author | Ola Aunrønning <olaa@yahooinc.com> | 2023-04-28 14:42:45 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-04-28 14:42:45 +0200 |
commit | d8f8731f6e91337f241912f71cab12e5c3febf00 (patch) | |
tree | 0bb99a62c37789162ee542a17cb4834d8115523a /vespa-athenz/src/main | |
parent | 0d2f9fd89a897e9587fdf8a819ea69cc27c4396f (diff) | |
parent | de1678876b636f456e42fddf8321f8e941faeceb (diff) |
Merge pull request #26908 from vespa-engine/olaa/athenzcredsmaintainer-fetch-roles
AthenzCredentialsMaintainer maintains role certificates
Diffstat (limited to 'vespa-athenz/src/main')
2 files changed, 37 insertions, 0 deletions
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/IdentityDocumentClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/IdentityDocumentClient.java
index a3c2f0264d3..522f40bc37d 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/IdentityDocumentClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/IdentityDocumentClient.java
@@ -1,6 +1,7 @@
 // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.vespa.athenz.identityprovider.api;
 
+import java.util.List;
 import java.util.Optional;
 import java.util.OptionalInt;
 
@@ -12,4 +13,5 @@ import java.util.OptionalInt;
 public interface IdentityDocumentClient {
     SignedIdentityDocument getNodeIdentityDocument(String host, int documentVersion);
     Optional<SignedIdentityDocument> getTenantIdentityDocument(String host, int documentVersion);
+    List<String> getNodeRoles(String hostname);
 }
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/DefaultIdentityDocumentClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/DefaultIdentityDocumentClient.java
index f95a3335c24..81aa6e5bd2a 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/DefaultIdentityDocumentClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/DefaultIdentityDocumentClient.java
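Review bot: The new `getNodeRoles(String hostname)` declaration in the second hunk carries no Javadoc, so callers cannot tell from the interface what the returned strings are (fully-qualified Athenz role names or domain-relative ones), whether the list may be empty, or what a failed lookup does — the implementation added in this same commit throws an unchecked exception on any non-2xx response. A short contract on the interface would settle that for every implementation: `/** Returns the roles the config server reports for {@code hostname}; empty if none. Throws on a failed lookup. */`. The exact role-name format is not visible in this diff and should be stated from what the server-side endpoint actually returns.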
@@ -7,6 +7,7 @@ import com.yahoo.vespa.athenz.identity.ServiceIdentityProvider;
 import com.yahoo.vespa.athenz.identityprovider.api.EntityBindingsMapper;
 import com.yahoo.vespa.athenz.identityprovider.api.IdentityDocumentClient;
 import com.yahoo.vespa.athenz.identityprovider.api.SignedIdentityDocument;
+import com.yahoo.vespa.athenz.identityprovider.api.bindings.RoleListEntity;
 import com.yahoo.vespa.athenz.identityprovider.api.bindings.SignedIdentityDocumentEntity;
 import org.apache.http.client.config.RequestConfig;
 import org.apache.http.client.methods.CloseableHttpResponse;
@@ -23,6 +24,7 @@ import java.io.IOException;
 import java.io.UncheckedIOException;
 import java.net.URI;
 import java.time.Duration;
+import java.util.List;
 import java.util.Optional;
 import java.util.function.Supplier;
 
@@ -66,6 +68,39 @@ public class DefaultIdentityDocumentClient implements IdentityDocumentClient {
         return getIdentityDocument(host, "tenant", documentVersion);
     }
 
+    @Override
+    public List<String> getNodeRoles(String hostname) {
+        try (var client = createHttpClient(sslContextSupplier.get(), hostnameVerifier)) {
+            var uri = configserverUri
+                    .resolve(IDENTITY_DOCUMENT_API)
+                    .resolve("roles/")
+                    .resolve(hostname);
+
+            var request = RequestBuilder.get()
+                    .setUri(uri)
+                    .addHeader("Connection", "close")
+                    .addHeader("Accept", "application/json")
+                    .build();
+            try (var response = client.execute(request)) {
+                String responseContent = EntityUtils.toString(response.getEntity());
+                int statusCode = response.getStatusLine().getStatusCode();
+                if (statusCode >= 200 && statusCode <= 299) {
+                    var rolesEntity = objectMapper.readValue(responseContent, RoleListEntity.class);
+                    return rolesEntity.roles();
+                } else {
+                    throw new RuntimeException(
+                            String.format(
+                                    "Failed to retrieve roles for host %s: %d - %s",
+                                    hostname,
+                                    statusCode,
+                                    responseContent));
+                }
+            }
+        } catch (IOException e) {
+            throw new UncheckedIOException(e);
+        }
+    }
+
     private Optional<SignedIdentityDocument> getIdentityDocument(String host, String type, int documentVersion) {
         try (CloseableHttpClient client = createHttpClient(sslContextSupplier.get(), hostnameVerifier)) {
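Review bot: `.resolve(hostname)` in the new getNodeRoles builds the request path from the raw hostname string, so a value containing `/`, `..`, `?` or `#` would address a different resource than `roles/<host>`, and a string that is not a valid URI reference makes `URI.resolve` throw IllegalArgumentException, which is not caught by the `catch (IOException e)` below it. The hostname presumably comes from the node's own configuration rather than from an untrusted party, so this is defence in depth rather than an exploitable hole, but a shape check is cheap: `if (!hostname.matches("[A-Za-z0-9.-]+")) throw new IllegalArgumentException("Invalid hostname: " + hostname);` placed before the `var uri` statement. The resolve chain also only yields `.../roles/<host>` if `IDENTITY_DOCUMENT_API` ends with a slash, which this hunk does not show and is worth confirming against the constant's definition. getIdentityDocument, whose opening lines appear as trailing context, continues outside the hunk.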