authorMorten Tokle <mortent@oath.com>2018-10-05 12:27:50 +0200
committerMorten Tokle <mortent@oath.com>2018-10-05 12:27:50 +0200
commitac951c8a7359da2ea99a80cd4bd1d3dfe23b5376 (patch)
tree5278a332b61fa45f0704e07c3ddbbb7342c26171 /vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts
parentab53bb75dc2d56f75ba10a6a1dc127b7d0fa0ba6 (diff)
Implement role CSR requirements
Diffstat (limited to 'vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts')
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java21
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClient.java16
2 files changed, 7 insertions, 30 deletions
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java
index 7d4901f163a..dc82ed7fcb9 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java
@@ -24,7 +24,6 @@ import com.yahoo.vespa.athenz.client.zts.utils.IdentityCsrGenerator;
import com.yahoo.vespa.athenz.identity.ServiceIdentityProvider;
import com.yahoo.vespa.athenz.identity.ServiceIdentitySslSocketFactory;
import com.yahoo.vespa.athenz.tls.Pkcs10Csr;
-import com.yahoo.vespa.athenz.tls.Pkcs10CsrBuilder;
import org.apache.http.HttpResponse;
import org.apache.http.client.ResponseHandler;
import org.apache.http.client.config.RequestConfig;
@@ -40,7 +39,6 @@ import org.eclipse.jetty.http.HttpStatus;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
-import javax.security.auth.x500.X500Principal;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.net.URI;
@@ -50,9 +48,6 @@ import java.time.Duration;
import java.util.List;
import java.util.function.Supplier;
-import static com.yahoo.vespa.athenz.tls.SignatureAlgorithm.SHA256_WITH_RSA;
-import static com.yahoo.vespa.athenz.tls.SubjectAlternativeName.Type.DNS_NAME;
-import static com.yahoo.vespa.athenz.tls.SubjectAlternativeName.Type.RFC822_NAME;
import static java.util.stream.Collectors.toList;
/**
@@ -163,15 +158,7 @@ public class DefaultZtsClient implements ZtsClient {
}
@Override
- public X509Certificate getRoleCertificate(AthenzRole role,
- Duration expiry,
- KeyPair keyPair,
- String cloud) {
- X500Principal principal = new X500Principal(String.format("cn=%s:role.%s", role.domain().getName(), role.roleName()));
- Pkcs10Csr csr = Pkcs10CsrBuilder.fromKeypair(principal, keyPair, SHA256_WITH_RSA)
- .addSubjectAlternativeName(DNS_NAME, String.format("%s.%s.%s", identity.getName(), identity.getDomainName().replace('.', '-'), cloud))
- .addSubjectAlternativeName(RFC822_NAME, String.format("%s.%s@%s", identity.getDomainName(), identity.getName(), cloud))
- .build();
+ public X509Certificate getRoleCertificate(AthenzRole role, Pkcs10Csr csr, Duration expiry) {
RoleCertificateRequestEntity requestEntity = new RoleCertificateRequestEntity(csr, expiry);
URI uri = ztsUrl.resolve(String.format("domain/%s/role/%s/token", role.domain().getName(), role.roleName()));
HttpUriRequest request = RequestBuilder.post(uri)
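Review bot: The new getRoleCertificate on the added signature line accepts a caller-supplied Pkcs10Csr and passes it straight into RoleCertificateRequestEntity without any check, whereas the removed code built the CSR itself with subject `cn=<domain>:role.<role>` and fixed SAN entries, so that invariant is now the caller's responsibility and a mismatch is presumably only surfaced as a rejection from ZTS. A null csr would likewise not fail at the call site. Add `Objects.requireNonNull(csr, "csr");` as the first statement (importing `java.util.Objects` if DefaultZtsClient does not already), and, if Pkcs10Csr exposes its subject, a precondition comparing the CN against the role so the error names the mismatch rather than the remote response. The method's body continues past the hunk.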
@@ -184,10 +171,8 @@ public class DefaultZtsClient implements ZtsClient {
}
@Override
- public X509Certificate getRoleCertificate(AthenzRole role,
- KeyPair keyPair,
- String cloud) {
- return getRoleCertificate(role, null, keyPair, cloud);
+ public X509Certificate getRoleCertificate(AthenzRole role, Pkcs10Csr csr) {
+ return getRoleCertificate(role, csr, null);
}
@Override
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClient.java
index 5c0e21bfa97..2ef6039ddc8 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClient.java
@@ -1,7 +1,6 @@
// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.vespa.athenz.client.zts;
-import com.yahoo.athenz.zts.TenantDomains;
import com.yahoo.vespa.athenz.api.AthenzDomain;
import com.yahoo.vespa.athenz.api.AthenzIdentity;
import com.yahoo.vespa.athenz.api.AthenzRole;
@@ -84,27 +83,20 @@ public interface ZtsClient extends AutoCloseable {
* Fetch role certificate for the target domain and role
*
* @param role Target role
+ * @param csr Certificate signing request matching role
* @param expiry Certificate expiry
- * @param keyPair Key pair which will be used to generate CSR (certificate signing request)
- * @param cloud The cloud suffix used in DNS SAN entries
* @return A role certificate
*/
- X509Certificate getRoleCertificate(AthenzRole role,
- Duration expiry,
- KeyPair keyPair,
- String cloud);
+ X509Certificate getRoleCertificate(AthenzRole role, Pkcs10Csr csr, Duration expiry);
/**
* Fetch role certificate for the target domain and role
*
* @param role Target role
- * @param keyPair Key pair which will be used to generate CSR (certificate signing request)
- * @param cloud The cloud suffix used in DNS SAN entries
+ * @param csr Certificate signing request matching role
* @return A role certificate
*/
- X509Certificate getRoleCertificate(AthenzRole role,
- KeyPair keyPair,
- String cloud);
+ X509Certificate getRoleCertificate(AthenzRole role, Pkcs10Csr csr);
/**
* For a given provider, get a list of tenant domains that the user is a member of
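Review bot: The `@param csr Certificate signing request matching role` text on both overloads does not say what "matching" means, even though the implementation removed in DefaultZtsClient in this commit fixed the subject to `cn=<domain>:role.<role>` plus DNS and RFC822 SAN entries, so a caller now building its own CSR has nothing to go on. Spell out the contract on both overloads, e.g. `@param csr CSR whose subject CN must be <domain>:role.<role> for the target role; required SAN entries are the caller's responsibility`, limited to what ZTS actually enforces. The two-argument overload delegates with a null expiry in DefaultZtsClient, which its Javadoc here does not mention; state what a null expiry means (presumably the server-side default applies). If `KeyPair` is no longer referenced elsewhere in this interface, its import above the hunk is now unused.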