diff options
author | Morten Tokle <morten.tokle@gmail.com> | 2018-06-01 09:53:02 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-06-01 09:53:02 +0200 |
commit | 5c57852b26126d72b080fb6e0893dc3d633c28c1 (patch) | |
tree | 8e1d453dd4a6c97d77729a2b64312e6dbe417401 /athenz-identity-provider-service | |
parent | e06c3fea20d9b189a9a78fea09520702a4a517e4 (diff) | |
parent | 78da30192dad43d338b9e3f04263dd7c83094b90 (diff) |
Merge pull request #6037 from vespa-engine/bjorncs/new-unique-instance-id
Bjorncs/new unique instance
Diffstat (limited to 'athenz-identity-provider-service')
6 files changed, 40 insertions, 31 deletions
diff --git a/athenz-identity-provider-service/pom.xml b/athenz-identity-provider-service/pom.xml index 86d4defa861..982cb89f2bf 100644 --- a/athenz-identity-provider-service/pom.xml +++ b/athenz-identity-provider-service/pom.xml @@ -131,6 +131,14 @@ <plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-compiler-plugin</artifactId> + <configuration> + <compilerArgs> + <arg>-Xlint:all</arg> + <arg>-Xlint:-deprecation</arg> + <arg>-Xlint:-serial</arg> + <arg>-Werror</arg> + </compilerArgs> + </configuration> </plugin> </plugins> </build> diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java index 728406c297f..59126fd023f 100644 --- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java +++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java @@ -7,6 +7,7 @@ import com.yahoo.net.HostName; import com.yahoo.vespa.athenz.api.AthenzService; import com.yahoo.vespa.athenz.identityprovider.api.EntityBindingsMapper; import com.yahoo.vespa.athenz.identityprovider.api.IdentityDocument; +import com.yahoo.vespa.athenz.identityprovider.api.IdentityType; import com.yahoo.vespa.athenz.identityprovider.api.SignedIdentityDocument; import com.yahoo.vespa.athenz.identityprovider.api.VespaUniqueInstanceId; import com.yahoo.vespa.hosted.athenz.instanceproviderservice.KeyProvider; @@ -27,7 +28,10 @@ import java.util.Objects; import java.util.Set; /** + * Generates a signed identity document for a given hostname and type + * * @author mortent + * @author bjorncs */ public class IdentityDocumentGenerator { @@ -47,10 +51,10 @@ public class IdentityDocumentGenerator { this.keyProvider = keyProvider; } - public SignedIdentityDocument generateSignedIdentityDocument(String hostname) { + public SignedIdentityDocument generateSignedIdentityDocument(String hostname, IdentityType identityType) { Node node = nodeRepository.getNode(hostname).orElseThrow(() -> new RuntimeException("Unable to find node " + hostname)); try { - IdentityDocument identityDocument = generateIdDocument(node); + IdentityDocument identityDocument = generateIdDocument(node, identityType); String identityDocumentString = Utils.getMapper().writeValueAsString(EntityBindingsMapper.toIdentityDocumentEntity(identityDocument)); String encodedIdentityDocument = @@ -70,13 +74,18 @@ public class IdentityDocumentGenerator { toZoneDnsSuffix(zone, zoneConfig.certDnsSuffix()), new AthenzService(zoneConfig.domain(), zoneConfig.serviceName()), URI.create(zoneConfig.ztsUrl()), - SignedIdentityDocument.DEFAULT_DOCUMENT_VERSION); + SignedIdentityDocument.DEFAULT_DOCUMENT_VERSION, + identityDocument.configServerHostname(), + identityDocument.instanceHostname(), + identityDocument.createdAt(), + identityDocument.ipAddresses(), + identityType); } catch (Exception e) { throw new RuntimeException("Exception generating identity document: " + e.getMessage(), e); } } - private IdentityDocument generateIdDocument(Node node) { + private IdentityDocument generateIdDocument(Node node, IdentityType identityType) { Allocation allocation = node.allocation().orElseThrow(() -> new RuntimeException("No allocation for node " + node.hostname())); VespaUniqueInstanceId providerUniqueId = new VespaUniqueInstanceId( allocation.membership().index(), @@ -85,17 +94,10 @@ public class IdentityDocumentGenerator { allocation.owner().application().value(), allocation.owner().tenant().value(), zone.region().value(), - zone.environment().value()); + zone.environment().value(), + identityType); - // TODO: Hack to allow access from docker containers to non-ipv6 services. - // Remove when yca-bridge is no longer needed Set<String> ips = new HashSet<>(node.ipAddresses()); - if(node.parentHostname().isPresent()) { - String parentHostName = node.parentHostname().get(); - nodeRepository.getNode(parentHostName) - .map(Node::ipAddresses) - .ifPresent(ips::addAll); - } return new IdentityDocument( providerUniqueId, HostName.getLocalhost(), diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentResource.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentResource.java index 93668006e26..219e12c7223 100644 --- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentResource.java +++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentResource.java @@ -6,6 +6,7 @@ import com.yahoo.container.jaxrs.annotation.Component; import com.yahoo.jdisc.http.servlet.ServletRequest; import com.yahoo.log.LogLevel; import com.yahoo.vespa.athenz.identityprovider.api.EntityBindingsMapper; +import com.yahoo.vespa.athenz.identityprovider.api.IdentityType; import com.yahoo.vespa.athenz.identityprovider.api.bindings.IdentityDocumentApi; import com.yahoo.vespa.athenz.identityprovider.api.bindings.SignedIdentityDocumentEntity; import com.yahoo.vespa.hosted.provision.restapi.v2.filter.NodePrincipal; @@ -18,7 +19,6 @@ import javax.ws.rs.InternalServerErrorException; import javax.ws.rs.Path; import javax.ws.rs.PathParam; import javax.ws.rs.Produces; -import javax.ws.rs.QueryParam; import javax.ws.rs.core.Context; import javax.ws.rs.core.MediaType; import java.util.logging.Logger; @@ -41,15 +41,7 @@ public class IdentityDocumentResource implements IdentityDocumentApi { this.request = request; } - /** - * @deprecated Use {@link #getNodeIdentityDocument(String)} and {@link #getTenantIdentityDocument(String)} instead. - */ - @GET - @Produces(MediaType.APPLICATION_JSON) - @Deprecated - @Override - // TODO Make this method private when the rest api is not longer in use - public SignedIdentityDocumentEntity getIdentityDocument(@QueryParam("hostname") String hostname) { + private SignedIdentityDocumentEntity getIdentityDocument(String hostname, IdentityType identityType) { if (hostname == null) { throw new BadRequestException("The 'hostname' query parameter is missing"); } @@ -67,7 +59,7 @@ public class IdentityDocumentResource implements IdentityDocumentApi { throw new ForbiddenException(); } try { - return EntityBindingsMapper.toSignedIdentityDocumentEntity(identityDocumentGenerator.generateSignedIdentityDocument(hostname)); + return EntityBindingsMapper.toSignedIdentityDocumentEntity(identityDocumentGenerator.generateSignedIdentityDocument(hostname, identityType)); } catch (Exception e) { String message = String.format("Unable to generate identity doument for '%s': %s", hostname, e.getMessage()); log.log(LogLevel.ERROR, message, e); @@ -80,7 +72,7 @@ public class IdentityDocumentResource implements IdentityDocumentApi { @Path("/node/{host}") @Override public SignedIdentityDocumentEntity getNodeIdentityDocument(@PathParam("host") String host) { - return getIdentityDocument(host); + return getIdentityDocument(host, IdentityType.NODE); } @GET @@ -88,7 +80,7 @@ public class IdentityDocumentResource implements IdentityDocumentApi { @Path("/tenant/{host}") @Override public SignedIdentityDocumentEntity getTenantIdentityDocument(@PathParam("host") String host) { - return getIdentityDocument(host); + return getIdentityDocument(host, IdentityType.TENANT); } } diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidator.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidator.java index e457df37946..0201c46b253 100644 --- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidator.java +++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidator.java @@ -82,6 +82,7 @@ public class InstanceValidator { } // If/when we dont care about logging exactly whats wrong, this can be simplified + // TODO Use identity type to determine if this check should be performed boolean isSameIdentityAsInServicesXml(ApplicationId applicationId, String domain, String service) { Optional<ApplicationInfo> applicationInfo = superModelProvider.getSuperModel().getApplicationInfo(applicationId); diff --git a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGeneratorTest.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGeneratorTest.java index d7b061ca2f1..078ef1b7e39 100644 --- a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGeneratorTest.java +++ b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGeneratorTest.java @@ -15,6 +15,7 @@ import com.yahoo.config.provision.SystemName; import com.yahoo.config.provision.TenantName; import com.yahoo.config.provision.Zone; import com.yahoo.vespa.athenz.identityprovider.api.EntityBindingsMapper; +import com.yahoo.vespa.athenz.identityprovider.api.IdentityType; import com.yahoo.vespa.athenz.identityprovider.api.SignedIdentityDocument; import com.yahoo.vespa.athenz.identityprovider.api.VespaUniqueInstanceId; import com.yahoo.vespa.athenz.identityprovider.api.bindings.SignedIdentityDocumentEntity; @@ -81,7 +82,7 @@ public class IdentityDocumentGeneratorTest { AthenzProviderServiceConfig config = getAthenzProviderConfig("domain", "service", dnsSuffix, ZONE); IdentityDocumentGenerator identityDocumentGenerator = new IdentityDocumentGenerator(config, nodeRepository, ZONE, keyProvider); - SignedIdentityDocument signedIdentityDocument = identityDocumentGenerator.generateSignedIdentityDocument(containerHostname); + SignedIdentityDocument signedIdentityDocument = identityDocumentGenerator.generateSignedIdentityDocument(containerHostname, IdentityType.TENANT); // Verify attributes assertEquals(containerHostname, signedIdentityDocument.identityDocument().instanceHostname()); @@ -92,11 +93,11 @@ public class IdentityDocumentGeneratorTest { assertEquals(expectedZoneDnsSuffix, signedIdentityDocument.dnsSuffix()); VespaUniqueInstanceId expectedProviderUniqueId = - new VespaUniqueInstanceId(0, "default", "default", "application", "tenant", region, environment); + new VespaUniqueInstanceId(0, "default", "default", "application", "tenant", region, environment, IdentityType.TENANT); assertEquals(expectedProviderUniqueId, signedIdentityDocument.providerUniqueId()); - // Validate that both parent and container ips are present - assertThat(signedIdentityDocument.identityDocument().ipAddresses(), Matchers.containsInAnyOrder("127.0.0.1", "::1")); + // Validate that container ips are present + assertThat(signedIdentityDocument.identityDocument().ipAddresses(), Matchers.containsInAnyOrder("::1")); SignedIdentityDocumentEntity signedIdentityDocumentEntity = EntityBindingsMapper.toSignedIdentityDocumentEntity(signedIdentityDocument); diff --git a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidatorTest.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidatorTest.java index 54786c86cd3..54411b424eb 100644 --- a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidatorTest.java +++ b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidatorTest.java @@ -143,7 +143,12 @@ public class InstanceValidatorTest { "dnssuffix", "service", URI.create("http://localhost/zts"), - 1)); + 1, + identityDocument.configServerHostname, + identityDocument.instanceHostname, + identityDocument.createdAt, + identityDocument.ipAddresses, + null)); // TODO Remove support for legacy representation without type } catch (Exception e) { throw new RuntimeException(e); } |