeyProvider {
-
- private final String keyPathPrefix;
-
- public FileBackedKeyProvider(String keyPathPrefix) {
- this.keyPathPrefix = keyPathPrefix;
- }
-
- @Override
- public PrivateKey getPrivateKey(int version) {
- return Crypto.loadPrivateKey(readPemStringFromFile(new File(keyPathPrefix + ".priv." + version)));
- }
-
- @Override
- public PublicKey getPublicKey(int version) {
- return Crypto.loadPublicKey(readPemStringFromFile(new File(keyPathPrefix + ".pub." + version)));
- }
-
- private static String readPemStringFromFile(File file) {
- try {
- if (!file.exists() || !file.isFile()) {
- throw new IllegalArgumentException("Key missing: " + file.getAbsolutePath());
- }
- return new String(Files.readAllBytes(file.toPath()));
- } catch (IOException e) {
- throw new UncheckedIOException(e);
- }
- }
-}
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/StatusServlet.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/StatusServlet.java
deleted file mode 100644
index fd5ba5843aa..00000000000
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/StatusServlet.java
+++ /dev/null
@@ -1,21 +0,0 @@
-// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.vespa.hosted.athenz.instanceproviderservice.impl;
-
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServlet;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import java.io.IOException;
-
-/**
- * A simple status servlet that should return status code 200 as long as the provider service servlet is up.
- *
- * @author bjorncs
- */
-public class StatusServlet extends HttpServlet {
-
- @Override
- protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
- resp.setStatus(HttpServletResponse.SC_OK);
- }
-}
diff --git a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzInstanceProviderServiceTest.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzInstanceProviderServiceTest.java
deleted file mode 100644
index c58e86f7585..00000000000
--- a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzInstanceProviderServiceTest.java
+++ /dev/null
@@ -1,218 +0,0 @@
-// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.vespa.hosted.athenz.instanceproviderservice;
-
-import athenz.shade.zts.jersey.repackaged.com.google.common.collect.ImmutableMap;
-import com.yahoo.config.provision.Environment;
-import com.yahoo.config.provision.RegionName;
-import com.yahoo.config.provision.SystemName;
-import com.yahoo.config.provision.Zone;
-import com.yahoo.log.LogLevel;
-import com.yahoo.vespa.hosted.athenz.instanceproviderservice.AthenzInstanceProviderService.AthenzCertificateUpdater;
-import com.yahoo.vespa.hosted.athenz.instanceproviderservice.ca.CertificateSigner;
-import com.yahoo.vespa.hosted.athenz.instanceproviderservice.config.AthenzProviderServiceConfig;
-import com.yahoo.vespa.hosted.athenz.instanceproviderservice.impl.CertificateClient;
-import com.yahoo.vespa.hosted.athenz.instanceproviderservice.impl.IdentityDocumentGenerator;
-import com.yahoo.vespa.hosted.athenz.instanceproviderservice.impl.InstanceValidator;
-import com.yahoo.vespa.hosted.athenz.instanceproviderservice.impl.KeyProvider;
-import org.apache.http.HttpResponse;
-import org.apache.http.HttpStatus;
-import org.apache.http.client.HttpClient;
-import org.apache.http.client.methods.HttpGet;
-import org.apache.http.conn.ssl.NoopHostnameVerifier;
-import org.apache.http.impl.client.CloseableHttpClient;
-import org.apache.http.impl.client.HttpClients;
-import org.apache.http.ssl.SSLContextBuilder;
-import org.bouncycastle.asn1.ASN1ObjectIdentifier;
-import org.bouncycastle.asn1.x500.X500Name;
-import org.bouncycastle.asn1.x509.BasicConstraints;
-import org.bouncycastle.cert.CertIOException;
-import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
-import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
-import org.bouncycastle.jce.provider.BouncyCastleProvider;
-import org.bouncycastle.operator.ContentSigner;
-import org.bouncycastle.operator.OperatorCreationException;
-import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
-import org.eclipse.jetty.util.ssl.SslContextFactory;
-import org.junit.Test;
-
-import javax.net.ssl.SSLContext;
-import java.math.BigInteger;
-import java.security.KeyManagementException;
-import java.security.KeyPair;
-import java.security.KeyPairGenerator;
-import java.security.KeyStoreException;
-import java.security.NoSuchAlgorithmException;
-import java.security.PrivateKey;
-import java.security.PublicKey;
-import java.security.cert.CertificateException;
-import java.security.cert.X509Certificate;
-import java.time.temporal.TemporalAmount;
-import java.util.Calendar;
-import java.util.Date;
-import java.util.concurrent.ScheduledExecutorService;
-import java.util.logging.Logger;
-
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertTrue;
-import static org.mockito.Matchers.any;
-import static org.mockito.Matchers.anyLong;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.when;
-
-/**
- * @author bjorncs
- */
-public class AthenzInstanceProviderServiceTest {
-
- private static final Logger log = Logger.getLogger(AthenzInstanceProviderServiceTest.class.getName());
- private static final int PORT = 12345;
- private static final Zone ZONE = new Zone(SystemName.cd, Environment.dev, RegionName.from("us-north-1"));
-
- @Test
- public void provider_service_hosts_endpoint_secured_with_tls() throws Exception {
- String domain = "domain";
- String service = "service";
-
- AutoGeneratedKeyProvider keyProvider = new AutoGeneratedKeyProvider();
- AthenzProviderServiceConfig config = getAthenzProviderConfig(domain, service, "vespa.dns.suffix", ZONE);
- SslContextFactory sslContextFactory = AthenzInstanceProviderService.createSslContextFactory();
- AthenzCertificateUpdater certificateUpdater = new AthenzCertificateUpdater(
- new SelfSignedCertificateClient(keyProvider.getKeyPair(), getZoneConfig(config, ZONE)),
- sslContextFactory,
- keyProvider,
- config,
- getZoneConfig(config, ZONE));
-
- ScheduledExecutorService executor = mock(ScheduledExecutorService.class);
- when(executor.awaitTermination(anyLong(), any())).thenReturn(true);
-
- CertificateSigner certificateSigner = mock(CertificateSigner.class);
-
- InstanceValidator instanceValidator = mock(InstanceValidator.class);
- when(instanceValidator.isValidInstance(any())).thenReturn(true);
-
- IdentityDocumentGenerator identityDocumentGenerator = mock(IdentityDocumentGenerator.class);
-
- AthenzInstanceProviderService athenzInstanceProviderService = new AthenzInstanceProviderService(
- config, executor, ZONE, sslContextFactory, certificateSigner, instanceValidator,
- identityDocumentGenerator, certificateUpdater);
-
- try (CloseableHttpClient client = createHttpClient(domain, service)) {
- assertFalse(getStatus(client));
- certificateUpdater.run();
- assertTrue(getStatus(client));
- certificateUpdater.run();
- assertTrue(getStatus(client));
- } finally {
- athenzInstanceProviderService.deconstruct();
- }
- }
-
- public static AthenzProviderServiceConfig getAthenzProviderConfig(String domain, String service, String dnsSuffix, Zone zone) {
- AthenzProviderServiceConfig.Zones.Builder zoneConfig =
- new AthenzProviderServiceConfig.Zones.Builder()
- .serviceName(service)
- .secretVersion(0)
- .domain(domain)
- .secretName("s3cr3t");
-
- return new AthenzProviderServiceConfig(
- new AthenzProviderServiceConfig.Builder()
- .zones(ImmutableMap.of(zone.environment().value() + "." + zone.region().value(), zoneConfig))
- .port(PORT)
- .certDnsSuffix(dnsSuffix)
- .ztsUrl("localhost/zts")
- .athenzPrincipalHeaderName("Athenz-Principal-Auth")
- .apiPath(""));
-
- }
-
- public static AthenzProviderServiceConfig.Zones getZoneConfig(AthenzProviderServiceConfig config, Zone zone) {
- return config.zones(zone.environment().value() + "." + zone.region().value());
- }
-
- private static boolean getStatus(HttpClient client) {
- try {
- HttpResponse response = client.execute(new HttpGet("https://localhost:" + PORT + "/status.html"));
- return response.getStatusLine().getStatusCode() == HttpStatus.SC_OK;
- } catch (Exception e) {
- log.log(LogLevel.INFO, "Status.html failed: " + e);
- return false;
- }
- }
-
- private static CloseableHttpClient createHttpClient(String domain, String service)
- throws NoSuchAlgorithmException, KeyManagementException, KeyStoreException {
- SSLContext sslContext = new SSLContextBuilder()
- .loadTrustMaterial(null, (certificateChain, ignoredAuthType) ->
- certificateChain[0].getSubjectX500Principal().getName().equals("CN=" + domain + "." + service))
- .build();
-
- return HttpClients.custom()
- .setSslcontext(sslContext)
- .setSSLHostnameVerifier(new NoopHostnameVerifier())
- .build();
- }
-
-
- public static class AutoGeneratedKeyProvider implements KeyProvider {
-
- private final KeyPair keyPair;
-
- public AutoGeneratedKeyProvider() {
- try {
- KeyPairGenerator rsa = KeyPairGenerator.getInstance("RSA");
- rsa.initialize(2048);
- keyPair = rsa.genKeyPair();
- } catch (NoSuchAlgorithmException e) {
- throw new RuntimeException(e);
- }
- }
-
- @Override
- public PrivateKey getPrivateKey(int version) {
- return keyPair.getPrivate();
- }
-
- @Override
- public PublicKey getPublicKey(int version) {
- return keyPair.getPublic();
- }
-
- public KeyPair getKeyPair() {
- return keyPair;
- }
- }
-
- private static class SelfSignedCertificateClient implements CertificateClient {
-
- private final KeyPair keyPair;
- private final AthenzProviderServiceConfig.Zones zoneConfig;
-
- private SelfSignedCertificateClient(KeyPair keyPair,
- AthenzProviderServiceConfig.Zones zoneConfig) {
- this.keyPair = keyPair;
- this.zoneConfig = zoneConfig;
- }
-
- @Override
- public X509Certificate updateCertificate(PrivateKey privateKey, TemporalAmount expiryTime) {
- try {
- ContentSigner contentSigner = new JcaContentSignerBuilder("SHA512WithRSA").build(keyPair.getPrivate());
- X500Name dnName = new X500Name("CN=" + zoneConfig.domain() + "." + zoneConfig.serviceName());
- Calendar calendar = Calendar.getInstance();
- calendar.add(Calendar.HOUR, 1);
- Date endDate = calendar.getTime();
- JcaX509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(
- dnName, BigInteger.ONE, new Date(), endDate, dnName, keyPair.getPublic());
- certBuilder.addExtension(new ASN1ObjectIdentifier("2.5.29.19"), true, new BasicConstraints(true));
-
- return new JcaX509CertificateConverter()
- .setProvider(new BouncyCastleProvider())
- .getCertificate(certBuilder.build(contentSigner));
- } catch (CertificateException | CertIOException | OperatorCreationException e) {
- throw new RuntimeException(e);
- }
- }
- }
-}
diff --git a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AutoGeneratedKeyProvider.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AutoGeneratedKeyProvider.java
new file mode 100644
index 00000000000..3096eca0313
--- /dev/null
+++ b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AutoGeneratedKeyProvider.java
@@ -0,0 +1,42 @@
+// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.hosted.athenz.instanceproviderservice;
+
+import com.yahoo.vespa.hosted.athenz.instanceproviderservice.impl.KeyProvider;
+
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.NoSuchAlgorithmException;
+import java.security.PrivateKey;
+import java.security.PublicKey;
+
+/**
+ * @author bjorncs
+ */
+public class AutoGeneratedKeyProvider implements KeyProvider {
+
+ private final KeyPair keyPair;
+
+ public AutoGeneratedKeyProvider() {
+ try {
+ KeyPairGenerator rsa = KeyPairGenerator.getInstance("RSA");
+ rsa.initialize(2048);
+ keyPair = rsa.genKeyPair();
+ } catch (NoSuchAlgorithmException e) {
+ throw new RuntimeException(e);
+ }
+ }
+
+ @Override
+ public PrivateKey getPrivateKey(int version) {
+ return keyPair.getPrivate();
+ }
+
+ @Override
+ public PublicKey getPublicKey(int version) {
+ return keyPair.getPublic();
+ }
+
+ public KeyPair getKeyPair() {
+ return keyPair;
+ }
+}
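Review bot: The `version` argument to `getPrivateKey` (line 570) and `getPublicKey` (line 575) is ignored and the same generated key pair is returned for every version, but the class Javadoc at lines 552-554 carries only `@author`, so a test that passes a non-zero `secretVersion` expecting a distinct key gets no hint of this. Suggest extending the class Javadoc with `Test-only {@link KeyProvider} backed by a single RSA-2048 key pair generated at construction; the {@code version} argument is ignored and every call returns the same key.` A one-line comment on `getKeyPair()` (line 579) noting that it exposes the private half for self-signed-certificate fixtures would also make clear this class must stay under src/test. Minor: wrapping `NoSuchAlgorithmException` in a bare `RuntimeException` (line 565) could be `IllegalStateException("RSA key pair generation not available", e)`, since RSA is a mandatory JCA algorithm and its absence is an environment fault rather than a generic failure.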
diff --git a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/TestUtils.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/TestUtils.java
new file mode 100644
index 00000000000..c851ca2d6c3
--- /dev/null
+++ b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/TestUtils.java
@@ -0,0 +1,35 @@
+// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.hosted.athenz.instanceproviderservice;
+
+import com.google.common.collect.ImmutableMap;
+import com.yahoo.config.provision.Zone;
+import com.yahoo.vespa.hosted.athenz.instanceproviderservice.config.AthenzProviderServiceConfig;
+
+/**
+ * @author bjorncs
+ */
+public class TestUtils {
+
+ private static final int PORT = 12345;
+
+ public static AthenzProviderServiceConfig getAthenzProviderConfig(String domain,
+ String service,
+ String dnsSuffix,
+ Zone zone) {
+ AthenzProviderServiceConfig.Zones.Builder zoneConfig =
+ new AthenzProviderServiceConfig.Zones.Builder()
+ .serviceName(service)
+ .secretVersion(0)
+ .domain(domain)
+ .secretName("s3cr3t");
+ return new AthenzProviderServiceConfig(
+ new AthenzProviderServiceConfig.Builder()
+ .zones(ImmutableMap.of(zone.environment().value() + "." + zone.region().value(), zoneConfig))
+ .port(PORT)
+ .certDnsSuffix(dnsSuffix)
+ .ztsUrl("localhost/zts")
+ .athenzPrincipalHeaderName("Athenz-Principal-Auth")
+ .apiPath(""));
+ }
+
+}
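Review bot: `TestUtils` exposes only static members but has no private constructor, so it can be instantiated and subclassed by accident; add `private TestUtils() {}` after the `PORT` field on line 601. With the Jetty-based `AthenzInstanceProviderServiceTest` removed in this commit, `PORT = 12345` appears to be consumed only as a value written into the generated config (line 616) and is no longer bound by any test, so a comment such as `// Port value written into the config; nothing in the test suite listens on it` would stop a reader from looking for a listener. The class Javadoc at lines 596-598 names only the author; a summary line like `Static factory helpers for building {@link AthenzProviderServiceConfig} instances in tests.` would fit the project's existing Javadoc style.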
diff --git a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/IdentityDocumentGeneratorTest.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/IdentityDocumentGeneratorTest.java
index ae725e6ac06..f18af3f3db8 100644
--- a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/IdentityDocumentGeneratorTest.java
+++ b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/IdentityDocumentGeneratorTest.java
@@ -13,7 +13,7 @@ import com.yahoo.config.provision.RegionName;
import com.yahoo.config.provision.SystemName;
import com.yahoo.config.provision.TenantName;
import com.yahoo.config.provision.Zone;
-import com.yahoo.vespa.hosted.athenz.instanceproviderservice.AthenzInstanceProviderServiceTest.AutoGeneratedKeyProvider;
+import com.yahoo.vespa.hosted.athenz.instanceproviderservice.AutoGeneratedKeyProvider;
import com.yahoo.vespa.hosted.athenz.instanceproviderservice.config.AthenzProviderServiceConfig;
import com.yahoo.vespa.hosted.athenz.instanceproviderservice.impl.model.ProviderUniqueId;
import com.yahoo.vespa.hosted.athenz.instanceproviderservice.impl.model.SignedIdentityDocument;
@@ -27,8 +27,8 @@ import org.junit.Test;
import java.util.HashSet;
import java.util.Optional;
-import static com.yahoo.vespa.hosted.athenz.instanceproviderservice.AthenzInstanceProviderServiceTest.getAthenzProviderConfig;
-import static com.yahoo.vespa.hosted.athenz.instanceproviderservice.AthenzInstanceProviderServiceTest.getZoneConfig;
+import static com.yahoo.vespa.hosted.athenz.instanceproviderservice.TestUtils.getAthenzProviderConfig;
+import static com.yahoo.vespa.hosted.athenz.instanceproviderservice.impl.Utils.getZoneConfig;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
import static org.mockito.Matchers.eq;
diff --git a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/InstanceValidatorTest.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/InstanceValidatorTest.java
index c1fab319ebf..91c2bc22293 100644
--- a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/InstanceValidatorTest.java
+++ b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/InstanceValidatorTest.java
@@ -8,7 +8,7 @@ import com.yahoo.config.model.api.ServiceInfo;
import com.yahoo.config.model.api.SuperModel;
import com.yahoo.config.model.api.SuperModelProvider;
import com.yahoo.config.provision.ApplicationId;
-import com.yahoo.vespa.hosted.athenz.instanceproviderservice.AthenzInstanceProviderServiceTest.AutoGeneratedKeyProvider;
+import com.yahoo.vespa.hosted.athenz.instanceproviderservice.AutoGeneratedKeyProvider;
import com.yahoo.vespa.hosted.athenz.instanceproviderservice.impl.model.IdentityDocument;
import com.yahoo.vespa.hosted.athenz.instanceproviderservice.impl.model.InstanceConfirmation;
import com.yahoo.vespa.hosted.athenz.instanceproviderservice.impl.model.ProviderUniqueId;
@@ -168,4 +168,4 @@ public class InstanceValidatorTest {
return new ApplicationInfo(appId, 0, model);
}
-}
\ No newline at end of file
+}