Merge pull request #10753 from vespa-engine/mpolden/ca-api

Initial CA API
author: Martin Polden <mpolden@mpolden.no> 2019-09-23 10:55:56 +0200
committer: GitHub <noreply@github.com> 2019-09-23 10:55:56 +0200
commit: f07176a7d3df4cc3bd9087e86b195eac0d7b6f3d (patch)
tree: f4f828b7a3789464826348d0f52a8ea5cf8fac8e /athenz-identity-provider-service
parent: cfe167148c1c19a4ceb6175268d10ac01982f7d3 (diff)
parent: 00c7e655dfb56f00e8451b2aaaee44189077b433 (diff)
12 files changed, 749 insertions, 0 deletions
diff --git a/athenz-identity-provider-service/pom.xml b/athenz-identity-provider-service/pom.xml
index 501904a1d62..a8de9b58269 100644
--- a/athenz-identity-provider-service/pom.xml
+++ b/athenz-identity-provider-service/pom.xml
@@ -94,6 +94,12 @@
             <version>${project.version}</version>
             <scope>provided</scope>
         </dependency>
+        <dependency>
+            <groupId>com.yahoo.vespa</groupId>
+            <artifactId>container-dev</artifactId>
+            <version>${project.version}</version>
+            <scope>provided</scope>
+        </dependency>
 
         <!-- COMPILE -->
         <dependency>
@@ -134,6 +140,18 @@
             <version>${project.version}</version>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>com.yahoo.vespa</groupId>
+            <artifactId>application</artifactId>
+            <version>${project.version}</version>
+            <scope>test</scope>
+        </dependency>
+      <dependency>
+        <groupId>com.yahoo.vespa</groupId>
+        <artifactId>testutil</artifactId>
+        <version>${project.version}</version>
+        <scope>test</scope>
+      </dependency>
     </dependencies>
 
     <build>
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/Certificates.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/Certificates.java
new file mode 100644
index 00000000000..6d121657a40
--- /dev/null
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/Certificates.java
@@ -0,0 +1,57 @@
+// Copyright 2019 Oath Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.hosted.ca;
+
+import com.yahoo.security.Pkcs10Csr;
+import com.yahoo.security.SubjectAlternativeName;
+import com.yahoo.security.X509CertificateBuilder;
+
+import java.security.PrivateKey;
+import java.security.cert.X509Certificate;
+import java.time.Clock;
+import java.time.Duration;
+import java.util.Objects;
+
+import static com.yahoo.security.SignatureAlgorithm.SHA256_WITH_ECDSA;
+import static com.yahoo.security.SubjectAlternativeName.Type.DNS_NAME;
+
+/**
+ * Helper class for creating {@link X509Certificate}s.
+ *
+ * @author mpolden
+ */
+public class Certificates {
+
+    private static final Duration CERTIFICATE_TTL = Duration.ofDays(30);
+
+    private final Clock clock;
+
+    public Certificates(Clock clock) {
+        this.clock = Objects.requireNonNull(clock, "clock must be non-null");
+    }
+
+    /** Create a new certificate from csr signed by the given CA private key */
+    public X509Certificate create(Pkcs10Csr csr, X509Certificate caCertificate, PrivateKey caPrivateKey) {
+        var x500principal = caCertificate.getSubjectX500Principal();
+        var now = clock.instant();
+        var notBefore = now.minus(Duration.ofHours(1));
+        var notAfter = now.plus(CERTIFICATE_TTL);
+        return X509CertificateBuilder.fromCsr(csr,
+                                              x500principal,
+                                              notBefore,
+                                              notAfter,
+                                              caPrivateKey,
+                                              SHA256_WITH_ECDSA,
+                                              X509CertificateBuilder.generateRandomSerialNumber())
+                                     .build();
+    }
+
+    /** Returns the DNS name field from Subject Alternative Names in given csr */
+    public static String extractDnsName(Pkcs10Csr csr) {
+        return csr.getSubjectAlternativeNames().stream()
+                  .filter(san -> san.getType() == DNS_NAME)
+                  .map(SubjectAlternativeName::getValue)
+                  .findFirst()
+                  .orElseThrow(() -> new IllegalArgumentException("DNS name not found in CSR"));
+    }
+
+}
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/instance/InstanceIdentity.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/instance/InstanceIdentity.java
new file mode 100644
index 00000000000..b499debcc47
--- /dev/null
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/instance/InstanceIdentity.java
@@ -0,0 +1,64 @@
+// Copyright 2019 Oath Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.hosted.ca.instance;
+
+import java.security.cert.X509Certificate;
+import java.util.Objects;
+import java.util.Optional;
+
+/**
+ * A signed instance identity object that includes a client certificate. This is the result of a successful
+ * {@link InstanceRegistration}.
+ *
+ * @author mpolden
+ */
+public class InstanceIdentity {
+
+    private final String provider;
+    private final String service;
+    private final String instanceId;
+    private final Optional<X509Certificate> x509Certificate;
+
+    public InstanceIdentity(String provider, String service, String instanceId, Optional<X509Certificate> x509Certificate) {
+        this.provider = Objects.requireNonNull(provider, "provider must be non-null");
+        this.service = Objects.requireNonNull(service, "service must be non-null");
+        this.instanceId = Objects.requireNonNull(instanceId, "instanceId must be non-null");
+        this.x509Certificate = Objects.requireNonNull(x509Certificate, "x509Certificate must be non-null");
+    }
+
+    /** Same as {@link InstanceRegistration#domain()} */
+    public String provider() {
+        return provider;
+    }
+
+    /** Same as {@link InstanceRegistration#service()} ()} */
+    public String service() {
+        return service;
+    }
+
+    /** A unique identifier of the instance to which the certificate is issued */
+    public String instanceId() {
+        return instanceId;
+    }
+
+    /** The issued certificate */
+    public Optional<X509Certificate> x509Certificate() {
+        return x509Certificate;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) return true;
+        if (o == null || getClass() != o.getClass()) return false;
+        InstanceIdentity that = (InstanceIdentity) o;
+        return provider.equals(that.provider) &&
+               service.equals(that.service) &&
+               instanceId.equals(that.instanceId) &&
+               x509Certificate.equals(that.x509Certificate);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(provider, service, instanceId, x509Certificate);
+    }
+
+}
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/instance/InstanceRegistration.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/instance/InstanceRegistration.java
new file mode 100644
index 00000000000..7a9ec74e075
--- /dev/null
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/instance/InstanceRegistration.java
@@ -0,0 +1,81 @@
+// Copyright 2019 Oath Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.hosted.ca.instance;
+
+import com.yahoo.security.Pkcs10Csr;
+
+import java.util.Objects;
+
+/**
+ * Information for registering a new instance in the system. This is similar to the InstanceRegisterInformation type in
+ * ZTS.
+ *
+ * @author mpolden
+ */
+public class InstanceRegistration {
+
+    private final String provider;
+    private final String domain;
+    private final String service;
+    private final String attestationData;
+    private final Pkcs10Csr csr;
+
+    public InstanceRegistration(String provider, String domain, String service, String attestationData, Pkcs10Csr csr) {
+        this.provider = Objects.requireNonNull(provider, "provider must be non-null");
+        this.domain = Objects.requireNonNull(domain, "domain must be non-null");
+        this.service = Objects.requireNonNull(service, "service must be non-null");
+        this.attestationData = Objects.requireNonNull(attestationData, "attestationData must be non-null");
+        this.csr = Objects.requireNonNull(csr, "csr must be non-null");
+    }
+
+    /** The provider which issued the attestation data contained in this */
+    public String provider() {
+        return provider;
+    }
+
+    /** Athenz domain of the instance */
+    public String domain() {
+        return domain;
+    }
+
+    /** Athenz service of the instance */
+    public String service() {
+        return service;
+    }
+
+    /** Host document describing this instance (received from config server) */
+    public String attestationData() {
+        return attestationData;
+    }
+
+    public Pkcs10Csr csr() {
+        return csr;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) return true;
+        if (o == null || getClass() != o.getClass()) return false;
+        InstanceRegistration that = (InstanceRegistration) o;
+        return provider.equals(that.provider) &&
+               domain.equals(that.domain) &&
+               service.equals(that.service) &&
+               attestationData.equals(that.attestationData) &&
+               csr.equals(that.csr);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(provider, domain, service, attestationData, csr);
+    }
+
+    @Override
+    public String toString() {
+        return "InstanceRegistration{" +
+               "provider='" + provider + '\'' +
+               ", domain='" + domain + '\'' +
+               ", service='" + service + '\'' +
+               ", attestationData='" + attestationData + '\'' +
+               ", csr=" + csr +
+               '}';
+    }
+}
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiHandler.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiHandler.java
new file mode 100644
index 00000000000..ba4f0ce932c
--- /dev/null
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiHandler.java
@@ -0,0 +1,109 @@
+// Copyright 2019 Oath Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.hosted.ca.restapi;
+
+import com.google.inject.Inject;
+import com.yahoo.config.provision.SystemName;
+import com.yahoo.config.provision.Zone;
+import com.yahoo.container.jdisc.HttpRequest;
+import com.yahoo.container.jdisc.HttpResponse;
+import com.yahoo.container.jdisc.LoggingRequestHandler;
+import com.yahoo.container.jdisc.secretstore.SecretStore;
+import com.yahoo.restapi.Path;
+import com.yahoo.restapi.SlimeJsonResponse;
+import com.yahoo.security.KeyUtils;
+import com.yahoo.security.X509CertificateUtils;
+import com.yahoo.slime.Slime;
+import com.yahoo.vespa.config.SlimeUtils;
+import com.yahoo.vespa.hosted.ca.Certificates;
+import com.yahoo.vespa.hosted.ca.instance.InstanceIdentity;
+import com.yahoo.vespa.hosted.provision.restapi.v2.ErrorResponse;
+import com.yahoo.yolean.Exceptions;
+
+import java.io.IOException;
+import java.io.UncheckedIOException;
+import java.security.PrivateKey;
+import java.security.cert.X509Certificate;
+import java.time.Clock;
+import java.util.Optional;
+import java.util.logging.Level;
+
+/**
+ * REST API for issuing and refreshing node certificates in a hosted Vespa system.
+ *
+ * The API implements the following subset of methods from the Athenz ZTS REST API:
+ * - Instance registration
+ * - Instance refresh
+ *
+ * @author mpolden
+ */
+public class CertificateAuthorityApiHandler extends LoggingRequestHandler {
+
+    private final SecretStore secretStore;
+    private final Certificates certificates;
+    private final SystemName system;
+
+    @Inject
+    public CertificateAuthorityApiHandler(Context ctx, SecretStore secretStore, Zone zone) {
+        this(ctx, secretStore, new Certificates(Clock.systemUTC()), zone.system());
+    }
+
+    CertificateAuthorityApiHandler(Context ctx, SecretStore secretStore, Certificates certificates, SystemName system) {
+        super(ctx);
+        this.secretStore = secretStore;
+        this.certificates = certificates;
+        this.system = system;
+    }
+
+    @Override
+    public HttpResponse handle(HttpRequest request) {
+        try {
+            switch (request.getMethod()) {
+                case POST: return handlePost(request);
+                default: return ErrorResponse.methodNotAllowed("Method '" + request.getMethod() + "' is unsupported");
+            }
+        } catch (IllegalArgumentException e) {
+            return ErrorResponse.badRequest(Exceptions.toMessageString(e));
+        } catch (RuntimeException e) {
+            log.log(Level.WARNING, "Unexpected error handling '" + request.getUri() + "'", e);
+            return ErrorResponse.internalServerError(Exceptions.toMessageString(e));
+        }
+    }
+
+    private HttpResponse handlePost(HttpRequest request) {
+        Path path = new Path(request.getUri());
+        if (path.matches("/ca/v1/instance/")) return registerInstance(request);
+        // TODO: Implement refresh
+        return ErrorResponse.notFoundError("Nothing at " + path);
+    }
+
+    private HttpResponse registerInstance(HttpRequest request) {
+        var body = slimeFromRequest(request);
+        var instanceRegistration = InstanceSerializer.registrationFromSlime(body);
+        var certificate = certificates.create(instanceRegistration.csr(), caCertificate(), caPrivateKey());
+        var instanceId = Certificates.extractDnsName(instanceRegistration.csr());
+        var identity = new InstanceIdentity(instanceRegistration.provider(), instanceRegistration.service(), instanceId,
+                                            Optional.of(certificate));
+        return new SlimeJsonResponse(InstanceSerializer.identityToSlime(identity));
+    }
+
+    /** Returns CA certificate from secret store */
+    private X509Certificate caCertificate() {
+        var keyName = String.format("vespa.external.%s.configserver.ca.cert.cert", system.value().toLowerCase());
+        return X509CertificateUtils.fromPem(secretStore.getSecret(keyName));
+    }
+
+    /** Returns CA private key from secret store */
+    private PrivateKey caPrivateKey() {
+        var keyName = String.format("vespa.external.%s.configserver.ca.key.key", system.value().toLowerCase());
+        return KeyUtils.fromPemEncodedPrivateKey(secretStore.getSecret(keyName));
+    }
+
+    private static Slime slimeFromRequest(HttpRequest request) {
+        try {
+            return SlimeUtils.jsonToSlime(request.getData().readAllBytes());
+        } catch (IOException e) {
+            throw new UncheckedIOException(e);
+        }
+    }
+
+}
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/restapi/InstanceSerializer.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/restapi/InstanceSerializer.java
new file mode 100644
index 00000000000..46a09e9c6f2
--- /dev/null
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/restapi/InstanceSerializer.java
@@ -0,0 +1,54 @@
+// Copyright 2019 Oath Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.hosted.ca.restapi;
+
+import com.yahoo.security.Pkcs10CsrUtils;
+import com.yahoo.security.X509CertificateUtils;
+import com.yahoo.slime.Cursor;
+import com.yahoo.slime.Slime;
+import com.yahoo.vespa.hosted.ca.instance.InstanceIdentity;
+import com.yahoo.vespa.hosted.ca.instance.InstanceRegistration;
+
+/**
+ * @author mpolden
+ */
+public class InstanceSerializer {
+
+    private static final String PROVIDER_FIELD = "provider";
+    private static final String DOMAIN_FIELD = "domain";
+    private static final String SERVICE_FIELD = "service";
+    private static final String ATTESTATION_DATA_FIELD = "attestationData";
+    private static final String CSR_FIELD = "csr";
+    private static final String NAME_FIELD = "service";
+    private static final String INSTANCE_ID_FIELD = "instanceId";
+    private static final String X509_CERTIFICATE_FIELD = "x509Certificate";
+
+    private InstanceSerializer() {}
+
+    public static InstanceRegistration registrationFromSlime(Slime slime) {
+        Cursor root = slime.get();
+        return new InstanceRegistration(requireField(PROVIDER_FIELD, root).asString(),
+                                        requireField(DOMAIN_FIELD, root).asString(),
+                                        requireField(SERVICE_FIELD, root).asString(),
+                                        requireField(ATTESTATION_DATA_FIELD, root).asString(),
+                                        Pkcs10CsrUtils.fromPem(requireField(CSR_FIELD, root).asString()));
+    }
+
+    public static Slime identityToSlime(InstanceIdentity identity) {
+        Slime slime = new Slime();
+        Cursor root = slime.setObject();
+        root.setString(PROVIDER_FIELD, identity.provider());
+        root.setString(NAME_FIELD, identity.service());
+        root.setString(INSTANCE_ID_FIELD, identity.instanceId());
+        identity.x509Certificate()
+                .map(X509CertificateUtils::toPem)
+                .ifPresent(pem -> root.setString(X509_CERTIFICATE_FIELD, pem));
+        return slime;
+    }
+
+    private static Cursor requireField(String fieldName, Cursor root) {
+        var field = root.field(fieldName);
+        if (!field.valid()) throw new IllegalArgumentException("Missing required field '" + fieldName + "'");
+        return field;
+    }
+
+}
diff --git a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/CertificateTester.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/CertificateTester.java
new file mode 100644
index 00000000000..4946de93f6d
--- /dev/null
+++ b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/CertificateTester.java
@@ -0,0 +1,60 @@
+// Copyright 2019 Oath Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.hosted.ca;
+
+import com.yahoo.security.KeyAlgorithm;
+import com.yahoo.security.KeyUtils;
+import com.yahoo.security.Pkcs10Csr;
+import com.yahoo.security.Pkcs10CsrBuilder;
+import com.yahoo.security.SignatureAlgorithm;
+import com.yahoo.security.SubjectAlternativeName;
+import com.yahoo.security.X509CertificateBuilder;
+
+import javax.security.auth.x500.X500Principal;
+import java.math.BigInteger;
+import java.security.KeyPair;
+import java.security.cert.X509Certificate;
+import java.time.Duration;
+import java.time.Instant;
+
+import static com.yahoo.security.SignatureAlgorithm.SHA256_WITH_ECDSA;
+
+/**
+ * Helper class for creating certificates, CSRs etc. for testing purposes.
+ *
+ * @author mpolden
+ */
+public class CertificateTester {
+
+    private CertificateTester() {}
+
+    public static X509Certificate createCertificate() {
+        var keyPair = KeyUtils.generateKeypair(KeyAlgorithm.EC, 256);
+        return createCertificate("subject", keyPair);
+    }
+
+    public static X509Certificate createCertificate(String cn, KeyPair keyPair) {
+        var subject = new X500Principal("CN=" + cn);
+        return X509CertificateBuilder.fromKeypair(keyPair,
+                                                  subject,
+                                                  Instant.EPOCH,
+                                                  Instant.EPOCH.plus(Duration.ofMinutes(1)),
+                                                  SHA256_WITH_ECDSA,
+                                                  BigInteger.ONE)
+                                     .build();
+    }
+
+    public static Pkcs10Csr createCsr() {
+        return createCsr(null);
+    }
+
+    public static Pkcs10Csr createCsr(String dnsName) {
+        X500Principal subject = new X500Principal("CN=subject");
+        KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.EC, 256);
+        var builder = Pkcs10CsrBuilder.fromKeypair(subject, keyPair, SignatureAlgorithm.SHA512_WITH_ECDSA);
+        if (dnsName != null) {
+            builder = builder.addSubjectAlternativeName(SubjectAlternativeName.Type.DNS_NAME, dnsName);
+        }
+        return builder.build();
+    }
+
+}
diff --git a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/CertificatesTest.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/CertificatesTest.java
new file mode 100644
index 00000000000..4e306d9a70e
--- /dev/null
+++ b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/CertificatesTest.java
@@ -0,0 +1,33 @@
+// Copyright 2019 Oath Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.hosted.ca;
+
+import com.yahoo.security.KeyAlgorithm;
+import com.yahoo.security.KeyUtils;
+import com.yahoo.test.ManualClock;
+import org.junit.Test;
+
+import java.time.Duration;
+
+import static java.time.temporal.ChronoUnit.SECONDS;
+import static org.junit.Assert.assertEquals;
+
+/**
+ * @author mpolden
+ */
+public class CertificatesTest {
+
+    @Test
+    public void expiry() {
+        var clock = new ManualClock();
+        var certificates = new Certificates(clock);
+        var csr = CertificateTester.createCsr();
+        var keyPair = KeyUtils.generateKeypair(KeyAlgorithm.EC, 256);
+        var caCertificate = CertificateTester.createCertificate("CA", keyPair);
+        var certificate = certificates.create(csr, caCertificate, keyPair.getPrivate());
+        var now = clock.instant();
+
+        assertEquals(now.minus(Duration.ofHours(1)).truncatedTo(SECONDS), certificate.getNotBefore().toInstant());
+        assertEquals(now.plus(Duration.ofDays(30)).truncatedTo(SECONDS), certificate.getNotAfter().toInstant());
+    }
+
+}
diff --git a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiTest.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiTest.java
new file mode 100644
index 00000000000..4393c3a25b9
--- /dev/null
+++ b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiTest.java
@@ -0,0 +1,101 @@
+// Copyright 2019 Oath Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.hosted.ca.restapi;
+
+import com.yahoo.application.container.handler.Request;
+import com.yahoo.security.KeyAlgorithm;
+import com.yahoo.security.KeyUtils;
+import com.yahoo.security.Pkcs10Csr;
+import com.yahoo.security.Pkcs10CsrUtils;
+import com.yahoo.security.X509CertificateUtils;
+import com.yahoo.vespa.athenz.api.AthenzService;
+import com.yahoo.vespa.athenz.client.zts.DefaultZtsClient;
+import com.yahoo.vespa.config.SlimeUtils;
+import com.yahoo.vespa.hosted.ca.CertificateTester;
+import org.junit.Before;
+import org.junit.Test;
+
+import javax.net.ssl.SSLContext;
+import java.net.URI;
+import java.nio.charset.StandardCharsets;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+
+/**
+ * @author mpolden
+ */
+public class CertificateAuthorityApiTest extends ContainerTester {
+
+    @Before
+    public void before() {
+        setCaCertificateAndKey();
+    }
+
+    @Test
+    public void register_instance() throws Exception {
+        // POST instance registration
+        var csr = CertificateTester.createCsr("node1.example.com");
+        assertRegistration(new Request("http://localhost:12345/ca/v1/instance/",
+                                       instanceRegistrationJson(csr),
+                                       Request.Method.POST));
+
+        // POST instance registration with ZTS client
+        var ztsClient = new DefaultZtsClient(URI.create("http://localhost:12345/ca/v1/"), SSLContext.getDefault());
+        var instanceIdentity = ztsClient.registerInstance(new AthenzService("vespa.external", "provider_prod_us-north-1"),
+                                                          new AthenzService("vespa.external", "tenant"),
+                                                          "identity document generated by config server",
+                                                          csr);
+        assertEquals("CN=Vespa CA", instanceIdentity.certificate().getIssuerX500Principal().getName());
+    }
+
+    @Test
+    public void invalid_register_instance() {
+        // POST instance registration with missing fields
+        assertResponse(400, "{\"error-code\":\"BAD_REQUEST\",\"message\":\"Missing required field 'provider'\"}",
+                       new Request("http://localhost:12345/ca/v1/instance/",
+                                   new byte[0],
+                                   Request.Method.POST));
+
+        // POST instance registration without DNS name in CSR
+        var csr = CertificateTester.createCsr();
+        var request = new Request("http://localhost:12345/ca/v1/instance/",
+                                  instanceRegistrationJson(csr),
+                                  Request.Method.POST);
+        assertResponse(400, "{\"error-code\":\"BAD_REQUEST\",\"message\":\"DNS name not found in CSR\"}", request);
+    }
+
+    private void setCaCertificateAndKey() {
+        var keyPair = KeyUtils.generateKeypair(KeyAlgorithm.EC, 256);
+        var caCertificatePem = X509CertificateUtils.toPem(CertificateTester.createCertificate("Vespa CA", keyPair));
+        var privateKeyPem = KeyUtils.toPem(keyPair.getPrivate());
+        secretStore().setSecret("vespa.external.main.configserver.ca.cert.cert", caCertificatePem)
+                     .setSecret("vespa.external.main.configserver.ca.key.key", privateKeyPem);
+    }
+
+    private void assertRegistration(Request request) {
+        assertResponse(200, (body) -> {
+            var slime = SlimeUtils.jsonToSlime(body);
+            var root = slime.get();
+            assertEquals("provider_prod_us-north-1", root.field("provider").asString());
+            assertEquals("tenant", root.field("service").asString());
+            assertEquals("node1.example.com", root.field("instanceId").asString());
+            var pemEncodedCertificate = root.field("x509Certificate").asString();
+            assertTrue("Response contains PEM certificate",
+                       pemEncodedCertificate.startsWith("-----BEGIN CERTIFICATE-----") &&
+                       pemEncodedCertificate.endsWith("-----END CERTIFICATE-----\n"));
+        }, request);
+    }
+
+    private static byte[] instanceRegistrationJson(Pkcs10Csr csr) {
+        var csrPem = Pkcs10CsrUtils.toPem(csr);
+        var json  = "{\n" +
+               "  \"provider\": \"provider_prod_us-north-1\",\n" +
+               "  \"domain\": \"vespa.external\",\n" +
+               "  \"service\": \"tenant\",\n" +
+               "  \"attestationData\": \"identity document generated by config server\",\n" +
+               "  \"csr\": \"" + csrPem + "\"\n" +
+               "}";
+        return json.getBytes(StandardCharsets.UTF_8);
+    }
+
+}
diff --git a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/ContainerTester.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/ContainerTester.java
new file mode 100644
index 00000000000..2ca45cf7e56
--- /dev/null
+++ b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/ContainerTester.java
@@ -0,0 +1,72 @@
+// Copyright 2019 Oath Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.hosted.ca.restapi;
+
+import com.yahoo.application.Networking;
+import com.yahoo.application.container.JDisc;
+import com.yahoo.application.container.handler.Request;
+import com.yahoo.vespa.hosted.ca.restapi.mock.SecretStoreMock;
+import org.junit.After;
+import org.junit.Before;
+
+import java.io.UncheckedIOException;
+import java.nio.charset.CharacterCodingException;
+import java.util.function.Consumer;
+
+import static org.junit.Assert.assertEquals;
+
+/**
+ * The superclass of REST API tests which require a functional container instance.
+ *
+ * @author mpolden
+ */
+public class ContainerTester {
+
+    private JDisc container;
+
+    @Before
+    public void startContainer() {
+        container = JDisc.fromServicesXml(servicesXml(), Networking.enable);
+    }
+
+    @After
+    public void stopContainer() {
+        container.close();
+    }
+
+    public SecretStoreMock secretStore() {
+        return (SecretStoreMock) container.components().getComponent(SecretStoreMock.class.getName());
+    }
+
+    public void assertResponse(int expectedStatus, String expectedBody, Request request) {
+        assertResponse(expectedStatus, (body) -> assertEquals(expectedBody, body), request);
+    }
+
+    public void assertResponse(int expectedStatus, Consumer<String> bodyAsserter, Request request) {
+        var response = container.handleRequest(request);
+        try {
+            bodyAsserter.accept(response.getBodyAsString());
+        } catch (CharacterCodingException e) {
+            throw new UncheckedIOException(e);
+        }
+        assertEquals(expectedStatus, response.getStatus());
+        assertEquals("application/json; charset=UTF-8", response.getHeaders().getFirst("Content-Type"));
+    }
+
+    private static String servicesXml() {
+        return "<container version='1.0'>\n" +
+               "  <config name=\"container.handler.threadpool\">\n" +
+               "    <maxthreads>10</maxthreads>\n" +
+               "  </config> \n" +
+               "  <component id='com.yahoo.vespa.hosted.provision.testutils.MockNodeFlavors'/>\n" +
+               "  <component id='com.yahoo.config.provision.Zone'/>\n" +
+               "  <component id='com.yahoo.vespa.hosted.ca.restapi.mock.SecretStoreMock'/>\n" +
+               "  <handler id='com.yahoo.vespa.hosted.ca.restapi.CertificateAuthorityApiHandler'>\n" +
+               "    <binding>http://*/ca/v1/*</binding>\n" +
+               "  </handler>\n" +
+               "  <http>\n" +
+               "    <server id='default' port='12345'/>\n" +
+               "  </http>\n" +
+               "</container>";
+    }
+
+}
diff --git a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/InstanceSerializerTest.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/InstanceSerializerTest.java
new file mode 100644
index 00000000000..51010422b6d
--- /dev/null
+++ b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/InstanceSerializerTest.java
@@ -0,0 +1,66 @@
+// Copyright 2019 Oath Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.hosted.ca.restapi;
+
+import com.yahoo.security.Pkcs10CsrUtils;
+import com.yahoo.security.X509CertificateUtils;
+import com.yahoo.slime.Slime;
+import com.yahoo.vespa.config.SlimeUtils;
+import com.yahoo.vespa.hosted.ca.CertificateTester;
+import com.yahoo.vespa.hosted.ca.instance.InstanceIdentity;
+import com.yahoo.vespa.hosted.ca.instance.InstanceRegistration;
+import org.junit.Test;
+
+import java.io.IOException;
+import java.io.UncheckedIOException;
+import java.nio.charset.StandardCharsets;
+import java.util.Optional;
+
+import static org.junit.Assert.assertEquals;
+
+/**
+ * @author mpolden
+ */
+public class InstanceSerializerTest {
+
+    @Test
+    public void deserialize_instance_registration() {
+        var csr = CertificateTester.createCsr();
+        var csrPem = Pkcs10CsrUtils.toPem(csr);
+        var json = "{\n" +
+                   "  \"provider\": \"provider_prod_us-north-1\",\n" +
+                   "  \"domain\": \"vespa.external\",\n" +
+                   "  \"service\": \"tenant\",\n" +
+                   "  \"attestationData\": \"identity document from configserevr\",\n" +
+                   "  \"csr\": \"" + csrPem + "\"\n" +
+                   "}";
+        var instanceRegistration = new InstanceRegistration("provider_prod_us-north-1", "vespa.external",
+                                                            "tenant", "identity document from configserevr",
+                                                            csr);
+        var deserialized = InstanceSerializer.registrationFromSlime(SlimeUtils.jsonToSlime(json));
+        assertEquals(instanceRegistration, deserialized);
+    }
+
+    @Test
+    public void serialize_instance_identity() {
+        var certificate = CertificateTester.createCertificate();
+        var pem = X509CertificateUtils.toPem(certificate);
+        var identity = new InstanceIdentity("provider_prod_us-north-1", "tenant", "node1.example.com",
+                                            Optional.of(certificate));
+        var json = "{" +
+                   "\"provider\":\"provider_prod_us-north-1\"," +
+                   "\"service\":\"tenant\"," +
+                   "\"instanceId\":\"node1.example.com\"," +
+                   "\"x509Certificate\":\"" + pem.replace("\n", "\\n") + "\"" +
+                   "}";
+        assertEquals(json, asJsonString(InstanceSerializer.identityToSlime(identity)));
+    }
+
+    private static String asJsonString(Slime slime) {
+        try {
+            return new String(SlimeUtils.toJsonBytes(slime), StandardCharsets.UTF_8);
+        } catch (IOException e) {
+            throw new UncheckedIOException(e);
+        }
+    }
+
+}
diff --git a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/mock/SecretStoreMock.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/mock/SecretStoreMock.java
new file mode 100644
index 00000000000..a53bf9d9fd3
--- /dev/null
+++ b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/mock/SecretStoreMock.java
@@ -0,0 +1,34 @@
+// Copyright 2019 Oath Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.hosted.ca.restapi.mock;
+
+import com.yahoo.component.AbstractComponent;
+import com.yahoo.container.jdisc.secretstore.SecretStore;
+
+import java.util.HashMap;
+import java.util.Map;
+
+/**
+ * @author mpolden
+ */
+public class SecretStoreMock extends AbstractComponent implements SecretStore {
+
+    private final Map<String, String> secrets = new HashMap<>();
+
+    public SecretStoreMock setSecret(String key, String value) {
+        secrets.put(key, value);
+        return this;
+    }
+
+    @Override
+    public String getSecret(String key) {
+        if (!secrets.containsKey(key)) throw new RuntimeException("No such key '" + key + "'");
+        return secrets.get(key);
+    }
+
+    @Override
+    public String getSecret(String key, int version) {
+        if (!secrets.containsKey(key)) throw new RuntimeException("No such key '" + key + "'");
+        return secrets.get(key);
+    }
+
+}
author	Martin Polden <mpolden@mpolden.no>	2019-09-23 10:55:56 +0200
committer	GitHub <noreply@github.com>	2019-09-23 10:55:56 +0200
commit	f07176a7d3df4cc3bd9087e86b195eac0d7b6f3d (patch)
tree	f4f828b7a3789464826348d0f52a8ea5cf8fac8e /athenz-identity-provider-service
parent	cfe167148c1c19a4ceb6175268d10ac01982f7d3 (diff)
parent	00c7e655dfb56f00e8451b2aaaee44189077b433 (diff)