diff options
author | Bjørn Christian Seime <bjorncs@oath.com> | 2018-07-26 14:47:39 +0200 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@oath.com> | 2018-08-15 09:59:53 +0200 |
commit | 68e4890241b7ace78f1e0eaa26577a47623ec42a (patch) | |
tree | 150b79914ad1ed64e8c0c581e4042edff086adc2 /athenz-identity-provider-service | |
parent | 9a402fd71acf3af060302600ab436ed256069fcf (diff) |
Remove wrapped document structure from SignedIdentityDocument
Diffstat (limited to 'athenz-identity-provider-service')
2 files changed, 23 insertions, 82 deletions
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java index 0abbb5a64f5..2c57db7f9b0 100644 --- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java +++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java @@ -5,7 +5,6 @@ import com.google.inject.Inject; import com.yahoo.config.provision.Zone; import com.yahoo.net.HostName; import com.yahoo.vespa.athenz.api.AthenzService; -import com.yahoo.vespa.athenz.identityprovider.api.IdentityDocument; import com.yahoo.vespa.athenz.identityprovider.api.IdentityType; import com.yahoo.vespa.athenz.identityprovider.api.SignedIdentityDocument; import com.yahoo.vespa.athenz.identityprovider.api.VespaUniqueInstanceId; @@ -49,57 +48,48 @@ public class IdentityDocumentGenerator { } public SignedIdentityDocument generateSignedIdentityDocument(String hostname, IdentityType identityType) { - Node node = nodeRepository.getNode(hostname).orElseThrow(() -> new RuntimeException("Unable to find node " + hostname)); try { - IdentityDocument identityDocument = generateIdDocument(node, identityType); + Node node = nodeRepository.getNode(hostname).orElseThrow(() -> new RuntimeException("Unable to find node " + hostname)); + Allocation allocation = node.allocation().orElseThrow(() -> new RuntimeException("No allocation for node " + node.hostname())); + VespaUniqueInstanceId providerUniqueId = new VespaUniqueInstanceId( + allocation.membership().index(), + allocation.membership().cluster().id().value(), + allocation.owner().instance().value(), + allocation.owner().application().value(), + allocation.owner().tenant().value(), + zone.region().value(), + zone.environment().value(), + identityType); + + Set<String> ips = new HashSet<>(node.ipAddresses()); PrivateKey privateKey = keyProvider.getPrivateKey(zoneConfig.secretVersion()); AthenzService providerService = new AthenzService(zoneConfig.domain(), zoneConfig.serviceName()); + String configServerHostname = HostName.getLocalhost(); + Instant createdAt = Instant.now(); String signature = signer.generateSignature( - identityDocument.providerUniqueId(), providerService, identityDocument.configServerHostname(), - identityDocument.instanceHostname(), identityDocument.createdAt(), identityDocument.ipAddresses(), identityType, privateKey); + providerUniqueId, providerService, configServerHostname, + node.hostname(), createdAt, ips, identityType, privateKey); return new SignedIdentityDocument( - identityDocument, signature, SignedIdentityDocument.DEFAULT_KEY_VERSION, - identityDocument.providerUniqueId(), + providerUniqueId, toZoneDnsSuffix(zone, zoneConfig.certDnsSuffix()), providerService, URI.create(zoneConfig.ztsUrl()), SignedIdentityDocument.DEFAULT_DOCUMENT_VERSION, - identityDocument.configServerHostname(), - identityDocument.instanceHostname(), - identityDocument.createdAt(), - identityDocument.ipAddresses(), + configServerHostname, + node.hostname(), + createdAt, + ips, identityType); } catch (Exception e) { throw new RuntimeException("Exception generating identity document: " + e.getMessage(), e); } } - private IdentityDocument generateIdDocument(Node node, IdentityType identityType) { - Allocation allocation = node.allocation().orElseThrow(() -> new RuntimeException("No allocation for node " + node.hostname())); - VespaUniqueInstanceId providerUniqueId = new VespaUniqueInstanceId( - allocation.membership().index(), - allocation.membership().cluster().id().value(), - allocation.owner().instance().value(), - allocation.owner().application().value(), - allocation.owner().tenant().value(), - zone.region().value(), - zone.environment().value(), - identityType); - - Set<String> ips = new HashSet<>(node.ipAddresses()); - return new IdentityDocument( - providerUniqueId, - HostName.getLocalhost(), - node.hostname(), - Instant.now(), - ips); - } - private static String toZoneDnsSuffix(Zone zone, String dnsSuffix) { return zone.environment().value() + "-" + zone.region().value() + "." + dnsSuffix; } diff --git a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidatorTest.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidatorTest.java index 04c4d4da51a..56777325231 100644 --- a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidatorTest.java +++ b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidatorTest.java @@ -1,8 +1,6 @@ // Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. package com.yahoo.vespa.hosted.athenz.instanceproviderservice.instanceconfirmation; -import com.fasterxml.jackson.databind.ObjectMapper; -import com.google.common.collect.ImmutableSet; import com.yahoo.config.model.api.ApplicationInfo; import com.yahoo.config.model.api.HostInfo; import com.yahoo.config.model.api.Model; @@ -10,18 +8,8 @@ import com.yahoo.config.model.api.ServiceInfo; import com.yahoo.config.model.api.SuperModel; import com.yahoo.config.model.api.SuperModelProvider; import com.yahoo.config.provision.ApplicationId; -import com.yahoo.vespa.athenz.identityprovider.api.EntityBindingsMapper; -import com.yahoo.vespa.athenz.identityprovider.api.bindings.IdentityDocumentEntity; -import com.yahoo.vespa.athenz.identityprovider.api.bindings.SignedIdentityDocumentEntity; -import com.yahoo.vespa.athenz.identityprovider.api.bindings.VespaUniqueInstanceIdEntity; -import com.yahoo.vespa.hosted.athenz.instanceproviderservice.impl.Utils; import org.junit.Test; -import java.net.URI; -import java.security.PrivateKey; -import java.security.Signature; -import java.time.Instant; -import java.util.Base64; import java.util.Collections; import java.util.HashMap; import java.util.List; @@ -40,6 +28,7 @@ import static org.mockito.Mockito.when; /** * @author valerijf + * @author bjorncs */ public class InstanceValidatorTest { @@ -93,44 +82,6 @@ public class InstanceValidatorTest { assertTrue(instanceValidator.isSameIdentityAsInServicesXml(applicationId, domain, service)); } - private static InstanceConfirmation createInstanceConfirmation(PrivateKey privateKey, ApplicationId applicationId, - String domain, String service) { - IdentityDocumentEntity identityDocument = new IdentityDocumentEntity( - new VespaUniqueInstanceIdEntity(applicationId.tenant().value(), applicationId.application().value(), - "environment", "region", applicationId.instance().value(), "cluster-id", 0), - "hostname", - "instance-hostname", - Instant.now(), - ImmutableSet.of("127.0.0.1", "::1")); - - try { - ObjectMapper mapper = Utils.getMapper(); - String encodedIdentityDocument = - Base64.getEncoder().encodeToString(mapper.writeValueAsString(identityDocument).getBytes()); - Signature sigGenerator = Signature.getInstance("SHA512withRSA"); - sigGenerator.initSign(privateKey); - sigGenerator.update(encodedIdentityDocument.getBytes()); - - return new InstanceConfirmation( - "provider", domain, service, - new SignedIdentityDocumentEntity(encodedIdentityDocument, - Base64.getEncoder().encodeToString(sigGenerator.sign()), - 0, - EntityBindingsMapper.toVespaUniqueInstanceId(identityDocument.providerUniqueId).asDottedString(), - "dnssuffix", - "service", - URI.create("http://localhost/zts"), - 1, - identityDocument.configServerHostname, - identityDocument.instanceHostname, - identityDocument.createdAt, - identityDocument.ipAddresses, - null)); // TODO Remove support for legacy representation without type - } catch (Exception e) { - throw new RuntimeException(e); - } - } - private SuperModelProvider mockSuperModelProvider(ApplicationInfo... appInfos) { SuperModel superModel = new SuperModel(Stream.of(appInfos) .collect(Collectors.groupingBy( |