author | Bjørn Christian Seime <bjorncs@oath.com> | 2018-07-10 11:56:18 +0200 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@oath.com> | 2018-07-10 11:58:19 +0200 |
commit | fea7749face6e52ee44dfaf879b91a22fc70c57b (patch) | |
tree | 866a9d6997f6c284cbbc4e48c20c72f1bdf22f55 /athenz-identity-provider-service | |
parent | 7e455bac266335787b6b7d534cdca0b9c5395994 (diff) |
Split registration and refresh
Validation for instance register cannot be reused as the identity
document is not part of the refresh request. Refresh is split into a
separate validation step that is currently a no-op. This is necessary
to allow certificates to be refreshed correctly.
Diffstat (limited to 'athenz-identity-provider-service')
3 files changed, 55 insertions, 1 deletions
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceConfirmationResource.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceConfirmationResource.java index 4c71cb7855d..5c93bf423d3 100644 --- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceConfirmationResource.java +++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceConfirmationResource.java @@ -16,7 +16,7 @@ import java.util.logging.Logger; /** * @author bjorncs */ -@Path("/{path: instance|refresh}") +@Path("/instance") public class InstanceConfirmationResource { private static final Logger log = Logger.getLogger(InstanceConfirmationResource.class.getName()); diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceRefreshResource.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceRefreshResource.java new file mode 100644 index 00000000000..a88bfbc15e6 --- /dev/null +++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceRefreshResource.java 
@@ -0,0 +1,43 @@
+// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.hosted.athenz.instanceproviderservice.instanceconfirmation;
+
+import com.google.inject.Inject;
+import com.yahoo.container.jaxrs.annotation.Component;
+import com.yahoo.log.LogLevel;
+
+import javax.ws.rs.Consumes;
+import javax.ws.rs.ForbiddenException;
+import javax.ws.rs.POST;
+import javax.ws.rs.Path;
+import javax.ws.rs.Produces;
+import javax.ws.rs.core.MediaType;
+import java.util.logging.Logger;
+
+/**
+ * ZTS calls this resource when it's requested to refresh an instance certificate
+ *
+ * @author bjorncs
+ */
+@Path("/refresh")
+public class InstanceRefreshResource {
+
+ private static final Logger log = Logger.getLogger(InstanceRefreshResource.class.getName());
+
+ private final InstanceValidator instanceValidator;
+
+ @Inject
+ public InstanceRefreshResource(@Component InstanceValidator instanceValidator) {
+ this.instanceValidator = instanceValidator;
+ }
+
+ @POST
+ @Consumes(MediaType.APPLICATION_JSON)
+ @Produces(MediaType.APPLICATION_JSON)
+ public InstanceConfirmation confirmInstanceRefresh(InstanceConfirmation instanceConfirmation) {
+ if (!instanceValidator.isValidRefresh(instanceConfirmation)) {
+ log.log(LogLevel.ERROR, "Invalid instance refresh: " + instanceConfirmation);
+ throw new ForbiddenException("Instance is invalid");
+ }
+ return instanceConfirmation;
+ }
+}
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidator.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidator.java
index b75f7d05394..dcaf50c1c04 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidator.java
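Review bot: `confirmInstanceRefresh` passes the deserialized body straight to `isValidRefresh` with no null check, so a POST with an empty body would presumably end in a NullPointerException (HTTP 500) rather than the intended 403. Consider `if (instanceConfirmation == null || !instanceValidator.isValidRefresh(instanceConfirmation)) {` so malformed input always takes the rejection path. The ERROR line also concatenates the whole request-controlled object into the log; logging only the fields needed for triage (domain, service, provider) would limit what a caller can write there.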
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidator.java @@ -61,6 +61,17 @@ public class InstanceValidator { return false; } + // TODO Add actual validation. Cannot reuse isValidInstance as identity document is not part of the refresh request. + // We'll have to perform some validation on the instance id and other fields of the attribute map. + // Separate between tenant and node certificate as well. + public boolean isValidRefresh(InstanceConfirmation confirmation) { + log.log(LogLevel.INFO, () -> String.format("Accepting refresh for instance with identity '%s', provider '%s', instanceId '%s'.", + new AthenzService(confirmation.domain, confirmation.service).getFullName(), + confirmation.provider, + confirmation.attributes.get("sanDNS").toString())); + return true; + } + // If/when we dont care about logging exactly whats wrong, this can be simplified // TODO Use identity type to determine if this check should be performed boolean isSameIdentityAsInServicesXml(ApplicationId applicationId, String domain, String service) { |
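Review bot: `isValidRefresh` returns `true` unconditionally, so until the TODO is resolved `/refresh` fails open: every confirmation that reaches it is approved, and the only gate is whatever authenticates the caller outside this hunk. The log supplier also dereferences `confirmation.attributes.get("sanDNS").toString()`, which throws a NullPointerException when `attributes` is null or has no `sanDNS` entry, and only when INFO logging is enabled. As an interim guard, add `if (confirmation.attributes == null || confirmation.attributes.get("sanDNS") == null) return false;` before the log call so such requests get the 403 instead of a 500. These values are request-supplied and are formatted into the log as-is, and the message labels the `sanDNS` attribute as `instanceId`; confirm that is intended.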