diff options
author | Bjørn Christian Seime <bjorncs@oath.com> | 2018-02-28 13:52:34 +0100 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@oath.com> | 2018-02-28 13:52:34 +0100 |
commit | 8fcbfa718a322c9fb785e593507358bf04619836 (patch) | |
tree | 162fb6153b506bfcd09a1bb8a6151c181d516f70 /athenz-identity-provider-service | |
parent | 29b39068a3ffd22f906e72fdf2eedb9fe4d9d096 (diff) |
Rewrite server TLS init to use bootstrap identity and allow AWS
Diffstat (limited to 'athenz-identity-provider-service')
5 files changed, 32 insertions, 52 deletions
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzSslKeyStoreConfigurator.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzSslKeyStoreConfigurator.java index beff50b52c6..d2ed3336c9a 100644 --- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzSslKeyStoreConfigurator.java +++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzSslKeyStoreConfigurator.java @@ -4,6 +4,7 @@ package com.yahoo.vespa.hosted.athenz.instanceproviderservice; import com.google.inject.Inject; import com.yahoo.component.AbstractComponent; import com.yahoo.config.provision.Zone; +import com.yahoo.container.jdisc.athenz.AthenzIdentityProvider; import com.yahoo.jdisc.http.ssl.SslKeyStoreConfigurator; import com.yahoo.jdisc.http.ssl.SslKeyStoreContext; import com.yahoo.log.LogLevel; @@ -35,9 +36,6 @@ import static com.yahoo.vespa.hosted.athenz.instanceproviderservice.impl.Utils.g @SuppressWarnings("unused") // Component injected into Jetty connector factory public class AthenzSslKeyStoreConfigurator extends AbstractComponent implements SslKeyStoreConfigurator { private static final Logger log = Logger.getLogger(AthenzSslKeyStoreConfigurator.class.getName()); - // TODO Make expiry and update frequency configurable parameters - private static final Duration CERTIFICATE_EXPIRY_TIME = Duration.ofDays(30); - private static final Duration CERTIFICATE_UPDATE_PERIOD = Duration.ofDays(7); private static final String CERTIFICATE_ALIAS = "athenz"; private static final String CERTIFICATE_PASSWORD = "athenz"; @@ -46,17 +44,20 @@ public class AthenzSslKeyStoreConfigurator extends AbstractComponent implements private final KeyProvider keyProvider; private final AthenzProviderServiceConfig.Zones zoneConfig; private final AtomicBoolean alreadyConfigured = new AtomicBoolean(); + private final Duration updatePeriod; private volatile KeyStore currentKeyStore; @Inject - public AthenzSslKeyStoreConfigurator(KeyProvider keyProvider, + public AthenzSslKeyStoreConfigurator(AthenzIdentityProvider bootstrapIdentity, + KeyProvider keyProvider, AthenzProviderServiceConfig config, Zone zone) { AthenzProviderServiceConfig.Zones zoneConfig = getZoneConfig(config, zone); - this.certificateClient = new AthenzCertificateClient(config, zoneConfig); + this.certificateClient = new AthenzCertificateClient(bootstrapIdentity, config, zoneConfig); this.keyProvider = keyProvider; this.zoneConfig = zoneConfig; this.currentKeyStore = downloadCertificate(keyProvider, certificateClient, zoneConfig); + this.updatePeriod = Duration.ofDays(config.updatePeriodDays()); } @Override @@ -66,9 +67,9 @@ public class AthenzSslKeyStoreConfigurator extends AbstractComponent implements } sslKeyStoreContext.updateKeyStore(currentKeyStore, CERTIFICATE_PASSWORD); scheduler.scheduleAtFixedRate(new AthenzCertificateUpdater(sslKeyStoreContext), - CERTIFICATE_UPDATE_PERIOD.toMinutes()/*initial delay*/, - CERTIFICATE_UPDATE_PERIOD.toMinutes(), - TimeUnit.MINUTES); + updatePeriod.toDays()/*initial delay*/, + updatePeriod.toDays(), + TimeUnit.DAYS); } @Override @@ -92,9 +93,10 @@ public class AthenzSslKeyStoreConfigurator extends AbstractComponent implements AthenzProviderServiceConfig.Zones zoneConfig) { try { PrivateKey privateKey = keyProvider.getPrivateKey(zoneConfig.secretVersion()); - X509Certificate certificate = certificateClient.updateCertificate(privateKey, CERTIFICATE_EXPIRY_TIME); - verifyActualExpiry(certificate); - + X509Certificate certificate = certificateClient.updateCertificate(privateKey); + Instant expirationTime = certificate.getNotAfter().toInstant(); + Duration expiry = Duration.between(certificate.getNotBefore().toInstant(), expirationTime); + log.log(LogLevel.INFO, String.format("Got Athenz x509 certificate with expiry %s (expires %s)", expiry, expirationTime)); KeyStore keyStore = KeyStore.getInstance("JKS"); keyStore.load(null); keyStore.setKeyEntry( @@ -105,15 +107,6 @@ public class AthenzSslKeyStoreConfigurator extends AbstractComponent implements } } - private static void verifyActualExpiry(X509Certificate certificate) { - Duration actualExpiry = - Duration.between(certificate.getNotBefore().toInstant(), certificate.getNotAfter().toInstant()); - if (CERTIFICATE_EXPIRY_TIME.compareTo(actualExpiry) > 0) { - log.log(LogLevel.WARNING, - String.format("Expected expiry %s, got %s", CERTIFICATE_EXPIRY_TIME, actualExpiry)); - } - } - private class AthenzCertificateUpdater implements Runnable { private final SslKeyStoreContext sslKeyStoreContext; diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java index 4dd6881c07e..eb1c6b09f0f 100644 --- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java +++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java @@ -38,7 +38,7 @@ public class IdentityDocumentGenerator { this.nodeRepository = nodeRepository; this.zone = zone; this.keyProvider = keyProvider; - this.dnsSuffix = config.certDnsSuffix(); + this.dnsSuffix = zoneConfig.certDnsSuffix(); this.providerService = zoneConfig.serviceName(); this.ztsUrl = config.ztsUrl(); this.providerDomain = zoneConfig.domain(); diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/AthenzCertificateClient.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/AthenzCertificateClient.java index c6aee673f9c..381a8d236d1 100644 --- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/AthenzCertificateClient.java +++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/AthenzCertificateClient.java @@ -6,8 +6,10 @@ import com.yahoo.athenz.auth.impl.SimpleServiceIdentityProvider; import com.yahoo.athenz.auth.util.Crypto; import com.yahoo.athenz.zts.InstanceRefreshRequest; import com.yahoo.athenz.zts.ZTSClient; +import com.yahoo.container.jdisc.athenz.AthenzIdentityProvider; import com.yahoo.vespa.hosted.athenz.instanceproviderservice.config.AthenzProviderServiceConfig; +import javax.net.ssl.SSLContext; import java.security.PrivateKey; import java.security.cert.X509Certificate; import java.time.temporal.ChronoUnit; @@ -20,41 +22,27 @@ import java.util.concurrent.TimeUnit; public class AthenzCertificateClient { private final AthenzProviderServiceConfig config; - private final AthenzPrincipalAuthority authority; private final AthenzProviderServiceConfig.Zones zoneConfig; + private final AthenzIdentityProvider bootstrapIdentity; - public AthenzCertificateClient(AthenzProviderServiceConfig config, AthenzProviderServiceConfig.Zones zoneConfig) { + public AthenzCertificateClient(AthenzIdentityProvider bootstrapIdentity, + AthenzProviderServiceConfig config, + AthenzProviderServiceConfig.Zones zoneConfig) { + this.bootstrapIdentity = bootstrapIdentity; this.config = config; - this.authority = new AthenzPrincipalAuthority(config.athenzPrincipalHeaderName()); this.zoneConfig = zoneConfig; } - public X509Certificate updateCertificate(PrivateKey privateKey, TemporalAmount expiryTime) { - SimpleServiceIdentityProvider identityProvider = new SimpleServiceIdentityProvider( - authority, zoneConfig.domain(), zoneConfig.serviceName(), - privateKey, Integer.toString(zoneConfig.secretVersion()), TimeUnit.MINUTES.toSeconds(10)); - ZTSClient ztsClient = new ZTSClient( - config.ztsUrl(), zoneConfig.domain(), zoneConfig.serviceName(), identityProvider); + public X509Certificate updateCertificate(PrivateKey privateKey) { + SSLContext bootstrapSslContext = bootstrapIdentity.getIdentitySslContext(); + ZTSClient ztsClient = new ZTSClient(config.ztsUrl(), bootstrapSslContext); InstanceRefreshRequest req = ZTSClient.generateInstanceRefreshRequest( - zoneConfig.domain(), zoneConfig.serviceName(), privateKey, - config.certDnsSuffix(), (int)expiryTime.get(ChronoUnit.SECONDS)); + zoneConfig.domain(), zoneConfig.serviceName(), privateKey, zoneConfig.certDnsSuffix(), /*expiryTime*/0); + req.setKeyId(Integer.toString(zoneConfig.secretVersion())); String pemEncoded = ztsClient.postInstanceRefreshRequest(zoneConfig.domain(), zoneConfig.serviceName(), req) .getCertificate(); return Crypto.loadX509Certificate(pemEncoded); } - private static class AthenzPrincipalAuthority extends PrincipalAuthority { - private final String headerName; - - public AthenzPrincipalAuthority(String headerName) { - this.headerName = headerName; - } - - @Override - public String getHeader() { - return headerName; - } - } - } diff --git a/athenz-identity-provider-service/src/main/resources/configdefinitions/athenz-provider-service.def b/athenz-identity-provider-service/src/main/resources/configdefinitions/athenz-provider-service.def index 21f2aea6ab0..2cdbdf2c628 100644 --- a/athenz-identity-provider-service/src/main/resources/configdefinitions/athenz-provider-service.def +++ b/athenz-identity-provider-service/src/main/resources/configdefinitions/athenz-provider-service.def @@ -13,14 +13,14 @@ zones{}.secretName string # Secret version zones{}.secretVersion int -# Athenz principal authority header name -athenzPrincipalHeaderName string default="Athenz-Principal-Auth" +# Certificate DNS suffix +zones{}.certDnsSuffix string # Athenz ZTS server url ztsUrl string -# Certificate DNS suffix -certDnsSuffix string - # Path to Athenz CA JKS trust store athenzCaTrustStore string + +# Period between certificate updates +updatePeriodDays int default=5 diff --git a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/TestUtils.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/TestUtils.java index da2bf929e82..5ae4b9f9bc5 100644 --- a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/TestUtils.java +++ b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/TestUtils.java @@ -19,13 +19,12 @@ public class TestUtils { .serviceName(service) .secretVersion(0) .domain(domain) + .certDnsSuffix(dnsSuffix) .secretName("s3cr3t"); return new AthenzProviderServiceConfig( new AthenzProviderServiceConfig.Builder() .zones(ImmutableMap.of(zone.environment().value() + "." + zone.region().value(), zoneConfig)) - .certDnsSuffix(dnsSuffix) .ztsUrl("localhost/zts") - .athenzPrincipalHeaderName("Athenz-Principal-Auth") .athenzCaTrustStore("/dummy/path/to/athenz-ca.jks")); } |