authorBjørn Christian Seime <bjorncs@oath.com>2018-05-29 17:56:44 +0200
committerMorten Tokle <mortent@oath.com>2018-06-11 14:15:11 +0200
commit45e49e44fc9f37d95c47047228cb675008e192c4 (patch)
tree94716f858af067285180283355bb1ee97958e2e5 /vespa-athenz/src/test
parentb267b3642c34720e8a6353d9afaf324f64ff2f71 (diff)
Use mutual TLS auth when communicating with ZTS
- Remove instance register/refresh from the ad-hoc ZtsClient implementation
- Deprecate the ad-hoc ZtsClient
Diffstat (limited to 'vespa-athenz/src/test')
-rw-r--r--vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImplTest.java67
1 files changed, 10 insertions, 57 deletions
diff --git a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImplTest.java b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImplTest.java
index 8b87c93f051..48781aad651 100644
--- a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImplTest.java
+++ b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImplTest.java
@@ -5,35 +5,18 @@ import com.yahoo.container.core.identity.IdentityConfig;
import com.yahoo.container.jdisc.athenz.AthenzIdentityProviderException;
import com.yahoo.jdisc.Metric;
import com.yahoo.test.ManualClock;
-import com.yahoo.vespa.athenz.api.AthenzService;
-import com.yahoo.vespa.athenz.identityprovider.api.IdentityDocument;
-import com.yahoo.vespa.athenz.identityprovider.api.IdentityType;
-import com.yahoo.vespa.athenz.identityprovider.api.IdentityDocumentClient;
-import com.yahoo.vespa.athenz.identityprovider.api.SignedIdentityDocument;
-import com.yahoo.vespa.athenz.identityprovider.api.VespaUniqueInstanceId;
-import com.yahoo.vespa.athenz.tls.KeyStoreBuilder;
-import com.yahoo.vespa.athenz.tls.KeyStoreUtils;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.TemporaryFolder;
-import org.mockito.invocation.InvocationOnMock;
-import org.mockito.stubbing.Answer;
-import java.io.File;
-import java.io.IOException;
-import java.net.URI;
-import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
-import java.util.Collections;
import java.util.Date;
import java.util.concurrent.ScheduledExecutorService;
import java.util.function.Supplier;
-import static com.yahoo.vespa.athenz.tls.KeyStoreType.JKS;
import static org.mockito.Matchers.any;
-import static org.mockito.Matchers.anyString;
import static org.mockito.Matchers.eq;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.verify;
@@ -70,30 +53,24 @@ public class AthenzIdentityProviderImplTest {
}
@Test
- public void metrics_updated_on_refresh() throws IOException {
- IdentityDocumentClient identityDocumentClient = mock(IdentityDocumentClient.class);
- ZtsClient ztsClient = mock(ZtsClient.class);
+ public void metrics_updated_on_refresh() {
ManualClock clock = new ManualClock(Instant.EPOCH);
Metric metric = mock(Metric.class);
- when(identityDocumentClient.getTenantIdentityDocument(any())).thenReturn(getIdentityDocument());
- when(ztsClient.sendInstanceRegisterRequest(any(), any())).then(new Answer<InstanceIdentity>() {
- @Override
- public InstanceIdentity answer(InvocationOnMock invocationOnMock) throws Throwable {
- return new InstanceIdentity(getCertificate(getExpirationSupplier(clock)), "TOKEN");
- }
- });
+ AthenzCredentialsService athenzCredentialsService = mock(AthenzCredentialsService.class);
- when(ztsClient.sendInstanceRefreshRequest(anyString(), anyString(), anyString(), anyString(), any(), any(), any()))
+ X509Certificate certificate = getCertificate(getExpirationSupplier(clock));
+
+ when(athenzCredentialsService.registerInstance())
+ .thenReturn(new AthenzCredentials(null, certificate, null, null, null));
+
+ when(athenzCredentialsService.updateCredentials(any(), any()))
.thenThrow(new RuntimeException("#1"))
.thenThrow(new RuntimeException("#2"))
- .thenReturn(new InstanceIdentity(getCertificate(getExpirationSupplier(clock)), "TOKEN"));
-
- AthenzCredentialsService credentialService =
- new AthenzCredentialsService(IDENTITY_CONFIG, identityDocumentClient, ztsClient, createDummyTrustStore(), "localhost");
+ .thenReturn(new AthenzCredentials(null, certificate, null, null, null));
AthenzIdentityProviderImpl identityProvider =
- new AthenzIdentityProviderImpl(IDENTITY_CONFIG, metric, credentialService, mock(ScheduledExecutorService.class), clock);
+ new AthenzIdentityProviderImpl(IDENTITY_CONFIG, metric, athenzCredentialsService, mock(ScheduledExecutorService.class), clock);
identityProvider.reportMetrics();
verify(metric).set(eq(AthenzIdentityProviderImpl.CERTIFICATE_EXPIRY_METRIC_NAME), eq(certificateValidity.getSeconds()), any());
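Review bot: The register stub and the refresh stub both return the same `certificate` instance, whose expiry is computed once from the clock at setup time, whereas the removed `Answer` built a fresh certificate at each invocation; if the lines after this hunk advance the clock and expect `CERTIFICATE_EXPIRY_METRIC_NAME` to move after a successful `updateCredentials`, the metric can no longer distinguish a refreshed credential from the original one. If that is what the rest of `metrics_updated_on_refresh` checks, keep the refreshed certificate lazy: `.thenAnswer(invocation -> new AthenzCredentials(null, getCertificate(getExpirationSupplier(clock)), null, null, null));`. The four positional `null` arguments to `AthenzCredentials` also hide which credential parts the test deliberately omits; a one-line comment such as `// only the certificate matters for the expiry metric; other credential parts are intentionally absent` would make that explicit. The body of `metrics_updated_on_refresh` continues past the end of this hunk.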
@@ -128,28 +105,4 @@ public class AthenzIdentityProviderImplTest {
return x509Certificate;
}
- private File createDummyTrustStore() throws IOException {
- File file = tempDir.newFile();
- KeyStore keyStore = KeyStoreBuilder.withType(JKS).build();
- KeyStoreUtils.writeKeyStoreToFile(keyStore, file);
- return file;
- }
-
- private static SignedIdentityDocument getIdentityDocument() {
- VespaUniqueInstanceId instanceId = new VespaUniqueInstanceId(0, "default", "default", "application", "tenant", "us-north-1", "dev", IdentityType.TENANT);
- return new SignedIdentityDocument(
- new IdentityDocument(instanceId, "localhost", "x.y.com", Instant.EPOCH, Collections.emptySet()),
- "dummysignature",
- 0,
- instanceId,
- "dev-us-north-1.vespa.cloud",
- new AthenzService("vespa.vespa.provider_dev_us-north-1"),
- URI.create("https://zts:4443/zts/v1"),
- 1,
- "localhost",
- "x.y.com",
- Instant.EPOCH,
- Collections.emptySet(),
- IdentityType.TENANT);
- }
}