author | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2019-08-28 21:40:05 +0200 |
committer | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2019-08-28 21:40:05 +0200 |
commit | 8b37b6ed1eafc8d8967e4732ea978ed1806eca71 (patch) | |
tree | 3c401b108b9095f8cae4c580737a85f9077042c8 /vespa-athenz | |
parent | ec8efebdb70dd4c07288b0b9c6398af6635dced4 (diff) |
Revert "Include instance hostname in Athenz node certificates"
This reverts commit aca45ba95c5fb0b7d9c1fe89ee3a866ff65c76ac.
Diffstat (limited to 'vespa-athenz')
7 files changed, 4 insertions, 24 deletions
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java
index 13150158dad..7116bf72ec4 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java
@@ -67,10 +67,9 @@ public class DefaultZtsClient extends ClientBase implements ZtsClient {
     public InstanceIdentity registerInstance(AthenzIdentity providerIdentity,
                                              AthenzIdentity instanceIdentity,
                                              String attestationData,
-                                             String hostname,
                                              Pkcs10Csr csr) {
         InstanceRegisterInformation payload =
-                new InstanceRegisterInformation(providerIdentity, instanceIdentity, attestationData, hostname, csr);
+                new InstanceRegisterInformation(providerIdentity, instanceIdentity, attestationData, csr);
         HttpUriRequest request = RequestBuilder.post()
                 .setUri(ztsUrl.resolve("instance/"))
                 .setEntity(toJsonStringEntity(payload))
@@ -82,9 +81,8 @@ public class DefaultZtsClient extends ClientBase implements ZtsClient {
     public InstanceIdentity refreshInstance(AthenzIdentity providerIdentity,
                                             AthenzIdentity instanceIdentity,
                                             String instanceId,
-                                            String hostname,
                                             Pkcs10Csr csr) {
-        InstanceRefreshInformation payload = new InstanceRefreshInformation(csr, hostname);
+        InstanceRefreshInformation payload = new InstanceRefreshInformation(csr);
         URI uri = ztsUrl.resolve(
                 String.format("instance/%s/%s/%s/%s",
                         providerIdentity.getFullName(),
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClient.java
index 4f44dba4864..c09ad8f48a0 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClient.java
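Review bot: In `refreshInstance` the request path is still assembled with `String.format("instance/%s/%s/%s/%s", providerIdentity.getFullName(), …)` and handed to `ztsUrl.resolve(...)` without percent-encoding or validating the segments, so an `instanceId` containing `/`, `?` or `#` would change which ZTS resource the refresh addresses; the method body continues outside the hunk, so I cannot see whether the remaining arguments are checked. The only caller visible in this commit passes `document.providerUniqueId().asDottedString()`, which presumably has a restricted alphabet, but the public signature accepts any `String`. Consider failing fast on path-unsafe input, e.g. `if (instanceId.indexOf('/') >= 0 || instanceId.indexOf('?') >= 0 || instanceId.indexOf('#') >= 0) throw new IllegalArgumentException("Illegal instance id: " + instanceId);`, or at least documenting the precondition with an `@param instanceId` note in the `ZtsClient` Javadoc.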
@@ -29,7 +29,6 @@ public interface ZtsClient extends AutoCloseable {
      */
     InstanceIdentity registerInstance(AthenzIdentity providerIdentity,
                                       AthenzIdentity instanceIdentity,
-                                      String hostname,
                                       String attestationData,
                                       Pkcs10Csr csr);
 
@@ -41,7 +40,6 @@ public interface ZtsClient extends AutoCloseable {
     InstanceIdentity refreshInstance(AthenzIdentity providerIdentity,
                                      AthenzIdentity instanceIdentity,
                                      String instanceId,
-                                     String hostname,
                                      Pkcs10Csr csr);
 
     /**
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/bindings/InstanceRefreshInformation.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/bindings/InstanceRefreshInformation.java
index 5d101ed31e6..f6c359c09a8 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/bindings/InstanceRefreshInformation.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/bindings/InstanceRefreshInformation.java
@@ -18,11 +18,8 @@ public class InstanceRefreshInformation {
     @JsonProperty("csr")
     @JsonSerialize(using = Pkcs10CsrSerializer.class)
     private final Pkcs10Csr csr;
-    @JsonProperty("hostname")
-    private final String hostname;
 
-    public InstanceRefreshInformation(Pkcs10Csr csr, String hostname) {
+    public InstanceRefreshInformation(Pkcs10Csr csr) {
         this.csr = csr;
-        this.hostname = hostname;
     }
 }
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/bindings/InstanceRegisterInformation.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/bindings/InstanceRegisterInformation.java
index c5175f19b44..cd272ccf685 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/bindings/InstanceRegisterInformation.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/bindings/InstanceRegisterInformation.java
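Review bot: The constructor `InstanceRefreshInformation(Pkcs10Csr csr)` stores `csr` without a null check, so a missing CSR is only discovered when the serialized body reaches ZTS (or inside `Pkcs10CsrSerializer`, depending on how Jackson treats the null field), far from the caller that made the mistake. `this.csr = Objects.requireNonNull(csr, "csr");` would fail fast in `DefaultZtsClient.refreshInstance` with a clear message; `java.util.Objects` would need importing. For comparison, `InstanceRegisterInformation`'s constructor in the next file already dereferences `csr` through `Pkcs10CsrUtils.toPem(csr)` and so rejects null, though only with a bare NullPointerException.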
@@ -25,21 +25,17 @@ public class InstanceRegisterInformation {
     private final String service;
     @JsonProperty("attestationData")
     private final String attestationData;
-    @JsonProperty("hostname")
-    private final String hostname;
     @JsonProperty("csr")
     private final String csr;
 
     public InstanceRegisterInformation(AthenzIdentity providerIdentity,
                                        AthenzIdentity instanceIdentity,
                                        String attestationData,
-                                       String hostname,
                                        Pkcs10Csr csr) {
         this.provider = providerIdentity.getFullName();
         this.domain = instanceIdentity.getDomain().getName();
         this.service = instanceIdentity.getName();
         this.attestationData = attestationData;
         this.csr = Pkcs10CsrUtils.toPem(csr);
-        this.hostname = hostname;
     }
 }
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java
index 8e0bdb9b19c..eccf1088cce 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java
@@ -75,7 +75,6 @@ class AthenzCredentialsService {
         Pkcs10Csr csr = csrGenerator.generateInstanceCsr(
                 tenantIdentity,
                 document.providerUniqueId(),
-                /*hostname*/null, // no hostname in tenant certificates
                 document.ipAddresses(),
                 keyPair);
 
@@ -84,7 +83,6 @@ class AthenzCredentialsService {
         ztsClient.registerInstance(
                 configserverIdentity,
                 tenantIdentity,
-                /*hostname*/null,
                 EntityBindingsMapper.toAttestationData(document),
                 csr);
         X509Certificate certificate = instanceIdentity.certificate();
@@ -98,7 +96,6 @@ class AthenzCredentialsService {
         Pkcs10Csr csr = csrGenerator.generateInstanceCsr(
                 tenantIdentity,
                 document.providerUniqueId(),
-                /*hostname*/null, // no hostname in tenant certificates
                 document.ipAddresses(),
                 newKeyPair);
 
@@ -107,7 +104,6 @@ class AthenzCredentialsService {
         ztsClient.refreshInstance(
                 configserverIdentity,
                 tenantIdentity,
-                /*hostname*/null,
                 document.providerUniqueId().asDottedString(),
                 csr);
         X509Certificate certificate = instanceIdentity.certificate();
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/CsrGenerator.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/CsrGenerator.java
index dff753b9126..f73a52b373b 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/CsrGenerator.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/CsrGenerator.java
@@ -34,13 +34,11 @@ public class CsrGenerator {
 
     public Pkcs10Csr generateInstanceCsr(AthenzIdentity instanceIdentity,
                                          VespaUniqueInstanceId instanceId,
-                                         String hostname,
                                          Set<String> ipAddresses,
                                          KeyPair keyPair) {
         X500Principal subject = new X500Principal(String.format("OU=%s, CN=%s", providerService, instanceIdentity.getFullName()));
         // Add SAN dnsname <service>.<domain-with-dashes>.<provider-dnsname-suffix>
         // and SAN dnsname <provider-unique-instance-id>.instanceid.athenz.<provider-dnsname-suffix>
-        // and SAN dnsname <hostname> (note: ZTS will verify that there is a DNS A record with hostname having the remote ip)
         Pkcs10CsrBuilder pkcs10CsrBuilder = Pkcs10CsrBuilder.fromKeypair(subject, keyPair, SHA256_WITH_RSA)
                 .addSubjectAlternativeName(
                         DNS_NAME,
@@ -50,9 +48,6 @@ public class CsrGenerator {
                         instanceIdentity.getDomainName().replace(".", "-"),
                         dnsSuffix))
                 .addSubjectAlternativeName(DNS_NAME, getIdentitySAN(instanceId));
-        if (hostname != null) {
-            pkcs10CsrBuilder.addSubjectAlternativeName(DNS_NAME, hostname);
-        }
         ipAddresses.forEach(ip -> pkcs10CsrBuilder.addSubjectAlternativeName(new SubjectAlternativeName(IP_ADDRESS, ip)));
         return pkcs10CsrBuilder.build();
     }
diff --git a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/InstanceCsrGeneratorTest.java b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/InstanceCsrGeneratorTest.java
index 3b2129821a3..8b6d2f06777 100644
--- a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/InstanceCsrGeneratorTest.java
+++ b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/InstanceCsrGeneratorTest.java
@@ -31,7 +31,7 @@ public class InstanceCsrGeneratorTest {
         VespaUniqueInstanceId vespaUniqueInstanceId = VespaUniqueInstanceId.fromDottedString("0.default.default.foo-app.vespa.us-north-1.prod.node");
         KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.RSA);
-        Pkcs10Csr csr = csrGenerator.generateInstanceCsr(service, vespaUniqueInstanceId, "myhostname", Collections.emptySet(), keyPair);
+        Pkcs10Csr csr = csrGenerator.generateInstanceCsr(service, vespaUniqueInstanceId, Collections.emptySet(), keyPair);
         assertEquals(new X500Principal(String.format("OU=%s, CN=%s", PROVIDER_SERVICE, ATHENZ_SERVICE)), csr.getSubject());
     }
 }
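Review bot: The test still asserts only `csr.getSubject()`, so the subject alternative names that `generateInstanceCsr` builds (the service DNS name, the instance-id DNS name and the IP addresses) — exactly the part this revert changes — have no coverage, and a DNS SAN being re-added or dropped later would pass unnoticed. Consider extending the test to pin the expected SAN list as well, using whatever accessor `Pkcs10Csr` exposes for the CSR's subject alternative names, and adding a second case with a non-empty `ipAddresses` set so the `IP_ADDRESS` branch is exercised too. The enclosing test method starts outside the hunk.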