authorBjørn Christian Seime <bjorn.christian@seime.no>2018-04-20 11:22:59 +0200
committerGitHub <noreply@github.com>2018-04-20 11:22:59 +0200
commite590767e3bb6346b1edf65f3a2e0e66c33608a77 (patch)
tree470df7bda6f680e970f96ba7c1eb66dde95dcd6a /vespa-athenz
parent96e3c8474e8904591547f6c255764d92d748c5a0 (diff)
parent97b5dc407f526da94405cd3a3cde88d617f7685b (diff)
Merge pull request #5642 from vespa-engine/bjorncs/identity-document-api
Bjorncs/identity document api
Diffstat (limited to 'vespa-athenz')
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/IdentityDocument.java59
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/IdentityDocumentApi.java32
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/ProviderUniqueId.java86
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/SignedIdentityDocument.java97
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/package-info.java8
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentials.java2
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java1
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/SignedIdentityDocument.java33
8 files changed, 285 insertions, 33 deletions
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/IdentityDocument.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/IdentityDocument.java
new file mode 100644
index 00000000000..0224761fad8
--- /dev/null
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/IdentityDocument.java
@@ -0,0 +1,59 @@
+// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.athenz.identityprovider.api.bindings;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+import java.time.Instant;
+import java.util.Objects;
+
+/**
+ * @author bjorncs
+ */
+public class IdentityDocument {
+
+ @JsonProperty("provider-unique-id")
+ public final ProviderUniqueId providerUniqueId;
+ @JsonProperty("configserver-hostname")
+ public final String configServerHostname;
+ @JsonProperty("instance-hostname")
+ public final String instanceHostname;
+ @JsonProperty("created-at")
+ public final Instant createdAt;
+
+ public IdentityDocument(
+ @JsonProperty("provider-unique-id") ProviderUniqueId providerUniqueId,
+ @JsonProperty("configserver-hostname") String configServerHostname,
+ @JsonProperty("instance-hostname") String instanceHostname,
+ @JsonProperty("created-at") Instant createdAt) {
+ this.providerUniqueId = providerUniqueId;
+ this.configServerHostname = configServerHostname;
+ this.instanceHostname = instanceHostname;
+ this.createdAt = createdAt;
+ }
+
+ @Override
+ public String toString() {
+ return "IdentityDocument{" +
+ "providerUniqueId=" + providerUniqueId +
+ ", configServerHostname='" + configServerHostname + '\'' +
+ ", instanceHostname='" + instanceHostname + '\'' +
+ ", createdAt=" + createdAt +
+ '}';
+ }
+
+ @Override
+ public boolean equals(Object o) {
+ if (this == o) return true;
+ if (o == null || getClass() != o.getClass()) return false;
+ IdentityDocument that = (IdentityDocument) o;
+ return Objects.equals(providerUniqueId, that.providerUniqueId) &&
+ Objects.equals(configServerHostname, that.configServerHostname) &&
+ Objects.equals(instanceHostname, that.instanceHostname) &&
+ Objects.equals(createdAt, that.createdAt);
+ }
+
+ @Override
+ public int hashCode() {
+ return Objects.hash(providerUniqueId, configServerHostname, instanceHostname, createdAt);
+ }
+}
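Review bot: The class Javadoc carries only `@author`, so a reader has to open SignedIdentityDocument to learn what this type is. Since the constructor (L53-L62) accepts every field, including `createdAt`, without a null check and `equals` tolerates nulls via `Objects.equals`, the summary should also say whether absent fields are expected from the wire. Suggested summary: `/** The identity document payload; carried base64-encoded as SignedIdentityDocument.rawIdentityDocument and bound to its signature there. Fields are not validated here. */`, trimmed to whatever the maintainers can confirm about absent fields.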
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/IdentityDocumentApi.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/IdentityDocumentApi.java
new file mode 100644
index 00000000000..80aaa72d4bf
--- /dev/null
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/IdentityDocumentApi.java
@@ -0,0 +1,32 @@
+// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.athenz.identityprovider.api.bindings;
+
+import javax.ws.rs.GET;
+import javax.ws.rs.Path;
+import javax.ws.rs.PathParam;
+import javax.ws.rs.Produces;
+import javax.ws.rs.QueryParam;
+import javax.ws.rs.core.MediaType;
+
+/**
+ * @author bjorncs
+ */
+@Path("/identity-document")
+public interface IdentityDocumentApi {
+
+ @GET
+ @Produces(MediaType.APPLICATION_JSON)
+ @Deprecated
+ SignedIdentityDocument getIdentityDocument(@QueryParam("hostname") String hostname);
+
+ @GET
+ @Produces(MediaType.APPLICATION_JSON)
+ @Path("/node/{host}")
+ SignedIdentityDocument getNodeIdentityDocument(@PathParam("host") String host);
+
+
+ @GET
+ @Produces(MediaType.APPLICATION_JSON)
+ @Path("/tenant/{host}")
+ SignedIdentityDocument getTenantIdentityDocument(@PathParam("host") String host);
+}
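Review bot: `getIdentityDocument` at L114-L115 is marked `@Deprecated` but has no Javadoc `@deprecated` tag, so callers cannot tell which of the two new endpoints (`getNodeIdentityDocument`, `getTenantIdentityDocument`) replaces it, or for which host class. Add a Javadoc comment on the method naming the replacement, e.g. `/** @deprecated use {@link #getNodeIdentityDocument(String)} or {@link #getTenantIdentityDocument(String)} depending on the host type. */`, and consider `@Deprecated(since = ..., forRemoval = ...)` if the project targets Java 9+. The double blank line at L121-L122 is a minor formatting nit.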
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/ProviderUniqueId.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/ProviderUniqueId.java
new file mode 100644
index 00000000000..81064b0c927
--- /dev/null
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/ProviderUniqueId.java
@@ -0,0 +1,86 @@
+// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.athenz.identityprovider.api.bindings;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.yahoo.vespa.athenz.identityprovider.api.VespaUniqueInstanceId;
+
+import java.util.Objects;
+
+/**
+ * @author bjorncs
+ */
+public class ProviderUniqueId {
+
+ @JsonProperty("tenant")
+ public final String tenant;
+ @JsonProperty("application")
+ public final String application;
+ @JsonProperty("environment")
+ public final String environment;
+ @JsonProperty("region")
+ public final String region;
+ @JsonProperty("instance")
+ public final String instance;
+ @JsonProperty("cluster-id")
+ public final String clusterId;
+ @JsonProperty("cluster-index")
+ public final int clusterIndex;
+
+ public ProviderUniqueId(@JsonProperty("tenant") String tenant,
+ @JsonProperty("application") String application,
+ @JsonProperty("environment") String environment,
+ @JsonProperty("region") String region,
+ @JsonProperty("instance") String instance,
+ @JsonProperty("cluster-id") String clusterId,
+ @JsonProperty("cluster-index") int clusterIndex) {
+ this.tenant = tenant;
+ this.application = application;
+ this.environment = environment;
+ this.region = region;
+ this.instance = instance;
+ this.clusterId = clusterId;
+ this.clusterIndex = clusterIndex;
+ }
+
+ public VespaUniqueInstanceId toVespaUniqueInstanceId() {
+ return new VespaUniqueInstanceId(clusterIndex, clusterId, instance, application, tenant, region, environment);
+ }
+
+ public static ProviderUniqueId fromVespaUniqueInstanceId(VespaUniqueInstanceId instanceId) {
+ return new ProviderUniqueId(
+ instanceId.tenant(), instanceId.application(), instanceId.environment(), instanceId.region(),
+ instanceId.instance(), instanceId.clusterId(), instanceId.clusterIndex());
+ }
+
+ @Override
+ public String toString() {
+ return "ProviderUniqueId{" +
+ "tenant='" + tenant + '\'' +
+ ", application='" + application + '\'' +
+ ", environment='" + environment + '\'' +
+ ", region='" + region + '\'' +
+ ", instance='" + instance + '\'' +
+ ", clusterId='" + clusterId + '\'' +
+ ", clusterIndex=" + clusterIndex +
+ '}';
+ }
+
+ @Override
+ public boolean equals(Object o) {
+ if (this == o) return true;
+ if (o == null || getClass() != o.getClass()) return false;
+ ProviderUniqueId that = (ProviderUniqueId) o;
+ return clusterIndex == that.clusterIndex &&
+ Objects.equals(tenant, that.tenant) &&
+ Objects.equals(application, that.application) &&
+ Objects.equals(environment, that.environment) &&
+ Objects.equals(region, that.region) &&
+ Objects.equals(instance, that.instance) &&
+ Objects.equals(clusterId, that.clusterId);
+ }
+
+ @Override
+ public int hashCode() {
+ return Objects.hash(tenant, application, environment, region, instance, clusterId, clusterIndex);
+ }
+}
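Review bot: The two conversions at L178-L186 are the only place these JSON bindings map onto the domain `VespaUniqueInstanceId`, and the positional call `new VespaUniqueInstanceId(clusterIndex, clusterId, instance, application, tenant, region, environment)` orders the arguments differently from the field declarations; `VespaUniqueInstanceId` is not in this diff, so a mismatched parameter order would compile silently wherever two `String` parameters are swapped. A round-trip unit test, `assertEquals(id, ProviderUniqueId.fromVespaUniqueInstanceId(id).toVespaUniqueInstanceId())`, would pin this, and a one-line comment on `toVespaUniqueInstanceId` noting that the argument order follows the `VespaUniqueInstanceId` constructor rather than the JSON layout would help the next reader. As with the other bindings, the constructor does no null validation; that is acceptable for a pure binding if documented as such.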
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/SignedIdentityDocument.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/SignedIdentityDocument.java
new file mode 100644
index 00000000000..f03fb01c671
--- /dev/null
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/SignedIdentityDocument.java
@@ -0,0 +1,97 @@
+// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.athenz.identityprovider.api.bindings;
+
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonIgnore;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule;
+
+import java.io.IOException;
+import java.io.UncheckedIOException;
+import java.net.URI;
+import java.util.Base64;
+import java.util.Objects;
+
+/**
+ * @author bjorncs
+ */
+public class SignedIdentityDocument {
+
+ public static final int DEFAULT_KEY_VERSION = 0;
+ public static final int DEFAULT_DOCUMENT_VERSION = 1;
+
+ private static final ObjectMapper mapper = createObjectMapper();
+
+ @JsonProperty("identity-document")public final String rawIdentityDocument;
+ @JsonIgnore public final IdentityDocument identityDocument;
+ @JsonProperty("signature") public final String signature;
+ @JsonProperty("signing-key-version") public final int signingKeyVersion;
+ @JsonProperty("provider-unique-id") public final String providerUniqueId; // String representation
+ @JsonProperty("dns-suffix") public final String dnsSuffix;
+ @JsonProperty("provider-service") public final String providerService;
+ @JsonProperty("zts-endpoint") public final URI ztsEndpoint;
+ @JsonProperty("document-version") public final int documentVersion;
+
+ @JsonCreator
+ public SignedIdentityDocument(@JsonProperty("identity-document") String rawIdentityDocument,
+ @JsonProperty("signature") String signature,
+ @JsonProperty("signing-key-version") int signingKeyVersion,
+ @JsonProperty("provider-unique-id") String providerUniqueId,
+ @JsonProperty("dns-suffix") String dnsSuffix,
+ @JsonProperty("provider-service") String providerService,
+ @JsonProperty("zts-endpoint") URI ztsEndpoint,
+ @JsonProperty("document-version") int documentVersion) {
+ this.rawIdentityDocument = rawIdentityDocument;
+ this.identityDocument = parseIdentityDocument(rawIdentityDocument);
+ this.signature = signature;
+ this.signingKeyVersion = signingKeyVersion;
+ this.providerUniqueId = providerUniqueId;
+ this.dnsSuffix = dnsSuffix;
+ this.providerService = providerService;
+ this.ztsEndpoint = ztsEndpoint;
+ this.documentVersion = documentVersion;
+ }
+
+ private static IdentityDocument parseIdentityDocument(String rawIdentityDocument) {
+ try {
+ return mapper.readValue(Base64.getDecoder().decode(rawIdentityDocument), IdentityDocument.class);
+ } catch (IOException e) {
+ throw new UncheckedIOException(e);
+ }
+ }
+
+ private static ObjectMapper createObjectMapper() {
+ ObjectMapper mapper = new ObjectMapper();
+ mapper.registerModule(new JavaTimeModule());
+ return mapper;
+ }
+
+ @Override
+ public String toString() {
+ return "SignedIdentityDocument{" +
+ "rawIdentityDocument='" + rawIdentityDocument + '\'' +
+ ", identityDocument=" + identityDocument +
+ ", signature='" + signature + '\'' +
+ ", signingKeyVersion=" + signingKeyVersion +
+ ", documentVersion=" + documentVersion +
+ '}';
+ }
+
+ @Override
+ public boolean equals(Object o) {
+ if (this == o) return true;
+ if (o == null || getClass() != o.getClass()) return false;
+ SignedIdentityDocument that = (SignedIdentityDocument) o;
+ return signingKeyVersion == that.signingKeyVersion &&
+ documentVersion == that.documentVersion &&
+ Objects.equals(rawIdentityDocument, that.rawIdentityDocument) &&
+ Objects.equals(identityDocument, that.identityDocument) &&
+ Objects.equals(signature, that.signature);
+ }
+
+ @Override
+ public int hashCode() {
+ return Objects.hash(rawIdentityDocument, identityDocument, signature, signingKeyVersion, documentVersion);
+ }
+}
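Review bot: `equals`, `hashCode` and `toString` at L295-L321 omit four of the nine serialized fields (`providerUniqueId`, `dnsSuffix`, `providerService`, `ztsEndpoint`), so two documents that differ only in, say, `ztsEndpoint` compare equal and hash alike; either extend the `equals` conjunction and `Objects.hash(rawIdentityDocument, identityDocument, signature, signingKeyVersion, providerUniqueId, dnsSuffix, providerService, ztsEndpoint, documentVersion)` to cover them, or document on the class why identity is defined by the signed content only. Separately, `parseIdentityDocument` (L281-L287) decodes and deserializes `rawIdentityDocument` in the `@JsonCreator` constructor, i.e. before any check of `signature`, and nothing on this page verifies the signature; a field comment such as `// parsed from rawIdentityDocument; the content is not authenticated until signature is verified over rawIdentityDocument` on L252 would make that contract explicit for consumers, assuming verification lives in the caller. A malformed base64 string surfaces as `IllegalArgumentException` from `Base64.Decoder` while malformed JSON becomes `UncheckedIOException`; consider wrapping both with a message naming the field so deserialization failures are diagnosable. Minor: L251 is missing a space after the annotation.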
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/package-info.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/package-info.java
new file mode 100644
index 00000000000..462cde4a543
--- /dev/null
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/package-info.java
@@ -0,0 +1,8 @@
+// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+/**
+ * @author bjorncs
+ */
+@ExportPackage
+package com.yahoo.vespa.athenz.identityprovider.api.bindings;
+
+import com.yahoo.osgi.annotation.ExportPackage; \ No newline at end of file
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentials.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentials.java
index 8b1efbc7899..e423139d776 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentials.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentials.java
@@ -1,6 +1,8 @@
// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.vespa.athenz.identityprovider.client;
+import com.yahoo.vespa.athenz.identityprovider.api.bindings.SignedIdentityDocument;
+
import java.security.KeyPair;
import java.security.cert.X509Certificate;
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java
index 0b647f6174d..e221ad792b3 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java
@@ -3,6 +3,7 @@ package com.yahoo.vespa.athenz.identityprovider.client;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.yahoo.container.core.identity.IdentityConfig;
+import com.yahoo.vespa.athenz.identityprovider.api.bindings.SignedIdentityDocument;
import com.yahoo.vespa.athenz.tls.KeyAlgorithm;
import com.yahoo.vespa.athenz.tls.KeyUtils;
import com.yahoo.vespa.athenz.tls.Pkcs10Csr;
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/SignedIdentityDocument.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/SignedIdentityDocument.java
deleted file mode 100644
index 6e6a9eaee75..00000000000
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/SignedIdentityDocument.java
+++ /dev/null
@@ -1,33 +0,0 @@
-// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.vespa.athenz.identityprovider.client;
-
-import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
-import com.fasterxml.jackson.annotation.JsonInclude;
-import com.fasterxml.jackson.annotation.JsonProperty;
-
-import java.net.URI;
-
-/**
- * @author bjorncs
- */
-// TODO Most of these value should ideally be config provided by config-model
-@JsonIgnoreProperties(ignoreUnknown = true)
-@JsonInclude(JsonInclude.Include.NON_NULL)
-class SignedIdentityDocument {
- public final String providerUniqueId;
- public final String dnsSuffix;
- public final String providerService;
- public final URI ztsEndpoint;
-
- public SignedIdentityDocument(@JsonProperty("provider-unique-id") String providerUniqueId,
- @JsonProperty("dns-suffix") String dnsSuffix,
- @JsonProperty("provider-service") String providerService,
- @JsonProperty("zts-endpoint") URI ztsEndpoint) {
- this.providerUniqueId = providerUniqueId;
- this.dnsSuffix = dnsSuffix;
- this.providerService = providerService;
- this.ztsEndpoint = ztsEndpoint;
- }
-
-}
-