6 files changed, 61 insertions, 6 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java index 0415b33b29d..53e2592e0a6 100644 --- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java +++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java @@ -17,6 +17,7 @@ import com.yahoo.vespa.athenz.client.zms.ZmsClient; import com.yahoo.vespa.athenz.client.zms.ZmsClientException; import com.yahoo.vespa.hosted.controller.api.identifiers.ApplicationId; +import java.security.PublicKey; import java.time.Instant; import java.util.ArrayList; import java.util.HashSet; @@ -224,6 +225,11 @@ public class ZmsClientMock implements ZmsClient { } @Override + public void updateServicePublicKey(AthenzService athenzService, String publicKeyId, PublicKey publicKey) { + + } + + @Override public void deleteService(AthenzService athenzService) { athenz.getOrCreateDomain(athenzService.getDomain()).services.remove(athenzService.getName()); } diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java index 8ffb9331ddb..a4045016b78 100644 --- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java +++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java @@ -1,6 +1,8 @@ // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. package com.yahoo.vespa.athenz.client.zms; +import com.yahoo.athenz.auth.util.Crypto; +import com.yahoo.security.KeyUtils; import com.yahoo.vespa.athenz.api.AthenzAssertion; import com.yahoo.vespa.athenz.api.AthenzDomain; import com.yahoo.vespa.athenz.api.AthenzGroup; 
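Review bot: The mock's `updateServicePublicKey` body is empty, so a controller test can call it for any service or key and observe nothing, while `deleteService` directly below it mutates `athenz.getOrCreateDomain(...).services`. If the mock's service model has somewhere to hold keys (not visible in this hunk), store the key under `publicKeyId` there; otherwise at least record the (service, key id) pair in a field tests can inspect, or throw when the service is absent, which is presumably what the real ZMS does for an unknown service (confirm). As written, a regression where the controller stops uploading keys would not be caught by anything that goes through this mock. The enclosing class ZmsClientMock continues outside the hunk.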
@@ -23,6 +25,7 @@ import com.yahoo.vespa.athenz.client.zms.bindings.ResponseListEntity; import com.yahoo.vespa.athenz.client.zms.bindings.RoleEntity; import com.yahoo.vespa.athenz.client.zms.bindings.ServiceEntity; import com.yahoo.vespa.athenz.client.zms.bindings.ServiceListResponseEntity; +import com.yahoo.vespa.athenz.client.zms.bindings.ServicePublicKeyEntity; import com.yahoo.vespa.athenz.client.zms.bindings.StatisticsEntity; import com.yahoo.vespa.athenz.client.zms.bindings.TenancyRequestEntity; import com.yahoo.vespa.athenz.identity.ServiceIdentityProvider; @@ -35,6 +38,7 @@ import org.apache.http.message.BasicHeader; import javax.net.ssl.SSLContext; import java.net.URI; +import java.security.PublicKey; import java.time.Instant; import java.util.Collections; import java.util.HashMap; @@ -356,6 +360,18 @@ public class DefaultZmsClient extends ClientBase implements ZmsClient { } @Override + public void updateServicePublicKey(AthenzService athenzService, String publicKeyId, PublicKey publicKey) { + URI uri = zmsUrl.resolve(String.format("domain/%s/service/%s/publickey/%s", + athenzService.getDomainName(), athenzService.getName(), publicKeyId)); + + ServicePublicKeyEntity entity = new ServicePublicKeyEntity(publicKeyId, Crypto.ybase64EncodeString(KeyUtils.toPem(publicKey))); + HttpUriRequest request = RequestBuilder.put(uri) + .setEntity(toJsonStringEntity(entity)) + .build(); + execute(request, response -> readEntity(response, Void.class)); + } + + @Override public void deleteService(AthenzService athenzService) { URI uri = zmsUrl.resolve(String.format("domain/%s/service/%s", athenzService.getDomainName(), athenzService.getName())); execute(RequestBuilder.delete(uri).build(), response -> readEntity(response, Void.class)); diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java index 80a0ddff204..e15af58cb76 100644 
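Review bot: `publicKeyId` is interpolated into the request path via `String.format` without validation or encoding, and `zmsUrl.resolve(...)` normalizes `..` segments, so an id containing `/`, `?`, `#` or `..` changes which ZMS resource the authenticated PUT targets; domain and service come from the typed `AthenzService`, but the id is a raw `String`. Reject anything outside the plain identifier charset before building the URI, e.g. `if (!publicKeyId.matches("[A-Za-z0-9._-]+")) throw new IllegalArgumentException("Invalid public key id: " + publicKeyId);` (ZMS itself treats the id as a single path segment, so this only refuses ids it would reject anyway — confirm the exact pattern against the ZMS schema). A `Objects.requireNonNull(publicKey, "publicKey")` is also worth adding, since `KeyUtils.toPem` will otherwise fail with a bare NullPointerException. Whether any caller passes an untrusted id is not visible here; the check is cheap either way, and the enclosing class DefaultZmsClient continues outside the hunk.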
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java +++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java @@ -12,6 +12,7 @@ import com.yahoo.vespa.athenz.api.AthenzService; import com.yahoo.vespa.athenz.api.OAuthCredentials; import java.io.Closeable; +import java.security.PublicKey; import java.time.Instant; import java.util.List; import java.util.Map; @@ -70,6 +71,8 @@ public interface ZmsClient extends Closeable { void createOrUpdateService(AthenzService athenzService); + void updateServicePublicKey(AthenzService athenzService, String publicKeyId, PublicKey publicKey); + void deleteService(AthenzService athenzService); void createRole(AthenzRole role, Map<String, Object> properties); diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/bindings/ServicePublicKeyEntity.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/bindings/ServicePublicKeyEntity.java new file mode 100644 index 00000000000..4767b584661 --- /dev/null +++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/bindings/ServicePublicKeyEntity.java @@ -0,0 +1,32 @@ +// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. +package com.yahoo.vespa.athenz.client.zms.bindings; + +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.annotation.JsonGetter; +import com.fasterxml.jackson.annotation.JsonIgnoreProperties; +import com.fasterxml.jackson.annotation.JsonProperty; + +/** + * @author freva + */ +@JsonIgnoreProperties(ignoreUnknown = true) +public class ServicePublicKeyEntity { + public final String id; + public final String key; + + @JsonCreator + public ServicePublicKeyEntity(@JsonProperty("id") String id, @JsonProperty("key") String key) { + this.id = id; + this.key = key; + } + + @JsonGetter("id") + public String name() { + return id; + } + + @JsonGetter("key") + public String key() { + return key; + } +} 
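Review bot: The new interface method carries no Javadoc, and its name promises an update while the DefaultZmsClient implementation issues a PUT to `domain/{domain}/service/{service}/publickey/{id}` with the PEM-encoded key, which in ZMS also creates the key when the id is new (confirm). Suggest: `/** Adds or replaces the public key with id {@code publicKeyId} on {@code athenzService}. The key is sent as ybase64-encoded PEM; the id becomes a single URL path segment, so it must be a plain identifier. */`. Stating the path-segment constraint on the interface is what lets callers know the id must not be attacker-controlled.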
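Review bot: The accessor `name()` returns `id` (`@JsonGetter("id") public String name()`), which reads as a copy-paste mismatch next to `key()`; since this class is new in this commit, rename it to `id()` before anything depends on it. A class comment would also help: `/** JSON binding for the ZMS PublicKeyEntry: {@code id} is the key id, {@code key} the ybase64-encoded PEM public key (see DefaultZmsClient.updateServicePublicKey). */`. With both public final fields and annotated getters mapped to the same property names, Jackson merges them into one property each, so nothing is serialized twice — but making the fields private would remove the ambiguity entirely.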
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java index 0c73891bdae..13a61d65d78 100644 --- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java +++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java @@ -38,7 +38,6 @@ import java.security.KeyPair; import java.security.cert.X509Certificate; import java.time.Duration; import java.util.List; -import java.util.Objects; import java.util.Optional; import java.util.function.Supplier; import java.util.stream.Collectors; @@ -230,7 +229,7 @@ public class DefaultZtsClient extends ClientBase implements ZtsClient { return URI.create(ztsUrl.toString() + '/'); } public static class Builder { - private URI ztsUrl; + private final URI ztsUrl; private ErrorHandler errorHandler = ErrorHandler.empty(); private HostnameVerifier hostnameVerifier = null; private Supplier<SSLContext> sslContextSupplier = null; @@ -260,9 +259,8 @@ public class DefaultZtsClient extends ClientBase implements ZtsClient { } public DefaultZtsClient build() { - if (Objects.isNull(sslContextSupplier)) { - throw new IllegalArgumentException("No ssl context or identity provider available to set up zts client"); - } + if (sslContextSupplier == null) + throw new IllegalArgumentException("No SSL context or identity provider available to set up ZTS client"); return new DefaultZtsClient(ztsUrl, sslContextSupplier, hostnameVerifier, errorHandler); } } diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzIdentityVerifier.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzIdentityVerifier.java index e440d79a159..bc50bcb2bb6 100644 --- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzIdentityVerifier.java +++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzIdentityVerifier.java 
@@ -24,7 +24,7 @@ public class AthenzIdentityVerifier implements HostnameVerifier { private final Set<AthenzIdentity> allowedIdentities; public AthenzIdentityVerifier(Set<AthenzIdentity> allowedIdentities) { - this.allowedIdentities = allowedIdentities; + this.allowedIdentities = Set.copyOf(allowedIdentities); } @Override |
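Review bot: `Set.copyOf` fixes the allow-list at construction time, which is the right call for a `HostnameVerifier`, but it also throws `NullPointerException` if `allowedIdentities` or any element is null, where the old assignment silently stored the reference; callers that passed a mutable set expecting later additions to take effect now get a frozen snapshot instead. Make both explicit with a comment on the assignment: `// Immutable snapshot: the allow-list cannot be widened after construction; rejects a null set or null elements`. The verify method that consults `allowedIdentities` is outside the hunk.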