authorMorten Tokle <mortent@verizonmedia.com>2019-10-02 10:29:19 +0200
committerMorten Tokle <mortent@verizonmedia.com>2019-10-02 10:52:29 +0200
commite29140ca0dbfd18a45d89e827ce425ec642fc7de (patch)
tree6ecca3a5c38095814b385e317313e2687b9b88b9 /athenz-identity-provider-service
parentf3ee650a4688c2dae2a46578ff876ff7f7b0589b (diff)
Read secret names from config
Diffstat (limited to 'athenz-identity-provider-service')
-rw-r--r--athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiHandler.java21
-rw-r--r--athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiTest.java4
-rw-r--r--athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/ContainerTester.java13
3 files changed, 22 insertions, 16 deletions
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiHandler.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiHandler.java
index 28b6c6c0939..ca1697c7bb1 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiHandler.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiHandler.java
@@ -2,8 +2,6 @@
package com.yahoo.vespa.hosted.ca.restapi;
import com.google.inject.Inject;
-import com.yahoo.config.provision.SystemName;
-import com.yahoo.config.provision.Zone;
import com.yahoo.container.jdisc.HttpRequest;
import com.yahoo.container.jdisc.HttpResponse;
import com.yahoo.container.jdisc.LoggingRequestHandler;
@@ -15,6 +13,7 @@ import com.yahoo.security.KeyUtils;
import com.yahoo.security.X509CertificateUtils;
import com.yahoo.slime.Slime;
import com.yahoo.vespa.config.SlimeUtils;
+import com.yahoo.vespa.hosted.athenz.instanceproviderservice.config.AthenzProviderServiceConfig;
import com.yahoo.vespa.hosted.ca.Certificates;
import com.yahoo.vespa.hosted.ca.instance.InstanceIdentity;
import com.yahoo.yolean.Exceptions;
@@ -42,18 +41,20 @@ public class CertificateAuthorityApiHandler extends LoggingRequestHandler {
private final SecretStore secretStore;
private final Certificates certificates;
- private final SystemName system;
+ private final String caPrivateKeySecretName;
+ private final String caCertificateSecretName;
@Inject
- public CertificateAuthorityApiHandler(Context ctx, SecretStore secretStore, Zone zone) {
- this(ctx, secretStore, new Certificates(Clock.systemUTC()), zone.system());
+ public CertificateAuthorityApiHandler(Context ctx, SecretStore secretStore, AthenzProviderServiceConfig athenzProviderServiceConfig) {
+ this(ctx, secretStore, new Certificates(Clock.systemUTC()), athenzProviderServiceConfig);
}
- CertificateAuthorityApiHandler(Context ctx, SecretStore secretStore, Certificates certificates, SystemName system) {
+ CertificateAuthorityApiHandler(Context ctx, SecretStore secretStore, Certificates certificates, AthenzProviderServiceConfig athenzProviderServiceConfig) {
super(ctx);
this.secretStore = secretStore;
this.certificates = certificates;
- this.system = system;
+ this.caPrivateKeySecretName = athenzProviderServiceConfig.secretName();
+ this.caCertificateSecretName = athenzProviderServiceConfig.domain() + ".ca.cert";
}
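Review bot: The two CA secret names are sourced asymmetrically in the last two constructor assignments — the private key name is read from `athenzProviderServiceConfig.secretName()`, while the certificate name is hard-coded as `athenzProviderServiceConfig.domain() + ".ca.cert"` — so an operator who renames one secret cannot rename the other through config. If `secretName` is also the secret the provider service uses for its own signing key (the config type is shared with it, but that is not visible here), the CA signing key would be reused for a second role, which widens the blast radius of a compromise; confirm that is intended. At minimum a `// key name comes from config, cert name is by convention (<domain>.ca.cert); keep both in sync when rotating` comment on those lines, and `Objects.requireNonNull(athenzProviderServiceConfig, "athenzProviderServiceConfig")` before dereferencing it, would make the contract explicit. The class body continues outside the hunk.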
@Override
@@ -101,14 +102,12 @@ public class CertificateAuthorityApiHandler extends LoggingRequestHandler {
/** Returns CA certificate from secret store */
private X509Certificate caCertificate() {
- var keyName = String.format("vespa.external.%s.configserver.ca.cert.cert", system.value().toLowerCase());
- return X509CertificateUtils.fromPem(secretStore.getSecret(keyName));
+ return X509CertificateUtils.fromPem(secretStore.getSecret(caCertificateSecretName));
}
/** Returns CA private key from secret store */
private PrivateKey caPrivateKey() {
- var keyName = String.format("vespa.external.%s.configserver.ca.key.key", system.value().toLowerCase());
- return KeyUtils.fromPemEncodedPrivateKey(secretStore.getSecret(keyName));
+ return KeyUtils.fromPemEncodedPrivateKey(secretStore.getSecret(caPrivateKeySecretName));
}
private static <T> T deserializeRequest(HttpRequest request, Function<Slime, T> serializer) {
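Review bot: Nothing in `caCertificate()` or `caPrivateKey()` checks that the key read under `caPrivateKeySecretName` actually belongs to the certificate read under `caCertificateSecretName`; now that the two names are configured independently, a mismatch would produce end-entity certificates that fail to chain to the published CA, and the error would surface only at clients. A sign/verify round trip against the certificate's public key when both are loaded, or at least a log line naming which secret failed to parse, would make the misconfiguration visible at the CA itself. The methods also re-fetch and re-parse the PEM on every call; whether that is acceptable depends on the SecretStore implementation, which is not shown here. Their callers lie outside the hunk.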
diff --git a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiTest.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiTest.java
index a1d708a1107..8e4605499f7 100644
--- a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiTest.java
+++ b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiTest.java
@@ -98,8 +98,8 @@ public class CertificateAuthorityApiTest extends ContainerTester {
var keyPair = KeyUtils.generateKeypair(KeyAlgorithm.EC, 256);
var caCertificatePem = X509CertificateUtils.toPem(CertificateTester.createCertificate("Vespa CA", keyPair));
var privateKeyPem = KeyUtils.toPem(keyPair.getPrivate());
- secretStore().setSecret("vespa.external.main.configserver.ca.cert.cert", caCertificatePem)
- .setSecret("vespa.external.main.configserver.ca.key.key", privateKeyPem);
+ secretStore().setSecret("vespa.external.ca.cert", caCertificatePem)
+ .setSecret("secretname", privateKeyPem);
}
private void assertIdentityResponse(Request request) {
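Review bot: The secret names on the two `setSecret` lines, `vespa.external.ca.cert` and `secretname`, are re-derived by hand from the `<domain>` and `<secretName>` values in ContainerTester's config rather than shared with it, so a change on either side fails with a generic missing-secret error instead of pointing at the divergence. Exposing the two names as package-visible constants on ContainerTester, with the certificate name computed once as `domain + ".ca.cert"`, would keep the test and the fixture in lockstep. A negative case asserting the handler's response when the key secret is absent would also pin the failure mode. The enclosing method starts outside the hunk.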
diff --git a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/ContainerTester.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/ContainerTester.java
index 2ca45cf7e56..139314b0f86 100644
--- a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/ContainerTester.java
+++ b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/ContainerTester.java
@@ -56,9 +56,16 @@ public class ContainerTester {
return "<container version='1.0'>\n" +
" <config name=\"container.handler.threadpool\">\n" +
" <maxthreads>10</maxthreads>\n" +
- " </config> \n" +
- " <component id='com.yahoo.vespa.hosted.provision.testutils.MockNodeFlavors'/>\n" +
- " <component id='com.yahoo.config.provision.Zone'/>\n" +
+ " </config>\n" +
+ " <config name='vespa.hosted.athenz.instanceproviderservice.config.athenz-provider-service'>\n" +
+ " <athenzCaTrustStore>/path/to/file</athenzCaTrustStore>\n" +
+ " <domain>vespa.external</domain>\n" +
+ " <serviceName>servicename</serviceName>\n" +
+ " <secretName>secretname</secretName>\n" +
+ " <secretVersion>0</secretVersion>\n" +
+ " <certDnsSuffix>suffix</certDnsSuffix>\n" +
+ " <ztsUrl>https://localhost:123/</ztsUrl>\n" +
+ " </config>\n" +
" <component id='com.yahoo.vespa.hosted.ca.restapi.mock.SecretStoreMock'/>\n" +
" <handler id='com.yahoo.vespa.hosted.ca.restapi.CertificateAuthorityApiHandler'>\n" +
" <binding>http://*/ca/v1/*</binding>\n" +
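Review bot: The config block sets `<secretVersion>0</secretVersion>`, but the handler hunks in this commit call `secretStore.getSecret(name)` with the name only, so the version is never consulted and a rotation cannot be pinned through this field. If the SecretStore offers a versioned lookup the handler should pass `secretVersion()`; otherwise a `// secretVersion is not read by CertificateAuthorityApiHandler` comment beside that line would avoid a false sense of pinning. `<athenzCaTrustStore>/path/to/file</athenzCaTrustStore>` is a placeholder path, which is fine for the mock but worth marking as such so it is not copied into a real config. The method building this string starts outside the hunk.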