author | Bjørn Christian Seime <bjorncs@oath.com> | 2018-06-07 14:04:00 +0200 |
---|---|---|
committer | Morten Tokle <mortent@oath.com> | 2018-06-11 14:36:50 +0200 |
commit | 3430573724c0b9281c75298c4a6a3e976f6ed5cb (patch) | |
tree | 4dd40b374ab2390bb6159f6d2d9479f030678478 /vespa-athenz/src | |
parent | 45e49e44fc9f37d95c47047228cb675008e192c4 (diff) |
Use dns suffix and zts uri from config
Diffstat (limited to 'vespa-athenz/src')
3 files changed, 13 insertions, 7 deletions
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/SignedIdentityDocument.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/SignedIdentityDocument.java
index 60be42544c7..7c64d048944 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/SignedIdentityDocument.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/SignedIdentityDocument.java
@@ -74,6 +74,7 @@ public class SignedIdentityDocument {
         return providerUniqueId;
     }
+    @Deprecated
     public String dnsSuffix() {
         return dnsSuffix;
     }
@@ -82,6 +83,7 @@ public class SignedIdentityDocument {
         return providerService;
     }
+    @Deprecated
     public URI ztsEndpoint() {
         return ztsEndpoint;
     }
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java
index b99001476ea..1136106ce19 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java
@@ -35,6 +35,7 @@ class AthenzCredentialsService {
     private final ServiceIdentityProvider nodeIdentityProvider;
     private final File trustStoreJks;
     private final String hostname;
+    private final InstanceCsrGenerator instanceCsrGenerator;
     AthenzCredentialsService(IdentityConfig identityConfig,
                              ServiceIdentityProvider nodeIdentityProvider,
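Review bot: The `@Deprecated` placed on `dnsSuffix()` has no Javadoc `@deprecated` tag, so callers get a compiler warning without being told that the value is now supposed to come from `IdentityConfig.athenzDnsSuffix()`, which is what the client classes in this commit switch to. Add `/** @deprecated the DNS suffix is now taken from {@code IdentityConfig.athenzDnsSuffix()}; this accessor is presumably kept only so existing serialized documents still parse. */` above the annotation, and the matching tag naming `IdentityConfig.ztsUrl()` on `ztsEndpoint()` in the following hunk. Saying whether the document's copy is still validated against the config value, or simply ignored from now on, would also make the transition intent explicit.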
@@ -44,13 +45,13 @@ class AthenzCredentialsService {
         this.nodeIdentityProvider = nodeIdentityProvider;
         this.trustStoreJks = trustStoreJks;
         this.hostname = hostname;
+        this.instanceCsrGenerator = new InstanceCsrGenerator(identityConfig.athenzDnsSuffix());
     }
     AthenzCredentials registerInstance() {
         KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.RSA);
         IdentityDocumentClient identityDocumentClient = createIdentityDocumentClient(identityConfig, nodeIdentityProvider);
         SignedIdentityDocument document = identityDocumentClient.getTenantIdentityDocument(hostname);
-        InstanceCsrGenerator instanceCsrGenerator = new InstanceCsrGenerator(document.dnsSuffix());
         AthenzService tenantIdentity = new AthenzService(identityConfig.domain(), identityConfig.service());
         Pkcs10Csr csr = instanceCsrGenerator.generateCsr(
                 tenantIdentity,
@@ -75,7 +76,6 @@ class AthenzCredentialsService {
     AthenzCredentials updateCredentials(SignedIdentityDocument document, SSLContext sslContext) {
         AthenzService tenantIdentity = new AthenzService(identityConfig.domain(), identityConfig.service());
         KeyPair newKeyPair = KeyUtils.generateKeypair(KeyAlgorithm.RSA);
-        InstanceCsrGenerator instanceCsrGenerator = new InstanceCsrGenerator(document.dnsSuffix());
         Pkcs10Csr csr = instanceCsrGenerator.generateCsr(
                 tenantIdentity,
                 document.providerUniqueId(),
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java
index 3dc883f347f..ce0743021ff 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java
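Review bot: In `registerInstance()` the CSR's DNS suffix is now the one baked into `instanceCsrGenerator` from `identityConfig.athenzDnsSuffix()`, while the signed document fetched on the line above still carries `document.dnsSuffix()`; if the two disagree, the problem will presumably only surface as a provider rejecting the CSR, with nothing in the logs pointing at the config. Since the document accessor is kept (deprecated), a transitional fail-fast check right after `getTenantIdentityDocument(hostname)` makes such a misconfiguration obvious: `if (!Objects.equals(identityConfig.athenzDnsSuffix(), document.dnsSuffix())) throw new IllegalStateException("DNS suffix mismatch: config=" + identityConfig.athenzDnsSuffix() + ", identity document=" + document.dnsSuffix());` (importing `java.util.Objects`; a warning log is the alternative if documents are expected to stop carrying the field). Relatedly, the suffix is now fixed once at construction, so a null or empty `athenzDnsSuffix()` would end up in every CSR the service ever produces; `Objects.requireNonNull(identityConfig.athenzDnsSuffix(), "athenzDnsSuffix")` in the constructor is a cheap guard. `registerInstance()` continues past the end of the hunk.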
@@ -24,6 +24,7 @@ import com.yahoo.vespa.defaults.Defaults;
 import javax.net.ssl.SSLContext;
 import java.io.File;
+import java.net.URI;
 import java.security.PrivateKey;
 import java.security.cert.X509Certificate;
 import java.time.Clock;
@@ -57,11 +58,12 @@ public final class AthenzIdentityProviderImpl extends AbstractComponent implemen
     private final Clock clock;
     private final AthenzService identity;
     private final ServiceIdentityProviderListenerHelper listenerHelper;
+    private final String dnsSuffix;
+    private final URI ztsEndpoint;
     private final LoadingCache<AthenzRole, SSLContext> roleSslContextCache;
     private final static Duration roleSslContextExpiry = Duration.ofHours(24);
-    // TODO IdentityConfig should contain ZTS uri and dns suffix
     @Inject
     public AthenzIdentityProviderImpl(IdentityConfig config, Metric metric) {
         this(config,
@@ -87,6 +89,8 @@ public final class AthenzIdentityProviderImpl extends AbstractComponent implemen
         this.clock = clock;
         this.identity = new AthenzService(config.domain(), config.service());
         this.listenerHelper = new ServiceIdentityProviderListenerHelper(this.identity);
+        this.dnsSuffix = config.athenzDnsSuffix();
+        this.ztsEndpoint = URI.create(config.ztsUrl());
         registerInstance();
         roleSslContextCache = CacheBuilder.newBuilder()
                 .refreshAfterWrite(roleSslContextExpiry.dividedBy(2).toMinutes(), TimeUnit.MINUTES)
@@ -153,8 +157,8 @@ public final class AthenzIdentityProviderImpl extends AbstractComponent implemen
         PrivateKey privateKey = credentials.getKeyPair().getPrivate();
         X509Certificate roleCertificate = ztsClient.getRoleCertificate(
                 role,
-                credentials.getIdentityDocument().dnsSuffix(),
-                credentials.getIdentityDocument().ztsEndpoint(),
+                dnsSuffix,
+                ztsEndpoint,
                 identity,
                 privateKey,
                 credentials.getIdentitySslContext());
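Review bot: `this.ztsEndpoint = URI.create(config.ztsUrl())` in the constructor accepts any syntactically valid URI, so a misconfigured `http://` ZTS URL would be handed to every `getRoleCertificate` and `getRoleToken` call together with the identity SSL context, and whether `ztsClient` refuses a plaintext scheme is not visible here. Check the scheme once at construction, where `URI.create` already fails fast on syntax: `URI zts = URI.create(config.ztsUrl()); if (!"https".equalsIgnoreCase(zts.getScheme())) throw new IllegalArgumentException("ztsUrl must use https: " + zts); this.ztsEndpoint = zts;`. Previously this value came from the signed identity document, so a short comment on the new fields such as `// ZTS endpoint and DNS suffix come from node config; the copies in the signed identity document are deprecated` would record why the document's values are no longer consulted. The constructor body continues beyond the hunk.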
@@ -169,7 +173,7 @@ public final class AthenzIdentityProviderImpl extends AbstractComponent implemen
         return ztsClient
                 .getRoleToken(
                         new AthenzDomain(domain),
-                        credentials.getIdentityDocument().ztsEndpoint(),
+                        ztsEndpoint,
                         credentials.getIdentitySslContext())
                 .getRawToken();
     }
@@ -180,7 +184,7 @@ public final class AthenzIdentityProviderImpl extends AbstractComponent implemen
                 .getRoleToken(
                         new AthenzDomain(domain),
                         role,
-                        credentials.getIdentityDocument().ztsEndpoint(),
+                        ztsEndpoint,
                         credentials.getIdentitySslContext())
                 .getRawToken();
     } |