authorBjørn Christian Seime <bjorncs@oath.com>2017-12-19 13:44:07 +0100
committerBjørn Christian Seime <bjorncs@oath.com>2018-01-03 13:54:31 +0100
commitf38d5f1486657c8170d575ebb43979961bddeff8 (patch)
treef1cb8a73eff0ff10f4688df88980b8778e1a1f3f /controller-server
parentb3ae7caa9d7ed625d41328e6327e9a5ae87ed835 (diff)
Use TLS with Athenz in ConfigServerRestExecutor
Diffstat (limited to 'controller-server')
-rw-r--r--controller-server/src/main/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImpl.java36
-rw-r--r--controller-server/src/main/java/com/yahoo/vespa/hosted/controller/proxy/ProxyRequest.java5
2 files changed, 33 insertions, 8 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImpl.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImpl.java
index e8689a06162..937c93a2f5c 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImpl.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImpl.java
@@ -3,10 +3,13 @@ package com.yahoo.vespa.hosted.controller.proxy;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
+import com.google.inject.Inject;
import com.yahoo.config.provision.Environment;
-import com.yahoo.vespa.hosted.controller.api.integration.zone.ZoneId;
import com.yahoo.io.IOUtils;
import com.yahoo.jdisc.http.HttpRequest.Method;
+import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzIdentityVerifier;
+import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzSslContextProvider;
+import com.yahoo.vespa.hosted.controller.api.integration.zone.ZoneId;
import com.yahoo.vespa.hosted.controller.api.integration.zone.ZoneList;
import com.yahoo.vespa.hosted.controller.api.integration.zone.ZoneRegistry;
import org.apache.http.Header;
@@ -34,8 +37,11 @@ import java.util.Map;
import java.util.Optional;
import java.util.Set;
+import static java.util.Collections.singleton;
+
/**
* @author Haakon Dybdahl
+ * @author bjorncs
*/
@SuppressWarnings("unused") // Injected
public class ConfigServerRestExecutorImpl implements ConfigServerRestExecutor {
@@ -43,9 +49,13 @@ public class ConfigServerRestExecutorImpl implements ConfigServerRestExecutor {
private static final Duration PROXY_REQUEST_TIMEOUT = Duration.ofSeconds(10);
private final ZoneRegistry zoneRegistry;
+ private final AthenzSslContextProvider sslContextProvider;
- public ConfigServerRestExecutorImpl(ZoneRegistry zoneRegistry) {
+ @Inject
+ public ConfigServerRestExecutorImpl(ZoneRegistry zoneRegistry,
+ AthenzSslContextProvider sslContextProvider) {
this.zoneRegistry = zoneRegistry;
+ this.sslContextProvider = sslContextProvider;
}
@Override
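Review bot: The new injected dependency is stored without a null check, so a missing `AthenzSslContextProvider` binding would only surface as an NPE inside `createHttpClient` on the first proxied request rather than at construction time. Guard both constructor arguments, e.g. `this.zoneRegistry = Objects.requireNonNull(zoneRegistry, "zoneRegistry");` and `this.sslContextProvider = Objects.requireNonNull(sslContextProvider, "sslContextProvider");` (`java.util.Objects` would need importing; the import block is in an earlier hunk). A one-line Javadoc on the field, `/** Provides the SSL context used for mutual TLS towards config servers. */`, would also help readers, since the field's role is otherwise only visible further down in `createHttpClient`.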
@@ -57,10 +67,10 @@ public class ConfigServerRestExecutorImpl implements ConfigServerRestExecutor {
ZoneId zoneId = ZoneId.from(proxyRequest.getEnvironment(), proxyRequest.getRegion());
// Make a local copy of the list as we want to manipulate it in case of ping problems.
- List<URI> allServers = new ArrayList<>(zoneRegistry.getConfigServerUris(zoneId));
+ List<URI> allServers = new ArrayList<>(zoneRegistry.getConfigServerSecureUris(zoneId));
StringBuilder errorBuilder = new StringBuilder();
- if (queueFirstServerIfDown(allServers)) {
+ if (queueFirstServerIfDown(allServers, proxyRequest)) {
errorBuilder.append("Change ordering due to failed ping.");
}
for (URI uri : allServers) {
@@ -115,7 +125,7 @@ public class ConfigServerRestExecutorImpl implements ConfigServerRestExecutor {
.setConnectionRequestTimeout((int) PROXY_REQUEST_TIMEOUT.toMillis())
.setSocketTimeout((int) PROXY_REQUEST_TIMEOUT.toMillis()).build();
try (
- CloseableHttpClient client = createHttpClient(config);
+ CloseableHttpClient client = createHttpClient(config, sslContextProvider, zoneRegistry, proxyRequest);
CloseableHttpResponse response = client.execute(requestBase);
) {
if (response.getStatusLine().getStatusCode() / 100 == 5) {
@@ -202,7 +212,7 @@ public class ConfigServerRestExecutorImpl implements ConfigServerRestExecutor {
* if it is not responding, we try the other servers first. False positive/negatives are not critical,
* but will increase latency to some extent.
*/
- private boolean queueFirstServerIfDown(List<URI> allServers) {
+ private boolean queueFirstServerIfDown(List<URI> allServers, ProxyRequest proxyRequest) {
if (allServers.size() < 2) {
return false;
}
@@ -215,7 +225,7 @@ public class ConfigServerRestExecutorImpl implements ConfigServerRestExecutor {
.setConnectionRequestTimeout(timeout)
.setSocketTimeout(timeout).build();
try (
- CloseableHttpClient client = createHttpClient(config);
+ CloseableHttpClient client = createHttpClient(config, sslContextProvider, zoneRegistry, proxyRequest);
CloseableHttpResponse response = client.execute(httpget);
) {
@@ -232,9 +242,19 @@ public class ConfigServerRestExecutorImpl implements ConfigServerRestExecutor {
return true;
}
- private static CloseableHttpClient createHttpClient(RequestConfig config) {
+ private static CloseableHttpClient createHttpClient(RequestConfig config,
+ AthenzSslContextProvider sslContextProvider,
+ ZoneRegistry zoneRegistry,
+ ProxyRequest proxyRequest) {
+ AthenzIdentityVerifier hostnameVerifier =
+ new AthenzIdentityVerifier(
+ singleton(
+ zoneRegistry.getConfigserverAthenzService(
+ ZoneId.from(proxyRequest.getEnvironment(), proxyRequest.getEnvironment()))));
return HttpClientBuilder.create()
.setUserAgent("config-server-client")
+ .setSslcontext(sslContextProvider.get())
+ .setHostnameVerifier(hostnameVerifier)
.setDefaultRequestConfig(config)
.build();
}
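Review bot: The hostname verifier is built for the wrong zone: `ZoneId.from(proxyRequest.getEnvironment(), proxyRequest.getEnvironment())` passes the environment twice, whereas the zone of the request is derived as `ZoneId.from(proxyRequest.getEnvironment(), proxyRequest.getRegion())` earlier in this file. As a result the expected Athenz service comes from a zone that is not the one being proxied to, so TLS peer-identity verification will either reject every config server (if the lookup fails or the identity differs per zone) or check against an identity other than the intended one; the line should read `ZoneId.from(proxyRequest.getEnvironment(), proxyRequest.getRegion()))));`. Since both call sites already hold the request and the caller at the top of the proxy method computes the same `zoneId`, passing a `ZoneId` instead of the whole `ProxyRequest` would make this mistake impossible to repeat. A short why-comment above the verifier, `// Pin the expected peer identity to the config server Athenz service of the target zone`, would document the intent of the `singleton(...)` argument.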
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/proxy/ProxyRequest.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/proxy/ProxyRequest.java
index 6854d583222..a20043a787f 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/proxy/ProxyRequest.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/proxy/ProxyRequest.java
@@ -1,6 +1,7 @@
// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.vespa.hosted.controller.proxy;
+import com.yahoo.config.provision.ZoneId;
import com.yahoo.container.jdisc.HttpRequest;
import com.yahoo.net.HostName;
@@ -89,6 +90,10 @@ public class ProxyRequest {
return environment;
}
+ public ZoneId getZoneId() {
+ return ZoneId.from(environment, region);
+ }
+
public String getConfigServerRequest() {
return configServerRequest;
}
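Review bot: The new `getZoneId()` accessor has no Javadoc and, within this commit, no caller: `ConfigServerRestExecutorImpl` builds its own `ZoneId` from `getEnvironment()`/`getRegion()` instead of using it. It also imports `com.yahoo.config.provision.ZoneId`, while the executor imports `com.yahoo.vespa.hosted.controller.api.integration.zone.ZoneId`, which suggests these are two different types and the helper cannot simply be substituted there; worth confirming which `ZoneId` is intended and aligning the two files. At minimum add `/** Returns the target zone of this request, derived from its environment and region. */` above the method, or drop it until it has a consumer.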