authorMorten Tokle <mortent@oath.com>2018-10-05 12:27:50 +0200
committerMorten Tokle <mortent@oath.com>2018-10-05 12:27:50 +0200
commitac951c8a7359da2ea99a80cd4bd1d3dfe23b5376 (patch)
tree5278a332b61fa45f0704e07c3ddbbb7342c26171 /vespa-athenz
parentab53bb75dc2d56f75ba10a6a1dc127b7d0fa0ba6 (diff)
Implement role CSR requirements
Diffstat (limited to 'vespa-athenz')
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java21
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClient.java16
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java6
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/InstanceCsrGenerator.java23
4 files changed, 32 insertions, 34 deletions
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java
index 7d4901f163a..dc82ed7fcb9 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java
@@ -24,7 +24,6 @@ import com.yahoo.vespa.athenz.client.zts.utils.IdentityCsrGenerator;
import com.yahoo.vespa.athenz.identity.ServiceIdentityProvider;
import com.yahoo.vespa.athenz.identity.ServiceIdentitySslSocketFactory;
import com.yahoo.vespa.athenz.tls.Pkcs10Csr;
-import com.yahoo.vespa.athenz.tls.Pkcs10CsrBuilder;
import org.apache.http.HttpResponse;
import org.apache.http.client.ResponseHandler;
import org.apache.http.client.config.RequestConfig;
@@ -40,7 +39,6 @@ import org.eclipse.jetty.http.HttpStatus;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
-import javax.security.auth.x500.X500Principal;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.net.URI;
@@ -50,9 +48,6 @@ import java.time.Duration;
import java.util.List;
import java.util.function.Supplier;
-import static com.yahoo.vespa.athenz.tls.SignatureAlgorithm.SHA256_WITH_RSA;
-import static com.yahoo.vespa.athenz.tls.SubjectAlternativeName.Type.DNS_NAME;
-import static com.yahoo.vespa.athenz.tls.SubjectAlternativeName.Type.RFC822_NAME;
import static java.util.stream.Collectors.toList;
/**
@@ -163,15 +158,7 @@ public class DefaultZtsClient implements ZtsClient {
}
@Override
- public X509Certificate getRoleCertificate(AthenzRole role,
- Duration expiry,
- KeyPair keyPair,
- String cloud) {
- X500Principal principal = new X500Principal(String.format("cn=%s:role.%s", role.domain().getName(), role.roleName()));
- Pkcs10Csr csr = Pkcs10CsrBuilder.fromKeypair(principal, keyPair, SHA256_WITH_RSA)
- .addSubjectAlternativeName(DNS_NAME, String.format("%s.%s.%s", identity.getName(), identity.getDomainName().replace('.', '-'), cloud))
- .addSubjectAlternativeName(RFC822_NAME, String.format("%s.%s@%s", identity.getDomainName(), identity.getName(), cloud))
- .build();
+ public X509Certificate getRoleCertificate(AthenzRole role, Pkcs10Csr csr, Duration expiry) {
RoleCertificateRequestEntity requestEntity = new RoleCertificateRequestEntity(csr, expiry);
URI uri = ztsUrl.resolve(String.format("domain/%s/role/%s/token", role.domain().getName(), role.roleName()));
HttpUriRequest request = RequestBuilder.post(uri)
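Review bot: The new signature accepts any caller-supplied Pkcs10Csr, but `csr` goes straight into `new RoleCertificateRequestEntity(csr, expiry)` with no null check, so a null argument surfaces later as an NPE or a malformed request rather than at the public entry point; add `Objects.requireNonNull(csr, "csr");` as the first statement (with `java.util.Objects` imported). Because the client no longer builds the CSR itself, it can no longer guarantee that the subject names `role` (the removed code used `cn=<domain>:role.<name>`); a mismatch is now detected only by ZTS, which deserves a one-line comment above the request construction so the next reader does not look for that check here. The body of getRoleCertificate continues past the end of the hunk.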
@@ -184,10 +171,8 @@ public class DefaultZtsClient implements ZtsClient {
}
@Override
- public X509Certificate getRoleCertificate(AthenzRole role,
- KeyPair keyPair,
- String cloud) {
- return getRoleCertificate(role, null, keyPair, cloud);
+ public X509Certificate getRoleCertificate(AthenzRole role, Pkcs10Csr csr) {
+ return getRoleCertificate(role, csr, null);
}
@Override
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClient.java
index 5c0e21bfa97..2ef6039ddc8 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClient.java
@@ -1,7 +1,6 @@
// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.vespa.athenz.client.zts;
-import com.yahoo.athenz.zts.TenantDomains;
import com.yahoo.vespa.athenz.api.AthenzDomain;
import com.yahoo.vespa.athenz.api.AthenzIdentity;
import com.yahoo.vespa.athenz.api.AthenzRole;
@@ -84,27 +83,20 @@ public interface ZtsClient extends AutoCloseable {
* Fetch role certificate for the target domain and role
*
* @param role Target role
+ * @param csr Certificate signing request matching role
* @param expiry Certificate expiry
- * @param keyPair Key pair which will be used to generate CSR (certificate signing request)
- * @param cloud The cloud suffix used in DNS SAN entries
* @return A role certificate
*/
- X509Certificate getRoleCertificate(AthenzRole role,
- Duration expiry,
- KeyPair keyPair,
- String cloud);
+ X509Certificate getRoleCertificate(AthenzRole role, Pkcs10Csr csr, Duration expiry);
/**
* Fetch role certificate for the target domain and role
*
* @param role Target role
- * @param keyPair Key pair which will be used to generate CSR (certificate signing request)
- * @param cloud The cloud suffix used in DNS SAN entries
+ * @param csr Certificate signing request matching role
* @return A role certificate
*/
- X509Certificate getRoleCertificate(AthenzRole role,
- KeyPair keyPair,
- String cloud);
+ X509Certificate getRoleCertificate(AthenzRole role, Pkcs10Csr csr);
/**
* For a given provider, get a list of tenant domains that the user is a member of
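Review bot: `@param csr Certificate signing request matching role` leaves "matching" undefined for implementors of this interface; spell out the contract, e.g. `@param csr Certificate signing request whose subject names the role (CN of the form <domain>:role.<role-name>)`, which is the form InstanceCsrGenerator.generateRoleCsr in this commit produces. The three-argument overload is invoked with `expiry == null` by the two-argument overload in DefaultZtsClient, so `@param expiry` should state whether null is permitted and what it means. If `java.security.KeyPair` is no longer referenced elsewhere in this interface now that both keyPair parameters are gone, its import is unused as well.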
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java
index 9b4bdd35e8e..00fb3f80bee 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java
@@ -22,6 +22,7 @@ import com.yahoo.vespa.athenz.identity.ServiceIdentityProvider;
import com.yahoo.vespa.athenz.identity.SiaIdentityProvider;
import com.yahoo.security.KeyStoreType;
import com.yahoo.security.SslContextBuilder;
+import com.yahoo.vespa.athenz.tls.Pkcs10Csr;
import com.yahoo.vespa.athenz.utils.SiaUtils;
import com.yahoo.vespa.defaults.Defaults;
@@ -69,6 +70,7 @@ public final class AthenzIdentityProviderImpl extends AbstractComponent implemen
private final LoadingCache<AthenzRole, SSLContext> roleSslContextCache;
private final LoadingCache<AthenzRole, ZToken> roleSpecificRoleTokenCache;
private final LoadingCache<AthenzDomain, ZToken> domainSpecificRoleTokenCache;
+ private final InstanceCsrGenerator instanceCsrGenerator;
@Inject
public AthenzIdentityProviderImpl(IdentityConfig config, Metric metric) {
@@ -100,6 +102,7 @@ public final class AthenzIdentityProviderImpl extends AbstractComponent implemen
roleSslContextCache = createCache(ROLE_SSL_CONTEXT_EXPIRY, this::createRoleSslContext);
roleSpecificRoleTokenCache = createCache(ROLE_TOKEN_EXPIRY, this::createRoleToken);
domainSpecificRoleTokenCache = createCache(ROLE_TOKEN_EXPIRY, this::createRoleToken);
+ this.instanceCsrGenerator = new InstanceCsrGenerator(config.athenzDnsSuffix(), config.configserverIdentityName());
registerInstance();
}
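Review bot: The generator is constructed with `config.athenzDnsSuffix()` while the call it replaces in createRoleSslContext passed the `dnsSuffix` field; unless `dnsSuffix` is simply `config.athenzDnsSuffix()`, the RFC822 SAN of role CSRs now uses a different suffix than before, so passing `dnsSuffix` (if it is already assigned at this point) or a comment stating that the two are the same would keep the change visibly behavior-neutral. The assignment also uses `this.instanceCsrGenerator = ...` whereas the neighbouring cache assignments omit `this.`; drop the prefix for consistency. The constructor body continues outside the hunk.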
@@ -174,8 +177,9 @@ public final class AthenzIdentityProviderImpl extends AbstractComponent implemen
}
private SSLContext createRoleSslContext(AthenzRole role) {
+ Pkcs10Csr csr = instanceCsrGenerator.generateRoleCsr(identity, role, credentials.getIdentityDocument().providerUniqueId(), credentials.getKeyPair());
try (ZtsClient client = createZtsClient()) {
- X509Certificate roleCertificate = client.getRoleCertificate(role, credentials.getKeyPair(), dnsSuffix);
+ X509Certificate roleCertificate = client.getRoleCertificate(role, csr);
return new SslContextBuilder()
.withKeyStore(credentials.getKeyPair().getPrivate(), roleCertificate)
.withTrustStore(getDefaultTrustStoreLocation().toPath(), KeyStoreType.JKS)
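Review bot: `credentials` is dereferenced separately for the CSR's key pair on the new line and for the key store's private key on the unchanged `withKeyStore` line below; if the field can be replaced by a credential refresh on another thread, the role certificate could be issued for one key pair while the SSL context is built with the private key of another, which would fail every TLS handshake until the cache entry expires. Snapshotting the field into a local at the top of the method and using that local for `generateRoleCsr`, `getIdentityDocument()` and `withKeyStore` closes the window; if `credentials` is never reassigned, a comment saying so would spare the next reader the same question. The method continues past the end of the hunk.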
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/InstanceCsrGenerator.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/InstanceCsrGenerator.java
index cb97c4fb99c..6b6426c0bad 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/InstanceCsrGenerator.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/InstanceCsrGenerator.java
@@ -2,18 +2,20 @@
package com.yahoo.vespa.athenz.identityprovider.client;
import com.yahoo.vespa.athenz.api.AthenzIdentity;
+import com.yahoo.vespa.athenz.api.AthenzRole;
import com.yahoo.vespa.athenz.identityprovider.api.VespaUniqueInstanceId;
import com.yahoo.vespa.athenz.tls.Pkcs10Csr;
import com.yahoo.vespa.athenz.tls.Pkcs10CsrBuilder;
-import com.yahoo.vespa.athenz.tls.SignatureAlgorithm;
import com.yahoo.vespa.athenz.tls.SubjectAlternativeName;
import javax.security.auth.x500.X500Principal;
import java.security.KeyPair;
import java.util.Set;
+import static com.yahoo.vespa.athenz.tls.SignatureAlgorithm.SHA256_WITH_RSA;
import static com.yahoo.vespa.athenz.tls.SubjectAlternativeName.Type.DNS_NAME;
import static com.yahoo.vespa.athenz.tls.SubjectAlternativeName.Type.IP_ADDRESS;
+import static com.yahoo.vespa.athenz.tls.SubjectAlternativeName.Type.RFC822_NAME;
/**
* Generates a {@link Pkcs10Csr} for an instance.
@@ -37,7 +39,7 @@ public class InstanceCsrGenerator {
X500Principal subject = new X500Principal(String.format("OU=%s, CN=%s", providerService, instanceIdentity.getFullName()));
// Add SAN dnsname <service>.<domain-with-dashes>.<provider-dnsname-suffix>
// and SAN dnsname <provider-unique-instance-id>.instanceid.athenz.<provider-dnsname-suffix>
- Pkcs10CsrBuilder pkcs10CsrBuilder = Pkcs10CsrBuilder.fromKeypair(subject, keyPair, SignatureAlgorithm.SHA256_WITH_RSA)
+ Pkcs10CsrBuilder pkcs10CsrBuilder = Pkcs10CsrBuilder.fromKeypair(subject, keyPair, SHA256_WITH_RSA)
.addSubjectAlternativeName(
DNS_NAME,
String.format(
@@ -45,8 +47,23 @@ public class InstanceCsrGenerator {
instanceIdentity.getName(),
instanceIdentity.getDomainName().replace(".", "-"),
dnsSuffix))
- .addSubjectAlternativeName(DNS_NAME, String.format("%s.instanceid.athenz.%s", instanceId.asDottedString(), dnsSuffix));
+ .addSubjectAlternativeName(DNS_NAME, getIdentitySAN(instanceId));
ipAddresses.forEach(ip -> pkcs10CsrBuilder.addSubjectAlternativeName(new SubjectAlternativeName(IP_ADDRESS, ip)));
return pkcs10CsrBuilder.build();
}
+
+ public Pkcs10Csr generateRoleCsr(AthenzIdentity identity,
+ AthenzRole role,
+ VespaUniqueInstanceId instanceId,
+ KeyPair keyPair) {
+ X500Principal principal = new X500Principal(String.format("OU=%s, cn=%s:role.%s", providerService, role.domain().getName(), role.roleName()));
+ return Pkcs10CsrBuilder.fromKeypair(principal, keyPair, SHA256_WITH_RSA)
+ .addSubjectAlternativeName(DNS_NAME, getIdentitySAN(instanceId))
+ .addSubjectAlternativeName(RFC822_NAME, String.format("%s.%s@%s", identity.getDomainName(), identity.getName(), dnsSuffix))
+ .build();
+ }
+
+ private String getIdentitySAN(VespaUniqueInstanceId instanceId) {
+ return String.format("%s.instanceid.athenz.%s", instanceId.asDottedString(), dnsSuffix);
+ }
}
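Review bot: generateRoleCsr is a new public method without Javadoc in a class whose class-level Javadoc describes only instance CSRs; add a doc comment stating that the subject is `OU=<providerService>, CN=<domain>:role.<role-name>` and that the SANs are the instance-id DNS name plus an RFC822 name of the form `<domain>.<service>@<dnsSuffix>`. The subject string mixes `OU=` with lowercase `cn=`; X500Principal accepts attribute types case-insensitively (the removed DefaultZtsClient code used the same lowercase form), but the instance CSR above uses `CN=`, so write `"OU=%s, CN=%s:role.%s"` for consistency. None of the parameters is null-checked; `Objects.requireNonNull` on `role`, `instanceId` and `keyPair` (with `java.util.Objects` imported) would fail fast instead of inside the builder.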