author | Morten Tokle <mortent@oath.com> | 2018-04-26 12:37:48 +0200 |
---|---|---|
committer | Morten Tokle <mortent@oath.com> | 2018-04-26 12:37:48 +0200 |
commit | 76ac43a8f476d3fd10a994904be6872054a9f223 (patch) | |
tree | 1cba130fcb8d2b31e93413f7e3e979948c4eae23 /vespa-athenz | |
parent | 965a59df674215cc21cc6036c114ca420835d514 (diff) |
Include ipaddress SAN in CSR
Diffstat (limited to 'vespa-athenz')
4 files changed, 72 insertions, 14 deletions
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/IdentityDocument.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/IdentityDocument.java
index 0224761fad8..127a9de16ca 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/IdentityDocument.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/IdentityDocument.java
@@ -1,14 +1,17 @@
 // Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.vespa.athenz.identityprovider.api.bindings;
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import java.time.Instant;
 import java.util.Objects;
+import java.util.Set;
 /**
  * @author bjorncs
  */
+@JsonIgnoreProperties(ignoreUnknown = true)
 public class IdentityDocument {
     @JsonProperty("provider-unique-id")
@@ -19,41 +22,50 @@ public class IdentityDocument {
     public final String instanceHostname;
     @JsonProperty("created-at")
     public final Instant createdAt;
+    @JsonProperty("ip-addresses")
+    public final Set<String> ipAddresses;
     public IdentityDocument(
             @JsonProperty("provider-unique-id") ProviderUniqueId providerUniqueId,
             @JsonProperty("configserver-hostname") String configServerHostname,
             @JsonProperty("instance-hostname") String instanceHostname,
-            @JsonProperty("created-at") Instant createdAt) {
+            @JsonProperty("created-at") Instant createdAt,
+            @JsonProperty("ip-addresses") Set<String> ipAddresses) {
         this.providerUniqueId = providerUniqueId;
         this.configServerHostname = configServerHostname;
         this.instanceHostname = instanceHostname;
         this.createdAt = createdAt;
+        this.ipAddresses = ipAddresses;
     }
+    @Override
     public String toString() {
         return "IdentityDocument{" +
-                "providerUniqueId=" + providerUniqueId +
-                ", configServerHostname='" + configServerHostname + '\'' +
-                ", instanceHostname='" + instanceHostname + '\'' +
-                ", createdAt=" + createdAt +
-                '}';
+                "providerUniqueId=" + providerUniqueId +
+                ", configServerHostname='" + configServerHostname + '\'' +
+                ", instanceHostname='" + instanceHostname + '\'' +
+                ", createdAt=" + createdAt +
+                ", ipAddresses=" + ipAddresses +
+                '}';
     }
+    @Override
     public boolean equals(Object o) {
         if (this == o) return true;
         if (o == null || getClass() != o.getClass()) return false;
         IdentityDocument that = (IdentityDocument) o;
-        return Objects.equals(providerUniqueId, that.providerUniqueId) &&
-                Objects.equals(configServerHostname, that.configServerHostname) &&
-                Objects.equals(instanceHostname, that.instanceHostname) &&
-                Objects.equals(createdAt, that.createdAt);
+        return Objects.equals(providerUniqueId, that.providerUniqueId) &&
+                Objects.equals(configServerHostname, that.configServerHostname) &&
+                Objects.equals(instanceHostname, that.instanceHostname) &&
+                Objects.equals(createdAt, that.createdAt) &&
+                Objects.equals(ipAddresses, that.ipAddresses);
     }
     @Override
     public int hashCode() {
-        return Objects.hash(providerUniqueId, configServerHostname, instanceHostname, createdAt);
+
+        return Objects.hash(providerUniqueId, configServerHostname, instanceHostname, createdAt, ipAddresses);
     }
 }
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/SignedIdentityDocument.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/SignedIdentityDocument.java
index f03fb01c671..6ddbb4af620 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/SignedIdentityDocument.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/SignedIdentityDocument.java
@@ -3,6 +3,7 @@ package com.yahoo.vespa.athenz.identityprovider.api.bindings;
 import com.fasterxml.jackson.annotation.JsonCreator;
 import com.fasterxml.jackson.annotation.JsonIgnore;
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule;
@@ -16,6 +17,7 @@ import java.util.Objects;
 /**
  * @author bjorncs
  */
+@JsonIgnoreProperties(ignoreUnknown = true)
 public class SignedIdentityDocument {
     public static final int DEFAULT_KEY_VERSION = 0;
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java
index e221ad792b3..f355f96124b 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java
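Review bot: The new `ipAddresses` field stores the caller's `Set<String>` reference as-is, so a mutable set passed to the constructor (or reached through the public final field) can change after construction, and a missing `ip-addresses` key leaves it `null`; every other field of the class is an immutable type, so this is the first member whose contents can drift. Consider `this.ipAddresses = ipAddresses == null ? null : Collections.unmodifiableSet(new HashSet<>(ipAddresses));` (with `java.util.Collections` and `java.util.HashSet` imported), keeping `null` so that a document from a config server that does not emit the field stays distinguishable from an explicitly empty set. A one-line Javadoc on the field such as `/** Addresses the instance may request as IP SANs in its CSR; null when the issuing config server did not supply the field */` would record that contract for the consumer in AthenzCredentialsService. The added blank line before `return` in hashCode looks accidental.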
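Review bot: `@JsonIgnoreProperties(ignoreUnknown = true)` on `SignedIdentityDocument` lets an older client parse a document from a newer config server, which is presumably the point, but on a signed object it is worth confirming how the signature is computed and verified (not in this diff): if verification re-serializes the parsed fields rather than checking the bytes received, unknown fields silently drop out of what is verified, and any field the client acts on — now including `ip-addresses`, which becomes IP SANs in the CSR — has to be covered by the signature before the instance is allowed to assert it. A short comment on the annotation would keep that requirement visible, e.g. `// Tolerate fields added by newer config servers; the signature must still cover every field this class reads`.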
@@ -10,6 +10,7 @@ import com.yahoo.vespa.athenz.tls.Pkcs10Csr;
 import com.yahoo.vespa.athenz.tls.Pkcs10CsrBuilder;
 import com.yahoo.vespa.athenz.tls.Pkcs10CsrUtils;
 import com.yahoo.vespa.athenz.tls.SignatureAlgorithm;
+import com.yahoo.vespa.athenz.tls.SubjectAlternativeName;
 import javax.security.auth.x500.X500Principal;
 import java.io.IOException;
@@ -17,6 +18,9 @@ import java.io.UncheckedIOException;
 import java.security.KeyPair;
 import java.security.cert.X509Certificate;
 import java.time.Clock;
+import java.util.Set;
+
+import static com.yahoo.vespa.athenz.tls.SubjectAlternativeName.Type.IP_ADDRESS;
 /**
  * @author bjorncs
@@ -48,6 +52,7 @@ class AthenzCredentialsService {
                 identityConfig.service(),
                 document.dnsSuffix,
                 document.providerUniqueId,
+                document.identityDocument.ipAddresses,
                 keyPair);
         InstanceRegisterInformation instanceRegisterInformation = new InstanceRegisterInformation(document.providerService,
@@ -67,6 +72,7 @@ class AthenzCredentialsService {
                 identityConfig.service(),
                 document.dnsSuffix,
                 document.providerUniqueId,
+                document.identityDocument.ipAddresses,
                 newKeyPair);
         InstanceRefreshInformation refreshInfo = new InstanceRefreshInformation(Pkcs10CsrUtils.toPem(csr));
         InstanceIdentity instanceIdentity =
@@ -101,18 +107,22 @@ class AthenzCredentialsService {
                                      String identityService,
                                      String dnsSuffix,
                                      String providerUniqueId,
+                                     Set<String> ipAddresses,
                                      KeyPair keyPair) {
         X500Principal subject = new X500Principal(String.format("CN=%s.%s", identityDomain, identityService));
         // Add SAN dnsname <service>.<domain-with-dashes>.<provider-dnsname-suffix>
         // and SAN dnsname <provider-unique-instance-id>.instanceid.athenz.<provider-dnsname-suffix>
-        return Pkcs10CsrBuilder.fromKeypair(subject, keyPair, SignatureAlgorithm.SHA256_WITH_RSA)
+        Pkcs10CsrBuilder pkcs10CsrBuilder = Pkcs10CsrBuilder.fromKeypair(subject, keyPair, SignatureAlgorithm.SHA256_WITH_RSA)
                 .addSubjectAlternativeName(String.format("%s.%s.%s", identityService, identityDomain.replace(".", "-"), dnsSuffix))
                 .addSubjectAlternativeName(String.format("%s.instanceid.athenz.%s", providerUniqueId,
-                        dnsSuffix))
-                .build();
+                        dnsSuffix));
+        if(ipAddresses != null) {
+            ipAddresses.forEach(ipaddress -> pkcs10CsrBuilder.addSubjectAlternativeName(new SubjectAlternativeName(IP_ADDRESS, ipaddress)));
+        }
+        return pkcs10CsrBuilder.build();
     }
 }
diff --git a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/api/bindings/IdentityDocumentTest.java b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/api/bindings/IdentityDocumentTest.java
new file mode 100644
index 00000000000..cfc6e33b911
--- /dev/null
+++ b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/api/bindings/IdentityDocumentTest.java
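Review bot: The comment above the builder still documents only the two DNS SANs, while the new loop adds one IP SAN per entry of `ipAddresses` without checking the strings, so a malformed entry fails somewhere inside `SubjectAlternativeName` or the CSR builder with an error that does not name the offending value; the method's signature begins before this hunk. I would extend the comment with `// and one SAN ipaddress per entry of the identity document's ip-addresses (skipped when the field is absent)` and, unless the builder already validates, reject entries that are not IP literals before adding them, with a message that includes the value and the document it came from. Whether ZTS or the provider verifies that the requested IP SANs actually belong to the instance is outside this diff and should be confirmed, since the signed identity document is the only source of these addresses on the client side. Minor style: `if(ipAddresses != null)` should be `if (ipAddresses != null)`, and `ipaddress` reads better as `ipAddress`.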
@@ -0,0 +1,34 @@
+package com.yahoo.vespa.athenz.api.bindings;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule;
+import com.google.common.collect.ImmutableSet;
+import com.yahoo.vespa.athenz.identityprovider.api.VespaUniqueInstanceId;
+import com.yahoo.vespa.athenz.identityprovider.api.bindings.IdentityDocument;
+import com.yahoo.vespa.athenz.identityprovider.api.bindings.ProviderUniqueId;
+import org.junit.Test;
+
+import java.io.IOException;
+import java.time.Instant;
+
+import static org.junit.Assert.assertEquals;
+
+public class IdentityDocumentTest {
+
+    @Test
+    public void test_serialization_deserialization() throws IOException {
+        IdentityDocument document = new IdentityDocument(
+                ProviderUniqueId.fromVespaUniqueInstanceId(
+                        VespaUniqueInstanceId.fromDottedString("1.clusterId.instance.application.tenant.region.environment")),
+                "cfg.prod.xyz",
+                "foo.bar",
+                Instant.now(),
+                ImmutableSet.of("127.0.0.1", "::1"));
+
+        ObjectMapper mapper = new ObjectMapper();
+        mapper.registerModule(new JavaTimeModule());
+        String documentString = mapper.writeValueAsString(document);
+        IdentityDocument deserializedDocument = mapper.readValue(documentString, IdentityDocument.class);
+        assertEquals(document, deserializedDocument);
+    }
+}
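Review bot: The new test only round-trips a fully populated document; it does not exercise the two behaviours the rest of this commit relies on — a document without an `ip-addresses` key (presumably what a config server that does not yet emit the field produces) deserializing with `ipAddresses == null`, which is the case the null check in `AthenzCredentialsService.createCSR` is written for, and `ignoreUnknown = true` accepting an extra key. Both can be covered from the same fixture by editing the serialized tree, as sketched below; the added test needs `com.fasterxml.jackson.databind.node.ObjectNode` and `org.junit.Assert.assertNull` imported. `Instant.now()` works here, but a fixed value such as `Instant.ofEpochSecond(1524739068)` would make a failure reproducible.
```java
    @Test
    public void test_deserialization_tolerates_missing_ip_addresses_and_unknown_fields() throws IOException {
        // … unchanged: build `document` and `mapper` exactly as in test_serialization_deserialization …
        ObjectNode json = (ObjectNode) mapper.valueToTree(document);
        json.remove("ip-addresses");
        json.put("future-field", "ignored");
        IdentityDocument deserialized = mapper.treeToValue(json, IdentityDocument.class);
        assertNull(deserialized.ipAddresses);
        assertEquals(document.instanceHostname, deserialized.instanceHostname);
    }
```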