authorBjørn Christian Seime <bjorncs@oath.com>2018-01-16 16:14:26 +0100
committerBjørn Christian Seime <bjorncs@oath.com>2018-01-17 12:35:44 +0100
commit96f5cb0fe8b72b5c322f6d8b022a51ec4ef8788d (patch)
treeb4b46d136f92b9832788ac414de5cc38317dea85 /controller-api
parentac0e0340fd7989ae4410aaf7e33eb2e1e848a88b (diff)
Move Athenz types from controller-api to vespa-athenz
Diffstat (limited to 'controller-api')
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzClientFactory.java2
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzIdentity.java16
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzIdentityCertificate.java27
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzIdentityVerifier.java44
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzPrincipal.java64
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzPublicKey.java49
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzRoleCertificate.java27
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzService.java58
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzUser.java56
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzUtils.java66
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/HostedAthenzIdentities.java27
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/NToken.java36
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZToken.java36
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClient.java5
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsKeystore.java2
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZtsClient.java3
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/zone/ZoneRegistry.java2
-rw-r--r--controller-api/src/test/java/com/yahoo/vespa/athenz/api/AthenzDomainTest.java55
-rw-r--r--controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzIdentityVerifierTest.java82
-rw-r--r--controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzUtilsTest.java21
20 files changed, 39 insertions, 639 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzClientFactory.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzClientFactory.java
index a2a16d10cdb..72e7c758070 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzClientFactory.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzClientFactory.java
@@ -1,6 +1,8 @@
// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.vespa.hosted.controller.api.integration.athenz;
+import com.yahoo.vespa.athenz.api.NToken;
+
/**
* @author bjorncs
*/
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzIdentity.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzIdentity.java
deleted file mode 100644
index 747eb439ef5..00000000000
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzIdentity.java
+++ /dev/null
@@ -1,16 +0,0 @@
-// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.vespa.hosted.controller.api.integration.athenz;
-
-
-import com.yahoo.vespa.athenz.api.AthenzDomain;
-
-/**
- * @author bjorncs
- */
-public interface AthenzIdentity {
- AthenzDomain getDomain();
- String getName();
- default String getFullName() {
- return getDomain().getName() + "." + getName();
- }
-}
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzIdentityCertificate.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzIdentityCertificate.java
deleted file mode 100644
index d53817c09e4..00000000000
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzIdentityCertificate.java
+++ /dev/null
@@ -1,27 +0,0 @@
-// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.vespa.hosted.controller.api.integration.athenz;
-
-import java.security.PrivateKey;
-import java.security.cert.X509Certificate;
-
-/**
- * @author bjorncs
- */
-public class AthenzIdentityCertificate {
-
- private final X509Certificate certificate;
- private final PrivateKey privateKey;
-
- public AthenzIdentityCertificate(X509Certificate certificate, PrivateKey privateKey) {
- this.certificate = certificate;
- this.privateKey = privateKey;
- }
-
- public X509Certificate getCertificate() {
- return certificate;
- }
-
- public PrivateKey getPrivateKey() {
- return privateKey;
- }
-}
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzIdentityVerifier.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzIdentityVerifier.java
deleted file mode 100644
index 6f8ebc4c5db..00000000000
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzIdentityVerifier.java
+++ /dev/null
@@ -1,44 +0,0 @@
-// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.vespa.hosted.controller.api.integration.athenz;
-
-import javax.net.ssl.HostnameVerifier;
-import javax.net.ssl.SSLPeerUnverifiedException;
-import javax.net.ssl.SSLSession;
-import java.security.cert.X509Certificate;
-import java.util.Set;
-import java.util.logging.Level;
-import java.util.logging.Logger;
-
-/**
- * A {@link HostnameVerifier} that validates Athenz x509 certificates using the identity in the Common Name attribute.
- *
- * @author bjorncs
- */
-// TODO Move to dedicated Athenz bundle
-public class AthenzIdentityVerifier implements HostnameVerifier {
-
- private static final Logger log = Logger.getLogger(AthenzIdentityVerifier.class.getName());
-
- private final Set<AthenzIdentity> allowedIdentities;
-
- public AthenzIdentityVerifier(Set<AthenzIdentity> allowedIdentities) {
- this.allowedIdentities = allowedIdentities;
- }
-
- @Override
- public boolean verify(String hostname, SSLSession session) {
- try {
- X509Certificate cert = (X509Certificate) session.getPeerCertificates()[0];
- return isTrusted(AthenzUtils.createAthenzIdentity(cert));
- } catch (SSLPeerUnverifiedException e) {
- log.log(Level.WARNING, "Unverified client: " + hostname);
- return false;
- }
- }
-
- public boolean isTrusted(AthenzIdentity identity) {
- return allowedIdentities.contains(identity);
- }
-
-}
-
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzPrincipal.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzPrincipal.java
deleted file mode 100644
index b24efccd61c..00000000000
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzPrincipal.java
+++ /dev/null
@@ -1,64 +0,0 @@
-// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.vespa.hosted.controller.api.integration.athenz;
-
-import com.yahoo.vespa.athenz.api.AthenzDomain;
-
-import java.security.Principal;
-import java.util.Objects;
-import java.util.Optional;
-
-/**
- * @author bjorncs
- */
-public class AthenzPrincipal implements Principal {
-
- private final AthenzIdentity athenzIdentity;
- private final NToken nToken;
-
- public AthenzPrincipal(AthenzIdentity athenzIdentity) {
- this(athenzIdentity, null);
- }
-
- public AthenzPrincipal(AthenzIdentity athenzIdentity,
- NToken nToken) {
- this.athenzIdentity = athenzIdentity;
- this.nToken = nToken;
- }
-
- public AthenzIdentity getIdentity() {
- return athenzIdentity;
- }
-
- @Override
- public String getName() {
- return athenzIdentity.getFullName();
- }
-
- public AthenzDomain getDomain() {
- return athenzIdentity.getDomain();
- }
-
- public Optional<NToken> getNToken() {
- return Optional.ofNullable(nToken);
- }
-
- @Override
- public String toString() {
- return "AthenzPrincipal{" +
- "athenzIdentity=" + athenzIdentity +
- '}';
- }
-
- @Override
- public boolean equals(Object o) {
- if (this == o) return true;
- if (o == null || getClass() != o.getClass()) return false;
- AthenzPrincipal principal = (AthenzPrincipal) o;
- return Objects.equals(athenzIdentity, principal.athenzIdentity);
- }
-
- @Override
- public int hashCode() {
- return Objects.hash(athenzIdentity);
- }
-}
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzPublicKey.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzPublicKey.java
deleted file mode 100644
index c7f370dd4e3..00000000000
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzPublicKey.java
+++ /dev/null
@@ -1,49 +0,0 @@
-// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.vespa.hosted.controller.api.integration.athenz;
-
-import java.security.PublicKey;
-import java.util.Objects;
-
-/**
- * @author bjorncs
- */
-public class AthenzPublicKey {
-
- private final PublicKey publicKey;
- private final String keyId;
-
- public AthenzPublicKey(PublicKey publicKey, String keyId) {
- this.publicKey = publicKey;
- this.keyId = keyId;
- }
-
- public PublicKey getPublicKey() {
- return publicKey;
- }
-
- public String getKeyId() {
- return keyId;
- }
-
- @Override
- public boolean equals(Object o) {
- if (this == o) return true;
- if (o == null || getClass() != o.getClass()) return false;
- AthenzPublicKey that = (AthenzPublicKey) o;
- return Objects.equals(publicKey, that.publicKey) &&
- Objects.equals(keyId, that.keyId);
- }
-
- @Override
- public int hashCode() {
- return Objects.hash(publicKey, keyId);
- }
-
- @Override
- public String toString() {
- return "AthenzPublicKey{" +
- "publicKey=" + publicKey +
- ", keyId='" + keyId + '\'' +
- '}';
- }
-}
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzRoleCertificate.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzRoleCertificate.java
deleted file mode 100644
index 80548cccd89..00000000000
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzRoleCertificate.java
+++ /dev/null
@@ -1,27 +0,0 @@
-// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.vespa.hosted.controller.api.integration.athenz;
-
-import java.security.PrivateKey;
-import java.security.cert.X509Certificate;
-
-/**
- * @author bjorncs
- */
-public class AthenzRoleCertificate {
-
- private final X509Certificate certificate;
- private final PrivateKey privateKey;
-
- public AthenzRoleCertificate(X509Certificate certificate, PrivateKey privateKey) {
- this.certificate = certificate;
- this.privateKey = privateKey;
- }
-
- public X509Certificate getCertificate() {
- return certificate;
- }
-
- public PrivateKey getPrivateKey() {
- return privateKey;
- }
-}
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzService.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzService.java
deleted file mode 100644
index 8d5d1c23882..00000000000
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzService.java
+++ /dev/null
@@ -1,58 +0,0 @@
-// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.vespa.hosted.controller.api.integration.athenz;
-
-import com.yahoo.vespa.athenz.api.AthenzDomain;
-import com.yahoo.vespa.hosted.controller.api.identifiers.ScrewdriverId;
-
-import java.util.Objects;
-
-/**
- * @author bjorncs
- */
-public class AthenzService implements AthenzIdentity {
-
- private final AthenzDomain domain;
- private final String serviceName;
-
- public AthenzService(AthenzDomain domain, String serviceName) {
- this.domain = domain;
- this.serviceName = serviceName;
- }
-
- public AthenzService(String domain, String serviceName) {
- this(new AthenzDomain(domain), serviceName);
- }
-
- public static AthenzService fromScrewdriverId(ScrewdriverId screwdriverId) {
- return new AthenzService(AthenzUtils.SCREWDRIVER_DOMAIN, "sd" + screwdriverId.id());
- }
-
- @Override
- public AthenzDomain getDomain() {
- return domain;
- }
-
- @Override
- public String getName() {
- return serviceName;
- }
-
- @Override
- public boolean equals(Object o) {
- if (this == o) return true;
- if (o == null || getClass() != o.getClass()) return false;
- AthenzService that = (AthenzService) o;
- return Objects.equals(domain, that.domain) &&
- Objects.equals(serviceName, that.serviceName);
- }
-
- @Override
- public int hashCode() {
- return Objects.hash(domain, serviceName);
- }
-
- @Override
- public String toString() {
- return String.format("AthenzService(%s)", getFullName());
- }
-}
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzUser.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzUser.java
deleted file mode 100644
index 91d17fcc84a..00000000000
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzUser.java
+++ /dev/null
@@ -1,56 +0,0 @@
-// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.vespa.hosted.controller.api.integration.athenz;
-
-import com.yahoo.vespa.athenz.api.AthenzDomain;
-import com.yahoo.vespa.hosted.controller.api.identifiers.UserId;
-
-import java.util.Objects;
-
-/**
- * @author bjorncs
- */
-public class AthenzUser implements AthenzIdentity {
- private final UserId userId;
-
- public AthenzUser(UserId userId) {
- this.userId = userId;
- }
-
- public static AthenzUser fromUserId(UserId userId) {
- return new AthenzUser(userId);
- }
-
- @Override
- public AthenzDomain getDomain() {
- return AthenzUtils.USER_PRINCIPAL_DOMAIN;
- }
-
- @Override
- public String getName() {
- return userId.id();
- }
-
- public UserId getUserId() {
- return userId;
- }
-
- @Override
- public String toString() {
- return "AthenzUser{" +
- "userId=" + userId +
- '}';
- }
-
- @Override
- public boolean equals(Object o) {
- if (this == o) return true;
- if (o == null || getClass() != o.getClass()) return false;
- AthenzUser that = (AthenzUser) o;
- return Objects.equals(userId, that.userId);
- }
-
- @Override
- public int hashCode() {
- return Objects.hash(userId);
- }
-}
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzUtils.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzUtils.java
deleted file mode 100644
index 6984e7da57b..00000000000
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzUtils.java
+++ /dev/null
@@ -1,66 +0,0 @@
-// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.vespa.hosted.controller.api.integration.athenz;
-
-import com.yahoo.vespa.athenz.api.AthenzDomain;
-import com.yahoo.vespa.hosted.controller.api.identifiers.UserId;
-
-import javax.naming.NamingException;
-import javax.naming.ldap.LdapName;
-import java.security.cert.X509Certificate;
-
-/**
- * @author bjorncs
- */
-public class AthenzUtils {
-
- private AthenzUtils() {}
-
- public static final AthenzDomain USER_PRINCIPAL_DOMAIN = new AthenzDomain("user");
- public static final AthenzDomain SCREWDRIVER_DOMAIN = new AthenzDomain("cd.screwdriver.project");
- public static final AthenzService ZMS_ATHENZ_SERVICE = new AthenzService("sys.auth", "zms");
-
- public static AthenzIdentity createAthenzIdentity(AthenzDomain domain, String identityName) {
- if (domain.equals(USER_PRINCIPAL_DOMAIN)) {
- return AthenzUser.fromUserId(new UserId(identityName));
- } else {
- return new AthenzService(domain, identityName);
- }
- }
-
- public static AthenzIdentity createAthenzIdentity(String fullName) {
- int domainIdentityNameSeparatorIndex = fullName.lastIndexOf('.');
- if (domainIdentityNameSeparatorIndex == -1
- || domainIdentityNameSeparatorIndex == 0
- || domainIdentityNameSeparatorIndex == fullName.length() - 1) {
- throw new IllegalArgumentException("Invalid Athenz identity: " + fullName);
- }
- AthenzDomain domain = new AthenzDomain(fullName.substring(0, domainIdentityNameSeparatorIndex));
- String identityName = fullName.substring(domainIdentityNameSeparatorIndex + 1, fullName.length());
- return createAthenzIdentity(domain, identityName);
- }
-
- public static AthenzIdentity createAthenzIdentity(X509Certificate certificate) {
- String commonName = getCommonName(certificate);
- if (isAthenzRoleIdentity(commonName)) {
- throw new IllegalArgumentException("Athenz role certificate not supported");
- }
- return createAthenzIdentity(commonName);
- }
-
- private static boolean isAthenzRoleIdentity(String commonName) {
- return commonName.contains(":role.");
- }
-
- private static String getCommonName(X509Certificate certificate) {
- try {
- String subjectPrincipal = certificate.getSubjectX500Principal().getName();
- return new LdapName(subjectPrincipal).getRdns().stream()
- .filter(rdn -> rdn.getType().equalsIgnoreCase("cn"))
- .map(rdn -> rdn.getValue().toString())
- .findFirst()
- .orElseThrow(() -> new IllegalArgumentException("Could not find CN in certificate: " + subjectPrincipal));
- } catch (NamingException e) {
- throw new IllegalArgumentException("Invalid CN: " + e, e);
- }
- }
-}
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/HostedAthenzIdentities.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/HostedAthenzIdentities.java
new file mode 100644
index 00000000000..bd385034a90
--- /dev/null
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/HostedAthenzIdentities.java
@@ -0,0 +1,27 @@
+// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.hosted.controller.api.integration.athenz;
+
+import com.yahoo.vespa.athenz.api.AthenzDomain;
+import com.yahoo.vespa.athenz.api.AthenzService;
+import com.yahoo.vespa.athenz.api.AthenzUser;
+import com.yahoo.vespa.hosted.controller.api.identifiers.ScrewdriverId;
+import com.yahoo.vespa.hosted.controller.api.identifiers.UserId;
+
+/**
+ * @author bjorncs
+ */
+public class HostedAthenzIdentities {
+
+ public static final AthenzDomain SCREWDRIVER_DOMAIN = new AthenzDomain("cd.screwdriver.project");
+
+ private HostedAthenzIdentities() {}
+
+ public static AthenzUser from(UserId userId) {
+ return AthenzUser.fromUserId(userId.id());
+ }
+
+ public static AthenzService from(ScrewdriverId screwdriverId) {
+ return new AthenzService(SCREWDRIVER_DOMAIN, "sd" + screwdriverId.id());
+ }
+
+}
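Review bot: The new HostedAthenzIdentities class carries only an @author Javadoc, so nothing on the class says that it is the remaining controller-side bridge from hosted identifiers (UserId, ScrewdriverId) to the Athenz identity types this commit moves to vespa-athenz; a one-line summary such as `/** Maps hosted-Vespa identifiers (UserId, ScrewdriverId) to Athenz identities; the Athenz types themselves live in vespa-athenz. */` would make that explicit. The `"sd"` prefix on the `new AthenzService(SCREWDRIVER_DOMAIN, "sd" + screwdriverId.id())` line is the same naming convention the deleted `AthenzService.fromScrewdriverId` used, but it is still undocumented; a why-comment like `// Screwdriver projects are expected to appear in Athenz as service "sd<project id>" under SCREWDRIVER_DOMAIN — confirm against the Athenz registration` would pin the contract that any identity comparison built on this value presumably depends on. Neither factory validates its argument, so a null UserId or ScrewdriverId surfaces as an NPE from inside `userId.id()`/`screwdriverId.id()` rather than at the API boundary; `Objects.requireNonNull(userId, "userId")` and `Objects.requireNonNull(screwdriverId, "screwdriverId")` as first statements would report it at the call site.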
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/NToken.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/NToken.java
deleted file mode 100644
index c2796befdc8..00000000000
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/NToken.java
+++ /dev/null
@@ -1,36 +0,0 @@
-// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.vespa.hosted.controller.api.integration.athenz;
-
-import java.util.Objects;
-
-/**
- * Represents an Athenz NToken (principal token)
- *
- * @author bjorncs
- */
-public class NToken {
-
- private final String rawToken;
-
- public NToken(String rawToken) {
- this.rawToken = rawToken;
- }
-
- @Override
- public boolean equals(Object o) {
- if (this == o) return true;
- if (o == null || getClass() != o.getClass()) return false;
- NToken nToken = (NToken) o;
- return Objects.equals(rawToken, nToken.rawToken);
- }
-
- public String getRawToken() {
- return rawToken;
- }
-
- @Override
- public int hashCode() {
- return Objects.hash(rawToken);
- }
-
-}
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZToken.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZToken.java
deleted file mode 100644
index cfa63b04197..00000000000
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZToken.java
+++ /dev/null
@@ -1,36 +0,0 @@
-// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.vespa.hosted.controller.api.integration.athenz;
-
-import java.util.Objects;
-
-/**
- * Represents an Athenz ZToken (role token)
- *
- * @author bjorncs
- */
-public class ZToken {
-
- private final String rawToken;
-
- public ZToken(String rawToken) {
- this.rawToken = rawToken;
- }
-
- public String getRawToken() {
- return rawToken;
- }
-
- @Override
- public boolean equals(Object o) {
- if (this == o) return true;
- if (o == null || getClass() != o.getClass()) return false;
- ZToken zToken = (ZToken) o;
- return Objects.equals(rawToken, zToken.rawToken);
- }
-
- @Override
- public int hashCode() {
- return Objects.hash(rawToken);
- }
-
-}
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClient.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClient.java
index bd38494da5b..a8e5db4f952 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClient.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClient.java
@@ -1,8 +1,11 @@
// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.vespa.hosted.controller.api.integration.athenz;
-import com.yahoo.vespa.hosted.controller.api.identifiers.ApplicationId;
import com.yahoo.vespa.athenz.api.AthenzDomain;
+import com.yahoo.vespa.athenz.api.AthenzIdentity;
+import com.yahoo.vespa.athenz.api.AthenzPublicKey;
+import com.yahoo.vespa.athenz.api.AthenzService;
+import com.yahoo.vespa.hosted.controller.api.identifiers.ApplicationId;
import java.util.List;
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsKeystore.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsKeystore.java
index e2cb38a8466..b3dc9fd4fe1 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsKeystore.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsKeystore.java
@@ -1,6 +1,8 @@
// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.vespa.hosted.controller.api.integration.athenz;
+import com.yahoo.vespa.athenz.api.AthenzService;
+
import java.security.PublicKey;
import java.util.Optional;
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZtsClient.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZtsClient.java
index 92fa214c621..381896c11cf 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZtsClient.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZtsClient.java
@@ -2,6 +2,9 @@
package com.yahoo.vespa.hosted.controller.api.integration.athenz;
import com.yahoo.vespa.athenz.api.AthenzDomain;
+import com.yahoo.vespa.athenz.api.AthenzIdentity;
+import com.yahoo.vespa.athenz.api.AthenzIdentityCertificate;
+import com.yahoo.vespa.athenz.api.AthenzRoleCertificate;
import java.util.List;
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/zone/ZoneRegistry.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/zone/ZoneRegistry.java
index 09e6aa11490..81283ce802f 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/zone/ZoneRegistry.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/zone/ZoneRegistry.java
@@ -4,8 +4,8 @@ package com.yahoo.vespa.hosted.controller.api.integration.zone;
import com.yahoo.config.provision.Environment;
import com.yahoo.config.provision.RegionName;
import com.yahoo.config.provision.SystemName;
+import com.yahoo.vespa.athenz.api.AthenzService;
import com.yahoo.vespa.hosted.controller.api.identifiers.DeploymentId;
-import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzService;
import java.net.URI;
import java.time.Duration;
diff --git a/controller-api/src/test/java/com/yahoo/vespa/athenz/api/AthenzDomainTest.java b/controller-api/src/test/java/com/yahoo/vespa/athenz/api/AthenzDomainTest.java
deleted file mode 100644
index 637a643cf63..00000000000
--- a/controller-api/src/test/java/com/yahoo/vespa/athenz/api/AthenzDomainTest.java
+++ /dev/null
@@ -1,55 +0,0 @@
-package com.yahoo.vespa.athenz.api;
-
-import org.hamcrest.CoreMatchers;
-import org.junit.Test;
-
-import java.util.concurrent.Callable;
-import java.util.function.Supplier;
-
-import static org.hamcrest.CoreMatchers.containsString;
-import static org.hamcrest.CoreMatchers.startsWith;
-import static org.junit.Assert.*;
-
-/**
- * @author bjorncs
- */
-public class AthenzDomainTest {
-
- @Test
- public void domain_can_be_constructed_from_valid_string() {
- new AthenzDomain("home.john.my-app");
- }
-
- @Test
- public void invalid_domain_throws_exception() {
- assertInvalid(() -> new AthenzDomain("endswithdot."));
- assertInvalid(() -> new AthenzDomain(".startswithdot"));
- }
-
- @Test
- public void parent_domain_is_without_name_suffix() {
- assertEquals(new AthenzDomain("home.john"), new AthenzDomain("home.john.myapp").getParent());
- }
-
- @Test
- public void domain_name_suffix_is_the_suffix_after_last_dot() {
- assertEquals("myapp", new AthenzDomain("home.john.myapp").getNameSuffix());
- }
-
- @Test
- public void domain_without_dot_is_toplevel() {
- assertTrue(new AthenzDomain("toplevel").isTopLevelDomain());
- assertFalse(new AthenzDomain("not.toplevel").isTopLevelDomain());
- }
-
- private static void assertInvalid(Supplier<AthenzDomain> domainCreator) {
- try {
- AthenzDomain domain = domainCreator.get();
- fail("Expected IllegalArgumentException for domain: " + domain.getName());
- } catch (IllegalArgumentException e) {
- assertThat(e.getMessage(), startsWith("Not a valid domain name"));
- }
- }
-
-
-} \ No newline at end of file
diff --git a/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzIdentityVerifierTest.java b/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzIdentityVerifierTest.java
deleted file mode 100644
index 88da28fb273..00000000000
--- a/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzIdentityVerifierTest.java
+++ /dev/null
@@ -1,82 +0,0 @@
-package com.yahoo.vespa.hosted.controller.api.integration.athenz;
-
-import org.bouncycastle.asn1.x500.X500Name;
-import org.bouncycastle.asn1.x509.BasicConstraints;
-import org.bouncycastle.asn1.x509.Extension;
-import org.bouncycastle.cert.CertIOException;
-import org.bouncycastle.cert.X509v3CertificateBuilder;
-import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
-import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
-import org.bouncycastle.jce.provider.BouncyCastleProvider;
-import org.bouncycastle.operator.ContentSigner;
-import org.bouncycastle.operator.OperatorCreationException;
-import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
-import org.junit.Test;
-
-import javax.net.ssl.SSLPeerUnverifiedException;
-import javax.net.ssl.SSLSession;
-import java.math.BigInteger;
-import java.security.KeyPair;
-import java.security.KeyPairGenerator;
-import java.security.NoSuchAlgorithmException;
-import java.security.cert.Certificate;
-import java.security.cert.CertificateException;
-import java.security.cert.X509Certificate;
-import java.time.Duration;
-import java.time.Instant;
-import java.util.Date;
-
-import static java.util.Collections.singleton;
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertTrue;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.when;
-
-/**
- * @author bjorncs
- */
-public class AthenzIdentityVerifierTest {
-
- @Test
- public void verifies_certificate_with_athenz_service_as_common_name() throws Exception {
- AthenzIdentity trustedIdentity = new AthenzService("mydomain", "alice");
- AthenzIdentity unknownIdentity = new AthenzService("mydomain", "mallory");
- KeyPair keyPair = createKeyPair();
- AthenzIdentityVerifier verifier = new AthenzIdentityVerifier(singleton(trustedIdentity));
- assertTrue(verifier.verify("hostname", createSslSessionMock(createSelfSignedCertificate(keyPair, trustedIdentity))));
- assertFalse(verifier.verify("hostname", createSslSessionMock(createSelfSignedCertificate(keyPair, unknownIdentity))));
- }
-
- private static KeyPair createKeyPair() throws NoSuchAlgorithmException {
- KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
- keyGen.initialize(512);
- return keyGen.generateKeyPair();
- }
-
- private static X509Certificate createSelfSignedCertificate(KeyPair keyPair, AthenzIdentity identity)
- throws OperatorCreationException, CertIOException, CertificateException {
- ContentSigner contentSigner = new JcaContentSignerBuilder("SHA256WithRSA").build(keyPair.getPrivate());
- X500Name x500Name = new X500Name("CN="+ identity.getFullName());
- Instant now = Instant.now();
- Date notBefore = Date.from(now);
- Date notAfter = Date.from(now.plus(Duration.ofDays(30)));
-
- X509v3CertificateBuilder certificateBuilder =
- new JcaX509v3CertificateBuilder(
- x500Name, BigInteger.valueOf(now.toEpochMilli()), notBefore, notAfter, x500Name, keyPair.getPublic()
- )
- .addExtension(Extension.basicConstraints, true, new BasicConstraints(true));
-
- return new JcaX509CertificateConverter()
- .setProvider(new BouncyCastleProvider())
- .getCertificate(certificateBuilder.build(contentSigner));
-
- }
-
- private static SSLSession createSslSessionMock(X509Certificate certificate) throws SSLPeerUnverifiedException {
- SSLSession sslSession = mock(SSLSession.class);
- when(sslSession.getPeerCertificates()).thenReturn(new Certificate[]{certificate});
- return sslSession;
- }
-
-} \ No newline at end of file
diff --git a/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzUtilsTest.java b/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzUtilsTest.java
deleted file mode 100644
index f257255a07e..00000000000
--- a/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzUtilsTest.java
+++ /dev/null
@@ -1,21 +0,0 @@
-package com.yahoo.vespa.hosted.controller.api.integration.athenz;
-
-import com.yahoo.vespa.athenz.api.AthenzDomain;
-import org.junit.Test;
-
-import static org.junit.Assert.assertEquals;
-
-/**
- * @author bjorncs
- */
-public class AthenzUtilsTest {
-
- @Test
- public void athenz_identity_is_parsed_from_dot_separated_string() {
- AthenzIdentity expectedIdentity = new AthenzService(new AthenzDomain("my.subdomain"), "myservicename");
- String fullName = expectedIdentity.getFullName();
- AthenzIdentity actualIdentity = AthenzUtils.createAthenzIdentity(fullName);
- assertEquals(expectedIdentity, actualIdentity);
- }
-
-} \ No newline at end of file