Add SAN URI with cluster type in instance certificates

author: Bjørn Christian Seime <bjorncs@yahooinc.com> 2023-02-03 12:22:44 +0100
committer: Bjørn Christian Seime <bjorncs@yahooinc.com> 2023-02-03 12:23:24 +0100
commit: 90892ba4d2a302b1a262fdd1198fac8c6724e44f (patch)
tree: 0eaa5c41368af736cd3bdb0a36f4b74f4370b886 /vespa-athenz/src/main
parent: e09b191faf77bb95b923bb709b2181a0a3ee2c81 (diff)
4 files changed, 15 insertions, 10 deletions
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/EntityBindingsMapper.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/EntityBindingsMapper.java
index 0949192b884..ddec80cda9d 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/EntityBindingsMapper.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/EntityBindingsMapper.java
@@ -4,6 +4,7 @@ package com.yahoo.vespa.athenz.identityprovider.api;
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule;
+import com.yahoo.config.provision.ClusterSpec;
 import com.yahoo.vespa.athenz.api.AthenzService;
 import com.yahoo.vespa.athenz.identityprovider.api.bindings.SignedIdentityDocumentEntity;
 
@@ -14,6 +15,7 @@ import java.io.UncheckedIOException;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.StandardCopyOption;
+import java.util.Optional;
 
 import static com.yahoo.vespa.athenz.identityprovider.api.VespaUniqueInstanceId.fromDottedString;
 
@@ -48,7 +50,7 @@ public class EntityBindingsMapper {
                 entity.createdAt(),
                 entity.ipAddresses(),
                 IdentityType.fromId(entity.identityType()),
-                entity.clusterType());
+                ClusterSpec.Type.from(entity.clusterType()));
     }
 
     public static SignedIdentityDocumentEntity toSignedIdentityDocumentEntity(SignedIdentityDocument model) {
@@ -63,7 +65,7 @@ public class EntityBindingsMapper {
                 model.createdAt(),
                 model.ipAddresses(),
                 model.identityType().id(),
-                model.clusterType());
+                Optional.ofNullable(model.clusterType()).map(ClusterSpec.Type::name).orElse(null));
     }
 
     public static SignedIdentityDocument readSignedIdentityDocumentFromFile(Path file) {
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/SignedIdentityDocument.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/SignedIdentityDocument.java
index c2d8ece84a5..0fe09f47d80 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/SignedIdentityDocument.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/SignedIdentityDocument.java
@@ -1,6 +1,7 @@
 // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.vespa.athenz.identityprovider.api;
 
+import com.yahoo.config.provision.ClusterSpec;
 import com.yahoo.vespa.athenz.api.AthenzService;
 
 import java.time.Instant;
@@ -14,7 +15,7 @@ import java.util.Set;
 public record SignedIdentityDocument(String signature, int signingKeyVersion, VespaUniqueInstanceId providerUniqueId,
                                      AthenzService providerService, int documentVersion, String configServerHostname,
                                      String instanceHostname, Instant createdAt, Set<String> ipAddresses,
-                                     IdentityType identityType, String clusterType) {
+                                     IdentityType identityType, ClusterSpec.Type clusterType) {
     public static final int DEFAULT_DOCUMENT_VERSION = 2;
 
 }
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/CsrGenerator.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/CsrGenerator.java
index bafeab805bd..8deecb9d549 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/CsrGenerator.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/CsrGenerator.java
@@ -1,6 +1,7 @@
 // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.vespa.athenz.identityprovider.client;
 
+import com.yahoo.config.provision.ClusterSpec;
 import com.yahoo.security.Pkcs10Csr;
 import com.yahoo.security.Pkcs10CsrBuilder;
 import com.yahoo.security.SubjectAlternativeName;
@@ -36,7 +37,7 @@ public class CsrGenerator {
     public Pkcs10Csr generateInstanceCsr(AthenzIdentity instanceIdentity,
                                          VespaUniqueInstanceId instanceId,
                                          Set<String> ipAddresses,
-                                         String clusterType,
+                                         ClusterSpec.Type clusterType,
                                          KeyPair keyPair) {
         X500Principal subject = new X500Principal(String.format("OU=%s, CN=%s", providerService, instanceIdentity.getFullName()));
         // Add SAN dnsname <service>.<domain-with-dashes>.<provider-dnsname-suffix>
@@ -50,7 +51,7 @@ public class CsrGenerator {
                                 instanceIdentity.getDomainName().replace(".", "-"),
                                 dnsSuffix))
                 .addSubjectAlternativeName(DNS, getIdentitySAN(instanceId));
-        if (clusterType != null) pkcs10CsrBuilder.addSubjectAlternativeName(URI, "vespa://cluster-type/%s".formatted(clusterType));
+        if (clusterType != null) pkcs10CsrBuilder.addSubjectAlternativeName(URI, "vespa://cluster-type/%s".formatted(clusterType.name()));
         ipAddresses.forEach(ip ->  pkcs10CsrBuilder.addSubjectAlternativeName(new SubjectAlternativeName(IP, ip)));
         return pkcs10CsrBuilder.build();
     }
@@ -58,13 +59,13 @@ public class CsrGenerator {
     public Pkcs10Csr generateRoleCsr(AthenzIdentity identity,
                                      AthenzRole role,
                                      VespaUniqueInstanceId instanceId,
-                                     String clusterType,
+                                     ClusterSpec.Type clusterType,
                                      KeyPair keyPair) {
         X500Principal principal = new X500Principal(String.format("OU=%s, cn=%s:role.%s", providerService, role.domain().getName(), role.roleName()));
         var b = Pkcs10CsrBuilder.fromKeypair(principal, keyPair, SHA256_WITH_RSA)
                 .addSubjectAlternativeName(DNS, getIdentitySAN(instanceId))
                 .addSubjectAlternativeName(EMAIL, String.format("%s.%s@%s", identity.getDomainName(), identity.getName(), dnsSuffix));
-        if (clusterType != null) b.addSubjectAlternativeName(URI, "vespa://cluster-type/%s".formatted(clusterType));
+        if (clusterType != null) b.addSubjectAlternativeName(URI, "vespa://cluster-type/%s".formatted(clusterType.name()));
         return b.build();
     }
 
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/IdentityDocumentSigner.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/IdentityDocumentSigner.java
index 13bea80dfed..6aa22263a7e 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/IdentityDocumentSigner.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/IdentityDocumentSigner.java
@@ -1,6 +1,7 @@
 // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.vespa.athenz.identityprovider.client;
 
+import com.yahoo.config.provision.ClusterSpec;
 import com.yahoo.security.SignatureUtils;
 import com.yahoo.vespa.athenz.api.AthenzService;
 import com.yahoo.vespa.athenz.identityprovider.api.IdentityType;
@@ -34,7 +35,7 @@ public class IdentityDocumentSigner {
                                     Instant createdAt,
                                     Set<String> ipAddresses,
                                     IdentityType identityType,
-                                    String clusterType,
+                                    ClusterSpec.Type clusterType,
                                     PrivateKey privateKey) {
         try {
             Signature signer = SignatureUtils.createSigner(privateKey);
@@ -70,7 +71,7 @@ public class IdentityDocumentSigner {
                                       Instant createdAt,
                                       Set<String> ipAddresses,
                                       IdentityType identityType,
-                                      String clusterType) throws SignatureException {
+                                      ClusterSpec.Type clusterType) throws SignatureException {
         signer.update(providerUniqueId.asDottedString().getBytes(UTF_8));
         signer.update(providerService.getFullName().getBytes(UTF_8));
         signer.update(configServerHostname.getBytes(UTF_8));
@@ -82,6 +83,6 @@ public class IdentityDocumentSigner {
             signer.update(ipAddress.getBytes(UTF_8));
         }
         signer.update(identityType.id().getBytes(UTF_8));
-        if (clusterType != null) signer.update(clusterType.getBytes(UTF_8));
+        if (clusterType != null) signer.update(clusterType.name().getBytes(UTF_8));
     }
 }
author	Bjørn Christian Seime <bjorncs@yahooinc.com>	2023-02-03 12:22:44 +0100
committer	Bjørn Christian Seime <bjorncs@yahooinc.com>	2023-02-03 12:23:24 +0100
commit	90892ba4d2a302b1a262fdd1198fac8c6724e44f (patch)
tree	0eaa5c41368af736cd3bdb0a36f4b74f4370b886 /vespa-athenz/src/main
parent	e09b191faf77bb95b923bb709b2181a0a3ee2c81 (diff)