authorMorten Tokle <mortent@oath.com>2018-04-26 12:37:48 +0200
committerMorten Tokle <mortent@oath.com>2018-04-26 12:37:48 +0200
commit76ac43a8f476d3fd10a994904be6872054a9f223 (patch)
tree1cba130fcb8d2b31e93413f7e3e979948c4eae23 /vespa-athenz
parent965a59df674215cc21cc6036c114ca420835d514 (diff)
Include ipaddress SAN in CSR
Diffstat (limited to 'vespa-athenz')
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/IdentityDocument.java34
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/SignedIdentityDocument.java2
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java16
-rw-r--r--vespa-athenz/src/test/java/com/yahoo/vespa/athenz/api/bindings/IdentityDocumentTest.java34
4 files changed, 72 insertions, 14 deletions
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/IdentityDocument.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/IdentityDocument.java
index 0224761fad8..127a9de16ca 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/IdentityDocument.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/IdentityDocument.java
@@ -1,14 +1,17 @@
// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.vespa.athenz.identityprovider.api.bindings;
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import com.fasterxml.jackson.annotation.JsonProperty;
import java.time.Instant;
import java.util.Objects;
+import java.util.Set;
/**
* @author bjorncs
*/
+@JsonIgnoreProperties(ignoreUnknown = true)
public class IdentityDocument {
@JsonProperty("provider-unique-id")
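Review bot: `@JsonIgnoreProperties(ignoreUnknown = true)` makes the binding silently drop every property it does not know, presumably so that a document carrying fields this consumer has not learned yet is still accepted, but nothing in the class records that intent. A one-line comment above the annotation, `// Tolerate properties added by newer producers so producers and consumers can be upgraded independently`, would tell the next reader why unknown input is dropped rather than rejected. The same uncommented annotation is added to SignedIdentityDocument in the next file. The class body continues outside the hunk.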
@@ -19,41 +22,50 @@ public class IdentityDocument {
public final String instanceHostname;
@JsonProperty("created-at")
public final Instant createdAt;
+ @JsonProperty("ip-addresses")
+ public final Set<String> ipAddresses;
public IdentityDocument(
@JsonProperty("provider-unique-id") ProviderUniqueId providerUniqueId,
@JsonProperty("configserver-hostname") String configServerHostname,
@JsonProperty("instance-hostname") String instanceHostname,
- @JsonProperty("created-at") Instant createdAt) {
+ @JsonProperty("created-at") Instant createdAt,
+ @JsonProperty("ip-addresses") Set<String> ipAddresses) {
this.providerUniqueId = providerUniqueId;
this.configServerHostname = configServerHostname;
this.instanceHostname = instanceHostname;
this.createdAt = createdAt;
+ this.ipAddresses = ipAddresses;
}
+
@Override
public String toString() {
return "IdentityDocument{" +
- "providerUniqueId=" + providerUniqueId +
- ", configServerHostname='" + configServerHostname + '\'' +
- ", instanceHostname='" + instanceHostname + '\'' +
- ", createdAt=" + createdAt +
- '}';
+ "providerUniqueId=" + providerUniqueId +
+ ", configServerHostname='" + configServerHostname + '\'' +
+ ", instanceHostname='" + instanceHostname + '\'' +
+ ", createdAt=" + createdAt +
+ ", ipAddresses=" + ipAddresses +
+ '}';
}
+
@Override
public boolean equals(Object o) {
if (this == o) return true;
if (o == null || getClass() != o.getClass()) return false;
IdentityDocument that = (IdentityDocument) o;
- return Objects.equals(providerUniqueId, that.providerUniqueId) &&
- Objects.equals(configServerHostname, that.configServerHostname) &&
- Objects.equals(instanceHostname, that.instanceHostname) &&
- Objects.equals(createdAt, that.createdAt);
+ return Objects.equals(providerUniqueId, that.providerUniqueId) &&
+ Objects.equals(configServerHostname, that.configServerHostname) &&
+ Objects.equals(instanceHostname, that.instanceHostname) &&
+ Objects.equals(createdAt, that.createdAt) &&
+ Objects.equals(ipAddresses, that.ipAddresses);
}
@Override
public int hashCode() {
- return Objects.hash(providerUniqueId, configServerHostname, instanceHostname, createdAt);
+
+ return Objects.hash(providerUniqueId, configServerHostname, instanceHostname, createdAt, ipAddresses);
}
}
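Review bot: `this.ipAddresses = ipAddresses;` keeps the caller's `Set` by reference in a `public final` field, so the addresses that later become CSR SANs can still be changed by whoever holds the original set after the document is constructed, unlike the other fields, which are immutable values. A defensive copy, `this.ipAddresses = ipAddresses == null ? null : Collections.unmodifiableSet(new HashSet<>(ipAddresses));`, closes that while keeping `null` as-is so the JSON shape of documents without the field does not change (`java.util.Collections` and `java.util.HashSet` would need importing). The blank line inserted before the `return` in `hashCode()` looks accidental. The class header and the remaining fields are above the hunk.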
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/SignedIdentityDocument.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/SignedIdentityDocument.java
index f03fb01c671..6ddbb4af620 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/SignedIdentityDocument.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/SignedIdentityDocument.java
@@ -3,6 +3,7 @@ package com.yahoo.vespa.athenz.identityprovider.api.bindings;
import com.fasterxml.jackson.annotation.JsonCreator;
import com.fasterxml.jackson.annotation.JsonIgnore;
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule;
@@ -16,6 +17,7 @@ import java.util.Objects;
/**
* @author bjorncs
*/
+@JsonIgnoreProperties(ignoreUnknown = true)
public class SignedIdentityDocument {
public static final int DEFAULT_KEY_VERSION = 0;
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java
index e221ad792b3..f355f96124b 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java
@@ -10,6 +10,7 @@ import com.yahoo.vespa.athenz.tls.Pkcs10Csr;
import com.yahoo.vespa.athenz.tls.Pkcs10CsrBuilder;
import com.yahoo.vespa.athenz.tls.Pkcs10CsrUtils;
import com.yahoo.vespa.athenz.tls.SignatureAlgorithm;
+import com.yahoo.vespa.athenz.tls.SubjectAlternativeName;
import javax.security.auth.x500.X500Principal;
import java.io.IOException;
@@ -17,6 +18,9 @@ import java.io.UncheckedIOException;
import java.security.KeyPair;
import java.security.cert.X509Certificate;
import java.time.Clock;
+import java.util.Set;
+
+import static com.yahoo.vespa.athenz.tls.SubjectAlternativeName.Type.IP_ADDRESS;
/**
* @author bjorncs
@@ -48,6 +52,7 @@ class AthenzCredentialsService {
identityConfig.service(),
document.dnsSuffix,
document.providerUniqueId,
+ document.identityDocument.ipAddresses,
keyPair);
InstanceRegisterInformation instanceRegisterInformation =
new InstanceRegisterInformation(document.providerService,
@@ -67,6 +72,7 @@ class AthenzCredentialsService {
identityConfig.service(),
document.dnsSuffix,
document.providerUniqueId,
+ document.identityDocument.ipAddresses,
newKeyPair);
InstanceRefreshInformation refreshInfo = new InstanceRefreshInformation(Pkcs10CsrUtils.toPem(csr));
InstanceIdentity instanceIdentity =
@@ -101,18 +107,22 @@ class AthenzCredentialsService {
String identityService,
String dnsSuffix,
String providerUniqueId,
+ Set<String> ipAddresses,
KeyPair keyPair) {
X500Principal subject = new X500Principal(String.format("CN=%s.%s", identityDomain, identityService));
// Add SAN dnsname <service>.<domain-with-dashes>.<provider-dnsname-suffix>
// and SAN dnsname <provider-unique-instance-id>.instanceid.athenz.<provider-dnsname-suffix>
- return Pkcs10CsrBuilder.fromKeypair(subject, keyPair, SignatureAlgorithm.SHA256_WITH_RSA)
+ Pkcs10CsrBuilder pkcs10CsrBuilder = Pkcs10CsrBuilder.fromKeypair(subject, keyPair, SignatureAlgorithm.SHA256_WITH_RSA)
.addSubjectAlternativeName(String.format("%s.%s.%s",
identityService,
identityDomain.replace(".", "-"),
dnsSuffix))
.addSubjectAlternativeName(String.format("%s.instanceid.athenz.%s",
providerUniqueId,
- dnsSuffix))
- .build();
+ dnsSuffix));
+ if(ipAddresses != null) {
+ ipAddresses.forEach(ipaddress -> pkcs10CsrBuilder.addSubjectAlternativeName(new SubjectAlternativeName(IP_ADDRESS, ipaddress)));
+ }
+ return pkcs10CsrBuilder.build();
}
}
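Review bot: The strings in `ipAddresses` are wrapped as `IP_ADDRESS` SANs without any check that they are address literals, so a malformed or hostname-like entry would only fail when the builder encodes the extension or when the CA rejects the CSR, with no hint of which value from the identity document was at fault. At minimum the contract should be stated, e.g. `// ipAddresses is null for documents that predate the field (presumably older config servers); entries must be IP literals, not hostnames`; rejecting a bad entry here with an `IllegalArgumentException` that names the offending value would make such failures diagnosable. Style: `if(ipAddresses != null)` is missing the space before the parenthesis, and the lambda parameter `ipaddress` should be `ipAddress`. The method's name and its first parameters are above the hunk, as are the two call sites in the earlier hunks that pass `document.identityDocument.ipAddresses`.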
diff --git a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/api/bindings/IdentityDocumentTest.java b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/api/bindings/IdentityDocumentTest.java
new file mode 100644
index 00000000000..cfc6e33b911
--- /dev/null
+++ b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/api/bindings/IdentityDocumentTest.java
@@ -0,0 +1,34 @@
+package com.yahoo.vespa.athenz.api.bindings;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule;
+import com.google.common.collect.ImmutableSet;
+import com.yahoo.vespa.athenz.identityprovider.api.VespaUniqueInstanceId;
+import com.yahoo.vespa.athenz.identityprovider.api.bindings.IdentityDocument;
+import com.yahoo.vespa.athenz.identityprovider.api.bindings.ProviderUniqueId;
+import org.junit.Test;
+
+import java.io.IOException;
+import java.time.Instant;
+
+import static org.junit.Assert.assertEquals;
+
+public class IdentityDocumentTest {
+
+ @Test
+ public void test_serialization_deserialization() throws IOException {
+ IdentityDocument document = new IdentityDocument(
+ ProviderUniqueId.fromVespaUniqueInstanceId(
+ VespaUniqueInstanceId.fromDottedString("1.clusterId.instance.application.tenant.region.environment")),
+ "cfg.prod.xyz",
+ "foo.bar",
+ Instant.now(),
+ ImmutableSet.of("127.0.0.1", "::1"));
+
+ ObjectMapper mapper = new ObjectMapper();
+ mapper.registerModule(new JavaTimeModule());
+ String documentString = mapper.writeValueAsString(document);
+ IdentityDocument deserializedDocument = mapper.readValue(documentString, IdentityDocument.class);
+ assertEquals(document, deserializedDocument);
+ }
+}
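Review bot: The round-trip only covers a document with `ip-addresses` present; the case the production change explicitly guards against, a serialized document without that field, is not exercised, so a second case that reads a JSON string lacking `ip-addresses` and asserts what absence maps to (null, given the constructor and the null check in AthenzCredentialsService) would pin that behaviour. The test is declared in package `com.yahoo.vespa.athenz.api.bindings` while the class under test lives in `com.yahoo.vespa.athenz.identityprovider.api.bindings`; aligning the package would keep the test next to the binding it checks.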