author | Bjørn Christian Seime <bjorncs@oath.com> | 2018-04-25 14:41:10 +0200 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@oath.com> | 2018-04-25 14:41:50 +0200 |
commit | e516e1a12fb7e6e7501a21501d9c9860b864c6cb (patch) | |
tree | fa6d5016c71ac65fc3662845319bd7de3bdf2d55 /node-repository | |
parent | 2d8b50d55c41ca86728eda75dc133aef6a5b5cd8 (diff) |
Replace 'Authentication' with 'Identification' for AuthenticationFilter and friends
Diffstat (limited to 'node-repository')
-rw-r--r-- | node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilter.java | 11 | ||||
-rw-r--r-- | node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/NodeIdentifier.java (renamed from node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/HostAuthenticator.java) | 24 | ||||
-rw-r--r-- | node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/NodeIdentifierFilter.java (renamed from node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthenticationFilter.java) | 22 | ||||
-rw-r--r-- | node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilterTest.java | 2 | ||||
-rw-r--r-- | node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/NodeIdentifierTest.java (renamed from node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/HostAuthenticatorTest.java) | 22 |
5 files changed, 39 insertions, 42 deletions
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilter.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilter.java
index ab6bb229dd8..09e002b580d 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilter.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilter.java
@@ -14,9 +14,6 @@ import com.yahoo.vespa.hosted.provision.restapi.v2.ErrorResponse;
 import com.yahoo.yolean.chain.After;
 
 import java.net.URI;
-import java.security.Principal;
-import java.security.cert.X509Certificate;
-import java.util.List;
 import java.util.Optional;
 import java.util.function.BiConsumer;
 import java.util.function.BiPredicate;
@@ -25,12 +22,12 @@ import java.util.stream.Collectors;
 import java.util.stream.Stream;
 
 /**
- * Authorization filter for all paths in config server. It assumes that {@link AuthenticationFilter} is part of filter chain.
+ * Authorization filter for all paths in config server. It assumes that {@link NodeIdentifierFilter} is part of filter chain.
 *
 * @author mpolden
 * @author bjorncs
 */
-@After("AuthenticationFilter")
+@After("NodeIdentifierFilter")
 public class AuthorizationFilter implements SecurityRequestFilter {
 
 private static final Logger log = Logger.getLogger(AuthorizationFilter.class.getName());
@@ -68,12 +65,12 @@ public class AuthorizationFilter implements SecurityRequestFilter {
 try {
 NodePrincipal hostIdentity = (NodePrincipal) request.getUserPrincipal();
 if (hostIdentity == null)
- return Optional.of(ErrorResponse.internalServerError(createErrorMessage(request, "Principal is missing. AuthenticationFilter has not been applied.")));
+ return Optional.of(ErrorResponse.internalServerError(createErrorMessage(request, "Principal is missing. NodeIdentifierFilter has not been applied.")));
 if (!authorizer.test(hostIdentity, request.getUri()))
 return Optional.of(ErrorResponse.forbidden(createErrorMessage(request, "Invalid credentials")));
 request.setUserPrincipal(hostIdentity);
 return Optional.empty();
- } catch (HostAuthenticator.AuthenticationException e) {
+ } catch (NodeIdentifier.NodeIdentifierException e) {
 return Optional.of(ErrorResponse.forbidden(createErrorMessage(request, "Invalid credentials: " + e.getMessage())));
 }
 }
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/HostAuthenticator.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/NodeIdentifier.java
index d564e02727c..0908776378a 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/HostAuthenticator.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/NodeIdentifier.java
@@ -19,7 +19,7 @@ import static com.yahoo.vespa.athenz.tls.SubjectAlternativeName.Type.DNS_NAME;
 *
 * @author bjorncs
 */
-class HostAuthenticator {
+class NodeIdentifier {
 
 private static final String TENANT_DOCKER_HOST_IDENTITY = "vespa.vespa.tenant-host";
 private static final String TENANT_DOCKER_CONTAINER_IDENTITY = "vespa.vespa.tenant";
@@ -28,16 +28,16 @@ class HostAuthenticator {
 private final Zone zone;
 private final NodeRepository nodeRepository;
 
- HostAuthenticator(Zone zone, NodeRepository nodeRepository) {
+ NodeIdentifier(Zone zone, NodeRepository nodeRepository) {
 this.zone = zone;
 this.nodeRepository = nodeRepository;
 }
 
- NodePrincipal authenticate(List<X509Certificate> certificateChain) throws AuthenticationException {
+ NodePrincipal resolveNode(List<X509Certificate> certificateChain) throws NodeIdentifierException {
 X509Certificate clientCertificate = certificateChain.get(0);
 String subjectCommonName = X509CertificateUtils.getSubjectCommonNames(clientCertificate).stream()
 .findFirst()
- .orElseThrow(() -> new AuthenticationException("Certificate subject common name is missing!"));
+ .orElseThrow(() -> new NodeIdentifierException("Certificate subject common name is missing!"));
 if (isAthenzIssued(clientCertificate)) {
 List<SubjectAlternativeName> sans = X509CertificateUtils.getSubjectAlternativeNames(clientCertificate);
 switch (subjectCommonName) {
@@ -57,7 +57,7 @@ class HostAuthenticator {
 private boolean isAthenzIssued(X509Certificate certificate) {
 String issuerCommonName = X509CertificateUtils.getIssuerCommonNames(certificate).stream()
 .findFirst()
- .orElseThrow(() -> new AuthenticationException("Certificate issuer common name is missing!"));
+ .orElseThrow(() -> new NodeIdentifierException("Certificate issuer common name is missing!"));
 return issuerCommonName.equals("Yahoo Athenz CA") || issuerCommonName.equals("Athenz AWS CA");
 }
 
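Review bot: `resolveNode` dereferences `certificateChain.get(0)` before any emptiness check, so an empty list surfaces as an `IndexOutOfBoundsException` rather than a `NodeIdentifierException`, and only the call site in `NodeIdentifierFilter` currently guards against it. A guard at the top of the method keeps the failure inside the type the filters already catch: `if (certificateChain.isEmpty()) throw new NodeIdentifierException("Client certificate chain is empty");`. The method also assumes element 0 is the end-entity certificate and that chain validation already happened at the TLS layer — worth stating in a Javadoc `@throws NodeIdentifierException` block, since the `throws` clause on an unchecked exception is documentation only. `resolveNode` continues past the end of this hunk.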
@@ -72,15 +72,15 @@ class HostAuthenticator {
 .filter(node -> node.openStackId().equals(openstackId))
 .map(Node::hostname)
 .findFirst()
- .orElseThrow(() -> new AuthenticationException(String.format("Cannot find node with openstack-id '%s' in node repository", openstackId)));
+ .orElseThrow(() -> new NodeIdentifierException(String.format("Cannot find node with openstack-id '%s' in node repository", openstackId)));
 }
 
 private String getHostFromVespaCertificate(List<SubjectAlternativeName> sans) {
 VespaUniqueInstanceId instanceId = VespaUniqueInstanceId.fromDottedString(getUniqueInstanceId(sans));
 if (!zone.environment().value().equals(instanceId.environment()))
- throw new AuthenticationException("Invalid environment: " + instanceId.environment());
+ throw new NodeIdentifierException("Invalid environment: " + instanceId.environment());
 if (!zone.region().value().equals(instanceId.region()))
- throw new AuthenticationException("Invalid region(): " + instanceId.region());
+ throw new NodeIdentifierException("Invalid region(): " + instanceId.region());
 
 List<Node> applicationNodes = nodeRepository.getNodes(ApplicationId.from(instanceId.tenant(), instanceId.application(), instanceId.instance()));
 return applicationNodes.stream()
@@ -91,7 +91,7 @@ class HostAuthenticator {
 .orElse(false))
 .map(Node::hostname)
 .findFirst()
- .orElseThrow(() -> new AuthenticationException("Could not find any node with instance id: " + instanceId.asDottedString()));
+ .orElseThrow(() -> new NodeIdentifierException("Could not find any node with instance id: " + instanceId.asDottedString()));
 }
 
 private static String getUniqueInstanceId(List<SubjectAlternativeName> sans) {
@@ -101,11 +101,11 @@ class HostAuthenticator {
 .filter(dnsName -> (dnsName.endsWith("yahoo.cloud") || dnsName.endsWith("oath.cloud")) && dnsName.contains(INSTANCE_ID_DELIMITER))
 .map(dnsName -> dnsName.substring(0, dnsName.indexOf(INSTANCE_ID_DELIMITER)))
 .findFirst()
- .orElseThrow(() -> new AuthenticationException("Could not find unique instance id from SAN addresses: " + sans));
+ .orElseThrow(() -> new NodeIdentifierException("Could not find unique instance id from SAN addresses: " + sans));
 }
 
- static class AuthenticationException extends RuntimeException {
- AuthenticationException(String message) {
+ static class NodeIdentifierException extends RuntimeException {
+ NodeIdentifierException(String message) {
 super(message);
 }
 }
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthenticationFilter.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/NodeIdentifierFilter.java
index eed22535842..1ff8958a993 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthenticationFilter.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/NodeIdentifierFilter.java
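Review bot: The SAN filter in `getUniqueInstanceId` uses `dnsName.endsWith("yahoo.cloud")` and `dnsName.endsWith("oath.cloud")` without a leading dot, so it is a bare string-suffix test rather than a domain-suffix match and would also accept a constructed name such as `host.notyahoo.cloud`. The issuer check in `isAthenzIssued` narrows who can present such a SAN, but the suffix test itself should be `dnsName.endsWith(".yahoo.cloud") || dnsName.endsWith(".oath.cloud")`. Note also that the message on the `+` line concatenates the entire `sans` list, and that string reaches the client through the 401 body built in `NodeIdentifierFilter`. `getUniqueInstanceId` starts above this hunk.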
@@ -16,21 +16,21 @@ import java.util.Optional;
 import java.util.logging.Logger;
 
 /**
- * A filter that authenticates the remote host based on the subject and subject alternative names in client certificate.
- * A {@link NodePrincipal} object is assigned to user principal field if authentication is successful.
+ * A filter that identifies the remote node based on the subject and subject alternative names in client certificate.
+ * A {@link NodePrincipal} object is assigned to user principal field if identification is successful.
 *
 * @author bjorncs
 */
-@Provides("AuthenticationFilter")
-public class AuthenticationFilter extends JsonSecurityRequestFilterBase {
+@Provides("NodeIdentifierFilter")
+public class NodeIdentifierFilter extends JsonSecurityRequestFilterBase {
 
- private static final Logger log = Logger.getLogger(AuthenticationFilter.class.getName());
+ private static final Logger log = Logger.getLogger(NodeIdentifierFilter.class.getName());
 
- private final HostAuthenticator authenticator;
+ private final NodeIdentifier nodeIdentifier;
 
 @Inject
- public AuthenticationFilter(Zone zone, NodeRepository nodeRepository) {
- this.authenticator = new HostAuthenticator(zone, nodeRepository);
+ public NodeIdentifierFilter(Zone zone, NodeRepository nodeRepository) {
+ this.nodeIdentifier = new NodeIdentifier(zone, nodeRepository);
 }
 
 @Override
@@ -39,11 +39,11 @@ public class AuthenticationFilter extends JsonSecurityRequestFilterBase {
 if (clientCertificateChain.isEmpty())
 return Optional.of(new ErrorResponse(Response.Status.UNAUTHORIZED, 0, "Missing client certificate"));
 try {
- NodePrincipal identity = authenticator.authenticate(clientCertificateChain);
+ NodePrincipal identity = nodeIdentifier.resolveNode(clientCertificateChain);
 request.setUserPrincipal(identity);
 return Optional.empty();
- } catch (HostAuthenticator.AuthenticationException e) {
- log.log(LogLevel.WARNING, "Authentication failed: " + e.getMessage(), e);
+ } catch (NodeIdentifier.NodeIdentifierException e) {
+ log.log(LogLevel.WARNING, "Node identification failed: " + e.getMessage(), e);
 return Optional.of(new ErrorResponse(Response.Status.UNAUTHORIZED, 1, e.getMessage()));
 }
 }
diff --git a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilterTest.java b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilterTest.java
index 99a72d89801..c91aef36b5d 100644
--- a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilterTest.java
+++ b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilterTest.java
@@ -31,7 +31,7 @@ public class AuthorizationFilterTest {
 // These are just rudimentary tests of the filter. See AuthorizerTest for more exhaustive tests
 tester.assertRequest(new Request(Method.GET, "/"), 500,
 "{\"error-code\":\"INTERNAL_SERVER_ERROR\",\"message\":\"GET / denied for " +
- "remote-addr: Principal is missing. AuthenticationFilter has not been applied.\"}");
+ "remote-addr: Principal is missing. NodeIdentifierFilter has not been applied.\"}");
 tester.assertRequest(new Request(Method.GET, "/").commonName("foo"), 403,
 "{\"error-code\":\"FORBIDDEN\",\"message\":\"GET / " +
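Review bot: The 401 response on the unchanged line after the new `catch` still returns `e.getMessage()` verbatim, and the messages `NodeIdentifier` builds elsewhere in this commit embed certificate-derived values (the full SAN list, the openstack id) and name which repository lookup failed. That detail is already captured by the WARNING log line the hunk rewrites and does not need to go back to a caller whose identity could not be established; `return Optional.of(new ErrorResponse(Response.Status.UNAUTHORIZED, 1, "Node identification failed"));` keeps the body generic while the log keeps the diagnostics. The enclosing filter method starts outside this hunk. The same `e.getMessage()` echo appears in the 403 path of `AuthorizationFilter` in the first hunk of this commit.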
diff --git a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/HostAuthenticatorTest.java b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/NodeIdentifierTest.java
index e6e7880c67c..de2aaf68788 100644
--- a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/HostAuthenticatorTest.java
+++ b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/NodeIdentifierTest.java
@@ -41,7 +41,7 @@ import static org.junit.Assert.assertEquals;
 /**
 * @author bjorncs
 */
-public class HostAuthenticatorTest {
+public class NodeIdentifierTest {
 private static final String HOSTNAME = "myhostname";
 private static final String OPENSTACK_ID = "OPENSTACK-ID";
 private static final String AWS_INSTANCE_ID = "i-abcdef123456";
@@ -58,8 +58,8 @@ public class HostAuthenticatorTest {
 .fromKeypair(
 KEYPAIR, new X500Principal("CN=" + HOSTNAME), Instant.EPOCH, Instant.EPOCH.plusSeconds(60), SHA256_WITH_RSA, 1)
 .build();
- HostAuthenticator authenticator = new HostAuthenticator(ZONE, nodeRepositoryDummy.nodeRepository());
- NodePrincipal identity = authenticator.authenticate(singletonList(certificate));
+ NodeIdentifier identifier = new NodeIdentifier(ZONE, nodeRepositoryDummy.nodeRepository());
+ NodePrincipal identity = identifier.resolveNode(singletonList(certificate));
 assertTrue(identity.getHostname().isPresent());
 assertEquals(HOSTNAME, identity.getHostname().get());
 assertEquals(HOSTNAME, identity.getHostIdentityName());
@@ -78,8 +78,8 @@ public class HostAuthenticatorTest {
 .fromCsr(csr, ATHENZ_YAHOO_CA_CERT.getSubjectX500Principal(), Instant.EPOCH, Instant.EPOCH.plusSeconds(60), KEYPAIR.getPrivate(), SHA256_WITH_RSA, 1)
 .addSubjectAlternativeName(OPENSTACK_ID + ".instanceid.athenz.provider-name.ostk.yahoo.cloud")
 .build();
- HostAuthenticator authenticator = new HostAuthenticator(ZONE, nodeRepositoryDummy.nodeRepository());
- NodePrincipal identity = authenticator.authenticate(singletonList(certificate));
+ NodeIdentifier identifier = new NodeIdentifier(ZONE, nodeRepositoryDummy.nodeRepository());
+ NodePrincipal identity = identifier.resolveNode(singletonList(certificate));
 assertTrue(identity.getHostname().isPresent());
 assertEquals(HOSTNAME, identity.getHostname().get());
 assertEquals(identityName, identity.getHostIdentityName());
@@ -98,8 +98,8 @@ public class HostAuthenticatorTest {
 .fromCsr(csr, ATHENZ_AWS_CA_CERT.getSubjectX500Principal(), Instant.EPOCH, Instant.EPOCH.plusSeconds(60), KEYPAIR.getPrivate(), SHA256_WITH_RSA, 1)
 .addSubjectAlternativeName(AWS_INSTANCE_ID + ".instanceid.athenz.aws.oath.cloud")
 .build();
- HostAuthenticator authenticator = new HostAuthenticator(ZONE, nodeRepositoryDummy.nodeRepository());
- NodePrincipal identity = authenticator.authenticate(singletonList(certificate));
+ NodeIdentifier identifier = new NodeIdentifier(ZONE, nodeRepositoryDummy.nodeRepository());
+ NodePrincipal identity = identifier.resolveNode(singletonList(certificate));
 assertTrue(identity.getHostname().isPresent());
 assertEquals(HOSTNAME, identity.getHostname().get());
 assertEquals(identityName, identity.getHostIdentityName());
@@ -125,8 +125,8 @@ public class HostAuthenticatorTest {
 .fromCsr(csr, ATHENZ_YAHOO_CA_CERT.getSubjectX500Principal(), Instant.EPOCH, Instant.EPOCH.plusSeconds(60), KEYPAIR.getPrivate(), SHA256_WITH_RSA, 1)
 .addSubjectAlternativeName(vespaUniqueInstanceId.asDottedString() + ".instanceid.athenz.provider-name.vespa.yahoo.cloud")
 .build();
- HostAuthenticator authenticator = new HostAuthenticator(ZONE, nodeRepositoryDummy.nodeRepository());
- NodePrincipal identity = authenticator.authenticate(singletonList(certificate));
+ NodeIdentifier identifier = new NodeIdentifier(ZONE, nodeRepositoryDummy.nodeRepository());
+ NodePrincipal identity = identifier.resolveNode(singletonList(certificate));
 assertTrue(identity.getHostname().isPresent());
 assertEquals(HOSTNAME, identity.getHostname().get());
 assertEquals(identityName, identity.getHostIdentityName());
@@ -142,8 +142,8 @@ public class HostAuthenticatorTest {
 X509Certificate certificate = X509CertificateBuilder
 .fromCsr(csr, ATHENZ_YAHOO_CA_CERT.getSubjectX500Principal(), Instant.EPOCH, Instant.EPOCH.plusSeconds(60), KEYPAIR.getPrivate(), SHA256_WITH_RSA, 1)
 .build();
- HostAuthenticator authenticator = new HostAuthenticator(ZONE, nodeRepositoryDummy.nodeRepository());
- NodePrincipal identity = authenticator.authenticate(singletonList(certificate));
+ NodeIdentifier identifier = new NodeIdentifier(ZONE, nodeRepositoryDummy.nodeRepository());
+ NodePrincipal identity = identifier.resolveNode(singletonList(certificate));
 assertFalse(identity.getHostname().isPresent());
 assertEquals(identityName, identity.getHostIdentityName());
 }