Rewrite server TLS init to use bootstrap identity and allow AWS

author: Bjørn Christian Seime <bjorncs@oath.com> 2018-02-28 13:52:34 +0100
committer: Bjørn Christian Seime <bjorncs@oath.com> 2018-02-28 13:52:34 +0100
commit: 8fcbfa718a322c9fb785e593507358bf04619836 (patch)
tree: 162fb6153b506bfcd09a1bb8a6151c181d516f70 /athenz-identity-provider-service
parent: 29b39068a3ffd22f906e72fdf2eedb9fe4d9d096 (diff)
5 files changed, 32 insertions, 52 deletions
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzSslKeyStoreConfigurator.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzSslKeyStoreConfigurator.java
index beff50b52c6..d2ed3336c9a 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzSslKeyStoreConfigurator.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzSslKeyStoreConfigurator.java
@@ -4,6 +4,7 @@ package com.yahoo.vespa.hosted.athenz.instanceproviderservice;
 import com.google.inject.Inject;
 import com.yahoo.component.AbstractComponent;
 import com.yahoo.config.provision.Zone;
+import com.yahoo.container.jdisc.athenz.AthenzIdentityProvider;
 import com.yahoo.jdisc.http.ssl.SslKeyStoreConfigurator;
 import com.yahoo.jdisc.http.ssl.SslKeyStoreContext;
 import com.yahoo.log.LogLevel;
@@ -35,9 +36,6 @@ import static com.yahoo.vespa.hosted.athenz.instanceproviderservice.impl.Utils.g
 @SuppressWarnings("unused") // Component injected into Jetty connector factory
 public class AthenzSslKeyStoreConfigurator extends AbstractComponent implements SslKeyStoreConfigurator {
     private static final Logger log = Logger.getLogger(AthenzSslKeyStoreConfigurator.class.getName());
-    // TODO Make expiry and update frequency configurable parameters
-    private static final Duration CERTIFICATE_EXPIRY_TIME = Duration.ofDays(30);
-    private static final Duration CERTIFICATE_UPDATE_PERIOD = Duration.ofDays(7);
     private static final String CERTIFICATE_ALIAS = "athenz";
     private static final String CERTIFICATE_PASSWORD = "athenz";
 
@@ -46,17 +44,20 @@ public class AthenzSslKeyStoreConfigurator extends AbstractComponent implements
     private final KeyProvider keyProvider;
     private final AthenzProviderServiceConfig.Zones zoneConfig;
     private final AtomicBoolean alreadyConfigured = new AtomicBoolean();
+    private final Duration updatePeriod;
     private volatile KeyStore currentKeyStore;
 
     @Inject
-    public AthenzSslKeyStoreConfigurator(KeyProvider keyProvider,
+    public AthenzSslKeyStoreConfigurator(AthenzIdentityProvider bootstrapIdentity,
+                                         KeyProvider keyProvider,
                                          AthenzProviderServiceConfig config,
                                          Zone zone) {
         AthenzProviderServiceConfig.Zones zoneConfig = getZoneConfig(config, zone);
-        this.certificateClient = new AthenzCertificateClient(config, zoneConfig);
+        this.certificateClient = new AthenzCertificateClient(bootstrapIdentity, config, zoneConfig);
         this.keyProvider = keyProvider;
         this.zoneConfig = zoneConfig;
         this.currentKeyStore = downloadCertificate(keyProvider, certificateClient, zoneConfig);
+        this.updatePeriod = Duration.ofDays(config.updatePeriodDays());
     }
 
     @Override
@@ -66,9 +67,9 @@ public class AthenzSslKeyStoreConfigurator extends AbstractComponent implements
         }
         sslKeyStoreContext.updateKeyStore(currentKeyStore, CERTIFICATE_PASSWORD);
         scheduler.scheduleAtFixedRate(new AthenzCertificateUpdater(sslKeyStoreContext),
-                                      CERTIFICATE_UPDATE_PERIOD.toMinutes()/*initial delay*/,
-                                      CERTIFICATE_UPDATE_PERIOD.toMinutes(),
-                                      TimeUnit.MINUTES);
+                                      updatePeriod.toDays()/*initial delay*/,
+                                      updatePeriod.toDays(),
+                                      TimeUnit.DAYS);
     }
 
     @Override
@@ -92,9 +93,10 @@ public class AthenzSslKeyStoreConfigurator extends AbstractComponent implements
                                                 AthenzProviderServiceConfig.Zones zoneConfig) {
         try {
             PrivateKey privateKey = keyProvider.getPrivateKey(zoneConfig.secretVersion());
-            X509Certificate certificate = certificateClient.updateCertificate(privateKey, CERTIFICATE_EXPIRY_TIME);
-            verifyActualExpiry(certificate);
-
+            X509Certificate certificate = certificateClient.updateCertificate(privateKey);
+            Instant expirationTime = certificate.getNotAfter().toInstant();
+            Duration expiry = Duration.between(certificate.getNotBefore().toInstant(), expirationTime);
+            log.log(LogLevel.INFO, String.format("Got Athenz x509 certificate with expiry %s (expires %s)", expiry, expirationTime));
             KeyStore keyStore = KeyStore.getInstance("JKS");
             keyStore.load(null);
             keyStore.setKeyEntry(
@@ -105,15 +107,6 @@ public class AthenzSslKeyStoreConfigurator extends AbstractComponent implements
         }
     }
 
-    private static void verifyActualExpiry(X509Certificate certificate) {
-        Duration actualExpiry =
-                Duration.between(certificate.getNotBefore().toInstant(),  certificate.getNotAfter().toInstant());
-        if (CERTIFICATE_EXPIRY_TIME.compareTo(actualExpiry) > 0) {
-            log.log(LogLevel.WARNING,
-                    String.format("Expected expiry %s, got %s", CERTIFICATE_EXPIRY_TIME, actualExpiry));
-        }
-    }
-
     private class AthenzCertificateUpdater implements Runnable {
 
         private final SslKeyStoreContext sslKeyStoreContext;
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java
index 4dd6881c07e..eb1c6b09f0f 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java
@@ -38,7 +38,7 @@ public class IdentityDocumentGenerator {
         this.nodeRepository = nodeRepository;
         this.zone = zone;
         this.keyProvider = keyProvider;
-        this.dnsSuffix = config.certDnsSuffix();
+        this.dnsSuffix = zoneConfig.certDnsSuffix();
         this.providerService = zoneConfig.serviceName();
         this.ztsUrl = config.ztsUrl();
         this.providerDomain = zoneConfig.domain();
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/AthenzCertificateClient.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/AthenzCertificateClient.java
index c6aee673f9c..381a8d236d1 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/AthenzCertificateClient.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/AthenzCertificateClient.java
@@ -6,8 +6,10 @@ import com.yahoo.athenz.auth.impl.SimpleServiceIdentityProvider;
 import com.yahoo.athenz.auth.util.Crypto;
 import com.yahoo.athenz.zts.InstanceRefreshRequest;
 import com.yahoo.athenz.zts.ZTSClient;
+import com.yahoo.container.jdisc.athenz.AthenzIdentityProvider;
 import com.yahoo.vespa.hosted.athenz.instanceproviderservice.config.AthenzProviderServiceConfig;
 
+import javax.net.ssl.SSLContext;
 import java.security.PrivateKey;
 import java.security.cert.X509Certificate;
 import java.time.temporal.ChronoUnit;
@@ -20,41 +22,27 @@ import java.util.concurrent.TimeUnit;
 public class AthenzCertificateClient {
 
     private final AthenzProviderServiceConfig config;
-    private final AthenzPrincipalAuthority authority;
     private final AthenzProviderServiceConfig.Zones zoneConfig;
+    private final AthenzIdentityProvider bootstrapIdentity;
 
-    public AthenzCertificateClient(AthenzProviderServiceConfig config, AthenzProviderServiceConfig.Zones zoneConfig) {
+    public AthenzCertificateClient(AthenzIdentityProvider bootstrapIdentity,
+                                   AthenzProviderServiceConfig config,
+                                   AthenzProviderServiceConfig.Zones zoneConfig) {
+        this.bootstrapIdentity = bootstrapIdentity;
         this.config = config;
-        this.authority = new AthenzPrincipalAuthority(config.athenzPrincipalHeaderName());
         this.zoneConfig = zoneConfig;
     }
 
-    public X509Certificate updateCertificate(PrivateKey privateKey, TemporalAmount expiryTime) {
-        SimpleServiceIdentityProvider identityProvider = new SimpleServiceIdentityProvider(
-                authority, zoneConfig.domain(), zoneConfig.serviceName(),
-                privateKey, Integer.toString(zoneConfig.secretVersion()), TimeUnit.MINUTES.toSeconds(10));
-        ZTSClient ztsClient = new ZTSClient(
-                config.ztsUrl(), zoneConfig.domain(), zoneConfig.serviceName(), identityProvider);
+    public X509Certificate updateCertificate(PrivateKey privateKey) {
+        SSLContext bootstrapSslContext = bootstrapIdentity.getIdentitySslContext();
+        ZTSClient ztsClient = new ZTSClient(config.ztsUrl(), bootstrapSslContext);
         InstanceRefreshRequest req =
                 ZTSClient.generateInstanceRefreshRequest(
-                        zoneConfig.domain(), zoneConfig.serviceName(), privateKey,
-                        config.certDnsSuffix(), (int)expiryTime.get(ChronoUnit.SECONDS));
+                        zoneConfig.domain(), zoneConfig.serviceName(), privateKey, zoneConfig.certDnsSuffix(), /*expiryTime*/0);
+        req.setKeyId(Integer.toString(zoneConfig.secretVersion()));
         String pemEncoded = ztsClient.postInstanceRefreshRequest(zoneConfig.domain(), zoneConfig.serviceName(), req)
                 .getCertificate();
         return Crypto.loadX509Certificate(pemEncoded);
     }
 
-    private static class AthenzPrincipalAuthority extends PrincipalAuthority {
-        private final String headerName;
-
-        public AthenzPrincipalAuthority(String headerName) {
-            this.headerName = headerName;
-        }
-
-        @Override
-        public String getHeader() {
-            return headerName;
-        }
-    }
-
 }
diff --git a/athenz-identity-provider-service/src/main/resources/configdefinitions/athenz-provider-service.def b/athenz-identity-provider-service/src/main/resources/configdefinitions/athenz-provider-service.def
index 21f2aea6ab0..2cdbdf2c628 100644
--- a/athenz-identity-provider-service/src/main/resources/configdefinitions/athenz-provider-service.def
+++ b/athenz-identity-provider-service/src/main/resources/configdefinitions/athenz-provider-service.def
@@ -13,14 +13,14 @@ zones{}.secretName                        string
 # Secret version
 zones{}.secretVersion                     int
 
-# Athenz principal authority header name
-athenzPrincipalHeaderName                 string        default="Athenz-Principal-Auth"
+# Certificate DNS suffix
+zones{}.certDnsSuffix                     string
 
 # Athenz ZTS server url
 ztsUrl                                    string
 
-# Certificate DNS suffix
-certDnsSuffix                             string
-
 # Path to Athenz CA JKS trust store
 athenzCaTrustStore                        string
+
+# Period between certificate updates
+updatePeriodDays                          int  default=5
diff --git a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/TestUtils.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/TestUtils.java
index da2bf929e82..5ae4b9f9bc5 100644
--- a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/TestUtils.java
+++ b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/TestUtils.java
@@ -19,13 +19,12 @@ public class TestUtils {
                         .serviceName(service)
                         .secretVersion(0)
                         .domain(domain)
+                        .certDnsSuffix(dnsSuffix)
                         .secretName("s3cr3t");
         return new AthenzProviderServiceConfig(
                 new AthenzProviderServiceConfig.Builder()
                         .zones(ImmutableMap.of(zone.environment().value() + "." + zone.region().value(), zoneConfig))
-                        .certDnsSuffix(dnsSuffix)
                         .ztsUrl("localhost/zts")
-                        .athenzPrincipalHeaderName("Athenz-Principal-Auth")
                         .athenzCaTrustStore("/dummy/path/to/athenz-ca.jks"));
     }
author	Bjørn Christian Seime <bjorncs@oath.com>	2018-02-28 13:52:34 +0100
committer	Bjørn Christian Seime <bjorncs@oath.com>	2018-02-28 13:52:34 +0100
commit	8fcbfa718a322c9fb785e593507358bf04619836 (patch)
tree	162fb6153b506bfcd09a1bb8a6151c181d516f70 /athenz-identity-provider-service
parent	29b39068a3ffd22f906e72fdf2eedb9fe4d9d096 (diff)