authorBjørn Christian Seime <bjorncs@oath.com>2018-04-25 14:41:10 +0200
committerBjørn Christian Seime <bjorncs@oath.com>2018-04-25 14:41:50 +0200
commite516e1a12fb7e6e7501a21501d9c9860b864c6cb (patch)
treefa6d5016c71ac65fc3662845319bd7de3bdf2d55 /node-repository/src/main
parent2d8b50d55c41ca86728eda75dc133aef6a5b5cd8 (diff)
Replace 'Authentication' with 'Identification' for AuthenticationFilter and friends
Diffstat (limited to 'node-repository/src/main')
-rw-r--r--node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilter.java11
-rw-r--r--node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/NodeIdentifier.java (renamed from node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/HostAuthenticator.java)24
-rw-r--r--node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/NodeIdentifierFilter.java (renamed from node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthenticationFilter.java)22
3 files changed, 27 insertions, 30 deletions
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilter.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilter.java
index ab6bb229dd8..09e002b580d 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilter.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilter.java
@@ -14,9 +14,6 @@ import com.yahoo.vespa.hosted.provision.restapi.v2.ErrorResponse;
import com.yahoo.yolean.chain.After;
import java.net.URI;
-import java.security.Principal;
-import java.security.cert.X509Certificate;
-import java.util.List;
import java.util.Optional;
import java.util.function.BiConsumer;
import java.util.function.BiPredicate;
@@ -25,12 +22,12 @@ import java.util.stream.Collectors;
import java.util.stream.Stream;
/**
- * Authorization filter for all paths in config server. It assumes that {@link AuthenticationFilter} is part of filter chain.
+ * Authorization filter for all paths in config server. It assumes that {@link NodeIdentifierFilter} is part of filter chain.
*
* @author mpolden
* @author bjorncs
*/
-@After("AuthenticationFilter")
+@After("NodeIdentifierFilter")
public class AuthorizationFilter implements SecurityRequestFilter {
private static final Logger log = Logger.getLogger(AuthorizationFilter.class.getName());
@@ -68,12 +65,12 @@ public class AuthorizationFilter implements SecurityRequestFilter {
try {
NodePrincipal hostIdentity = (NodePrincipal) request.getUserPrincipal();
if (hostIdentity == null)
- return Optional.of(ErrorResponse.internalServerError(createErrorMessage(request, "Principal is missing. AuthenticationFilter has not been applied.")));
+ return Optional.of(ErrorResponse.internalServerError(createErrorMessage(request, "Principal is missing. NodeIdentifierFilter has not been applied.")));
if (!authorizer.test(hostIdentity, request.getUri()))
return Optional.of(ErrorResponse.forbidden(createErrorMessage(request, "Invalid credentials")));
request.setUserPrincipal(hostIdentity);
return Optional.empty();
- } catch (HostAuthenticator.AuthenticationException e) {
+ } catch (NodeIdentifier.NodeIdentifierException e) {
return Optional.of(ErrorResponse.forbidden(createErrorMessage(request, "Invalid credentials: " + e.getMessage())));
}
}
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/HostAuthenticator.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/NodeIdentifier.java
index d564e02727c..0908776378a 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/HostAuthenticator.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/NodeIdentifier.java
@@ -19,7 +19,7 @@ import static com.yahoo.vespa.athenz.tls.SubjectAlternativeName.Type.DNS_NAME;
*
* @author bjorncs
*/
-class HostAuthenticator {
+class NodeIdentifier {
private static final String TENANT_DOCKER_HOST_IDENTITY = "vespa.vespa.tenant-host";
private static final String TENANT_DOCKER_CONTAINER_IDENTITY = "vespa.vespa.tenant";
@@ -28,16 +28,16 @@ class HostAuthenticator {
private final Zone zone;
private final NodeRepository nodeRepository;
- HostAuthenticator(Zone zone, NodeRepository nodeRepository) {
+ NodeIdentifier(Zone zone, NodeRepository nodeRepository) {
this.zone = zone;
this.nodeRepository = nodeRepository;
}
- NodePrincipal authenticate(List<X509Certificate> certificateChain) throws AuthenticationException {
+ NodePrincipal resolveNode(List<X509Certificate> certificateChain) throws NodeIdentifierException {
X509Certificate clientCertificate = certificateChain.get(0);
String subjectCommonName = X509CertificateUtils.getSubjectCommonNames(clientCertificate).stream()
.findFirst()
- .orElseThrow(() -> new AuthenticationException("Certificate subject common name is missing!"));
+ .orElseThrow(() -> new NodeIdentifierException("Certificate subject common name is missing!"));
if (isAthenzIssued(clientCertificate)) {
List<SubjectAlternativeName> sans = X509CertificateUtils.getSubjectAlternativeNames(clientCertificate);
switch (subjectCommonName) {
@@ -57,7 +57,7 @@ class HostAuthenticator {
private boolean isAthenzIssued(X509Certificate certificate) {
String issuerCommonName = X509CertificateUtils.getIssuerCommonNames(certificate).stream()
.findFirst()
- .orElseThrow(() -> new AuthenticationException("Certificate issuer common name is missing!"));
+ .orElseThrow(() -> new NodeIdentifierException("Certificate issuer common name is missing!"));
return issuerCommonName.equals("Yahoo Athenz CA") || issuerCommonName.equals("Athenz AWS CA");
}
@@ -72,15 +72,15 @@ class HostAuthenticator {
.filter(node -> node.openStackId().equals(openstackId))
.map(Node::hostname)
.findFirst()
- .orElseThrow(() -> new AuthenticationException(String.format("Cannot find node with openstack-id '%s' in node repository", openstackId)));
+ .orElseThrow(() -> new NodeIdentifierException(String.format("Cannot find node with openstack-id '%s' in node repository", openstackId)));
}
private String getHostFromVespaCertificate(List<SubjectAlternativeName> sans) {
VespaUniqueInstanceId instanceId = VespaUniqueInstanceId.fromDottedString(getUniqueInstanceId(sans));
if (!zone.environment().value().equals(instanceId.environment()))
- throw new AuthenticationException("Invalid environment: " + instanceId.environment());
+ throw new NodeIdentifierException("Invalid environment: " + instanceId.environment());
if (!zone.region().value().equals(instanceId.region()))
- throw new AuthenticationException("Invalid region(): " + instanceId.region());
+ throw new NodeIdentifierException("Invalid region(): " + instanceId.region());
List<Node> applicationNodes =
nodeRepository.getNodes(ApplicationId.from(instanceId.tenant(), instanceId.application(), instanceId.instance()));
return applicationNodes.stream()
@@ -91,7 +91,7 @@ class HostAuthenticator {
.orElse(false))
.map(Node::hostname)
.findFirst()
- .orElseThrow(() -> new AuthenticationException("Could not find any node with instance id: " + instanceId.asDottedString()));
+ .orElseThrow(() -> new NodeIdentifierException("Could not find any node with instance id: " + instanceId.asDottedString()));
}
private static String getUniqueInstanceId(List<SubjectAlternativeName> sans) {
@@ -101,11 +101,11 @@ class HostAuthenticator {
.filter(dnsName -> (dnsName.endsWith("yahoo.cloud") || dnsName.endsWith("oath.cloud")) && dnsName.contains(INSTANCE_ID_DELIMITER))
.map(dnsName -> dnsName.substring(0, dnsName.indexOf(INSTANCE_ID_DELIMITER)))
.findFirst()
- .orElseThrow(() -> new AuthenticationException("Could not find unique instance id from SAN addresses: " + sans));
+ .orElseThrow(() -> new NodeIdentifierException("Could not find unique instance id from SAN addresses: " + sans));
}
- static class AuthenticationException extends RuntimeException {
- AuthenticationException(String message) {
+ static class NodeIdentifierException extends RuntimeException {
+ NodeIdentifierException(String message) {
super(message);
}
}
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthenticationFilter.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/NodeIdentifierFilter.java
index eed22535842..1ff8958a993 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthenticationFilter.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/NodeIdentifierFilter.java
@@ -16,21 +16,21 @@ import java.util.Optional;
import java.util.logging.Logger;
/**
- * A filter that authenticates the remote host based on the subject and subject alternative names in client certificate.
- * A {@link NodePrincipal} object is assigned to user principal field if authentication is successful.
+ * A filter that identifies the remote node based on the subject and subject alternative names in client certificate.
+ * A {@link NodePrincipal} object is assigned to user principal field if identification is successful.
*
* @author bjorncs
*/
-@Provides("AuthenticationFilter")
-public class AuthenticationFilter extends JsonSecurityRequestFilterBase {
+@Provides("NodeIdentifierFilter")
+public class NodeIdentifierFilter extends JsonSecurityRequestFilterBase {
- private static final Logger log = Logger.getLogger(AuthenticationFilter.class.getName());
+ private static final Logger log = Logger.getLogger(NodeIdentifierFilter.class.getName());
- private final HostAuthenticator authenticator;
+ private final NodeIdentifier nodeIdentifier;
@Inject
- public AuthenticationFilter(Zone zone, NodeRepository nodeRepository) {
- this.authenticator = new HostAuthenticator(zone, nodeRepository);
+ public NodeIdentifierFilter(Zone zone, NodeRepository nodeRepository) {
+ this.nodeIdentifier = new NodeIdentifier(zone, nodeRepository);
}
@Override
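Review bot: The rewritten Javadoc on the first two changed lines says what the filter reads from the client certificate but not the precondition its result depends on: as far as this commit's hunks show, `NodeIdentifier` inspects only subject, SAN and issuer common-name strings (the issuer check in the NodeIdentifier hunk is a plain string comparison), so the identity it assigns is only as trustworthy as the TLS-layer validation of that chain. Since the commit deliberately retitles the component from authentication to identification, the class doc is the place to state where that trust comes from; I would add a third sentence: ` * Identification assumes the client certificate chain has already been validated by the TLS layer; this filter only maps certificate names to a node.` The class body continues past the end of the hunk.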
@@ -39,11 +39,11 @@ public class AuthenticationFilter extends JsonSecurityRequestFilterBase {
if (clientCertificateChain.isEmpty())
return Optional.of(new ErrorResponse(Response.Status.UNAUTHORIZED, 0, "Missing client certificate"));
try {
- NodePrincipal identity = authenticator.authenticate(clientCertificateChain);
+ NodePrincipal identity = nodeIdentifier.resolveNode(clientCertificateChain);
request.setUserPrincipal(identity);
return Optional.empty();
- } catch (HostAuthenticator.AuthenticationException e) {
- log.log(LogLevel.WARNING, "Authentication failed: " + e.getMessage(), e);
+ } catch (NodeIdentifier.NodeIdentifierException e) {
+ log.log(LogLevel.WARNING, "Node identification failed: " + e.getMessage(), e);
return Optional.of(new ErrorResponse(Response.Status.UNAUTHORIZED, 1, e.getMessage()));
}
}