Merge pull request #6037 from vespa-engine/bjorncs/new-unique-instance-id

Bjorncs/new unique instance
author: Morten Tokle <morten.tokle@gmail.com> 2018-06-01 09:53:02 +0200
committer: GitHub <noreply@github.com> 2018-06-01 09:53:02 +0200
commit: 5c57852b26126d72b080fb6e0893dc3d633c28c1 (patch)
tree: 8e1d453dd4a6c97d77729a2b64312e6dbe417401 /athenz-identity-provider-service
parent: e06c3fea20d9b189a9a78fea09520702a4a517e4 (diff)
parent: 78da30192dad43d338b9e3f04263dd7c83094b90 (diff)
6 files changed, 40 insertions, 31 deletions
diff --git a/athenz-identity-provider-service/pom.xml b/athenz-identity-provider-service/pom.xml
index 86d4defa861..982cb89f2bf 100644
--- a/athenz-identity-provider-service/pom.xml
+++ b/athenz-identity-provider-service/pom.xml
@@ -131,6 +131,14 @@
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-compiler-plugin</artifactId>
+                <configuration>
+                    <compilerArgs>
+                        <arg>-Xlint:all</arg>
+                        <arg>-Xlint:-deprecation</arg>
+                        <arg>-Xlint:-serial</arg>
+                        <arg>-Werror</arg>
+                    </compilerArgs>
+                </configuration>
             </plugin>
         </plugins>
     </build>
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java
index 728406c297f..59126fd023f 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java
@@ -7,6 +7,7 @@ import com.yahoo.net.HostName;
 import com.yahoo.vespa.athenz.api.AthenzService;
 import com.yahoo.vespa.athenz.identityprovider.api.EntityBindingsMapper;
 import com.yahoo.vespa.athenz.identityprovider.api.IdentityDocument;
+import com.yahoo.vespa.athenz.identityprovider.api.IdentityType;
 import com.yahoo.vespa.athenz.identityprovider.api.SignedIdentityDocument;
 import com.yahoo.vespa.athenz.identityprovider.api.VespaUniqueInstanceId;
 import com.yahoo.vespa.hosted.athenz.instanceproviderservice.KeyProvider;
@@ -27,7 +28,10 @@ import java.util.Objects;
 import java.util.Set;
 
 /**
+ * Generates a signed identity document for a given hostname and type
+ *
  * @author mortent
+ * @author bjorncs
  */
 public class IdentityDocumentGenerator {
 
@@ -47,10 +51,10 @@ public class IdentityDocumentGenerator {
         this.keyProvider = keyProvider;
     }
 
-    public SignedIdentityDocument generateSignedIdentityDocument(String hostname) {
+    public SignedIdentityDocument generateSignedIdentityDocument(String hostname, IdentityType identityType) {
         Node node = nodeRepository.getNode(hostname).orElseThrow(() -> new RuntimeException("Unable to find node " + hostname));
         try {
-            IdentityDocument identityDocument = generateIdDocument(node);
+            IdentityDocument identityDocument = generateIdDocument(node, identityType);
             String identityDocumentString = Utils.getMapper().writeValueAsString(EntityBindingsMapper.toIdentityDocumentEntity(identityDocument));
 
             String encodedIdentityDocument =
@@ -70,13 +74,18 @@ public class IdentityDocumentGenerator {
                     toZoneDnsSuffix(zone, zoneConfig.certDnsSuffix()),
                     new AthenzService(zoneConfig.domain(), zoneConfig.serviceName()),
                     URI.create(zoneConfig.ztsUrl()),
-                    SignedIdentityDocument.DEFAULT_DOCUMENT_VERSION);
+                    SignedIdentityDocument.DEFAULT_DOCUMENT_VERSION,
+                    identityDocument.configServerHostname(),
+                    identityDocument.instanceHostname(),
+                    identityDocument.createdAt(),
+                    identityDocument.ipAddresses(),
+                    identityType);
         } catch (Exception e) {
             throw new RuntimeException("Exception generating identity document: " + e.getMessage(), e);
         }
     }
 
-    private IdentityDocument generateIdDocument(Node node) {
+    private IdentityDocument generateIdDocument(Node node, IdentityType identityType) {
         Allocation allocation = node.allocation().orElseThrow(() -> new RuntimeException("No allocation for node " + node.hostname()));
         VespaUniqueInstanceId providerUniqueId = new VespaUniqueInstanceId(
                 allocation.membership().index(),
@@ -85,17 +94,10 @@ public class IdentityDocumentGenerator {
                 allocation.owner().application().value(),
                 allocation.owner().tenant().value(),
                 zone.region().value(),
-                zone.environment().value());
+                zone.environment().value(),
+                identityType);
 
-        // TODO: Hack to allow access from docker containers to non-ipv6 services.
-        // Remove when yca-bridge is no longer needed
         Set<String> ips = new HashSet<>(node.ipAddresses());
-        if(node.parentHostname().isPresent()) {
-            String parentHostName = node.parentHostname().get();
-            nodeRepository.getNode(parentHostName)
-                    .map(Node::ipAddresses)
-                    .ifPresent(ips::addAll);
-        }
         return new IdentityDocument(
                 providerUniqueId,
                 HostName.getLocalhost(),
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentResource.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentResource.java
index 93668006e26..219e12c7223 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentResource.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentResource.java
@@ -6,6 +6,7 @@ import com.yahoo.container.jaxrs.annotation.Component;
 import com.yahoo.jdisc.http.servlet.ServletRequest;
 import com.yahoo.log.LogLevel;
 import com.yahoo.vespa.athenz.identityprovider.api.EntityBindingsMapper;
+import com.yahoo.vespa.athenz.identityprovider.api.IdentityType;
 import com.yahoo.vespa.athenz.identityprovider.api.bindings.IdentityDocumentApi;
 import com.yahoo.vespa.athenz.identityprovider.api.bindings.SignedIdentityDocumentEntity;
 import com.yahoo.vespa.hosted.provision.restapi.v2.filter.NodePrincipal;
@@ -18,7 +19,6 @@ import javax.ws.rs.InternalServerErrorException;
 import javax.ws.rs.Path;
 import javax.ws.rs.PathParam;
 import javax.ws.rs.Produces;
-import javax.ws.rs.QueryParam;
 import javax.ws.rs.core.Context;
 import javax.ws.rs.core.MediaType;
 import java.util.logging.Logger;
@@ -41,15 +41,7 @@ public class IdentityDocumentResource implements IdentityDocumentApi {
         this.request = request;
     }
 
-    /**
-     * @deprecated Use {@link #getNodeIdentityDocument(String)} and {@link #getTenantIdentityDocument(String)} instead.
-     */
-    @GET
-    @Produces(MediaType.APPLICATION_JSON)
-    @Deprecated
-    @Override
-    // TODO Make this method private when the rest api is not longer in use
-    public SignedIdentityDocumentEntity getIdentityDocument(@QueryParam("hostname") String hostname) {
+    private SignedIdentityDocumentEntity getIdentityDocument(String hostname, IdentityType identityType) {
         if (hostname == null) {
             throw new BadRequestException("The 'hostname' query parameter is missing");
         }
@@ -67,7 +59,7 @@ public class IdentityDocumentResource implements IdentityDocumentApi {
             throw new ForbiddenException();
         }
         try {
-            return EntityBindingsMapper.toSignedIdentityDocumentEntity(identityDocumentGenerator.generateSignedIdentityDocument(hostname));
+            return EntityBindingsMapper.toSignedIdentityDocumentEntity(identityDocumentGenerator.generateSignedIdentityDocument(hostname, identityType));
         } catch (Exception e) {
             String message = String.format("Unable to generate identity doument for '%s': %s", hostname, e.getMessage());
             log.log(LogLevel.ERROR, message, e);
@@ -80,7 +72,7 @@ public class IdentityDocumentResource implements IdentityDocumentApi {
     @Path("/node/{host}")
     @Override
     public SignedIdentityDocumentEntity getNodeIdentityDocument(@PathParam("host") String host) {
-        return getIdentityDocument(host);
+        return getIdentityDocument(host, IdentityType.NODE);
     }
 
     @GET
@@ -88,7 +80,7 @@ public class IdentityDocumentResource implements IdentityDocumentApi {
     @Path("/tenant/{host}")
     @Override
     public SignedIdentityDocumentEntity getTenantIdentityDocument(@PathParam("host") String host) {
-        return getIdentityDocument(host);
+        return getIdentityDocument(host, IdentityType.TENANT);
     }
 
 }
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidator.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidator.java
index e457df37946..0201c46b253 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidator.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidator.java
@@ -82,6 +82,7 @@ public class InstanceValidator {
     }
 
     // If/when we dont care about logging exactly whats wrong, this can be simplified
+    // TODO Use identity type to determine if this check should be performed
     boolean isSameIdentityAsInServicesXml(ApplicationId applicationId, String domain, String service) {
 
         Optional<ApplicationInfo> applicationInfo = superModelProvider.getSuperModel().getApplicationInfo(applicationId);
diff --git a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGeneratorTest.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGeneratorTest.java
index d7b061ca2f1..078ef1b7e39 100644
--- a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGeneratorTest.java
+++ b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGeneratorTest.java
@@ -15,6 +15,7 @@ import com.yahoo.config.provision.SystemName;
 import com.yahoo.config.provision.TenantName;
 import com.yahoo.config.provision.Zone;
 import com.yahoo.vespa.athenz.identityprovider.api.EntityBindingsMapper;
+import com.yahoo.vespa.athenz.identityprovider.api.IdentityType;
 import com.yahoo.vespa.athenz.identityprovider.api.SignedIdentityDocument;
 import com.yahoo.vespa.athenz.identityprovider.api.VespaUniqueInstanceId;
 import com.yahoo.vespa.athenz.identityprovider.api.bindings.SignedIdentityDocumentEntity;
@@ -81,7 +82,7 @@ public class IdentityDocumentGeneratorTest {
         AthenzProviderServiceConfig config = getAthenzProviderConfig("domain", "service", dnsSuffix, ZONE);
         IdentityDocumentGenerator identityDocumentGenerator =
                 new IdentityDocumentGenerator(config, nodeRepository, ZONE, keyProvider);
-        SignedIdentityDocument signedIdentityDocument = identityDocumentGenerator.generateSignedIdentityDocument(containerHostname);
+        SignedIdentityDocument signedIdentityDocument = identityDocumentGenerator.generateSignedIdentityDocument(containerHostname, IdentityType.TENANT);
 
         // Verify attributes
         assertEquals(containerHostname, signedIdentityDocument.identityDocument().instanceHostname());
@@ -92,11 +93,11 @@ public class IdentityDocumentGeneratorTest {
         assertEquals(expectedZoneDnsSuffix, signedIdentityDocument.dnsSuffix());
 
         VespaUniqueInstanceId expectedProviderUniqueId =
-                new VespaUniqueInstanceId(0, "default", "default", "application", "tenant", region, environment);
+                new VespaUniqueInstanceId(0, "default", "default", "application", "tenant", region, environment, IdentityType.TENANT);
         assertEquals(expectedProviderUniqueId, signedIdentityDocument.providerUniqueId());
 
-        // Validate that both parent and container ips are present
-        assertThat(signedIdentityDocument.identityDocument().ipAddresses(), Matchers.containsInAnyOrder("127.0.0.1", "::1"));
+        // Validate that container ips are present
+        assertThat(signedIdentityDocument.identityDocument().ipAddresses(), Matchers.containsInAnyOrder("::1"));
 
         SignedIdentityDocumentEntity signedIdentityDocumentEntity = EntityBindingsMapper.toSignedIdentityDocumentEntity(signedIdentityDocument);
 
diff --git a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidatorTest.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidatorTest.java
index 54786c86cd3..54411b424eb 100644
--- a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidatorTest.java
+++ b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidatorTest.java
@@ -143,7 +143,12 @@ public class InstanceValidatorTest {
                                                      "dnssuffix",
                                                      "service",
                                                      URI.create("http://localhost/zts"),
-                                                     1));
+                                                     1,
+                                                     identityDocument.configServerHostname,
+                                                     identityDocument.instanceHostname,
+                                                     identityDocument.createdAt,
+                                                     identityDocument.ipAddresses,
+                                                     null)); // TODO Remove support for legacy representation without type
         } catch (Exception e) {
             throw new RuntimeException(e);
         }
author	Morten Tokle <morten.tokle@gmail.com>	2018-06-01 09:53:02 +0200
committer	GitHub <noreply@github.com>	2018-06-01 09:53:02 +0200
commit	5c57852b26126d72b080fb6e0893dc3d633c28c1 (patch)
tree	8e1d453dd4a6c97d77729a2b64312e6dbe417401 /athenz-identity-provider-service
parent	e06c3fea20d9b189a9a78fea09520702a4a517e4 (diff)
parent	78da30192dad43d338b9e3f04263dd7c83094b90 (diff)