author | Bjørn Christian Seime <bjorncs@oath.com> | 2018-01-16 16:14:26 +0100 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@oath.com> | 2018-01-17 12:35:44 +0100 |
commit | 96f5cb0fe8b72b5c322f6d8b022a51ec4ef8788d (patch) | |
tree | b4b46d136f92b9832788ac414de5cc38317dea85 /controller-api | |
parent | ac0e0340fd7989ae4410aaf7e33eb2e1e848a88b (diff) |
Move Athenz types from controller-api to vespa-athenz
Diffstat (limited to 'controller-api')
20 files changed, 39 insertions, 639 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzClientFactory.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzClientFactory.java index a2a16d10cdb..72e7c758070 100644 --- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzClientFactory.java +++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzClientFactory.java @@ -1,6 +1,8 @@ // Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. package com.yahoo.vespa.hosted.controller.api.integration.athenz; +import com.yahoo.vespa.athenz.api.NToken; + /** * @author bjorncs */ diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzIdentity.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzIdentity.java deleted file mode 100644 index 747eb439ef5..00000000000 --- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzIdentity.java +++ /dev/null @@ -1,16 +0,0 @@ -// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.vespa.hosted.controller.api.integration.athenz; - - -import com.yahoo.vespa.athenz.api.AthenzDomain; - -/** - * @author bjorncs - */ -public interface AthenzIdentity { - AthenzDomain getDomain(); - String getName(); - default String getFullName() { - return getDomain().getName() + "." + getName(); - } -} diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzIdentityCertificate.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzIdentityCertificate.java deleted file mode 100644 index d53817c09e4..00000000000 
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzIdentityCertificate.java +++ /dev/null @@ -1,27 +0,0 @@ -// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.vespa.hosted.controller.api.integration.athenz; - -import java.security.PrivateKey; -import java.security.cert.X509Certificate; - -/** - * @author bjorncs - */ -public class AthenzIdentityCertificate { - - private final X509Certificate certificate; - private final PrivateKey privateKey; - - public AthenzIdentityCertificate(X509Certificate certificate, PrivateKey privateKey) { - this.certificate = certificate; - this.privateKey = privateKey; - } - - public X509Certificate getCertificate() { - return certificate; - } - - public PrivateKey getPrivateKey() { - return privateKey; - } -} diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzIdentityVerifier.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzIdentityVerifier.java deleted file mode 100644 index 6f8ebc4c5db..00000000000 --- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzIdentityVerifier.java +++ /dev/null 
@@ -1,44 +0,0 @@ -// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.vespa.hosted.controller.api.integration.athenz; - -import javax.net.ssl.HostnameVerifier; -import javax.net.ssl.SSLPeerUnverifiedException; -import javax.net.ssl.SSLSession; -import java.security.cert.X509Certificate; -import java.util.Set; -import java.util.logging.Level; -import java.util.logging.Logger; - -/** - * A {@link HostnameVerifier} that validates Athenz x509 certificates using the identity in the Common Name attribute. - * - * @author bjorncs - */ -// TODO Move to dedicated Athenz bundle -public class AthenzIdentityVerifier implements HostnameVerifier { - - private static final Logger log = Logger.getLogger(AthenzIdentityVerifier.class.getName()); - - private final Set<AthenzIdentity> allowedIdentities; - - public AthenzIdentityVerifier(Set<AthenzIdentity> allowedIdentities) { - this.allowedIdentities = allowedIdentities; - } - - @Override - public boolean verify(String hostname, SSLSession session) { - try { - X509Certificate cert = (X509Certificate) session.getPeerCertificates()[0]; - return isTrusted(AthenzUtils.createAthenzIdentity(cert)); - } catch (SSLPeerUnverifiedException e) { - log.log(Level.WARNING, "Unverified client: " + hostname); - return false; - } - } - - public boolean isTrusted(AthenzIdentity identity) { - return allowedIdentities.contains(identity); - } - -} - diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzPrincipal.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzPrincipal.java deleted file mode 100644 index b24efccd61c..00000000000 --- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzPrincipal.java +++ /dev/null 
@@ -1,64 +0,0 @@ -// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.vespa.hosted.controller.api.integration.athenz; - -import com.yahoo.vespa.athenz.api.AthenzDomain; - -import java.security.Principal; -import java.util.Objects; -import java.util.Optional; - -/** - * @author bjorncs - */ -public class AthenzPrincipal implements Principal { - - private final AthenzIdentity athenzIdentity; - private final NToken nToken; - - public AthenzPrincipal(AthenzIdentity athenzIdentity) { - this(athenzIdentity, null); - } - - public AthenzPrincipal(AthenzIdentity athenzIdentity, - NToken nToken) { - this.athenzIdentity = athenzIdentity; - this.nToken = nToken; - } - - public AthenzIdentity getIdentity() { - return athenzIdentity; - } - - @Override - public String getName() { - return athenzIdentity.getFullName(); - } - - public AthenzDomain getDomain() { - return athenzIdentity.getDomain(); - } - - public Optional<NToken> getNToken() { - return Optional.ofNullable(nToken); - } - - @Override - public String toString() { - return "AthenzPrincipal{" + - "athenzIdentity=" + athenzIdentity + - '}'; - } - - @Override - public boolean equals(Object o) { - if (this == o) return true; - if (o == null || getClass() != o.getClass()) return false; - AthenzPrincipal principal = (AthenzPrincipal) o; - return Objects.equals(athenzIdentity, principal.athenzIdentity); - } - - @Override - public int hashCode() { - return Objects.hash(athenzIdentity); - } -} diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzPublicKey.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzPublicKey.java deleted file mode 100644 index c7f370dd4e3..00000000000 --- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzPublicKey.java +++ /dev/null 
@@ -1,49 +0,0 @@ -// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.vespa.hosted.controller.api.integration.athenz; - -import java.security.PublicKey; -import java.util.Objects; - -/** - * @author bjorncs - */ -public class AthenzPublicKey { - - private final PublicKey publicKey; - private final String keyId; - - public AthenzPublicKey(PublicKey publicKey, String keyId) { - this.publicKey = publicKey; - this.keyId = keyId; - } - - public PublicKey getPublicKey() { - return publicKey; - } - - public String getKeyId() { - return keyId; - } - - @Override - public boolean equals(Object o) { - if (this == o) return true; - if (o == null || getClass() != o.getClass()) return false; - AthenzPublicKey that = (AthenzPublicKey) o; - return Objects.equals(publicKey, that.publicKey) && - Objects.equals(keyId, that.keyId); - } - - @Override - public int hashCode() { - return Objects.hash(publicKey, keyId); - } - - @Override - public String toString() { - return "AthenzPublicKey{" + - "publicKey=" + publicKey + - ", keyId='" + keyId + '\'' + - '}'; - } -} diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzRoleCertificate.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzRoleCertificate.java deleted file mode 100644 index 80548cccd89..00000000000 --- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzRoleCertificate.java +++ /dev/null 
@@ -1,27 +0,0 @@ -// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.vespa.hosted.controller.api.integration.athenz; - -import java.security.PrivateKey; -import java.security.cert.X509Certificate; - -/** - * @author bjorncs - */ -public class AthenzRoleCertificate { - - private final X509Certificate certificate; - private final PrivateKey privateKey; - - public AthenzRoleCertificate(X509Certificate certificate, PrivateKey privateKey) { - this.certificate = certificate; - this.privateKey = privateKey; - } - - public X509Certificate getCertificate() { - return certificate; - } - - public PrivateKey getPrivateKey() { - return privateKey; - } -} diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzService.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzService.java deleted file mode 100644 index 8d5d1c23882..00000000000 --- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzService.java +++ /dev/null 
@@ -1,58 +0,0 @@ -// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.vespa.hosted.controller.api.integration.athenz; - -import com.yahoo.vespa.athenz.api.AthenzDomain; -import com.yahoo.vespa.hosted.controller.api.identifiers.ScrewdriverId; - -import java.util.Objects; - -/** - * @author bjorncs - */ -public class AthenzService implements AthenzIdentity { - - private final AthenzDomain domain; - private final String serviceName; - - public AthenzService(AthenzDomain domain, String serviceName) { - this.domain = domain; - this.serviceName = serviceName; - } - - public AthenzService(String domain, String serviceName) { - this(new AthenzDomain(domain), serviceName); - } - - public static AthenzService fromScrewdriverId(ScrewdriverId screwdriverId) { - return new AthenzService(AthenzUtils.SCREWDRIVER_DOMAIN, "sd" + screwdriverId.id()); - } - - @Override - public AthenzDomain getDomain() { - return domain; - } - - @Override - public String getName() { - return serviceName; - } - - @Override - public boolean equals(Object o) { - if (this == o) return true; - if (o == null || getClass() != o.getClass()) return false; - AthenzService that = (AthenzService) o; - return Objects.equals(domain, that.domain) && - Objects.equals(serviceName, that.serviceName); - } - - @Override - public int hashCode() { - return Objects.hash(domain, serviceName); - } - - @Override - public String toString() { - return String.format("AthenzService(%s)", getFullName()); - } -} diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzUser.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzUser.java deleted file mode 100644 index 91d17fcc84a..00000000000 --- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzUser.java +++ /dev/null 
@@ -1,56 +0,0 @@ -// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.vespa.hosted.controller.api.integration.athenz; - -import com.yahoo.vespa.athenz.api.AthenzDomain; -import com.yahoo.vespa.hosted.controller.api.identifiers.UserId; - -import java.util.Objects; - -/** - * @author bjorncs - */ -public class AthenzUser implements AthenzIdentity { - private final UserId userId; - - public AthenzUser(UserId userId) { - this.userId = userId; - } - - public static AthenzUser fromUserId(UserId userId) { - return new AthenzUser(userId); - } - - @Override - public AthenzDomain getDomain() { - return AthenzUtils.USER_PRINCIPAL_DOMAIN; - } - - @Override - public String getName() { - return userId.id(); - } - - public UserId getUserId() { - return userId; - } - - @Override - public String toString() { - return "AthenzUser{" + - "userId=" + userId + - '}'; - } - - @Override - public boolean equals(Object o) { - if (this == o) return true; - if (o == null || getClass() != o.getClass()) return false; - AthenzUser that = (AthenzUser) o; - return Objects.equals(userId, that.userId); - } - - @Override - public int hashCode() { - return Objects.hash(userId); - } -} diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzUtils.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzUtils.java deleted file mode 100644 index 6984e7da57b..00000000000 --- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzUtils.java +++ /dev/null 
@@ -1,66 +0,0 @@ -// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.vespa.hosted.controller.api.integration.athenz; - -import com.yahoo.vespa.athenz.api.AthenzDomain; -import com.yahoo.vespa.hosted.controller.api.identifiers.UserId; - -import javax.naming.NamingException; -import javax.naming.ldap.LdapName; -import java.security.cert.X509Certificate; - -/** - * @author bjorncs - */ -public class AthenzUtils { - - private AthenzUtils() {} - - public static final AthenzDomain USER_PRINCIPAL_DOMAIN = new AthenzDomain("user"); - public static final AthenzDomain SCREWDRIVER_DOMAIN = new AthenzDomain("cd.screwdriver.project"); - public static final AthenzService ZMS_ATHENZ_SERVICE = new AthenzService("sys.auth", "zms"); - - public static AthenzIdentity createAthenzIdentity(AthenzDomain domain, String identityName) { - if (domain.equals(USER_PRINCIPAL_DOMAIN)) { - return AthenzUser.fromUserId(new UserId(identityName)); - } else { - return new AthenzService(domain, identityName); - } - } - - public static AthenzIdentity createAthenzIdentity(String fullName) { - int domainIdentityNameSeparatorIndex = fullName.lastIndexOf('.'); - if (domainIdentityNameSeparatorIndex == -1 - || domainIdentityNameSeparatorIndex == 0 - || domainIdentityNameSeparatorIndex == fullName.length() - 1) { - throw new IllegalArgumentException("Invalid Athenz identity: " + fullName); - } - AthenzDomain domain = new AthenzDomain(fullName.substring(0, domainIdentityNameSeparatorIndex)); - String identityName = fullName.substring(domainIdentityNameSeparatorIndex + 1, fullName.length()); - return createAthenzIdentity(domain, identityName); - } - - public static AthenzIdentity createAthenzIdentity(X509Certificate certificate) { - String commonName = getCommonName(certificate); - if (isAthenzRoleIdentity(commonName)) { - throw new IllegalArgumentException("Athenz role certificate not supported"); - } - return 
createAthenzIdentity(commonName); - } - - private static boolean isAthenzRoleIdentity(String commonName) { - return commonName.contains(":role."); - } - - private static String getCommonName(X509Certificate certificate) { - try { - String subjectPrincipal = certificate.getSubjectX500Principal().getName(); - return new LdapName(subjectPrincipal).getRdns().stream() - .filter(rdn -> rdn.getType().equalsIgnoreCase("cn")) - .map(rdn -> rdn.getValue().toString()) - .findFirst() - .orElseThrow(() -> new IllegalArgumentException("Could not find CN in certificate: " + subjectPrincipal)); - } catch (NamingException e) { - throw new IllegalArgumentException("Invalid CN: " + e, e); - } - } -} diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/HostedAthenzIdentities.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/HostedAthenzIdentities.java new file mode 100644 index 00000000000..bd385034a90 --- /dev/null +++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/HostedAthenzIdentities.java 
@@ -0,0 +1,27 @@
+// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.hosted.controller.api.integration.athenz;
+
+import com.yahoo.vespa.athenz.api.AthenzDomain;
+import com.yahoo.vespa.athenz.api.AthenzService;
+import com.yahoo.vespa.athenz.api.AthenzUser;
+import com.yahoo.vespa.hosted.controller.api.identifiers.ScrewdriverId;
+import com.yahoo.vespa.hosted.controller.api.identifiers.UserId;
+
+/**
+ * @author bjorncs
+ */
+public class HostedAthenzIdentities {
+
+ public static final AthenzDomain SCREWDRIVER_DOMAIN = new AthenzDomain("cd.screwdriver.project");
+
+ private HostedAthenzIdentities() {}
+
+ public static AthenzUser from(UserId userId) {
+ return AthenzUser.fromUserId(userId.id());
+ }
+
+ public static AthenzService from(ScrewdriverId screwdriverId) {
+ return new AthenzService(SCREWDRIVER_DOMAIN, "sd" + screwdriverId.id());
+ }
+
+}
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/NToken.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/NToken.java
deleted file mode 100644
index c2796befdc8..00000000000
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/NToken.java
+++ /dev/null
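Review bot: HostedAthenzIdentities carries only an @author tag, yet the `SCREWDRIVER_DOMAIN` constant and the `"sd" + screwdriverId.id()` naming in `from(ScrewdriverId)` are an identity-mapping contract that the Athenz side has to match exactly, so the hunk should document it rather than leave it implicit. I would add a class Javadoc such as `/** Maps hosted Vespa identifiers (user ids, Screwdriver project ids) to the Athenz identities they act as. */` and, on the second overload, `// Screwdriver projects are registered in Athenz as service "sd<project id>" under cd.screwdriver.project`. Nothing in this hunk or in the controller-api diffstat adds a test for the new class, while AthenzUtilsTest and AthenzIdentityVerifierTest are deleted in the same commit; a test pinning `from(ScrewdriverId)` and `from(UserId)` to their expected full names would protect a mapping that downstream authorization checks presumably rely on. The tests may have moved to vespa-athenz outside this view, but a controller-api test for the controller-api mapping would still be the right home.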
@@ -1,36 +0,0 @@ -// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.vespa.hosted.controller.api.integration.athenz; - -import java.util.Objects; - -/** - * Represents an Athenz NToken (principal token) - * - * @author bjorncs - */ -public class NToken { - - private final String rawToken; - - public NToken(String rawToken) { - this.rawToken = rawToken; - } - - @Override - public boolean equals(Object o) { - if (this == o) return true; - if (o == null || getClass() != o.getClass()) return false; - NToken nToken = (NToken) o; - return Objects.equals(rawToken, nToken.rawToken); - } - - public String getRawToken() { - return rawToken; - } - - @Override - public int hashCode() { - return Objects.hash(rawToken); - } - -} diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZToken.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZToken.java deleted file mode 100644 index cfa63b04197..00000000000 --- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZToken.java +++ /dev/null 
@@ -1,36 +0,0 @@ -// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.vespa.hosted.controller.api.integration.athenz; - -import java.util.Objects; - -/** - * Represents an Athenz ZToken (role token) - * - * @author bjorncs - */ -public class ZToken { - - private final String rawToken; - - public ZToken(String rawToken) { - this.rawToken = rawToken; - } - - public String getRawToken() { - return rawToken; - } - - @Override - public boolean equals(Object o) { - if (this == o) return true; - if (o == null || getClass() != o.getClass()) return false; - ZToken zToken = (ZToken) o; - return Objects.equals(rawToken, zToken.rawToken); - } - - @Override - public int hashCode() { - return Objects.hash(rawToken); - } - -} diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClient.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClient.java index bd38494da5b..a8e5db4f952 100644 --- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClient.java +++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClient.java @@ -1,8 +1,11 @@ // Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. package com.yahoo.vespa.hosted.controller.api.integration.athenz; -import com.yahoo.vespa.hosted.controller.api.identifiers.ApplicationId; import com.yahoo.vespa.athenz.api.AthenzDomain; +import com.yahoo.vespa.athenz.api.AthenzIdentity; +import com.yahoo.vespa.athenz.api.AthenzPublicKey; +import com.yahoo.vespa.athenz.api.AthenzService; +import com.yahoo.vespa.hosted.controller.api.identifiers.ApplicationId; import java.util.List; 
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsKeystore.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsKeystore.java index e2cb38a8466..b3dc9fd4fe1 100644 --- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsKeystore.java +++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsKeystore.java @@ -1,6 +1,8 @@ // Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. package com.yahoo.vespa.hosted.controller.api.integration.athenz; +import com.yahoo.vespa.athenz.api.AthenzService; + import java.security.PublicKey; import java.util.Optional; diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZtsClient.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZtsClient.java index 92fa214c621..381896c11cf 100644 --- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZtsClient.java +++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZtsClient.java @@ -2,6 +2,9 @@ package com.yahoo.vespa.hosted.controller.api.integration.athenz; import com.yahoo.vespa.athenz.api.AthenzDomain; +import com.yahoo.vespa.athenz.api.AthenzIdentity; +import com.yahoo.vespa.athenz.api.AthenzIdentityCertificate; +import com.yahoo.vespa.athenz.api.AthenzRoleCertificate; import java.util.List; diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/zone/ZoneRegistry.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/zone/ZoneRegistry.java index 09e6aa11490..81283ce802f 100644 --- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/zone/ZoneRegistry.java 
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/zone/ZoneRegistry.java @@ -4,8 +4,8 @@ package com.yahoo.vespa.hosted.controller.api.integration.zone; import com.yahoo.config.provision.Environment; import com.yahoo.config.provision.RegionName; import com.yahoo.config.provision.SystemName; +import com.yahoo.vespa.athenz.api.AthenzService; import com.yahoo.vespa.hosted.controller.api.identifiers.DeploymentId; -import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzService; import java.net.URI; import java.time.Duration; diff --git a/controller-api/src/test/java/com/yahoo/vespa/athenz/api/AthenzDomainTest.java b/controller-api/src/test/java/com/yahoo/vespa/athenz/api/AthenzDomainTest.java deleted file mode 100644 index 637a643cf63..00000000000 --- a/controller-api/src/test/java/com/yahoo/vespa/athenz/api/AthenzDomainTest.java +++ /dev/null 
@@ -1,55 +0,0 @@ -package com.yahoo.vespa.athenz.api; - -import org.hamcrest.CoreMatchers; -import org.junit.Test; - -import java.util.concurrent.Callable; -import java.util.function.Supplier; - -import static org.hamcrest.CoreMatchers.containsString; -import static org.hamcrest.CoreMatchers.startsWith; -import static org.junit.Assert.*; - -/** - * @author bjorncs - */ -public class AthenzDomainTest { - - @Test - public void domain_can_be_constructed_from_valid_string() { - new AthenzDomain("home.john.my-app"); - } - - @Test - public void invalid_domain_throws_exception() { - assertInvalid(() -> new AthenzDomain("endswithdot.")); - assertInvalid(() -> new AthenzDomain(".startswithdot")); - } - - @Test - public void parent_domain_is_without_name_suffix() { - assertEquals(new AthenzDomain("home.john"), new AthenzDomain("home.john.myapp").getParent()); - } - - @Test - public void domain_name_suffix_is_the_suffix_after_last_dot() { - assertEquals("myapp", new AthenzDomain("home.john.myapp").getNameSuffix()); - } - - @Test - public void domain_without_dot_is_toplevel() { - assertTrue(new AthenzDomain("toplevel").isTopLevelDomain()); - assertFalse(new AthenzDomain("not.toplevel").isTopLevelDomain()); - } - - private static void assertInvalid(Supplier<AthenzDomain> domainCreator) { - try { - AthenzDomain domain = domainCreator.get(); - fail("Expected IllegalArgumentException for domain: " + domain.getName()); - } catch (IllegalArgumentException e) { - assertThat(e.getMessage(), startsWith("Not a valid domain name")); - } - } - - -}
\ No newline at end of file diff --git a/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzIdentityVerifierTest.java b/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzIdentityVerifierTest.java deleted file mode 100644 index 88da28fb273..00000000000 --- a/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzIdentityVerifierTest.java +++ /dev/null 
@@ -1,82 +0,0 @@ -package com.yahoo.vespa.hosted.controller.api.integration.athenz; - -import org.bouncycastle.asn1.x500.X500Name; -import org.bouncycastle.asn1.x509.BasicConstraints; -import org.bouncycastle.asn1.x509.Extension; -import org.bouncycastle.cert.CertIOException; -import org.bouncycastle.cert.X509v3CertificateBuilder; -import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter; -import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder; -import org.bouncycastle.jce.provider.BouncyCastleProvider; -import org.bouncycastle.operator.ContentSigner; -import org.bouncycastle.operator.OperatorCreationException; -import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder; -import org.junit.Test; - -import javax.net.ssl.SSLPeerUnverifiedException; -import javax.net.ssl.SSLSession; -import java.math.BigInteger; -import java.security.KeyPair; -import java.security.KeyPairGenerator; -import java.security.NoSuchAlgorithmException; -import java.security.cert.Certificate; -import java.security.cert.CertificateException; -import java.security.cert.X509Certificate; -import java.time.Duration; -import java.time.Instant; -import java.util.Date; - -import static java.util.Collections.singleton; -import static org.junit.Assert.assertFalse; -import static org.junit.Assert.assertTrue; -import static org.mockito.Mockito.mock; -import static org.mockito.Mockito.when; - -/** - * @author bjorncs - */ -public class AthenzIdentityVerifierTest { - - @Test - public void verifies_certificate_with_athenz_service_as_common_name() throws Exception { - AthenzIdentity trustedIdentity = new AthenzService("mydomain", "alice"); - AthenzIdentity unknownIdentity = new AthenzService("mydomain", "mallory"); - KeyPair keyPair = createKeyPair(); - AthenzIdentityVerifier verifier = new AthenzIdentityVerifier(singleton(trustedIdentity)); - assertTrue(verifier.verify("hostname", createSslSessionMock(createSelfSignedCertificate(keyPair, trustedIdentity)))); - 
assertFalse(verifier.verify("hostname", createSslSessionMock(createSelfSignedCertificate(keyPair, unknownIdentity)))); - } - - private static KeyPair createKeyPair() throws NoSuchAlgorithmException { - KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA"); - keyGen.initialize(512); - return keyGen.generateKeyPair(); - } - - private static X509Certificate createSelfSignedCertificate(KeyPair keyPair, AthenzIdentity identity) - throws OperatorCreationException, CertIOException, CertificateException { - ContentSigner contentSigner = new JcaContentSignerBuilder("SHA256WithRSA").build(keyPair.getPrivate()); - X500Name x500Name = new X500Name("CN="+ identity.getFullName()); - Instant now = Instant.now(); - Date notBefore = Date.from(now); - Date notAfter = Date.from(now.plus(Duration.ofDays(30))); - - X509v3CertificateBuilder certificateBuilder = - new JcaX509v3CertificateBuilder( - x500Name, BigInteger.valueOf(now.toEpochMilli()), notBefore, notAfter, x500Name, keyPair.getPublic() - ) - .addExtension(Extension.basicConstraints, true, new BasicConstraints(true)); - - return new JcaX509CertificateConverter() - .setProvider(new BouncyCastleProvider()) - .getCertificate(certificateBuilder.build(contentSigner)); - - } - - private static SSLSession createSslSessionMock(X509Certificate certificate) throws SSLPeerUnverifiedException { - SSLSession sslSession = mock(SSLSession.class); - when(sslSession.getPeerCertificates()).thenReturn(new Certificate[]{certificate}); - return sslSession; - } - -}
\ No newline at end of file diff --git a/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzUtilsTest.java b/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzUtilsTest.java deleted file mode 100644 index f257255a07e..00000000000 --- a/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzUtilsTest.java +++ /dev/null @@ -1,21 +0,0 @@ -package com.yahoo.vespa.hosted.controller.api.integration.athenz; - -import com.yahoo.vespa.athenz.api.AthenzDomain; -import org.junit.Test; - -import static org.junit.Assert.assertEquals; - -/** - * @author bjorncs - */ -public class AthenzUtilsTest { - - @Test - public void athenz_identity_is_parsed_from_dot_separated_string() { - AthenzIdentity expectedIdentity = new AthenzService(new AthenzDomain("my.subdomain"), "myservicename"); - String fullName = expectedIdentity.getFullName(); - AthenzIdentity actualIdentity = AthenzUtils.createAthenzIdentity(fullName); - assertEquals(expectedIdentity, actualIdentity); - } - -}
\ No newline at end of file |