author | Håkon Hallingstad <hakon@oath.com> | 2018-05-10 00:07:14 +0200 |
---|---|---|
committer | Håkon Hallingstad <hakon@oath.com> | 2018-05-10 00:07:14 +0200 |
commit | ccb6a9afa346d6dfa1d3a884343effcabfd99b46 (patch) | |
tree | d92df12a12be25a664bdc4b3a26897cd1a9f7c00 /node-admin | |
parent | d43e41ae60f20b2b7103df2e3ec828b0cd66c248 (diff) |
Use config server identity instead of SIA identity when verifying CN of peer config server certificate
Diffstat (limited to 'node-admin')
2 files changed, 37 insertions, 43 deletions
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/ConfigServerApiImpl.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/ConfigServerApiImpl.java
index 24f6890857a..25ec4fbd1dd 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/ConfigServerApiImpl.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/ConfigServerApiImpl.java
@@ -22,6 +22,7 @@ import org.apache.http.client.methods.HttpUriRequest;
 import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
 import org.apache.http.entity.StringEntity;
 
+import javax.net.ssl.HostnameVerifier;
 import javax.net.ssl.SSLContext;
 import java.io.IOException;
 import java.io.UnsupportedEncodingException;
@@ -57,41 +58,31 @@ public class ConfigServerApiImpl implements ConfigServerApi { */ private volatile SelfCloseableHttpClient client; - /** - * Creates an api for talking to the config servers with a fixed socket factory. - * - * <p>This may be used to avoid requiring background certificate signing requests (CSR) - * against the config server when client validation is enabled in the config server. - */ - public static ConfigServerApiImpl createWithSocketFactory( - List<URI> configServerHosts, - SSLConnectionSocketFactory socketFactory) { - return new ConfigServerApiImpl(configServerHosts, new SelfCloseableHttpClient(socketFactory)); - } - - public static ConfigServerApiImpl create(ConfigServerInfo configServerInfo, - SiaIdentityProvider identityProvider) { - return new ConfigServerApiImpl(configServerInfo.getConfigServerUris(), identityProvider); + public static ConfigServerApiImpl create(ConfigServerInfo info, SiaIdentityProvider provider) { + return new ConfigServerApiImpl( + info.getConfigServerUris(), + new AthenzIdentityVerifier(singleton(info.getAthenzIdentity().get())), + provider); } - public static ConfigServerApiImpl createFor(ConfigServerInfo configServerInfo, - SiaIdentityProvider identityProvider, - HostName configServer) { - URI uri = configServerInfo.getConfigServerUri(configServer.value()); - return new ConfigServerApiImpl(Collections.singletonList(uri), identityProvider); + public static ConfigServerApiImpl createFor(ConfigServerInfo info, + SiaIdentityProvider provider, + HostName configServerHostname) { + return new ConfigServerApiImpl( + Collections.singleton(info.getConfigServerUri(configServerHostname.value())), + new AthenzIdentityVerifier(singleton(info.getAthenzIdentity().get())), + provider); } - static ConfigServerApiImpl createForTestingWithClient(List<URI> configServerHosts, - SelfCloseableHttpClient client) { - return new ConfigServerApiImpl(configServerHosts, client); - } - - private ConfigServerApiImpl(Collection<URI> configServers, 
SiaIdentityProvider identityProvider) { - this(configServers, createClient(identityProvider)); + private ConfigServerApiImpl(Collection<URI> configServers, + HostnameVerifier verifier, + SiaIdentityProvider identityProvider) { + this(configServers, createClient(identityProvider.getIdentitySslContext(), verifier)); - // The same object MUST be passed to both addIdentityListener and removeIdentityListener, - // as two method references aren't equal. - ServiceIdentityProvider.Listener listener = this::setClient; + // Register callback for updates to the SSLContext + ServiceIdentityProvider.Listener listener = (SSLContext sslContext, AthenzService identity) -> { + this.client = createClient(sslContext, verifier); + }; identityProvider.addIdentityListener(listener); this.runOnClose = () -> identityProvider.removeIdentityListener(listener); } @@ -101,6 +92,17 @@ public class ConfigServerApiImpl implements ConfigServerApi { this.client = client; } + public static ConfigServerApiImpl createForTestingWithSocketFactory( + List<URI> configServerHosts, + SSLConnectionSocketFactory socketFactory) { + return new ConfigServerApiImpl(configServerHosts, new SelfCloseableHttpClient(socketFactory)); + } + + static ConfigServerApiImpl createForTestingWithClient(List<URI> configServerHosts, + SelfCloseableHttpClient client) { + return new ConfigServerApiImpl(configServerHosts, client); + } + interface CreateRequest { HttpUriRequest createRequest(URI configServerUri) throws JsonProcessingException, UnsupportedEncodingException; } 
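Review bot: `info.getAthenzIdentity().get()` in both `create` and `createFor` unwraps the Optional unchecked, so a config server whose Athenz identity is not configured fails at construction with a bare NoSuchElementException; failing closed here is the right outcome (the alternative would be a client with no peer-identity check), but the failure should say why, e.g. `info.getAthenzIdentity().orElseThrow(() -> new IllegalStateException("Config server Athenz identity is required to verify the config server certificate"))`, ideally in one private helper so the two factories cannot drift apart. The listener lambda deliberately ignores the `identity` it is handed, since the peer check is now pinned to the config server's identity rather than the node's own rotating one; naming that parameter `ignoredIdentity` and extending the comment to `// Register callback for updates to the SSLContext; the node's own identity is irrelevant to peer verification` would stop a later reader from "fixing" it back to `singleton(identity)`, which is the behaviour this commit removes. The removed constructor signature is split across the line break in this listing but lies within the hunk.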
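Review bot: `createForTestingWithSocketFactory` is `public` while its sibling `createForTestingWithClient` is package-private, so only its name discourages production code from using it to build a client whose peer is never checked against an Athenz identity; whatever hostname verification happens is whatever the caller's `SSLConnectionSocketFactory` carries. If it must be public for the test in another package, give it a Javadoc that states this, e.g. `/** Test-only: the peer config server's Athenz identity is NOT verified; peer checks are whatever {@code socketFactory} applies. */`. The deleted Javadoc described a non-test use (avoiding background CSRs when client validation is enabled); if any such caller still exists it now goes through a factory that does no identity verification, so callers of the old `createWithSocketFactory` are worth auditing. The enclosing class continues outside the hunk.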
@@ -204,18 +206,10 @@ public class ConfigServerApiImpl implements ConfigServerApi {
         request.setHeader(HttpHeaders.CONTENT_TYPE, "application/json");
     }
 
-    private void setClient(SSLContext sslContext, AthenzService identity) {
-        this.client = createClient(sslContext, identity);
-    }
-
-    private static SelfCloseableHttpClient createClient(SSLContext sslContext, AthenzService identity) {
-        AthenzIdentityVerifier identityVerifier = new AthenzIdentityVerifier(singleton(identity));
-        SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(sslContext, identityVerifier);
-        return new SelfCloseableHttpClient(socketFactory);
-    }
-
-    private static SelfCloseableHttpClient createClient(SiaIdentityProvider identityProvider) {
-        return createClient(identityProvider.getIdentitySslContext(), identityProvider.identity());
+    private static SelfCloseableHttpClient createClient(
+            SSLContext sslContext, HostnameVerifier configServerVerifier) {
+        return new SelfCloseableHttpClient(
+                new SSLConnectionSocketFactory(sslContext, configServerVerifier));
     }
 
     // Shuffle config server URIs to balance load
diff --git a/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/RealNodeRepositoryTest.java b/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/RealNodeRepositoryTest.java
index ae5ba9681e6..045b1116740 100644
--- a/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/RealNodeRepositoryTest.java
+++ b/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/RealNodeRepositoryTest.java
@@ -67,7 +67,7 @@ public class RealNodeRepositoryTest {
         try {
             final int port = findRandomOpenPort();
             container = JDisc.fromServicesXml(ContainerConfig.servicesXmlV2(port), Networking.enable);
-            ConfigServerApi configServerApi = ConfigServerApiImpl.createWithSocketFactory(
+            ConfigServerApi configServerApi = ConfigServerApiImpl.createForTestingWithSocketFactory(
                     Collections.singletonList(URI.create("http://127.0.0.1:" + port)),
                     SSLConnectionSocketFactory.getSocketFactory());
             waitForJdiscContainerToServe(configServerApi);