authorBjørn Christian Seime <bjorncs@oath.com>2018-07-10 11:56:18 +0200
committerBjørn Christian Seime <bjorncs@oath.com>2018-07-10 11:58:19 +0200
commitfea7749face6e52ee44dfaf879b91a22fc70c57b (patch)
tree866a9d6997f6c284cbbc4e48c20c72f1bdf22f55 /athenz-identity-provider-service
parent7e455bac266335787b6b7d534cdca0b9c5395994 (diff)
Split registration and refresh
Validation for instance register cannot be reused as the identity document is not part of the refresh request. Refresh is split into a separate validation step that is currently a no-op. This is necessary to allow certificates to be refreshed correctly.
Diffstat (limited to 'athenz-identity-provider-service')
-rw-r--r--athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceConfirmationResource.java2
-rw-r--r--athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceRefreshResource.java43
-rw-r--r--athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidator.java11
3 files changed, 55 insertions, 1 deletions
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceConfirmationResource.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceConfirmationResource.java
index 4c71cb7855d..5c93bf423d3 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceConfirmationResource.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceConfirmationResource.java
@@ -16,7 +16,7 @@ import java.util.logging.Logger;
/**
* @author bjorncs
*/
-@Path("/{path: instance|refresh}")
+@Path("/instance")
public class InstanceConfirmationResource {
private static final Logger log = Logger.getLogger(InstanceConfirmationResource.class.getName());
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceRefreshResource.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceRefreshResource.java
new file mode 100644
index 00000000000..a88bfbc15e6
--- /dev/null
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceRefreshResource.java
@@ -0,0 +1,43 @@
+// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.hosted.athenz.instanceproviderservice.instanceconfirmation;
+
+import com.google.inject.Inject;
+import com.yahoo.container.jaxrs.annotation.Component;
+import com.yahoo.log.LogLevel;
+
+import javax.ws.rs.Consumes;
+import javax.ws.rs.ForbiddenException;
+import javax.ws.rs.POST;
+import javax.ws.rs.Path;
+import javax.ws.rs.Produces;
+import javax.ws.rs.core.MediaType;
+import java.util.logging.Logger;
+
+/**
+ * ZTS calls this resource when it's requested to refresh an instance certificate
+ *
+ * @author bjorncs
+ */
+@Path("/refresh")
+public class InstanceRefreshResource {
+
+ private static final Logger log = Logger.getLogger(InstanceRefreshResource.class.getName());
+
+ private final InstanceValidator instanceValidator;
+
+ @Inject
+ public InstanceRefreshResource(@Component InstanceValidator instanceValidator) {
+ this.instanceValidator = instanceValidator;
+ }
+
+ @POST
+ @Consumes(MediaType.APPLICATION_JSON)
+ @Produces(MediaType.APPLICATION_JSON)
+ public InstanceConfirmation confirmInstanceRefresh(InstanceConfirmation instanceConfirmation) {
+ if (!instanceValidator.isValidRefresh(instanceConfirmation)) {
+ log.log(LogLevel.ERROR, "Invalid instance refresh: " + instanceConfirmation);
+ throw new ForbiddenException("Instance is invalid");
+ }
+ return instanceConfirmation;
+ }
+}
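Review bot: The rejection path in `confirmInstanceRefresh` writes the whole request object to the ERROR log by string concatenation (`"Invalid instance refresh: " + instanceConfirmation`), so whatever `InstanceConfirmation.toString()` prints, including request-supplied attribute values, ends up in the log verbatim. That class is not visible in this diff, so either confirm its `toString()` emits nothing sensitive or newline-bearing, or log only selected fields such as `instanceConfirmation.provider`, `.domain` and `.service`. The body is also passed to the validator without a null check, so an empty POST body would presumably surface as a 500 rather than a clean rejection; a guard such as `if (instanceConfirmation == null) throw new BadRequestException("Missing request body");` makes the failure explicit.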
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidator.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidator.java
index b75f7d05394..dcaf50c1c04 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidator.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidator.java
@@ -61,6 +61,17 @@ public class InstanceValidator {
return false;
}
+ // TODO Add actual validation. Cannot reuse isValidInstance as identity document is not part of the refresh request.
+ // We'll have to perform some validation on the instance id and other fields of the attribute map.
+ // Separate between tenant and node certificate as well.
+ public boolean isValidRefresh(InstanceConfirmation confirmation) {
+ log.log(LogLevel.INFO, () -> String.format("Accepting refresh for instance with identity '%s', provider '%s', instanceId '%s'.",
+ new AthenzService(confirmation.domain, confirmation.service).getFullName(),
+ confirmation.provider,
+ confirmation.attributes.get("sanDNS").toString()));
+ return true;
+ }
+
// If/when we dont care about logging exactly whats wrong, this can be simplified
// TODO Use identity type to determine if this check should be performed
boolean isSameIdentityAsInServicesXml(ApplicationId applicationId, String domain, String service) {
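Review bot: `isValidRefresh` returns `true` unconditionally, so until the TODO is resolved the provider confirms every refresh that reaches `/refresh`, and the only barrier is whatever authenticates the caller in front of this resource, which is not visible in this diff. Even as a placeholder it should fail closed on malformed input: `confirmation.attributes.get("sanDNS").toString()` throws a NullPointerException when `attributes` is null or has no `sanDNS` entry (whenever INFO is enabled), turning a bad request into a 500 instead of a decision. Something like `Object sanDns = confirmation.attributes == null ? null : confirmation.attributes.get("sanDNS");` followed by `if (sanDns == null) return false;` ahead of the log call would cover that. The message also labels the `sanDNS` value as `instanceId`, which will mislead anyone correlating these "Accepting refresh" entries during an investigation; rename the label or log the actual instance id. The rest of `InstanceValidator`, including the `log` field, lies outside this hunk.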