author | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2019-08-26 15:15:53 +0200 |
committer | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2019-08-26 15:15:53 +0200 |
commit | aca45ba95c5fb0b7d9c1fe89ee3a866ff65c76ac (patch) | |
tree | 457edb12eda58d61feab5812fe4ebed72763b6e9 /vespa-athenz | |
parent | f49fbf259ea28bf3025580f875885762f12dc651 (diff) |
Include instance hostname in Athenz node certificates
Diffstat (limited to 'vespa-athenz')
7 files changed, 24 insertions, 4 deletions
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java
index 7116bf72ec4..13150158dad 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java
@@ -67,9 +67,10 @@ public class DefaultZtsClient extends ClientBase implements ZtsClient {
 public InstanceIdentity registerInstance(AthenzIdentity providerIdentity,
 AthenzIdentity instanceIdentity,
 String attestationData,
+ String hostname,
 Pkcs10Csr csr) {
 InstanceRegisterInformation payload =
- new InstanceRegisterInformation(providerIdentity, instanceIdentity, attestationData, csr);
+ new InstanceRegisterInformation(providerIdentity, instanceIdentity, attestationData, hostname, csr);
 HttpUriRequest request = RequestBuilder.post()
 .setUri(ztsUrl.resolve("instance/"))
 .setEntity(toJsonStringEntity(payload))
@@ -81,8 +82,9 @@ public class DefaultZtsClient extends ClientBase implements ZtsClient {
 public InstanceIdentity refreshInstance(AthenzIdentity providerIdentity,
 AthenzIdentity instanceIdentity,
 String instanceId,
+ String hostname,
 Pkcs10Csr csr) {
- InstanceRefreshInformation payload = new InstanceRefreshInformation(csr);
+ InstanceRefreshInformation payload = new InstanceRefreshInformation(csr, hostname);
 URI uri = ztsUrl.resolve(
 String.format("instance/%s/%s/%s/%s",
 providerIdentity.getFullName(),
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClient.java
index c09ad8f48a0..4f44dba4864 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClient.java
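Review bot: The parameter order of `registerInstance` in DefaultZtsClient (`String attestationData, String hostname`) is the reverse of what the ZtsClient interface declares in this same commit (`String hostname, String attestationData`); both are String so the override compiles, but the call in AthenzCredentialsService passes `/*hostname*/null` followed by the attestation data in the interface's order, so at runtime the implementation receives attestationData as null and the attestation data as hostname, and InstanceRegisterInformation is built with the two fields swapped. Either order works as long as interface and implementation agree; the smallest fix is to move the added line in DefaultZtsClient ahead of the existing one, i.e. `String hostname,` then `String attestationData,`, and to add a `@param hostname` line to the interface's Javadoc stating that null presumably means no hostname SAN, as the caller's comment suggests. The `refreshInstance` hunk below already matches the interface's order, but see the note on its call site in AthenzCredentialsService.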
@@ -29,6 +29,7 @@ public interface ZtsClient extends AutoCloseable {
 */
 InstanceIdentity registerInstance(AthenzIdentity providerIdentity,
 AthenzIdentity instanceIdentity,
+ String hostname,
 String attestationData,
 Pkcs10Csr csr);
 
@@ -40,6 +41,7 @@ public interface ZtsClient extends AutoCloseable {
 InstanceIdentity refreshInstance(AthenzIdentity providerIdentity,
 AthenzIdentity instanceIdentity,
 String instanceId,
+ String hostname,
 Pkcs10Csr csr);
 
 /**
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/bindings/InstanceRefreshInformation.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/bindings/InstanceRefreshInformation.java
index f6c359c09a8..5d101ed31e6 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/bindings/InstanceRefreshInformation.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/bindings/InstanceRefreshInformation.java
@@ -18,8 +18,11 @@ public class InstanceRefreshInformation {
 @JsonProperty("csr")
 @JsonSerialize(using = Pkcs10CsrSerializer.class)
 private final Pkcs10Csr csr;
+ @JsonProperty("hostname")
+ private final String hostname;
 
- public InstanceRefreshInformation(Pkcs10Csr csr) {
+ public InstanceRefreshInformation(Pkcs10Csr csr, String hostname) {
 this.csr = csr;
+ this.hostname = hostname;
 }
 }
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/bindings/InstanceRegisterInformation.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/bindings/InstanceRegisterInformation.java
index cd272ccf685..c5175f19b44 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/bindings/InstanceRegisterInformation.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/bindings/InstanceRegisterInformation.java
@@ -25,17 +25,21 @@ public class InstanceRegisterInformation {
 private final String service;
 @JsonProperty("attestationData")
 private final String attestationData;
+ @JsonProperty("hostname")
+ private final String hostname;
 @JsonProperty("csr")
 private final String csr;
 
 public InstanceRegisterInformation(AthenzIdentity providerIdentity,
 AthenzIdentity instanceIdentity,
 String attestationData,
+ String hostname,
 Pkcs10Csr csr) {
 this.provider = providerIdentity.getFullName();
 this.domain = instanceIdentity.getDomain().getName();
 this.service = instanceIdentity.getName();
 this.attestationData = attestationData;
 this.csr = Pkcs10CsrUtils.toPem(csr);
+ this.hostname = hostname;
 }
 }
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java
index eccf1088cce..8e0bdb9b19c 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java
@@ -75,6 +75,7 @@ class AthenzCredentialsService {
 Pkcs10Csr csr = csrGenerator.generateInstanceCsr(
 tenantIdentity,
 document.providerUniqueId(),
+ /*hostname*/null, // no hostname in tenant certificates
 document.ipAddresses(),
 keyPair);
 
@@ -83,6 +84,7 @@ class AthenzCredentialsService {
 ztsClient.registerInstance(
 configserverIdentity,
 tenantIdentity,
+ /*hostname*/null,
 EntityBindingsMapper.toAttestationData(document),
 csr);
 X509Certificate certificate = instanceIdentity.certificate();
@@ -96,6 +98,7 @@ class AthenzCredentialsService {
 Pkcs10Csr csr = csrGenerator.generateInstanceCsr(
 tenantIdentity,
 document.providerUniqueId(),
+ /*hostname*/null, // no hostname in tenant certificates
 document.ipAddresses(),
 newKeyPair);
 
@@ -104,6 +107,7 @@ class AthenzCredentialsService { ztsClient.refreshInstance( configserverIdentity, tenantIdentity, + /*hostname*/null, document.providerUniqueId().asDottedString(), csr); X509Certificate certificate = instanceIdentity.certificate(); diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/CsrGenerator.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/CsrGenerator.java index f73a52b373b..dff753b9126 100644 --- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/CsrGenerator.java +++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/CsrGenerator.java @@ -34,11 +34,13 @@ public class CsrGenerator { public Pkcs10Csr generateInstanceCsr(AthenzIdentity instanceIdentity, VespaUniqueInstanceId instanceId, + String hostname, Set<String> ipAddresses, KeyPair keyPair) { X500Principal subject = new X500Principal(String.format("OU=%s, CN=%s", providerService, instanceIdentity.getFullName())); // Add SAN dnsname <service>.<domain-with-dashes>.<provider-dnsname-suffix> // and SAN dnsname <provider-unique-instance-id>.instanceid.athenz.<provider-dnsname-suffix> + // and SAN dnsname <hostname> (note: ZTS will verify that there is a DNS A record with hostname having the remote ip) Pkcs10CsrBuilder pkcs10CsrBuilder = Pkcs10CsrBuilder.fromKeypair(subject, keyPair, SHA256_WITH_RSA) .addSubjectAlternativeName( DNS_NAME, @@ -48,6 +50,9 @@ public class CsrGenerator { instanceIdentity.getDomainName().replace(".", "-"), dnsSuffix)) .addSubjectAlternativeName(DNS_NAME, getIdentitySAN(instanceId)); + if (hostname != null) { + pkcs10CsrBuilder.addSubjectAlternativeName(DNS_NAME, hostname); + } ipAddresses.forEach(ip -> pkcs10CsrBuilder.addSubjectAlternativeName(new SubjectAlternativeName(IP_ADDRESS, ip))); return pkcs10CsrBuilder.build(); } 
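Review bot: The `refreshInstance` call passes `/*hostname*/null` before `document.providerUniqueId().asDottedString()`, but the ZtsClient interface in this commit declares `String instanceId` before `String hostname`, and DefaultZtsClient.refreshInstance follows that order; so the dotted instance id is sent as the hostname in InstanceRefreshInformation and instanceId arrives as null, which presumably ends up as the literal text null in the `String.format("instance/%s/%s/%s/%s", ...)` URI path (the remaining format arguments are outside the hunk). Swap the two lines so the call reads `document.providerUniqueId().asDottedString(),` then `/*hostname*/null,`. The enclosing method starts outside the hunk.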
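Review bot: The `hostname != null` guard added in the second CsrGenerator hunk lets an empty string through as a DNS SAN, which the new comment says ZTS will then try to verify against a DNS A record; `if (hostname != null && !hostname.isEmpty())` treats both sentinel values as "no hostname". generateInstanceCsr also gained an optional parameter with no Javadoc; a `@param hostname the instance's hostname to add as a DNS SAN, or null to add none` line on the method would document the contract the caller in AthenzCredentialsService relies on. The method's signature is in the preceding hunk and its body spans both.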
diff --git a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/InstanceCsrGeneratorTest.java b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/InstanceCsrGeneratorTest.java index 8b6d2f06777..3b2129821a3 100644 --- a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/InstanceCsrGeneratorTest.java +++ b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/InstanceCsrGeneratorTest.java @@ -31,7 +31,7 @@ public class InstanceCsrGeneratorTest { VespaUniqueInstanceId vespaUniqueInstanceId = VespaUniqueInstanceId.fromDottedString("0.default.default.foo-app.vespa.us-north-1.prod.node"); KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.RSA); - Pkcs10Csr csr = csrGenerator.generateInstanceCsr(service, vespaUniqueInstanceId, Collections.emptySet(), keyPair); + Pkcs10Csr csr = csrGenerator.generateInstanceCsr(service, vespaUniqueInstanceId, "myhostname", Collections.emptySet(), keyPair); assertEquals(new X500Principal(String.format("OU=%s, CN=%s", PROVIDER_SERVICE, ATHENZ_SERVICE)), csr.getSubject()); } } |
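Review bot: The test now passes "myhostname" to the new parameter but still asserts only the subject, so the new hostname SAN branch in CsrGenerator is exercised without being checked. Add an assertion that the generated CSR's subject alternative names contain a DNS name equal to "myhostname", and a second case passing null that asserts no such SAN is present, since null is the value the production caller in AthenzCredentialsService uses. The enclosing test method starts outside the hunk.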