authorMorten Tokle <mortent@vespa.ai>2024-06-20 23:02:58 +0200
committerMorten Tokle <mortent@vespa.ai>2024-06-20 23:02:58 +0200
commit8e4bf1dde69ef0776505c1b6ea741dfabcafadfc (patch)
tree6f4602da95f43a73d79f5cbc526ed854ffb96fde /vespa-athenz/src
parent8f11e7f31dcc1810895a5f9c970c783f538c5c19 (diff)
signing key version as string
Diffstat (limited to 'vespa-athenz/src')
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/DefaultSignedIdentityDocument.java14
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/EntityBindingsMapper.java33
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/SignedIdentityDocument.java6
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/V4SignedIdentityDocument.java19
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/V5SignedIdentityDocument.java16
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/SignedIdentityDocumentEntity.java8
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/V4SignedIdentityDocumentEntity.java (renamed from vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/DefaultSignedIdentityDocumentEntity.java)2
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/V5SignedIdentityDocumentEntity.java12
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/IdentityDocumentSigner.java29
-rw-r--r--vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/IdentityDocumentSignerTest.java4
10 files changed, 91 insertions, 52 deletions
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/DefaultSignedIdentityDocument.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/DefaultSignedIdentityDocument.java
deleted file mode 100644
index 9f37e3f4613..00000000000
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/DefaultSignedIdentityDocument.java
+++ /dev/null
@@ -1,14 +0,0 @@
-// Copyright Vespa.ai. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.vespa.athenz.identityprovider.api;
-
-public record DefaultSignedIdentityDocument(String signature, int signingKeyVersion, int documentVersion,
- String data, IdentityDocument identityDocument) implements SignedIdentityDocument {
-
- public DefaultSignedIdentityDocument {
- identityDocument = EntityBindingsMapper.fromIdentityDocumentData(data);
- }
-
- public DefaultSignedIdentityDocument(String signature, int signingKeyVersion, int documentVersion, String data) {
- this(signature,signingKeyVersion,documentVersion, data, null);
- }
-}
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/EntityBindingsMapper.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/EntityBindingsMapper.java
index ac620d2f6d4..123995721e9 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/EntityBindingsMapper.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/EntityBindingsMapper.java
@@ -5,9 +5,10 @@ import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule;
import com.yahoo.vespa.athenz.api.AthenzService;
-import com.yahoo.vespa.athenz.identityprovider.api.bindings.DefaultSignedIdentityDocumentEntity;
+import com.yahoo.vespa.athenz.identityprovider.api.bindings.V4SignedIdentityDocumentEntity;
import com.yahoo.vespa.athenz.identityprovider.api.bindings.IdentityDocumentEntity;
import com.yahoo.vespa.athenz.identityprovider.api.bindings.SignedIdentityDocumentEntity;
+import com.yahoo.vespa.athenz.identityprovider.api.bindings.V5SignedIdentityDocumentEntity;
import com.yahoo.vespa.athenz.utils.AthenzIdentities;
import com.yahoo.yolean.Exceptions;
@@ -52,22 +53,32 @@ public class EntityBindingsMapper {
}
public static SignedIdentityDocument toSignedIdentityDocument(SignedIdentityDocumentEntity entity) {
- if (entity instanceof DefaultSignedIdentityDocumentEntity docEntity) {
- return new DefaultSignedIdentityDocument(docEntity.signature(),
- docEntity.signingKeyVersion(),
- docEntity.documentVersion(),
- docEntity.data());
+ if (entity instanceof V4SignedIdentityDocumentEntity docEntity) {
+ return new V4SignedIdentityDocument(docEntity.signature(),
+ docEntity.signingKeyVersion(),
+ docEntity.documentVersion(),
+ docEntity.data());
+ } else if (entity instanceof V5SignedIdentityDocumentEntity docEntity) {
+ return new V5SignedIdentityDocument(docEntity.signature(),
+ docEntity.signingKeyVersion(),
+ docEntity.documentVersion(),
+ docEntity.data());
} else {
throw new IllegalArgumentException("Unknown signed identity document type: " + entity.getClass().getName());
}
}
public static SignedIdentityDocumentEntity toSignedIdentityDocumentEntity(SignedIdentityDocument model) {
- if (model instanceof DefaultSignedIdentityDocument defaultModel){
- return new DefaultSignedIdentityDocumentEntity(defaultModel.signature(),
- defaultModel.signingKeyVersion(),
- defaultModel.documentVersion(),
- defaultModel.data());
+ if (model instanceof V4SignedIdentityDocument defaultModel) {
+ return new V4SignedIdentityDocumentEntity(defaultModel.signature(),
+ defaultModel.v4SigningKeyVersion(),
+ defaultModel.documentVersion(),
+ defaultModel.data());
+ } else if (model instanceof V5SignedIdentityDocument defaultModel){
+ return new V5SignedIdentityDocumentEntity(defaultModel.signature(),
+ defaultModel.signingKeyVersion(),
+ defaultModel.documentVersion(),
+ defaultModel.data());
} else {
throw new IllegalArgumentException("Unsupported model type: " + model.getClass().getName());
}
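Review bot: Both new branches of `toSignedIdentityDocumentEntity` keep the local name `defaultModel` (L88, L93) although neither branch is the default any more, and the V5 branch's `defaultModel){` lacks the space the V4 branch has; `v4` / `v5` would read better and avoid the stale name. The `instanceof` chains in both methods mean a future V6 document type is only caught at runtime by the IllegalArgumentException on L79/L99; declaring `SignedIdentityDocument` as `sealed ... permits V4SignedIdentityDocument, V5SignedIdentityDocument` (and the entity interface likewise) would let a later pattern switch enforce exhaustiveness at compile time, if the build's Java level allows it. `toSignedIdentityDocumentEntity` closes outside the hunk.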
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/SignedIdentityDocument.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/SignedIdentityDocument.java
index 39629d878db..56b67694af7 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/SignedIdentityDocument.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/SignedIdentityDocument.java
@@ -8,12 +8,14 @@ package com.yahoo.vespa.athenz.identityprovider.api;
*/
public interface SignedIdentityDocument {
- int DEFAULT_DOCUMENT_VERSION = 4;
+ int LEGACY_DOCUMENT_VERSION = 4;
+ int DEFAULT_DOCUMENT_VERSION = 5;
default boolean outdated() { return documentVersion() < DEFAULT_DOCUMENT_VERSION; }
IdentityDocument identityDocument();
String signature();
- int signingKeyVersion();
+ String signingKeyVersion();
int documentVersion();
+ String data();
}
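Review bot: Neither new member of the interface is documented: `String data()` (L117) is the exact payload that `IdentityDocumentSigner.hasValidSignature` feeds to the verifier, and `signingKeyVersion()` changed from int to String (L114-L115) with no indication of what a V4 document returns. I would add above `data()`: `/** The raw payload covered by {@link #signature()}; verification must use this string, not a re-serialisation of {@link #identityDocument()}. */`, and on `signingKeyVersion()` note that V4 documents return their integer key version as a decimal string. `LEGACY_DOCUMENT_VERSION` also deserves a line saying that, because `DEFAULT_DOCUMENT_VERSION` moved to 5, `outdated()` (L111) now reports true for every version-4 document.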
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/V4SignedIdentityDocument.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/V4SignedIdentityDocument.java
new file mode 100644
index 00000000000..36836786da3
--- /dev/null
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/V4SignedIdentityDocument.java
@@ -0,0 +1,19 @@
+// Copyright Vespa.ai. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.athenz.identityprovider.api;
+
+public record V4SignedIdentityDocument(String signature, int v4SigningKeyVersion, int documentVersion,
+ String data, IdentityDocument identityDocument) implements SignedIdentityDocument {
+
+ public V4SignedIdentityDocument {
+ identityDocument = EntityBindingsMapper.fromIdentityDocumentData(data);
+ }
+
+ public V4SignedIdentityDocument(String signature, int v4SigningKeyVersion, int documentVersion, String data) {
+ this(signature, v4SigningKeyVersion, documentVersion, data, null);
+ }
+
+ @Override
+ public String signingKeyVersion() {
+ return Integer.toString(v4SigningKeyVersion);
+ }
+}
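Review bot: The compact constructor on L131-L133 silently discards the `identityDocument` argument of the canonical constructor and always re-parses `data`; the same pattern is in `V5SignedIdentityDocument` (L158-L160). This is the safe choice, since the exposed document then always matches the bytes that `signature()` covers, but nothing says so, and a caller of the five-argument form would reasonably expect its argument to be kept. I would add above the compact constructor: `// identityDocument is always derived from data so the exposed document is the one the signature covers; the constructor argument is intentionally ignored.` Exposing both `v4SigningKeyVersion()` and `signingKeyVersion()` (L140-L141) also deserves a one-line Javadoc explaining that the override exists because the interface now uses a String.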
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/V5SignedIdentityDocument.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/V5SignedIdentityDocument.java
new file mode 100644
index 00000000000..644ca2eafb4
--- /dev/null
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/V5SignedIdentityDocument.java
@@ -0,0 +1,16 @@
+// Copyright Vespa.ai. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+
+package com.yahoo.vespa.athenz.identityprovider.api;
+
+public record V5SignedIdentityDocument(String signature, String signingKeyVersion, int documentVersion,
+ String data, IdentityDocument identityDocument) implements SignedIdentityDocument {
+
+
+ public V5SignedIdentityDocument {
+ identityDocument = EntityBindingsMapper.fromIdentityDocumentData(data);
+ }
+
+ public V5SignedIdentityDocument(String signature, String signingKeyVersion, int documentVersion, String data) {
+ this(signature,signingKeyVersion,documentVersion, data, null);
+ }
+}
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/SignedIdentityDocumentEntity.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/SignedIdentityDocumentEntity.java
index d909849e9ce..dc2daa530e8 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/SignedIdentityDocumentEntity.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/SignedIdentityDocumentEntity.java
@@ -9,6 +9,7 @@ import com.fasterxml.jackson.databind.JavaType;
import com.fasterxml.jackson.databind.annotation.JsonTypeIdResolver;
import com.fasterxml.jackson.databind.jsontype.TypeIdResolver;
import com.fasterxml.jackson.databind.type.TypeFactory;
+import com.yahoo.vespa.athenz.identityprovider.api.SignedIdentityDocument;
import java.io.IOException;
import java.util.Objects;
@@ -54,7 +55,12 @@ class SignedIdentityDocumentEntityTypeResolver implements TypeIdResolver {
@Override
public JavaType typeFromId(DatabindContext databindContext, String s) throws IOException {
try {
- Class<? extends SignedIdentityDocumentEntity> cls = DefaultSignedIdentityDocumentEntity.class;
+ int version = Integer.parseInt(s);
+ Class<? extends SignedIdentityDocumentEntity> cls = switch (version) {
+ case SignedIdentityDocument.LEGACY_DOCUMENT_VERSION -> V4SignedIdentityDocumentEntity.class;
+ case SignedIdentityDocument.DEFAULT_DOCUMENT_VERSION -> V5SignedIdentityDocumentEntity.class;
+ default -> throw new IllegalArgumentException("Unknown document version: " + version);
+ };
return TypeFactory.defaultInstance().constructSpecializedType(javaType,cls);
} catch (NumberFormatException e) {
throw new IllegalArgumentException("Unable to deserialize document with version: \"%s\"".formatted(s));
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/DefaultSignedIdentityDocumentEntity.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/V4SignedIdentityDocumentEntity.java
index 74fd43feb35..9c6af38377a 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/DefaultSignedIdentityDocumentEntity.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/V4SignedIdentityDocumentEntity.java
@@ -3,7 +3,7 @@ package com.yahoo.vespa.athenz.identityprovider.api.bindings;
import com.fasterxml.jackson.annotation.JsonProperty;
-public record DefaultSignedIdentityDocumentEntity(
+public record V4SignedIdentityDocumentEntity(
@JsonProperty("signature") String signature,
@JsonProperty("signing-key-version") int signingKeyVersion,
@JsonProperty("document-version") int documentVersion,
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/V5SignedIdentityDocumentEntity.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/V5SignedIdentityDocumentEntity.java
new file mode 100644
index 00000000000..eece4b5f066
--- /dev/null
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/V5SignedIdentityDocumentEntity.java
@@ -0,0 +1,12 @@
+// Copyright Vespa.ai. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.athenz.identityprovider.api.bindings;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+public record V5SignedIdentityDocumentEntity(
+ @JsonProperty("signature") String signature,
+ @JsonProperty("signing-key-version") String signingKeyVersion,
+ @JsonProperty("document-version") int documentVersion,
+ @JsonProperty("data") String data)
+ implements SignedIdentityDocumentEntity {
+}
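Review bot: The new entity record has no Javadoc, so the only thing distinguishing it from `V4SignedIdentityDocumentEntity` — `signing-key-version` being a String on L215 rather than an int — is invisible to a reader of this file, as is the fact that `SignedIdentityDocumentEntityTypeResolver` selects this class for `document-version` 5. A class comment such as `/** Wire form of a version-5 signed identity document; differs from V4 only in carrying the signing key version as a string. */` would capture both.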
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/IdentityDocumentSigner.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/IdentityDocumentSigner.java
index 43f32a3bae7..392faaaa339 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/IdentityDocumentSigner.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/IdentityDocumentSigner.java
@@ -2,23 +2,14 @@
package com.yahoo.vespa.athenz.identityprovider.client;
import com.yahoo.security.SignatureUtils;
-import com.yahoo.vespa.athenz.api.AthenzIdentity;
-import com.yahoo.vespa.athenz.identityprovider.api.DefaultSignedIdentityDocument;
-import com.yahoo.vespa.athenz.identityprovider.api.IdentityDocument;
-import com.yahoo.vespa.athenz.identityprovider.api.IdentityType;
+import com.yahoo.vespa.athenz.identityprovider.api.V4SignedIdentityDocument;
import com.yahoo.vespa.athenz.identityprovider.api.SignedIdentityDocument;
-import com.yahoo.vespa.athenz.identityprovider.api.VespaUniqueInstanceId;
-import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
-import java.security.SignatureException;
-import java.time.Instant;
import java.util.Base64;
-import java.util.Set;
-import java.util.TreeSet;
import static java.nio.charset.StandardCharsets.UTF_8;
@@ -42,17 +33,13 @@ public class IdentityDocumentSigner {
}
public boolean hasValidSignature(SignedIdentityDocument doc, PublicKey publicKey) {
- if (doc instanceof DefaultSignedIdentityDocument signedDoc) {
- try {
- Signature signer = SignatureUtils.createVerifier(publicKey);
- signer.initVerify(publicKey);
- signer.update(signedDoc.data().getBytes(UTF_8));
- return signer.verify(Base64.getDecoder().decode(doc.signature()));
- } catch (GeneralSecurityException e) {
- throw new RuntimeException(e);
- }
- } else {
- throw new IllegalArgumentException("Unknown identity document type: " + doc.getClass().getName());
+ try {
+ Signature signer = SignatureUtils.createVerifier(publicKey);
+ signer.initVerify(publicKey);
+ signer.update(doc.data().getBytes(UTF_8));
+ return signer.verify(Base64.getDecoder().decode(doc.signature()));
+ } catch (GeneralSecurityException e) {
+ throw new RuntimeException(e);
}
}
}
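Review bot: A malformed base64 `signature()` now escapes `hasValidSignature` as an IllegalArgumentException from `Base64.getDecoder().decode` (L263), while a structurally invalid signature surfaces as a RuntimeException wrapping the SignatureException from `signer.verify` (L264-L265); since this method is the rejection point for a document received from outside, the two failure modes should map to one outcome. Widening the catch to `} catch (GeneralSecurityException | IllegalArgumentException e) {` and either returning false or throwing one documented exception type would make the contract uniform. Dropping the `instanceof` gate is fine now that the interface declares `data()`, but the method's Javadoc should state that the public key is expected to match `doc.signingKeyVersion()`, which is not checked here — presumably the caller selects it.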
diff --git a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/IdentityDocumentSignerTest.java b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/IdentityDocumentSignerTest.java
index 3845d9db5b2..3479350cf26 100644
--- a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/IdentityDocumentSignerTest.java
+++ b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/IdentityDocumentSignerTest.java
@@ -6,7 +6,7 @@ import com.yahoo.security.KeyUtils;
import com.yahoo.vespa.athenz.api.AthenzIdentity;
import com.yahoo.vespa.athenz.api.AthenzService;
import com.yahoo.vespa.athenz.identityprovider.api.ClusterType;
-import com.yahoo.vespa.athenz.identityprovider.api.DefaultSignedIdentityDocument;
+import com.yahoo.vespa.athenz.identityprovider.api.V4SignedIdentityDocument;
import com.yahoo.vespa.athenz.identityprovider.api.EntityBindingsMapper;
import com.yahoo.vespa.athenz.identityprovider.api.IdentityDocument;
import com.yahoo.vespa.athenz.identityprovider.api.IdentityType;
@@ -53,7 +53,7 @@ public class IdentityDocumentSignerTest {
String signature =
signer.generateSignature(data, keyPair.getPrivate());
- SignedIdentityDocument signedIdentityDocument = new DefaultSignedIdentityDocument(
+ SignedIdentityDocument signedIdentityDocument = new V4SignedIdentityDocument(
signature, KEY_VERSION, DEFAULT_DOCUMENT_VERSION, data);
assertTrue(signer.hasValidSignature(signedIdentityDocument, keyPair.getPublic()));
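Review bot: The updated test still covers only the V4 path: it constructs a `V4SignedIdentityDocument` (L286) yet passes `DEFAULT_DOCUMENT_VERSION` (L287) as its document version, which after this commit is 5, so the fixture claims a version the V4 record does not represent — assuming that constant is the one from `SignedIdentityDocument`. A second case building a `V5SignedIdentityDocument` with a String key version and asserting `hasValidSignature`, plus a round trip through `EntityBindingsMapper.toSignedIdentityDocumentEntity` / `toSignedIdentityDocument` for both versions, would exercise the new code. The test method starts before this hunk.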