authorMorten Tokle <morten.tokle@gmail.com>2023-02-27 13:57:35 +0100
committerGitHub <noreply@github.com>2023-02-27 13:57:35 +0100
commit153b45b3aaf818c28a95d2cc47f586d768af6a54 (patch)
treea4fc3f26078969a89579de9b38883b32b464e9d2 /athenz-identity-provider-service
parent311f0b4a454dc7d56db50a2921ffc9376bab92b2 (diff)
Revert "public vespa provider"
Diffstat (limited to 'athenz-identity-provider-service')
-rw-r--r--athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/IdentityDocumentGenerator.java29
-rw-r--r--athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiHandler.java2
-rw-r--r--athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/restapi/InstanceSerializer.java5
-rw-r--r--athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/IdentityDocumentGeneratorTest.java4
-rw-r--r--athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/InstanceValidatorTest.java2
-rw-r--r--athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/ContainerTester.java2
-rw-r--r--athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/InstanceSerializerTest.java4
7 files changed, 8 insertions, 40 deletions
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/IdentityDocumentGenerator.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/IdentityDocumentGenerator.java
index 5138bee1ff6..5143a38b2c1 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/IdentityDocumentGenerator.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/IdentityDocumentGenerator.java
@@ -3,10 +3,7 @@ package com.yahoo.vespa.hosted.athenz.instanceproviderservice;
import com.yahoo.component.annotation.Inject;
import com.yahoo.config.provision.Zone;
-import com.yahoo.container.jdisc.secretstore.SecretStore;
import com.yahoo.net.HostName;
-import com.yahoo.security.KeyUtils;
-
import com.yahoo.vespa.athenz.api.AthenzService;
import com.yahoo.vespa.athenz.identityprovider.api.ClusterType;
import com.yahoo.vespa.athenz.identityprovider.api.IdentityType;
@@ -35,20 +32,17 @@ public class IdentityDocumentGenerator {
private final NodeRepository nodeRepository;
private final Zone zone;
private final KeyProvider keyProvider;
- private final SecretStore secretStore;
private final AthenzProviderServiceConfig athenzProviderServiceConfig;
@Inject
public IdentityDocumentGenerator(AthenzProviderServiceConfig config,
NodeRepository nodeRepository,
Zone zone,
- KeyProvider keyProvider,
- SecretStore secretStore) {
+ KeyProvider keyProvider) {
this.athenzProviderServiceConfig = config;
this.nodeRepository = nodeRepository;
this.zone = zone;
this.keyProvider = keyProvider;
- this.secretStore = secretStore;
}
public SignedIdentityDocument generateSignedIdentityDocument(String hostname, IdentityType identityType) {
@@ -67,7 +61,7 @@ public class IdentityDocumentGenerator {
Set<String> ips = new HashSet<>(node.ipConfig().primary());
- PrivateKey privateKey = privateKey(node);
+ PrivateKey privateKey = keyProvider.getPrivateKey(athenzProviderServiceConfig.secretVersion());
AthenzService providerService = new AthenzService(athenzProviderServiceConfig.domain(), athenzProviderServiceConfig.serviceName());
String configServerHostname = HostName.getLocalhost();
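Review bot: The version used to fetch the signing key on the added line and the signingKeyVersion placed into the document by the return statement in the next hunk are read through two separate `athenzProviderServiceConfig.secretVersion()` calls, and a verifier that picks its public key by the embedded version presumably depends on both agreeing. Reading it once, `int keyVersion = athenzProviderServiceConfig.secretVersion();`, then using `keyProvider.getPrivateKey(keyVersion)` here and `keyVersion` in the SignedIdentityDocument constructor makes that coupling explicit rather than coincidental. If the two calls are kept, a comment on the added line such as `// must be the same version that is written as signingKeyVersion into the document below` would record the invariant. generateSignedIdentityDocument starts before this hunk.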
@@ -79,28 +73,11 @@ public class IdentityDocumentGenerator {
return new SignedIdentityDocument(
signature, athenzProviderServiceConfig.secretVersion(), providerUniqueId, providerService,
SignedIdentityDocument.DEFAULT_DOCUMENT_VERSION, configServerHostname, node.hostname(),
- createdAt, ips, identityType, clusterType, ztsUrl(node));
+ createdAt, ips, identityType, clusterType);
} catch (Exception e) {
throw new RuntimeException("Exception generating identity document: " + e.getMessage(), e);
}
}
- private PrivateKey privateKey(Node node) {
- // return sisSecret for public non-enclave hosts. secret otherwise
- if (zone.system().isPublic() && !node.cloudAccount().isEnclave(zone)) {
- String keyPem = secretStore.getSecret(athenzProviderServiceConfig.sisSecretName(), athenzProviderServiceConfig.sisSecretVersion());
- return KeyUtils.fromPemEncodedPrivateKey(keyPem);
- } else {
- return keyProvider.getPrivateKey(athenzProviderServiceConfig.secretVersion());
- }
- }
- private String ztsUrl(Node node) {
- // return sisUrl for public non-enclave hosts, ztsUrl otherwise
- if (zone.system().isPublic() && !node.cloudAccount().isEnclave(zone)) {
- return athenzProviderServiceConfig.sisUrl();
- } else {
- return athenzProviderServiceConfig.ztsUrl();
- }
- }
}
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiHandler.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiHandler.java
index 231f22ac56b..531a815922b 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiHandler.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiHandler.java
@@ -65,7 +65,7 @@ public class CertificateAuthorityApiHandler extends ThreadedHttpRequestHandler {
super(ctx);
this.secretStore = secretStore;
this.certificates = certificates;
- this.caPrivateKeySecretName = athenzProviderServiceConfig.sisSecretName();
+ this.caPrivateKeySecretName = athenzProviderServiceConfig.secretName();
this.caCertificateSecretName = athenzProviderServiceConfig.caCertSecretName();
this.instanceValidator = instanceValidator;
}
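Review bot: The CA private key is now looked up under `athenzProviderServiceConfig.secretName()`, the same config entry whose `secretVersion()` the IdentityDocumentGenerator hands to keyProvider for identity-document signing; if keyProvider resolves the same secret-store entry, one key would serve both document signing and certificate issuance, which widens the impact of that single secret being exposed. Whether that sharing is intended cannot be told from this hunk, so a comment on the changed line naming the intended secret and stating whether it is deliberately the same as the identity-document signing key would help the next reader, e.g. `// CA issuing key; intentionally the provider's main secret (see IdentityDocumentGenerator)` if that is the case. The constructor begins outside the hunk.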
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/restapi/InstanceSerializer.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/restapi/InstanceSerializer.java
index 8c575a6403b..fec03afab69 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/restapi/InstanceSerializer.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/restapi/InstanceSerializer.java
@@ -49,7 +49,6 @@ public class InstanceSerializer {
private static final String IDD_IPADDRESSES_FIELD = "ip-addresses";
private static final String IDD_IDENTITY_TYPE_FIELD = "identity-type";
private static final String IDD_CLUSTER_TYPE_FIELD = "cluster-type";
- private static final String IDD_ZTS_URL_FIELD = "zts-url";
private static final ObjectMapper objectMapper = new ObjectMapper();
static {
@@ -101,12 +100,10 @@ public class InstanceSerializer {
IdentityType identityType = IdentityType.fromId(requireField(IDD_IDENTITY_TYPE_FIELD, root).asString());
var clusterTypeField = root.field(IDD_CLUSTER_TYPE_FIELD);
var clusterType = clusterTypeField.valid() ? ClusterType.from(clusterTypeField.asString()) : null;
- var ztsUrlField = root.field(IDD_ZTS_URL_FIELD);
- var ztsUrl = ztsUrlField.valid() ? ztsUrlField.asString() : "";
return new SignedIdentityDocument(signature, (int)signingKeyVersion, providerUniqueId, athenzService, (int)documentVersion,
- configserverHostname, instanceHostname, createdAt, ips, identityType, clusterType, ztsUrl);
+ configserverHostname, instanceHostname, createdAt, ips, identityType, clusterType);
}
private static Instant getJsr310Instant(double v) {
diff --git a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/IdentityDocumentGeneratorTest.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/IdentityDocumentGeneratorTest.java
index 340be33c2a3..9205baff0fc 100644
--- a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/IdentityDocumentGeneratorTest.java
+++ b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/IdentityDocumentGeneratorTest.java
@@ -18,7 +18,6 @@ import com.yahoo.vespa.athenz.identityprovider.api.SignedIdentityDocument;
import com.yahoo.vespa.athenz.identityprovider.api.VespaUniqueInstanceId;
import com.yahoo.vespa.athenz.identityprovider.client.IdentityDocumentSigner;
import com.yahoo.vespa.hosted.athenz.instanceproviderservice.config.AthenzProviderServiceConfig;
-import com.yahoo.vespa.hosted.ca.restapi.mock.SecretStoreMock;
import com.yahoo.vespa.hosted.provision.Node;
import com.yahoo.vespa.hosted.provision.NodeRepository;
import com.yahoo.vespa.hosted.provision.node.Allocation;
@@ -75,12 +74,11 @@ public class IdentityDocumentGeneratorTest {
when(nodes.node(eq(parentHostname))).thenReturn(Optional.of(parentNode));
when(nodes.node(eq(containerHostname))).thenReturn(Optional.of(containerNode));
AutoGeneratedKeyProvider keyProvider = new AutoGeneratedKeyProvider();
- SecretStoreMock secretStore = new SecretStoreMock();
String dnsSuffix = "vespa.dns.suffix";
AthenzProviderServiceConfig config = getAthenzProviderConfig("domain", "service", dnsSuffix);
IdentityDocumentGenerator identityDocumentGenerator =
- new IdentityDocumentGenerator(config, nodeRepository, ZONE, keyProvider, secretStore);
+ new IdentityDocumentGenerator(config, nodeRepository, ZONE, keyProvider);
SignedIdentityDocument signedIdentityDocument = identityDocumentGenerator.generateSignedIdentityDocument(containerHostname, IdentityType.TENANT);
// Verify attributes
diff --git a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/InstanceValidatorTest.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/InstanceValidatorTest.java
index e7355c75d8e..a7947aff283 100644
--- a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/InstanceValidatorTest.java
+++ b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/InstanceValidatorTest.java
@@ -225,7 +225,7 @@ public class InstanceValidatorTest {
IdentityType.NODE, keyProvider.getPrivateKey(0));
SignedIdentityDocument signedIdentityDocument = new SignedIdentityDocument(
signature, 0, vespaUniqueInstanceId, domainService, 0, "localhost", "localhost",
- clock, Collections.emptySet(), IdentityType.NODE, clusterType, "https://zts.url");
+ clock, Collections.emptySet(), IdentityType.NODE, clusterType);
return createInstanceConfirmation(vespaUniqueInstanceId, domain, service, signedIdentityDocument);
}
diff --git a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/ContainerTester.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/ContainerTester.java
index d880fd5220b..8112f5779e5 100644
--- a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/ContainerTester.java
+++ b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/ContainerTester.java
@@ -64,8 +64,6 @@ public class ContainerTester {
" <serviceName>servicename</serviceName>\n" +
" <secretName>secretname</secretName>\n" +
" <secretVersion>0</secretVersion>\n" +
- " <sisSecretName>secretname</sisSecretName>\n" +
- " <sisSecretVersion>0</sisSecretVersion>\n" +
" <caCertSecretName>vespa.external.ca.cert</caCertSecretName>\n" +
" <certDnsSuffix>suffix</certDnsSuffix>\n" +
" <ztsUrl>https://localhost:123/</ztsUrl>\n" +
diff --git a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/InstanceSerializerTest.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/InstanceSerializerTest.java
index 02398b19627..ca624918beb 100644
--- a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/InstanceSerializerTest.java
+++ b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/InstanceSerializerTest.java
@@ -1,7 +1,6 @@
// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.vespa.hosted.ca.restapi;
-import com.yahoo.config.provision.Cloud;
import com.yahoo.security.Pkcs10CsrUtils;
import com.yahoo.security.X509CertificateUtils;
import com.yahoo.slime.Slime;
@@ -49,8 +48,7 @@ public class InstanceSerializerTest {
Instant.now().truncatedTo(ChronoUnit.MICROS), // Truncate to the precision given from EntityBindingsMapper.toAttestationData()
Collections.emptySet(),
IdentityType.NODE,
- ClusterType.CONTAINER,
- "https://zts.url");
+ ClusterType.CONTAINER);
var json = String.format("{\n" +
" \"provider\": \"provider_prod_us-north-1\",\n" +