authorValerij Fredriksen <valerijf@yahooinc.com>2022-05-18 09:52:22 +0200
committerValerij Fredriksen <valerijf@yahooinc.com>2022-05-18 10:00:05 +0200
commite1146608d64d0ec5798f35670d85147d4f3cb9a4 (patch)
tree52045275ed6930abb658bcd3f59cae44977d37c8 /vespa-athenz
parentfa46c60b0203b0d8b869a338f497662b8f03444f (diff)
ZmsClient: Add method to update service public key
Diffstat (limited to 'vespa-athenz')
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java16
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java3
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/bindings/ServicePublicKeyEntity.java32
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java8
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzIdentityVerifier.java2
5 files changed, 55 insertions, 6 deletions
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java
index 8ffb9331ddb..a4045016b78 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java
@@ -1,6 +1,8 @@
// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.vespa.athenz.client.zms;
+import com.yahoo.athenz.auth.util.Crypto;
+import com.yahoo.security.KeyUtils;
import com.yahoo.vespa.athenz.api.AthenzAssertion;
import com.yahoo.vespa.athenz.api.AthenzDomain;
import com.yahoo.vespa.athenz.api.AthenzGroup;
@@ -23,6 +25,7 @@ import com.yahoo.vespa.athenz.client.zms.bindings.ResponseListEntity;
import com.yahoo.vespa.athenz.client.zms.bindings.RoleEntity;
import com.yahoo.vespa.athenz.client.zms.bindings.ServiceEntity;
import com.yahoo.vespa.athenz.client.zms.bindings.ServiceListResponseEntity;
+import com.yahoo.vespa.athenz.client.zms.bindings.ServicePublicKeyEntity;
import com.yahoo.vespa.athenz.client.zms.bindings.StatisticsEntity;
import com.yahoo.vespa.athenz.client.zms.bindings.TenancyRequestEntity;
import com.yahoo.vespa.athenz.identity.ServiceIdentityProvider;
@@ -35,6 +38,7 @@ import org.apache.http.message.BasicHeader;
import javax.net.ssl.SSLContext;
import java.net.URI;
+import java.security.PublicKey;
import java.time.Instant;
import java.util.Collections;
import java.util.HashMap;
@@ -356,6 +360,18 @@ public class DefaultZmsClient extends ClientBase implements ZmsClient {
}
@Override
+ public void updateServicePublicKey(AthenzService athenzService, String publicKeyId, PublicKey publicKey) {
+ URI uri = zmsUrl.resolve(String.format("domain/%s/service/%s/publickey/%s",
+ athenzService.getDomainName(), athenzService.getName(), publicKeyId));
+
+ ServicePublicKeyEntity entity = new ServicePublicKeyEntity(publicKeyId, Crypto.ybase64EncodeString(KeyUtils.toPem(publicKey)));
+ HttpUriRequest request = RequestBuilder.put(uri)
+ .setEntity(toJsonStringEntity(entity))
+ .build();
+ execute(request, response -> readEntity(response, Void.class));
+ }
+
+ @Override
public void deleteService(AthenzService athenzService) {
URI uri = zmsUrl.resolve(String.format("domain/%s/service/%s", athenzService.getDomainName(), athenzService.getName()));
execute(RequestBuilder.delete(uri).build(), response -> readEntity(response, Void.class));
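Review bot: `publicKeyId` is interpolated into the request path unencoded at the `String.format` call in `updateServicePublicKey`, so an id containing `/`, `?` or `#` changes which ZMS resource the PUT addresses. `deleteService` below formats its path the same way, but its components come from `AthenzService`, whereas the key id is a free-form string supplied by the caller. A guard at the top of the method would close that gap, for example `if (!publicKeyId.matches("[A-Za-z0-9._-]+")) throw new IllegalArgumentException("Invalid public key id: " + publicKeyId);` (constructed pattern — align it with the id syntax ZMS actually accepts). A short comment on the `ServicePublicKeyEntity` line saying that the key is sent as ybase64 of its PEM form would also help, since that encoding choice is not recoverable from the interface.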
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java
index 80a0ddff204..e15af58cb76 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java
@@ -12,6 +12,7 @@ import com.yahoo.vespa.athenz.api.AthenzService;
import com.yahoo.vespa.athenz.api.OAuthCredentials;
import java.io.Closeable;
+import java.security.PublicKey;
import java.time.Instant;
import java.util.List;
import java.util.Map;
@@ -70,6 +71,8 @@ public interface ZmsClient extends Closeable {
void createOrUpdateService(AthenzService athenzService);
+ void updateServicePublicKey(AthenzService athenzService, String publicKeyId, PublicKey publicKey);
+
void deleteService(AthenzService athenzService);
void createRole(AthenzRole role, Map<String, Object> properties);
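Review bot: The new `updateServicePublicKey` declaration carries no Javadoc, and its name suggests an existing key must already be registered, while the implementation in this commit issues a PUT to `domain/{domain}/service/{service}/publickey/{id}`, which presumably also registers the key when the id is new. The neighbouring declarations lack Javadoc too, but this one introduces an encoding contract callers cannot see from the signature. Document it on the interface, e.g. `/** Registers or replaces the public key with the given id for the service; the key is PEM-encoded by the client before it is sent to ZMS. */`, or rename it to `createOrUpdateServicePublicKey` to match `createOrUpdateService` above if it does create.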
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/bindings/ServicePublicKeyEntity.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/bindings/ServicePublicKeyEntity.java
new file mode 100644
index 00000000000..4767b584661
--- /dev/null
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/bindings/ServicePublicKeyEntity.java
@@ -0,0 +1,32 @@
+// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.athenz.client.zms.bindings;
+
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonGetter;
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+/**
+ * @author freva
+ */
+@JsonIgnoreProperties(ignoreUnknown = true)
+public class ServicePublicKeyEntity {
+ public final String id;
+ public final String key;
+
+ @JsonCreator
+ public ServicePublicKeyEntity(@JsonProperty("id") String id, @JsonProperty("key") String key) {
+ this.id = id;
+ this.key = key;
+ }
+
+ @JsonGetter("id")
+ public String name() {
+ return id;
+ }
+
+ @JsonGetter("key")
+ public String key() {
+ return key;
+ }
+}
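Review bot: `name()` is annotated `@JsonGetter("id")` and returns `id`, so the method name disagrees with both the field and the JSON property it exposes; `id()` would match `key()` directly below it. With Jackson's default visibility the public final fields already serialize as `id` and `key`, so the two getters appear redundant — if they are kept deliberately, a one-line comment saying why would stop the next reader from removing them. The class Javadoc holds only `@author`; a summary such as `/** JSON binding for a ZMS service public-key entry, as sent with PUT domain/{domain}/service/{service}/publickey/{id}. */` would say what the type maps.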
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java
index 0c73891bdae..13a61d65d78 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java
@@ -38,7 +38,6 @@ import java.security.KeyPair;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.util.List;
-import java.util.Objects;
import java.util.Optional;
import java.util.function.Supplier;
import java.util.stream.Collectors;
@@ -230,7 +229,7 @@ public class DefaultZtsClient extends ClientBase implements ZtsClient {
return URI.create(ztsUrl.toString() + '/');
}
public static class Builder {
- private URI ztsUrl;
+ private final URI ztsUrl;
private ErrorHandler errorHandler = ErrorHandler.empty();
private HostnameVerifier hostnameVerifier = null;
private Supplier<SSLContext> sslContextSupplier = null;
@@ -260,9 +259,8 @@ public class DefaultZtsClient extends ClientBase implements ZtsClient {
}
public DefaultZtsClient build() {
- if (Objects.isNull(sslContextSupplier)) {
- throw new IllegalArgumentException("No ssl context or identity provider available to set up zts client");
- }
+ if (sslContextSupplier == null)
+ throw new IllegalArgumentException("No SSL context or identity provider available to set up ZTS client");
return new DefaultZtsClient(ztsUrl, sslContextSupplier, hostnameVerifier, errorHandler);
}
}
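Review bot: The rewritten check in `build()` throws `IllegalArgumentException` when the builder was never given an SSL context or identity provider, which is a problem with the builder's state rather than with an argument to `build()`; `IllegalStateException` fits better, `throw new IllegalStateException("No SSL context or identity provider available to set up ZTS client");`, provided no caller relies on the current type. The new two-line `if` also drops the braces the old code had, which is easy to trip over when a second statement is added later; the braced form is the safer shape. `Builder` continues outside the hunk.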
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzIdentityVerifier.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzIdentityVerifier.java
index e440d79a159..bc50bcb2bb6 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzIdentityVerifier.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzIdentityVerifier.java
@@ -24,7 +24,7 @@ public class AthenzIdentityVerifier implements HostnameVerifier {
private final Set<AthenzIdentity> allowedIdentities;
public AthenzIdentityVerifier(Set<AthenzIdentity> allowedIdentities) {
- this.allowedIdentities = allowedIdentities;
+ this.allowedIdentities = Set.copyOf(allowedIdentities);
}
@Override