9 files changed, 45 insertions, 66 deletions
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzSslKeyStoreConfigurator.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzSslKeyStoreConfigurator.java
index e4e964c7088..4af64286e7c 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzSslKeyStoreConfigurator.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzSslKeyStoreConfigurator.java
@@ -5,10 +5,10 @@ import com.google.inject.Inject;
 import com.yahoo.cloud.config.ConfigserverConfig;
 import com.yahoo.component.AbstractComponent;
 import com.yahoo.config.provision.Zone;
-import com.yahoo.container.jdisc.athenz.AthenzIdentityProvider;
 import com.yahoo.jdisc.http.ssl.SslKeyStoreConfigurator;
 import com.yahoo.jdisc.http.ssl.SslKeyStoreContext;
 import com.yahoo.log.LogLevel;
+import com.yahoo.vespa.athenz.identity.ServiceIdentityProvider;
 import com.yahoo.vespa.athenz.tls.KeyStoreBuilder;
 import com.yahoo.vespa.athenz.tls.KeyStoreType;
 import com.yahoo.vespa.defaults.Defaults;
@@ -53,7 +53,7 @@ public class AthenzSslKeyStoreConfigurator extends AbstractComponent implements
 private volatile KeyStore currentKeyStore;
 @Inject
-public AthenzSslKeyStoreConfigurator(AthenzIdentityProvider bootstrapIdentity,
+public AthenzSslKeyStoreConfigurator(ServiceIdentityProvider bootstrapIdentity,
 KeyProvider keyProvider,
 AthenzProviderServiceConfig config,
 Zone zone,
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/AthenzCertificateClient.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/AthenzCertificateClient.java
index 35b483affae..193a573c98d 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/AthenzCertificateClient.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/AthenzCertificateClient.java
@@ -3,7 +3,7 @@ package com.yahoo.vespa.hosted.athenz.instanceproviderservice.impl;
 import com.yahoo.athenz.zts.InstanceRefreshRequest;
 import com.yahoo.athenz.zts.ZTSClient;
-import com.yahoo.container.jdisc.athenz.AthenzIdentityProvider;
+import com.yahoo.vespa.athenz.identity.ServiceIdentityProvider;
 import com.yahoo.vespa.athenz.tls.X509CertificateUtils;
 import com.yahoo.vespa.hosted.athenz.instanceproviderservice.config.AthenzProviderServiceConfig;
@@ -17,9 +17,9 @@ import java.security.cert.X509Certificate;
 public class AthenzCertificateClient {
 private final AthenzProviderServiceConfig.Zones zoneConfig;
-private final AthenzIdentityProvider bootstrapIdentity;
+private final ServiceIdentityProvider bootstrapIdentity;
-public AthenzCertificateClient(AthenzIdentityProvider bootstrapIdentity,
+public AthenzCertificateClient(ServiceIdentityProvider bootstrapIdentity,
 AthenzProviderServiceConfig.Zones zoneConfig) {
 this.bootstrapIdentity = bootstrapIdentity;
 this.zoneConfig = zoneConfig;
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzSslContextProvider.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzSslContextProvider.java
deleted file mode 100644
index 480105a2d86..00000000000
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzSslContextProvider.java
+++ /dev/null
@@ -1,14 +0,0 @@
-// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.vespa.hosted.controller.api.integration.athenz;
-
-import com.google.inject.Provider;
-
-import javax.net.ssl.SSLContext;
-
-/**
- * Provides a {@link SSLContext} for use in controller clients communicating with Athenz TLS secured services.
- * It is configured with a keystore containing the Athenz service certificate and a trust store with the Athenz CA certificates.
- *
- * @author bjorncs
- */
-public interface AthenzSslContextProvider extends Provider<SSLContext> {}
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzClientFactoryImpl.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzClientFactoryImpl.java
index ffa537615b7..159a4f11619 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzClientFactoryImpl.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzClientFactoryImpl.java
@@ -10,8 +10,8 @@ import com.yahoo.athenz.auth.util.Crypto;
 import com.yahoo.athenz.zms.ZMSClient;
 import com.yahoo.athenz.zts.ZTSClient;
 import com.yahoo.container.jdisc.secretstore.SecretStore;
-import com.yahoo.container.jdisc.athenz.AthenzIdentityProvider;
 import com.yahoo.vespa.athenz.api.NToken;
+import com.yahoo.vespa.athenz.identity.ServiceIdentityProvider;
 import com.yahoo.vespa.athenz.utils.AthenzIdentities;
 import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzClientFactory;
 import com.yahoo.vespa.hosted.controller.api.integration.athenz.ZmsClient;
@@ -28,10 +28,10 @@ public class AthenzClientFactoryImpl implements AthenzClientFactory {
 private final SecretStore secretStore;
 private final AthenzConfig config;
 private final AthenzPrincipalAuthority athenzPrincipalAuthority;
-private final AthenzIdentityProvider identityProvider;
+private final ServiceIdentityProvider identityProvider;
 @Inject
-public AthenzClientFactoryImpl(SecretStore secretStore, AthenzIdentityProvider identityProvider, AthenzConfig config) {
+public AthenzClientFactoryImpl(SecretStore secretStore, ServiceIdentityProvider identityProvider, AthenzConfig config) {
 this.secretStore = secretStore;
 this.identityProvider = identityProvider;
 this.config = config;
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/SiaAthenzSslContextProvider.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/SiaAthenzSslContextProvider.java
deleted file mode 100644
index 7ad98a2d703..00000000000
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/SiaAthenzSslContextProvider.java
+++ /dev/null
@@ -1,22 +0,0 @@
-package com.yahoo.vespa.hosted.controller.athenz.impl;
-
-import com.google.inject.Inject;
-import com.yahoo.container.jdisc.athenz.AthenzIdentityProvider;
-import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzSslContextProvider;
-
-import javax.net.ssl.SSLContext;
-
-public class SiaAthenzSslContextProvider implements AthenzSslContextProvider {
-
-private final AthenzIdentityProvider identityProvider;
-
-@Inject
-public SiaAthenzSslContextProvider(AthenzIdentityProvider identityProvider) {
-this.identityProvider = identityProvider;
-}
-
-@Override
-public SSLContext get() {
-return identityProvider.getIdentitySslContext();
-}
-}
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImpl.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImpl.java
index 9019b4ae4c5..cbd4614e51b 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImpl.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImpl.java
@@ -8,9 +8,9 @@ import com.yahoo.config.provision.Environment;
 import com.yahoo.jdisc.http.HttpRequest.Method;
 import com.yahoo.log.LogLevel;
 import com.yahoo.vespa.athenz.api.AthenzIdentity;
+import com.yahoo.vespa.athenz.identity.ServiceIdentityProvider;
 import com.yahoo.vespa.athenz.tls.AthenzIdentityVerifier;
 import com.yahoo.vespa.athenz.utils.AthenzIdentities;
-import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzSslContextProvider;
 import com.yahoo.vespa.hosted.controller.api.integration.zone.ZoneId;
 import com.yahoo.vespa.hosted.controller.api.integration.zone.ZoneList;
 import com.yahoo.vespa.hosted.controller.api.integration.zone.ZoneRegistry;
@@ -62,11 +62,11 @@ public class ConfigServerRestExecutorImpl implements ConfigServerRestExecutor {
 private static final Set<String> HEADERS_TO_COPY = new HashSet<>(Arrays.asList("X-HTTP-Method-Override", "Content-Type"));
 private final ZoneRegistry zoneRegistry;
-private final AthenzSslContextProvider sslContextProvider;
+private final ServiceIdentityProvider sslContextProvider;
 @Inject
 public ConfigServerRestExecutorImpl(ZoneRegistry zoneRegistry,
-AthenzSslContextProvider sslContextProvider) {
+ServiceIdentityProvider sslContextProvider) {
 this.zoneRegistry = zoneRegistry;
 this.sslContextProvider = sslContextProvider;
 }
@@ -266,7 +266,7 @@ public class ConfigServerRestExecutorImpl implements ConfigServerRestExecutor {
 }
 private static CloseableHttpClient createHttpClient(RequestConfig config,
-AthenzSslContextProvider sslContextProvider,
+ServiceIdentityProvider sslContextProvider,
 ZoneRegistry zoneRegistry,
 ProxyRequest proxyRequest) {
 AthenzIdentityVerifier hostnameVerifier =
@@ -276,7 +276,7 @@ public class ConfigServerRestExecutorImpl implements ConfigServerRestExecutor {
 ZoneId.from(proxyRequest.getEnvironment(), proxyRequest.getRegion()))));
 return HttpClientBuilder.create()
 .setUserAgent("config-server-proxy-client")
-.setSslcontext(sslContextProvider.get())
+.setSslcontext(sslContextProvider.getIdentitySslContext())
 .setHostnameVerifier(new AthenzIdentityVerifierAdapter(hostnameVerifier))
 .setDefaultRequestConfig(config)
 .build();
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identity/ServiceIdentityProvider.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identity/ServiceIdentityProvider.java
new file mode 100644
index 00000000000..6b318fb16be
--- /dev/null
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identity/ServiceIdentityProvider.java
@@ -0,0 +1,18 @@
+// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.athenz.identity;
+
+import com.yahoo.container.jdisc.athenz.AthenzIdentityProvider;
+import com.yahoo.vespa.athenz.api.AthenzService;
+
+import javax.net.ssl.SSLContext;
+
+/**
+ * A interface for types that provides a service identity.
+ * Some similarities to {@link AthenzIdentityProvider}, but this type is not public api and intended for internal use.
+ *
+ * @author bjorncs
+ */
+public interface ServiceIdentityProvider {
+AthenzService identity();
+SSLContext getIdentitySslContext();
+}
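Review bot: The field, the constructor parameter and the `createHttpClient` parameter keep the name `sslContextProvider` although their type is now `ServiceIdentityProvider`, while `AthenzClientFactoryImpl` in the same commit names the same dependency `identityProvider`; renaming it here, ending in `.setSslcontext(identityProvider.getIdentitySslContext())`, keeps the two controller classes consistent and stops the name from suggesting a plain `Provider<SSLContext>`. The `createHttpClient` body continues past the end of the hunk. A practitioner would also want one comment at the `.setSslcontext(...)` call recording what this client relies on, since the only verification visibly configured is the `AthenzIdentityVerifier` hostname check and the trust anchors are now implicit in the identity context: `// identity context must carry the service cert/key AND the Athenz CA trust store (see deleted AthenzSslContextProvider contract)`.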
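Review bot: `getIdentitySslContext()` has no Javadoc, yet the contract the deleted `AthenzSslContextProvider` spelled out — a keystore holding the Athenz service certificate and a trust store holding the Athenz CA certificates — is exactly what `ConfigServerRestExecutorImpl` now depends on through this method; carry that sentence over so implementors know both halves are required, e.g. `/** SSLContext with this service's Athenz certificate and key in the keystore and the Athenz CA certificates in the trust store. */`. `identity()` deserves a one-liner as well: `/** The Athenz service (domain and name) whose credentials {@link #getIdentitySslContext()} presents. */`. Whether a returned context is expected to reflect rotated credentials, or callers must re-fetch it per client, is stated nowhere visible; naming the rule would avoid stale-certificate surprises. Minor: the type Javadoc should read "An interface for types that provide a service identity".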
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identity/SiaIdentityProvider.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identity/SiaIdentityProvider.java
index 437da05dfdd..161438e2bbe 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identity/SiaIdentityProvider.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identity/SiaIdentityProvider.java
@@ -3,7 +3,6 @@ package com.yahoo.vespa.athenz.identity;
 import com.google.inject.Inject;
 import com.yahoo.component.AbstractComponent;
-import com.yahoo.container.jdisc.athenz.AthenzIdentityProvider;
 import com.yahoo.log.LogLevel;
 import com.yahoo.vespa.athenz.api.AthenzService;
 import com.yahoo.vespa.athenz.tls.KeyStoreType;
@@ -27,7 +26,7 @@ import java.util.logging.Logger;
 * @author mortent
 * @author bjorncs
 */
-public class SiaIdentityProvider extends AbstractComponent implements AthenzIdentityProvider {
+public class SiaIdentityProvider extends AbstractComponent implements ServiceIdentityProvider {
 private static final Logger log = Logger.getLogger(SiaIdentityProvider.class.getName());
@@ -83,13 +82,8 @@ public class SiaIdentityProvider extends AbstractComponent implements AthenzIden
 }
 @Override
-public String getDomain() {
-return service.getDomain().getName();
-}
-
-@Override
-public String getService() {
-return service.getName();
+public AthenzService identity() {
+return service;
 }
 @Override
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java
index e41eab025d5..fc15442be84 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java
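Review bot: `SiaIdentityProvider` stops implementing `AthenzIdentityProvider`, so any injection point or component configuration that still requests `AthenzIdentityProvider` and was previously satisfied by this class will no longer bind; the diff updates only the Java callers visible here, so it is worth confirming no services.xml or test wiring refers to it under the old interface. The new `identity()` returns the `service` field directly, which is fine if `AthenzService` is immutable (not visible here) and otherwise leaks internal state; either way a one-line Javadoc such as `/** The Athenz service identity this provider was constructed for. */` would document the accessor. The enclosing class continues beyond the hunk.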
@@ -8,7 +8,7 @@ import com.yahoo.container.jdisc.athenz.AthenzIdentityProvider;
 import com.yahoo.container.jdisc.athenz.AthenzIdentityProviderException;
 import com.yahoo.jdisc.Metric;
 import com.yahoo.log.LogLevel;
-import com.yahoo.vespa.athenz.api.AthenzIdentityCertificate;
+import com.yahoo.vespa.athenz.identity.ServiceIdentityProvider;
 import com.yahoo.vespa.athenz.tls.SslContextBuilder;
 import com.yahoo.vespa.defaults.Defaults;
@@ -28,7 +28,7 @@ import static com.yahoo.vespa.athenz.tls.KeyStoreType.JKS;
 * @author mortent
 * @author bjorncs
 */
-public final class AthenzIdentityProviderImpl extends AbstractComponent implements AthenzIdentityProvider {
+public final class AthenzIdentityProviderImpl extends AbstractComponent implements AthenzIdentityProvider, ServiceIdentityProvider {
 private static final Logger log = Logger.getLogger(AthenzIdentityProviderImpl.class.getName());
@@ -44,8 +44,7 @@ public final class AthenzIdentityProviderImpl extends AbstractComponent implemen
 private final AthenzCredentialsService athenzCredentialsService;
 private final ScheduledExecutorService scheduler;
 private final Clock clock;
-private final String domain;
-private final String service;
+private final com.yahoo.vespa.athenz.api.AthenzService identity;
 @Inject
 public AthenzIdentityProviderImpl(IdentityConfig config, Metric metric) {
@@ -69,8 +68,7 @@ public final class AthenzIdentityProviderImpl extends AbstractComponent implemen
 this.athenzCredentialsService = athenzCredentialsService;
 this.scheduler = scheduler;
 this.clock = clock;
-this.domain = config.domain();
-this.service = config.service();
+this.identity = new com.yahoo.vespa.athenz.api.AthenzService(config.domain(), config.service());
 registerInstance();
 }
@@ -85,13 +83,18 @@ public final class AthenzIdentityProviderImpl extends AbstractComponent implemen } @Override + public com.yahoo.vespa.athenz.api.AthenzService identity() { + return identity; + } + + @Override public String getDomain() { - return domain; + return identity.getDomain().getName(); } @Override public String getService() { - return service; + return identity.getName(); } @Override |