author | Andreas Eriksen <andreer@yahooinc.com> | 2023-06-22 11:33:43 +0200 |
committer | GitHub <noreply@github.com> | 2023-06-22 11:33:43 +0200 |
commit | f403069d4be06425dfc101fc7468c0cb2f7afb4f (patch) | |
tree | 3d28ccd708e024997fb1c1d1f816868f9733ef1c /controller-api | |
parent | aa981de24a14dba41fcb370d550fdf053b5433f8 (diff) |
randomized endpoint cert pool (#27488)
* randomized endpoint cert pool
* test name format
* recordify EndpointCertificateMetadata
* save randomized id to cert
* assigned randomized endpoint cert to app when flag is set
* remove assigned certs from ready pool
* skip validation of SANs for randomized certs
* remove unused clock
* reminder to assign randomized certs at application level
* remove getters, move comments to record constructor
* camel case field name
* CertPoolMaintainer -> CertificatePoolMaintainer
* fix enum names
* randomIdentifier -> generateRandomId
* Wire maintainer
* Add PooledCertificateSerializer
* Use PooledCertificate
* Remove unused enum
* exclude all cert pool ids from cleanup
* don't set randomizedId in mock
* use SecureRandom for id generation
* fix NodesV2ApiTest
* add cert request method without applicationId
* remove unused import
* assert on generated key names, remove unused clock
* remove unused import
* don't use : in ckms prefix!
* entirely remove application id from cert provider interface
* use correct key prefix in handler too
* Assign certificate to application from pool
* PooledCertificate -> UnassignedCertificate
* Read/write AssignedCertificate everywhere
---------
Co-authored-by: Martin Polden <mpolden@mpolden.no>
Diffstat (limited to 'controller-api')
3 files changed, 43 insertions, 139 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateMetadata.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateMetadata.java
index b423fcb83f8..02afbb6ace6 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateMetadata.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateMetadata.java
@@ -2,7 +2,6 @@ package com.yahoo.vespa.hosted.controller.api.integration.certificates;
 
 import java.util.List;
-import java.util.Objects;
 import java.util.Optional;
 
 /**
@@ -12,76 +11,25 @@ import java.util.Optional;
  *
  * @author andreer
  */
-public class EndpointCertificateMetadata {
+public record EndpointCertificateMetadata(String keyName, String certName, int version, long lastRequested,
+                                          String rootRequestId, // The id of the first request made for this certificate. Should not change.
+                                          Optional<String> leafRequestId, // The id of the last known request made for this certificate. Changes on refresh, may be outdated!
+                                          List<String> requestedDnsSans, String issuer, Optional<Long> expiry,
+                                          Optional<Long> lastRefreshed, Optional<String> randomizedId) {
-    private final String keyName;
-    private final String certName;
-    private final int version;
-    private final long lastRequested;
-    private final String rootRequestId;
-    private final Optional<String> leafRequestId;
-    private final List<String> requestedDnsSans;
-    private final String issuer;
-    private final Optional<Long> expiry;
-    private final Optional<Long> lastRefreshed;
-
-    public EndpointCertificateMetadata(String keyName, String certName, int version, long lastRequested, String rootRequestId, Optional<String> leafRequestId, List<String> requestedDnsSans, String issuer, Optional<Long> expiry, Optional<Long> lastRefreshed) {
-        this.keyName = keyName;
-        this.certName = certName;
-        this.version = version;
-        this.lastRequested = lastRequested;
-        this.rootRequestId = rootRequestId;
-        this.leafRequestId = leafRequestId;
-        this.requestedDnsSans = requestedDnsSans;
-        this.issuer = issuer;
-        this.expiry = expiry;
-        this.lastRefreshed = lastRefreshed;
-    }
-
-    public String keyName() {
-        return keyName;
-    }
-
-    public String certName() {
-        return certName;
-    }
-
-    public int version() {
-        return version;
-    }
-
-    public long lastRequested() {
-        return lastRequested;
-    }
-
-    /**
-     * @return The request id of the first request made for this certificate. Should not change.
-     */
-    public String rootRequestId() {
-        return rootRequestId;
-    }
-
-    /**
-     * @return The request id of the last known request made for this certificate. Changes on refresh, may be outdated!
-     */
-    public Optional<String> leafRequestId() {
-        return leafRequestId;
-    }
-
-    public List<String> requestedDnsSans() {
-        return requestedDnsSans;
-    }
-
-    public String issuer() {
-        return issuer;
-    }
-
-    public Optional<Long> expiry() {
-        return expiry;
-    }
-
-    public Optional<Long> lastRefreshed() {
-        return lastRefreshed;
+    public EndpointCertificateMetadata withRandomizedId(String randomizedId) {
+        return new EndpointCertificateMetadata(
+                this.keyName,
+                this.certName,
+                this.version,
+                this.lastRequested,
+                this.rootRequestId,
+                this.leafRequestId,
+                this.requestedDnsSans,
+                this.issuer,
+                this.expiry,
+                this.lastRefreshed,
+                Optional.of(randomizedId));
     }
 
     public EndpointCertificateMetadata withKeyName(String keyName) {
@@ -95,7 +43,8 @@ public class EndpointCertificateMetadata {
                 this.requestedDnsSans,
                 this.issuer,
                 this.expiry,
-                this.lastRefreshed);
+                this.lastRefreshed,
+                this.randomizedId);
     }
 
     public EndpointCertificateMetadata withCertName(String certName) {
@@ -109,7 +58,8 @@ public class EndpointCertificateMetadata {
                 this.requestedDnsSans,
                 this.issuer,
                 this.expiry,
-                this.lastRefreshed);
+                this.lastRefreshed,
+                this.randomizedId);
     }
 
     public EndpointCertificateMetadata withVersion(int version) {
@@ -123,7 +73,8 @@ public class EndpointCertificateMetadata {
                 this.requestedDnsSans,
                 this.issuer,
                 this.expiry,
-                this.lastRefreshed);
+                this.lastRefreshed,
+                this.randomizedId);
     }
 
     public EndpointCertificateMetadata withLastRequested(long lastRequested) {
@@ -137,7 +88,8 @@ public class EndpointCertificateMetadata {
                 this.requestedDnsSans,
                 this.issuer,
                 this.expiry,
-                this.lastRefreshed);
+                this.lastRefreshed,
+                this.randomizedId);
     }
 
     public EndpointCertificateMetadata withLastRefreshed(long lastRefreshed) {
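Review bot: The per-component comments on the new record header (`// The id of the first request made for this certificate. Should not change.` and `// The id of the last known request ...`) are plain line comments inside the parameter list, so they vanish from the generated Javadoc that the removed `rootRequestId()` and `leafRequestId()` getters used to carry; move them into the record's Javadoc, which begins above this hunk, as `@param rootRequestId The id of the first request made for this certificate. Should not change.` and `@param leafRequestId The id of the last known request made for this certificate. Changes on refresh, may be outdated!`. Since `equals`/`hashCode` are now derived from every component including the `List<String> requestedDnsSans`, a compact constructor `public EndpointCertificateMetadata { requestedDnsSans = List.copyOf(requestedDnsSans); }` would make the list genuinely immutable so the derived hash cannot change after construction — valid only if no caller passes a null list, which `List.copyOf` rejects; I cannot confirm that from this diff. The `withXxx` updates in the smaller hunks below are mechanical and need no change.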
@@ -151,7 +103,8 @@ public class EndpointCertificateMetadata {
                 this.requestedDnsSans,
                 this.issuer,
                 this.expiry,
-                Optional.of(lastRefreshed));
+                Optional.of(lastRefreshed),
+                this.randomizedId);
     }
 
     public EndpointCertificateMetadata withRootRequestId(String rootRequestId) {
@@ -165,7 +118,8 @@ public class EndpointCertificateMetadata {
                 this.requestedDnsSans,
                 this.issuer,
                 this.expiry,
-                lastRefreshed);
+                this.lastRefreshed,
+                this.randomizedId);
     }
 
     public EndpointCertificateMetadata withLeafRequestId(Optional<String> leafRequestId) {
@@ -179,45 +133,8 @@ public class EndpointCertificateMetadata {
                 this.requestedDnsSans,
                 this.issuer,
                 this.expiry,
-                lastRefreshed);
-    }
-
-    @Override
-    public String toString() {
-        return "EndpointCertificateMetadata{" +
-                "keyName='" + keyName + '\'' +
-                ", certName='" + certName + '\'' +
-                ", version=" + version +
-                ", lastRequested=" + lastRequested +
-                ", rootRequestId=" + rootRequestId +
-                ", leafRequestId=" + leafRequestId +
-                ", requestedDnsSans=" + requestedDnsSans +
-                ", issuer=" + issuer +
-                ", expiry=" + expiry +
-                ", lastRefreshed=" + lastRefreshed +
-                '}';
-    }
-
-    @Override
-    public boolean equals(Object o) {
-        if (this == o) return true;
-        if (o == null || getClass() != o.getClass()) return false;
-        EndpointCertificateMetadata that = (EndpointCertificateMetadata) o;
-        return version == that.version &&
-                lastRequested == that.lastRequested &&
-                keyName.equals(that.keyName) &&
-                certName.equals(that.certName) &&
-                rootRequestId.equals(that.rootRequestId) &&
-                leafRequestId.equals(that.leafRequestId) &&
-                requestedDnsSans.equals(that.requestedDnsSans) &&
-                issuer.equals(that.issuer) &&
-                expiry.equals(that.expiry) &&
-                lastRefreshed.equals(that.lastRefreshed);
-    }
-
-    @Override
-    public int hashCode() {
-        return Objects.hash(keyName, certName, version, lastRequested, rootRequestId, leafRequestId, requestedDnsSans, issuer, expiry, lastRefreshed);
+                this.lastRefreshed,
+                this.randomizedId);
     }
 
 }
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateMock.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateMock.java
index 7ae03d7ce6b..a0448e41b68 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateMock.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateMock.java
@@ -1,9 +1,6 @@
 // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.vespa.hosted.controller.api.integration.certificates;
 
-import com.yahoo.config.provision.ApplicationId;
-
-import java.time.Clock;
 import java.time.Instant;
 import java.util.Collections;
 import java.util.HashMap;
@@ -11,7 +8,6 @@ import java.util.List;
 import java.util.Map;
 import java.util.Optional;
 import java.util.UUID;
-import java.util.stream.Collectors;
 
 /**
  * @author tokle
@@ -19,29 +15,23 @@ import java.util.stream.Collectors;
  */
 public class EndpointCertificateMock implements EndpointCertificateProvider {
 
-    private final Map<ApplicationId, List<String>> dnsNames = new HashMap<>();
+    private final Map<String, List<String>> dnsNames = new HashMap<>();
     private final Map<String, EndpointCertificateMetadata> providerMetadata = new HashMap<>();
-    private final Clock clock;
-
-    public EndpointCertificateMock(Clock clock) {
-        this.clock = clock;
-    }
 
-    public List<String> dnsNamesOf(ApplicationId application) {
-        return Collections.unmodifiableList(dnsNames.getOrDefault(application, List.of()));
+    public List<String> dnsNamesOf(String rootRequestId) {
+        return Collections.unmodifiableList(dnsNames.getOrDefault(rootRequestId, List.of()));
     }
 
     @Override
-    public EndpointCertificateMetadata requestCaSignedCertificate(ApplicationId applicationId, List<String> dnsNames, Optional<EndpointCertificateMetadata> currentMetadata) {
-        this.dnsNames.put(applicationId, dnsNames);
-        String endpointCertificatePrefix = String.format("vespa.tls.%s.%s.%s", applicationId.tenant(),
-                applicationId.application(), applicationId.instance());
+    public EndpointCertificateMetadata requestCaSignedCertificate(String key, List<String> dnsNames, Optional<EndpointCertificateMetadata> currentMetadata, String algo, boolean useAlternativeProvider) {
+        String endpointCertificatePrefix = "vespa.tls.%s".formatted(key);
         long epochSecond = Instant.now().getEpochSecond();
         long inAnHour = epochSecond + 3600;
         String requestId = UUID.randomUUID().toString();
+        this.dnsNames.put(requestId, dnsNames);
         int version = currentMetadata.map(c -> currentMetadata.get().version()+1).orElse(0);
         EndpointCertificateMetadata metadata = new EndpointCertificateMetadata(endpointCertificatePrefix + "-key", endpointCertificatePrefix + "-cert", version, 0,
-                currentMetadata.map(EndpointCertificateMetadata::rootRequestId).orElse(requestId), Optional.of(requestId), dnsNames, "mockCa", Optional.of(inAnHour), Optional.of(epochSecond));
+                currentMetadata.map(EndpointCertificateMetadata::rootRequestId).orElse(requestId), Optional.of(requestId), dnsNames, "mockCa", Optional.of(inAnHour), Optional.of(epochSecond), Optional.empty());
         currentMetadata.ifPresent(c -> providerMetadata.remove(c.leafRequestId().orElseThrow()));
         providerMetadata.put(requestId, metadata);
         return metadata;
@@ -70,8 +60,8 @@ public class EndpointCertificateMock implements EndpointCertificateProvider {
     }
 
     @Override
-    public void deleteCertificate(ApplicationId applicationId, String requestId) {
-        dnsNames.remove(applicationId);
+    public void deleteCertificate(String requestId) {
+        dnsNames.remove(requestId);
         providerMetadata.remove(requestId);
     }
 
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateProvider.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateProvider.java
index 26db25bd848..7c5268ea353 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateProvider.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateProvider.java
@@ -1,9 +1,6 @@
 // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.vespa.hosted.controller.api.integration.certificates;
 
-import com.yahoo.config.provision.ApplicationId;
-
-import java.io.IOException;
 import java.util.List;
 import java.util.Optional;
 
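Review bot: `dnsNamesOf(String rootRequestId)` looks the SAN list up by root request id, but the new `this.dnsNames.put(requestId, dnsNames)` in `requestCaSignedCertificate` stores it under the freshly generated leaf request id; on a refresh (`currentMetadata` present) the two differ, so a test calling `dnsNamesOf(metadata.rootRequestId())` after a refresh receives the SANs of the first request rather than the ones just requested, and the earlier entry is never removed. Keying the map the same way the metadata does, `this.dnsNames.put(currentMetadata.map(EndpointCertificateMetadata::rootRequestId).orElse(requestId), dnsNames);`, keeps the lookup consistent; the `deleteCertificate(String requestId)` hunk further down in this file then has to be handed that same id, which I cannot confirm from this diff. The new `algo` and `useAlternativeProvider` parameters are accepted and discarded, so tests cannot assert that the intended algorithm or provider was requested — recording them next to the metadata would make that observable. The interface names the first parameter `endpointCertificatePrefix` while the mock calls it `key`; one name in both places would avoid the mismatch.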
@@ -14,11 +11,11 @@ import java.util.Optional;
  */
 public interface EndpointCertificateProvider {
 
-    EndpointCertificateMetadata requestCaSignedCertificate(ApplicationId applicationId, List<String> dnsNames, Optional<EndpointCertificateMetadata> currentMetadata);
+    EndpointCertificateMetadata requestCaSignedCertificate(String endpointCertificatePrefix, List<String> dnsNames, Optional<EndpointCertificateMetadata> currentMetadata, String algo, boolean useAlternativeProvider);
 
     List<EndpointCertificateRequestMetadata> listCertificates();
 
-    void deleteCertificate(ApplicationId applicationId, String requestId);
+    void deleteCertificate(String requestId);
 
     EndpointCertificateDetails certificateDetails(String requestId);
 }
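Review bot: The widened `requestCaSignedCertificate` signature adds `String algo` and `boolean useAlternativeProvider` without Javadoc, so an implementor cannot tell which algorithm identifiers are valid, what the alternative provider is, or what shape `endpointCertificatePrefix` must have (the commit message notes that `:` must not appear in the ckms prefix, a constraint that belongs on this declaration rather than in history). A Javadoc block with `@param` entries for all five parameters and a `@return` describing the returned metadata, plus `@param requestId` on `deleteCertificate` stating whether it expects the root or the leaf request id, would pin the contract down for the non-mock implementations. A free-form `String algo` also accepts any value; if the set of supported algorithms is closed, an enum would let the compiler enforce it.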