author | Bjørn Christian Seime <bjorncs@oath.com> | 2018-06-08 17:01:01 +0200 |
committer | Bjørn Christian Seime <bjorncs@oath.com> | 2018-06-11 10:46:04 +0200 |
commit | b0f28c16747b19952bb1d5f6204c5547f4c93801 (patch) | |
tree | 5e76ad6088a3bacb7901f88a872a793327141dcd /node-repository | |
parent | 3bb80fde3cbe2220c35a3afc0f2048681ecac18c (diff) |
Identity ZTS in NodeIdentifier
Diffstat (limited to 'node-repository')
2 files changed, 17 insertions, 0 deletions
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/NodeIdentifier.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/NodeIdentifier.java
index 9f9c4bd3c2c..e78bcb6b5e8 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/NodeIdentifier.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/NodeIdentifier.java
@@ -29,6 +29,8 @@ class NodeIdentifier {
 static final String PROXY_HOST_IDENTITY = "vespa.vespa.proxy";
 static final String CONFIGSERVER_HOST_IDENTITY = "vespa.vespa.configserver";
 static final String TENANT_DOCKER_CONTAINER_IDENTITY = "vespa.vespa.tenant";
+ static final String ZTS_ON_PREM_IDENTITY = "zts.athens.yahoo.com";
+ static final String ZTS_AWS_IDENTITY = "zts.athenz.ouroath.com";
 private static final String INSTANCE_ID_DELIMITER = ".instanceid.athenz.";
 private final Zone zone;
@@ -60,6 +62,9 @@ class NodeIdentifier {
 default:
 return NodePrincipal.withAthenzIdentity(subjectCommonName, certificateChain);
 }
+ } else if (subjectCommonName.equals(ZTS_ON_PREM_IDENTITY) || subjectCommonName.equals(ZTS_AWS_IDENTITY)) {
+ // ZTS treated as a node principal even though its not a Vespa node
+ return NodePrincipal.withLegacyIdentity(subjectCommonName, certificateChain);
 } else { // self-signed where common name is hostname
 // TODO Remove this branch once self-signed certificates are gone
 return NodePrincipal.withLegacyIdentity(subjectCommonName, certificateChain);
diff --git a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/NodeIdentifierTest.java b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/NodeIdentifierTest.java
index 02588099832..9c441e82a84 100644
--- a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/NodeIdentifierTest.java 
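Review bot: The new `else if` branch in resolveNode folds the ZTS service into the LEGACY principal type, the same bucket as the self-signed hostname certificates the TODO below it plans to remove, so downstream authorization cannot tell a ZTS caller from a legacy host and the ZTS path will silently depend on `withLegacyIdentity` surviving that cleanup. The trust decision here is a plain string comparison of the subject CN; that is only safe if the certificate chain has already been verified against the Athenz CA before reaching this method, which this hunk cannot show and which the accompanying test (a self-signed certificate with the ZTS CN) suggests resolveNode itself does not enforce. I would state that dependency at the branch, e.g. `// ZTS is not a Vespa node; mapped to a LEGACY principal so existing authorization rules apply. Assumes the TLS layer has already validated the chain against the Athenz CA — do not remove with the self-signed branch below.` and fix "its" to "it's" in the existing comment. The enclosing method starts and ends outside the hunk.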
+++ b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/NodeIdentifierTest.java
@@ -36,6 +36,7 @@ import static com.yahoo.vespa.hosted.provision.restapi.v2.filter.NodeIdentifier.
 import static com.yahoo.vespa.hosted.provision.restapi.v2.filter.NodeIdentifier.PROXY_HOST_IDENTITY;
 import static com.yahoo.vespa.hosted.provision.restapi.v2.filter.NodeIdentifier.TENANT_DOCKER_CONTAINER_IDENTITY;
 import static com.yahoo.vespa.hosted.provision.restapi.v2.filter.NodeIdentifier.TENANT_DOCKER_HOST_IDENTITY;
+import static com.yahoo.vespa.hosted.provision.restapi.v2.filter.NodeIdentifier.ZTS_AWS_IDENTITY;
 import static java.util.Collections.emptySet;
 import static java.util.Collections.singleton;
 import static java.util.Collections.singletonList;
@@ -149,6 +150,17 @@ public class NodeIdentifierTest {
 }
 @Test
+ public void accepts_zts_certificate() {
+ X509Certificate certificate = X509CertificateBuilder
+ .fromKeypair(KEYPAIR, new X500Principal("CN=" + ZTS_AWS_IDENTITY), Instant.EPOCH, Instant.EPOCH.plusSeconds(60), SHA256_WITH_RSA, 1)
+ .build();
+ NodeIdentifier identifier = new NodeIdentifier(ZONE, new NodeRepositoryTester().nodeRepository());
+ NodePrincipal identity = identifier.resolveNode(singletonList(certificate));
+ assertEquals(ZTS_AWS_IDENTITY, identity.getHostIdentityName());
+ assertEquals(NodePrincipal.Type.LEGACY, identity.getType());
+ }
+
+ @Test
 public void accepts_docker_container_certificate() {
 String clusterId = "clusterid";
 int clusterIndex = 0; |
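Review bot: The new accepts_zts_certificate test exercises only ZTS_AWS_IDENTITY, while the production branch it covers also accepts ZTS_ON_PREM_IDENTITY; the second half of that `||` has no test and a typo in "zts.athens.yahoo.com" would go unnoticed. Extract the body into a helper such as `private void assertZtsIdentityAccepted(String ztsIdentity)` taking the CN, and call it once per constant (adding the `ZTS_ON_PREM_IDENTITY` static import alongside the one added in the first hunk). The test also pins `NodePrincipal.Type.LEGACY` for ZTS, so a comment like `// ZTS is deliberately mapped to LEGACY; see NodeIdentifier.resolveNode` would tell the next maintainer the assertion is intentional rather than incidental. accepts_docker_container_certificate continues outside the hunk.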