Add SAN URI with cluster type in instance certificates

author: Bjørn Christian Seime <bjorncs@yahooinc.com> 2023-02-03 12:22:44 +0100
committer: Bjørn Christian Seime <bjorncs@yahooinc.com> 2023-02-03 12:23:24 +0100
commit: 90892ba4d2a302b1a262fdd1198fac8c6724e44f (patch)
tree: 0eaa5c41368af736cd3bdb0a36f4b74f4370b886 /vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/InstanceCsrGeneratorTest.java
parent: e09b191faf77bb95b923bb709b2181a0a3ee2c81 (diff)
1 files changed, 14 insertions, 3 deletions
diff --git a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/InstanceCsrGeneratorTest.java b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/InstanceCsrGeneratorTest.java
index aa4c3e68094..09fefdff0bd 100644
--- a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/InstanceCsrGeneratorTest.java
+++ b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/InstanceCsrGeneratorTest.java
@@ -1,17 +1,22 @@
 // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.vespa.athenz.identityprovider.client;
 
+import com.yahoo.config.provision.ClusterSpec;
 import com.yahoo.security.KeyAlgorithm;
 import com.yahoo.security.KeyUtils;
+import com.yahoo.security.Pkcs10Csr;
+import com.yahoo.security.SubjectAlternativeName;
 import com.yahoo.vespa.athenz.api.AthenzService;
 import com.yahoo.vespa.athenz.identityprovider.api.VespaUniqueInstanceId;
-import com.yahoo.security.Pkcs10Csr;
 import org.junit.jupiter.api.Test;
 
 import javax.security.auth.x500.X500Principal;
 import java.security.KeyPair;
 import java.util.Collections;
+import java.util.Set;
 
+import static com.yahoo.security.SubjectAlternativeName.Type.DNS;
+import static com.yahoo.security.SubjectAlternativeName.Type.URI;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 
 /**
@@ -24,14 +29,20 @@ public class InstanceCsrGeneratorTest {
     private static final String ATHENZ_SERVICE = "foo.bar";
 
     @Test
-    void it_generates_csr_with_correct_subject() {
+    void generates_correct_subject_and_alternative_names() {
         CsrGenerator csrGenerator = new CsrGenerator(DNS_SUFFIX, PROVIDER_SERVICE);
 
         AthenzService service = new AthenzService(ATHENZ_SERVICE);
         VespaUniqueInstanceId vespaUniqueInstanceId = VespaUniqueInstanceId.fromDottedString("0.default.default.foo-app.vespa.us-north-1.prod.node");
         KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.RSA);
 
-        Pkcs10Csr csr = csrGenerator.generateInstanceCsr(service, vespaUniqueInstanceId, Collections.emptySet(), "container", keyPair);
+        Pkcs10Csr csr = csrGenerator.generateInstanceCsr(service, vespaUniqueInstanceId, Collections.emptySet(), ClusterSpec.Type.container, keyPair);
         assertEquals(new X500Principal(String.format("OU=%s, CN=%s", PROVIDER_SERVICE, ATHENZ_SERVICE)), csr.getSubject());
+        var actualSans = Set.copyOf(csr.getSubjectAlternativeNames());
+        var expectedSans = Set.of(
+                new SubjectAlternativeName(DNS, "bar.foo.prod-us-north-1.vespa.yahoo.cloud"),
+                new SubjectAlternativeName(DNS, "0.default.default.foo-app.vespa.us-north-1.prod.node.instanceid.athenz.prod-us-north-1.vespa.yahoo.cloud"),
+                new SubjectAlternativeName(URI, "vespa://cluster-type/container"));
+      assertEquals(expectedSans, actualSans);
     }
 }
author	Bjørn Christian Seime <bjorncs@yahooinc.com>	2023-02-03 12:22:44 +0100
committer	Bjørn Christian Seime <bjorncs@yahooinc.com>	2023-02-03 12:23:24 +0100
commit	90892ba4d2a302b1a262fdd1198fac8c6724e44f (patch)
tree	0eaa5c41368af736cd3bdb0a36f4b74f4370b886 /vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/InstanceCsrGeneratorTest.java
parent	e09b191faf77bb95b923bb709b2181a0a3ee2c81 (diff)