authorBjørn Christian Seime <bjorncs@oath.com>2018-04-25 14:41:10 +0200
committerBjørn Christian Seime <bjorncs@oath.com>2018-04-25 14:41:50 +0200
commite516e1a12fb7e6e7501a21501d9c9860b864c6cb (patch)
treefa6d5016c71ac65fc3662845319bd7de3bdf2d55 /node-repository
parent2d8b50d55c41ca86728eda75dc133aef6a5b5cd8 (diff)
Replace 'Authentication' with 'Identification' for AuthenticationFilter and friends
Diffstat (limited to 'node-repository')
-rw-r--r--node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilter.java11
-rw-r--r--node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/NodeIdentifier.java (renamed from node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/HostAuthenticator.java)24
-rw-r--r--node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/NodeIdentifierFilter.java (renamed from node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthenticationFilter.java)22
-rw-r--r--node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilterTest.java2
-rw-r--r--node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/NodeIdentifierTest.java (renamed from node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/HostAuthenticatorTest.java)22
5 files changed, 39 insertions, 42 deletions
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilter.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilter.java
index ab6bb229dd8..09e002b580d 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilter.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilter.java
@@ -14,9 +14,6 @@ import com.yahoo.vespa.hosted.provision.restapi.v2.ErrorResponse;
import com.yahoo.yolean.chain.After;
import java.net.URI;
-import java.security.Principal;
-import java.security.cert.X509Certificate;
-import java.util.List;
import java.util.Optional;
import java.util.function.BiConsumer;
import java.util.function.BiPredicate;
@@ -25,12 +22,12 @@ import java.util.stream.Collectors;
import java.util.stream.Stream;
/**
- * Authorization filter for all paths in config server. It assumes that {@link AuthenticationFilter} is part of filter chain.
+ * Authorization filter for all paths in config server. It assumes that {@link NodeIdentifierFilter} is part of filter chain.
*
* @author mpolden
* @author bjorncs
*/
-@After("AuthenticationFilter")
+@After("NodeIdentifierFilter")
public class AuthorizationFilter implements SecurityRequestFilter {
private static final Logger log = Logger.getLogger(AuthorizationFilter.class.getName());
@@ -68,12 +65,12 @@ public class AuthorizationFilter implements SecurityRequestFilter {
try {
NodePrincipal hostIdentity = (NodePrincipal) request.getUserPrincipal();
if (hostIdentity == null)
- return Optional.of(ErrorResponse.internalServerError(createErrorMessage(request, "Principal is missing. AuthenticationFilter has not been applied.")));
+ return Optional.of(ErrorResponse.internalServerError(createErrorMessage(request, "Principal is missing. NodeIdentifierFilter has not been applied.")));
if (!authorizer.test(hostIdentity, request.getUri()))
return Optional.of(ErrorResponse.forbidden(createErrorMessage(request, "Invalid credentials")));
request.setUserPrincipal(hostIdentity);
return Optional.empty();
- } catch (HostAuthenticator.AuthenticationException e) {
+ } catch (NodeIdentifier.NodeIdentifierException e) {
return Optional.of(ErrorResponse.forbidden(createErrorMessage(request, "Invalid credentials: " + e.getMessage())));
}
}
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/HostAuthenticator.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/NodeIdentifier.java
index d564e02727c..0908776378a 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/HostAuthenticator.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/NodeIdentifier.java
@@ -19,7 +19,7 @@ import static com.yahoo.vespa.athenz.tls.SubjectAlternativeName.Type.DNS_NAME;
*
* @author bjorncs
*/
-class HostAuthenticator {
+class NodeIdentifier {
private static final String TENANT_DOCKER_HOST_IDENTITY = "vespa.vespa.tenant-host";
private static final String TENANT_DOCKER_CONTAINER_IDENTITY = "vespa.vespa.tenant";
@@ -28,16 +28,16 @@ class HostAuthenticator {
private final Zone zone;
private final NodeRepository nodeRepository;
- HostAuthenticator(Zone zone, NodeRepository nodeRepository) {
+ NodeIdentifier(Zone zone, NodeRepository nodeRepository) {
this.zone = zone;
this.nodeRepository = nodeRepository;
}
- NodePrincipal authenticate(List<X509Certificate> certificateChain) throws AuthenticationException {
+ NodePrincipal resolveNode(List<X509Certificate> certificateChain) throws NodeIdentifierException {
X509Certificate clientCertificate = certificateChain.get(0);
String subjectCommonName = X509CertificateUtils.getSubjectCommonNames(clientCertificate).stream()
.findFirst()
- .orElseThrow(() -> new AuthenticationException("Certificate subject common name is missing!"));
+ .orElseThrow(() -> new NodeIdentifierException("Certificate subject common name is missing!"));
if (isAthenzIssued(clientCertificate)) {
List<SubjectAlternativeName> sans = X509CertificateUtils.getSubjectAlternativeNames(clientCertificate);
switch (subjectCommonName) {
@@ -57,7 +57,7 @@ class HostAuthenticator {
private boolean isAthenzIssued(X509Certificate certificate) {
String issuerCommonName = X509CertificateUtils.getIssuerCommonNames(certificate).stream()
.findFirst()
- .orElseThrow(() -> new AuthenticationException("Certificate issuer common name is missing!"));
+ .orElseThrow(() -> new NodeIdentifierException("Certificate issuer common name is missing!"));
return issuerCommonName.equals("Yahoo Athenz CA") || issuerCommonName.equals("Athenz AWS CA");
}
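Review bot: The trust decision in isAthenzIssued rests on a string comparison of the issuer common name alone (`"Yahoo Athenz CA"` / `"Athenz AWS CA"`); nothing in this class checks the chain or the signature against the Athenz CA, and the test at the bottom of the diff signs the leaf with `KEYPAIR.getPrivate()` rather than a CA key, which confirms only the name is consulted. That is acceptable only if chain validation has already happened at the TLS layer and the trust store holds nothing that could issue a certificate with one of those issuer names, so I would state the assumption where the next maintainer will see it: `// Only the issuer CN is inspected here; chain validation against the Athenz CAs must be enforced by the TLS layer before this filter runs.` If the trust store is broader than the two Athenz CAs, comparing against the configured CA certificate (issuer DN plus key identifier, or an exact `X500Principal` match) would be safer than a CN string, but I cannot see the connector configuration from this diff.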
@@ -72,15 +72,15 @@ class HostAuthenticator {
.filter(node -> node.openStackId().equals(openstackId))
.map(Node::hostname)
.findFirst()
- .orElseThrow(() -> new AuthenticationException(String.format("Cannot find node with openstack-id '%s' in node repository", openstackId)));
+ .orElseThrow(() -> new NodeIdentifierException(String.format("Cannot find node with openstack-id '%s' in node repository", openstackId)));
}
private String getHostFromVespaCertificate(List<SubjectAlternativeName> sans) {
VespaUniqueInstanceId instanceId = VespaUniqueInstanceId.fromDottedString(getUniqueInstanceId(sans));
if (!zone.environment().value().equals(instanceId.environment()))
- throw new AuthenticationException("Invalid environment: " + instanceId.environment());
+ throw new NodeIdentifierException("Invalid environment: " + instanceId.environment());
if (!zone.region().value().equals(instanceId.region()))
- throw new AuthenticationException("Invalid region(): " + instanceId.region());
+ throw new NodeIdentifierException("Invalid region(): " + instanceId.region());
List<Node> applicationNodes =
nodeRepository.getNodes(ApplicationId.from(instanceId.tenant(), instanceId.application(), instanceId.instance()));
return applicationNodes.stream()
@@ -91,7 +91,7 @@ class HostAuthenticator {
.orElse(false))
.map(Node::hostname)
.findFirst()
- .orElseThrow(() -> new AuthenticationException("Could not find any node with instance id: " + instanceId.asDottedString()));
+ .orElseThrow(() -> new NodeIdentifierException("Could not find any node with instance id: " + instanceId.asDottedString()));
}
private static String getUniqueInstanceId(List<SubjectAlternativeName> sans) {
@@ -101,11 +101,11 @@ class HostAuthenticator {
.filter(dnsName -> (dnsName.endsWith("yahoo.cloud") || dnsName.endsWith("oath.cloud")) && dnsName.contains(INSTANCE_ID_DELIMITER))
.map(dnsName -> dnsName.substring(0, dnsName.indexOf(INSTANCE_ID_DELIMITER)))
.findFirst()
- .orElseThrow(() -> new AuthenticationException("Could not find unique instance id from SAN addresses: " + sans));
+ .orElseThrow(() -> new NodeIdentifierException("Could not find unique instance id from SAN addresses: " + sans));
}
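Review bot: The suffix filter on the new side matches any DNS SAN whose text merely ends in `yahoo.cloud` or `oath.cloud`, so a name such as `foo-yahoo.cloud` passes even though it is not under that domain; the checks should require the dot, `(dnsName.endsWith(".yahoo.cloud") || dnsName.endsWith(".oath.cloud"))`, which still accepts every SAN used in the tests. Beyond the suffix and the presence of `INSTANCE_ID_DELIMITER`, nothing constrains the rest of the name, although the tests consistently use an `instanceid.athenz.<provider>` shape; if that format is fixed, matching it exactly would be stricter than a suffix test, but I cannot confirm the contract from here. The value of `INSTANCE_ID_DELIMITER` and the start of getUniqueInstanceId lie just above this hunk.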
- static class AuthenticationException extends RuntimeException {
- AuthenticationException(String message) {
+ static class NodeIdentifierException extends RuntimeException {
+ NodeIdentifierException(String message) {
super(message);
}
}
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthenticationFilter.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/NodeIdentifierFilter.java
index eed22535842..1ff8958a993 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthenticationFilter.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/NodeIdentifierFilter.java
@@ -16,21 +16,21 @@ import java.util.Optional;
import java.util.logging.Logger;
/**
- * A filter that authenticates the remote host based on the subject and subject alternative names in client certificate.
- * A {@link NodePrincipal} object is assigned to user principal field if authentication is successful.
+ * A filter that identifies the remote node based on the subject and subject alternative names in client certificate.
+ * A {@link NodePrincipal} object is assigned to user principal field if identification is successful.
*
* @author bjorncs
*/
-@Provides("AuthenticationFilter")
-public class AuthenticationFilter extends JsonSecurityRequestFilterBase {
+@Provides("NodeIdentifierFilter")
+public class NodeIdentifierFilter extends JsonSecurityRequestFilterBase {
- private static final Logger log = Logger.getLogger(AuthenticationFilter.class.getName());
+ private static final Logger log = Logger.getLogger(NodeIdentifierFilter.class.getName());
- private final HostAuthenticator authenticator;
+ private final NodeIdentifier nodeIdentifier;
@Inject
- public AuthenticationFilter(Zone zone, NodeRepository nodeRepository) {
- this.authenticator = new HostAuthenticator(zone, nodeRepository);
+ public NodeIdentifierFilter(Zone zone, NodeRepository nodeRepository) {
+ this.nodeIdentifier = new NodeIdentifier(zone, nodeRepository);
}
@Override
@@ -39,11 +39,11 @@ public class AuthenticationFilter extends JsonSecurityRequestFilterBase {
if (clientCertificateChain.isEmpty())
return Optional.of(new ErrorResponse(Response.Status.UNAUTHORIZED, 0, "Missing client certificate"));
try {
- NodePrincipal identity = authenticator.authenticate(clientCertificateChain);
+ NodePrincipal identity = nodeIdentifier.resolveNode(clientCertificateChain);
request.setUserPrincipal(identity);
return Optional.empty();
- } catch (HostAuthenticator.AuthenticationException e) {
- log.log(LogLevel.WARNING, "Authentication failed: " + e.getMessage(), e);
+ } catch (NodeIdentifier.NodeIdentifierException e) {
+ log.log(LogLevel.WARNING, "Node identification failed: " + e.getMessage(), e);
return Optional.of(new ErrorResponse(Response.Status.UNAUTHORIZED, 1, e.getMessage()));
}
}
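Review bot: The 401 body returns `e.getMessage()` verbatim, and on the new side those messages carry node-repository lookup results ("Cannot find node with openstack-id '…'", "Could not find any node with instance id: …") and the raw SAN list, so a caller holding any CA-issued certificate can tell a wrong environment from a missing node from a malformed SAN — a small but avoidable oracle on node identifiers. I would keep the detail in the log line above it and send a fixed message: `return Optional.of(new ErrorResponse(Response.Status.UNAUTHORIZED, 1, "Could not identify node from client certificate"));`. The WARNING also attaches a stack trace for what is an expected failure on an exposed endpoint; since NodeIdentifierException is created at the throw site with no cause, logging the message alone would be as informative and much cheaper under a flood of bad certificates. The enclosing filter method starts above this hunk.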
diff --git a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilterTest.java b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilterTest.java
index 99a72d89801..c91aef36b5d 100644
--- a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilterTest.java
+++ b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilterTest.java
@@ -31,7 +31,7 @@ public class AuthorizationFilterTest {
// These are just rudimentary tests of the filter. See AuthorizerTest for more exhaustive tests
tester.assertRequest(new Request(Method.GET, "/"), 500,
"{\"error-code\":\"INTERNAL_SERVER_ERROR\",\"message\":\"GET / denied for " +
- "remote-addr: Principal is missing. AuthenticationFilter has not been applied.\"}");
+ "remote-addr: Principal is missing. NodeIdentifierFilter has not been applied.\"}");
tester.assertRequest(new Request(Method.GET, "/").commonName("foo"), 403,
"{\"error-code\":\"FORBIDDEN\",\"message\":\"GET / " +
diff --git a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/HostAuthenticatorTest.java b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/NodeIdentifierTest.java
index e6e7880c67c..de2aaf68788 100644
--- a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/HostAuthenticatorTest.java
+++ b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/NodeIdentifierTest.java
@@ -41,7 +41,7 @@ import static org.junit.Assert.assertEquals;
/**
* @author bjorncs
*/
-public class HostAuthenticatorTest {
+public class NodeIdentifierTest {
private static final String HOSTNAME = "myhostname";
private static final String OPENSTACK_ID = "OPENSTACK-ID";
private static final String AWS_INSTANCE_ID = "i-abcdef123456";
@@ -58,8 +58,8 @@ public class HostAuthenticatorTest {
.fromKeypair(
KEYPAIR, new X500Principal("CN=" + HOSTNAME), Instant.EPOCH, Instant.EPOCH.plusSeconds(60), SHA256_WITH_RSA, 1)
.build();
- HostAuthenticator authenticator = new HostAuthenticator(ZONE, nodeRepositoryDummy.nodeRepository());
- NodePrincipal identity = authenticator.authenticate(singletonList(certificate));
+ NodeIdentifier identifier = new NodeIdentifier(ZONE, nodeRepositoryDummy.nodeRepository());
+ NodePrincipal identity = identifier.resolveNode(singletonList(certificate));
assertTrue(identity.getHostname().isPresent());
assertEquals(HOSTNAME, identity.getHostname().get());
assertEquals(HOSTNAME, identity.getHostIdentityName());
@@ -78,8 +78,8 @@ public class HostAuthenticatorTest {
.fromCsr(csr, ATHENZ_YAHOO_CA_CERT.getSubjectX500Principal(), Instant.EPOCH, Instant.EPOCH.plusSeconds(60), KEYPAIR.getPrivate(), SHA256_WITH_RSA, 1)
.addSubjectAlternativeName(OPENSTACK_ID + ".instanceid.athenz.provider-name.ostk.yahoo.cloud")
.build();
- HostAuthenticator authenticator = new HostAuthenticator(ZONE, nodeRepositoryDummy.nodeRepository());
- NodePrincipal identity = authenticator.authenticate(singletonList(certificate));
+ NodeIdentifier identifier = new NodeIdentifier(ZONE, nodeRepositoryDummy.nodeRepository());
+ NodePrincipal identity = identifier.resolveNode(singletonList(certificate));
assertTrue(identity.getHostname().isPresent());
assertEquals(HOSTNAME, identity.getHostname().get());
assertEquals(identityName, identity.getHostIdentityName());
@@ -98,8 +98,8 @@ public class HostAuthenticatorTest {
.fromCsr(csr, ATHENZ_AWS_CA_CERT.getSubjectX500Principal(), Instant.EPOCH, Instant.EPOCH.plusSeconds(60), KEYPAIR.getPrivate(), SHA256_WITH_RSA, 1)
.addSubjectAlternativeName(AWS_INSTANCE_ID + ".instanceid.athenz.aws.oath.cloud")
.build();
- HostAuthenticator authenticator = new HostAuthenticator(ZONE, nodeRepositoryDummy.nodeRepository());
- NodePrincipal identity = authenticator.authenticate(singletonList(certificate));
+ NodeIdentifier identifier = new NodeIdentifier(ZONE, nodeRepositoryDummy.nodeRepository());
+ NodePrincipal identity = identifier.resolveNode(singletonList(certificate));
assertTrue(identity.getHostname().isPresent());
assertEquals(HOSTNAME, identity.getHostname().get());
assertEquals(identityName, identity.getHostIdentityName());
@@ -125,8 +125,8 @@ public class HostAuthenticatorTest {
.fromCsr(csr, ATHENZ_YAHOO_CA_CERT.getSubjectX500Principal(), Instant.EPOCH, Instant.EPOCH.plusSeconds(60), KEYPAIR.getPrivate(), SHA256_WITH_RSA, 1)
.addSubjectAlternativeName(vespaUniqueInstanceId.asDottedString() + ".instanceid.athenz.provider-name.vespa.yahoo.cloud")
.build();
- HostAuthenticator authenticator = new HostAuthenticator(ZONE, nodeRepositoryDummy.nodeRepository());
- NodePrincipal identity = authenticator.authenticate(singletonList(certificate));
+ NodeIdentifier identifier = new NodeIdentifier(ZONE, nodeRepositoryDummy.nodeRepository());
+ NodePrincipal identity = identifier.resolveNode(singletonList(certificate));
assertTrue(identity.getHostname().isPresent());
assertEquals(HOSTNAME, identity.getHostname().get());
assertEquals(identityName, identity.getHostIdentityName());
@@ -142,8 +142,8 @@ public class HostAuthenticatorTest {
X509Certificate certificate = X509CertificateBuilder
.fromCsr(csr, ATHENZ_YAHOO_CA_CERT.getSubjectX500Principal(), Instant.EPOCH, Instant.EPOCH.plusSeconds(60), KEYPAIR.getPrivate(), SHA256_WITH_RSA, 1)
.build();
- HostAuthenticator authenticator = new HostAuthenticator(ZONE, nodeRepositoryDummy.nodeRepository());
- NodePrincipal identity = authenticator.authenticate(singletonList(certificate));
+ NodeIdentifier identifier = new NodeIdentifier(ZONE, nodeRepositoryDummy.nodeRepository());
+ NodePrincipal identity = identifier.resolveNode(singletonList(certificate));
assertFalse(identity.getHostname().isPresent());
assertEquals(identityName, identity.getHostIdentityName());
}