authorAndreas Eriksen <andreer@yahooinc.com>2023-06-22 11:33:43 +0200
committerGitHub <noreply@github.com>2023-06-22 11:33:43 +0200
commitf403069d4be06425dfc101fc7468c0cb2f7afb4f (patch)
tree3d28ccd708e024997fb1c1d1f816868f9733ef1c /controller-api
parentaa981de24a14dba41fcb370d550fdf053b5433f8 (diff)
randomized endpoint cert pool (#27488)
* randomized endpoint cert pool * test name format * recordify EndpointCertificateMetadata * save randomized id to cert * assigned randomized endpoint cert to app when flag is set * remove assigned certs from ready pool * skip validation of SANs for randomized certs * remove unused clock * reminder to assign randomized certs at application level * remove getters, move comments to record constructor * camel case field name * CertPoolMaintainer -> CertificatePoolMaintainer * fix enum names * randomIdentifier -> generateRandomId * Wire maintainer * Add PooledCertificateSerializer * Use PooledCertificate * Remove unused enum * exclude all cert pool ids from cleanup * don't set randomizedId in mock * use SecureRandom for id generation * fix NodesV2ApiTest * add cert request method without applicationId * remove unused import * assert on generated key names, remove unused clock * remove unused import * don't use : in ckms prefix! * entirely remove application id from cert provider interface * use correct key prefix in handler too * Assign certificate to application from pool * PooledCertificate -> UnassignedCertificate * Read/write AssignedCertificate everywhere --------- Co-authored-by: Martin Polden <mpolden@mpolden.no>
Diffstat (limited to 'controller-api')
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateMetadata.java147
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateMock.java28
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateProvider.java7
3 files changed, 43 insertions, 139 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateMetadata.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateMetadata.java
index b423fcb83f8..02afbb6ace6 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateMetadata.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateMetadata.java
@@ -2,7 +2,6 @@
package com.yahoo.vespa.hosted.controller.api.integration.certificates;
import java.util.List;
-import java.util.Objects;
import java.util.Optional;
/**
@@ -12,76 +11,25 @@ import java.util.Optional;
*
* @author andreer
*/
-public class EndpointCertificateMetadata {
+public record EndpointCertificateMetadata(String keyName, String certName, int version, long lastRequested,
+ String rootRequestId, // The id of the first request made for this certificate. Should not change.
+ Optional<String> leafRequestId, // The id of the last known request made for this certificate. Changes on refresh, may be outdated!
+ List<String> requestedDnsSans, String issuer, Optional<Long> expiry,
+ Optional<Long> lastRefreshed, Optional<String> randomizedId) {
- private final String keyName;
- private final String certName;
- private final int version;
- private final long lastRequested;
- private final String rootRequestId;
- private final Optional<String> leafRequestId;
- private final List<String> requestedDnsSans;
- private final String issuer;
- private final Optional<Long> expiry;
- private final Optional<Long> lastRefreshed;
-
- public EndpointCertificateMetadata(String keyName, String certName, int version, long lastRequested, String rootRequestId, Optional<String> leafRequestId, List<String> requestedDnsSans, String issuer, Optional<Long> expiry, Optional<Long> lastRefreshed) {
- this.keyName = keyName;
- this.certName = certName;
- this.version = version;
- this.lastRequested = lastRequested;
- this.rootRequestId = rootRequestId;
- this.leafRequestId = leafRequestId;
- this.requestedDnsSans = requestedDnsSans;
- this.issuer = issuer;
- this.expiry = expiry;
- this.lastRefreshed = lastRefreshed;
- }
-
- public String keyName() {
- return keyName;
- }
-
- public String certName() {
- return certName;
- }
-
- public int version() {
- return version;
- }
-
- public long lastRequested() {
- return lastRequested;
- }
-
- /**
- * @return The request id of the first request made for this certificate. Should not change.
- */
- public String rootRequestId() {
- return rootRequestId;
- }
-
- /**
- * @return The request id of the last known request made for this certificate. Changes on refresh, may be outdated!
- */
- public Optional<String> leafRequestId() {
- return leafRequestId;
- }
-
- public List<String> requestedDnsSans() {
- return requestedDnsSans;
- }
-
- public String issuer() {
- return issuer;
- }
-
- public Optional<Long> expiry() {
- return expiry;
- }
-
- public Optional<Long> lastRefreshed() {
- return lastRefreshed;
+ public EndpointCertificateMetadata withRandomizedId(String randomizedId) {
+ return new EndpointCertificateMetadata(
+ this.keyName,
+ this.certName,
+ this.version,
+ this.lastRequested,
+ this.rootRequestId,
+ this.leafRequestId,
+ this.requestedDnsSans,
+ this.issuer,
+ this.expiry,
+ this.lastRefreshed,
+ Optional.of(randomizedId));
}
public EndpointCertificateMetadata withKeyName(String keyName) {
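Review bot: The record keeps the caller's `requestedDnsSans` list reference as-is, so a mutable list handed to the constructor stays shared and the SANs recorded for a certificate can change after construction; the removed class had the same exposure, but the record conversion is the natural place to close it with a compact constructor, `public EndpointCertificateMetadata { requestedDnsSans = List.copyOf(requestedDnsSans); }`, which also rejects null elements. The rootRequestId/leafRequestId descriptions that were Javadoc on the removed accessors are now trailing comments inside the record header, where Javadoc tooling does not pick them up; moving them to `@param rootRequestId ...` and `@param leafRequestId ...` tags on the record's class Javadoc keeps them visible, and `@param randomizedId` deserves its own sentence since it is presumably only present for certificates drawn from the pool. `withRandomizedId` wraps its argument with `Optional.of`, so a null argument fails with a NullPointerException rather than clearing the id; if clearing is never needed that is fine, but the Javadoc should say so.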
@@ -95,7 +43,8 @@ public class EndpointCertificateMetadata {
this.requestedDnsSans,
this.issuer,
this.expiry,
- this.lastRefreshed);
+ this.lastRefreshed,
+ this.randomizedId);
}
public EndpointCertificateMetadata withCertName(String certName) {
@@ -109,7 +58,8 @@ public class EndpointCertificateMetadata {
this.requestedDnsSans,
this.issuer,
this.expiry,
- this.lastRefreshed);
+ this.lastRefreshed,
+ this.randomizedId);
}
public EndpointCertificateMetadata withVersion(int version) {
@@ -123,7 +73,8 @@ public class EndpointCertificateMetadata {
this.requestedDnsSans,
this.issuer,
this.expiry,
- this.lastRefreshed);
+ this.lastRefreshed,
+ this.randomizedId);
}
public EndpointCertificateMetadata withLastRequested(long lastRequested) {
@@ -137,7 +88,8 @@ public class EndpointCertificateMetadata {
this.requestedDnsSans,
this.issuer,
this.expiry,
- this.lastRefreshed);
+ this.lastRefreshed,
+ this.randomizedId);
}
public EndpointCertificateMetadata withLastRefreshed(long lastRefreshed) {
@@ -151,7 +103,8 @@ public class EndpointCertificateMetadata {
this.requestedDnsSans,
this.issuer,
this.expiry,
- Optional.of(lastRefreshed));
+ Optional.of(lastRefreshed),
+ this.randomizedId);
}
public EndpointCertificateMetadata withRootRequestId(String rootRequestId) {
@@ -165,7 +118,8 @@ public class EndpointCertificateMetadata {
this.requestedDnsSans,
this.issuer,
this.expiry,
- lastRefreshed);
+ this.lastRefreshed,
+ this.randomizedId);
}
public EndpointCertificateMetadata withLeafRequestId(Optional<String> leafRequestId) {
@@ -179,45 +133,8 @@ public class EndpointCertificateMetadata {
this.requestedDnsSans,
this.issuer,
this.expiry,
- lastRefreshed);
- }
-
- @Override
- public String toString() {
- return "EndpointCertificateMetadata{" +
- "keyName='" + keyName + '\'' +
- ", certName='" + certName + '\'' +
- ", version=" + version +
- ", lastRequested=" + lastRequested +
- ", rootRequestId=" + rootRequestId +
- ", leafRequestId=" + leafRequestId +
- ", requestedDnsSans=" + requestedDnsSans +
- ", issuer=" + issuer +
- ", expiry=" + expiry +
- ", lastRefreshed=" + lastRefreshed +
- '}';
- }
-
- @Override
- public boolean equals(Object o) {
- if (this == o) return true;
- if (o == null || getClass() != o.getClass()) return false;
- EndpointCertificateMetadata that = (EndpointCertificateMetadata) o;
- return version == that.version &&
- lastRequested == that.lastRequested &&
- keyName.equals(that.keyName) &&
- certName.equals(that.certName) &&
- rootRequestId.equals(that.rootRequestId) &&
- leafRequestId.equals(that.leafRequestId) &&
- requestedDnsSans.equals(that.requestedDnsSans) &&
- issuer.equals(that.issuer) &&
- expiry.equals(that.expiry) &&
- lastRefreshed.equals(that.lastRefreshed);
- }
-
- @Override
- public int hashCode() {
- return Objects.hash(keyName, certName, version, lastRequested, rootRequestId, leafRequestId, requestedDnsSans, issuer, expiry, lastRefreshed);
+ this.lastRefreshed,
+ this.randomizedId);
}
}
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateMock.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateMock.java
index 7ae03d7ce6b..a0448e41b68 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateMock.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateMock.java
@@ -1,9 +1,6 @@
// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.vespa.hosted.controller.api.integration.certificates;
-import com.yahoo.config.provision.ApplicationId;
-
-import java.time.Clock;
import java.time.Instant;
import java.util.Collections;
import java.util.HashMap;
@@ -11,7 +8,6 @@ import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.UUID;
-import java.util.stream.Collectors;
/**
* @author tokle
@@ -19,29 +15,23 @@ import java.util.stream.Collectors;
*/
public class EndpointCertificateMock implements EndpointCertificateProvider {
- private final Map<ApplicationId, List<String>> dnsNames = new HashMap<>();
+ private final Map<String, List<String>> dnsNames = new HashMap<>();
private final Map<String, EndpointCertificateMetadata> providerMetadata = new HashMap<>();
- private final Clock clock;
-
- public EndpointCertificateMock(Clock clock) {
- this.clock = clock;
- }
- public List<String> dnsNamesOf(ApplicationId application) {
- return Collections.unmodifiableList(dnsNames.getOrDefault(application, List.of()));
+ public List<String> dnsNamesOf(String rootRequestId) {
+ return Collections.unmodifiableList(dnsNames.getOrDefault(rootRequestId, List.of()));
}
@Override
- public EndpointCertificateMetadata requestCaSignedCertificate(ApplicationId applicationId, List<String> dnsNames, Optional<EndpointCertificateMetadata> currentMetadata) {
- this.dnsNames.put(applicationId, dnsNames);
- String endpointCertificatePrefix = String.format("vespa.tls.%s.%s.%s", applicationId.tenant(),
- applicationId.application(), applicationId.instance());
+ public EndpointCertificateMetadata requestCaSignedCertificate(String key, List<String> dnsNames, Optional<EndpointCertificateMetadata> currentMetadata, String algo, boolean useAlternativeProvider) {
+ String endpointCertificatePrefix = "vespa.tls.%s".formatted(key);
long epochSecond = Instant.now().getEpochSecond();
long inAnHour = epochSecond + 3600;
String requestId = UUID.randomUUID().toString();
+ this.dnsNames.put(requestId, dnsNames);
int version = currentMetadata.map(c -> currentMetadata.get().version()+1).orElse(0);
EndpointCertificateMetadata metadata = new EndpointCertificateMetadata(endpointCertificatePrefix + "-key", endpointCertificatePrefix + "-cert", version, 0,
- currentMetadata.map(EndpointCertificateMetadata::rootRequestId).orElse(requestId), Optional.of(requestId), dnsNames, "mockCa", Optional.of(inAnHour), Optional.of(epochSecond));
+ currentMetadata.map(EndpointCertificateMetadata::rootRequestId).orElse(requestId), Optional.of(requestId), dnsNames, "mockCa", Optional.of(inAnHour), Optional.of(epochSecond), Optional.empty());
currentMetadata.ifPresent(c -> providerMetadata.remove(c.leafRequestId().orElseThrow()));
providerMetadata.put(requestId, metadata);
return metadata;
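Review bot: The `dnsNames` map is now keyed by the freshly generated `requestId` on the added `this.dnsNames.put(requestId, dnsNames);` line, but `dnsNamesOf` above looks the entry up by a parameter named `rootRequestId`; on a refresh (`currentMetadata` present) the returned record's root id is taken from the previous metadata while the map key is the new leaf id, so `dnsNamesOf(metadata.rootRequestId())` yields an empty list after the first refresh. Either key and lookup should agree, e.g. `String rootRequestId = currentMetadata.map(EndpointCertificateMetadata::rootRequestId).orElse(requestId); this.dnsNames.put(rootRequestId, dnsNames);`, or the `dnsNamesOf` parameter should be renamed to `requestId` if keying by leaf id is intended; `deleteCertificate` in the last hunk of this file removes by `requestId`, which only matches the second reading. The new `algo` and `useAlternativeProvider` parameters are accepted and ignored here, which is reasonable for a mock but deserves a one-line comment such as `// algo and useAlternativeProvider are ignored by the mock` so tests do not assume they influence the result.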
@@ -70,8 +60,8 @@ public class EndpointCertificateMock implements EndpointCertificateProvider {
}
@Override
- public void deleteCertificate(ApplicationId applicationId, String requestId) {
- dnsNames.remove(applicationId);
+ public void deleteCertificate(String requestId) {
+ dnsNames.remove(requestId);
providerMetadata.remove(requestId);
}
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateProvider.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateProvider.java
index 26db25bd848..7c5268ea353 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateProvider.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateProvider.java
@@ -1,9 +1,6 @@
// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.vespa.hosted.controller.api.integration.certificates;
-import com.yahoo.config.provision.ApplicationId;
-
-import java.io.IOException;
import java.util.List;
import java.util.Optional;
@@ -14,11 +11,11 @@ import java.util.Optional;
*/
public interface EndpointCertificateProvider {
- EndpointCertificateMetadata requestCaSignedCertificate(ApplicationId applicationId, List<String> dnsNames, Optional<EndpointCertificateMetadata> currentMetadata);
+ EndpointCertificateMetadata requestCaSignedCertificate(String endpointCertificatePrefix, List<String> dnsNames, Optional<EndpointCertificateMetadata> currentMetadata, String algo, boolean useAlternativeProvider);
List<EndpointCertificateRequestMetadata> listCertificates();
- void deleteCertificate(ApplicationId applicationId, String requestId);
+ void deleteCertificate(String requestId);
EndpointCertificateDetails certificateDetails(String requestId);
}
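Review bot: The two new parameters `algo` and `useAlternativeProvider` on `requestCaSignedCertificate` carry no contract: nothing states which algorithm identifiers are accepted or what the alternative provider is, and the first parameter is named `endpointCertificatePrefix` here but `key` in the mock implementation. Since the mock splices this prefix directly into the key and certificate names, the interface should state the allowed character set (the commit message notes that `:` must not appear in the prefix) and which side is responsible for validating it. Suggested Javadoc on the method: `@param endpointCertificatePrefix prefix used to derive the key and certificate names; must not contain ':'` plus `@param algo` and `@param useAlternativeProvider` lines, and `deleteCertificate(String requestId)` would benefit from stating whether an unknown id is an error or a no-op. The interface's class Javadoc starts outside the hunk.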