author | Bjørn Christian Seime <bjorncs@yahooinc.com> | 2023-02-07 10:57:22 +0100 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@yahooinc.com> | 2023-02-07 10:57:22 +0100 |
commit | 97d4ece6766db04fe0306d78ce6af7a9e582ce46 (patch) | |
tree | 808c9854eb691acdb8d6c257911f4162627336d6 /vespa-athenz/src | |
parent | 0a44cf455dd74557f1dd769954f5e66e52089330 (diff) |
Ignore cluster type in identity document signature
Diffstat (limited to 'vespa-athenz/src')
2 files changed, 15 insertions, 13 deletions
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/IdentityDocumentSigner.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/IdentityDocumentSigner.java
index bfc1b3aad46..14d06fe83f2 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/IdentityDocumentSigner.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/IdentityDocumentSigner.java
@@ -3,7 +3,6 @@ package com.yahoo.vespa.athenz.identityprovider.client;
 import com.yahoo.security.SignatureUtils;
 import com.yahoo.vespa.athenz.api.AthenzService;
-import com.yahoo.vespa.athenz.identityprovider.api.ClusterType;
 import com.yahoo.vespa.athenz.identityprovider.api.IdentityType;
 import com.yahoo.vespa.athenz.identityprovider.api.SignedIdentityDocument;
 import com.yahoo.vespa.athenz.identityprovider.api.VespaUniqueInstanceId;
@@ -28,6 +27,7 @@ import static java.nio.charset.StandardCharsets.UTF_8;
 */
 public class IdentityDocumentSigner {
+// Cluster type is ignored due to old Vespa versions not forwarding unknown fields in signed identity document
 public String generateSignature(VespaUniqueInstanceId providerUniqueId,
 AthenzService providerService,
 String configServerHostname,
@@ -35,14 +35,13 @@ public class IdentityDocumentSigner {
 Instant createdAt,
 Set<String> ipAddresses,
 IdentityType identityType,
-ClusterType clusterType,
 PrivateKey privateKey) {
 try {
 Signature signer = SignatureUtils.createSigner(privateKey);
 signer.initSign(privateKey);
 writeToSigner(
 signer, providerUniqueId, providerService, configServerHostname, instanceHostname, createdAt,
-ipAddresses, identityType, clusterType);
+ipAddresses, identityType);
 byte[] signature = signer.sign();
 return Base64.getEncoder().encodeToString(signature);
 } catch (GeneralSecurityException e) {
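Review bot: The comment added above generateSignature explains why clusterType was dropped but not the consequence: after this change a SignedIdentityDocument's clusterType() is no longer covered by the signature, so a document that passes hasValidSignature (hunk at line 55) does not authenticate that field, and neither this comment nor hasValidSignature says so. Suggest extending the comment to `// Cluster type is ignored due to old Vespa versions not forwarding unknown fields in signed identity document.` followed by `// Consequently clusterType in a verified SignedIdentityDocument is NOT authenticated and must not be used for authorization decisions.`, and stating the same in hasValidSignature's Javadoc. The dropped update in the writeToSigner hunk at line 81 is the same point. generateSignature's parameter list and body continue outside this hunk.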
@@ -56,7 +55,7 @@ public class IdentityDocumentSigner {
 signer.initVerify(publicKey);
 writeToSigner(
 signer, doc.providerUniqueId(), doc.providerService(), doc.configServerHostname(),
-doc.instanceHostname(), doc.createdAt(), doc.ipAddresses(), doc.identityType(), doc.clusterType());
+doc.instanceHostname(), doc.createdAt(), doc.ipAddresses(), doc.identityType());
 return signer.verify(Base64.getDecoder().decode(doc.signature()));
 } catch (GeneralSecurityException e) {
 throw new RuntimeException(e);
@@ -70,8 +69,7 @@ public class IdentityDocumentSigner {
 String instanceHostname,
 Instant createdAt,
 Set<String> ipAddresses,
-IdentityType identityType,
-ClusterType clusterType) throws SignatureException {
+IdentityType identityType) throws SignatureException {
 signer.update(providerUniqueId.asDottedString().getBytes(UTF_8));
 signer.update(providerService.getFullName().getBytes(UTF_8));
 signer.update(configServerHostname.getBytes(UTF_8));
@@ -83,6 +81,5 @@ public class IdentityDocumentSigner {
 signer.update(ipAddress.getBytes(UTF_8));
 }
 signer.update(identityType.id().getBytes(UTF_8));
-if (clusterType != null) signer.update(clusterType.toConfigValue().getBytes(UTF_8));
 }
 }
diff --git a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/IdentityDocumentSignerTest.java b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/IdentityDocumentSignerTest.java
index f53518d9a07..0b8ff4277f1 100644
--- a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/IdentityDocumentSignerTest.java
+++ b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/IdentityDocumentSignerTest.java
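Review bot: writeToSigner feeds each field into the signer as raw UTF-8 with no length prefix or separator (the three signer.update calls at the end of the hunk at line 69, plus the ipAddress loop and identityType update in the hunk at line 81), so the signed byte string does not fix where one field ends and the next begins; whether the formats of these particular fields rule out two distinct documents sharing one signed string is not visible here. This is pre-existing and changing the encoding would invalidate signatures produced by older versions, which is exactly the compatibility constraint this commit works around, so I would not change it in this commit, but it should be recorded: `// NOTE: fields are concatenated without delimiters; the encoding cannot be changed without breaking signatures from older versions` above the first signer.update. writeToSigner's parameter list begins outside the hunk.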
@@ -17,6 +17,7 @@ import java.util.HashSet;
 import static com.yahoo.vespa.athenz.identityprovider.api.IdentityType.TENANT;
 import static com.yahoo.vespa.athenz.identityprovider.api.SignedIdentityDocument.DEFAULT_DOCUMENT_VERSION;
+import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 /**
@@ -41,7 +42,7 @@ public class IdentityDocumentSignerTest {
 IdentityDocumentSigner signer = new IdentityDocumentSigner();
 String signature = signer.generateSignature(id, providerService, configserverHostname, instanceHostname, createdAt,
-ipAddresses, identityType, clusterType, keyPair.getPrivate());
+ipAddresses, identityType, keyPair.getPrivate());
 SignedIdentityDocument signedIdentityDocument = new SignedIdentityDocument(
 signature, KEY_VERSION, id, providerService, DEFAULT_DOCUMENT_VERSION, configserverHostname,
@@ -51,17 +52,21 @@ public class IdentityDocumentSignerTest {
 }
 @Test
-void handles_missing_cluster_type() {
+void ignores_cluster_type() {
 IdentityDocumentSigner signer = new IdentityDocumentSigner();
 String signature = signer.generateSignature(id, providerService, configserverHostname, instanceHostname, createdAt,
-ipAddresses, identityType, /*clusterType*/null, keyPair.getPrivate());
+ipAddresses, identityType, keyPair.getPrivate());
-SignedIdentityDocument signedIdentityDocument = new SignedIdentityDocument(
+var docWithoutClusterType = new SignedIdentityDocument(
+signature, KEY_VERSION, id, providerService, DEFAULT_DOCUMENT_VERSION, configserverHostname,
+instanceHostname, createdAt, ipAddresses, identityType, null);
+var docWithClusterType = new SignedIdentityDocument(
 signature, KEY_VERSION, id, providerService, DEFAULT_DOCUMENT_VERSION, configserverHostname,
-instanceHostname, createdAt, ipAddresses, identityType, /*clusterType*/null);
+instanceHostname, createdAt, ipAddresses, identityType, clusterType);
-assertTrue(signer.hasValidSignature(signedIdentityDocument, keyPair.getPublic()));
+assertTrue(signer.hasValidSignature(docWithoutClusterType, keyPair.getPublic()));
+assertEquals(docWithClusterType.signature(), docWithoutClusterType.signature());
 }
 }
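Review bot: The assertEquals on the last added line is tautological: docWithClusterType and docWithoutClusterType are both constructed from the same `signature` string, so it passes regardless of what the signer does and does not show that a document carrying a cluster type verifies. Replace it with `assertTrue(signer.hasValidSignature(docWithClusterType, keyPair.getPublic()));`, keeping the existing assertTrue on docWithoutClusterType, so the test exercises the behaviour its new name claims; the assertEquals import added in the hunk at line 17 then becomes unused.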
\ No newline at end of file |