authorMorten Tokle <mortent@verizonmedia.com>2021-04-09 08:09:12 +0200
committerMorten Tokle <mortent@verizonmedia.com>2021-04-09 08:47:16 +0200
commitb3e8953bc5a8396b76613d1b8dbcd504262658f8 (patch)
treea659eb3f6228cd3da645f0c87883866909417dfd /athenz-identity-provider-service
parent50ba6295c808cf9cbe0e0a02daa96fb0ed16105f (diff)
Validate ips on register
Diffstat (limited to 'athenz-identity-provider-service')
-rw-r--r--athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/InstanceValidator.java8
-rw-r--r--athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/InstanceValidatorTest.java49
2 files changed, 44 insertions, 13 deletions
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/InstanceValidator.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/InstanceValidator.java
index 3dcb5a13d6d..816da5d095d 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/InstanceValidator.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/InstanceValidator.java
@@ -87,11 +87,15 @@ public class InstanceValidator {
log.log(Level.FINE, () -> String.format("Validating instance %s.", providerUniqueId));
PublicKey publicKey = keyProvider.getPublicKey(signedIdentityDocument.signingKeyVersion());
- if (signer.hasValidSignature(signedIdentityDocument, publicKey)) {
+ if (! signer.hasValidSignature(signedIdentityDocument, publicKey)) {
+ log.log(Level.SEVERE, () -> String.format("Instance %s has invalid signature.", providerUniqueId));
+ return false;
+ }
+
+ if(validateAttributes(instanceConfirmation, providerUniqueId)) {
log.log(Level.FINE, () -> String.format("Instance %s is valid.", providerUniqueId));
return true;
}
- log.log(Level.SEVERE, () -> String.format("Instance %s has invalid signature.", providerUniqueId));
return false;
}
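Review bot: The attribute-validation failure path at the end of this hunk returns false without any log entry, whereas the signature failure just above it logs at SEVERE; if validateAttributes does not log the reason itself (its body is outside this hunk), a registration rejected for an IP mismatch leaves no trace in the log. Consider adding `log.log(Level.SEVERE, () -> String.format("Instance %s has invalid attributes.", providerUniqueId));` immediately before the final `return false;`. As a point of style, `if(validateAttributes(instanceConfirmation, providerUniqueId))` is missing the space after `if` that the other conditionals in this method use. The enclosing method isValidInstance starts before this hunk.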
diff --git a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/InstanceValidatorTest.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/InstanceValidatorTest.java
index cde63c6a0cb..9e6e10fbf6d 100644
--- a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/InstanceValidatorTest.java
+++ b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/InstanceValidatorTest.java
@@ -102,7 +102,7 @@ public class InstanceValidatorTest {
mockApplicationInfo(applicationId, 5, Collections.singletonList(serviceInfo)));
IdentityDocumentSigner signer = mock(IdentityDocumentSigner.class);
when(signer.hasValidSignature(any(), any())).thenReturn(true);
- InstanceValidator instanceValidator = new InstanceValidator(mock(KeyProvider.class), superModelProvider, null, signer, vespaTenantDomain);
+ InstanceValidator instanceValidator = new InstanceValidator(mock(KeyProvider.class), superModelProvider, mockNodeRepo(), signer, vespaTenantDomain);
assertTrue(instanceValidator.isValidInstance(createRegisterInstanceConfirmation(applicationId, domain, service)));
}
@@ -118,6 +118,22 @@ public class InstanceValidatorTest {
}
@Test
+ public void rejects_unknown_ips_in_csr() {
+ NodeRepository nodeRepository = mockNodeRepo();
+ InstanceValidator instanceValidator = new InstanceValidator(null, mockSuperModelProvider(), nodeRepository, null, vespaTenantDomain);
+ InstanceConfirmation instanceConfirmation = createRegisterInstanceConfirmation(applicationId, domain, service);
+ Set<String> nodeIp = nodeRepository.nodes().list().owner(applicationId).stream().findFirst()
+ .map(Node::ipConfig)
+ .map(IP.Config::primary)
+ .orElseThrow(() -> new RuntimeException("No ipaddress for mocked node"));
+
+ List<String> ips = new ArrayList<>(nodeIp);
+ ips.add("::ff");
+ instanceConfirmation.set("sanIP", String.join(",", ips));
+ assertFalse(instanceValidator.isValidInstance(instanceConfirmation));
+ }
+
+ @Test
public void accepts_valid_refresh_requests() {
NodeRepository nodeRepository = mock(NodeRepository.class);
Nodes nodes = mock(Nodes.class);
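Review bot: The new test rejects_unknown_ips_in_csr constructs the validator with a null KeyProvider and a null signer, so the assertFalse cannot be attributed to the unknown IP: isValidInstance (first hunk) dereferences keyProvider and signer before it reaches validateAttributes, and unless an earlier check short-circuits, the test would fail on a NullPointerException or reject for an unrelated reason. A negative test should make everything else pass, as the test at the top of the file does with `when(signer.hasValidSignature(any(), any())).thenReturn(true);`, and then construct `new InstanceValidator(mock(KeyProvider.class), mockSuperModelProvider(), nodeRepository, signer, vespaTenantDomain)` so the only failing condition is the extra `::ff` address. The same set-up would also let a companion positive case assert that the node's own IPs alone are accepted.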
@@ -136,20 +152,18 @@ public class InstanceValidatorTest {
@Test
public void rejects_refresh_on_ip_mismatch() {
- NodeRepository nodeRepository = mock(NodeRepository.class);
- Nodes nodes = mock(Nodes.class);
- when(nodeRepository.nodes()).thenReturn(nodes);
-
+ NodeRepository nodeRepository = mockNodeRepo();
InstanceValidator instanceValidator = new InstanceValidator(null, null, nodeRepository, new IdentityDocumentSigner(), vespaTenantDomain);
- List<Node> nodeList = createNodes(10);
- Node node = nodeList.get(0);
- nodeList = allocateNode(nodeList, node, applicationId);
- when(nodes.list()).thenReturn(NodeList.copyOf(nodeList));
- String nodeIp = node.ipConfig().primary().stream().findAny().orElseThrow(() -> new RuntimeException("No ipaddress for mocked node"));
+ Set<String> nodeIp = nodeRepository.nodes().list().owner(applicationId).stream().findFirst()
+ .map(Node::ipConfig)
+ .map(IP.Config::primary)
+ .orElseThrow(() -> new RuntimeException("No ipaddress for mocked node"));
+ List<String> ips = new ArrayList<>(nodeIp);
+ ips.add("::ff");
// Add invalid ip to list of ip addresses
- InstanceConfirmation instanceConfirmation = createRefreshInstanceConfirmation(applicationId, domain, service, ImmutableList.of(nodeIp, "::ff"));
+ InstanceConfirmation instanceConfirmation = createRefreshInstanceConfirmation(applicationId, domain, service, ips);
assertFalse(instanceValidator.isValidRefresh(instanceConfirmation));
}
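Review bot: The comment `// Add invalid ip to list of ip addresses` now sits after the line it describes, since the refactor moved `ips.add("::ff");` above it; move the comment so it precedes `ips.add("::ff");`. The rest of the hunk is a faithful restructuring of the earlier mock setup into mockNodeRepo(), with the same mismatch assertion retained.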
@@ -171,6 +185,19 @@ public class InstanceValidatorTest {
}
+ private NodeRepository mockNodeRepo() {
+ NodeRepository nodeRepository = mock(NodeRepository.class);
+ Nodes nodes = mock(Nodes.class);
+ when(nodeRepository.nodes()).thenReturn(nodes);
+ InstanceValidator instanceValidator = new InstanceValidator(null, null, nodeRepository, new IdentityDocumentSigner(), vespaTenantDomain);
+
+ List<Node> nodeList = createNodes(10);
+ Node node = nodeList.get(0);
+ nodeList = allocateNode(nodeList, node, applicationId);
+ when(nodes.list()).thenReturn(NodeList.copyOf(nodeList));
+ return nodeRepository;
+ }
+
private InstanceConfirmation createRegisterInstanceConfirmation(ApplicationId applicationId, String domain, String service) {
VespaUniqueInstanceId vespaUniqueInstanceId = new VespaUniqueInstanceId(0, "default", applicationId.instance().value(), applicationId.application().value(), applicationId.tenant().value(), "us-north-1", "dev", IdentityType.NODE);
SignedIdentityDocument signedIdentityDocument = new SignedIdentityDocument(null,