24 files changed, 90 insertions, 79 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzClientFactory.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzClientFactory.java index aba3b5f3ab7..fffa849f7d3 100644 --- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzClientFactory.java +++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzClientFactory.java @@ -1,6 +1,7 @@ // Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. package com.yahoo.vespa.hosted.controller.api.integration.athenz; +import com.yahoo.vespa.athenz.api.AthenzIdentity; import com.yahoo.vespa.athenz.api.AthenzService; import com.yahoo.vespa.athenz.client.zms.ZmsClient; import com.yahoo.vespa.athenz.client.zts.ZtsClient; @@ -10,7 +11,7 @@ import com.yahoo.vespa.athenz.client.zts.ZtsClient; */ public interface AthenzClientFactory { - AthenzService getControllerIdentity(); + AthenzIdentity getControllerIdentity(); ZmsClient createZmsClient(); diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/zone/ZoneRegistry.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/zone/ZoneRegistry.java index c168ddf6caf..db9291cd651 100644 --- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/zone/ZoneRegistry.java +++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/zone/ZoneRegistry.java 
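Review bot: The kept `import com.yahoo.vespa.athenz.api.AthenzService;` in the first hunk appears to be dead once `getControllerIdentity()` returns `AthenzIdentity` — if nothing else in AthenzClientFactory still references AthenzService, drop that import instead of leaving the two side by side. The same pattern (AthenzIdentity import added, AthenzService import kept while the visible usages switch type) recurs in ZoneRegistry, AthenzClientFactoryImpl, ConfigServerInfo, AthenzCredentialsMaintainer, NodeAgentContext, NodeAgentContextImpl, TenancyRequestEntity, InstanceRegisterInformation, IdentityCsrGenerator and ServiceIdentityProvider. Only the hunks are visible here, so whether each import is really unused has to be checked against the rest of each file.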
@@ -9,6 +9,7 @@ import com.yahoo.config.provision.SystemName; import com.yahoo.config.provision.zone.UpgradePolicy; import com.yahoo.config.provision.zone.ZoneFilter; import com.yahoo.config.provision.zone.ZoneId; +import com.yahoo.vespa.athenz.api.AthenzIdentity; import com.yahoo.vespa.athenz.api.AthenzService; import com.yahoo.vespa.hosted.controller.api.identifiers.DeploymentId; import com.yahoo.vespa.hosted.controller.api.integration.deployment.RunId; @@ -53,7 +54,7 @@ public interface ZoneRegistry { SystemName system(); /** Return the configserver's Athenz service identity */ - AthenzService getConfigServerAthenzService(ZoneId zoneId); + AthenzIdentity getConfigServerAthenzIdentity(ZoneId zoneId); /** Returns the Vespa upgrade policy to use for zones in this registry */ UpgradePolicy upgradePolicy(); diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzClientFactoryImpl.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzClientFactoryImpl.java index 846c90a96f5..447f9a462b1 100644 --- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzClientFactoryImpl.java +++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzClientFactoryImpl.java @@ -2,6 +2,7 @@ package com.yahoo.vespa.hosted.controller.athenz.impl; import com.google.inject.Inject; +import com.yahoo.vespa.athenz.api.AthenzIdentity; import com.yahoo.vespa.athenz.api.AthenzService; import com.yahoo.vespa.athenz.client.zms.DefaultZmsClient; import com.yahoo.vespa.athenz.client.zms.ZmsClient; @@ -28,7 +29,7 @@ public class AthenzClientFactoryImpl implements AthenzClientFactory { } @Override - public AthenzService getControllerIdentity() { + public AthenzIdentity getControllerIdentity() { return identityProvider.identity(); } 
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java index 0732eeb97c3..75b7e137998 100644 --- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java +++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java @@ -11,7 +11,6 @@ import com.yahoo.vespa.athenz.api.AthenzIdentity; import com.yahoo.vespa.athenz.api.AthenzPrincipal; import com.yahoo.vespa.athenz.api.AthenzResourceName; import com.yahoo.vespa.athenz.api.AthenzRole; -import com.yahoo.vespa.athenz.api.AthenzService; import com.yahoo.vespa.athenz.api.OktaAccessToken; import com.yahoo.vespa.athenz.client.zms.RoleAction; import com.yahoo.vespa.athenz.client.zms.ZmsClient; @@ -19,9 +18,9 @@ import com.yahoo.vespa.athenz.client.zts.ZtsClient; import com.yahoo.vespa.hosted.controller.Application; import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzClientFactory; import com.yahoo.vespa.hosted.controller.athenz.ApplicationAction; +import com.yahoo.vespa.hosted.controller.security.AccessControl; import com.yahoo.vespa.hosted.controller.security.AthenzCredentials; import com.yahoo.vespa.hosted.controller.security.AthenzTenantSpec; -import com.yahoo.vespa.hosted.controller.security.AccessControl; import com.yahoo.vespa.hosted.controller.security.Credentials; import com.yahoo.vespa.hosted.controller.security.TenantSpec; import com.yahoo.vespa.hosted.controller.tenant.AthenzTenant; 
@@ -45,14 +44,14 @@ public class AthenzFacade implements AccessControl { private static final Logger log = Logger.getLogger(AthenzFacade.class.getName()); private final ZmsClient zmsClient; private final ZtsClient ztsClient; - private final AthenzService service; + private final AthenzIdentity service; @Inject public AthenzFacade(AthenzClientFactory factory) { this(factory.createZmsClient(), factory.createZtsClient(), factory.getControllerIdentity()); } - public AthenzFacade(ZmsClient zmsClient, ZtsClient ztsClient, AthenzService identity) { + public AthenzFacade(ZmsClient zmsClient, ZtsClient ztsClient, AthenzIdentity identity) { this.zmsClient = zmsClient; this.ztsClient = ztsClient; this.service = identity; diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/mock/ZmsClientMock.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/mock/ZmsClientMock.java index f7a8e702b06..37926d944b7 100644 --- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/mock/ZmsClientMock.java +++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/mock/ZmsClientMock.java @@ -5,7 +5,6 @@ import com.yahoo.vespa.athenz.api.AthenzDomain; import com.yahoo.vespa.athenz.api.AthenzIdentity; import com.yahoo.vespa.athenz.api.AthenzResourceName; import com.yahoo.vespa.athenz.api.AthenzRole; -import com.yahoo.vespa.athenz.api.AthenzService; import com.yahoo.vespa.athenz.api.OktaAccessToken; import com.yahoo.vespa.athenz.client.zms.RoleAction; import com.yahoo.vespa.athenz.client.zms.ZmsClient; 
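Review bot: The field on the `+ private final AthenzIdentity service;` line keeps the name `service` while its type is now `AthenzIdentity` and the constructor parameter assigned to it is called `identity`, so the name agrees with neither. Renaming it (`private final AthenzIdentity identity;` and `this.identity = identity;`) would make the field read like `AthenzClientFactory.getControllerIdentity()` that feeds it. The other uses of `service` in AthenzFacade lie outside this hunk and would need the same rename.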
@@ -30,23 +29,23 @@ public class ZmsClientMock implements ZmsClient { private static final Logger log = Logger.getLogger(ZmsClientMock.class.getName()); private final AthenzDbMock athenz; - private final AthenzService controllerIdentity; + private final AthenzIdentity controllerIdentity; private static final Pattern TENANT_RESOURCE_PATTERN = Pattern.compile("service\\.hosting\\.tenant\\.(?<tenantDomain>[\\w\\-_]+)\\..*"); private static final Pattern APPLICATION_RESOURCE_PATTERN = Pattern.compile("service\\.hosting\\.tenant\\.[\\w\\-_]+\\.res_group\\.(?<resourceGroup>[\\w\\-_]+)\\.wildcard"); - public ZmsClientMock(AthenzDbMock athenz, AthenzService controllerIdentity) { + public ZmsClientMock(AthenzDbMock athenz, AthenzIdentity controllerIdentity) { this.athenz = athenz; this.controllerIdentity = controllerIdentity; } @Override - public void createTenancy(AthenzDomain tenantDomain, AthenzService providerService, OktaAccessToken token) { + public void createTenancy(AthenzDomain tenantDomain, AthenzIdentity providerService, OktaAccessToken token) { log("createTenancy(tenantDomain='%s')", tenantDomain); getDomainOrThrow(tenantDomain, false).isVespaTenant = true; } @Override - public void deleteTenancy(AthenzDomain tenantDomain, AthenzService providerService, OktaAccessToken token) { + public void deleteTenancy(AthenzDomain tenantDomain, AthenzIdentity providerService, OktaAccessToken token) { log("deleteTenancy(tenantDomain='%s')", tenantDomain); AthenzDbMock.Domain domain = getDomainOrThrow(tenantDomain, false); domain.isVespaTenant = false; 
@@ -55,7 +54,7 @@ public class ZmsClientMock implements ZmsClient { } @Override - public void createProviderResourceGroup(AthenzDomain tenantDomain, AthenzService providerService, String resourceGroup, Set<RoleAction> roleActions, OktaAccessToken token) { + public void createProviderResourceGroup(AthenzDomain tenantDomain, AthenzIdentity providerService, String resourceGroup, Set<RoleAction> roleActions, OktaAccessToken token) { log("createProviderResourceGroup(tenantDomain='%s', resourceGroup='%s')", tenantDomain, resourceGroup); AthenzDbMock.Domain domain = getDomainOrThrow(tenantDomain, true); ApplicationId applicationId = new ApplicationId(resourceGroup); @@ -65,7 +64,7 @@ public class ZmsClientMock implements ZmsClient { } @Override - public void deleteProviderResourceGroup(AthenzDomain tenantDomain, AthenzService providerService, String resourceGroup, OktaAccessToken token) { + public void deleteProviderResourceGroup(AthenzDomain tenantDomain, AthenzIdentity providerService, String resourceGroup, OktaAccessToken token) { log("deleteProviderResourceGroup(tenantDomain='%s', resourceGroup='%s')", tenantDomain, resourceGroup); getDomainOrThrow(tenantDomain, true).applications.remove(new ApplicationId(resourceGroup)); } diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/mock/ZtsClientMock.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/mock/ZtsClientMock.java index 8bb5ad12468..5c0407d35a9 100644 --- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/mock/ZtsClientMock.java +++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/mock/ZtsClientMock.java 
@@ -45,22 +45,22 @@ public class ZtsClientMock implements ZtsClient { } @Override - public InstanceIdentity registerInstance(AthenzService providerIdentity, AthenzService instanceIdentity, String instanceId, String attestationData, boolean requestServiceToken, Pkcs10Csr csr) { + public InstanceIdentity registerInstance(AthenzIdentity providerIdentity, AthenzIdentity instanceIdentity, String instanceId, String attestationData, boolean requestServiceToken, Pkcs10Csr csr) { throw new UnsupportedOperationException(); } @Override - public InstanceIdentity refreshInstance(AthenzService providerIdentity, AthenzService instanceIdentity, String instanceId, boolean requestServiceToken, Pkcs10Csr csr) { + public InstanceIdentity refreshInstance(AthenzIdentity providerIdentity, AthenzIdentity instanceIdentity, String instanceId, boolean requestServiceToken, Pkcs10Csr csr) { throw new UnsupportedOperationException(); } @Override - public Identity getServiceIdentity(AthenzService identity, String keyId, Pkcs10Csr csr) { + public Identity getServiceIdentity(AthenzIdentity identity, String keyId, Pkcs10Csr csr) { throw new UnsupportedOperationException(); } @Override - public Identity getServiceIdentity(AthenzService identity, String keyId, KeyPair keyPair, String dnsSuffix) { + public Identity getServiceIdentity(AthenzIdentity identity, String keyId, KeyPair keyPair, String dnsSuffix) { throw new UnsupportedOperationException(); } diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImpl.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImpl.java index c223d051237..01d9a01a316 100644 --- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImpl.java +++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImpl.java 
@@ -268,7 +268,7 @@ public class ConfigServerRestExecutorImpl implements ConfigServerRestExecutor { AthenzIdentityVerifier hostnameVerifier = new AthenzIdentityVerifier( singleton( - zoneRegistry.getConfigServerAthenzService( + zoneRegistry.getConfigServerAthenzIdentity( ZoneId.from(proxyRequest.getEnvironment(), proxyRequest.getRegion())))); return HttpClientBuilder.create() .setUserAgent("config-server-proxy-client") diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/integration/ZoneRegistryMock.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/integration/ZoneRegistryMock.java index 393268b4750..4248a513950 100644 --- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/integration/ZoneRegistryMock.java +++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/integration/ZoneRegistryMock.java @@ -101,7 +101,7 @@ public class ZoneRegistryMock extends AbstractComponent implements ZoneRegistry return ZoneFilterMock.from(Collections.unmodifiableList(zones)); } - public AthenzService getConfigServerAthenzService(ZoneId zone) { + public AthenzService getConfigServerAthenzIdentity(ZoneId zone) { return new AthenzService("vespadomain", "provider-" + zone.environment().value() + "-" + zone.region().value()); } diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/component/ConfigServerInfo.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/component/ConfigServerInfo.java index 10ac30d8715..1811fc0c8f0 100644 --- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/component/ConfigServerInfo.java +++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/component/ConfigServerInfo.java 
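Review bot: `getConfigServerAthenzIdentity` in ZoneRegistryMock implements the method just renamed on ZoneRegistry but carries no `@Override`; after an interface rename that annotation is what makes any remaining name or signature mismatch a compile error on this method itself, so add `@Override` directly above `public AthenzService getConfigServerAthenzIdentity(ZoneId zone) {`. Returning the narrower `AthenzService` is a legal covariant override of the interface's `AthenzIdentity` return type, so only the annotation is missing.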
@@ -1,6 +1,7 @@ // Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. package com.yahoo.vespa.hosted.node.admin.component; +import com.yahoo.vespa.athenz.api.AthenzIdentity; import com.yahoo.vespa.athenz.api.AthenzService; import java.net.URI; @@ -16,12 +17,12 @@ import java.util.stream.Collectors; */ public class ConfigServerInfo { private final URI loadBalancerEndpoint; - private final AthenzService configServerIdentity; + private final AthenzIdentity configServerIdentity; private final Function<String, URI> configServerHostnameToUriMapper; private final List<URI> configServerURIs; public ConfigServerInfo(String loadBalancerHostName, List<String> configServerHostNames, - String scheme, int port, AthenzService configServerAthenzIdentity) { + String scheme, int port, AthenzIdentity configServerAthenzIdentity) { this.loadBalancerEndpoint = createLoadBalancerEndpoint(loadBalancerHostName, scheme, port); this.configServerIdentity = configServerAthenzIdentity; this.configServerHostnameToUriMapper = hostname -> URI.create(scheme + "://" + hostname + ":" + port); @@ -46,7 +47,7 @@ public class ConfigServerInfo { return loadBalancerEndpoint; } - public AthenzService getConfigServerIdentity() { + public AthenzIdentity getConfigServerIdentity() { return configServerIdentity; } } diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java index 4fe0f420f05..550d6e7021e 100644 --- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java +++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java 
@@ -8,6 +8,7 @@ import com.yahoo.security.KeyUtils; import com.yahoo.security.Pkcs10Csr; import com.yahoo.security.SslContextBuilder; import com.yahoo.security.X509CertificateUtils; +import com.yahoo.vespa.athenz.api.AthenzIdentity; import com.yahoo.vespa.athenz.api.AthenzService; import com.yahoo.vespa.athenz.client.zts.DefaultZtsClient; import com.yahoo.vespa.athenz.client.zts.InstanceIdentity; @@ -63,7 +64,7 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer { private final URI ztsEndpoint; private final Path trustStorePath; - private final AthenzService configserverIdentity; + private final AthenzIdentity configserverIdentity; private final Clock clock; private final ServiceIdentityProvider hostIdentityProvider; private final IdentityDocumentClient identityDocumentClient; diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/nodeagent/NodeAgentContext.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/nodeagent/NodeAgentContext.java index 496f4bd667d..205e7b1e258 100644 --- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/nodeagent/NodeAgentContext.java +++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/nodeagent/NodeAgentContext.java @@ -2,6 +2,7 @@ package com.yahoo.vespa.hosted.node.admin.nodeagent; import com.yahoo.config.provision.HostName; import com.yahoo.config.provision.NodeType; +import com.yahoo.vespa.athenz.api.AthenzIdentity; import com.yahoo.vespa.athenz.api.AthenzService; import com.yahoo.vespa.hosted.dockerapi.ContainerName; import com.yahoo.vespa.hosted.node.admin.component.TaskContext; @@ -33,7 +34,7 @@ public interface NodeAgentContext extends TaskContext { return node().getNodeType(); } - AthenzService identity(); + AthenzIdentity identity(); DockerNetworking dockerNetworking(); 
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/nodeagent/NodeAgentContextImpl.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/nodeagent/NodeAgentContextImpl.java index 9ca19a76706..1b33fed151e 100644 --- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/nodeagent/NodeAgentContextImpl.java +++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/nodeagent/NodeAgentContextImpl.java @@ -4,6 +4,7 @@ import com.yahoo.config.provision.Environment; import com.yahoo.config.provision.NodeType; import com.yahoo.config.provision.RegionName; import com.yahoo.config.provision.SystemName; +import com.yahoo.vespa.athenz.api.AthenzIdentity; import com.yahoo.vespa.athenz.api.AthenzService; import com.yahoo.vespa.hosted.dockerapi.ContainerName; import com.yahoo.vespa.hosted.node.admin.component.ZoneId; @@ -30,7 +31,7 @@ public class NodeAgentContextImpl implements NodeAgentContext { private final NodeSpec node; private final Acl acl; private final ContainerName containerName; - private final AthenzService identity; + private final AthenzIdentity identity; private final DockerNetworking dockerNetworking; private final ZoneId zoneId; private final Path pathToNodeRootOnHost; @@ -38,7 +39,7 @@ public class NodeAgentContextImpl implements NodeAgentContext { private final String vespaUser; private final String vespaUserOnHost; - public NodeAgentContextImpl(NodeSpec node, Acl acl, AthenzService identity, + public NodeAgentContextImpl(NodeSpec node, Acl acl, AthenzIdentity identity, DockerNetworking dockerNetworking, ZoneId zoneId, Path pathToContainerStorage, Path pathToVespaHome, String vespaUser, String vespaUserOnHost) { @@ -71,7 +72,7 @@ public class NodeAgentContextImpl implements NodeAgentContext { } @Override - public AthenzService identity() { + public AthenzIdentity identity() { return identity; } 
@@ -157,7 +158,7 @@ public class NodeAgentContextImpl implements NodeAgentContext {
 public static class Builder {
 private NodeSpec.Builder nodeSpecBuilder = new NodeSpec.Builder();
 private Acl acl;
- private AthenzService identity;
+ private AthenzIdentity identity;
 private DockerNetworking dockerNetworking;
 private ZoneId zoneId;
 private Path pathToContainerStorage;
@@ -192,7 +193,7 @@ public class NodeAgentContextImpl implements NodeAgentContext {
 return this;
 }
 
- public Builder identity(AthenzService identity) {
+ public Builder identity(AthenzIdentity identity) {
 this.identity = identity;
 return this;
 }
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java
index d81c9f064b1..da3bd18440b 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java
@@ -5,7 +5,7 @@ import com.yahoo.vespa.athenz.api.AthenzDomain;
 import com.yahoo.vespa.athenz.api.AthenzIdentity;
 import com.yahoo.vespa.athenz.api.AthenzResourceName;
 import com.yahoo.vespa.athenz.api.AthenzRole;
-import com.yahoo.vespa.athenz.api.AthenzService;
+import com.yahoo.vespa.athenz.api.AthenzIdentity;
 import com.yahoo.vespa.athenz.api.OktaAccessToken;
 import com.yahoo.vespa.athenz.client.common.ClientBase;
 import com.yahoo.vespa.athenz.client.zms.bindings.AccessResponseEntity;
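Review bot: The added `+import com.yahoo.vespa.athenz.api.AthenzIdentity;` in the DefaultZmsClient import hunk duplicates the context line `import com.yahoo.vespa.athenz.api.AthenzIdentity;` two lines above it, so the file now imports the same type twice. javac tolerates a repeated single-type import of the same type, but it is noise that linters and IDEs will flag. Keep the removal of the `AthenzService` import and drop the added line rather than replacing one with the other.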
@@ -55,7 +55,7 @@ public class DefaultZmsClient extends ClientBase implements ZmsClient { } @Override - public void createTenancy(AthenzDomain tenantDomain, AthenzService providerService, OktaAccessToken token) { + public void createTenancy(AthenzDomain tenantDomain, AthenzIdentity providerService, OktaAccessToken token) { URI uri = zmsUrl.resolve(String.format("domain/%s/tenancy/%s", tenantDomain.getName(), providerService.getFullName())); HttpUriRequest request = RequestBuilder.put() .setUri(uri) @@ -66,7 +66,7 @@ public class DefaultZmsClient extends ClientBase implements ZmsClient { } @Override - public void deleteTenancy(AthenzDomain tenantDomain, AthenzService providerService, OktaAccessToken token) { + public void deleteTenancy(AthenzDomain tenantDomain, AthenzIdentity providerService, OktaAccessToken token) { URI uri = zmsUrl.resolve(String.format("domain/%s/tenancy/%s", tenantDomain.getName(), providerService.getFullName())); HttpUriRequest request = RequestBuilder.delete() .setUri(uri) @@ -76,7 +76,7 @@ public class DefaultZmsClient extends ClientBase implements ZmsClient { } @Override - public void createProviderResourceGroup(AthenzDomain tenantDomain, AthenzService providerService, String resourceGroup, Set<RoleAction> roleActions, OktaAccessToken token) { + public void createProviderResourceGroup(AthenzDomain tenantDomain, AthenzIdentity providerService, String resourceGroup, Set<RoleAction> roleActions, OktaAccessToken token) { URI uri = zmsUrl.resolve(String.format("domain/%s/provDomain/%s/provService/%s/resourceGroup/%s", tenantDomain.getName(), providerService.getDomainName(), providerService.getName(), resourceGroup)); HttpUriRequest request = RequestBuilder.put() .setUri(uri) 
@@ -87,7 +87,7 @@ public class DefaultZmsClient extends ClientBase implements ZmsClient { } @Override - public void deleteProviderResourceGroup(AthenzDomain tenantDomain, AthenzService providerService, String resourceGroup, OktaAccessToken token) { + public void deleteProviderResourceGroup(AthenzDomain tenantDomain, AthenzIdentity providerService, String resourceGroup, OktaAccessToken token) { URI uri = zmsUrl.resolve(String.format("domain/%s/provDomain/%s/provService/%s/resourceGroup/%s", tenantDomain.getName(), providerService.getDomainName(), providerService.getName(), resourceGroup)); HttpUriRequest request = RequestBuilder.delete() .setUri(uri) diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java index cf044edeac0..e78478bc1a2 100644 --- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java +++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java 
@@ -17,13 +17,13 @@ import java.util.Set; */ public interface ZmsClient extends AutoCloseable { - void createTenancy(AthenzDomain tenantDomain, AthenzService providerService, OktaAccessToken token); + void createTenancy(AthenzDomain tenantDomain, AthenzIdentity providerService, OktaAccessToken token); - void deleteTenancy(AthenzDomain tenantDomain, AthenzService providerService, OktaAccessToken token); + void deleteTenancy(AthenzDomain tenantDomain, AthenzIdentity providerService, OktaAccessToken token); - void createProviderResourceGroup(AthenzDomain tenantDomain, AthenzService providerService, String resourceGroup, Set<RoleAction> roleActions, OktaAccessToken token); + void createProviderResourceGroup(AthenzDomain tenantDomain, AthenzIdentity providerService, String resourceGroup, Set<RoleAction> roleActions, OktaAccessToken token); - void deleteProviderResourceGroup(AthenzDomain tenantDomain, AthenzService providerService, String resourceGroup, OktaAccessToken token); + void deleteProviderResourceGroup(AthenzDomain tenantDomain, AthenzIdentity providerService, String resourceGroup, OktaAccessToken token); boolean getMembership(AthenzRole role, AthenzIdentity identity); diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/bindings/ProviderResourceGroupRolesRequestEntity.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/bindings/ProviderResourceGroupRolesRequestEntity.java index dccd18fed61..a67bd4dcad6 100644 --- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/bindings/ProviderResourceGroupRolesRequestEntity.java +++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/bindings/ProviderResourceGroupRolesRequestEntity.java 
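Review bot: `createTenancy`, `deleteTenancy`, `createProviderResourceGroup` and `deleteProviderResourceGroup` now accept any `AthenzIdentity` as `providerService`, yet the parameter still denotes a provider *service* and DefaultZmsClient formats `providerService.getDomainName()` and `getName()` into the `provDomain/%s/provService/%s` path, so the compile-time guarantee the `AthenzService` type gave is gone. If the `AthenzIdentity` hierarchy also has a non-service implementation, passing one now surfaces as a ZMS error at runtime instead of a type error; the same widening applies to `providerIdentity` in `ZtsClient.registerInstance`/`refreshInstance` and their DefaultZtsClient implementations. None of these interface methods carry Javadoc, so at least state the precondition, e.g. `/** @param providerService the provider's service identity (domain plus service name); must denote a service */`, or validate it at the DefaultZmsClient boundary.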
@@ -33,7 +33,7 @@ public class ProviderResourceGroupRolesRequestEntity { @JsonProperty("resourceGroup") private final String resourceGroup; - public ProviderResourceGroupRolesRequestEntity(AthenzService providerService, AthenzDomain tenantDomain, Set<RoleAction> rolesActions, String resourceGroup) { + public ProviderResourceGroupRolesRequestEntity(AthenzIdentity providerService, AthenzDomain tenantDomain, Set<RoleAction> rolesActions, String resourceGroup) { this.domain = providerService.getDomainName(); this.service = providerService.getName(); this.tenant = tenantDomain.getName(); diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/bindings/TenancyRequestEntity.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/bindings/TenancyRequestEntity.java index 7883a505c71..6e1987130f2 100644 --- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/bindings/TenancyRequestEntity.java +++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/bindings/TenancyRequestEntity.java @@ -4,6 +4,7 @@ package com.yahoo.vespa.athenz.client.zms.bindings; import com.fasterxml.jackson.annotation.JsonInclude; import com.fasterxml.jackson.annotation.JsonProperty; import com.yahoo.vespa.athenz.api.AthenzDomain; +import com.yahoo.vespa.athenz.api.AthenzIdentity; import com.yahoo.vespa.athenz.api.AthenzService; import java.util.List; @@ -23,7 +24,7 @@ public class TenancyRequestEntity { @JsonInclude(JsonInclude.Include.NON_EMPTY) private final List<String> resourceGroups; - public TenancyRequestEntity(AthenzDomain tenantDomain, AthenzService providerService, List<String> resourceGroups) { + public TenancyRequestEntity(AthenzDomain tenantDomain, AthenzIdentity providerService, List<String> resourceGroups) { this.tenantDomain = tenantDomain.getName(); this.providerService = providerService.getFullName(); this.resourceGroups = resourceGroups; 
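Review bot: The ProviderResourceGroupRolesRequestEntity constructor switches `providerService` to `AthenzIdentity`, but unlike TenancyRequestEntity on the same line (which gets `+import com.yahoo.vespa.athenz.api.AthenzIdentity;`) no import hunk is shown for this file; unless AthenzIdentity is already imported there, the constructor will not compile, and the `AthenzService` import the file presumably has becomes unused. Please check that file's import section. In TenancyRequestEntity the retained `import com.yahoo.vespa.athenz.api.AthenzService;` likewise looks dead once the constructor takes `AthenzIdentity`.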
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java index 05395947fc1..ddba229d8d1 100644 --- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java +++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java @@ -1,10 +1,10 @@ // Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. package com.yahoo.vespa.athenz.client.zts; +import com.yahoo.security.Pkcs10Csr; import com.yahoo.vespa.athenz.api.AthenzDomain; import com.yahoo.vespa.athenz.api.AthenzIdentity; import com.yahoo.vespa.athenz.api.AthenzRole; -import com.yahoo.vespa.athenz.api.AthenzService; import com.yahoo.vespa.athenz.api.AwsRole; import com.yahoo.vespa.athenz.api.AwsTemporaryCredentials; import com.yahoo.vespa.athenz.api.NToken; @@ -22,7 +22,6 @@ import com.yahoo.vespa.athenz.client.zts.bindings.RoleTokenResponseEntity; import com.yahoo.vespa.athenz.client.zts.bindings.TenantDomainsResponseEntity; import com.yahoo.vespa.athenz.client.zts.utils.IdentityCsrGenerator; import com.yahoo.vespa.athenz.identity.ServiceIdentityProvider; -import com.yahoo.security.Pkcs10Csr; import org.apache.http.HttpResponse; import org.apache.http.client.methods.HttpUriRequest; import org.apache.http.client.methods.RequestBuilder; @@ -65,8 +64,8 @@ public class DefaultZtsClient extends ClientBase implements ZtsClient { } @Override - public InstanceIdentity registerInstance(AthenzService providerIdentity, - AthenzService instanceIdentity, + public InstanceIdentity registerInstance(AthenzIdentity providerIdentity, + AthenzIdentity instanceIdentity, String instanceId, String attestationData, boolean requestServiceToken, 
@@ -81,8 +80,8 @@ public class DefaultZtsClient extends ClientBase implements ZtsClient { } @Override - public InstanceIdentity refreshInstance(AthenzService providerIdentity, - AthenzService instanceIdentity, + public InstanceIdentity refreshInstance(AthenzIdentity providerIdentity, + AthenzIdentity instanceIdentity, String instanceId, boolean requestServiceToken, Pkcs10Csr csr) { @@ -101,7 +100,7 @@ public class DefaultZtsClient extends ClientBase implements ZtsClient { } @Override - public Identity getServiceIdentity(AthenzService identity, String keyId, Pkcs10Csr csr) { + public Identity getServiceIdentity(AthenzIdentity identity, String keyId, Pkcs10Csr csr) { URI uri = ztsUrl.resolve(String.format("instance/%s/%s/refresh", identity.getDomainName(), identity.getName())); HttpUriRequest request = RequestBuilder.post() .setUri(uri) @@ -114,7 +113,7 @@ public class DefaultZtsClient extends ClientBase implements ZtsClient { } @Override - public Identity getServiceIdentity(AthenzService identity, String keyId, KeyPair keyPair, String dnsSuffix) { + public Identity getServiceIdentity(AthenzIdentity identity, String keyId, KeyPair keyPair, String dnsSuffix) { Pkcs10Csr csr = new IdentityCsrGenerator(dnsSuffix).generateIdentityCsr(identity, keyPair); return getServiceIdentity(identity, keyId, csr); } diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClient.java index 7b77fccfed6..efe244d500f 100644 --- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClient.java +++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClient.java 
@@ -28,8 +28,8 @@ public interface ZtsClient extends AutoCloseable { * @param attestationData The signed identity documented serialized to a string. * @return A x509 certificate + service token (optional) */ - InstanceIdentity registerInstance(AthenzService providerIdentity, - AthenzService instanceIdentity, + InstanceIdentity registerInstance(AthenzIdentity providerIdentity, + AthenzIdentity instanceIdentity, String instanceId, // TODO Remove this parameter (unused/unnecessary) String attestationData, boolean requestServiceToken, @@ -40,8 +40,8 @@ public interface ZtsClient extends AutoCloseable { * * @return A x509 certificate + service token (optional) */ - InstanceIdentity refreshInstance(AthenzService providerIdentity, - AthenzService instanceIdentity, + InstanceIdentity refreshInstance(AthenzIdentity providerIdentity, + AthenzIdentity instanceIdentity, String instanceId, boolean requestServiceToken, Pkcs10Csr csr); @@ -51,7 +51,7 @@ public interface ZtsClient extends AutoCloseable { * * @return A x509 certificate with CA certificates */ - Identity getServiceIdentity(AthenzService identity, + Identity getServiceIdentity(AthenzIdentity identity, String keyId, Pkcs10Csr csr); @@ -60,7 +60,7 @@ public interface ZtsClient extends AutoCloseable { * * @return A x509 certificate with CA certificates */ - Identity getServiceIdentity(AthenzService identity, + Identity getServiceIdentity(AthenzIdentity identity, String keyId, KeyPair keyPair, String dnsSuffix); diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/bindings/InstanceRegisterInformation.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/bindings/InstanceRegisterInformation.java index 49d9bb1ec5c..67a49059776 100644 --- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/bindings/InstanceRegisterInformation.java +++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/bindings/InstanceRegisterInformation.java 
@@ -4,6 +4,7 @@ package com.yahoo.vespa.athenz.client.zts.bindings;
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonInclude;
 import com.fasterxml.jackson.annotation.JsonProperty;
+import com.yahoo.vespa.athenz.api.AthenzIdentity;
 import com.yahoo.vespa.athenz.api.AthenzService;
 import com.yahoo.security.Pkcs10Csr;
 import com.yahoo.security.Pkcs10CsrUtils;
@@ -32,8 +33,8 @@ public class InstanceRegisterInformation {
 @JsonProperty("token")
 private final boolean token;
- public InstanceRegisterInformation(AthenzService providerIdentity,
- AthenzService instanceIdentity,
+ public InstanceRegisterInformation(AthenzIdentity providerIdentity,
+ AthenzIdentity instanceIdentity,
 String attestationData,
 Pkcs10Csr csr,
 boolean requestServiceToken) {
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/utils/IdentityCsrGenerator.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/utils/IdentityCsrGenerator.java
index b2af2d732bf..d1383bd04fd 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/utils/IdentityCsrGenerator.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/utils/IdentityCsrGenerator.java
@@ -1,6 +1,7 @@
 // Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.vespa.athenz.client.zts.utils;
+import com.yahoo.vespa.athenz.api.AthenzIdentity;
 import com.yahoo.vespa.athenz.api.AthenzService;
 import com.yahoo.vespa.athenz.client.zts.ZtsClient;
 import com.yahoo.security.Pkcs10Csr;
@@ -12,7 +13,7 @@ import java.security.KeyPair;
 import static com.yahoo.security.SignatureAlgorithm.SHA256_WITH_RSA;
 /**
- * Generates a {@link Pkcs10Csr} instance for use with {@link ZtsClient#getServiceIdentity(AthenzService, String, Pkcs10Csr)}
+ * Generates a {@link Pkcs10Csr} instance for use with {@link ZtsClient#getServiceIdentity(AthenzIdentity, String, Pkcs10Csr)}
 *
 * @author bjorncs
 */
@@ -24,7 +25,7 @@ public class IdentityCsrGenerator {
 this.dnsSuffix = dnsSuffix;
 }
- public Pkcs10Csr generateIdentityCsr(AthenzService identity, KeyPair keypair) {
+ public Pkcs10Csr generateIdentityCsr(AthenzIdentity identity, KeyPair keypair) {
 return Pkcs10CsrBuilder.fromKeypair(new X500Principal("CN=" + identity.getFullName()), keypair, SHA256_WITH_RSA)
 .addSubjectAlternativeName(String.format(
 "%s.%s.%s",
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identity/ServiceIdentityProvider.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identity/ServiceIdentityProvider.java
index 6b318fb16be..e5ed885b316 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identity/ServiceIdentityProvider.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identity/ServiceIdentityProvider.java
@@ -2,6 +2,7 @@ package com.yahoo.vespa.athenz.identity;
 import com.yahoo.container.jdisc.athenz.AthenzIdentityProvider;
+import com.yahoo.vespa.athenz.api.AthenzIdentity;
 import com.yahoo.vespa.athenz.api.AthenzService;
 import javax.net.ssl.SSLContext;
@@ -13,6 +14,6 @@ import javax.net.ssl.SSLContext;
 * @author bjorncs
 */
 public interface ServiceIdentityProvider {
- AthenzService identity();
+ AthenzIdentity identity();
 SSLContext getIdentitySslContext();
 }
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identity/SiaIdentityProvider.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identity/SiaIdentityProvider.java
index d8fa910aa73..2b0e50ed982 100644
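Review bot: `new X500Principal("CN=" + identity.getFullName())` on the line after the changed `generateIdentityCsr` signature hands the identity's full name to an RFC 2253 parser unescaped, so a name containing `,`, `+`, `"`, `\`, `;`, `<` or `>` would either throw `IllegalArgumentException` or be parsed as additional RDNs; with the parameter now typed `AthenzIdentity`, this relies on every implementation, not just `AthenzService`, validating its name, which the hunk does not show. Escaping the value removes that dependency: `new X500Principal("CN=" + Rdn.escapeValue(identity.getFullName()))` (`javax.naming.ldap.Rdn`, part of the JDK). A one-line Javadoc on the method stating that both the CN and the subject alternative name are derived from the identity's full name would also tell callers what the CSR will contain. The method body continues past the hunk, so the SAN format arguments are not visible here.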
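Review bot: The `ServiceIdentityProvider` hunk keeps `import com.yahoo.vespa.athenz.api.AthenzService;` although, as far as the hunk shows, the interface no longer mentions `AthenzService` once `identity()` returns `AthenzIdentity`; if nothing outside the hunk references it, the import is dead and should be removed alongside the change. The `ZtsClient` hunks on this page look the same way: every `AthenzService` parameter was replaced, so that import may be unused there too.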
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identity/SiaIdentityProvider.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identity/SiaIdentityProvider.java
@@ -4,6 +4,7 @@ package com.yahoo.vespa.athenz.identity;
 import com.google.inject.Inject;
 import com.yahoo.component.AbstractComponent;
 import com.yahoo.log.LogLevel;
+import com.yahoo.vespa.athenz.api.AthenzIdentity;
 import com.yahoo.vespa.athenz.api.AthenzService;
 import com.yahoo.security.KeyStoreType;
 import com.yahoo.security.SslContextBuilder;
@@ -33,7 +34,7 @@ public class SiaIdentityProvider extends AbstractComponent implements ServiceIde
 private static final Duration REFRESH_INTERVAL = Duration.ofHours(1);
 private final AtomicReference<SSLContext> sslContext = new AtomicReference<>();
- private final AthenzService service;
+ private final AthenzIdentity service;
 private final File privateKeyFile;
 private final File certificateFile;
 private final File trustStoreFile;
@@ -48,7 +49,7 @@ public class SiaIdentityProvider extends AbstractComponent implements ServiceIde
 createScheduler());
 }
- public SiaIdentityProvider(AthenzService service,
+ public SiaIdentityProvider(AthenzIdentity service,
 Path siaPath,
 File trustStoreFile) {
 this(service,
@@ -58,7 +59,7 @@ public class SiaIdentityProvider extends AbstractComponent implements ServiceIde
 createScheduler());
 }
- public SiaIdentityProvider(AthenzService service,
+ public SiaIdentityProvider(AthenzIdentity service,
 File privateKeyFile,
 File certificateFile,
 File trustStoreFile,
@@ -81,7 +82,7 @@ public class SiaIdentityProvider extends AbstractComponent implements ServiceIde
 }
 @Override
- public AthenzService identity() {
+ public AthenzIdentity identity() {
 return service;
 }
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/utils/SiaUtils.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/utils/SiaUtils.java
index cd35a204b00..40f12b9c6db 100644
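Review bot: The field and constructor parameter keep the name `service` after their type became `AthenzIdentity` (`private final AthenzIdentity service;` and `public SiaIdentityProvider(AthenzIdentity service,` in both constructors), while the accessor that returns it is `identity()`; renaming them to `identity` would keep the name in step with both the type and the accessor, and avoids suggesting to readers that only service identities are accepted. Naming only; behaviour is unchanged, and the constructor bodies continue outside the hunks.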
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/utils/SiaUtils.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/utils/SiaUtils.java
@@ -1,6 +1,7 @@
 // Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.vespa.athenz.utils;
+import com.yahoo.vespa.athenz.api.AthenzIdentity;
 import com.yahoo.vespa.athenz.api.AthenzService;
 import com.yahoo.security.KeyUtils;
 import com.yahoo.security.X509CertificateUtils;
@@ -31,31 +32,31 @@ public class SiaUtils {
 private SiaUtils() {}
- public static Path getPrivateKeyFile(AthenzService service) {
+ public static Path getPrivateKeyFile(AthenzIdentity service) {
 return getPrivateKeyFile(DEFAULT_SIA_DIRECTORY, service);
 }
- public static Path getPrivateKeyFile(Path root, AthenzService service) {
+ public static Path getPrivateKeyFile(Path root, AthenzIdentity service) {
 return root
 .resolve("keys")
 .resolve(String.format("%s.%s.key.pem", service.getDomainName(), service.getName()));
 }
- public static Path getCertificateFile(AthenzService service) {
+ public static Path getCertificateFile(AthenzIdentity service) {
 return getCertificateFile(DEFAULT_SIA_DIRECTORY, service);
 }
- public static Path getCertificateFile(Path root, AthenzService service) {
+ public static Path getCertificateFile(Path root, AthenzIdentity service) {
 return root
 .resolve("certs")
 .resolve(String.format("%s.%s.cert.pem", service.getDomainName(), service.getName()));
 }
- public static Optional<PrivateKey> readPrivateKeyFile(AthenzService service) {
+ public static Optional<PrivateKey> readPrivateKeyFile(AthenzIdentity service) {
 return readPrivateKeyFile(DEFAULT_SIA_DIRECTORY, service);
 }
- public static Optional<PrivateKey> readPrivateKeyFile(Path root, AthenzService service) {
+ public static Optional<PrivateKey> readPrivateKeyFile(Path root, AthenzIdentity service) {
 try {
 Path privateKeyFile = getPrivateKeyFile(root, service);
 if (Files.notExists(privateKeyFile)) return Optional.empty();
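Review bot: `getPrivateKeyFile(Path root, AthenzIdentity service)` and `getCertificateFile(Path root, AthenzIdentity service)` build a file name from `service.getDomainName()` and `service.getName()` and resolve it under `root`, and that path is what `readPrivateKeyFile` here and the read/write overloads in the next hunk open or create (`Files.createDirectories(privateKeyFile.getParent())` in particular). Before this change the argument was always an `AthenzService`; with the wider interface, where the key and certificate land depends on every `AthenzIdentity` implementation keeping those strings free of path separators and `..`, which nothing in the hunk establishes. A normalise-and-containment check at the one place the path is built would make the write paths independent of the implementation (`normalize()` collapses `..`, `startsWith` rejects an escape), and the same check then covers all the read/write overloads in the following hunk:
```java
public static Path getPrivateKeyFile(Path root, AthenzIdentity service) {
    return resolveUnder(root.resolve("keys"),
                        String.format("%s.%s.key.pem", service.getDomainName(), service.getName()));
}

// … getCertificateFile(Path, AthenzIdentity): same change with "certs" and ".cert.pem" …

/** Resolves fileName under dir, rejecting any value that would escape dir. */
private static Path resolveUnder(Path dir, String fileName) {
    Path resolved = dir.resolve(fileName).normalize();
    if (!resolved.startsWith(dir.normalize())) {
        throw new IllegalArgumentException("identity resolves outside " + dir);
    }
    return resolved;
}
```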
@@ -65,11 +66,11 @@ public class SiaUtils {
 }
 }
- public static Optional<X509Certificate> readCertificateFile(AthenzService service) {
+ public static Optional<X509Certificate> readCertificateFile(AthenzIdentity service) {
 return readCertificateFile(DEFAULT_SIA_DIRECTORY, service);
 }
- public static Optional<X509Certificate> readCertificateFile(Path root, AthenzService service) {
+ public static Optional<X509Certificate> readCertificateFile(Path root, AthenzIdentity service) {
 try {
 Path certificateFile = getCertificateFile(root, service);
 if (Files.notExists(certificateFile)) return Optional.empty();
@@ -79,11 +80,11 @@ public class SiaUtils {
 }
 }
- public static void writePrivateKeyFile(AthenzService service, PrivateKey privateKey) {
+ public static void writePrivateKeyFile(AthenzIdentity service, PrivateKey privateKey) {
 writePrivateKeyFile(DEFAULT_SIA_DIRECTORY, service, privateKey);
 }
- public static void writePrivateKeyFile(Path root, AthenzService service, PrivateKey privateKey) {
+ public static void writePrivateKeyFile(Path root, AthenzIdentity service, PrivateKey privateKey) {
 try {
 Path privateKeyFile = getPrivateKeyFile(root, service);
 Files.createDirectories(privateKeyFile.getParent());
@@ -95,11 +96,11 @@ public class SiaUtils {
 }
 }
- public static void writeCertificateFile(AthenzService service, X509Certificate certificate) {
+ public static void writeCertificateFile(AthenzIdentity service, X509Certificate certificate) {
 writeCertificateFile(DEFAULT_SIA_DIRECTORY, service, certificate);
 }
- public static void writeCertificateFile(Path root, AthenzService service, X509Certificate certificate) {
+ public static void writeCertificateFile(Path root, AthenzIdentity service, X509Certificate certificate) {
 try {
 Path certificateFile = getCertificateFile(root, service);
 Files.createDirectories(certificateFile.getParent());
@@ -111,11 +112,11 @@ public class SiaUtils {
 }
 }
- public static List<AthenzService> findSiaServices() {
+ public static List<AthenzIdentity> findSiaServices() {
 return findSiaServices(DEFAULT_SIA_DIRECTORY);
 }
- public static List<AthenzService> findSiaServices(Path root) {
+ public static List<AthenzIdentity> findSiaServices(Path root) {
 String keyFileSuffix = ".key.pem";
 Path keysDirectory = root.resolve("keys");
 if ( ! Files.exists(keysDirectory))
diff --git a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/utils/SiaUtilsTest.java b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/utils/SiaUtilsTest.java
index f69e937f294..0e6aff1eeca 100644
--- a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/utils/SiaUtilsTest.java
+++ b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/utils/SiaUtilsTest.java
@@ -1,6 +1,7 @@
 // Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.vespa.athenz.utils;
+import com.yahoo.vespa.athenz.api.AthenzIdentity;
 import com.yahoo.vespa.athenz.api.AthenzService;
 import org.junit.Rule;
 import org.junit.Test;
@@ -35,7 +36,7 @@ public class SiaUtilsTest {
 AthenzService barService = new AthenzService("my.domain.bar");
 Files.createFile(SiaUtils.getPrivateKeyFile(siaRoot, barService));
- List<AthenzService> siaIdentities = SiaUtils.findSiaServices(siaRoot);
+ List<AthenzIdentity> siaIdentities = SiaUtils.findSiaServices(siaRoot);
 assertThat(siaIdentities.size(), equalTo(2));
 assertThat(siaIdentities, hasItem(fooService));
 assertThat(siaIdentities, hasItem(barService)); |
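Review bot: Widening the return type of `findSiaServices()` and `findSiaServices(Path root)` to `List<AthenzIdentity>` is a source-incompatible change for existing callers, which the `SiaUtilsTest` hunk on this page shows by having to retype its local to `List<AthenzIdentity>`; widening the parameter types elsewhere in this commit breaks no caller, but a wider return type does. The method body continues outside the hunk, yet the test still asserts `hasItem(fooService)` and `hasItem(barService)` with `AthenzService` values, which suggests the list is populated with `AthenzService` instances parsed from the `.key.pem` file names; if so, keeping `List<AthenzService>` as the return type is both more precise and compatible, and callers that want the wider view can still assign it to `List<? extends AthenzIdentity>`.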