Fix credentials paths for hosted

3 files changed, 49 insertions, 11 deletions

diff --git a/vespa-osgi-testrunner/pom.xml b/vespa-osgi-testrunner/pom.xml
index d89fbe1cf89..09ee87b6294 100644
--- a/vespa-osgi-testrunner/pom.xml
+++ b/vespa-osgi-testrunner/pom.xml
@@ -100,6 +100,12 @@
             <scope>provided</scope>
         </dependency>
         <dependency>
+            <groupId>com.yahoo.vespa</groupId>
+            <artifactId>vespa-athenz</artifactId>
+            <version>${project.version}</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
             <groupId>org.apache.felix</groupId>
             <artifactId>org.apache.felix.framework</artifactId>
             <scope>provided</scope>
diff --git a/vespa-osgi-testrunner/src/main/java/com/yahoo/vespa/testrunner/VespaCliTestRunner.java b/vespa-osgi-testrunner/src/main/java/com/yahoo/vespa/testrunner/VespaCliTestRunner.java
index cf2a1700f28..e30931057f2 100644
--- a/vespa-osgi-testrunner/src/main/java/com/yahoo/vespa/testrunner/VespaCliTestRunner.java
+++ b/vespa-osgi-testrunner/src/main/java/com/yahoo/vespa/testrunner/VespaCliTestRunner.java
@@ -6,6 +6,8 @@ import com.yahoo.component.annotation.Inject;
 import com.yahoo.slime.Cursor;
 import com.yahoo.slime.Slime;
 import com.yahoo.slime.SlimeUtils;
+import com.yahoo.vespa.athenz.api.AthenzIdentity;
+import com.yahoo.vespa.athenz.utils.SiaUtils;
 import com.yahoo.vespa.defaults.Defaults;
 
 import java.io.BufferedReader;
@@ -15,6 +17,7 @@ import java.io.UncheckedIOException;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.util.Collection;
+import java.util.List;
 import java.util.Optional;
 import java.util.SortedMap;
 import java.util.concurrent.CompletableFuture;
@@ -23,6 +26,7 @@ import java.util.concurrent.atomic.AtomicReference;
 import java.util.logging.Level;
 import java.util.logging.LogRecord;
 import java.util.logging.Logger;
+import java.util.stream.Collectors;
 import java.util.stream.Stream;
 
 import static com.yahoo.vespa.testrunner.TestRunner.Status.ERROR;
@@ -44,17 +48,19 @@ public class VespaCliTestRunner implements TestRunner {
     private final Path artifactsPath;
     private final Path testsPath;
     private final AtomicReference<Status> status = new AtomicReference<>(Status.NOT_STARTED);
+    private final Path vespaHome;
 
     private Path vespaCliRoot = null;
 
     @Inject
     public VespaCliTestRunner(VespaCliTestRunnerConfig config) {
-        this(config.artifactsPath(), config.testsPath());
+        this(config.artifactsPath(), config.testsPath(), Path.of(Defaults.getDefaults().vespaHome()));
     }
 
-    VespaCliTestRunner(Path artifactsPath, Path testsPath) {
+    VespaCliTestRunner(Path artifactsPath, Path testsPath, Path vespaHome) {
         this.artifactsPath = artifactsPath;
         this.testsPath = testsPath;
+        this.vespaHome = vespaHome;
     }
 
     @Override
@@ -126,14 +132,35 @@ public class VespaCliTestRunner implements TestRunner {
         builder.environment().put("VESPA_CLI_HOME", ensureDirectoryForVespaCli("cli-home").toString());
         builder.environment().put("VESPA_CLI_CACHE_DIR", ensureDirectoryForVespaCli("cli-cache").toString());
         builder.environment().put("VESPA_CLI_ENDPOINTS", toEndpointsConfig(config));
-        Path certRoot = certificateRoot(config);
-        builder.environment().put("VESPA_CLI_DATA_PLANE_KEY_FILE", certRoot.resolve("key").toAbsolutePath().toString());
-        builder.environment().put("VESPA_CLI_DATA_PLANE_CERT_FILE", certRoot.resolve("cert").toAbsolutePath().toString());
+        Credentials credentials = getCredentials(config);
+        builder.environment().put("VESPA_CLI_DATA_PLANE_KEY_FILE", credentials.privateKeyFile().toString());
+        builder.environment().put("VESPA_CLI_DATA_PLANE_CERT_FILE", credentials.certificateFile().toString());
         return builder;
     }
 
-    private Path certificateRoot(TestConfig config) {
-        return config.system().isPublic() ? artifactsPath : Path.of(Defaults.getDefaults().underVespaHome("var/vespa/sia"));
+    private record Credentials(Path privateKeyFile, Path certificateFile) {}
+
+    private Credentials getCredentials(TestConfig config) {
+        final Path privateKeyFile;
+        final Path certificateFile;
+        if (config.system().isPublic()) {
+            privateKeyFile = artifactsPath.resolve("key");
+            certificateFile = artifactsPath.resolve("cert");
+        } else {
+            Path siaRoot = vespaHome.resolve("var/vespa/sia");
+            List<AthenzIdentity> services = SiaUtils.findSiaServices(siaRoot);
+            if (services.isEmpty()) {
+                throw new IllegalArgumentException("No service credentials in " + siaRoot + ". Application has no " +
+                                                   "Athenz service, and may not access read / write protected resources");
+            }
+            if (services.size() > 1) {
+                throw new IllegalStateException("More than one set of service credentials in " + siaRoot + ":\n"
+                                                + services.stream().map(AthenzIdentity::getFullName).collect(Collectors.joining("\n")));
+            }
+            privateKeyFile = SiaUtils.getPrivateKeyFile(siaRoot, services.get(0));
+            certificateFile = SiaUtils.getCertificateFile(siaRoot, services.get(0));
+        }
+        return new Credentials(privateKeyFile.toAbsolutePath(), certificateFile.toAbsolutePath());
     }
 
     private static String toSuiteDirectoryName(Suite suite) {
diff --git a/vespa-osgi-testrunner/src/test/java/com/yahoo/vespa/testrunner/VespaCliTestRunnerTest.java b/vespa-osgi-testrunner/src/test/java/com/yahoo/vespa/testrunner/VespaCliTestRunnerTest.java
index 288442eaf7d..a3e6203f645 100644
--- a/vespa-osgi-testrunner/src/test/java/com/yahoo/vespa/testrunner/VespaCliTestRunnerTest.java
+++ b/vespa-osgi-testrunner/src/test/java/com/yahoo/vespa/testrunner/VespaCliTestRunnerTest.java
@@ -26,7 +26,7 @@ class VespaCliTestRunnerTest {
         temp.toFile().deleteOnExit();
         Path tests = Files.createDirectory(temp.resolve("tests"));
         Path artifacts = Files.createDirectory(temp.resolve("artifacts"));
-        VespaCliTestRunner runner = new VespaCliTestRunner(artifacts, tests);
+        VespaCliTestRunner runner = new VespaCliTestRunner(artifacts, tests, Files.createDirectory(temp.resolve("vespa")));
 
         Path systemTests = Files.createDirectory(tests.resolve("system-test"));
         TestConfig testConfig = testConfig(SystemName.PublicCd);
@@ -57,7 +57,12 @@ class VespaCliTestRunnerTest {
         temp.toFile().deleteOnExit();
         Path tests = Files.createDirectory(temp.resolve("tests"));
         Path artifacts = Files.createDirectory(temp.resolve("artifacts"));
-        VespaCliTestRunner runner = new VespaCliTestRunner(artifacts, tests);
+        Path vespaHome = Files.createDirectory(temp.resolve("vespa"));
+        Path keyFile = vespaHome.resolve("var/vespa/sia/keys/my.domain.foo.key.pem");
+        Path certFile = vespaHome.resolve("var/vespa/sia/certs/my.domain.foo.cert.pem");
+        Files.createDirectories(keyFile.getParent());
+        Files.createFile(keyFile);
+        VespaCliTestRunner runner = new VespaCliTestRunner(artifacts, tests, vespaHome);
 
         Path systemTests = Files.createDirectory(tests.resolve("system-test"));
         TestConfig testConfig = testConfig(SystemName.cd);
@@ -76,9 +81,9 @@ class VespaCliTestRunnerTest {
         assertEquals("cd", builder.environment().get("VESPA_CLI_CLOUD_SYSTEM"));
         assertEquals("{\"endpoints\":[{\"cluster\":\"default\",\"url\":\"https://dev.endpoint:443/\"}]}",
                      builder.environment().get("VESPA_CLI_ENDPOINTS"));
-        assertEquals("/opt/vespa/var/vespa/sia/key",
+        assertEquals(keyFile.toString(),
                      builder.environment().get("VESPA_CLI_DATA_PLANE_KEY_FILE"));
-        assertEquals("/opt/vespa/var/vespa/sia/cert",
+        assertEquals(certFile.toString(),
                      builder.environment().get("VESPA_CLI_DATA_PLANE_CERT_FILE"));
     }