authorBjørn Christian Seime <bjorncs@oath.com>2018-06-07 14:04:00 +0200
committerMorten Tokle <mortent@oath.com>2018-06-11 14:36:50 +0200
commit3430573724c0b9281c75298c4a6a3e976f6ed5cb (patch)
tree4dd40b374ab2390bb6159f6d2d9479f030678478 /vespa-athenz
parent45e49e44fc9f37d95c47047228cb675008e192c4 (diff)
Use dns suffix and zts uri from config
Diffstat (limited to 'vespa-athenz')
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/SignedIdentityDocument.java2
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java4
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java14
3 files changed, 13 insertions, 7 deletions
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/SignedIdentityDocument.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/SignedIdentityDocument.java
index 60be42544c7..7c64d048944 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/SignedIdentityDocument.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/SignedIdentityDocument.java
@@ -74,6 +74,7 @@ public class SignedIdentityDocument {
return providerUniqueId;
}
+ @Deprecated
public String dnsSuffix() {
return dnsSuffix;
}
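Review bot: The `@Deprecated` annotation added above `dnsSuffix()` carries no Javadoc `@deprecated` tag naming the replacement, so a caller seeing the compiler warning has no migration path; the same applies to `ztsEndpoint()` in the next hunk. Because the commit moves both values to `IdentityConfig` (`athenzDnsSuffix()` and `ztsUrl()` as read in AthenzIdentityProviderImpl), add `/** @deprecated Use the corresponding value from {@code IdentityConfig} instead. */` above each annotation. It would also help to state whether the field is still populated and covered by the document signature, since consumers may wish to keep cross-checking it against local configuration during the transition.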
@@ -82,6 +83,7 @@ public class SignedIdentityDocument {
return providerService;
}
+ @Deprecated
public URI ztsEndpoint() {
return ztsEndpoint;
}
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java
index b99001476ea..1136106ce19 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java
@@ -35,6 +35,7 @@ class AthenzCredentialsService {
private final ServiceIdentityProvider nodeIdentityProvider;
private final File trustStoreJks;
private final String hostname;
+ private final InstanceCsrGenerator instanceCsrGenerator;
AthenzCredentialsService(IdentityConfig identityConfig,
ServiceIdentityProvider nodeIdentityProvider,
@@ -44,13 +45,13 @@ class AthenzCredentialsService {
this.nodeIdentityProvider = nodeIdentityProvider;
this.trustStoreJks = trustStoreJks;
this.hostname = hostname;
+ this.instanceCsrGenerator = new InstanceCsrGenerator(identityConfig.athenzDnsSuffix());
}
AthenzCredentials registerInstance() {
KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.RSA);
IdentityDocumentClient identityDocumentClient = createIdentityDocumentClient(identityConfig, nodeIdentityProvider);
SignedIdentityDocument document = identityDocumentClient.getTenantIdentityDocument(hostname);
- InstanceCsrGenerator instanceCsrGenerator = new InstanceCsrGenerator(document.dnsSuffix());
AthenzService tenantIdentity = new AthenzService(identityConfig.domain(), identityConfig.service());
Pkcs10Csr csr = instanceCsrGenerator.generateCsr(
tenantIdentity,
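Review bot: The DNS suffix handed to `InstanceCsrGenerator` now comes from local `identityConfig.athenzDnsSuffix()`, while `document.dnsSuffix()`, which is part of the provider-signed identity document, is no longer read at all; if the two disagree (presumably the suffix ends up in the CSR's DNS names, though the generator is not visible here), the mismatch would only surface as an opaque rejection at registration rather than as a clear local error. Since `document` is still fetched two lines above, a cheap transition check is `if (!document.dnsSuffix().equals(identityConfig.athenzDnsSuffix())) throw new IllegalStateException("dns suffix mismatch: config=" + identityConfig.athenzDnsSuffix() + ", document=" + document.dnsSuffix());`, or a warning log if a hard failure is undesirable during rollout. The same concern applies to `config.ztsUrl()` versus `document.ztsEndpoint()` in the AthenzIdentityProviderImpl constructor hunk. The constructor that now initialises `instanceCsrGenerator` begins outside this hunk.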
@@ -75,7 +76,6 @@ class AthenzCredentialsService {
AthenzCredentials updateCredentials(SignedIdentityDocument document, SSLContext sslContext) {
AthenzService tenantIdentity = new AthenzService(identityConfig.domain(), identityConfig.service());
KeyPair newKeyPair = KeyUtils.generateKeypair(KeyAlgorithm.RSA);
- InstanceCsrGenerator instanceCsrGenerator = new InstanceCsrGenerator(document.dnsSuffix());
Pkcs10Csr csr = instanceCsrGenerator.generateCsr(
tenantIdentity,
document.providerUniqueId(),
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java
index 3dc883f347f..ce0743021ff 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java
@@ -24,6 +24,7 @@ import com.yahoo.vespa.defaults.Defaults;
import javax.net.ssl.SSLContext;
import java.io.File;
+import java.net.URI;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.time.Clock;
@@ -57,11 +58,12 @@ public final class AthenzIdentityProviderImpl extends AbstractComponent implemen
private final Clock clock;
private final AthenzService identity;
private final ServiceIdentityProviderListenerHelper listenerHelper;
+ private final String dnsSuffix;
+ private final URI ztsEndpoint;
private final LoadingCache<AthenzRole, SSLContext> roleSslContextCache;
private final static Duration roleSslContextExpiry = Duration.ofHours(24);
- // TODO IdentityConfig should contain ZTS uri and dns suffix
@Inject
public AthenzIdentityProviderImpl(IdentityConfig config, Metric metric) {
this(config,
@@ -87,6 +89,8 @@ public final class AthenzIdentityProviderImpl extends AbstractComponent implemen
this.clock = clock;
this.identity = new AthenzService(config.domain(), config.service());
this.listenerHelper = new ServiceIdentityProviderListenerHelper(this.identity);
+ this.dnsSuffix = config.athenzDnsSuffix();
+ this.ztsEndpoint = URI.create(config.ztsUrl());
registerInstance();
roleSslContextCache = CacheBuilder.newBuilder()
.refreshAfterWrite(roleSslContextExpiry.dividedBy(2).toMinutes(), TimeUnit.MINUTES)
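Review bot: `URI.create(config.ztsUrl())` accepts any syntactically valid URI, so a configured value with a non-https scheme or a mistyped path is adopted as the ZTS endpoint without complaint, and the later hunks show role certificates and role tokens being fetched from this endpoint with `credentials.getIdentitySslContext()`; whether the client would actually honour a non-TLS scheme is not visible here, but pinning it at construction is cheap. Consider `if (!"https".equals(ztsEndpoint.getScheme())) throw new IllegalArgumentException("ztsUrl must use https: " + config.ztsUrl());` immediately after the assignment; `URI.create` already throws `IllegalArgumentException` for unparseable input, so the failure mode stays consistent and occurs before `registerInstance()` runs. The constructor whose body this hunk modifies begins outside the hunk.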
@@ -153,8 +157,8 @@ public final class AthenzIdentityProviderImpl extends AbstractComponent implemen
PrivateKey privateKey = credentials.getKeyPair().getPrivate();
X509Certificate roleCertificate = ztsClient.getRoleCertificate(
role,
- credentials.getIdentityDocument().dnsSuffix(),
- credentials.getIdentityDocument().ztsEndpoint(),
+ dnsSuffix,
+ ztsEndpoint,
identity,
privateKey,
credentials.getIdentitySslContext());
@@ -169,7 +173,7 @@ public final class AthenzIdentityProviderImpl extends AbstractComponent implemen
return ztsClient
.getRoleToken(
new AthenzDomain(domain),
- credentials.getIdentityDocument().ztsEndpoint(),
+ ztsEndpoint,
credentials.getIdentitySslContext())
.getRawToken();
}
@@ -180,7 +184,7 @@ public final class AthenzIdentityProviderImpl extends AbstractComponent implemen
.getRoleToken(
new AthenzDomain(domain),
role,
- credentials.getIdentityDocument().ztsEndpoint(),
+ ztsEndpoint,
credentials.getIdentitySslContext())
.getRawToken();
}